Teaching sqlmap to use an already found injection
Prologue:
I found a SQL injection in my own old private application. The injection is possible thanks to an older version of Hibernate and the setComment(format("my comment. User input is: %s",userInput));
The rendered query looks like this:
/* my comment. User input is: foo */
select a, b, c, d, e, f, h, i, j, k, l from cooltable where a = 'FOO' and ....
An injection could look like this:
userInput = "*/ select pg_sleep(42); /*"
The response results in a 302 redirect to the error page.
I would like to use sqlmap to further exploit this injection. I can see within the database log that sqlmap tries its best, but it cannot find any injection point:
sqlmap -r fromburp.txt --dbms=obfuscatedForStackeOverflow --level 5 --proxy http://localhost:8080
Question:
How can I teach sqlmap to find the injection?
Additional thoughts:
I think sqlmap cannot find the injection, because it mostly looks for injections into the where clause. I didn't find any request that would try to end a comment like in this example.
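To make the mechanism described in the question concrete, here is an added Python illustration (it is neither the asker's code nor Hibernate's): it renders the comment the way the question describes, lists which statements end up outside the comment, and contrasts that with the allowlist check a defender would apply before letting user text near a query comment. The base query and the allowlist are constructed assumptions.

```python
import re
from typing import List

# Constructed sample, mirroring the shape of the query shown in the question.
BASE_QUERY = "select a, b, c, d, e, f, h, i, j, k, l from cooltable where a = 'FOO'"
COMMENT_TEMPLATE = "my comment. User input is: %s"

# Hypothetical allowlist for text that may appear inside a query comment.
# It deliberately excludes '*' and '/', so "*/" can never be formed.
COMMENT_ALLOWLIST = re.compile(r"[A-Za-z0-9 _.,:@-]*\Z")


def render_query(user_input: str, base_query: str = BASE_QUERY) -> str:
    """Illustrate how a comment set via setComment() ends up in the SQL text:
    the comment is wrapped in /* ... */ and prepended to the statement.
    This is a plain-string model of the behaviour the question describes."""
    return "/* %s */\n%s" % (COMMENT_TEMPLATE % user_input, base_query)


def statements_outside_comments(sql: str) -> List[str]:
    """Remove /* ... */ block comments (an unterminated comment swallows the
    rest of the text) and return the non-empty statements that remain."""
    stripped = re.sub(r"/\*.*?(\*/|\Z)", " ", sql, flags=re.S)
    return [s.strip() for s in stripped.split(";") if s.strip()]


def comment_breaks_out(user_input: str, base_query: str = BASE_QUERY) -> bool:
    """Defender's check: does this input change what the database would see
    outside the comment? Anything other than the original statement counts."""
    rendered = render_query(user_input, base_query)
    return statements_outside_comments(rendered) != [base_query]


def render_query_hardened(user_input: str, base_query: str = BASE_QUERY) -> str:
    """Hardened variant: refuse any comment text outside the allowlist instead
    of trusting the surrounding /* */ to contain it."""
    if not COMMENT_ALLOWLIST.fullmatch(user_input):
        raise ValueError("comment text contains characters outside the allowlist")
    return render_query(user_input, base_query)


if __name__ == "__main__":
    payload = "*/ select pg_sleep(42); /*"  # the input quoted in the question
    print(statements_outside_comments(render_query("foo")))
    print(statements_outside_comments(render_query(payload)))
    print(comment_breaks_out(payload))
```

With the payload from the question, the rendered text carries two statements outside the comment: the injected one and the original query (the trailing `/*` only neutralises the template's own `*/`).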