wcf1987
- 浏览: 631080 次
- 性别:
- 来自: 西安
-
文章分类
最新评论
-
d1438138:
[img][/img]
google api 的一些神奇使用 -
waykingeye:
[i][b][u]引用[list]
[*][img][url] ...
No result defined for action and result input -
tss0823:
...
No result defined for action and result input -
yahier:
有什么办法能够捕捉,然后给出自定义的提示呢
No result defined for action and result input -
chen_lian:
恩恩 按照上面的代码测试一下觉得很对
java创建目录
上篇讲到了payload.xml,这篇就详细说下
payload.xml帮助 写道
<!--
Tag: <boundary>
How to prepend and append to the test ' <payload><comment> ' string.
Sub-tag: <level>
From which level check for this test.
Valid values:
1: Always (<100 requests)
2: Try a bit harder (100-200 requests)
3: Good number of requests (200-500 requests)
4: Extensive test (500-1000 requests)
5: You have plenty of time (>1000 requests)
Sub-tag: <clause>
In which clause the payload can work.
NOTE: for instance, there are some payload that do not have to be
tested as soon as it has been identified whether or not the
injection is within a WHERE clause condition.
Valid values:
0: Always
1: WHERE / HAVING
2: GROUP BY
3: ORDER BY
4: LIMIT
5: OFFSET
6: TOP
7: Table name
8: Column name
A comma separated list of these values is also possible.
Sub-tag: <where>
Where to add our '<prefix> <payload><comment> <suffix>' string.
Valid values:
1: When the value of <test>'s <where> is 1.
2: When the value of <test>'s <where> is 2.
3: When the value of <test>'s <where> is 3.
A comma separated list of these values is also possible.
Sub-tag: <ptype>
What is the parameter value type.
Valid values:
1: Unescaped numeric
2: Single quoted string
3: LIKE single quoted string
4: Double quoted string
5: LIKE double quoted string
Sub-tag: <prefix>
A string to prepend to the payload.
Sub-tag: <suffix>
A string to append to the payload.
Tag: <test>
SQL injection test definition.
Sub-tag: <title>
Title of the test.
Sub-tag: <stype>
SQL injection family type.
Valid values:
0: Heuristic check to parse response errors
1: Boolean-based blind SQL injection
2: Error-based SQL injection
3: UNION query SQL injection
4: Stacked queries SQL injection
5: AND/OR time-based blind SQL injection
Sub-tag: <level>
From which level check for this test.
Valid values:
1: Always (<100 requests)
2: Try a bit harder (100-200 requests)
3: Good number of requests (200-500 requests)
4: Extensive test (500-1000 requests)
5: You have plenty of time (>1000 requests)
Sub-tag: <risk>
Likelihood of a payload to damage the data integrity.
Valid values:
0: No risk
1: Low risk
2: Medium risk
3: High risk
Sub-tag: <clause>
In which clause the payload can work.
NOTE: for instance, there are some payload that do not have to be
tested as soon as it has been identified whether or not the
injection is within a WHERE clause condition.
Valid values:
0: Always
1: WHERE / HAVING
2: GROUP BY
3: ORDER BY
4: LIMIT
5: OFFSET
6: TOP
7: Table name
8: Column name
A comma separated list of these values is also possible.
Sub-tag: <where>
Where to add our '<prefix> <payload><comment> <suffix>' string.
Valid values:
1: Append the string to the parameter original value
2: Replace the parameter original value with a negative random
integer value and append our string
3: Replace the parameter original value with our string
Sub-tag: <vector>
The payload that will be used to exploit the injection point.
Sub-tag: <request>
What to inject for this test.
Sub-tag: <payload>
The payload to test for.
Sub-tag: <comment>
Comment to append to the payload, before the suffix.
Sub-tag: <char>
Character to use to bruteforce number of columns in UNION
query SQL injection tests.
Sub-tag: <columns>
Range of columns to test for in UNION query SQL injection
tests.
Sub-tag: <response>
How to identify if the injected payload succeeded.
