mirror of
https://github.com/sqlmapproject/sqlmap.git
synced 2026-07-03 06:51:08 +00:00
Updated Techniques (markdown)
parent
116956ec47
commit
802c2e72f8
1 changed file with 10 additions and 1 deletion
@ -1,6 +1,6 @@
# Techniques
sqlmap is able to detect and exploit five different SQL injection **types**:
sqlmap is able to detect and exploit six different SQL injection **types**:
* **Boolean-based blind**: sqlmap replaces or appends to the affected parameter in the HTTP request, a syntactically valid SQL statement string containing a `SELECT` sub-statement, or any other SQL statement whose the user want to retrieve the output. For each HTTP response, by making a comparison between the HTTP response headers/body with the original request, the tool inference the output of the injected statement character by character. Alternatively, the user can provide a string or regular expression to match on True pages. The bisection algorithm implemented in sqlmap to perform this technique is able to fetch each character of the output with a maximum of seven HTTP requests. Where the output is not within the clear-text plain charset, sqlmap will adapt the algorithm with bigger ranges to detect the output.
* **Time-based blind**: sqlmap replaces or appends to the affected parameter in the HTTP request, a syntactically valid SQL statement string containing a query which put on hold the back-end DBMS to return for a certain number of seconds. For each HTTP response, by making a comparison between the HTTP response time with the original request, the tool inference the output of the injected statement character by character. Like for boolean-based technique, the bisection algorithm is applied.
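Review bot: the count change from "five" to "six" on the intro line is consistent with the single new bullet (`* **Inline queries**`) that the second hunk of this commit adds to the SQL injection list, so the number itself is right; since this paragraph is being touched anyway, the pre-existing grammar in the unchanged context lines is worth fixing in the same commit, in particular "or any other SQL statement whose the user want to retrieve the output" (should read "or any other SQL statement whose output the user wants to retrieve") and "the tool inference the output of the injected statement" in both the boolean-based and time-based bullets (should read "the tool infers the output"), as those lines stay in the rendered wiki page.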
@ -8,3 +8,12 @@ sqlmap is able to detect and exploit five different SQL injection **types**:
* **UNION query-based**: sqlmap appends to the affected parameter a syntactically valid SQL statement starting with an `UNION ALL SELECT`. This technique works when the web application page passes directly the output of the `SELECT` statement within a `for` loop, or similar, so that each line of the query output is printed on the page content. sqlmap is also able to exploit **partial (single entry) UNION query SQL injection** vulnerabilities which occur when the output of the statement is not cycled in a `for` construct, whereas only the first entry of the query output is displayed.
* **Stacked queries**, also known as **piggy backing**: sqlmap tests if the web application supports stacked queries and then, in case it does support, it appends to the affected
parameter in the HTTP request, a semi-colon (`;`) followed by the SQL statement to be executed. This technique is useful to run SQL statements other than `SELECT`, like for instance, **data definition** or **data manipulation** statements, possibly leading to file system read and write access and operating system command execution depending on the underlying back-end database management system and the session user privileges.
* **Inline queries**: sqlmap embeds the injected statement inside the original (sub)query (e.g. `SELECT (SELECT <injected>) FROM ...`), so that the output of the embedded statement is returned in-band within the page response. This is useful when the affected parameter sits in a position where a nested `SELECT` is evaluated and reflected.
Besides classic SQL injection, sqlmap is also able to detect and exploit several other server-side injection **types**. Each one is self-contained: it confirms the injection and extracts what that particular vector can reach, so the database, table, user and banner enumeration described for SQL injection does not apply to these.
* **NoSQL injection**: sqlmap injects operators (MongoDB and CouchDB `$`-operators), Lucene `query_string` syntax (Elasticsearch and Solr), Cypher/N1QL/AQL string break-outs and MongoDB `$where` time-based payloads, also catching error-based cases. On a confirmed parameter it dumps the records exposed in-band by an always-true payload and blindly recovers the targeted field character by character.
* **GraphQL injection**: sqlmap locates the GraphQL endpoint, recovers the schema through introspection or, when introspection is disabled, through field-suggestion inference, enumerates the injectable query and mutation argument slots, confirms a boolean-based oracle, exposes in-band data, fingerprints the back-end database management system and dumps the reachable tables.
* **LDAP injection**: sqlmap breaks out of the application's LDAP search filter and recovers directory attributes character by character through a boolean-based oracle.
* **XPath injection**: sqlmap breaks out of an XPath/XQuery expression and walks the back-end XML document blindly, retrieving its content character by character.
* **Server-Side Template Injection**: sqlmap fingerprints the underlying template engine (such as Jinja2, Mako, Twig, ERB, Pug, Handlebars, Thymeleaf, FreeMarker and Velocity) and, where the engine allows it, executes arbitrary operating system commands on the underlying server.
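Review bot: the new intro paragraph for the non-SQL vectors states that "the database, table, user and banner enumeration described for SQL injection does not apply to these", but the GraphQL bullet added three entries later says sqlmap "fingerprints the back-end database management system and dumps the reachable tables", which is exactly that enumeration; either qualify the intro ("does not apply to these, except where noted below") or trim the GraphQL entry so the two lines agree. Secondary point on the `* **Inline queries**` bullet: every other entry in the SQL injection list names the oracle it uses to confirm the injection (response comparison, response timing, output reflected in-band, stacked statement execution), while this one only says the output is "returned in-band within the page response"; one sentence on how that reflected output is matched against the page would keep the list consistent. Also note that the unchanged `* **Stacked queries**` bullet is still hard-wrapped mid-sentence across two source lines ("it appends to the affected" / "parameter in the HTTP request"), which could be joined in the same commit.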