http://www.evil0x.com/posts/20507.html
0x00 前言
由於還找到一款比較適合批量檢測sql注入點的工具(proxy+sqlmapapi的方式批量檢測之類的批量sql注入點檢測),我的目光就轉向了sqlmap。雖然sqlmap沒有支持僞靜態注入點的測試(需要手動添加註入標記),由於是python寫的,可以快速方便的進行二次開發。
0x01 思路
我的思路是在有.html之類的後綴或者既沒有.html或者包含”?”的url進行修改。
僞靜態注入點一般都在數字,所以我就在數字後面添加註入標記。字符串的僞靜態就不搞了,搞了工作量就會添加很多。
用如下的URL進行測試
http://www.site.com/index.php/index/id/14 http://www.site.com/index.php/newsContent/id/341.html http://www.site.com/show/?29-575.html
結果如下
http://www.site.com/index.php/index/id/14* http://www.site.com/index.php/newsContent/id/341*.html http://www.site.com/show/?29*-575*.html
代碼如下:
if re.search('html|htm|sthml',url) or url.find("?") == -1:
flag = 0
suffix = ""
if re.search('html|htm|sthml',url):
suffix = "." + re.search('html|htm|sthml',url).group()
urlList = url.split("/")
returnList = []
for i in urlList:
i = re.sub('/.html|/.htm','', i)
if i.isdigit():
returnList.append(i + "*")
flag = 1
else:
returnList.append(i)
url = '/'.join(returnList) + suffix
returnList = []
if flag == 0:
for i in urlList:
if re.search('html|htm|sthml',i):
digitList = re.findall('/d+',i)
for digit in digitList:
i = i.replace(digit, digit + "*")
returnList.append(i)
else:
returnList.append(i)
url = '/'.join(returnList)
print url
0x02 sqlmap支持單個自動檢測僞靜態
相關文件
- https://github.com/sqlmapproject/sqlmap/blob/master/sqlmap.py
- https://github.com/sqlmapproject/sqlmap/blob/master/lib/controller/controller.py
- https://github.com/sqlmapproject/sqlmap/blob/master/lib/core/target.py
流程
SQLMAP.PY 116行START()->CONTROLLER.PY 256行SETUPTARGETENV()->TARGET.PY 72行_SETREQUESTPARAMS()->TARGET.PY 117行
if kb.processUserMarks is None and CUSTOM_INJECTION_MARK_CHAR in conf.data:
message = "custom injection marking character ('%s') found in option " % CUSTOM_INJECTION_MARK_CHAR
message += "'--data'. Do you want to process it? [Y/n/q] "
test = readInput(message, default="Y")
if test and test[0] in ("q", "Q"):
raise SqlmapUserQuitException
else:
kb.processUserMarks = not test or test[0] not in ("n", "N")
if kb.processUserMarks:
kb.testOnlyCustom = True
這裏檢測是否使用了注入標記。
sqlmap獲取完所有你指定的信息後,開始正式檢測是否有注入之前,會檢測是否使用了注入標記”*“,如果有的話就先處理這個注入標記的點進行測試。
這樣就明白注入標記的流程,只要_setRequestParams函數調用之前處理好URL,就可以支持自動的僞靜態注入的測試了。
只要在260行處添加
if re.search('html|htm|sthml',conf.url) or conf.url.find("?") == -1:
flag = 0
suffix = ""
if re.search('html|htm|sthml',conf.url):
suffix = "." + re.search('html|htm|sthml',conf.url).group()
urlList = conf.url.split("/")
returnList = []
for i in urlList:
i = re.sub('/.html|/.htm','', i)
if i.isdigit():
returnList.append(i + "*")
flag = 1
else:
returnList.append(i)
conf.url = '/'.join(returnList) + suffix
returnList = []
if flag == 0:
for i in urlList:
if re.search('html|htm|sthml',i):
digitList = re.findall('/d+',i)
for digit in digitList:
i = i.replace(digit, digit + "*")
returnList.append(i)
else:
returnList.append(i)
conf.url = '/'.join(returnList)
logger.info(conf.url)
這樣就可以了。
效果圖
這裏只是單個的,要支持批量檢測注入點。修改這裏不是不行的。
0x03 sqlmap支持批量自動檢測僞靜態
相關文件
https://github.com/sqlmapproject/sqlmap/blob/master/lib/core/option.py
583行處
for line in getFileItems(conf.bulkFile):
if re.match(r"[^ ]+/?(.+)", line, re.I) or CUSTOM_INJECTION_MARK_CHAR in line:
found = True
kb.targets.add((line.strip(), conf.method, conf.data, conf.cookie, None))
一行一行讀取文件裏面的url。只要匹配到有問號”?”或者有注入標記”*”才進行測試。
在583處添加
if re.search('html|htm|sthml',line) or line.find("?") == -1:
flag = 0
suffix = ""
if re.search('html|htm|sthml',line):
suffix = "." + re.search('html|htm|sthml',line).group()
urlList = line.split("/")
returnList = []
for i in urlList:
i = re.sub('/.html|/.htm','', i)
if i.isdigit():
returnList.append(i + "*")
flag = 1
else:
returnList.append(i)
line = '/'.join(returnList) + suffix
returnList = []
if flag == 0:
for i in urlList:
if re.search('html|htm|sthml',i):
digitList = re.findall('/d+',i)
for digit in digitList:
i = i.replace(digit, digit + "*")
returnList.append(i)
else:
returnList.append(i)
line = '/'.join(returnList)
效果圖:
