0x00 Foreword
Because yet to find a more suitable tool for batch testing sql injection point (proxy + batch sql injection detection sqlmapapi way batch testing and the like), my eyes turned to sqlmap. Although sqlmap not support pseudo-static test injection point (need to manually add injection mark), because it is written in python, it can be quickly and easily for secondary development.
0x01 ideas
My idea is to modify the url .html suffix like .html or neither or contain "?" Is.
Pseudo-static injection point generally in the numbers, so I would add injected mark after the number. Pseudo-static string to engage, and engage in a lot of the workload will be added.
Test with the following URL
#!bash
http://www.site.com/index.php/index/id/14
http://www.site.com/index.php/newsContent/id/341.html
http://www.site.com/show/?29-575.html
The results are as follows
#!bash
http://www.site.com/index.php/index/id/14*
http://www.site.com/index.php/newsContent/id/341*.html
http://www.site.com/show/?29*-575*.html
code show as below:
#!python
if re.search('html|htm|sthml',url) or url.find("?") == -1:
flag = 0
suffix = ""
if re.search('html|htm|sthml',url):
suffix = "." + re.search('html|htm|sthml',url).group()
urlList = url.split("/")
returnList = []
for i in urlList:
i = re.sub('\.html|\.htm','', i)
if i.isdigit():
returnList.append(i + "*")
flag = 1
else:
returnList.append(i)
url = '/'.join(returnList) + suffix
returnList = []
if flag == 0:
for i in urlList:
if re.search('html|htm|sthml',i):
digitList = re.findall('\d+',i)
for digit in digitList:
i = i.replace(digit, digit + "*")
returnList.append(i)
else:
returnList.append(i)
url = '/'.join(returnList)
print url
0x02 sqlmap support automatic detection of a single pseudo-static
Related documents
- https://github.com/sqlmapproject/sqlmap/blob/master/sqlmap.py
- https://github.com/sqlmapproject/sqlmap/blob/master/lib/controller/controller.py
- https://github.com/sqlmapproject/sqlmap/blob/master/lib/core/target.py
Process
Sqlmap.py 116行start()->controller.py 256行setupTargetEnv()->target.py 72行_setRequestParams()->target.py 117行
#!python
if kb.processUserMarks is None and CUSTOM_INJECTION_MARK_CHAR in conf.data:
message = "custom injection marking character ('%s') found in option " % CUSTOM_INJECTION_MARK_CHAR
message += "'--data'. Do you want to process it? [Y/n/q] "
test = readInput(message, default="Y")
if test and test[0] in ("q", "Q"):
raise SqlmapUserQuitException
else:
kb.processUserMarks = not test or test[0] not in ("n", "N")
if kb.processUserMarks:
kb.testOnlyCustom = True
Here detecting whether the injection mark.
After completion of sqlmap get all the information you specified, before beginning formal detect whether there is injected, detects whether the injection marks ' *
', if any, on the first point of this process is injected labeled for testing.
This injection understand the process mark, as long as the deal before _setRequestParams function call URL, you can support automatic injection of pseudo-static testing.
As long as the added line 260
#!python
if re.search('html|htm|sthml',conf.url) or conf.url.find("?") == -1:
flag = 0
suffix = ""
if re.search('html|htm|sthml',conf.url):
suffix = "." + re.search('html|htm|sthml',conf.url).group()
urlList = conf.url.split("/")
returnList = []
for i in urlList:
i = re.sub('\.html|\.htm','', i)
if i.isdigit():
returnList.append(i + "*")
flag = 1
else:
returnList.append(i)
conf.url = '/'.join(returnList) + suffix
returnList = []
if flag == 0:
for i in urlList:
if re.search('html|htm|sthml',i):
digitList = re.findall('\d+',i)
for digit in digitList:
i = i.replace(digit, digit + "*")
returnList.append(i)
else:
returnList.append(i)
conf.url = '/'.join(returnList)
logger.info(conf.url)
that's it.
Renderings
Here are just a single, batch testing to support the injection point. Modify here is not enough.
0x03 sqlmap support batch automatically detect the pseudo-static
Relevant documents
https://github.com/sqlmapproject/sqlmap/blob/master/lib/core/option.py
583 line at
#!python
for line in getFileItems(conf.bulkFile):
if re.match(r"[^ ]+\?(.+)", line, re.I) or CUSTOM_INJECTION_MARK_CHAR in line:
found = True
kb.targets.add((line.strip(), conf.method, conf.data, conf.cookie, None))
Read the file line by line inside the url. As long as there is a question mark to match "?" Or have injected marked "*" before testing.
Add 583
#!python
if re.search('html|htm|sthml',line) or line.find("?") == -1:
flag = 0
suffix = ""
if re.search('html|htm|sthml',line):
suffix = "." + re.search('html|htm|sthml',line).group()
urlList = line.split("/")
returnList = []
for i in urlList:
i = re.sub('\.html|\.htm','', i)
if i.isdigit():
returnList.append(i + "*")
flag = 1
else:
returnList.append(i)
line = '/'.join(returnList) + suffix
returnList = []
if flag == 0:
for i in urlList:
if re.search('html|htm|sthml',i):
digitList = re.findall('\d+',i)
for digit in digitList:
i = i.replace(digit, digit + "*")
returnList.append(i)
else:
returnList.append(i)
line = '/'.join(returnList)
Renderings: