检测SQL注入工具:SQLi-Hunter
2015-07-01 21:44
106 查看
http://zone.wooyun.org/content/19049
from:https://github.com/zt2/sqli-hunter
封装了一个http代理跟sqlmap的api配合检测SQLi。
需要:
安装:
sqlmap
from:https://github.com/zt2/sqli-hunter
封装了一个http代理跟sqlmap的api配合检测SQLi。
需要:
Ruby > 2.0.0 sqlmap
安装:
sqlmap
git clone https://github.com/sqlmapproject/sqlmap.git[/code]
gemcd sqli-hunter gem install bundle bundle install
使用:sqli-hunter git:(master) ruby sqli-hunter.rb _____ _____ __ _ _____ _ | __| | | |_|___| | |_ _ ___| |_ ___ ___ |__ | | | |__| |___| | | | | _| -_| _| |_____|__ _|_____|_| |__|__|___|_|_|_| |___|_| |__| Usage: sqli-hunter.rb [options] Common options: -s, --server Act as a Proxy-Server -p, --port=<PORT> Port of the Proxy-Server (default is 8888) --api-host=<HOST> Host of the sqlmapapi (default is localhost:8775) --version Show version SQLMap options --random-agent Use randomly selected HTTP User-Agent header value --threads=<THREADS> Max number of concurrent HTTP(s) requests (default 10) --dbms=<DBMS> Force back-end DBMS to this value --os=<OS> Force back-end DBMS operating system to this value --tamper=<TAMPER> Use given script(s) for tampering injection data --level=<LEVEL> Level of tests to perform (1-5, default 1) --risk=<RISK> Risk of tests to perform (0-3, default 1) --batch Never ask for user input, use the default behaviour --mobile Imitate smartphone through HTTP User-Agent header --smart Conduct through tests only if positive heuristic(s)
开启sqlmapapipython sqlmapapi.py -s
开启代理服务ruby sqli-hunter.rb -s -p 8888
配置浏览器的代理~/Code/SQLi-Hunter(master) ruby sqli-hunter.rb -s -p 8888 [2015-01-08 17:17:27] INFO WEBrick 1.3.1 [2015-01-08 17:17:27] INFO ruby 2.1.3 (2014-09-19) [x86_64-linux] [2015-01-08 17:17:27] INFO WEBrick::HTTPProxyServer#start: pid=9533 port=8888 192.168.3.98 - - [08/Jan/2015:17:17:31 HKT] "GET http://testphp.vulnweb.com/artists.php?artist=1 HTTP/1.1" 200 5384 - -> http://testphp.vulnweb.com/artists.php?artist=1 [+] Vulnerable: e2f84b1494893827 requestFile: /tmp/c94863efe7bf03459aea27877426dada
然后开搞python sqlmap.py -r /tmp/c94863efe7bf03459aea27877426dada
相关文章推荐
- PLSQL developer 连接不上64位Oracle 的解决方法
- 第5天-sql计算字段的创建与基础函数的使用
- OCR File and Voting Disk Administration by Example - (Oracle 10g)
- Java如何连接Access数据库(两种方式实例代码)
- SQL SERVER的事务未提交与死锁问题。
- mysql远程连接 Host * is not allowed to connect to this
- 数据库拆分:横向拆分和纵向拆分
- Oracle 如何删除1000w条数据?
- MySQL 启动报错-ERROR 2002 (HY000)
- 错误号码2003 Can't connect to MySQL server 'localhost' (0)
- 错误号码2003 Can't connect to MySQL server 'localhost' (0)
- .net使用memcached
- SQL SERVER ->> CXPacket等待类型
- 树状结构在关系型数据库的存储
- MySQL学习笔记
- SQL 远程过程调用失败【0x800706be】或正在关闭 【0x80041033】解决方法
- Sql Server 事务日志
- 数据库技术进化路线
- SQL字符串转Int类型
- oracle运用(三) oracle数据库解锁