2025-01-19 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
This article walks through using Wireshark to work out what data an attacker queried during a SQL injection attack. Many people are unsure how to answer that question from a packet capture, so the editor gathered the available material and condensed it into a simple, practical procedure. Follow along below.
0x001 topic
0x002 Viewing the injection statement
Import the traffic capture into Wireshark.
It looks very messy. The attacker requested the URL from a browser over HTTP/HTTPS, and the capture contains only HTTP, so we filter straight down to the HTTP packets.
Filter to the HTTP request packets.
The injection statement is as follows:
http://localhost:81/?id=1' and ascii(substring((select keyid from flag limit 0,1),1,1))=3%23
This shows that the attacker is using Boolean-based blind SQL injection: each request guesses the ASCII code of one character of the query result, and the page's true/false behaviour confirms or rejects the guess.
0x003 Observing the response packets
Here we reason that the packets returned for a successful injection statement and for a failed one must differ.
Observe the SQL injection response packets.
Response content when the injection fails:
Response content when the injection succeeds:
From this, we can think about whether it is possible to filter out the successful-injection response packets first. So what rule should we filter on, that is, which feature of the response packet should we filter by?
The filter conditions I came up with:
Filter out every response whose body contains the article content
Filter based on the length of the response packet
Response packet length when the injection fails:
Response packet length when the injection succeeds:
I'm not familiar enough with Wireshark's filter syntax to find a way to filter by body content, so here I filter by the length of the response packet instead.
Wireshark HTTP filtering rules (one rule per line, with the original comments):
http.host==magentonotes.com
http.host contains magentonotes.com // filter HTTP packets by the specified domain name; the host value here is not necessarily the domain name in the request
http.response.code==302 // filter HTTP responses with status code 302
http.response==1 // filter all HTTP response packets
http.request==1 // filter all HTTP requests; it seems http.request on its own also works
http.request.method==POST // filter all HTTP requests whose method is POST; note that POST must be uppercase
http.cookie contains guid // filter HTTP packets carrying the specified cookie
http.request.uri=="/online/setpoint" // filter by request URI, where the value is the part after the domain name
http.request.full_uri=="http://task.browser.360.cn/online/setpoint" // to filter on the whole URL including the domain name, use http.request.full_uri
http.server contains "nginx" // filter packets whose Server header field contains nginx
http.content_type=="text/html" // filter HTTP responses and POST packets whose Content-Type is text/html, i.e. filter HTTP packets by file type
http.content_encoding=="gzip" // filter HTTP packets whose Content-Encoding is gzip
http.transfer_encoding=="chunked" // filter by Transfer-Encoding
http.content_length==279
http.content_length_header=="279" // filter by the numeric value of Content-Length
http.server // filter all packets with a Server field in the HTTP header
http.request.version=="HTTP/1.1" // filter HTTP/1.1 packets, including both requests and responses
http.response.phrase=="OK" // filter by the phrase in the HTTP response
Filtering by Content-Length, the filter syntax is http.content_length == 366
All the statements that were injected successfully can then be seen in the response packets.
http://localhost:81/?id=1' and ascii(substring((select keyid from flag limit 0,1),1,1))=102%23
The meaning of this SQL statement: the ASCII code of the first character of keyid is 102.
>>> print(chr(102))  # convert an ASCII code to its character
f
How can we check, one by one, what the ASCII value of the character is for each successful injection?
0x004 Scripting
Export the filtered results above to a text file (aa.txt).
Use a regular expression to extract the injection statements and the ASCII codes of the corresponding characters.
import re

number = []
with open("aa.txt", "r", encoding="utf-8") as f:
    for i in f.readlines():
        # the guessed ASCII code is the number just before the %23 (#) terminator
        flag_number = re.findall(r"\[Request URI:.*?=(\d+)%23\]", i, re.S)
        # the injected URL itself
        url_list = re.findall(r"\[Request URI: (.*?)\]", i, re.S)
        if flag_number:
            print(url_list)
            number.append(flag_number[0])
Note that the order in which the injection statements succeeded, i.e. the order of the places circled above (from the first character through the 38th), is the order in which the injection was executed, so the characters are recovered in that order.
Knowing the ASCII code for each character, we can in turn recover the character from its ASCII code.
Finally, run it to get the flag:
import re

number = []
with open("aa.txt", "r", encoding="utf-8") as f:
    for i in f.readlines():
        flag_number = re.findall(r"\[Request URI:.*?=(\d+)%23\]", i, re.S)
        url_list = re.findall(r"\[Request URI: (.*?)\]", i, re.S)
        if flag_number:
            print(url_list)
            number.append(flag_number[0])
print(number)

# turn the list of ASCII codes back into the string the attacker extracted
flag = ''
for i in number:
    flag += chr(int(i))
print(flag)
This concludes the study of "Wireshark analyzes what data the attacker queried during SQL injection". I hope it has answered your questions. Combining theory with practice is the best way to learn, so go and try it on a capture of your own.