Using sqlmap to detect SQL injection
I have recently been reading 《白帽子讲 Web 安全》 (White Hat Talks Web Security); the chapter on server-side injection attacks mentions a very handy tool, sqlmap.
Download the tool from GitHub (sqlmap), change into its directory and run
python sqlmap.py -u "https://my.oschina.net/lvyi/blog?catalog=423226&temp=1476090615355"
to start checking whether the URL's parameters might be vulnerable to SQL injection.
[17:10:41] [INFO] GET parameter 'catalog' is dynamic
[17:10:42] [INFO] heuristic (basic) test shows that GET parameter 'catalog' might be injectable
[17:10:42] [INFO] testing for SQL injection on GET parameter 'catalog'
[17:10:43] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[17:11:00] [INFO] testing 'MySQL >= 5.0 boolean-based blind - Parameter replace'
[17:11:02] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[17:11:05] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[17:11:24] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (IN)'
[17:11:27] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[17:11:35] [INFO] testing 'MySQL >= 5.0 error-based - Parameter replace (FLOOR)'
[17:11:35] [INFO] testing 'MySQL inline queries'
[17:11:36] [INFO] testing 'PostgreSQL inline queries'
[17:11:37] [INFO] testing 'Microsoft SQL Server/Sybase inline queries'
[17:11:38] [INFO] testing 'PostgreSQL > 8.1 stacked queries (comment)'
[17:11:38] [CRITICAL] considerable lagging has been detected in connection response(s). Please use as high value for option '--time-sec' as possible (e.g. 10 or more)
[17:11:42] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries (comment)'
[17:11:43] [INFO] testing 'Oracle stacked queries (DBMS_PIPE.RECEIVE_MESSAGE - comment)'
[17:11:47] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind'
[17:11:51] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
[17:11:53] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind (IF)'
[17:11:56] [INFO] testing 'Oracle AND time-based blind'
[17:12:01] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[17:12:01] [WARNING] using unescaped version of the test because of zero knowledge of the back-end DBMS. You can try to explicitly set it with option '--dbms'
[17:12:52] [WARNING] GET parameter 'catalog' does not seem to be injectable
[17:12:52] [INFO] testing if GET parameter 'temp' is dynamic
[17:12:52] [WARNING] GET parameter 'temp' does not appear dynamic
[17:12:52] [WARNING] heuristic (basic) test shows that GET parameter 'temp' might not be injectable
[17:12:53] [INFO] testing for SQL injection on GET parameter 'temp'
[17:12:53] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[17:13:20] [INFO] testing 'MySQL >= 5.0 boolean-based blind - Parameter replace'
[17:13:21] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[17:13:24] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[17:13:27] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (IN)'
[17:13:31] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[17:13:38] [INFO] testing 'MySQL >= 5.0 error-based - Parameter replace (FLOOR)'
[17:13:41] [INFO] testing 'MySQL inline queries'
[17:13:42] [INFO] testing 'PostgreSQL inline queries'
[17:13:43] [INFO] testing 'Microsoft SQL Server/Sybase inline queries'
[17:13:43] [INFO] testing 'PostgreSQL > 8.1 stacked queries (comment)'
[17:13:49] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries (comment)'
[17:14:10] [INFO] testing 'Oracle stacked queries (DBMS_PIPE.RECEIVE_MESSAGE - comment)'
[17:14:17] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind'
[17:14:19] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
[17:14:22] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind (IF)'
[17:14:31] [INFO] testing 'Oracle AND time-based blind'
[17:14:48] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[17:15:46] [WARNING] GET parameter 'temp' does not seem to be injectable
[17:15:46] [CRITICAL] all tested parameters appear to be not injectable. Try to increase '--level'/'--risk' values to perform more tests. Also, you can try to rerun by providing either a valid value for option '--string' (or '--regexp'). If you suspect that there is some kind of protection mechanism involved (e.g. WAF) maybe you could retry with an option '--tamper' (e.g. '--tamper=space2comment')
[17:15:46] [WARNING] HTTP error codes detected during run:
534 (?) - 2 times
As the log shows, sqlmap tried all sorts of SQL payload concatenations against both parameters, but unfortunately it found no vulnerability in OSChina.
Reference: http://www.returnone.cn/post/1d1243f3_a940d60
Reposted from: https://my.oschina.net/lvyi/blog/756446
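A run like the one above is long, and what a reviewer actually wants from it is the per-parameter verdict, the CRITICAL tuning hints (--time-sec, --level/--risk) and the HTTP error table at the end. The Python below is an added example, not part of the original post and not sqlmap's own code: it parses sqlmap's "[time] [LEVEL] message" lines into exactly that summary. The sample log is a constructed excerpt of the output shown above, and the verdict phrases it recognises are the ones that appear in that output.

```python
import re

LINE_RE = re.compile(r"^\[\d\d:\d\d:\d\d\] \[(\w+)\] (.*)$")
PARAM_RE = re.compile(r"GET parameter '([^']+)' ?(.*)")
HTTP_RE = re.compile(r"^(\d{3}) \(.*?\) - (\d+) times$")
VERDICTS = {"is dynamic": ("dynamic", True),
            "does not appear dynamic": ("dynamic", False),
            "does not seem to be injectable": ("injectable", False)}

# Constructed sample: an excerpt of the sqlmap run shown above, not the full log.
SAMPLE_LOG = """\
[17:10:41] [INFO] GET parameter 'catalog' is dynamic
[17:10:42] [INFO] testing for SQL injection on GET parameter 'catalog'
[17:10:43] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[17:11:38] [CRITICAL] considerable lagging has been detected in connection response(s). Please use as high value for option '--time-sec' as possible (e.g. 10 or more)
[17:12:01] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[17:12:52] [WARNING] GET parameter 'catalog' does not seem to be injectable
[17:12:52] [INFO] testing if GET parameter 'temp' is dynamic
[17:12:52] [WARNING] GET parameter 'temp' does not appear dynamic
[17:12:53] [INFO] testing for SQL injection on GET parameter 'temp'
[17:13:20] [INFO] testing 'MySQL >= 5.0 boolean-based blind - Parameter replace'
[17:15:46] [WARNING] GET parameter 'temp' does not seem to be injectable
[17:15:46] [WARNING] HTTP error codes detected during run:
534 (?) - 2 times
"""

def summarize(log):
    # Per-parameter verdicts, CRITICAL hints and HTTP error counts from a sqlmap log.
    params, hints, http_errors, current = {}, [], {}, None
    for raw in log.splitlines():
        m = LINE_RE.match(raw)
        if not m:  # continuation line, e.g. the HTTP error table at the end
            if h := HTTP_RE.match(raw):
                http_errors[int(h.group(1))] = int(h.group(2))
            continue
        level, msg = m.groups()
        if level == "CRITICAL":  # sqlmap's tuning hints (--time-sec, --level/--risk)
            hints.append(msg)
        if msg.startswith("testing if"):  # announces a check; the verdict follows
            continue
        if msg.startswith("testing '") and current:  # one payload family tried
            params[current]["tests"] += 1
            continue
        if p := PARAM_RE.search(msg):
            name, rest = p.groups()
            current = name
            params.setdefault(name, {"dynamic": None, "injectable": None, "tests": 0})
            if rest in VERDICTS:
                params[name].update([VERDICTS[rest]])  # (field, value) pair
    return {"params": params, "hints": hints, "http_errors": http_errors}
```

Feed it a full run (e.g. the output captured with sqlmap's -o/--output-dir log file) and the 534 responses and the lagging hint stand out immediately, which is what decides whether a "not injectable" verdict is trustworthy or the scan simply timed out.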