Fatal编程技术网
  • php/
  • Php 带有单个URL应用程序的SQLMAP

Php 带有单个URL应用程序的SQLMAP

php mysql mariadb

Php 带有单个URL应用程序的SQLMAP,php,mysql,mariadb,sql-injection,sqlmap,Php,Mysql,Mariadb,Sql Injection,Sqlmap,我有一个本地应用程序,只有登录后才能访问。它的单一URL应用程序,应用程序的URL不会改变,只是它使用“XMLHttpRequest”根据操作和其他参数刷新屏幕内容 使用的数据库如下所示 [root@localhost ~]# mysql -q Welcome to the MariaDB monitor. Commands end with ; or \g. Server version: 5.5.64-MariaDB MariaDB Server Copyright (c) 2000,

我有一个本地应用程序,只有登录后才能访问。它的单一URL应用程序,应用程序的URL不会改变,只是它使用“XMLHttpRequest”根据操作和其他参数刷新屏幕内容

使用的数据库如下所示

[root@localhost ~]# mysql -q
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Server version: 5.5.64-MariaDB MariaDB Server

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others. 

GET /api/?aid=E5xr3iOOg8sI1o4Zl1URZ4ytFlAdVTy9AMEiVjC6HhMBVwCkQgee160WtRYidV8Q&action=management&which=overview&_dc=1580104578032&sort=account_name&dir=ASC&sorters=%5B%7B%22field%22%3A%22account_name%22%2C%22direction%22%3A%22ASC*%22%7D%5D&start=0&limit=18 HTTP/1.1
Accept: */*
X-Requested-With: XMLHttpRequest
Referer: http://10.20.100.200/test/
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: 10.20.100.200
Cookie: client_time=1580129655.074; check=1; uid=E5xr3iOOg8sI1o4Zl1URZ4ytFlAdVTy9AMEiVjC6HhMBVwCkQgee160WtRYidV8Q; sid=4memnc2vdi7pj7i56q5sopu5gbspba99; vid=daSGjWTD0bQ8ZLCNRG4tA1090ddBYYPatzexNHrf4qy4FwB4CcvymjISadYw9Quh
有SQL注入问题的“XMLHttpRequest”和“sorters”字段之一存在此问题,例如,如果我们在“ASC”字段中添加('),则页面显示500错误。为了复制它,我使用burpsuitecommunityedition截取请求,并使用文件将其馈送到SQLMAP

请求详细信息

Name    Protocol    Method  Result  Content type    Received    Time    Initiator
http://10.20.100.200/test/api/?aid=E5xr3iOOg8sI1o4Zl1URZ4ytFlAdVTy9AMEiVjC6HhMBVwCkQgee160WtRYidV8Q&action=management&which=overview&_dc=1580104578032&sort=account_name&dir=ASC&sorters=%5B%7B%22field%22%3A%22account_name%22%2C%22direction%22%3A%22ASC%22%7D%5D&start=0&limit=18    HTTP    GET 200 application/json    1.29 KB 677.42 ms   XMLHttpRequest

Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en-US
Connection: Keep-Alive
Cookie: client_time=1580129655.074; check=1; aid=E5xr3iOOg8sI1o4Zl1URZ4ytFlAdVTy9AMEiVjC6HhMBVwCkQgee160WtRYidV8Q; bid=4memnc2vdi7pj7i56q5sopu5gbspba99; cid=daSGjWTD0bQ8ZLCNRG4tA1090ddBYYPatzexNHrf4qy4FwB4CcvymjISadYw9Quh
Host: 10.20.100.200
Referer: http://10.20.100.200/test/
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
X-Requested-With: XMLHttpRequest
Connection: close

sqlmap.py -r C:\Users\Documents\request.txt --dbs --tamper=apostrophemask,apostrophenullencode,base64encode,between,chardoubleencode,charencode,charunicodeencode,equaltolike,greatest,ifnull2ifisnull,multiplespaces,percentage,randomcase,space2comment,space2plus,space2randomblank,unionalltounion,unmagicquotes

