2025-02-24 Update From: SLTechnology News&Howtos, Network Security
Shulou (Shulou.com) 05/31 Report
This article analyzes two problems encountered with sqlmap. The explanation is detailed, the steps are reproducible, and it should be of some reference value to anyone doing injection testing with the tool.
0x00 Overview
While doing injection testing with sqlmap recently I ran into an odd phenomenon: a newer version of sqlmap could not detect an injection that an older version detected, and the older version went on to dump data, so this was not a false positive. After comparative testing and reading the sqlmap source code, I found two small pitfalls.
0x01 Reproducing the scenario
Injection point: a JSON request body, of the form
"whereparams": [{"name": "keyWord", "value": "test"}]}
Injectable parameter: value
sqlmap command (the request is saved in sqlpk.txt and read with -r):
python sqlmap.py -r sqlpk.txt --flush-session -vv
sqlmap v1.2.11: injection not detected
sqlmap v1.2: injection detected
Likewise, v1.2.10 fails to detect the injection while v1.1.12 detects it.
After analysis, the two pitfalls are as follows:
(1) boundaries.xml in v1.2.11 (and v1.2.10, v1.2.9, master) contains no test for fuzzy (LIKE '%...%') queries, whereas v1.2 (and v1.1.12, v1.1.4, v1.2.2) does.
(2) In v1.2.11 (and v1.2.10, v1.2.9, master) you must manually mark the JSON parameter with * to inject into it (even if you answer y when sqlmap asks whether to process the JSON data); otherwise the payload is appended directly after the JSON body and no injection is possible. v1.2 (and v1.1.12) injects into JSON parameters by default.
0x02 Detailed testing
Pitfall (1):
First, a look at how sqlmap composes a payload: a boundary prefix, the test payload itself, and a boundary suffix.
(image source: https://www.freebuf.com/colum...)
Now look at the test payload that v1.2 sends:
Payload: %' AND 5731=5731 AND '%'='
This is a very common search-box injection: the %' closes the LIKE pattern and the trailing '%'=' re-balances the quotes.
Compare boundaries.xml in v1.2 (which has a boundary with prefix %' and suffix AND '%'=') with the same file in v1.2.11:
boundaries.xml in v1.2.11 has no injection test for fuzzy queries at all!
https://github.com/sqlmapproj...
So add the fuzzy-query injection test back to boundaries.xml in v1.2.11, manually mark the injectable parameter (value) with *, and the injection succeeds.
The patched version is here:
https://github.com/theLSA/sql...
The PR got a reply: the relevant payloads had been removed because they produced too many false positives, but they would be restored in a limited form.
https://github.com/sqlmapproj...
Pitfall (2):
Compare the payloads sent by v1.2 and v1.2.11:
v1.2.11 appends the payload directly to the end of the JSON body, which breaks the JSON before the value ever reaches the query.
Manually mark the injectable parameter value with * in the request file:
%22whereparams%22%3A%5B%7B%22name%22%3A%22keyWord%22%2C%22value%22%3A%22*%22%7D%5D%7D
(URL-decoded: "whereparams":[{"name":"keyWord","value":"*"}]})
With the marker in place the injection succeeds!
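The following added example (not code from the article or from sqlmap) reproduces both pitfalls against a toy backend so you can see why each one hides the injection. It models the target as a SQLite in-memory table queried through a deliberately vulnerable LIKE '%...%' search, composes sqlmap-style payloads from a boundary prefix and suffix, and places them into the request either through a * marker (pitfall 2 done right) or by appending them to the JSON body (what the article observed in v1.2.11). Assumptions: the request file, the host target.example, the table contents and the completing opening brace of the article's JSON fragment are all constructed here; the "plain" boundary stands in for sqlmap's ordinary single-quote boundary and the "fuzzy" boundary for the %' / AND '%'=' pair the article says v1.2.11 lacks.

```python
import json
import sqlite3

# Constructed request file in the shape sqlmap reads with -r (the article's sqlpk.txt).
# The body is the article's JSON fragment completed with an opening brace (assumption);
# the "*" marks the value sqlmap should inject into.
REQUEST_FILE = """POST /search HTTP/1.1
Host: target.example
Content-Type: application/json

{"whereparams":[{"name":"keyWord","value":"*"}]}"""

# Boundaries in the shape of sqlmap's boundaries.xml entries: the prefix goes before the
# test payload, the suffix after it. "plain" is the ordinary single-quote boundary present
# in every version; "fuzzy" is the LIKE boundary the article says v1.2.11 is missing.
BOUNDARIES = {
    "plain": ("'", "AND 'abcd'='abcd"),
    "fuzzy": ("%'", "AND '%'='"),
}


def build_payload(prefix, condition, suffix):
    """Compose prefix + boolean test + suffix, e.g. %' AND 5731=5731 AND '%'='."""
    return f"{prefix} AND {condition} {suffix}"


def body_from_request(raw_request):
    """Return the body of a raw HTTP request (everything after the blank line)."""
    return raw_request.split("\n\n", 1)[1]


def inject_marker(body_template, payload):
    """Correct placement: the * marker inside the JSON value is replaced by the payload."""
    return body_template.replace("*", payload)


def inject_append(body_template, payload):
    """Pitfall 2 as observed: original value kept, payload glued to the end of the JSON."""
    return body_template.replace("*", "test") + payload


def make_db():
    """Constructed sample data standing in for the target's table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO items (name) VALUES (?)",
                     [("test item",), ("other",), ("testing",)])
    return conn


def vulnerable_search(conn, keyword):
    # Deliberately vulnerable: the keyword is concatenated into a LIKE pattern,
    # which is exactly the context the %' ... '%'=' boundary is built for.
    sql = f"SELECT id FROM items WHERE name LIKE '%{keyword}%'"
    return [row[0] for row in conn.execute(sql)]


def handle_request(conn, body):
    """Toy endpoint: parse the JSON, pull whereparams[].value for keyWord, run the search.
    Returns the matching ids, or None when the request never reaches a valid query."""
    try:
        data = json.loads(body)
    except json.JSONDecodeError:
        return None  # a payload appended after the JSON breaks parsing here
    keyword = next(p["value"] for p in data["whereparams"] if p["name"] == "keyWord")
    try:
        return vulnerable_search(conn, keyword)
    except sqlite3.OperationalError:
        return None  # SQL syntax error: quotes left unbalanced


def boolean_blind_detectable(conn, body_template, boundary, placer):
    """True when a true and a false condition yield different responses, i.e. when a
    boolean-based blind test with this boundary and placement would detect the injection."""
    prefix, suffix = BOUNDARIES[boundary]
    true_rows = handle_request(conn, placer(body_template, build_payload(prefix, "5731=5731", suffix)))
    false_rows = handle_request(conn, placer(body_template, build_payload(prefix, "5731=5732", suffix)))
    return true_rows is not None and true_rows != false_rows


def run_matrix():
    """Every boundary against every placement: (boundary, placement) -> detectable."""
    conn = make_db()
    body = body_from_request(REQUEST_FILE)
    results = {}
    for boundary in BOUNDARIES:
        for placer_name, placer in (("marker", inject_marker), ("append", inject_append)):
            results[(boundary, placer_name)] = boolean_blind_detectable(conn, body, boundary, placer)
    return results


if __name__ == "__main__":
    for (boundary, placement), ok in run_matrix().items():
        print(f"boundary={boundary:5} placement={placement:6} boolean-blind detectable: {ok}")
```

Reading the matrix: only the fuzzy boundary placed through the marker is detectable. With the plain boundary the query becomes name LIKE '%' AND 5731=5731 AND 'abcd'='abcd%', and the trailing 'abcd'='abcd%' is false whether the test condition is true or not, so both probes return nothing and the blind test sees no difference (pitfall 1). With the payload appended after the JSON, the body is no longer valid JSON and never reaches the database at all, whichever boundary is used (pitfall 2).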
0x03 Conclusion
Personally, I recommend keeping a fuzzy-query test payload: a false positive is better than a false negative, and LIKE '%...%' injection is very common.
When the injectable parameter sits in JSON, mark it manually with * (necessary for some sqlmap versions).
Add -vv when testing with sqlmap so you can see what it is actually doing.
Do not rely too much on tools; combining tool-based and manual testing is the safe choice.
© 2024 shulou.com SLNews company. All rights reserved.