Using sqlmap for SQL Injection Detection


I have been reading White Hat Talks Web Security (《白帽子讲 Web 安全》) lately; the chapter on server-side injection attacks mentions a very handy tool, sqlmap.
Download the tool from GitHub (sqlmap) and run the following in its directory:

python sqlmap.py -u "https://my.oschina.net/lvyi/blog?catalog=423226&temp=1476090615355"

This starts the analysis of whether SQL injection is possible on the target URL.
[17:10:41] [INFO] GET parameter 'catalog' is dynamic
[17:10:42] [INFO] heuristic (basic) test shows that GET parameter 'catalog' might be injectable
[17:10:42] [INFO] testing for SQL injection on GET parameter 'catalog'
[17:10:43] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[17:11:00] [INFO] testing 'MySQL >= 5.0 boolean-based blind - Parameter replace'
[17:11:02] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[17:11:05] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[17:11:24] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (IN)'
[17:11:27] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[17:11:35] [INFO] testing 'MySQL >= 5.0 error-based - Parameter replace (FLOOR)'
[17:11:35] [INFO] testing 'MySQL inline queries'
[17:11:36] [INFO] testing 'PostgreSQL inline queries'
[17:11:37] [INFO] testing 'Microsoft SQL Server/Sybase inline queries'
[17:11:38] [INFO] testing 'PostgreSQL > 8.1 stacked queries (comment)'
[17:11:38] [CRITICAL] considerable lagging has been detected in connection response(s). Please use as high value for option '--time-sec' as possible (e.g. 10 or more)
[17:11:42] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries (comment)'
[17:11:43] [INFO] testing 'Oracle stacked queries (DBMS_PIPE.RECEIVE_MESSAGE - comment)'
[17:11:47] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind'
[17:11:51] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
[17:11:53] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind (IF)'
[17:11:56] [INFO] testing 'Oracle AND time-based blind'
[17:12:01] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[17:12:01] [WARNING] using unescaped version of the test because of zero knowledge of the back-end DBMS. You can try to explicitly set it with option '--dbms'
[17:12:52] [WARNING] GET parameter 'catalog' does not seem to be injectable
[17:12:52] [INFO] testing if GET parameter 'temp' is dynamic
[17:12:52] [WARNING] GET parameter 'temp' does not appear dynamic
[17:12:52] [WARNING] heuristic (basic) test shows that GET parameter 'temp' might not be injectable
[17:12:53] [INFO] testing for SQL injection on GET parameter 'temp'
[17:12:53] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[17:13:20] [INFO] testing 'MySQL >= 5.0 boolean-based blind - Parameter replace'
[17:13:21] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[17:13:24] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[17:13:27] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (IN)'
[17:13:31] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[17:13:38] [INFO] testing 'MySQL >= 5.0 error-based - Parameter replace (FLOOR)'
[17:13:41] [INFO] testing 'MySQL inline queries'
[17:13:42] [INFO] testing 'PostgreSQL inline queries'
[17:13:43] [INFO] testing 'Microsoft SQL Server/Sybase inline queries'
[17:13:43] [INFO] testing 'PostgreSQL > 8.1 stacked queries (comment)'
[17:13:49] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries (comment)'
[17:14:10] [INFO] testing 'Oracle stacked queries (DBMS_PIPE.RECEIVE_MESSAGE - comment)'
[17:14:17] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind'
[17:14:19] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
[17:14:22] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind (IF)'
[17:14:31] [INFO] testing 'Oracle AND time-based blind'
[17:14:48] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[17:15:46] [WARNING] GET parameter 'temp' does not seem to be injectable
[17:15:46] [CRITICAL] all tested parameters appear to be not injectable. Try to increase '--level'/'--risk' values to perform more tests. Also, you can try to rerun by providing either a valid value for option '--string' (or '--regexp'). If you suspect that there is some kind of protection mechanism involved (e.g. WAF) maybe you could retry with an option '--tamper' (e.g. '--tamper=space2comment')
[17:15:46] [WARNING] HTTP error codes detected during run: 534 (?) - 2 times
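Reading a long sqlmap run by eye is error-prone: the per-parameter verdicts are buried among dozens of "testing ..." lines, and the CRITICAL/WARNING notes (connection lag, HTTP errors, unknown DBMS) decide how much a "not injectable" result is worth. The following triage script is an added example, not part of the original post and not code from the sqlmap project. It parses sqlmap's `[HH:MM:SS] [LEVEL] message` console lines into one verdict per tested parameter and collects the caveats that weaken a negative result. The sample log is an excerpt of the run above; the final `'id' is vulnerable` line is a constructed addition so the positive branch is exercised too.

```python
"""Triage helper for sqlmap console output: one verdict per tested parameter.

Added example (not from the original post or from sqlmap).  Parses the
'[HH:MM:SS] [LEVEL] message' lines sqlmap prints and summarises, per parameter,
whether sqlmap judged it dynamic, how many technique probes it ran and its
final verdict, plus the run-level caveats that affect how far a negative
verdict can be trusted.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

LINE_RE = re.compile(r"\[(\d\d:\d\d:\d\d)\] \[(\w+)\] (.*)")
# Real sqlmap reports the parameter place ("GET", "POST", "Cookie", ...) and name.
PARAM_RE = re.compile(r"(GET|POST|Cookie|URI|User-Agent) parameter '([^']+)'")
PROBE_RE = re.compile(r"^testing '(.+)'$")

# Constructed sample: excerpt of the run in this post, plus one constructed
# "is vulnerable" line (the real sqlmap wording) to show the positive path.
SAMPLE_LOG = """\
[17:10:41] [INFO] GET parameter 'catalog' is dynamic
[17:10:42] [INFO] heuristic (basic) test shows that GET parameter 'catalog' might be injectable
[17:10:42] [INFO] testing for SQL injection on GET parameter 'catalog'
[17:10:43] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[17:11:38] [CRITICAL] considerable lagging has been detected in connection response(s). Please use as high value for option '--time-sec' as possible (e.g. 10 or more)
[17:11:47] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind'
[17:12:01] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[17:12:01] [WARNING] using unescaped version of the test because of zero knowledge of the back-end DBMS. You can try to explicitly set it with option '--dbms'
[17:12:52] [WARNING] GET parameter 'catalog' does not seem to be injectable
[17:12:52] [INFO] testing if GET parameter 'temp' is dynamic
[17:12:52] [WARNING] GET parameter 'temp' does not appear dynamic
[17:12:53] [INFO] testing for SQL injection on GET parameter 'temp'
[17:12:53] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[17:15:46] [WARNING] GET parameter 'temp' does not seem to be injectable
[17:15:46] [CRITICAL] all tested parameters appear to be not injectable. Try to increase '--level'/'--risk' values to perform more tests.
[17:15:46] [WARNING] HTTP error codes detected during run: 534 (?) - 2 times
[17:20:00] [INFO] GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
"""


@dataclass
class ParamResult:
    name: str
    dynamic: Optional[bool] = None          # None = sqlmap never said
    probes: List[str] = field(default_factory=list)
    verdict: str = "untested"               # untested | injectable | not injectable


@dataclass
class Summary:
    params: Dict[str, ParamResult] = field(default_factory=dict)
    caveats: List[str] = field(default_factory=list)  # run-level WARNING/CRITICAL text


def parse_sqlmap_log(text: str) -> Summary:
    summary = Summary()
    current: Optional[ParamResult] = None   # parameter the following probes belong to
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue                        # not a sqlmap status line
        _ts, level, msg = m.groups()
        pm = PARAM_RE.search(msg)
        if pm:
            name = pm.group(2)
            current = summary.params.setdefault(name, ParamResult(name))
            # Only statements that *start* with the parameter are verdicts;
            # "testing if GET parameter 'x' is dynamic" is an announcement.
            if pm.start() == 0:
                if msg.endswith("is dynamic"):
                    current.dynamic = True
                elif "does not appear dynamic" in msg:
                    current.dynamic = False
                elif "is vulnerable" in msg:
                    current.verdict = "injectable"
                elif "does not seem to be injectable" in msg:
                    current.verdict = "not injectable"
            continue
        pr = PROBE_RE.match(msg)
        if pr and current is not None:
            current.probes.append(pr.group(1))
            continue
        if level in ("CRITICAL", "WARNING"):
            summary.caveats.append(msg)
    return summary


def reliability_notes(summary: Summary) -> List[str]:
    """Reasons a 'not injectable' verdict from this run is not final."""
    notes = []
    for c in summary.caveats:
        if "lagging" in c:
            notes.append("time-based probes may be unreliable: connection lag detected")
        elif "HTTP error codes" in c:
            notes.append("some requests failed: " + c.split(": ", 1)[1])
        elif "zero knowledge of the back-end DBMS" in c:
            notes.append("UNION probes ran without a known DBMS (--dbms unset)")
        elif "increase '--level'/'--risk'" in c:
            notes.append("only the default --level/--risk probe set was run")
    return notes


if __name__ == "__main__":
    s = parse_sqlmap_log(SAMPLE_LOG)
    for p in s.params.values():
        print(f"{p.name:8} dynamic={p.dynamic!s:5} probes={len(p.probes):2} verdict={p.verdict}")
    for n in reliability_notes(s):
        print("caveat:", n)
```

The point of `reliability_notes` is the one the run above illustrates: sqlmap itself flagged lag, failed requests and an unknown DBMS, so "all tested parameters appear to be not injectable" is a statement about this particular run, not a clean bill of health.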

You can see in the log that all kinds of SQL payloads were spliced into the parameters; unfortunately no vulnerability was found in OSChina.
Reference: http://www.returnone.cn/post/1d1243f3_a940d60
Reposted from: https://my.oschina.net/lvyi/blog/756446
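What makes a parameter like `catalog` resist these probes is how the server builds its query. The first technique in the log, "AND boolean-based blind", works by appending a true and a false condition and checking whether the response changes; that only happens when the parameter is spliced into the SQL text. The example below is added here and is not code from the original post or from OSChina. It uses an in-memory SQLite table (constructed sample data) to contrast the concatenating query with two hardened versions, and mirrors the boolean probe to show that only the concatenating version leaks a difference.

```python
"""Why a parameter passes or fails sqlmap's boolean-based blind check.

Added example (not from the original post).  Three ways of answering
"?catalog=423226" against a constructed in-memory SQLite table, plus a
mirror of the 'AND boolean-based blind' probe: does appending a true vs a
false condition change what the application returns?
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed sample data standing in for a blog's catalog listing.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE blog (id INTEGER PRIMARY KEY, catalog INTEGER, title TEXT)")
    conn.executemany(
        "INSERT INTO blog (catalog, title) VALUES (?, ?)",
        [(423226, "post one"), (423226, "post two"), (999, "other catalog")],
    )
    conn.commit()
    return conn


def posts_concat(conn, catalog: str):
    # VULNERABLE: the request parameter becomes part of the SQL text, so any
    # condition appended to it is parsed and evaluated by the database.
    sql = "SELECT title FROM blog WHERE catalog = " + catalog + " ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def posts_param(conn, catalog: str):
    # HARDENED: bound parameter.  The value is handed to the driver as data
    # and is never parsed as SQL, whatever it contains.
    rows = conn.execute(
        "SELECT title FROM blog WHERE catalog = ? ORDER BY id", (catalog,)
    )
    return [row[0] for row in rows]


def posts_typed(conn, catalog: str):
    # HARDENED + VALIDATED: the id is an integer by contract, so anything
    # else is rejected before a query is even built.
    try:
        catalog_id = int(catalog)
    except ValueError:
        raise ValueError("catalog must be an integer id") from None
    rows = conn.execute(
        "SELECT title FROM blog WHERE catalog = ? ORDER BY id", (catalog_id,)
    )
    return [row[0] for row in rows]


def _observe(query_fn, conn, value):
    # What an external observer sees: the result, or the fact that it errored.
    try:
        return ("ok", query_fn(conn, value))
    except (sqlite3.Error, ValueError) as exc:
        return ("error", type(exc).__name__)


def boolean_probe_differs(query_fn, conn, base: str = "423226") -> bool:
    """Mirror of sqlmap's 'AND boolean-based blind - WHERE or HAVING clause'
    test: True when a true and a false appended condition yield different
    responses, i.e. when the condition was evaluated by the database."""
    true_resp = _observe(query_fn, conn, base + " AND 1=1")
    false_resp = _observe(query_fn, conn, base + " AND 1=2")
    return true_resp != false_resp


if __name__ == "__main__":
    db = make_db()
    for fn in (posts_concat, posts_param, posts_typed):
        print(f"{fn.__name__:13} normal={fn(db, '423226')} "
              f"probe_differs={boolean_probe_differs(fn, db)}")
```

With the concatenating version the true condition returns both posts and the false one returns nothing, which is exactly the signal sqlmap looks for. With a bound parameter the whole string is compared as one value and both probes return the same empty list; with type validation both probes fail identically before any SQL runs. The validated version is the one to prefer for numeric ids, since it also keeps junk out of the query log.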
