Detecting SQL injection with sqlmap

I have recently been reading 《白帽子讲 Web 安全》 (Web Security: A White Hat Perspective); the chapter on server-side injection attacks mentions a powerful tool, sqlmap.

GitHub: sqlmap. Download the tool, then run the following from its directory:

python sqlmap.py -u "https://my.oschina.net/lvyi/blog?catalog=423226&temp=1476090615355"

This starts the analysis of whether the URL's parameters are open to SQL injection.

[17:10:41] [INFO] GET parameter 'catalog' is dynamic
[17:10:42] [INFO] heuristic (basic) test shows that GET parameter 'catalog' might be injectable
[17:10:42] [INFO] testing for SQL injection on GET parameter 'catalog'
[17:10:43] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[17:11:00] [INFO] testing 'MySQL >= 5.0 boolean-based blind - Parameter replace'
[17:11:02] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[17:11:05] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[17:11:24] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (IN)'
[17:11:27] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[17:11:35] [INFO] testing 'MySQL >= 5.0 error-based - Parameter replace (FLOOR)'
[17:11:35] [INFO] testing 'MySQL inline queries'
[17:11:36] [INFO] testing 'PostgreSQL inline queries'
[17:11:37] [INFO] testing 'Microsoft SQL Server/Sybase inline queries'
[17:11:38] [INFO] testing 'PostgreSQL > 8.1 stacked queries (comment)'
[17:11:38] [CRITICAL] considerable lagging has been detected in connection response(s). Please use as high value for option '--time-sec' as possible (e.g. 10 or more)
[17:11:42] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries (comment)'
[17:11:43] [INFO] testing 'Oracle stacked queries (DBMS_PIPE.RECEIVE_MESSAGE - comment)'
[17:11:47] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind'
[17:11:51] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
[17:11:53] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind (IF)'
[17:11:56] [INFO] testing 'Oracle AND time-based blind'
[17:12:01] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[17:12:01] [WARNING] using unescaped version of the test because of zero knowledge of the back-end DBMS. You can try to explicitly set it with option '--dbms'
[17:12:52] [WARNING] GET parameter 'catalog' does not seem to be injectable
[17:12:52] [INFO] testing if GET parameter 'temp' is dynamic
[17:12:52] [WARNING] GET parameter 'temp' does not appear dynamic
[17:12:52] [WARNING] heuristic (basic) test shows that GET parameter 'temp' might not be injectable
[17:12:53] [INFO] testing for SQL injection on GET parameter 'temp'
[17:12:53] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[17:13:20] [INFO] testing 'MySQL >= 5.0 boolean-based blind - Parameter replace'
[17:13:21] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[17:13:24] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[17:13:27] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (IN)'
[17:13:31] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[17:13:38] [INFO] testing 'MySQL >= 5.0 error-based - Parameter replace (FLOOR)'
[17:13:41] [INFO] testing 'MySQL inline queries'
[17:13:42] [INFO] testing 'PostgreSQL inline queries'
[17:13:43] [INFO] testing 'Microsoft SQL Server/Sybase inline queries'
[17:13:43] [INFO] testing 'PostgreSQL > 8.1 stacked queries (comment)'
[17:13:49] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries (comment)'
[17:14:10] [INFO] testing 'Oracle stacked queries (DBMS_PIPE.RECEIVE_MESSAGE - comment)'
[17:14:17] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind'
[17:14:19] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
[17:14:22] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind (IF)'
[17:14:31] [INFO] testing 'Oracle AND time-based blind'
[17:14:48] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[17:15:46] [WARNING] GET parameter 'temp' does not seem to be injectable
[17:15:46] [CRITICAL] all tested parameters appear to be not injectable. Try to increase '--level'/'--risk' values to perform more tests. Also, you can try to rerun by providing either a valid value for option '--string' (or '--regexp'). If you suspect that there is some kind of protection mechanism involved (e.g. WAF) maybe you could retry with an option '--tamper' (e.g. '--tamper=space2comment')
[17:15:46] [WARNING] HTTP error codes detected during run:
534 (?) - 2 times

As the log shows, sqlmap tried every injection technique in its catalogue (boolean-based blind, error-based, inline and stacked queries, time-based blind, and UNION queries) against both parameters, but found no vulnerability in OSChina. Note that the same run also reported considerable connection lag and two HTTP 534 responses, so a "not injectable" verdict from a single run like this is a negative result, not a proof of absence.
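To make concrete what sqlmap's "AND boolean-based blind" test is looking for, and what makes a parameter not injectable, here is an added example that is not part of the original post and not sqlmap's code. It assumes a made-up catalog table in an in-memory SQLite database standing in for the blog backend (the real schema is unknown), and contrasts a handler that concatenates the catalog value into SQL with one that binds it as a parameter. The probe strings are the classic always-true / always-false pair that the boolean-based blind technique compares responses for.

```python
import sqlite3

# Constructed stand-in for the blog backend; the real schema is an assumption.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE blog (id INTEGER, catalog INTEGER, title TEXT)")
    conn.executemany("INSERT INTO blog VALUES (?, ?, ?)", [
        (1, 423226, "post in catalog 423226"),
        (2, 423226, "another post in catalog 423226"),
        (3, 999999, "post in a different catalog"),
    ])
    return conn

def count_vulnerable(conn, catalog):
    # Vulnerable: whatever arrives in ?catalog= becomes part of the SQL text,
    # so a probe such as "423226 AND 1=2" changes the WHERE clause itself.
    sql = "SELECT COUNT(*) FROM blog WHERE catalog = " + catalog
    return conn.execute(sql).fetchone()[0]

def count_hardened(conn, catalog):
    # Hardened: the value travels separately from the SQL text via a bound
    # parameter, so it is only ever compared as a value, never parsed as SQL.
    sql = "SELECT COUNT(*) FROM blog WHERE catalog = ?"
    return conn.execute(sql, (catalog,)).fetchone()[0]

def boolean_probe_differs(handler, conn, true_probe, false_probe):
    """Mirror of the boolean-based blind check: send a condition that is
    always true and one that is always false, and report whether the
    application's responses differ. A difference is the signal sqlmap
    logs as 'might be injectable'; identical responses are what the
    hardened handler produces."""
    return handler(conn, true_probe) != handler(conn, false_probe)

if __name__ == "__main__":
    conn = make_db()
    legit = "423226"
    true_probe, false_probe = "423226 AND 1=1", "423226 AND 1=2"
    print("legit value, vulnerable:", count_vulnerable(conn, legit))   # 2
    print("legit value, hardened: ", count_hardened(conn, legit))      # 2
    print("probes differ, vulnerable:",
          boolean_probe_differs(count_vulnerable, conn, true_probe, false_probe))  # True
    print("probes differ, hardened: ",
          boolean_probe_differs(count_hardened, conn, true_probe, false_probe))    # False
```

With the bound parameter, both probe strings are compared as text against an integer column and match nothing, so the two responses are identical and the test yields no signal; with string concatenation the always-false probe empties the result, which is exactly the response difference the log's 'AND boolean-based blind' test is built to detect. In a real handler, also coercing `catalog` to `int` before it reaches the query rejects such probes outright and gives a clean 400 instead of a silent empty page.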

References

http://www.returnone.cn/post/1d1243f3_a940d60

Reposted from: https://my.oschina.net/lvyi/blog/756446