Sub-tag: <comparison>
Perform a request with this string as the payload and compare
the response with the <payload> response. Apply the comparison
algorithm.
NOTE: useful to test for boolean-based blind SQL injections.
Sub-tag: <grep>
Regular expression to grep for in the response body.
NOTE: useful to test for error-based SQL injection.
Sub-tag: <time>
Time in seconds to wait before the response is returned.
NOTE: useful to test for time-based blind and stacked queries
SQL injections.
Sub-tag: <union>
Calls unionTest() function.
NOTE: useful to test for UNION query (inband) SQL injection.
Sub-tag: <oob>
# TODO
Sub-tag: <details>
Which details can be infered if the payload succeed.
Sub-tags: <dbms>
What is the database management system (e.g. MySQL).
Sub-tags: <dbms_version>
What is the database management system version (e.g. 5.0.51).
Sub-tags: <os>
What is the database management system underlying operating
system.
Formats:
<boundary>
<level></level>
<clause></clause>
<where></where>
<ptype></ptype>
<prefix></prefix>
<suffix></suffix>
</boundary>
<test>
<title></title>
<stype></stype>
<level></level>
<risk></risk>
<clause></clause>
<where></where>
<vector></vector>
<request>
<payload></payload>
<comment></comment>
<char></char>
<columns></columns>
</request>
<response>
<comparison></comparison>
<grep></grep>
<time></time>
<union></union>
<oob></oob>
</response>
<details>
<dbms></dbms>
<dbms_version></dbms_version>
<os></os>
</details>
</test>
-->
Tag: <boundary>
How to prepend and append to the test ' <payload><comment> ' string.
Sub-tag: <level>
From which level check for this test.
Valid values:
1: Always (<100 requests)
2: Try a bit harder (100-200 requests)
3: Good number of requests (200-500 requests)
4: Extensive test (500-1000 requests)
5: You have plenty of time (>1000 requests)
Sub-tag: <clause>
In which clause the payload can work.
NOTE: for instance, there are some payload that do not have to be
tested as soon as it has been identified whether or not the
injection is within a WHERE clause condition.
Valid values:
0: Always
1: WHERE / HAVING
2: GROUP BY
3: ORDER BY
4: LIMIT
5: OFFSET
6: TOP
7: Table name
8: Column name
A comma separated list of these values is also possible.
Sub-tag: <where>
Where to add our '<prefix> <payload><comment> <suffix>' string.
Valid values:
1: When the value of <test>'s <where> is 1.
2: When the value of <test>'s <where> is 2.
3: When the value of <test>'s <where> is 3.
A comma separated list of these values is also possible.
Sub-tag: <ptype>
What is the parameter value type.
Valid values:
1: Unescaped numeric
2: Single quoted string
3: LIKE single quoted string
4: Double quoted string
5: LIKE double quoted string
Sub-tag: <prefix>
A string to prepend to the payload.
Sub-tag: <suffix>
A string to append to the payload.
Tag: <test>
SQL injection test definition.
Sub-tag: <title>
Title of the test.
Sub-tag: <stype>
SQL injection family type.
Valid values:
0: Heuristic check to parse response errors
1: Boolean-based blind SQL injection
2: Error-based SQL injection
3: UNION query SQL injection
4: Stacked queries SQL injection
5: AND/OR time-based blind SQL injection
Sub-tag: <level>
From which level check for this test.
Valid values:
1: Always (<100 requests)
2: Try a bit harder (100-200 requests)
3: Good number of requests (200-500 requests)
4: Extensive test (500-1000 requests)
5: You have plenty of time (>1000 requests)
Sub-tag: <risk>
Likelihood of a payload to damage the data integrity.
Valid values:
0: No risk
1: Low risk
2: Medium risk
3: High risk
Sub-tag: <clause>
In which clause the payload can work.
NOTE: for instance, there are some payload that do not have to be
tested as soon as it has been identified whether or not the
injection is within a WHERE clause condition.
Valid values:
0: Always
1: WHERE / HAVING
2: GROUP BY
3: ORDER BY
4: LIMIT
5: OFFSET
6: TOP
7: Table name
8: Column name
A comma separated list of these values is also possible.
