SQLMAP Part 1 by evil0x00

View this thread on: hive.blog | peakd.com | ecency.com

cn · @evil0x00 · Sep 13 '18

$0.06

SQLMAP Part 1

### <center>SQLMAP Part 1</center>

<center>![](https://cdn.steemitimages.com/DQmQ2LNT1quvZ4ywpQQicSxtHSf6SnVPqbMQv5BqaT8B4wD/image.png)</center>

放上大佬写的一个流程图

<center>![](https://cdn.steemitimages.com/DQmYBaBMZkS2qDxQy9ttL6vAdG2kfaTnYWmwEGZdkfP2CSr/image.png)</center>


em .... 这篇文章 只写自己注入的一个方式 error-based injection

error-based也有叫做DOUBLE QUERY INJECTION,即双查询注入

### <center><B>Error-based tests - WHERE or HAVING clause</B> </center>

payload 如下:

```
AND (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT('[DELIMITER_START]',(SELECT (ELT([RANDNUM]=[RANDNUM],1))),'[DELIMITER_STOP]','x'))s), 8446744073709551610, 8446744073709551610)))
```


其中  

SELECT (ELT([RANDNUM]=[RANDNUM],1))

会返回NULL 如下:

<center>![](https://cdn.steemitimages.com/DQmVned9DgTG5ocw3DSV9rDYsVuvFMy5atZh2ksm5GHJ3JH/image.png)</center>

```
SELECT CONCAT('[DELIMITER_START]',(SELECT (ELT([RANDNUM]=[RANDNUM],1))),'[DELIMITER_STOP]','x')
```


ELT() 函数使用方法如下: 这张图 能很好地解释了

<center>![](https://cdn.steemitimages.com/DQmdACX4Pwek7jK9vBeF4j93ZdER4oTubE4zM2CUDnckrfD/image.png)</center>


CONCAT() 函数 如下:

```
mysql> SELECT CONCAT(’My’, ‘S’, ‘QL’);

-> ‘MySQL’

```

if() 函数用法如下:

```
if(expr1,expr2,expr3) 
如果 expr1 是TRUE ，则if()的返回值为expr2; 否则返回值则为 expr3。
if() 的返回值为数字值或字符串值，具体情况视其所在语境而定。

```

至于为什么会报错 你只要在mysql中 执行如下命令 就可以就明白了:

select 3 * 8446744073709551610;


```
mysql> select 3 * 8446744073709551610;
ERROR 1690 (22003): BIGINT value is out of range in '(3 * 8446744073709551610)'
mysql>
```

👍 root0x00, evil0x00, haiyangdeperci, lynnhua, spammy

`author`	evil0x00
`permlink`	sqlmap-part-1
`category`	cn
`json_metadata`	{"tags":["cn","cn-reader","blog","cn-curation","cn-malaysia"],"image":["https://cdn.steemitimages.com/DQmQ2LNT1quvZ4ywpQQicSxtHSf6SnVPqbMQv5BqaT8B4wD/image.png","https://cdn.steemitimages.com/DQmYBaBMZkS2qDxQy9ttL6vAdG2kfaTnYWmwEGZdkfP2CSr/image.png","https://cdn.steemitimages.com/DQmVned9DgTG5ocw3DSV9rDYsVuvFMy5atZh2ksm5GHJ3JH/image.png","https://cdn.steemitimages.com/DQmdACX4Pwek7jK9vBeF4j93ZdER4oTubE4zM2CUDnckrfD/image.png"],"app":"steemit/0.1","format":"markdown"}
`created`	2018-09-13 09:32:24
`last_update`	2018-09-13 09:32:24
`depth`	0
`children`	3
`last_payout`	2018-09-20 09:32:24
`cashout_time`	1969-12-31 23:59:59
`total_payout_value`	0.050 HBD
`curator_payout_value`	0.005 HBD
`pending_payout_value`	0.000 HBD
`promoted`	0.000 HBD
`body_length`	1,464
`author_reputation`	106,257,240,660
`root_title`	"SQLMAP Part 1"
`beneficiaries`	`[]`
`max_accepted_payout`	1,000,000.000 HBD
`percent_hbd`	10,000
`post_id`	71,161,462
`net_rshares`	51,293,978,629
`author_curate_reward`	""

properties (23)vote details (5)

voter	rshares	pct
haiyangdeperci	6,942,235,660	20%
evil0x00	16,892,421,460	100%
root0x00	26,797,366,576	100%
lynnhua	610,390,398	100%
spammy	51,564,535	20%

