SQLmap注入启发式检测算法
1、经过setTargetEnv()就进入了checkWaf()的环节
def checkWaf():
    """
    Reference: http://seclists.org/nmap-dev/2011/q2/att-1005/http-waf-detect.nse

    Heuristic probe for a WAF/IPS/IDS in front of the target.

    Returns None when the check is not applicable for the current options,
    otherwise a boolean verdict. The verdict is persisted in the session
    hashDB so later runs against the same target reuse it instead of
    re-probing.
    """

    # Options that pin the page-comparison method (or run without a live
    # target) make the ratio-based probe meaningless, so it is skipped.
    notApplicable = any((conf.string, conf.notString, conf.regexp, conf.dummy, conf.offline, conf.skipWaf))
    if notApplicable:
        return None

    # A verdict stored by an earlier session is final; only remind the user.
    cached = hashDBRetrieve(HASHDB_KEYS.CHECK_WAF_RESULT, True)
    if cached is not None:
        if cached:
            logger.critical("previous heuristics detected that the target is protected by some kind of WAF/IPS/IDS")
        return cached

    logger.info("checking if the target is protected by some kind of WAF/IPS/IDS")

    # The probe is a throwaway GET parameter carrying the canned check payload,
    # appended after the existing GET parameters when there are any.
    probe = "%d %s" % (randomInt(), IDS_WAF_CHECK_PAYLOAD)
    existingGet = conf.parameters.get(PLACE.GET)
    value = (existingGet + DEFAULT_GET_POST_DELIMITER) if existingGet else ""
    value += agent.addPayloadDelimiters("%s=%s" % (randomStr(), probe))

    # Shorten the request timeout for the probe only; the previous value is
    # restored in the finally block whatever happens.
    pushValue(conf.timeout)
    conf.timeout = IDS_WAF_CHECK_TIMEOUT

    try:
        response = Request.queryPage(place=PLACE.GET, value=value, getRatioValue=True, noteResponseTime=False, silent=True)
        # Verdict: the probe response differs from the original page by more
        # than the allowed ratio (a block page instead of the normal content).
        detected = response[1] < IDS_WAF_CHECK_RATIO
    except SqlmapConnectionException:
        # A connection that fails/drops during the probe counts as a positive
        # signal - a device in front of the target may have cut it.
        detected = True
    finally:
        kb.matchRatio = None
        conf.timeout = popValue()

    if detected:
        logger.critical("heuristics detected that the target is protected by some kind of WAF/IPS/IDS")

        # Offer the WAF fingerprinting step unless it was already requested.
        if not conf.identifyWaf:
            question = "do you want sqlmap to try to detect backend WAF/IPS/IDS? [y/N] "
            if readInput(question, default='N', boolean=True):
                conf.identifyWaf = True

        # Only override the timeout when the user left it at the default.
        if conf.timeout == defaults.timeout:
            logger.warning("dropping timeout to %d seconds (i.e. '--timeout=%d')" % (IDS_WAF_CHECK_TIMEOUT, IDS_WAF_CHECK_TIMEOUT))
            conf.timeout = IDS_WAF_CHECK_TIMEOUT

    hashDBWrite(HASHDB_KEYS.CHECK_WAF_RESULT, detected, True)

    return detected
def heuristicCheckSqlInjection(place, parameter):
    """
    Heuristic (basic) pre-test of a single parameter.

    Sends a value containing unbalanced quotes and reports whether the
    response was a recognized DBMS error page; also looks for type-casting
    hints and, with a second probe, for reflected (XSS) and file-inclusion
    error signatures.

    Returns kb.heuristicTest (one of HEURISTIC_TEST.*), or None when a NULL
    connection is in use and the check is skipped.
    """
    if kb.nullConnection:
        # skipped outright under a NULL connection (only a debug line is emitted)
        debugMsg = "heuristic check skipped because NULL connection used"
        logger.debug(debugMsg)
        return None

    origValue = conf.paramDict[place][parameter]
    # Label used in log messages: the HTTP method for non-GET/POST methods,
    # otherwise the injection place itself
    paramType = conf.method if conf.method not in (None, HTTPMETHOD.GET, HTTPMETHOD.POST) else place

    prefix = ""
    suffix = ""
    randStr = ""

    # user-supplied --prefix/--suffix wrap every probe value built below
    if conf.prefix or conf.suffix:
        if conf.prefix:
            prefix = conf.prefix

        if conf.suffix:
            suffix = conf.suffix

    # Draw until the random string contains exactly one single quote and one
    # double quote, so that the quoting of the back-end query is broken no
    # matter which quote type encloses the value.
    while randStr.count('\'') != 1 or randStr.count('\"') != 1:
        randStr = randomStr(length=10, alphabet=HEURISTIC_CHECK_ALPHABET)

    # heuristicMode is raised around the probe request; NOTE(review): the
    # components that read this flag are outside this listing
    kb.heuristicMode = True

    payload = "%s%s%s" % (prefix, randStr, suffix)
    payload = agent.payload(place, parameter, newValue=payload)
    page, _, _ = Request.queryPage(payload, place, content=True, raise404=False)

    # the probe response is kept as the reference page for later tests
    kb.heuristicPage = page
    kb.heuristicMode = False

    parseFilePaths(page)
    # True when the last response was recognized as a DBMS error page
    result = wasLastResponseDBMSError()

    infoMsg = "heuristic (basic) test shows that %s parameter " % paramType
    infoMsg += "'%s' might " % parameter

    def _(page):
        # does the page carry one of the known type-conversion error strings?
        return any(_ in (page or "") for _ in FORMAT_EXCEPTION_STRINGS)

    # Casting is only suspected when the conversion error shows up in the
    # probe response but not in the original page (i.e. the probe caused it)
    casting = _(page) and not _(kb.originalPage)

    # Second-chance probes for numeric, dynamic parameters that produced
    # neither a DBMS error nor a casting hint
    if not casting and not result and kb.dynamicParameter and origValue.isdigit():
        # arithmetic probe "<orig+r>-<r>", which evaluates back to the original
        # value only if the back-end evaluates the expression; NOTE(review):
        # queryPage's boolean return is taken here as "page matches the
        # original" - confirm against Request.queryPage
        randInt = int(randomInt())
        payload = "%s%s%s" % (prefix, "%d-%d" % (int(origValue) + randInt, randInt), suffix)
        payload = agent.payload(place, parameter, newValue=payload, where=PAYLOAD.WHERE.REPLACE)
        result = Request.queryPage(payload, place, raise404=False)

        if not result:
            # "<orig>.<digit><random>": an unchanged page suggests the value is
            # cast to a number before use (trailing characters ignored)
            randStr = randomStr()
            payload = "%s%s%s" % (prefix, "%s.%d%s" % (origValue, random.randint(1, 9), randStr), suffix)
            payload = agent.payload(place, parameter, newValue=payload, where=PAYLOAD.WHERE.REPLACE)
            casting = Request.queryPage(payload, place, raise404=False)

    # casting takes precedence over the DBMS-error verdict
    kb.heuristicTest = HEURISTIC_TEST.CASTED if casting else HEURISTIC_TEST.NEGATIVE if not result else HEURISTIC_TEST.POSITIVE

    if casting:
        errMsg = "possible %s casting " % ("integer" if origValue.isdigit() else "type")
        errMsg += "detected (e.g. \"$%s=intval($_REQUEST['%s'])\") " % (parameter, parameter)
        errMsg += "at the back-end web application"
        logger.error(errMsg)

        # ask only once per run (kb.ignoreCasted stays None until answered);
        # the default leans towards skipping when scanning multiple targets
        if kb.ignoreCasted is None:
            message = "do you want to skip those kind of cases (and save scanning time)? %s " % ("[Y/n]" if conf.multipleTargets else "[y/N]")
            kb.ignoreCasted = readInput(message, default='Y' if conf.multipleTargets else 'N', boolean=True)

    elif result:
        infoMsg += "be injectable"
        # the DBMS name is only a hint parsed from the error page
        if Backend.getErrorParsedDBMSes():
            infoMsg += " (possible DBMS: '%s')" % Format.getErrorParsedDBMSes()
        logger.info(infoMsg)

    else:
        infoMsg += "not be injectable"
        logger.warn(infoMsg)

    # Non-SQLi probes (XSS / file inclusion) against the same parameter
    kb.heuristicMode = True

    # marker: random prefix + canned appendix + random suffix, led by a quote
    randStr1, randStr2 = randomStr(NON_SQLI_CHECK_PREFIX_SUFFIX_LENGTH), randomStr(NON_SQLI_CHECK_PREFIX_SUFFIX_LENGTH)
    value = "%s%s%s" % (randStr1, DUMMY_NON_SQLI_CHECK_APPENDIX, randStr2)
    payload = "%s%s%s" % (prefix, "'%s" % value, suffix)
    payload = agent.payload(place, parameter, newValue=payload)
    page, _, _ = Request.queryPage(payload, place, content=True, raise404=False)

    # same expression as above (recomputed)
    paramType = conf.method if conf.method not in (None, HTTPMETHOD.GET, HTTPMETHOD.POST) else place

    # marker reflected verbatim (case-insensitive) -> possible XSS; this is a
    # hint only, no encoding/context analysis is done here
    if value.lower() in (page or "").lower():
        infoMsg = "heuristic (XSS) test shows that %s parameter " % paramType
        infoMsg += "'%s' might be vulnerable to cross-site scripting attacks" % parameter
        logger.info(infoMsg)

    # a file-inclusion error message echoing the random prefix -> possible FI
    for match in re.finditer(FI_ERROR_REGEX, page or ""):
        if randStr1.lower() in match.group(0).lower():
            infoMsg = "heuristic (FI) test shows that %s parameter " % paramType
            infoMsg += "'%s' might be vulnerable to file inclusion attacks" % parameter
            logger.info(infoMsg)
            break

    kb.heuristicMode = False

    return kb.heuristicTest
首先是对sql注入的检测
# baseline probe: the random string (exactly one ' and one ") wrapped in the
# user-supplied prefix/suffix; its response page becomes kb.heuristicPage
payload = "%s%s%s" % (prefix, randStr, suffix)
randStr就是随机生成的可导致sql语句因闭合问题而报错的字符,这个payload不是用来注入的,而是将其产生的页面作为启发式注入标准页面(kb.heuristicPage),与不注入产生的正常页面(kb.originalPage)作为一个基准性对比。
接下来是一个关键变量casting
# a casting hint only when the conversion-error string is new, i.e. present in
# the probe response but absent from the original page
casting = _(page) and not _(kb.originalPage)
_()函数如下
def _(page):
    # True when the page contains any of the known type-conversion error strings
    return any(_ in (page or "") for _ in FORMAT_EXCEPTION_STRINGS)
FORMAT_EXCEPTION_STRINGS 是一些在Web服务中常见的sql语句关于变量类型出错的报错
('Type mismatch', 'Error converting', 'Conversion failed', 'String or binary data would be truncated', 'Failed to convert', 'unable to interpret text value', 'Input string was not in a correct format', 'System.FormatException', 'java.lang.NumberFormatException', 'ValueError: invalid literal', 'DataTypeMismatchException', 'CF_SQL_INTEGER', ' for CFSQLTYPE ', 'cfqueryparam cfsqltype', 'InvalidParamTypeException', 'Invalid parameter type', 'is not of type numeric', '<cfif Not IsNumeric(', 'invalid input syntax for integer', 'invalid input syntax for type', 'invalid number', 'character to number conversion error', 'unable to interpret text value', 'String was not recognized as a valid', 'Convert.ToInt', 'cannot be converted to a ', 'InvalidDataException')
casting为false就代表这种注入样例因为变量类型不统一而无法使用,所以用户可以选择跳过这些样例
第二个关键变量 result
1
|
result = wasLastResponseDBMSError() |
函数如下
def wasLastResponseDBMSError():
    """
    Returns True if the last web request resulted in a (recognized) DBMS error page

    The check is per request: the recorded error page must belong to the
    request UID of the most recent request. When no error page has been
    recorded the (falsy) value of lastErrorPage itself is returned.
    """
    data = getCurrentThreadData()
    errorPage = data.lastErrorPage
    if not errorPage:
        return errorPage
    return errorPage[0] == data.lastRequestUID
如果启发式注入标准页面是可识别的,则返回true,否则返回false
这也作为sqlmap启发性测试结果的标志,为true就代表可能存在注入,为false就可能不存在注入
接下来就是对于非sql注入漏洞的检测,sqlmap会随机生成可引发其他类型漏洞报错的字符,然后进行注入测试,在sqlmap源码中可以看出除了sql注入,还测试了xss与文件包含漏洞
1、内部类,java编译器生成的内部类的字节码文件的名字和通常的不同,内部类对应的字节码文件名字的格式是“外嵌类名$内部类类名”,如果将内部类添加修饰词static,则可以这样调用, RedCowForm.RedCow redCow=new RedCowForm.RedCow(122,232,333);
public class NeiBuLai {
    /**
     * Demo of a static nested class: RedCowForm.RedCow is instantiated through
     * the enclosing class name, without an enclosing RedCowForm instance.
     */
    public static void main(String[] args) {
        RedCowForm redCowForm = new RedCowForm("德纳司");
        redCowForm.showMessage();
        // the nested class is addressed as Outer.Inner; the object is not used further
        RedCowForm.RedCow nested = new RedCowForm.RedCow(122, 232, 333);
    }
}
class RedCowForm {
    /** Shared by all forms: the name printed by every RedCow.speak(). */
    static String formName;
    /** The cow shown by this form; only the String constructor sets it. */
    RedCow cow;

    /** Leaves {@code cow} null; showMessage() on such a form would throw NullPointerException. */
    RedCowForm() {
    }

    /** Creates a default cow (12, 23, 34) and records {@code s} as the shared form name. */
    RedCowForm(String s) {
        formName = s;
        this.cow = new RedCow(12, 23, 34);
    }

    /** Delegates to the cow's speak(). */
    public void showMessage() {
        this.cow.speak();
    }

    /**
     * Static nested class: it is addressed as RedCowForm.RedCow and needs no
     * enclosing instance, yet it can still read the enclosing class's static
     * field formName.
     */
    static class RedCow {
        String cowName = "bed wos";
        int height;
        int weight;
        int price;

        /** @param h height, @param w weight, @param p price - stored as given. */
        RedCow(int h, int w, int p) {
            this.height = h;
            this.weight = w;
            this.price = p;
        }

        /** Prints name, height, weight and the static form name on one line. */
        void speak() {
            String line = "mingzi" + cowName + "shenggao" + height + "tizhong" + weight + "shenghuozai" + formName;
            System.out.println(line);
        }
    }
}
2、匿名类:匿名类继承父类的方法,也可以重写父类的方法,匿名类必须是内部类。用匿名类创建对象时直接使用父类的构造方法。
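public class NiMingLei {
    /**
     * Demo of anonymous classes: both calls hand a subclass of the abstract
     * OutPutAlphabet to ShowBoard.showMessge(), the second one defined inline.
     */
    public static void main(String[] args) {
        ShowBoard board = new ShowBoard();
        // a named subclass of OutPutAlphabet
        board.showMessge(new OutPutEnglish());
        // an anonymous subclass of OutPutAlphabet (created with the parent's
        // constructor); the listing spelled the class "OutPutAlphabe", which
        // does not exist and did not compile
        board.showMessge(new OutPutAlphabet() {
            public void output() {
                // NOTE: '@' (64) is already greater than '*' (42), so this loop
                // body never runs and nothing is printed - the bounds look wrong
                for (char c = '@'; c < '*'; c++)
                    System.out.printf("%3c", c);
            }
        });
    }
}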
abstract class OutPutAlphabet{
public abstract void output();
}
/** Prints the lower-case letters 'a' .. 'y', each right-aligned in a 3-wide field. */
class OutPutEnglish extends OutPutAlphabet {
    /** Note the exclusive bound: 'z' itself is never printed. */
    public void output() {
        for (int code = 'a'; code < 'z'; code++) {
            System.out.printf("%3c", (char) code);
        }
    }
}
/** Runs whatever OutPutAlphabet it is given; the caller picks the implementation. */
class ShowBoard {
    /** @param show the printer to run (may be an anonymous subclass) */
    void showMessge(OutPutAlphabet show) {
        show.output();
    }
}
3、接口匿名类
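public class JieKouNiMIng {
    /**
     * Demo of anonymous classes implementing an interface.
     *
     * The original listing put each println into a misspelled method
     * "spaek()" and left the real speak() override empty, so turnON() printed
     * nothing; the greeting now lives in speak(), the method HelloMachine
     * actually calls.
     */
    public static void main(String[] args) {
        HelloMachine machine = new HelloMachine();
        machine.turnON(new SpeakHello() {
            @Override
            public void speak() {
                System.out.println("Hello ,you are wellcome");
            }
        });
        machine.turnON(new SpeakHello() {
            @Override
            public void speak() {
                System.out.println("Hello ");
            }
        });
    }
}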
/** A single-method interface; HelloMachine.turnON() calls speak() on whatever implements it. */
interface SpeakHello {
    /** Emits the greeting. */
    void speak();
}
/** Invokes the speak() of any SpeakHello handed to it. */
class HelloMachine {
    /** @param hello the implementation to run; only speak() is called */
    public void turnON(SpeakHello hello) {
        hello.speak();
    }
}
4、异常类的处理以及自定义异常类使用