
How to analyze the sqlmap source code

Source: Shulou (shulou.com) Technology News & Howtos, Network Security section. Report dated 05/31, updated 2025-04-01.

Many people new to sqlmap do not know where to begin reading its source. This article walks through the directory layout, the start-up sequence in sqlmap.py, the global data structures, and the core detection loop in the controller, and points out the parts worth studying first.

sqlmap source code analysis

I am still a beginner myself; below I summarize my understanding of sqlmap and share a few approaches I find useful.

Directory structure

Let us go through the tree. The version examined here is sqlmap 1.4.3.12, the latest at the time of writing.

1. data/ contains the interface templates, the web shell backdoors and stagers (data/shell/; the files are stored in a cloaked, obfuscated form and are unpacked when used, see extra/cloak), the UDF libraries used for privilege escalation (data/udf/), stored-procedure SQL (data/procs/), wordlists and common table/column names (data/txt/), and the XML definitions of the injection detection payloads, error fingerprints and per-DBMS queries (data/xml/).

2. doc/ holds the documentation and its translations for different languages and regions.

3. extra/ holds small auxiliary tools: runcmd and shellcodeexec for running commands and shellcode on the target, icmpsh for an ICMP reverse shell (yes, ICMP can carry a reverse shell; when the usual TCP or UDP reverse shells are blocked during an engagement, ICMP or DNS tunnelling is worth considering), beep for an audible alert on a finding, cloak for packing the backdoor files, and a few more.

4. lib/ is the core library: request building and sending (lib/request/), the detection and exploitation logic for each injection technique (lib/techniques/), the takeover and privilege-escalation operations (lib/takeover/), the controller (lib/controller/), option parsing (lib/parse/) and the shared core (lib/core/). This is the directory that deserves most of our attention.

5. plugins/ contains the per-DBMS modules (plugins/dbms/, one package per supported database) and the generic base classes they share (plugins/generic/).

6. tamper/ contains the tamper scripts that rewrite payloads to get past filters and WAFs (very useful in practice).

7. thirdparty/ holds the third-party libraries bundled with sqlmap.

sqlmap.conf is the configuration file listing the default value of every option (nothing is set by default; fill it in for batch or automated scans and load it with -c).

sqlmap.py is the main program.

sqlmapapi.py is the REST API server and client, used to integrate sqlmap into other platforms.

swagger.yaml documents that API.

Entry file

Sqlmap.py

main() in sqlmap.py starts with five setup calls worth knowing.

dirtyPatches()

Workarounds for known problems in the interpreter and libraries are collected in this function and run before anything else.

dirtyPatches() first raises httplib's maximum line length (httplib._MAXLINE) so that long headers do not abort a response, then on Windows imports the win_inet_pton module from thirdparty/ to supply inet_pton, and finally (on Python 2) sets the default string encoding to UTF-8 to avoid encoding errors in interactive output. None of this affects sqlmap's actual detection logic; it is environment plumbing for a smoother user experience and can be skipped on a first read.

resolveCrossReferences()

To avoid circular imports, some functions are defined in one module and assigned here to the other modules that need them.

checkEnvironment()

Checks the running environment: the module path, the Python version, and then makes the global data objects available.

The three globals cmdLineOptions, conf and kb (from lib.core.data) are used throughout sqlmap, conf and kb above all: conf holds the effective configuration, kb (the knowledge base) holds everything learned during a run.

setPaths(modulePath())

Builds the paths to the data, output and other directories relative to the sqlmap installation.

banner()

Prints the banner.

Global variable cmdLineOptions

It is an AttribDict. What is an AttribDict?

The class (lib/core/datatype.py) subclasses dict and overrides a few special methods (__getattr__, __setattr__, __delattr__ and the copy/pickle helpers) so that the plain dict becomes the attribute dictionary the project wants.

Plain dict access: dict1["key"]

AttribDict access: dict1.key
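To make the override concrete, here is a re-implementation of the attribute-dictionary idea, written for this article and not copied from sqlmap's lib/core/datatype.py. It assumes the same behaviour the page describes (attribute access falls through to the dict, assignment after construction becomes a key assignment) and adds the two checks a practitioner runs into first: real attributes and dict methods keep priority over keys, and deepcopy must copy the keys, not only the instance attributes.

```python
import copy


class AttribDict(dict):
    """dict whose keys are also attributes: d.key == d["key"].

    Illustrative re-implementation of sqlmap's AttribDict (not the project's
    code). Keys that collide with real attributes (e.g. "keys", "items") are
    still reachable through d["keys"].
    """

    def __init__(self, indict=None, attribute=None):
        if indict is None:
            indict = {}
        # Goes through __setattr__ below; the sentinel is not set yet, so this
        # becomes a normal instance attribute rather than a key.
        self.attribute = attribute
        dict.__init__(self, indict)
        self.__initialised = True  # name-mangled to _AttribDict__initialised

    def __getattr__(self, item):
        # Only called when normal attribute lookup fails, so methods such as
        # keys() and instance attributes win over dict keys of the same name.
        try:
            return self.__getitem__(item)
        except KeyError:
            raise AttributeError("unable to access item '%s'" % item)

    def __setattr__(self, item, value):
        # Before __init__ finishes, behave like a plain object; afterwards every
        # attribute assignment becomes a key assignment.
        if "_AttribDict__initialised" not in self.__dict__:
            return dict.__setattr__(self, item, value)
        self.__setitem__(item, value)

    def __delattr__(self, item):
        try:
            return self.__delitem__(item)
        except KeyError:
            raise AttributeError("unable to delete item '%s'" % item)

    def __deepcopy__(self, memo):
        # dict's default deepcopy would miss the instance attribute; copying
        # both explicitly keeps conf/kb-style objects independent after a copy.
        new = self.__class__()
        memo[id(self)] = new
        for key, value in self.items():
            dict.__setitem__(new, key, copy.deepcopy(value, memo))
        new.__dict__["attribute"] = copy.deepcopy(self.attribute, memo)
        return new


if __name__ == "__main__":
    # Constructed sample configuration, mimicking how conf is used
    conf = AttribDict({"url": "http://example.test/?id=1", "retries": 3})
    conf.timeout = 30
    print(conf.url, conf["retries"], conf.timeout)
    print(hasattr(conf, "missing"))  # False: AttributeError, not KeyError
```

The sentinel trick in __setattr__ is what lets __init__ set real attributes while later code gets key semantics; without it, the first self.attribute = ... assignment would itself become a dict key.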

Following cmdLineParser()

cmdLineParser() (lib/parse/cmdline.py) validates and splits the command line options we typed and stores them in cmdLineOptions as key/value pairs; initOptions() then carries them over into conf.

conf, kb

1. init() (lib/core/option.py) sets the initial values of all configuration and knowledge-base variables; most of the work is delegated to a series of helper functions that each complete one part of the basic setup. There is no need to read them one by one; just know where to come back to when a default needs checking.

2. The second part is the self-tests: smoke test, fuzz test and so on (run only when requested with the corresponding options).

The URL parameters already tested are recorded in kb.testedParams.

3. Once the tests are done, start() in lib/controller/controller.py enters the actual workflow.

controller.py

The following excerpt from start() in lib/controller/controller.py is the core of the detection loop. It is reformatted from the original and, like the original, stops short at the first line of the multiple-target branch; the try block's except clause lies outside the excerpt.

```python
for targetUrl, targetMethod, targetData, targetCookie, targetHeaders in kb.targets:
    try:
        if conf.checkInternet:
            infoMsg = "checking for Internet connection"
            logger.info(infoMsg)

            if not checkInternet():
                warnMsg = "[%s] [WARNING] no connection detected" % time.strftime("%X")
                dataToStdout(warnMsg)

                valid = False
                for _ in xrange(conf.retries):
                    if checkInternet():
                        valid = True
                        break
                    else:
                        dataToStdout('.')
                        time.sleep(5)

                if not valid:
                    errMsg = "please check your Internet connection and rerun"
                    raise SqlmapConnectionException(errMsg)
                else:
                    dataToStdout("\n")

        # Initialize the current target: URL, method, body, cookie and headers
        conf.url = targetUrl
        conf.method = targetMethod.upper().strip() if targetMethod else targetMethod
        conf.data = targetData
        conf.cookie = targetCookie
        conf.httpHeaders = list(initialHeaders)
        conf.httpHeaders.extend(targetHeaders or [])

        if conf.randomAgent or conf.mobile:
            for header, value in initialHeaders:
                if header.upper() == HTTP_HEADER.USER_AGENT.upper():
                    conf.httpHeaders.append((header, value))
                    break

        # Deduplicate headers by name, keeping the last occurrence of each
        conf.httpHeaders = [conf.httpHeaders[i] for i in xrange(len(conf.httpHeaders)) if conf.httpHeaders[i][0].upper() not in (__[0].upper() for __ in conf.httpHeaders[i + 1:])]

        initTargetEnv()
        parseTargetUrl()

        testSqlInj = False

        # Extract the parameters to test; skip those already in kb.testedParams
        if PLACE.GET in conf.parameters and not any((conf.data, conf.testParameter)):
            for parameter in re.findall(r"([^=]+)=([^%s]+%s?|\Z)" % (re.escape(conf.paramDel or "") or DEFAULT_GET_POST_DELIMITER, re.escape(conf.paramDel or "") or DEFAULT_GET_POST_DELIMITER), conf.parameters[PLACE.GET]):
                paramKey = (conf.hostname, conf.path, PLACE.GET, parameter[0])

                if paramKey not in kb.testedParams:
                    testSqlInj = True
                    break
        else:
            paramKey = (conf.hostname, conf.path, None, None)

            if paramKey not in kb.testedParams:
                testSqlInj = True

        # A host already found vulnerable can be skipped on request
        if testSqlInj and conf.hostname in kb.vulnHosts:
            if kb.skipVulnHost is None:
                message = "SQL injection vulnerability has already been detected "
                message += "against '%s'. Do you want to skip " % conf.hostname
                message += "further tests involving it? [Y/n]"

                kb.skipVulnHost = readInput(message, default='Y', boolean=True)

            testSqlInj = not kb.skipVulnHost

        if not testSqlInj:
            infoMsg = "skipping '%s'" % targetUrl
            logger.info(infoMsg)
            continue

        if conf.multipleTargets:
            # (the excerpt ends here)
```

For each target this loop:

initializes the target currently under test: the url, method, data, cookie and headers fields of conf (headers are deduplicated by name, keeping the last occurrence);

extracts the parameters to test from the conf dictionary (conf.parameters);

checks whether the target has already been tested, using (hostname, path, place, parameter) keys looked up in kb.testedParams, and whether the host is already known to be vulnerable (kb.vulnHosts), in which case the user is asked whether to skip it;

the code that follows handles the multiple-target case (-m / -l).

Then setupTargetEnv() is called.

Its request handling parses the data sent by GET or POST into a dictionary that is saved in conf.paramDict.

So by the end of the for-target loop body in start(), once setupTargetEnv() has returned, every injection point that can be tried against this target has been set up and sits in the conf.paramDict dictionary.
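The two pieces of state above, the per-parameter "already tested" keys and conf.paramDict, are easier to reason about in isolation. The following is an added example written for this article, not sqlmap's own code: it reuses the regular expression from the start() excerpt with a configurable delimiter (the role of --param-del), builds a paramDict-style structure for the GET and POST places only, and replays the skip decision over a constructed list of targets (the example.test host and all parameter values are made up). It also exposes a quirk of that regex worth knowing about: a parameter with an empty value in the middle of the query string is not matched on its own, and the delimiter ends up glued to the following name.

```python
import re
from urllib.parse import urlsplit

DEFAULT_GET_POST_DELIMITER = "&"

# sqlmap keeps these in a PLACE class; plain strings stand in for them here
PLACE_GET = "GET"
PLACE_POST = "POST"


def split_params(raw, delimiter=DEFAULT_GET_POST_DELIMITER):
    """Split a query string or form body into (name, value) pairs.

    Same regex as the start() loop, built for a configurable delimiter. Quirk:
    "empty=&x=2" yields only one match, whose name is "&x" (the empty-valued
    parameter is dropped); lstrip() below removes the stray delimiter.
    """
    delim = re.escape(delimiter) or DEFAULT_GET_POST_DELIMITER
    pattern = r"([^=]+)=([^%s]+%s?|\Z)" % (delim, delim)
    return [(name.lstrip(delimiter), value.rstrip(delimiter))
            for name, value in re.findall(pattern, raw or "")]


def build_param_dict(url, data=None, delimiter=DEFAULT_GET_POST_DELIMITER):
    """Equivalent of conf.paramDict for the GET and POST places:
    {place: {name: value}}, one entry per place present in the request."""
    param_dict = {}
    query = urlsplit(url).query
    if query:
        param_dict[PLACE_GET] = dict(split_params(query, delimiter))
    if data:
        param_dict[PLACE_POST] = dict(split_params(data, delimiter))
    return param_dict


def target_keys(url, data=None, delimiter=DEFAULT_GET_POST_DELIMITER):
    """The (hostname, path, place, parameter) keys compared against
    kb.testedParams: one per GET parameter when there is no body, otherwise a
    single (hostname, path, None, None) key for the whole request."""
    parts = urlsplit(url)
    if parts.query and not data:
        return {(parts.hostname, parts.path, PLACE_GET, name)
                for name, _ in split_params(parts.query, delimiter)}
    return {(parts.hostname, parts.path, None, None)}


def select_targets(targets, tested=None):
    """Replay the skip logic over (url, data) targets; returns one bool per
    target (True = will be tested). Assumption for the example: a selected
    target is fully tested, so all of its keys are recorded afterwards, the
    way kb.testedParams fills up during a run."""
    tested = set() if tested is None else tested
    decisions = []
    for url, data in targets:
        keys = target_keys(url, data)
        decision = not keys <= tested   # at least one key not yet tested
        if decision:
            tested |= keys
        decisions.append(decision)
    return decisions


if __name__ == "__main__":
    # Constructed targets (not real hosts)
    targets = [
        ("http://example.test/item.php?id=1", None),
        ("http://example.test/item.php?id=2", None),        # same key, skipped
        ("http://example.test/item.php?id=1&cat=2", None),  # cat is new
        ("http://example.test/item.php?id=1", "user=a"),    # body: host/path key
        ("http://example.test/item.php?id=1", "user=b"),    # same key, skipped
    ]
    print(select_targets(targets))
    print(build_param_dict(targets[3][0], targets[3][1]))
    print(split_params("empty=&x=2"))
```

The second target is skipped even though its id value differs, because the key is built from the parameter name, not its value; that is why a list of URLs that only vary a value is tested once per host, path and parameter.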

The session file (output/<host>/session.sqlite, if it exists) is read and its contents loaded into kb, so an earlier run can be resumed.

Then comes checkWaf(), which probes for a WAF. (Oddly, the waf/ directory that older versions shipped is missing from this download: the per-vendor scripts were dropped in the 1.3.x series, and checkWaf() now relies on the identYwaf data bundled under thirdparty/identywaf.)

Then the null-connection check (checkNullConnection), the page stability check (checkStability), and the sorting of the parameter and test lists.

Null connection: according to the user manual, this is a way to learn the size of a page without retrieving its body (HEAD requests, or a Range header). It works very well for boolean-based blind injection, where all that matters is whether the response is "the same page" or not.

With --null-connection enabled, page similarity is computed simply from the page length rather than from the content.

The page similarity algorithm (lib/request/comparison.py, a sequence-matcher ratio checked against fixed bounds and against the ratio measured for the known-FALSE page) is central to sqlmap's detection. Statistics matter elsewhere too: time-based blind detection treats a response as delayed only when its duration exceeds the mean plus a multiple of the standard deviation of the normal response times, so ordinary network jitter is not mistaken for an injected sleep.
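Both decisions just described, "is this the TRUE page or the FALSE page" and "was that response delayed", come down to a few thresholds. The block below is an added example written for this article in the shape of sqlmap's comparison logic; it is not the project's code, and the threshold constants are assumed values modelled on lib/core/settings.py (check them against the copy you are reading). The HTML pages and response times are constructed, not captured from a real target.

```python
import difflib
import statistics

# Assumed values modelled on sqlmap's lib/core/settings.py
UPPER_RATIO_BOUND = 0.98          # above this the candidate is "the same page"
LOWER_RATIO_BOUND = 0.02          # below this it is clearly a different page
DIFF_TOLERANCE = 0.05             # minimum rise over the FALSE ratio to call it TRUE
TIME_STDEV_COEFF = 7              # delayed = mean + 7 * stdev of normal times
MIN_VALID_DELAYED_RESPONSE = 0.5  # seconds; never accept a threshold below this
MIN_TIME_RESPONSES = 30           # fewer samples than this make the estimate shaky


def page_ratio(original, candidate, null_connection=False):
    """Similarity in [0, 1]. Under --null-connection only the lengths are known
    (HEAD or Range requests), so the ratio degrades to a ratio of lengths."""
    if null_connection:
        a, b = len(original), len(candidate)
        return 1.0 if a == b else min(a, b) / max(a, b)
    return difflib.SequenceMatcher(None, original, candidate).ratio()


class PageComparator:
    """Boolean-blind decision logic.

    The baseline is the untouched (TRUE) page. calibrate() measures how far the
    FALSE page (e.g. the 'AND 1=2' response) drifts from it; that match ratio is
    remembered. compare() then answers True / False / None (undecidable).
    """

    def __init__(self, baseline, null_connection=False):
        self.baseline = baseline
        self.null_connection = null_connection
        self.match_ratio = None

    def calibrate(self, false_page):
        ratio = page_ratio(self.baseline, false_page, self.null_connection)
        if LOWER_RATIO_BOUND <= ratio <= UPPER_RATIO_BOUND:
            self.match_ratio = ratio
        return ratio

    def compare(self, page):
        ratio = page_ratio(self.baseline, page, self.null_connection)
        if ratio > UPPER_RATIO_BOUND:
            return True
        if ratio < LOWER_RATIO_BOUND:
            return False
        if self.match_ratio is None:
            return None   # nothing to compare against yet
        # Only a clear rise over the FALSE ratio counts as a TRUE page
        return (ratio - self.match_ratio) > DIFF_TOLERANCE


def delayed_threshold(response_times):
    """mean + TIME_STDEV_COEFF * sample standard deviation of the normal
    (non-injected) response times."""
    mean = statistics.fmean(response_times)
    dev = statistics.stdev(response_times) if len(response_times) > 1 else 0.0
    return mean + TIME_STDEV_COEFF * dev


def was_delayed(response_times, last_duration):
    """Time-based blind verdict. The MIN_VALID_DELAYED_RESPONSE floor keeps a
    very stable, very fast server from turning any jitter into a 'delay'."""
    return last_duration >= max(MIN_VALID_DELAYED_RESPONSE, delayed_threshold(response_times))


# Constructed sample data
BASELINE = "<html><body><h1>Products</h1><p>Item 1: Widget</p><p>Item 2: Gadget</p></body></html>"
FALSE_PAGE = "<html><body><h1>Products</h1></body></html>"
EXTRA_ROW_PAGE = BASELINE.replace("</body>", "<p>Item 3: Gizmo</p></body>")
NORMAL_TIMES = [0.20, 0.21, 0.19, 0.22, 0.20, 0.18, 0.21, 0.20, 0.23, 0.19] * 3

if __name__ == "__main__":
    cmp = PageComparator(BASELINE)
    print("FALSE page ratio:", cmp.calibrate(FALSE_PAGE))
    for label, page in (("TRUE", BASELINE), ("FALSE", FALSE_PAGE), ("EXTRA", EXTRA_ROW_PAGE)):
        print(label, "->", cmp.compare(page))
    print("threshold %.3fs" % delayed_threshold(NORMAL_TIMES))
    print("5.2s delayed?", was_delayed(NORMAL_TIMES, 5.2))
    print("0.45s delayed?", was_delayed(NORMAL_TIMES, 0.45))
```

Note the middle case: the page with an extra row is neither identical to the baseline nor as bare as the FALSE page, so it is only classified TRUE because its ratio clears the FALSE ratio by more than DIFF_TOLERANCE; this is the branch that makes detection robust against dynamic content.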