Sub-tag: <where>
Where to add our '<prefix> <payload><comment> <suffix>' string.
Valid values:
1: Append the string to the parameter original value
2: Replace the parameter original value with a negative random
integer value and append our string
3: Replace the parameter original value with our string
Sub-tag: <vector>
The payload that will be used to exploit the injection point.
Sub-tag: <request>
What to inject for this test.
Sub-tag: <payload>
The payload to test for.
Sub-tag: <comment>
Comment to append to the payload, before the suffix.
Sub-tag: <char>
Character to use to bruteforce number of columns in UNION
query SQL injection tests.
Sub-tag: <columns>
Range of columns to test for in UNION query SQL injection
tests.
Sub-tag: <response>
How to identify if the injected payload succeeded.
Sub-tag: <comparison>
Perform a request with this string as the payload and compare
the response with the <payload> response. Apply the comparison
algorithm.
NOTE: useful to test for boolean-based blind SQL injections.
Sub-tag: <grep>
Regular expression to grep for in the response body.
NOTE: useful to test for error-based SQL injection.
Sub-tag: <time>
Time in seconds to wait before the response is returned.
NOTE: useful to test for time-based blind and stacked queries
SQL injections.
Sub-tag: <union>
Calls unionTest() function.
NOTE: useful to test for UNION query (inband) SQL injection.
Sub-tag: <oob>
# TODO
Sub-tag: <details>
Which details can be infered if the payload succeed.
Sub-tags: <dbms>
What is the database management system (e.g. MySQL).
Sub-tags: <dbms_version>
What is the database management system version (e.g. 5.0.51).
Sub-tags: <os>
What is the database management system underlying operating
system.
Formats:
<boundary>
<level></level>
<clause></clause>
<where></where>
<ptype></ptype>
<prefix></prefix>
<suffix></suffix>
</boundary>
<test>
<title></title>
<stype></stype>
<level></level>
<risk></risk>
<clause></clause>
<where></where>
<vector></vector>
<request>
<payload></payload>
<comment></comment>
<char></char>
<columns></columns>
</request>
<response>
<comparison></comparison>
<grep></grep>
<time></time>
<union></union>
<oob></oob>
</response>
<details>
<dbms></dbms>
<dbms_version></dbms_version>
<os></os>
</details>
</test>
-->
这是一个test实例 写道
<test>
<title>MySQL UNION query (NULL) - 1 to 10 columns</title>
<stype>3</stype>
<level>1</level>
<risk>1</risk>
<clause>1,2,3,4,5</clause>
<where>1</where>
<vector>[UNION]</vector>
<request>
<payload/>
<comment>#</comment>
<char>NULL</char>
<columns>1-10</columns>
</request>
<response>
<union/>
</response>
<details>
<dbms>MySQL</dbms>
</details>
</test>
<title>MySQL UNION query (NULL) - 1 to 10 columns</title>
<stype>3</stype>
<level>1</level>
<risk>1</risk>
<clause>1,2,3,4,5</clause>
<where>1</where>
<vector>[UNION]</vector>
<request>
<payload/>
<comment>#</comment>
<char>NULL</char>
<columns>1-10</columns>
</request>
<response>
<union/>
</response>
<details>
<dbms>MySQL</dbms>
</details>
</test>
首先看注释中payloads文件中共分为两类元素,一类为<boundary>,一类为<test>,
其中boundary指的是注入时使用的一些通配符之类的,类似' ) ( and 1=1 and '1'='1之类的东西,
而test则是注入时具体使用的语句,类似select之类的。两者区别还是比较明显的
先讲讲两个元素中相同的子元素释义:
1. level这个属性,这是每个test都要有的属性,他指出了在sql注入中处于哪个档次,换句话说,你在实际运行sqlmap的时候,需要指定运行level,默认是1,从1-5都可以指定,在level=1的情况下,大概执行的注入test在100个以内,level越高,所执行的test越多,如果你指定level5,那么所有test中标注为1,2,3,4,5的都将执行,这里要注意的是执行level 5,估计执行的sql注入语句将超过1000个,如果再猜解表内容,语句将更多,并不是注入test越多越好,这将造成大量的通信负担。另外,如上所举的例子 UNION query (NULL) ,就是level 1 ,最基本的测试,实际上union null测试字段个数也是最常见的手法,但是这里如果你实际使用就会发现,这里有些问题,后面类似的会有11-20字段,21-30字段这样的test,并且他们给予了不同的level,估计老外觉得查询字段一般不会超过10个,但是我觉得这个不是很合理,所以我推荐大家把后面那几个的level都改成1,这样子实际使用效果将会非常好。
2.clause这个属性,这是一个条件属性,test编辑中是可以多选的
写道
Sub-tag: <clause>
In which clause the payload can work.
NOTE: for instance, there are some payload that do not have to be
tested as soon as it has been identified whether or not the
injection is within a WHERE clause condition.
Valid values:
0: Always
1: WHERE / HAVING
2: GROUP BY
3: ORDER BY
4: LIMIT
5: OFFSET
6: TOP
7: Table name
8: Column name
In which clause the payload can work.
NOTE: for instance, there are some payload that do not have to be
tested as soon as it has been identified whether or not the
injection is within a WHERE clause condition.
Valid values:
0: Always
1: WHERE / HAVING
2: GROUP BY
3: ORDER BY
4: LIMIT
5: OFFSET
6: TOP
7: Table name
8: Column name
大家可以看<title>MySQL UNION query (NULL) - 1 to 10 columns</title>所举得例子中, <clause>1,2,3,4,5</clause>,即union可以在 where/having子句中,group by ,order by limit offset子句中使用,后面比较多的test中,也可以看到基本上也就前面的几个常用些,特别是1-5,当然你要吃不准你自创的sql的话,就标注成1吧。。。
3.where 这个属性,
写道
Sub-tag: <where>
Where to add our '<prefix> <payload><comment> <suffix>' string.
Valid values:
1: When the value of <test>'s <where> is 1.
2: When the value of <test>'s <where> is 2.
3: When the value of <test>'s <where> is 3.
A comma separated list of these values is also possible.
Where to add our '<prefix> <payload><comment> <suffix>' string.
Valid values:
1: When the value of <test>'s <where> is 1.
2: When the value of <test>'s <where> is 2.
3: When the value of <test>'s <where> is 3.
A comma separated list of these values is also possible.
这是他的boudary中的注释,我估计写错了,test中的注释是
写道
Sub-tag: <where>
Where to add our '<prefix> <payload><comment> <suffix>' string.
Valid values:
1: Append the string to the parameter original value
2: Replace the parameter original value with a negative random
integer value and append our string
3: Replace the parameter original value with our string
Where to add our '<prefix> <payload><comment> <suffix>' string.
