修复会话管理存在的sql注入风险 #1299

[nick2wang]

修复会话管理存在的sql注入风险 #1299

[codecov]

Codecov Report

Merging #1300 (867ee92) into master (3eb7d5c) will not change coverage.
The diff coverage is 0.00%.

@@           Coverage Diff           @@
##           master    #1300   +/-   ##
=======================================
  Coverage   77.90%   77.90%           
=======================================
  Files          77       77           
  Lines       12046    12046           
=======================================
  Hits         9385     9385           
  Misses       2661     2661           

Impacted Files	Coverage Δ
sql/db_diagnostic.py	16.27% <0.00%> (ø)

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 3eb7d5c...867ee92. Read the comment docs.

[nick2wang]

修改后：

[root@m1 sqlmap]# sqlmap -r req.txt  -flush-session
        ___
       __H__
 ___ ___[(]_____ ___ ___  {1.5.12.3#dev}
|_ -| . [,]     | .'| . |
|___|_  ["]_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org

[*] starting @ 16:21:50 /2021-12-27/

[16:21:50] [INFO] parsing HTTP request from 'req.txt'
[16:21:54] [INFO] flushing session file
[16:21:54] [INFO] testing connection to the target URL
[16:21:54] [INFO] checking if the target is protected by some kind of WAF/IPS
[16:21:56] [INFO] testing if the target URL content is stable
[16:21:56] [INFO] target URL content is stable
[16:21:56] [INFO] testing if POST parameter 'instance_name' is dynamic
[16:21:56] [INFO] POST parameter 'instance_name' appears to be dynamic
[16:21:56] [WARNING] heuristic (basic) test shows that POST parameter 'instance_name' might not be injectable
[16:21:56] [INFO] testing for SQL injection on POST parameter 'instance_name'
[16:21:56] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[16:21:56] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
[16:21:56] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[16:21:56] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[16:21:56] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (IN)'
[16:21:57] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[16:21:57] [INFO] testing 'Generic inline queries'
[16:21:57] [INFO] testing 'PostgreSQL > 8.1 stacked queries (comment)'
[16:21:57] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries (comment)'
[16:21:57] [INFO] testing 'Oracle stacked queries (DBMS_PIPE.RECEIVE_MESSAGE - comment)'
[16:21:57] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[16:21:57] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
[16:21:57] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind (IF)'
[16:21:57] [INFO] testing 'Oracle AND time-based blind'
[16:21:59] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[16:21:59] [WARNING] POST parameter 'instance_name' does not seem to be injectable
[16:21:59] [INFO] testing if POST parameter 'ThreadIDs' is dynamic
[16:21:59] [WARNING] POST parameter 'ThreadIDs' does not appear to be dynamic
[16:22:00] [WARNING] heuristic (basic) test shows that POST parameter 'ThreadIDs' might not be injectable
[16:22:00] [INFO] testing for SQL injection on POST parameter 'ThreadIDs'
[16:22:00] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[16:22:00] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
[16:22:00] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[16:22:01] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[16:22:01] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (IN)'
[16:22:01] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[16:22:01] [INFO] testing 'Generic inline queries'
[16:22:01] [INFO] testing 'PostgreSQL > 8.1 stacked queries (comment)'
[16:22:01] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries (comment)'
[16:22:02] [INFO] testing 'Oracle stacked queries (DBMS_PIPE.RECEIVE_MESSAGE - comment)'
[16:22:02] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[16:22:02] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
[16:22:02] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind (IF)'
[16:22:02] [INFO] testing 'Oracle AND time-based blind'
[16:22:02] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[16:22:03] [WARNING] POST parameter 'ThreadIDs' does not seem to be injectable
[16:22:03] [CRITICAL] all tested parameters do not appear to be injectable. Try to increase values for '--level'/'--risk' options if you wish to perform more tests. If you suspect that there is some kind of protection mechanism involved (e.g. WAF) maybe you could try to use option '--tamper' (e.g. '--tamper=space2comment') and/or switch '--random-agent'
[16:22:03] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 72 times

[*] ending @ 16:22:03 /2021-12-27/

[kongxinling]

显示是在 v1.8.3 版本修复的该漏洞，为什么在 v1.8.2版本中复现不出来呢