@lynnhua · Sep 13 '18

Hi ~ I'm a robot of lynnhua.I just upvoted your post! 
 Please come visit me here: https://steemit.com/@lynnhua 
 Thanks so much~!!

properties (22)

`author`	lynnhua
`permlink`	re-sqlmap-part-1-20180913t100040
`category`	cn
`json_metadata`	"{"app": "piston-lib/0.5.7"}"
`created`	2018-09-13 10:00:42
`last_update`	2018-09-13 10:00:42
`depth`	1
`children`	1
`last_payout`	2018-09-20 10:00:42
`cashout_time`	1969-12-31 23:59:59
`total_payout_value`	0.000 HBD
`curator_payout_value`	0.000 HBD
`pending_payout_value`	0.000 HBD
`promoted`	0.000 HBD
`body_length`	133
`author_reputation`	38,886,868,214
`root_title`	"SQLMAP Part 1"
`beneficiaries`	`[]`
`max_accepted_payout`	1,000,000.000 HBD
`percent_hbd`	10,000
`post_id`	71,163,231
`net_rshares`	0

@evil0x00 · Sep 13 '18

$0.05

thanks

👍 root0x00, evil0x00

`author`	evil0x00
`permlink`	re-lynnhua-re-sqlmap-part-1-20180913t100040-20180913t113203039z
`category`	cn
`json_metadata`	{"tags":["cn"],"app":"steemit/0.1"}
`created`	2018-09-13 11:32:06
`last_update`	2018-09-13 11:32:06
`depth`	2
`children`	0
`last_payout`	2018-09-20 11:32:06
`cashout_time`	1969-12-31 23:59:59
`total_payout_value`	0.035 HBD
`curator_payout_value`	0.010 HBD
`pending_payout_value`	0.000 HBD
`promoted`	0.000 HBD
`body_length`	6
`author_reputation`	106,257,240,660
`root_title`	"SQLMAP Part 1"
`beneficiaries`	`[]`
`max_accepted_payout`	1,000,000.000 HBD
`percent_hbd`	10,000
`post_id`	71,169,063
`net_rshares`	42,848,307,230
`author_curate_reward`	""

properties (23)vote details (2)

voter	weight	wgt%	rshares	pct	time
evil0x00	0 B		16,618,080,687	100%
root0x00	0 B		26,230,226,543	100%

@root0x00 · Sep 13 '18

$0.05

我们都是脚本小子

👍 root0x00, evil0x00

`author`	root0x00
`permlink`	re-evil0x00-sqlmap-part-1-20180913t142809478z
`category`	cn
`json_metadata`	{"tags":["cn"],"app":"steemit/0.1"}
`created`	2018-09-13 14:28:18
`last_update`	2018-09-13 14:28:18
`depth`	1
`children`	0
`last_payout`	2018-09-20 14:28:18
`cashout_time`	1969-12-31 23:59:59
`total_payout_value`	0.043 HBD
`curator_payout_value`	0.002 HBD
`pending_payout_value`	0.000 HBD
`promoted`	0.000 HBD
`body_length`	8
`author_reputation`	75,627,896,971
`root_title`	"SQLMAP Part 1"
`beneficiaries`	`[]`
`max_accepted_payout`	1,000,000.000 HBD
`percent_hbd`	10,000
`post_id`	71,183,746
`net_rshares`	41,634,908,502
`author_curate_reward`	""

properties (23)vote details (2)

voter	weight	wgt%	rshares	pct	time
evil0x00	0 B		15,971,821,993	100%
root0x00	0 B		25,663,086,509	100%