Valid values:
1: Append the string to the parameter original value
2: Replace the parameter original value with a negative random
integer value and append our string
3: Replace the parameter original value with our string
这个估计是对的,实际上就是1 附加到原始的变量值后面,类似id=1 ’这个概念,而2就是 id=31231 ‘这个概念。3就是id=’这个概念,细微之处大家可以体会下。具体sql具体对待。
下来就是各自独有的概念了,
4 <boudary>中的ptype属性
写道
1: Unescaped numeric
2: Single quoted string
3: LIKE single quoted string
4: Double quoted string
5: LIKE double quoted string
2: Single quoted string
3: LIKE single quoted string
4: Double quoted string
5: LIKE double quoted string
实际上就是bandary的值是什么属性,数字,单引号字符串,或者双引号字符串。
5 <boudary>中的ptype属性<prefix> <suffix>这一对,就是前缀和后缀了,举个例子因为在实际中payload可能有重复迭代,例如那个union null,所以把select之类可以设成前缀,
6. <test>中的独有概念
<title>显示用的,没啥大用,但也别起个没意义的,例如Microsoft SQL Server/Sybase error-based - Parameter replace,就比较好,指出数据库名,注入类型,具体功能。
<stype> 比较重要的一个属性
写道
Valid values:
0: Heuristic check to parse response errors
1: Boolean-based blind SQL injection
2: Error-based SQL injection
3: UNION query SQL injection
4: Stacked queries SQL injection
5: AND/OR time-based blind SQL injection
0: Heuristic check to parse response errors
1: Boolean-based blind SQL injection
2: Error-based SQL injection
3: UNION query SQL injection
4: Stacked queries SQL injection
5: AND/OR time-based blind SQL injection
这是一个分类,就是你写的这个test具体属于那个功能模块的是盲注呢,还是union注入呢,还是基于时间的呢,这个也很直白。
<risk>这个属性也很重要,
写道
Valid values:
0: No risk
1: Low risk
2: Medium risk
3: High risk
0: No risk
1: Low risk
2: Medium risk
3: High risk
实质就是,如果你的sql注入语句包含了update,insert,delete之类的或者更猛的操作,那么请不要设置为0,而且自己在用sqlmap的时候也不要轻易的设置--risk为高值,因为risk较高的操作都带有ddl的性质,容易引起数据库数据上的改变。谨慎,慎重。
<vector> 就是要执行的sql注入句式 例如在上面那个例子中就是<vector>[UNION]</vector>,实际上是union all select句型,这个细节我也需要继续学习。。
<response>和<request>这个是sql注入中最关键的一个部分,他们被设计的赋予了很大的灵活性和技巧,下次再说吧。。。。。
分享到:
发表评论
-
metasploit 图形化界面和自动化exploit脚本
2013-10-21 16:25 77590x01 最新版的metasploit没了图形化界面, ... -
APKTool签名的一个问题
2013-10-14 21:19 25180x01 昨天写了反编译,今天就写下签名的问题 0 ... -
APKTool打包的一个小问题
2013-10-13 20:23 248230x01,又开始写blog了,好久没有网络了,最近终于可以开 ... -
struts2远程执行漏洞学习(四)
2013-05-23 00:12 23410x01 最近又有了一个新的struts2漏洞,http:/ ... -
CVE-2013-1493 学习
2013-03-25 16:06 30000x01 这个又是一个java CVE,效果前几个一样, ... -
python调用 bing api search接口 技术
2013-01-24 23:42 95100x01 微软bing的api现在也 ... -
CVE-2013-0422 分析2
2013-01-11 23:47 34980x01 http://wcf1987.iteye.c ... -
CVE-2013-0422 学习
2013-01-11 16:26 41630x01 这个是这两天爆出来的,我构建了一个本地测试代码,主 ... -
CVE 2012 0507 分析
2012-12-17 16:00 35680x01 https://github.com/wche ... -
android 无权限 伪造短信
2012-11-06 09:15 35760x01 这个有是大名鼎鼎的蒋教授发现的,原理简单,有点意思 ... -
A new way to hack android app info
2012-11-06 01:04 1663最近新研究了一种android攻击手段,blog发到团队那里的 ... -
一次被黑追凶(未完待续)
2012-10-15 19:52 25100x01,某天师妹告诉我们某台服务器疑似被人干掉了,我果断远程 ... -
<找工作 八>整数分解为连续整数相加
2012-09-13 17:14 1550整数分解为连续整数相加,最长列表 def ... -
<找工作 五> 子数组之和最大值
2012-09-13 16:22 1202实现了两种,一种是算出最大值,一种是把最大值的子数组打印出来, ... -
python 反编译 pyc 一些心得
2012-09-06 10:59 538310x01 , 现在用python的人也多了起来,代码安全始终是 ... -
关于web渗透中得一些记录
2012-08-24 23:31 36161. 当得到linux root shell时 ... -
mail xss
2012-08-11 21:57 17121 最近迷上了xss,感觉各种飘逸,特别是http://www ... -
XSS学习二
2012-07-31 15:48 12651.xss学习到今天算是告一个段落了,发现了一个sohu邮箱 ... -
我的sinaapp
2012-07-27 22:10 1276我的sinapp小家终于成型了 http://icefish ... -
phpcms v9的补充
2012-07-25 21:28 1203前一篇留了个疑问: 为什么 file_get_conten ...
相关推荐
收录了SQLmap使用笔记,使用方法,以及讲解实例,是学习使用sqlmap应用工具的好材料
4.iBatis2学习笔记:SqlMap的配置总结(18条).doc 5.iBatis2学习笔记:入参和返回值的问题.doc 6.iBatis2学习笔记:一对多映射(双向).doc 7.iBatis2学习笔记:多对多映射(双向) .doc 8.iBatis2学习笔记:总结与...
这个"SQLMAP系列课程视频.txt"可能是课程的目录或笔记,包含每一课的主题概要,帮助学习者跟踪进度和回顾关键点。通过深入学习这个课程,你可以掌握SQLMAP的强大功能,同时提高对Web安全的理解,这对于网络安全专业...
### ibatis教程学习笔记 #### 一、ibatis简介与特点 ibatis 是一个基于 Java 的持久层框架,它提供了一种将 SQL 映射到 Java 对象的方式,简化了 JDBC 的复杂操作。ibatis 通过 XML 配置文件或者注解的形式来描述 ...
标题中的“Spring技术内幕 学习笔记”表明这是一份关于深入理解Spring框架核心机制的资料集合,主要关注Spring框架的内部工作原理和高级用法。描述中的“NULL”没有提供额外信息,但我们可以通过标签“源码”和...
### iBatis 学习笔记知识点总结 #### 一、iBatis 概念与特点 **1.1 iBatis 定义** - **iBatis** 是一个基于 Java 的开源持久层框架,它专注于 SQL 映射,提供了一种将对象与数据库交互过程中的 SQL 语句进行分离的...
标题《BackTrack渗透测试学习笔记》指明了文档的主要内容,它是关于BackTrack操作系统在渗透测试领域的应用以及学习经验的集合。BackTrack是一个专门设计用于网络安全评估和渗透测试的Linux发行版。它包含了大量的...
### iBatis学习笔记 #### 一、iBatis简介 iBatis,又被称为SqlMap,是一款开源的“半自动”对象关系映射(Object Relational Mapping, ORM)框架,它通过将SQL语句与Java代码进行解耦,简化了数据库操作。与全自动...
在提供的学习笔记中,主要涉及了iBatis配置文件`sql-map-config.xml`、SQL映射文件`Employee.xml`以及一个简单的Java Pojo类`Employee.java`。以下是对这些内容的详细解释: 1. **`sql-map-config.xml`配置文件**:...
<sqlMap resource="User.xml"/> ``` `User.xml`是具体的SQL Map文件,其中定义了与用户相关的SQL语句映射。 总的来说,iBATIS以其简单易用和灵活性著称,允许开发者编写自定义SQL,同时提供数据访问的抽象层,使得...
### IBATIS学习笔记知识点详解 #### 一、IBATIS简介 iBatis是一个用于Java的数据持久化框架,类似于Hibernate、JDO和EJB等技术。它的主要特点是将对象映射为SQL语句,这使得开发人员可以更加灵活地控制SQL的执行,...
### ibatis 学习小结笔记 #### 一、ibatis 概述 ibatis 是一个基于 Java 的持久层框架,它提供了一种简便的方式来处理关系型数据库与 Java 对象之间的映射(O/R Mapping)。ibatis 在设计上强调的是 SQL 语句的...
【SQL注入漏洞与SQLmap工具】 SQL注入是一种常见的网络安全漏洞,攻击者通过在Web表单中插入恶意SQL语句,欺骗服务器执行非预期的数据库操作。这种漏洞可能导致数据泄露、非法权限获取,甚至整个数据库系统的瘫痪。...
此系列文章是本人关于学习 Web/Cloud/Docker 安全、渗透测试、安全建设等时记录的一些笔记,部分原创,部分是对网上文章的理解整理。如果可以找到原始参考链接时则会在文末贴出(如 乌云很多链接已失效,或者记不起...