
sqlmap Study Notes (2)

2012-06-30 

The previous post touched on payload.xml; this one goes through it in detail.

The help comment in payload.xml reads:

<!--
Tag: <boundary>
How to prepend and append to the test ' <payload><comment> ' string.

Sub-tag: <level>
From which level check for this test.

Valid values:
1: Always (<100 requests)
2: Try a bit harder (100-200 requests)
3: Good number of requests (200-500 requests)
4: Extensive test (500-1000 requests)
5: You have plenty of time (>1000 requests)

Sub-tag: <clause>
In which clause the payload can work.

NOTE: for instance, there are some payloads that do not have to be
tested as soon as it has been identified whether or not the
injection is within a WHERE clause condition.

Valid values:
0: Always
1: WHERE / HAVING
2: GROUP BY
3: ORDER BY
4: LIMIT
5: OFFSET
6: TOP
7: Table name
8: Column name

A comma separated list of these values is also possible.

Sub-tag: <where>
Where to add our '<prefix> <payload><comment> <suffix>' string.

Valid values:
1: When the value of <test>'s <where> is 1.
2: When the value of <test>'s <where> is 2.
3: When the value of <test>'s <where> is 3.

A comma separated list of these values is also possible.

Sub-tag: <ptype>
What is the parameter value type.

Valid values:
1: Unescaped numeric
2: Single quoted string
3: LIKE single quoted string
4: Double quoted string
5: LIKE double quoted string

Sub-tag: <prefix>
A string to prepend to the payload.

Sub-tag: <suffix>
A string to append to the payload.


Tag: <test>
SQL injection test definition.

Sub-tag: <title>
Title of the test.

Sub-tag: <stype>
SQL injection family type.

Valid values:
0: Heuristic check to parse response errors
1: Boolean-based blind SQL injection
2: Error-based SQL injection
3: UNION query SQL injection
4: Stacked queries SQL injection
5: AND/OR time-based blind SQL injection

Sub-tag: <level>
From which level check for this test.

Valid values:
1: Always (<100 requests)
2: Try a bit harder (100-200 requests)
3: Good number of requests (200-500 requests)
4: Extensive test (500-1000 requests)
5: You have plenty of time (>1000 requests)

Sub-tag: <risk>
Likelihood of a payload to damage the data integrity.

Valid values:
0: No risk
1: Low risk
2: Medium risk
3: High risk

Sub-tag: <clause>
In which clause the payload can work.

NOTE: for instance, there are some payloads that do not have to be
tested as soon as it has been identified whether or not the
injection is within a WHERE clause condition.

Valid values:
0: Always
1: WHERE / HAVING
2: GROUP BY
3: ORDER BY
4: LIMIT
5: OFFSET
6: TOP
7: Table name
8: Column name

A comma separated list of these values is also possible.

Sub-tag: <where>
Where to add our '<prefix> <payload><comment> <suffix>' string.

Valid values:
1: Append the string to the parameter original value
2: Replace the parameter original value with a negative random
integer value and append our string
3: Replace the parameter original value with our string

Sub-tag: <vector>
The payload that will be used to exploit the injection point.

Sub-tag: <request>
What to inject for this test.

Sub-tag: <payload>
The payload to test for.

Sub-tag: <comment>
Comment to append to the payload, before the suffix.

Sub-tag: <char>
Character to use to bruteforce number of columns in UNION
query SQL injection tests.

Sub-tag: <columns>
Range of columns to test for in UNION query SQL injection
tests.

Sub-tag: <response>
How to identify if the injected payload succeeded.

Sub-tag: <comparison>
Perform a request with this string as the payload and compare
the response with the <payload> response. Apply the comparison
algorithm.

NOTE: useful to test for boolean-based blind SQL injections.

Sub-tag: <grep>
Regular expression to grep for in the response body.

NOTE: useful to test for error-based SQL injection.

Sub-tag: <time>
Time in seconds to wait before the response is returned.

NOTE: useful to test for time-based blind and stacked queries
SQL injections.

Sub-tag: <union>
Calls unionTest() function.

NOTE: useful to test for UNION query (inband) SQL injection.

Sub-tag: <oob>
# TODO

Sub-tag: <details>
Which details can be inferred if the payload succeeds.

Sub-tags: <dbms>
What is the database management system (e.g. MySQL).

Sub-tags: <dbms_version>
What is the database management system version (e.g. 5.0.51).

Sub-tags: <os>
What is the database management system underlying operating
system.

Formats:
<boundary>
<level></level>
<clause></clause>
<where></where>
<ptype></ptype>
<prefix></prefix>
<suffix></suffix>
</boundary>

<test>
<title></title>
<stype></stype>
<level></level>
<risk></risk>
<clause></clause>
<where></where>
<vector></vector>
<request>
<payload></payload>
<comment></comment>
<char></char>
<columns></columns>
</request>
<response>
<comparison></comparison>
<grep></grep>
<time></time>
<union></union>
<oob></oob>
</response>
<details>
<dbms></dbms>
<dbms_version></dbms_version>
<os></os>
</details>
</test>
-->


Here is an example test:

<test>
    <title>MySQL UNION query (NULL) - 1 to 10 columns</title>
    <stype>3</stype>
    <level>1</level>
    <risk>1</risk>
    <clause>1,2,3,4,5</clause>
    <where>1</where>
    <vector>[UNION]</vector>
    <request>
        <payload/>
        <comment>#</comment>
        <char>NULL</char>
        <columns>1-10</columns>
    </request>
    <response>
        <union/>
    </response>
    <details>
        <dbms>MySQL</dbms>
    </details>
</test>


First, the comment shows that the payloads file has two kinds of elements, <boundary> and <test>.

A boundary is the wrapping material used when injecting, things like ' ) ( and 1=1 and '1'='1,

while a test is the actual statement used for the injection, something like a select. The difference between the two is fairly clear.

Let's start with the sub-elements the two have in common:

1. level. Every test must have this attribute; it says which tier of SQL injection testing the test belongs to. In other words, when you actually run sqlmap you specify a level (default 1, anything from 1 to 5). At level 1 roughly fewer than 100 injection tests are executed; the higher the level, the more tests run, and if you specify level 5 every test marked 1, 2, 3, 4 or 5 is executed. Note that at level 5 the number of injected SQL statements is likely to exceed 1000, and more again once table contents are being guessed, so more tests is not automatically better: it puts a heavy load on the connection.

Also, the example above, UNION query (NULL), is level 1, the most basic test; UNION NULL column counting is in fact the most common technique. If you actually use it, though, you will find a problem: the later tests for 11-20 columns and 21-30 columns are given different levels. I guess the authors assumed a query rarely has more than 10 columns, but I don't think that is very reasonable, so I recommend changing the level of those later tests to 1; the results in practice are much better.


2. clause. This is a condition attribute; a test may select more than one value:

Sub-tag: <clause>
In which clause the payload can work.

NOTE: for instance, there are some payloads that do not have to be
tested as soon as it has been identified whether or not the
injection is within a WHERE clause condition.

Valid values:
0: Always
1: WHERE / HAVING
2: GROUP BY
3: ORDER BY
4: LIMIT
5: OFFSET
6: TOP
7: Table name
8: Column name


Look at the example <title>MySQL UNION query (NULL) - 1 to 10 columns</title>: it has <clause>1,2,3,4,5</clause>, meaning the UNION can be used in a WHERE/HAVING clause and in GROUP BY, ORDER BY, LIMIT and OFFSET clauses. In the many tests that follow you will see that basically only the first few values are in common use, especially 1-5. If you are unsure about a SQL statement you wrote yourself, just mark it as 1.


3. where.

Sub-tag: <where>
Where to add our '<prefix> <payload><comment> <suffix>' string.

Valid values:
1: When the value of <test>'s <where> is 1.
2: When the value of <test>'s <where> is 2.
3: When the value of <test>'s <where> is 3.

A comma separated list of these values is also possible.

This is the comment for <boundary>; I suspect it is written wrong. The comment in <test> is:


Sub-tag: <where>
Where to add our '<prefix> <payload><comment> <suffix>' string.

Valid values:
1: Append the string to the parameter original value
2: Replace the parameter original value with a negative random
integer value and append our string
3: Replace the parameter original value with our string


That one is probably correct. In practice, 1 means appended after the original parameter value, roughly the id=1 ' idea; 2 is roughly the id=31231 ' idea; and 3 is roughly the id=' idea. The subtle differences are worth thinking through; treat each SQL statement on its own terms.


Next come the concepts specific to each element.

4. The ptype attribute in <boundary>

1: Unescaped numeric
2: Single quoted string
3: LIKE single quoted string
4: Double quoted string
5: LIKE double quoted string

In practice this is the type of the boundary's value: a number, a single quoted string, or a double quoted string.


5. The <prefix> and <suffix> pair in <boundary>: the prefix and suffix. For example, because in practice a payload may be repeated and iterated, as in that UNION NULL case, something like the select can be set as the prefix.


6. Concepts specific to <test>

<title> is for display and not much use, but don't give it a meaningless name either. Something like Microsoft SQL Server/Sybase error-based - Parameter replace is good: it states the database, the injection type and the specific function.


<stype>, a fairly important attribute:

Valid values:
0: Heuristic check to parse response errors
1: Boolean-based blind SQL injection
2: Error-based SQL injection
3: UNION query SQL injection
4: Stacked queries SQL injection
5: AND/OR time-based blind SQL injection


This is a classification: which functional module the test you wrote belongs to, whether it is blind injection, UNION injection or time-based. This one is also quite straightforward.


<risk> is also an important attribute:

Valid values:
0: No risk
1: Low risk
2: Medium risk
3: High risk


In essence: if your SQL injection statement contains update, insert, delete or anything more aggressive, do not set it to 0, and when you use sqlmap yourself do not casually set --risk to a high value, because higher-risk operations have a DDL-like character and can easily change the data in the database. Be careful and deliberate.
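To make the level and risk gating described in points 1 and 6 concrete, here is an added example (mine, not sqlmap's own code): a small parser over a constructed payload.xml-style fragment that reads each <test>'s gating fields and returns the tests a given --level/--risk run would select. The fragment, the STYPE names and the selection function are assumptions for illustration; the default values of 1/1 match sqlmap's defaults.

```python
# Added example (not sqlmap's own code): parse a payload.xml-style fragment and
# apply the <level>/<risk>/<clause> gating the post describes.
import xml.etree.ElementTree as ET

# Constructed fragment in payload.xml format: the post's 1-10 columns test, a
# sibling at level 2, and an invented high-risk stacked-queries test.
SAMPLE_XML = """<root>
<test><title>MySQL UNION query (NULL) - 1 to 10 columns</title>
  <stype>3</stype><level>1</level><risk>1</risk>
  <clause>1,2,3,4,5</clause><where>1</where>
  <details><dbms>MySQL</dbms></details></test>
<test><title>MySQL UNION query (NULL) - 11 to 20 columns</title>
  <stype>3</stype><level>2</level><risk>1</risk>
  <clause>1,2,3,4,5</clause><where>1</where></test>
<test><title>Constructed stacked queries test (high risk)</title>
  <stype>4</stype><level>1</level><risk>3</risk>
  <clause>1</clause><where>1</where></test>
</root>"""

STYPE = {0: "heuristic", 1: "boolean-blind", 2: "error-based",
         3: "union", 4: "stacked", 5: "time-blind"}

def parse_tests(xml_text):
    """Return the gating fields of every <test> as a list of dicts."""
    tests = []
    for t in ET.fromstring(xml_text).iter("test"):
        tests.append({
            "title": t.findtext("title"),
            "stype": STYPE[int(t.findtext("stype"))],
            "level": int(t.findtext("level")),
            "risk": int(t.findtext("risk")),
            # <clause> is a comma separated list; 0 means "any clause"
            "clause": {int(c) for c in t.findtext("clause").split(",")},
            "dbms": t.findtext("details/dbms"),  # None when absent
        })
    return tests

def select_tests(tests, level=1, risk=1, clause=None):
    """Titles of tests that run at the given --level/--risk (sqlmap defaults
    are 1/1) and, if the injection clause is known, that fit that clause."""
    chosen = []
    for t in tests:
        if t["level"] > level or t["risk"] > risk:
            continue  # above the requested thoroughness or damage risk
        if clause is not None and not t["clause"] & {0, clause}:
            continue  # payload cannot work in this clause
        chosen.append(t["title"])
    return chosen
```

At the defaults only the 1-10 columns test is selected; raising level to 2 adds the 11-20 columns test, and the high-risk test only appears once risk is raised to 3, which is exactly why the post warns against casually raising --risk.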


<vector> is the SQL injection form to be executed; in the example above it is <vector>[UNION]</vector>, which is in fact the union all select form. This is a detail I still need to study.


<response> and <request> are the most critical part of SQL injection; they are designed with a great deal of flexibility and technique. Next time.
