如何使用脚本或程序自动测试我的网站的SQL注入攻击?

时间:2022-10-05 08:44:17

I've searched and found a good discussion here on SO, but it is several years old.

我已经搜索过并在SO上找到了一个很好的讨论,但它已有几年了。

What programs are there, or is there a simple script I can run, to find the SQL injection holes in the URLs in my entire site?

有什么程序,或者我可以运行一个简单的脚本,在我的整个站点的URL中找到SQL注入漏洞?

Preferably, I'd like to run a script (PHP) or program that crawls my site, bouncing from link to link, attempting to find holes, and upon discovery, stores that URL so I have a list of URLs I need to fix.

我希望运行一个脚本(PHP)或程序来抓取我的网站,从链接跳转到链接,试图找到漏洞,并在发现时存储该URL,以便我有一个我需要修复的URL列表。

Does this exist?

这存在吗?

6 个解决方案

#1


16  

Yes and no. First i'll preface this by saying I'm not just posting links but have done security audits professionally using all of these tools and not as a developer on a project but an external resource. Note that generally sqlserver injection is different than mysql as well.

是的,不是。首先,我要说的是,我不只是发布链接,而是使用所有这些工具专业地进行安全审计,而不是作为项目的开发人员而是外部资源。请注意,通常sqlserver注入也不同于mysql。

Free tools like paros proxy [crawls] (previously mentioned),

免费工具,如paros proxy [crawls](前面提到的),

burpsuite (previously mentioned [crawls] but active attacks requires pro): http://portswigger.net/burp/

burpsuite(之前提到[爬行]但主动攻击需要亲):http://portswigger.net/burp/

sqlninja (sqlserver only) http://sqlninja.sourceforge.net/

sqlninja(仅限sqlserver)http://sqlninja.sourceforge.net/

google rat proxy: [crawls] http://code.google.com/p/ratproxy/

google rat proxy:[抓取] http://code.google.com/p/ratproxy/

websecurify: [crawls] http://www.websecurify.com/

websecurify:[抓取] http://www.websecurify.com/

wapiti: [crawls but takes work to set up - can be used specifically for sqli with spider] http://wapiti.sourceforge.net/

wapiti:[爬行但需要设置工作 - 可以专门用于蜘蛛的sqli] http://wapiti.sourceforge.net/

nikto: [crawls but not for sqli...]

nikto:[爬行但不适用于sqli ...]

are great! They can help you identify problems but take a great deal of human analysis due to large amounts of false positives. Commercial tools are available like:

真棒!它们可以帮助您发现问题,但由于大量的误报,需要进行大量的人工分析。商业工具如下:

NTOSpider (one of the best [crawls!]) : http://www.ntobjectives.com/software/ntospider

NTOSpider(最好的之一[抓取!]):http://www.ntobjectives.com/software/ntospider

are very expensive but talking to a rep will get you a free copy for a period of time (which I have done with them). They make sorting through results faster by providing validation links in the reports but you STILL need a trained eye and analysis as I have found false positives.

是非常昂贵的,但与代表交谈将获得一段时间的免费副本(我已经与他们做了)。他们通过在报告中提供验证链接来更快地对结果进行排序,但您仍然需要经过训练的眼睛和分析,因为我发现了误报。

Ultimately the correct answer to this question is: You can use tools to help you identify if there are security (sqli) vulnerabilities but only a trained eye using the tools can validate them. Further only a proper code review and analysis can identify vulnerabilities that an app (even a very good one) may miss.

最终,这个问题的正确答案是:您可以使用工具来帮助您确定是否存在安全(sqli)漏洞,但只有经过培训的人员才能使用这些工具对其进行验证。此外,只有正确的代码审查和分析才能识别应用程序(即使是非常好的应用程序)可能会遗漏的漏洞。

Tools can help but you need human time and analysis to do this correctly. Proxies and request manglers are the real tools for hitting the app with injection and are done with careful intention of trained testers or those with a curious mind.

工具可以提供帮助,但您需要人工时间和分析来正确执行此操作。代理和请求管理器是用注入点击应用程序的真正工具,并且经过培训的测试人员或有好奇心的人的仔细意图完成。

#2


8  

I have two favorite tools (both free):

我有两个最喜欢的工具(都是免费的):

  1. sqlmap - You give it a URL, and it automatically scans for vulnerabilities. If it gets in, it gives you a SQL prompt.
  2. sqlmap - 你给它一个URL,它会自动扫描漏洞。如果它进入,它会给你一个SQL提示符。
  3. Paros Proxy - This one takes a little longer to set up. You have to configure your browser to use a proxy and then use your site (log in, navigate to other pages, etc.). Once you're done, it will analyze its cache of all the requests you made and show a report of the potential vulnerabilities it found.
  4. Paros Proxy - 这个设置需要更长的时间。您必须将浏览器配置为使用代理,然后使用您的站点(登录,导航到其他页面等)。完成后,它将分析其所有请求的缓存,并显示其发现的潜在漏洞的报告。

#3


3  

The Burp Scanner works extremely well for finding SQL injection as well as a variety of other things. You have to shell out $300 for the scanner though, but that is fairly cheap when looking at other scanners in the market.

