Jun 01, 2021 Article blog
SQL injection is one of the more common methods of network attack. It mainly targets WEB applications: taking advantage of a programmer's negligence when writing code, an attacker reorganizes the SQL statements that an application sends to its database, so that the server executes malicious SQL code and hands over unauthorized permissions and data. On December 10, 2016, JD.com disclosed 12G of user account information. SQL injection ranks first in both the OWASP 2013 and OWASP 2017 lists.
For GET requests whose parameter is an integer, send the request parameter as
?id=1'
If the page reports a SQL execution error, SQL injection may be present.

Defective code statement:
select * from table where id=3
If the parameter
?id= x and 1=1
is submitted, the SQL statement is constructed as follows:
select * from table where id=1 and 1=2
If the page's SQL runs incorrectly, SQL injection may be present.

Defective code statement:
select * from table where id='x'
If the parameter
?id=x' and '1'='1
is submitted, the SQL statement is constructed as follows:
select * from table where id= 'x' and '1'='1'
If the page's SQL runs incorrectly, SQL injection may be present.
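The following Python program is an added example, not code from the original article. It rebuilds the two defective statements above against an in-memory SQLite table, feeds them the article's probe inputs (a stray quote, and the and 1=1 / and 1=2 pair), and places a hardened version next to each. The table name t, its three rows, and all function names are constructed for this illustration.

```python
import sqlite3


def make_db():
    """Constructed in-memory table standing in for the article's 'table'
    (sample rows, not data from the page)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE t (id INTEGER PRIMARY KEY, name TEXT)")
    con.executemany("INSERT INTO t VALUES (?, ?)",
                    [(1, "alice"), (2, "bob"), (3, "carol")])
    return con


def run(con, sql, params=()):
    """Execute a statement and return (rows, error_message); never raises."""
    try:
        return con.execute(sql, params).fetchall(), None
    except sqlite3.Error as exc:
        return None, str(exc)


# --- Defective versions: the request parameter is pasted into the statement ---

def vulnerable_int(con, user_id):
    # Equivalent of the article's "select * from table where id=3" with the
    # raw ?id= value concatenated in: whatever the client sends becomes SQL.
    return run(con, "select * from t where id=" + user_id)


def vulnerable_str(con, value):
    # Equivalent of "select * from table where id='x'" with the raw value
    # placed between the quotes; a quote in the input ends the literal early.
    return run(con, "select * from t where name='" + value + "'")


# --- Hardened versions: validate the type, then bind the value as a parameter ---

def safe_int(con, user_id):
    try:
        uid = int(user_id)            # only a real integer is accepted at all
    except ValueError:
        return None, "invalid id"
    return run(con, "select * from t where id=?", (uid,))


def safe_str(con, value):
    # The driver sends the value separately from the statement text, so a
    # quote or "and '1'='1" is compared literally against the column.
    return run(con, "select * from t where name=?", (value,))


if __name__ == "__main__":
    db = make_db()
    for probe in ("1", "1'", "1 and 1=1", "1 and 1=2"):
        print("int", repr(probe), vulnerable_int(db, probe), safe_int(db, probe))
    for probe in ("alice", "alice'", "alice' and '1'='1", "alice' and '1'='2"):
        print("str", repr(probe), vulnerable_str(db, probe), safe_str(db, probe))
```

Run it and the defective functions show three outcomes the client can steer between (a database error for the stray quote, a row for the true condition, no row for the false one), which is exactly the signal the probes above look for. The hardened functions either reject the input outright or treat the whole string as a literal value, so the probes no longer change the shape of the query.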
sqlier (github.com/BCable/sqlier)
Usage:
./sqlier.sh -s 10 URL
Options:
-c [host]: clear the stored site information.
-o [file]: write the cracked password to a file.
-s [seconds]: interval between requests.
-u [usernames]: usernames to brute-force guess, separated by commas.
-w [options]: parameters passed to wget.
--table-names [table_names]: table names to guess, separated by commas.
--user-fields [user_fields]: username field names to guess, separated by commas.
--pass-fields [pass_fields]: password field names to guess, separated by commas.
sqlmap
A tool for detecting and exploiting SQL injection vulnerabilities.
Installation:
pip install sqlmap
Any place where a SQL statement can be submitted is a potential SQL injection point; to test for SQL injection, first find that injection point:
python sqlmap.py -u "http://test/test.aspx?id=123"
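As an added example (not part of the original article), the following Python script shows the defender's side of the same probes: it reads web-server access log lines, decodes each query parameter, and flags values that carry a stray single quote or an and 1=1 style condition, rating a lone quote higher only when the server answered with a 5xx error. The log lines are constructed for this illustration; the /test.aspx?id= path simply echoes the sqlmap command above.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample access-log lines (Common Log Format); not from the page.
LOG_LINES = [
    '10.0.0.5 - - [01/Jun/2021:10:00:01 +0800] "GET /test.aspx?id=123 HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jun/2021:10:00:02 +0800] "GET /test.aspx?id=1%27 HTTP/1.1" 500 0',
    '10.0.0.9 - - [01/Jun/2021:10:00:03 +0800] "GET /test.aspx?id=1+and+1%3D1 HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jun/2021:10:00:04 +0800] "GET /test.aspx?id=x%27+and+%271%27%3D%271 HTTP/1.1" 200 0',
    '10.0.0.7 - - [01/Jun/2021:10:00:05 +0800] "GET /search.aspx?q=o%27neil HTTP/1.1" 200 800',
]

# Client IP, timestamp, request line and status code of one CLF record.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# "and 1=1", "and '1'='1", "or 2=2" ... after URL decoding.
BOOL_RE = re.compile(r"\b(?:and|or)\s+'?\d+'?\s*=\s*'?\d+", re.I)


def analyze_line(line):
    """Return a list of findings for one log line ([] if nothing suspicious,
    None if the line does not parse)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    status = int(m.group("status"))
    query = urlsplit(m.group("path")).query
    findings = []
    # parse_qsl performs the percent/plus decoding, so we inspect what the
    # application actually received rather than the encoded wire form.
    for name, value in parse_qsl(query, keep_blank_values=True):
        reasons = []
        if BOOL_RE.search(value):
            reasons.append("boolean-condition")
        if value.count("'") % 2 == 1:
            reasons.append("unbalanced-quote")
        if not reasons:
            continue
        # A boolean condition is rarely legitimate input. A lone apostrophe
        # is (names like o'neil), so it only rates high when the server
        # answered with a 5xx, the error the article's first probe looks for.
        high = "boolean-condition" in reasons or status >= 500
        findings.append({
            "ip": m.group("ip"), "param": name, "value": value,
            "status": status, "reasons": reasons,
            "severity": "high" if high else "low",
        })
    return findings


def find_probes(lines):
    """Run analyze_line over every line and flatten the findings."""
    out = []
    for line in lines:
        out.extend(analyze_line(line) or [])
    return out


if __name__ == "__main__":
    for f in find_probes(LOG_LINES):
        print(f["severity"], f["ip"], f["param"], repr(f["value"]), f["status"], f["reasons"])
```

The point of the two-level rating is the false positive in the last line: an apostrophe inside ordinary input is common, so alerting on every quote floods the queue; correlating it with the response status, and alerting firmly only on the condition patterns, keeps the rule usable. In practice such a rule belongs in front of, not instead of, parameterized queries in the application.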
A WEB vulnerability scanning tool produced by the Shenzhen company Yusay Nosai; it is paid software.
Also a product of Yusay Nosai, this one specializes in SQL injection scanning.
A free online website vulnerability detection platform that can detect SQL injection vulnerabilities, cross-site vulnerabilities and so on.
An all-in-one WEB security appliance combining web protection, load balancing and application delivery.
Ah D injection tool; Alibaba Cloud online vulnerability scanning.
The above is an introduction to SQL injection, one of the commonly used attack methods; I hope it helps you.