The idea of sqlmap processing sign encryption
我对公司的APP进行测试的时候发现,我们是将所有的参数内容加上一个32位字符最后在进行MD5加密。由于APP处理的流程首先是验证sign是不是正确,如果验签失败,根本就进不去数据库,为了要使用SQLMAP对其进行测试,于是就写了一个代理数据的脚本,在拦截到数据包之后,对其参数内容和32字符进行加密替换。
注:该脚本适用于公司内部系统,因为能够知道加密的流程;或者能够拿到前端JS的加密方式。
首先我使用Django写了一个程序来模拟公司的系统,流程是获取POST的id和token,并加上自定义加密的字符,由于Django获取到数据是已经经过URLDECODE,所以我用了quote对参数id的内容进行URLENCODE,再进行MD5加密,最后验证请求过来的token是否和参数内容一致。
views.py
from django.shortcuts import render
from django.http import JsonResponse
# Create your views here.
import hashlib
import MySQLdb
import urllib
from django.views.decorators.csrf import csrf_exempt
@csrf_exempt
def index(request):
id = request.POST.get("id")
token = request.POST.get("token")
str = urllib.quote(id+"test")
print(str)
hl = hashlib.md5()
hl.update(str)
token1 = hl.hexdigest()
print token1
if token == token1:
db = MySQLdb.connect("localhost", "root", "123456", "testdb", charset='utf8')
cursor = db.cursor()
cursor.execute("select * from t_userinfo where id="+id)
data = cursor.fetchone()
print "Database version : %s " % data
db.close()
return JsonResponse({"msg":"verity ok"})
else:
return JsonResponse({"msg":"verity error."})
models.py
class userinfo(models.Model):
name = models.CharField(max_length=100)
age = models.CharField(max_length=100)使用BP进行抓包,可以看到当验证正确和验证错误返回的状态。
使用SQLMAP进行测试,发现无法测试。
于是我使用mitmproxy,mitmproxy是一个交互式的中间代理HTTP和HTTPS的控制台界面,具体详情可以看这里。
如果要修改的话,只修改wsproxy_request_handle函数,因为这个函数是拦截数据并且篡改数据的过程,其他的代码都是配置过程和运行过程,不用修改。
from mitmproxy.proxy.server import ProxyServer
from mitmproxy import flow, controller
from mitmproxy import flow, proxy, controller, options
import hashlib
import re
def md5cr(str):
hl = hashlib.md5()
hl.update(str.encode(encoding='utf-8'))
return hl.hexdigest()
class WSProxy(flow.FlowMaster):
def __init__(self, opts, server, state, unsave_data):
super(WSProxy, self).__init__(opts, server, state)
self.unsave_data = unsave_data
def run(self):
try:
print("start")
flow.FlowMaster.run(self)
except KeyboardInterrupt:
self.shutdown()
@controller.handler
def request(self, f):
wsproxy_request_handle(f)
@controller.handler
def response(self, f):
wsproxy_response_handle(f)
# parser = ResponseParser(f)
# insert_result(parser.parser_data())
def wsproxy_request_handle(flow):
"""wyproxy send data to server before processing"""
try:
data = flow.request.content.split("&")
t = ""
for i in data:
if i.split("=")[0] != "token":
t = t+i.split("=")[1]
str = t+"test"
sign = md5cr(str)
print(str)
data1 = re.match("(.*?)token=",flow.request.content).group()
flow.request.content = data1+sign
print(flow.request.content)
except IndexError:
pass
def wsproxy_response_handle(flow):
pass
port = 8888 #
mode = 'regular' #mode=regular
opts = options.Options(
listen_port=int(port),
mode=mode,
cadir="./ssl/",
)
unsave_data = False
config = proxy.ProxyConfig(opts)
state = flow.State()
server = ProxyServer(config)
m = WSProxy(opts, server, state, unsave_data)
m.run()运行上面的脚本使用SQLMAP代理到上http://IP:8888上面,然后脚本会自动处理sqlmap的payload和生成对应的sign。
python sqlmap.py -r e:\\1.txt -p id --dbms=mysql --batch --proxy=http://192.168.1.240:8888
上面是生成payload和sign的过程,下面是我请求一个payload报错的过程。
The above is the detailed content of The idea of sqlmap processing sign encryption. For more information, please follow other related articles on the PHP Chinese website!
Hot AI Tools
Undresser.AI Undress
AI-powered app for creating realistic nude photos
AI Clothes Remover
Online AI tool for removing clothes from photos.
Undress AI Tool
Undress images for free
Clothoff.io
AI clothes remover
AI Hentai Generator
Generate AI Hentai for free.
Hot Article
Hot Tools
Notepad++7.3.1
Easy-to-use and free code editor
SublimeText3 Chinese version
Chinese version, very easy to use
Zend Studio 13.0.1
Powerful PHP integrated development environment
Dreamweaver CS6
Visual web development tools
SublimeText3 Mac version
God-level code editing software (SublimeText3)
Hot Topics
1378
52
How to use the SIGN function in Excel to determine the sign of a value
May 07, 2023 pm 10:37 PM
The SIGN function is a very useful function built into Microsoft Excel. Using this function you can find out the sign of a number. That is, whether the number is positive. The SIGN function returns 1 if the number is positive, -1 if the number is negative, and zero if the number is zero. Although this sounds too obvious, if you have a large column containing many numbers and we want to find the sign of all the numbers, it is very useful to use the SIGN function and get the job done in a few seconds. In this article, we explain 3 different methods on how to easily use the SIGN function in any Excel document to calculate the sign of a number. Read on to learn how to master this cool trick. start up
Sample analysis of Sqlmap automated injection
May 13, 2023 pm 03:31 PM
Use sqlmap to automate injection into dvwa, set the dvwa level to low, open dvwa's SQLInjection (SQLInjection(Blind)), open browser debugging, enter the userid and submit, and view the intercepted requests. You can see that it is a GET request, the url "http://192.168.1.222:8089/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" We put it directly into salmap to test it, use the -u command -u"http ://192.168.1.22
How to analyze problems with sqlmap
May 27, 2023 pm 01:07 PM
0x00 Overview Recently, I encountered a strange phenomenon when using sqlmap injection testing. The higher version of sqlmap cannot detect the injection, but the lower version can detect the injection, and the data can be run out, which is not a false positive. After comparative testing and viewing the sqlmap source code, Found two small holes. 0x01 scenario reproduction injection point format: json..."whereparams":[{"name":"keyWord","value":"test"}]} Injectable parameters: valuesqlmap command: pythonsqlmap.py-rsqlpk.txt– flush-session-vvsqlmapv1.2.11 cannot inject s
How to analyze SQLMap and SQLi injection defense
May 11, 2023 pm 06:37 PM
Part One: Using Sqlmap 1.1 Introduction to sqlmap 1. I mentioned some basic statements of sql injection, but manual injection is very troublesome. We can use sqlmap, a powerful sql injection tool, to obtain data. 2. Introduction to sqlmap (1)# sqlmap is an open source penetration testing tool that can automatically detect and exploit SQL injection vulnerabilities and servers connected to the database. It has a very powerful detection engine, a penetration tester with multiple features, access the underlying file system through database fingerprinting and execute commands over an out-of-band connection. Official website: sqlmap.org(2)#Supported databases: MySQL, Oracle, PostgreS
What is the onion mode proxy of SQLMAP?
May 26, 2023 am 09:56 AM
Because it is necessary to conduct penetration testing on external websites, most websites have access frequency control. Once this frequency is exceeded, the IP will be banned directly. Especially when SQLMAP is running, it is even more "aunty red", and an error is reported and exited before SQLMAP is finished running. So I started to study the proxy mode of SQLMAP. SQLMAP has two proxy modes, one is a normal proxy (HTTP proxy) and the other is an onion proxy. I originally wanted to write about the application of ordinary agents, but Baidu saw that this article was detailed enough and stopped talking nonsense. Sqlmap extension - External IP proxy pool implementation Let’s focus on the onion proxy. At the beginning, when onion was used directly for injection, there was no “aunt red” report. Later, as the number of penetrated websites increased,
How to implement analysis of sqlmap time-based inject
May 12, 2023 pm 12:10 PM
1. Preface How to detect SQL injection? My answer is: When Party A is doing security, SQL injection detection is relatively easy to do. 1) Error injection detection. 2) Don’t inject bool error reports as false positives are relatively high. 3) Do time-based time injection, contact operation and maintenance to do slow log db recording, monitor sleep, and benchmark keyword monitoring. You can add the ID number of the scanning task to the decimal point of the sleep time to facilitate positioning. (p.s. This method can find 99% of SQL injections) Therefore, when doing time-based time injection, I limit the time error very harshly. However, @chengable is doing security-related work in Party B, based on t
What is the sqlmap _dns injection configuration method?
May 12, 2023 pm 12:25 PM
There are too few related articles on dns injection for sqlmap on the Internet. They only briefly introduce the --dns-domain parameter. The relevant practical articles are either vague or mentioned in one stroke, which is confusing (mainly dishonest, the key is not yet Big boss). Then I did it again by referring to the methods on the Internet. Things that need to be prepared include one sqlmap, windows blind injection, two domain names, and an external network server. One time when I was doing something, I came across a time blind injection. It happened to be a Windows machine, and I remembered the method of dns injection. Before starting, I plan to use the --sql-shell command of sqlmap to test the dns injection payload. First, go to burpsuite.
The idea of sqlmap processing sign encryption
May 14, 2023 am 11:52 AM
When I tested the company's APP, I found that we added a 32-bit character to all parameter contents and finally performed MD5 encryption. Since the APP processing process first verifies whether the sign is correct, if the signature verification fails, it will not be able to enter the database at all. In order to use SQLMAP to test it, I wrote a script for proxy data. After intercepting the data packet , perform encrypted replacement of its parameter content and 32 characters. Note: This script is suitable for the company's internal system, because you can know the encryption process; or you can get the encryption method of the front-end JS. First, I wrote a program using Django to simulate the company's system. The process was to obtain the POST ID and token, and add a custom encrypted word.
