Academy of Cheetah Sciences, 2015/11/24 19:03

0x00 Preface


When it comes to SQL injection, the first thing that comes to mind is SQLMAP, an open source tool for detecting and exploiting SQL injection. So how exactly does SQLMAP implement its SQL scanning logic? The following discusses SQLMAP's scan logic; by understanding it, we can build a SQL scanning tool of our own.

0x01 Preparation of SQLMAP


Before scanning, SQLMAP has other functions that gather useful information about the current target, such as firewall detection. When a firewall is detected, the criteria used for SQL injection detection are adjusted, for example in boolean-based blind injection. The function heuristicCheckSqlInjection also affects what content the subsequent tests use. Its name translates to "heuristic SQL injection test", so what is a heuristic, and what exactly does this function do? When we use SQLMAP often, the following prompt may appear:

The prompt above indicates that the target's database is probably Oracle. The basis for this hint is the heuristic SQL injection test, heuristicCheckSqlInjection, which this article introduces. SQLMAP contains a large number of payloads, several hundred of them; testing every payload would waste time, so it also uses this step to select which payloads to test according to the database fingerprint.

The main work of heuristicCheckSqlInjection can be divided into the following:

  1. Database version identification.
  2. Obtaining an absolute path.
  3. XSS test.

0x02 Database version identification


```python
# Alphabet used for heuristic checks
HEURISTIC_CHECK_ALPHABET = ('"', '\'', ')', '(', ',', '.')
...
# keep drawing random strings until one contains a single quote
randStr = ""
while '\'' not in randStr:
    randStr = randomStr(length=10, alphabet=HEURISTIC_CHECK_ALPHABET)

kb.heuristicMode = True
payload = "%s%s%s" % (prefix, randStr, suffix)
payload = agent.payload(place, parameter, newValue=payload)
page, _ = Request.queryPage(payload, place, content=True, raise404=False)
...
```

The heuristic takes 10 random characters from HEURISTIC_CHECK_ALPHABET and builds the payload from them. Of course, these are not ordinary characters but special ones. When we do SQL injection tests by hand, we usually add a semicolon or some other special character to the parameter; if you are lucky, this produces a database-related error message, and from that message you can guess what the target database is.

Let's find an actual website to test (the address is redacted to protect it):

http://***.***.***/datalist/default.aspx/article?category_id=1051

The loop `while '\'' not in randStr:` keeps generating random strings until one contains a single quote; the request is then sent and the returned data is checked.

As shown in the figure below:

If you are familiar with SQL injection, you will know that this is an error message from Oracle, so let’s see how SQLMAP determines this.

The getPage function is located in ./lib/request/connect.py, around line 598.

```python
def getPage(**kwargs):
    ...
    # hand the raw response to the fingerprinting / heuristic parsers
    processResponse(page, responseHeaders)
    ...
```

processResponse in turn calls the htmlParser function in ./lib/parse/html.py, which identifies the current database from the different database fingerprints.

```python
def htmlParser(page):
    """
    This function calls a class that parses the input HTML page to
    fingerprint the back-end database management system
    """

    xmlfile = paths.ERRORS_XML
    handler = HTMLHandler(page)

    parseXmlFile(xmlfile, handler)

    if handler.dbms and handler.dbms not in kb.htmlFp:
        kb.lastParserStatus = handler.dbms
        kb.htmlFp.append(handler.dbms)
    else:
        kb.lastParserStatus = None

    # generic SQL warning/error messages
    if re.search(r"SQL (warning|error|syntax)", page, re.I):
        handler._markAsErrorPage()

    return handler.dbms
```

paths.ERRORS_XML is the path of the fingerprint configuration file used by SQLMAP, ./xml/errors.xml, and HTMLHandler is the parser that applies it.

```xml
<!-- Oracle -->
<dbms value="Oracle">
    <error regexp="\bORA-[0-9][0-9][0-9][0-9]"/>
    <error regexp="Oracle error"/>
    <error regexp="Oracle.*Driver"/>
    <error regexp="Warning.*\Woci_.*"/>
    <error regexp="Warning.*\Wora_.*"/>
</dbms>
```

This configuration file is fairly simple: it is essentially a set of regular expressions for each database. SQLMAP parses errors.xml and then matches the current page content against each regexp.

```python
class HTMLHandler(ContentHandler):
    """
    This class defines methods to parse the input HTML page to
    fingerprint the back-end database management system
    """

    def __init__(self, page):
        ContentHandler.__init__(self)

        self._dbms = None   # <dbms value="..."> currently being parsed
        self._page = page

        self.dbms = None    # DBMS whose <error regexp> matched the page

    def _markAsErrorPage(self):
        threadData = getCurrentThreadData()
        threadData.lastErrorPage = (threadData.lastRequestUID, self._page)

    def startElement(self, name, attrs):
        if name == "dbms":
            self._dbms = attrs.get("value")

        elif name == "error":
            if re.search(attrs.get("regexp"), self._page, re.I):
                self.dbms = self._dbms
                self._markAsErrorPage()
```

Looking at the returned page, we can see that it hit the rule `<error regexp="\bORA-[0-9][0-9][0-9][0-9]"/>`.

In this way SQLMAP determines the database type and selects the corresponding test payloads, reducing the scan time.
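The fingerprinting step described above, rebuilt as a stand-alone example (this is added code, not sqlmap's own): a SAX handler in the style of HTMLHandler walks a constructed errors.xml-style fragment and tests each `error regexp` against the page. The XML fragment and the response bodies are constructed for the example; a real run would load sqlmap's ./xml/errors.xml instead.

```python
import re
import xml.sax
from xml.sax.handler import ContentHandler

# Constructed fragment modelled on sqlmap's ./xml/errors.xml (two DBMS entries only).
ERRORS_XML = r"""<?xml version="1.0" encoding="UTF-8"?>
<root>
    <dbms value="Oracle">
        <error regexp="\bORA-[0-9][0-9][0-9][0-9]"/>
        <error regexp="Oracle error"/>
    </dbms>
    <dbms value="MySQL">
        <error regexp="SQL syntax.*?MySQL"/>
        <error regexp="Warning.*?\Wmysqli?_"/>
    </dbms>
</root>
"""

class FingerprintHandler(ContentHandler):
    """Remembers the <dbms> being read and tests each <error regexp> against the
    page, like sqlmap's HTMLHandler.startElement (first hit wins here)."""
    def __init__(self, page):
        super().__init__()
        self._dbms = None     # <dbms value="..."> currently being parsed
        self.page = page
        self.dbms = None      # DBMS whose regexp matched
        self.matched = None   # the regexp that produced the hit

    def startElement(self, name, attrs):
        if name == "dbms":
            self._dbms = attrs.get("value")
        elif name == "error" and self.dbms is None:
            if re.search(attrs.get("regexp"), self.page, re.I):
                self.dbms = self._dbms
                self.matched = attrs.get("regexp")

def fingerprint(page, errors_xml=ERRORS_XML):
    """Return (dbms, regexp, generic_sql_error) for a response body."""
    handler = FingerprintHandler(page)
    xml.sax.parseString(errors_xml.encode("utf-8"), handler)
    # same generic check htmlParser applies when no fingerprint matches
    generic = bool(re.search(r"SQL (warning|error|syntax)", page, re.I))
    return handler.dbms, handler.matched, generic

# Constructed responses: a leaked Oracle error, a PHP/MySQL warning, a clean page.
PAGES = {
    "oracle": "<html><body>ORA-01756: quoted string not properly terminated</body></html>",
    "mysql": "Warning: mysql_fetch_array() expects parameter 1 to be resource",
    "clean": "<html><body>No results for your query.</body></html>",
}
```

Running `fingerprint` over each entry of PAGES shows which error wording gives away the back end; the same check is useful for auditing your own application's error pages for verbose database errors.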

0x03 Absolute Path Obtaining and XSS Detection


Compared with fingerprint identification, the function that obtains the absolute path is relatively simple: the absolute path is found by regular-expression matching.

```python
def parseFilePaths(page):
    """
    Detects (possible) absolute system paths inside the provided page content
    """

    if page:
        # PHP-style "in <b>/path</b> on line", Windows drive paths, POSIX paths
        for regex in (r" in <b>(?P<result>.*?)</b> on line",
                      r"(?:>|\s)(?P<result>[A-Za-z]:[\\/][\w.\\/]*)",
                      r"(?:>|\s)(?P<result>/\w[/\w.]+)"):
            for match in re.finditer(regex, page):
                absFilePath = match.group("result").strip()
                page = page.replace(absFilePath, "")

                if isWindowsDriveLetterPath(absFilePath):
                    absFilePath = posixToNtSlashes(absFilePath)

                if absFilePath not in kb.absFilePaths:
                    kb.absFilePaths.add(absFilePath)
```

The XSS detection code is around line 889:

```python
# String used for dummy XSS check of a tested parameter value
DUMMY_XSS_CHECK_APPENDIX = "<'\">"
...
value = "%s%s%s" % (randomStr(), DUMMY_XSS_CHECK_APPENDIX, randomStr())
payload = "%s%s%s" % (prefix, "'%s" % value, suffix)
payload = agent.payload(place, parameter, newValue=payload)
page, _ = Request.queryPage(payload, place, content=True, raise404=False)
paramType = conf.method if conf.method not in (None, HTTPMETHOD.GET, HTTPMETHOD.POST) else place

# the marker came back verbatim, i.e. without output encoding
if value in (page or ""):
    infoMsg = "heuristic (XSS) test shows that %s parameter " % paramType
    infoMsg += "'%s' might be vulnerable to XSS attacks" % parameter
    logger.info(infoMsg)
...
```

Finally, depending on whether the input characters are left verbatim on the page, SQLMAP hints that there may be an XSS vulnerability.
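The two response checks of this section, path leakage and marker reflection, as an added stand-alone example (not sqlmap's code): the path extractor uses the same three patterns as parseFilePaths, and the reflection check mirrors the `value in page` test, run against constructed responses including one that HTML-encodes its output so the check correctly stays negative.

```python
import html
import re

# The three patterns sqlmap's parseFilePaths walks through, in the same order.
PATH_REGEXES = (
    r" in <b>(?P<result>.*?)</b> on line",
    r"(?:>|\s)(?P<result>[A-Za-z]:[\\/][\w.\\/]*)",
    r"(?:>|\s)(?P<result>/\w[/\w.]+)",
)

def parse_file_paths(page):
    """Return the set of absolute paths leaked in a response body."""
    found = set()
    for regex in PATH_REGEXES:
        for match in re.finditer(regex, page):
            path = match.group("result").strip()
            page = page.replace(path, "")          # do not re-match the same path
            if re.match(r"[A-Za-z]:[\\/]", path):  # Windows drive-letter path
                path = path.replace("/", "\\")     # what posixToNtSlashes does
            found.add(path)
    return found

MARKER = "<'\">"  # sqlmap's DUMMY_XSS_CHECK_APPENDIX

def reflects_unencoded(page, sent_value):
    """sqlmap's heuristic XSS check: the sent value appears verbatim in the page."""
    return sent_value in (page or "")

# Constructed responses (paths and text are made up for the example).
PHP_WARNING = ('<b>Warning</b>: mysql_fetch_array() expects parameter 1 to be resource '
               'in <b>/var/www/html/datalist/default.php</b> on line <b>42</b>')
ASPX_ERROR = 'Source File: C:/inetpub/wwwroot/datalist/default.aspx Line: 17'
value = "abc" + MARKER + "xyz"
RAW_REFLECTION = "<p>Category %s not found</p>" % value               # vulnerable
ESCAPED_REFLECTION = "<p>Category %s not found</p>" % html.escape(value, quote=True)
```

The escaped variant shows the mitigation the heuristic is implicitly testing for: once the output is HTML-encoded, the marker no longer appears verbatim and the check is negative.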

0x04 Summary


This concludes the introduction of the heuristicCheckSqlInjection function. Understanding SQLMAP's specific scanning rules and the reasoning behind them lets us configure SQLMAP for a particular situation or write our own SQL fuzzing system. You can also enhance SQLMAP's fingerprinting capability by editing the errors.xml fingerprint configuration, making it even more powerful.