When injecting, first determine whether the parameter is injectable:
http://site/script?id=10
http://site/script?id=11-1 # equivalent to id=10
http://site/script?id=(select 10) # equivalent to id=10
http://site/script?id=10 and 1=1 # fails
From this we can tell that "and" and "or" are being filtered.
http://site/script?id=10-- # fails
http://site/script?id=10;-- # fails
http://site/script?id=10);-- # fails
http://site/script?id=10) subquery;-- # fails
Running a wordlist through Burp's Intruder also fails.
Here the SQL CASE ... WHEN ... THEN ... ELSE ... END statement can be used.
CASE WHEN is standard SQL and is supported by the major databases such as DB2, Oracle, the SQL Server family and Sybase. It reads as: CASE ... WHEN ... THEN ... ELSE ... END
CASE WHEN syntax comes in two forms. In the first, nothing follows CASE and each WHEN holds a condition:
CASE WHEN condition 1 THEN action 1
WHEN condition 2 THEN action 2
.......
ELSE action N
END
In the second, CASE is followed by an expression and each WHEN lists one possible value of that expression; this is the general form.
CASE expression
WHEN value 1 THEN action 1
WHEN value 2 THEN action 2
.......
ELSE action N
END
http://host/script?id=11-(case when 1=1 then 1 else 0 end)
Test with 1=1 and 1=2:
http://host/script?id=10 # when the condition is true
http://host/script?id=11 # when the condition is false
The two responses clearly differ, so the parameter can be judged injectable. So how do we get sqlmap to recognise it? By default sqlmap looks for the injection point itself, but if you add a * you can point it at the right place. Statement:
sqlmap.py -u "http://host/script?id=11-(case when 1=1* then 1)"
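To make the mechanism behind the probes above concrete, here is an added Python example; it is not part of the original post and not sqlmap code. It builds a constructed in-memory SQLite table, runs the page's id values through a query that concatenates the parameter into the SQL text, and then through a parameterized query that only accepts a plain integer. The table name items and the row values are assumptions made for the example.

```python
import sqlite3

# Constructed sample data standing in for the application behind "script?id=".
ROWS = [(10, "ten"), (11, "eleven")]

# The probe values from the page, keyed by what each one demonstrates.
PROBES = {
    "plain":      "10",
    "arithmetic": "11-1",
    "subquery":   "(select 10)",
    "case_true":  "11-(case when 1=1 then 1 else 0 end)",
    "case_false": "11-(case when 1=2 then 1 else 0 end)",
}


def make_db():
    """Create an in-memory database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO items VALUES (?, ?)", ROWS)
    return conn


def lookup_vulnerable(conn, raw_id):
    """Concatenates the parameter into the SQL text. Arithmetic, subqueries
    and CASE expressions in the value are evaluated by the database, so
    "11-1", "(select 10)" and the true CASE probe all resolve to id 10."""
    row = conn.execute("SELECT name FROM items WHERE id = " + raw_id).fetchone()
    return row[0] if row else None


def lookup_safe(conn, raw_id):
    """Validates the parameter as an integer and binds it as a query parameter,
    so the value is data, never SQL. Anything that is not a plain number is
    rejected before it reaches the database."""
    try:
        item_id = int(raw_id)
    except ValueError:
        return None
    row = conn.execute("SELECT name FROM items WHERE id = ?", (item_id,)).fetchone()
    return row[0] if row else None


def run_probes(lookup):
    """Run every probe through the given lookup and collect the returned names."""
    conn = make_db()
    return {label: lookup(conn, value) for label, value in PROBES.items()}


if __name__ == "__main__":
    vuln, safe = run_probes(lookup_vulnerable), run_probes(lookup_safe)
    for label, value in PROBES.items():
        print(f"{label:10} {value!r:42} vulnerable={vuln[label]!r:9} safe={safe[label]!r}")
```

The vulnerable lookup returns "ten" for every probe except the false CASE branch, which is exactly the difference in responses the page uses to confirm injection; the parameterized lookup returns a row only for the plain integer, so the CASE probe no longer reveals anything.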
The biggest headache in injection is running into filters. sqlmap provides character-conversion (tamper) functionality, e.g. --tamper=between. You can of course write your own conversions; the scripts live in the tamper/ directory.
For POST injection, sqlmap can load a captured request packet with the -r parameter:
sqlmap.py -r post.txt
One more note: logical operators such as HAVING and XOR can also be used to determine injection.
TIP2
POST injection
There are two methods for POST injection. One is the --data parameter, where the POST keys and values are submitted in the same form as a GET query string. The other is the -r parameter, where sqlmap reads a POST request packet that the user has captured and uses it for the injection test.
View payload
Previously I had added a local proxy and used Burp Suite to see sqlmap's payloads; only now did I find that the -v parameter can do this. I always thought -v only controlled the level of warning and debug information, but actually with -v 3 the injected payload is displayed, and 4, 5 and 6 additionally display the HTTP requests, HTTP response headers, and response pages.
Using Google search
sqlmap can test the results of a Google search for SQL injection, which is a powerful feature; the parameter is -g. In practice, however, it is rarely used.
Request delay
If requests are sent too frequently during injection they may be blocked by a firewall; this is where the --delay parameter comes in. It sets the delay between two HTTP requests. Some web applications block all further requests after several erroneous accesses, so every subsequent test fails; to get around this policy, use --safe-url to visit a normal page every so often.
Pseudo-static pages
Some web servers use URL rewriting, or the site is pseudo-static, so the test parameter cannot be supplied directly; in that case use * in place of the parameter to be tested.
Execute system command
When the database supports it and the current user has the privileges, system commands can be executed with --os-cmd or --os-shell. Specifically, when multiple statements can be executed, a UDF (MySQL, PostgreSQL) or xp_cmdshell (MSSQL) is tried to execute the system command. When multiple statements cannot be executed, it still tries to create a webshell to execute the command, which requires the absolute path of the web root. Overall the success rate is low, but I have personally had it succeed.
Test level
sqlmap uses the --level parameter to set how thorough the test is; the default is 1. Different levels affect which payloads are used: at level 2 cookie injection is tested, and at level 3 the User-Agent is tested as well.
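The probe patterns at the top of this page, together with the note that level 2 and level 3 also put payloads into the Cookie and User-Agent headers, tell a defender what to look for in web logs. The following Python script is an added example, not part of the original post or of sqlmap: it scans a constructed pipe-delimited log (client IP, request target, Cookie header, User-Agent header; a format assumed for the example) for arithmetic and boolean operators after a numeric value, subqueries, CASE WHEN, tautologies and comment sequences, and reports which field carried them.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed sample log: client_ip | request_target | Cookie header | User-Agent header
SAMPLE_LOG = """\
10.0.0.5|/script?id=10|sid=abc123|Mozilla/5.0
10.0.0.5|/script?id=11-1|sid=abc123|Mozilla/5.0
10.0.0.5|/script?id=%28select+10%29|sid=abc123|Mozilla/5.0
10.0.0.5|/script?id=11-%28case+when+1%3D1+then+1+else+0+end%29|sid=abc123|Mozilla/5.0
10.0.0.5|/script?id=10|sid=11-(case when 1=2 then 1 else 0 end)|Mozilla/5.0
10.0.0.5|/script?id=10|sid=abc123|Mozilla/5.0 (select 10)
10.0.0.9|/search?q=cats+or+dogs|sid=zzz|Mozilla/5.0
"""


def scan_value(value):
    """Return the names of the probe patterns found in one decoded value."""
    hits = []
    # A value that starts as a number but continues with arithmetic (11-1)
    # or a boolean operator (10 and 1=1) is being evaluated by the database.
    if re.match(r"\s*\d+\s*[-+*/]\s*[\d(]", value):
        hits.append("arithmetic")
    if re.match(r"\s*\d+\s+(and|or|xor)\b", value, re.I):
        hits.append("boolean_operator")
    if re.search(r"\(\s*select\b", value, re.I):
        hits.append("subquery")
    if re.search(r"\bcase\s+when\b", value, re.I):
        hits.append("case_when")
    if re.search(r"\b(\d+)\s*=\s*\1\b", value):       # 1=1 style tautology
        hits.append("tautology")
    if "--" in value:                                   # SQL comment terminator
        hits.append("sql_comment")
    return hits


def scan_line(line):
    """Yield (field, name, hits) for every suspicious value in one log line."""
    _ip, target, cookie, user_agent = line.split("|", 3)
    # Query string: parse_qsl decodes percent-encoding and '+' for us.
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        hits = scan_value(value)
        if hits:
            yield ("query", name, hits)
    # Cookie header: each name=value pair is checked separately.
    for part in cookie.split(";"):
        name, _, value = part.strip().partition("=")
        hits = scan_value(unquote(value))
        if hits:
            yield ("cookie", name, hits)
    # User-Agent header: checked as a single value.
    hits = scan_value(user_agent)
    if hits:
        yield ("user-agent", "", hits)


def scan_log(text):
    """Return (line_no, field, name, hits) for every finding in the log text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.strip():
            for field, name, hits in scan_line(line):
                findings.append((lineno, field, name, hits))
    return findings


if __name__ == "__main__":
    for lineno, field, name, hits in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: {field} {name!r} -> {', '.join(hits)}")
```

The last constructed line (a search for "cats or dogs") produces no finding because the boolean-operator check only fires when the value begins with a number, the situation the page's id probes describe; tune the patterns to your own parameter names and value formats before relying on them.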
Sqlmap Injection Skill Collection