sqlmap Study Notes (Part 2)

The previous post mentioned payload.xml; this one goes into it in detail.

The payload.xml help text reads:
<!--
Tag: <boundary>
How to prepend and append to the test ' <payload><comment> ' string.

Sub-tag: <level>
From which level check for this test.

Valid values:
1: Always (<100 requests)
2: Try a bit harder (100-200 requests)
3: Good number of requests (200-500 requests)
4: Extensive test (500-1000 requests)
5: You have plenty of time (>1000 requests)

Sub-tag: <clause>
In which clause the payload can work.

NOTE: for instance, there are some payloads that do not have to be
tested as soon as it has been identified whether or not the
injection is within a WHERE clause condition.

Valid values:
0: Always
1: WHERE / HAVING
2: GROUP BY
3: ORDER BY
4: LIMIT
5: OFFSET
6: TOP
7: Table name
8: Column name

A comma separated list of these values is also possible.

Sub-tag: <where>
Where to add our '<prefix> <payload><comment> <suffix>' string.

Valid values:
1: When the value of <test>'s <where> is 1.
2: When the value of <test>'s <where> is 2.
3: When the value of <test>'s <where> is 3.

A comma separated list of these values is also possible.

Sub-tag: <ptype>
What is the parameter value type.

Valid values:
1: Unescaped numeric
2: Single quoted string
3: LIKE single quoted string
4: Double quoted string
5: LIKE double quoted string

Sub-tag: <prefix>
A string to prepend to the payload.

Sub-tag: <suffix>
A string to append to the payload.


Tag: <test>
SQL injection test definition.

Sub-tag: <title>
Title of the test.

Sub-tag: <stype>
SQL injection family type.

Valid values:
0: Heuristic check to parse response errors
1: Boolean-based blind SQL injection
2: Error-based SQL injection
3: UNION query SQL injection
4: Stacked queries SQL injection
5: AND/OR time-based blind SQL injection

Sub-tag: <level>
From which level check for this test.

Valid values:
1: Always (<100 requests)
2: Try a bit harder (100-200 requests)
3: Good number of requests (200-500 requests)
4: Extensive test (500-1000 requests)
5: You have plenty of time (>1000 requests)

Sub-tag: <risk>
Likelihood of a payload to damage the data integrity.

Valid values:
0: No risk
1: Low risk
2: Medium risk
3: High risk

Sub-tag: <clause>
In which clause the payload can work.

NOTE: for instance, there are some payloads that do not have to be
tested as soon as it has been identified whether or not the
injection is within a WHERE clause condition.

Valid values:
0: Always
1: WHERE / HAVING
2: GROUP BY
3: ORDER BY
4: LIMIT
5: OFFSET
6: TOP
7: Table name
8: Column name

A comma separated list of these values is also possible.

Sub-tag: <where>
Where to add our '<prefix> <payload><comment> <suffix>' string.

Valid values:
1: Append the string to the parameter original value
2: Replace the parameter original value with a negative random
integer value and append our string
3: Replace the parameter original value with our string

Sub-tag: <vector>
The payload that will be used to exploit the injection point.

Sub-tag: <request>
What to inject for this test.

Sub-tag: <payload>
The payload to test for.

Sub-tag: <comment>
Comment to append to the payload, before the suffix.

Sub-tag: <char>
Character to use to bruteforce number of columns in UNION
query SQL injection tests.

Sub-tag: <columns>
Range of columns to test for in UNION query SQL injection
tests.

Sub-tag: <response>
How to identify if the injected payload succeeded.

Sub-tag: <comparison>
Perform a request with this string as the payload and compare
the response with the <payload> response. Apply the comparison
algorithm.

NOTE: useful to test for boolean-based blind SQL injections.

Sub-tag: <grep>
Regular expression to grep for in the response body.

NOTE: useful to test for error-based SQL injection.

Sub-tag: <time>
Time in seconds to wait before the response is returned.

NOTE: useful to test for time-based blind and stacked queries
SQL injections.

Sub-tag: <union>
Calls unionTest() function.

NOTE: useful to test for UNION query (inband) SQL injection.

Sub-tag: <oob>
# TODO

Sub-tag: <details>
Which details can be inferred if the payload succeeds.

Sub-tags: <dbms>
What is the database management system (e.g. MySQL).

Sub-tags: <dbms_version>
What is the database management system version (e.g. 5.0.51).

Sub-tags: <os>
What is the database management system underlying operating
system.

Formats:
<boundary>
<level></level>
<clause></clause>
<where></where>
<ptype></ptype>
<prefix></prefix>
<suffix></suffix>
</boundary>

<test>
<title></title>
<stype></stype>
<level></level>
<risk></risk>
<clause></clause>
<where></where>
<vector></vector>
<request>
<payload></payload>
<comment></comment>
<char></char>
<columns></columns>
</request>
<response>
<comparison></comparison>
<grep></grep>
<time></time>
<union></union>
<oob></oob>
</response>
<details>
<dbms></dbms>
<dbms_version></dbms_version>
<os></os>
</details>
</test>
-->

Here is a test instance:
    <test>
        <title>MySQL UNION query (NULL) - 1 to 10 columns</title>
        <stype>3</stype>
        <level>1</level>
        <risk>1</risk>
        <clause>1,2,3,4,5</clause>
        <where>1</where>
        <vector>[UNION]</vector>
        <request>
            <payload/>
            <comment>#</comment>
            <char>NULL</char>
            <columns>1-10</columns>
        </request>
        <response>
            <union/>
        </response>
        <details>
            <dbms>MySQL</dbms>
        </details>
    </test>

First, as the comment shows, the payloads file is divided into two kinds of elements: <boundary> and <test>. A boundary refers to the wrapper pieces used when injecting, things like '  )  (  and  1=1  and '1'='1, while a test is the actual statement used in the injection, such as a SELECT. The difference between the two is fairly clear.

Let me first explain the sub-elements the two elements share:

1. The level attribute. Every test must have this attribute; it tells which tier of the SQL injection process the test sits in. In other words, when you actually run sqlmap you need to specify the level to run at; the default is 1, and any value from 1 to 5 can be given. At level=1, roughly fewer than 100 injection tests are executed; the higher the level, the more tests run. If you specify level 5, every test marked 1, 2, 3, 4 or 5 is executed. Note that running level 5 will probably send more than 1000 SQL injection statements, and even more if you go on to guess table contents. More injection tests is not automatically better; it produces a heavy traffic load. Also, the example given above, UNION query (NULL), is level 1, the most basic test, and in practice probing the number of columns with UNION NULL is the most common technique. But if you actually use it you will notice a problem: further down there are similar tests for 11-20 columns and 21-30 columns, and they were given different levels. I suppose the authors felt queries rarely have more than 10 columns, but I don't think that is very reasonable, so I recommend changing the level of those later tests to 1 as well; the results in actual use are much better.

2. The clause attribute. This is a condition attribute; when writing a test, several values can be selected.

The help text reads:
Sub-tag: <clause>
In which clause the payload can work.

NOTE: for instance, there are some payloads that do not have to be
tested as soon as it has been identified whether or not the
injection is within a WHERE clause condition.

Valid values:
0: Always
1: WHERE / HAVING
2: GROUP BY
3: ORDER BY
4: LIMIT
5: OFFSET
6: TOP
7: Table name
8: Column name

Look at the example <title>MySQL UNION query (NULL) - 1 to 10 columns</title>: its <clause>1,2,3,4,5</clause> means UNION can be used in WHERE/HAVING, GROUP BY, ORDER BY, LIMIT and OFFSET clauses. In the many tests that follow you can see that basically only the first few values are in common use, especially 1-5. Of course, if you are not sure about SQL you wrote yourself, just mark it as 1.

3. The where attribute.

The boundary help text reads:
Sub-tag: <where>
Where to add our '<prefix> <payload><comment> <suffix>' string.

Valid values:
1: When the value of <test>'s <where> is 1.
2: When the value of <test>'s <where> is 2.
3: When the value of <test>'s <where> is 3.

A comma separated list of these values is also possible.

This is the comment in the boundary section; I suspect it was written incorrectly. The comment in the test section reads:
Sub-tag: <where>
Where to add our '<prefix> <payload><comment> <suffix>' string.

Valid values:
1: Append the string to the parameter original value
2: Replace the parameter original value with a negative random
integer value and append our string
3: Replace the parameter original value with our string

This one is probably right. In practice, 1 means append to the original parameter value, along the lines of id=1'; 2 is the id=31231' idea; and 3 is the id=' idea. The subtleties are worth thinking through, and each SQL case should be handled on its own terms.

Next come the concepts unique to each element.

4. The ptype attribute in <boundary>. The help text reads:
1: Unescaped numeric
2: Single quoted string
3: LIKE single quoted string
4: Double quoted string
5: LIKE double quoted string

This is simply what type the boundary value has: numeric, single-quoted string, or double-quoted string.

5. The <prefix> and <suffix> pair in <boundary>. These are the prefix and suffix. For example, because in practice a payload may be repeated iteratively, as with that UNION NULL test, something like SELECT can be set as the prefix.

6. Concepts unique to <test>

<title> is for display only and not very important, but don't give it a meaningless name either. For example, Microsoft SQL Server/Sybase error-based - Parameter replace is a good one: it names the database, the injection type and the specific function.

<stype> is a fairly important attribute. The help text reads:
Valid values:
0: Heuristic check to parse response errors
1: Boolean-based blind SQL injection
2: Error-based SQL injection
3: UNION query SQL injection
4: Stacked queries SQL injection
5: AND/OR time-based blind SQL injection

This is a classification: which functional module the test you wrote belongs to, whether blind injection, UNION injection, or time-based. It is quite straightforward.

<risk> is also a very important attribute. The help text reads:
Valid values:
0: No risk
1: Low risk
2: Medium risk
3: High risk

In essence: if your SQL injection statement contains UPDATE, INSERT, DELETE or something even more aggressive, do not set this to 0. And when you use sqlmap yourself, do not casually set --risk to a high value, because higher-risk operations have a DDL-like character and can easily change the data in the database. Be careful and deliberate.

<vector> is the SQL injection statement pattern to execute. In the example above it is <vector>[UNION]</vector>, which is actually the UNION ALL SELECT pattern; this is a detail I still need to study further.

<response> and <request> are the most critical part of the SQL injection process; they were designed with a great deal of flexibility and technique. I'll cover them next time.
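As an added example (not sqlmap's own code), the following Python reads the two element kinds described above from a constructed payload.xml fragment, applies the level/risk selection and the boundary-to-test matching rule, expands the <char>/<columns> range of the quoted UNION test, and applies the three <where> modes to a parameter's original value. The boundary values and the matching rule are assumptions made for illustration; the composition order '<prefix> <payload><comment> <suffix>' is the one given in the help text.

```python
import random
import xml.etree.ElementTree as ET
# Constructed sample (not the real payload.xml): an assumed <boundary> plus the page's <test>, in a dummy <root>.
SAMPLE_XML = """<root>
<boundary><level>1</level><clause>1</clause><where>1,2,3</where><ptype>2</ptype>
<prefix>'</prefix><suffix></suffix></boundary>
<test><title>MySQL UNION query (NULL) - 1 to 10 columns</title><stype>3</stype>
<level>1</level><risk>1</risk><clause>1,2,3,4,5</clause><where>1</where>
<vector>[UNION]</vector><request><payload/><comment>#</comment><char>NULL</char>
<columns>1-10</columns></request><response><union/></response>
<details><dbms>MySQL</dbms></details></test>
</root>"""

def _ints(text):
    """'1,2,3' -> {1, 2, 3}: the help text allows comma separated value lists."""
    return {int(v) for v in text.split(",") if v.strip()}

def parse(xml_text):
    """Return (boundaries, tests) as dicts keyed by the sub-tag names."""
    root = ET.fromstring(xml_text)
    bkeys = ("level", "clause", "where", "ptype", "prefix", "suffix")
    tkeys = ("title", "stype", "level", "risk", "clause", "where", "vector")
    rkeys = ("payload", "comment", "char", "columns")
    boundaries = [{k: b.findtext(k) or "" for k in bkeys} for b in root.iter("boundary")]
    tests = []
    for t in root.iter("test"):
        d = {k: t.findtext(k) or "" for k in tkeys}
        d["request"] = {k: t.findtext("request/" + k) or "" for k in rkeys}
        tests.append(d)
    return boundaries, tests

def selected_tests(tests, level, risk):
    """The author's point: a test runs only if its <level> and <risk> are within what the user allowed."""
    return [t for t in tests if int(t["level"]) <= level and int(t["risk"]) <= risk]

def boundary_applies(boundary, test):
    """Assumed rule: a boundary fits a test when its <where> lists the test's <where> and the <clause> sets overlap (0 = any)."""
    bc, tc = _ints(boundary["clause"]), _ints(test["clause"])
    return int(test["where"]) in _ints(boundary["where"]) and (0 in bc or 0 in tc or bool(bc & tc))

def union_columns(request):
    """Expand <char>/<columns> ('NULL', '1-10') into the column lists the UNION test walks through."""
    lo, hi = (int(x) for x in request["columns"].split("-"))
    return [",".join([request["char"]] * n) for n in range(lo, hi + 1)]

def compose(original_value, where, prefix, payload, comment, suffix, rand=random.randint):
    """Apply the <where> rule to the original value, then wrap it as '<prefix> <payload><comment> <suffix>'."""
    base = {1: original_value, 2: str(-rand(1, 9999)), 3: ""}[where]  # KeyError for an invalid <where>
    return (base + prefix + " " + payload + comment + " " + suffix).rstrip()
```

Raising the level or risk passed to selected_tests is the same thing the author warns about with --level and --risk: every additional test that qualifies is another request, and risk above 0 admits tests that can modify data.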

 

 

 


 