[00:34:56] [WARNING] URI parameter '#1*' does not appear to be dynamic
[00:34:57] [WARNING] heuristic (basic) test shows that URI parameter '#1*' might not be injectable
[00:34:58] [INFO] testing for SQL injection on URI parameter '#1*'
[00:34:58] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[00:35:06] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
[00:35:06] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[00:35:08] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[00:35:11] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (IN)'
[00:35:13] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[00:35:16] [INFO] testing 'MySQL >= 5.0 error-based - Parameter replace (FLOOR)'
[00:35:16] [INFO] testing 'MySQL inline queries'
[00:35:17] [INFO] testing 'PostgreSQL inline queries'
[00:35:18] [INFO] testing 'Microsoft SQL Server/Sybase inline queries'
[00:35:18] [INFO] testing 'PostgreSQL > 8.1 stacked queries (comment)'
[00:35:23] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries (comment)'
[00:35:28] [INFO] testing 'Oracle stacked queries (DBMS_PIPE.RECEIVE_MESSAGE - comment)'
[00:35:33] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[00:35:39] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
[00:35:46] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind (IF)'
[00:35:52] [INFO] testing 'Oracle AND time-based blind'
it is recommended to perform only basic UNION tests if there is not at least one other (potential) technique found. Do you want to reduce the number of requests? [Y/n] Y
[00:37:07] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[00:37:20] [WARNING] URI parameter '#1*' does not seem to be injectable
[00:37:20] [CRITICAL] all tested parameters do not appear to be injectable. Try to increase values for '--level'/'--risk' options if you wish to perform more tests
[00:37:20] [WARNING]  HTTP error codes detected during run:
403 (Forbidden) - 1 times, 400 (Bad Request) - 578 times, 414 (Request-URI Too Long) - 235 times
request.txt为SQLMAP提供数据(将astrick(*)放在分拣机的ASC字段中)

GET /api/?aid=E5xr3iOOg8sI1o4Zl1URZ4ytFlAdVTy9AMEiVjC6HhMBVwCkQgee160WtRYidV8Q&action=management&which=overview&_dc=1580104578032&sort=account_name&dir=ASC&sorters=%5B%7B%22field%22%3A%22account_name%22%2C%22direction%22%3A%22ASC*%22%7D%5D&start=0&limit=18 HTTP/1.1
Accept: */*
X-Requested-With: XMLHttpRequest
Referer: http://10.20.100.200/test/
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: 10.20.100.200
Cookie: client_time=1580129655.074; check=1; uid=E5xr3iOOg8sI1o4Zl1URZ4ytFlAdVTy9AMEiVjC6HhMBVwCkQgee160WtRYidV8Q; sid=4memnc2vdi7pj7i56q5sopu5gbspba99; vid=daSGjWTD0bQ8ZLCNRG4tA1090ddBYYPatzexNHrf4qy4FwB4CcvymjISadYw9Quh
用于SQL注入的SQLMAP命令

Name    Protocol    Method  Result  Content type    Received    Time    Initiator
http://10.20.100.200/test/api/?aid=E5xr3iOOg8sI1o4Zl1URZ4ytFlAdVTy9AMEiVjC6HhMBVwCkQgee160WtRYidV8Q&action=management&which=overview&_dc=1580104578032&sort=account_name&dir=ASC&sorters=%5B%7B%22field%22%3A%22account_name%22%2C%22direction%22%3A%22ASC%22%7D%5D&start=0&limit=18    HTTP    GET 200 application/json    1.29 KB 677.42 ms   XMLHttpRequest

Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en-US
Connection: Keep-Alive
Cookie: client_time=1580129655.074; check=1; aid=E5xr3iOOg8sI1o4Zl1URZ4ytFlAdVTy9AMEiVjC6HhMBVwCkQgee160WtRYidV8Q; bid=4memnc2vdi7pj7i56q5sopu5gbspba99; cid=daSGjWTD0bQ8ZLCNRG4tA1090ddBYYPatzexNHrf4qy4FwB4CcvymjISadYw9Quh
Host: 10.20.100.200
Referer: http://10.20.100.200/test/
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
X-Requested-With: XMLHttpRequest
Connection: close

sqlmap.py -r C:\Users\Documents\request.txt --dbs --tamper=apostrophemask,apostrophenullencode,base64encode,between,chardoubleencode,charencode,charunicodeencode,equaltolike,greatest,ifnull2ifisnull,multiplespaces,percentage,randomcase,space2comment,space2plus,space2randomblank,unionalltounion,unmagicquotes

[00:34:56] [WARNING] URI parameter '#1*' does not appear to be dynamic
[00:34:57] [WARNING] heuristic (basic) test shows that URI parameter '#1*' might not be injectable
[00:34:58] [INFO] testing for SQL injection on URI parameter '#1*'
[00:34:58] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[00:35:06] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
[00:35:06] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[00:35:08] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[00:35:11] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (IN)'
[00:35:13] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[00:35:16] [INFO] testing 'MySQL >= 5.0 error-based - Parameter replace (FLOOR)'
[00:35:16] [INFO] testing 'MySQL inline queries'
[00:35:17] [INFO] testing 'PostgreSQL inline queries'
[00:35:18] [INFO] testing 'Microsoft SQL Server/Sybase inline queries'
[00:35:18] [INFO] testing 'PostgreSQL > 8.1 stacked queries (comment)'
[00:35:23] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries (comment)'
[00:35:28] [INFO] testing 'Oracle stacked queries (DBMS_PIPE.RECEIVE_MESSAGE - comment)'
[00:35:33] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[00:35:39] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
[00:35:46] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind (IF)'
[00:35:52] [INFO] testing 'Oracle AND time-based blind'
it is recommended to perform only basic UNION tests if there is not at least one other (potential) technique found. Do you want to reduce the number of requests? [Y/n] Y
[00:37:07] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[00:37:20] [WARNING] URI parameter '#1*' does not seem to be injectable
[00:37:20] [CRITICAL] all tested parameters do not appear to be injectable. Try to increase values for '--level'/'--risk' options if you wish to perform more tests
[00:37:20] [WARNING]  HTTP error codes detected during run:
403 (Forbidden) - 1 times, 400 (Bad Request) - 578 times, 414 (Request-URI Too Long) - 235 times
SQLMAP输出

