SQLMAP Automatic Injection (ii)
Request
###################################################
#inurl:.php?id=
1. Data segment: --data
Used with both GET and POST requests
POST method: sqlmap -u "http://1.1.1.1/a.php" --data="user=1&pass=2" -f
#sqlmap automatically recognises "&" as the separator between variables
GET method: sqlmap -u "http://1.1.1.1/a.php" --data="user=1&pass=2"
2. Variable delimiter: --param-del
#Most web applications use & as the delimiter between variables, but some use ";", "/" and so on; use --param-del to specify it
sqlmap -u "http://1.1.1.1/a.php" --data="q=foo;id" --param-del=";" -f
3. Cookie header (target: DVWA)
For web apps that require cookie-based authentication
Injection points inside the cookie are also tested (sqlmap tests them automatically)
# The cookie is scanned for injection points only when --level >= 2
# When the server updates the cookie, sqlmap detects the new Set-Cookie header and automatically switches to the new cookie ("--drop-set-cookie disables this behaviour")
sqlmap -u "http://1.1.1.1/a.php?id=1" --cookie="a=1;b=2" -f
4. --user-agent
sqlmap/1.0-dev-xxxxxx (this is the default User-Agent)
--random-agent "Use a random User-Agent, drawn from sqlmap's User-Agent dictionary file"
5. Error when an app/WAF/IPS/IDS filters the default User-Agent
[hh:mm:20] [ERROR] the target URL responded with an unknown HTTP status code, try to force the HTTP User-Agent header with option --user-agent or --random-agent
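From the defender's side, the same facts (sqlmap's stock User-Agent, and that --random-agent/--delay hide it) suggest pairing a signature check with a behavioural one. The following is an added example, not code from the original post: it parses constructed "combined"-format access-log lines, flags the stock sqlmap User-Agent and server errors on parameterised URLs, and flags any client that exceeds an assumed per-second request threshold.

```python
import re
from collections import defaultdict

# Matches the common Apache/nginx "combined" log format; the group names are this example's own.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# sqlmap's stock User-Agent starts with "sqlmap/" (the page shows "sqlmap/1.0-dev-xxxxxx").
SQLMAP_UA = re.compile(r"^sqlmap/", re.IGNORECASE)
BURST_PER_SECOND = 3  # behavioural threshold; an assumption of this example

# Constructed sample traffic (not real logs): one client sends four requests in the same second.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:12:00:01 +0000] "GET /a.php?id=1 HTTP/1.1" 200 512 "-" "sqlmap/1.0-dev-abcdef (http://sqlmap.org)"
10.0.0.5 - - [01/Jan/2024:12:00:01 +0000] "GET /a.php?id=1%20AND%201=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0) Firefox/115.0"
10.0.0.5 - - [01/Jan/2024:12:00:01 +0000] "GET /a.php?id=1%27 HTTP/1.1" 500 0 "-" "Mozilla/5.0 (X11; Linux) Chrome/120"
10.0.0.5 - - [01/Jan/2024:12:00:01 +0000] "GET /a.php?id=2 HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Macintosh) Safari/17"
10.0.0.9 - - [01/Jan/2024:12:00:02 +0000] "POST /a.php HTTP/1.1" 200 301 "http://www.a.com/" "Mozilla/5.0"
"""

def line_tags(rec):
    """Per-request indicators: the stock sqlmap UA, and a 5xx on a parameterised URL."""
    tags = []
    if SQLMAP_UA.search(rec["ua"]):
        tags.append("sqlmap_default_ua")
    if rec["status"].startswith("5") and "?" in rec["path"]:
        tags.append("server_error_on_query")
    return tags

def summarize(log_text):
    """Group indicators per client IP; adds 'burst' when one IP exceeds BURST_PER_SECOND."""
    per_ip = defaultdict(lambda: defaultdict(int))
    per_second = defaultdict(int)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            per_ip["?"]["unparsed"] += 1
            continue
        rec = m.groupdict()
        for tag in line_tags(rec):
            per_ip[rec["ip"]][tag] += 1
        per_second[(rec["ip"], rec["ts"].split(" ")[0])] += 1  # bucket by whole second
    for (ip, _), n in per_second.items():
        if n > BURST_PER_SECOND:
            per_ip[ip]["burst"] += 1
    return {ip: dict(tags) for ip, tags in per_ip.items()}
```

A client with only "burst" and no UA hit is what a --random-agent scan looks like in the log; the UA signature alone would miss it.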
6. Host header: --host "Injection points here exist but are relatively rare"
Requires: --level=5
7. Referer header: --referer "Theoretically a possibility"
When the browser sends a request to the web server, it usually carries an HTTP Referer telling the server which page the link was followed from; the server can use this information in its processing.
Requires: --level >= 3
8. Additional headers: --headers "Developers may add custom HTTP headers"
One header per line (header names are case sensitive)
sqlmap -u "http://1.1.1.1/a.php?id=1" --headers="Host: www.a.com\nuser-agent: yqwr" "\n separates the lines; mind the case"
## By default the GET method is used; if that fails, the POST method is tried
--method=POST/GET
9. HTTP protocol-level authentication
Basic/Digest/NTLM "Authentication types: https://technet.microsoft.com/zh-cn/library/ms191264(v=sql.105).aspx"
sqlmap -u "http://1.1.1.1/a.php?id=1" --auth-type basic --auth-cred "user:pass"
10. --auth-cert/--auth-file "Rare"
Authentication based on a client certificate
--auth-file="ca.pem"
A PEM-format certificate file containing the private key (or a PEM-format certificate chain)
11. HTTP(S) proxy
--proxy="http://127.0.0.1:8087"
--proxy-cred="name:pass"
--ignore-proxy
Ignore system-level proxy settings; typically used when scanning targets on the local network
sqlmap -u "http://1.1.1.1/a.php?id=1" --proxy="http://127.0.0.1:8087" -f
# Option syntax: --option="value"
--delay
Delay between HTTP(S) requests, a floating-point number of seconds; no delay by default; choose it according to network bandwidth
--timeout
Request timeout, a floating-point number of seconds; default is 30 seconds
--retries
Number of retries when an HTTP(S) connection times out; default is 3
--randomize
Specify a parameter whose value is randomised on every request; the random value keeps the length and type of the original value
#e.g.: sqlmap -u "http://1.1.1.1/a.php?id=100" --randomize="id"
--scope "Function: restrict the scope"
Filter the log content: select the targets to scan with a regular expression
sqlmap -l burp.log --scope="(www)?\.target\.(com|net|org)"
sqlmap -l 2.log --scope="(19)?\.168\.20\.(1|10|100)" --level 3 --dbs
Injection points in the User-Agent
#Using the Mutillidae target, capture GET/POST requests
0x00 Log the traffic with Burp Suite
0x01 Crawl Mutillidae by browsing it manually
--safe-url/--safe-freq
Detection and blind injection can produce a large number of failed requests, and the server side may destroy the session
Send one normal request (to --safe-url) after every --safe-freq injection requests
--skip-urlencode
By default the GET method URL-encodes the transmitted content, but some web servers do not follow the RFC encoding and submit data as raw characters. "This is a property of the web application that must be analysed before scanning"
--eval
"Typical usage scenario: password-retrieval links in some web applications
(sqlmap -u "http:/mailaddress&hash=wqd32ni5abvi7a" --eval="import hashlib;hash=hashlib.md5(id).hexdigest()" {where the hash value is the hash of the email address; in other cases the hash value is derived from the time}"
Executes the specified Python code before each request
Changes or adds a parameter value on every request (values that depend on the time or on other parameter values)
Newbie Diary 44: Kali penetration testing, web penetration, sqlmap automatic injection (II), sqlmap request parameters in detail