Name    Protocol    Method  Result  Content type    Received    Time    Initiator
http://10.20.100.200/test/api/?aid=E5xr3iOOg8sI1o4Zl1URZ4ytFlAdVTy9AMEiVjC6HhMBVwCkQgee160WtRYidV8Q&action=management&which=overview&_dc=1580104578032&sort=account_name&dir=ASC&sorters=%5B%7B%22field%22%3A%22account_name%22%2C%22direction%22%3A%22ASC%22%7D%5D&start=0&limit=18    HTTP    GET 200 application/json    1.29 KB 677.42 ms   XMLHttpRequest

Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en-US
Connection: Keep-Alive
Cookie: client_time=1580129655.074; check=1; aid=E5xr3iOOg8sI1o4Zl1URZ4ytFlAdVTy9AMEiVjC6HhMBVwCkQgee160WtRYidV8Q; bid=4memnc2vdi7pj7i56q5sopu5gbspba99; cid=daSGjWTD0bQ8ZLCNRG4tA1090ddBYYPatzexNHrf4qy4FwB4CcvymjISadYw9Quh
Host: 10.20.100.200
Referer: http://10.20.100.200/test/
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
X-Requested-With: XMLHttpRequest
Connection: close

sqlmap.py -r C:\Users\Documents\request.txt --dbs --tamper=apostrophemask,apostrophenullencode,base64encode,between,chardoubleencode,charencode,charunicodeencode,equaltolike,greatest,ifnull2ifisnull,multiplespaces,percentage,randomcase,space2comment,space2plus,space2randomblank,unionalltounion,unmagicquotes

[00:34:56] [WARNING] URI parameter '#1*' does not appear to be dynamic
[00:34:57] [WARNING] heuristic (basic) test shows that URI parameter '#1*' might not be injectable
[00:34:58] [INFO] testing for SQL injection on URI parameter '#1*'
[00:34:58] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[00:35:06] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
[00:35:06] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[00:35:08] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[00:35:11] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (IN)'
[00:35:13] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[00:35:16] [INFO] testing 'MySQL >= 5.0 error-based - Parameter replace (FLOOR)'
[00:35:16] [INFO] testing 'MySQL inline queries'
[00:35:17] [INFO] testing 'PostgreSQL inline queries'
[00:35:18] [INFO] testing 'Microsoft SQL Server/Sybase inline queries'
[00:35:18] [INFO] testing 'PostgreSQL > 8.1 stacked queries (comment)'
[00:35:23] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries (comment)'
[00:35:28] [INFO] testing 'Oracle stacked queries (DBMS_PIPE.RECEIVE_MESSAGE - comment)'
[00:35:33] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[00:35:39] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
[00:35:46] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind (IF)'
[00:35:52] [INFO] testing 'Oracle AND time-based blind'
it is recommended to perform only basic UNION tests if there is not at least one other (potential) technique found. Do you want to reduce the number of requests? [Y/n] Y
[00:37:07] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[00:37:20] [WARNING] URI parameter '#1*' does not seem to be injectable
[00:37:20] [CRITICAL] all tested parameters do not appear to be injectable. Try to increase values for '--level'/'--risk' options if you wish to perform more tests
[00:37:20] [WARNING]  HTTP error codes detected during run:
403 (Forbidden) - 1 times, 400 (Bad Request) - 578 times, 414 (Request-URI Too Long) - 235 times
这里的问题是SQLMAP替换了aid,这样服务器就不会验证SQLMAP请求

我们需要告诉SQLMAP排除这些参数,还可以告诉SQLMAP通过放置通配符(*),即dir=ASC*,来尝试所需的参数。在这种情况下,SQLMAP将尝试为param'dir'注入代码

比如说

GET /api/?aid=E5xr3iOOg8sI1o4Zl1URZ4ytFlAdVTy9AMEiVjC6HhMBVwCkQgee160WtRYidV8Q&action=management&which=overview&_dc=1580104578032&sort=account_name&dir=ASC*&start=0&limit=18 HTTP/1.1
那么,为什么可以手动复制它,但不能使用SQLMAP?是的,SQLMAP无法注入SQL。我在这里做错了什么?猜测SQLMAP没有在与手动发送的请求相同的上下文中发送相同的请求。403表示可能SQLMAP没有访问经过身份验证的对象。会话ID是否可能已过期或以其他方式验证失败?如果让SQLMAP记录所有请求和响应数据并研究跟踪,它将对正在发生的事情提供一些见解。