Burp Scanner非常适合查找SQL注入以及其他各种内容。你必须为扫描仪支付300美元,但是在查看市场上的其他扫描仪时这相当便宜。

To elaborate, what you are looking for is a web application vulnerability scanner. These will crawl your site and send attack vectors into various parameters. Of all the scanners that I have used, Burp has given me the best results and has great performance. If you are looking for a free alternative you can try Grendel Scan It has not been updated in a while but still works pretty well. Especially for a free tool.

详细说明,您正在寻找的是Web应用程序漏洞扫描程序。这些将抓取您的网站并将攻击媒介发送到各种参数。在我使用的所有扫描仪中,Burp给了我最好的结果并且具有很好的性能。如果你正在寻找一个免费的替代品,你可以尝试Grendel扫描它有一段时间没有更新,但仍然很好。特别是对于免费工具。

Here is a list of some the other vulnerability scanners that are out there. I am sure you will find something to meet your needs.

以下列出了其他一些漏洞扫描程序。我相信你会找到满足你需求的东西。

#4


1  

There are programs to detect SQL injections, for example:

有一些程序可以检测SQL注入,例如:

#5


1  

There are enormous tools present in market for crawling all pages and detecting SQL injections. You should read this discussion it's never late How can I prevent SQL injection in PHP? and Testing for security vulnerabilities in web applications: Best practices?.

市场上有大量工具可用于抓取所有页面并检测SQL注入。你应该阅读这个讨论,它永远不会迟到如何在PHP中阻止SQL注入?和测试Web应用程序中的安全漏洞:最佳实践?

I would suggest Wapiti for finding web application vulnerabilities. Acunetix is over priced.

我建议Wapiti查找Web应用程序漏洞。 Acunetix价格过高。

See more:

查看更多:

#6


0  

What I test in my sites :

我在我的网站上测试的内容:

If you have log-in form for example try to enter:

如果您有登录表单,请尝试输入:

username field : anytext or 1=1'

用户名字段:anytext或1 = 1'

Password field : anypassword

密码字段:anypassword

if you didn't cover sql injection in your code , you can login by that .

如果你没有在你的代码中覆盖sql注入,你可以通过它登录。

Thanks

谢谢

#1


16  

Yes and no. First i'll preface this by saying I'm not just posting links but have done security audits professionally using all of these tools and not as a developer on a project but an external resource. Note that generally sqlserver injection is different than mysql as well.

是的,不是。首先,我要说的是,我不只是发布链接,而是使用所有这些工具专业地进行安全审计,而不是作为项目的开发人员而是外部资源。请注意,通常sqlserver注入也不同于mysql。

Free tools like paros proxy [crawls] (previously mentioned),

免费工具,如paros proxy [crawls](前面提到的),

burpsuite (previously mentioned [crawls] but active attacks requires pro): http://portswigger.net/burp/

burpsuite(之前提到[爬行]但主动攻击需要亲):http://portswigger.net/burp/

sqlninja (sqlserver only) http://sqlninja.sourceforge.net/

sqlninja(仅限sqlserver)http://sqlninja.sourceforge.net/

google rat proxy: [crawls] http://code.google.com/p/ratproxy/

google rat proxy:[抓取] http://code.google.com/p/ratproxy/

websecurify: [crawls] http://www.websecurify.com/

websecurify:[抓取] http://www.websecurify.com/

wapiti: [crawls but takes work to set up - can be used specifically for sqli with spider] http://wapiti.sourceforge.net/

wapiti:[爬行但需要设置工作 - 可以专门用于蜘蛛的sqli] http://wapiti.sourceforge.net/

nikto: [crawls but not for sqli...]

nikto:[爬行但不适用于sqli ...]

are great! They can help you identify problems but take a great deal of human analysis due to large amounts of false positives. Commercial tools are available like:

真棒!它们可以帮助您发现问题,但由于大量的误报,需要进行大量的人工分析。商业工具如下:

NTOSpider (one of the best [crawls!]) : http://www.ntobjectives.com/software/ntospider

NTOSpider(最好的之一[抓取!]):http://www.ntobjectives.com/software/ntospider

are very expensive but talking to a rep will get you a free copy for a period of time (which I have done with them). They make sorting through results faster by providing validation links in the reports but you STILL need a trained eye and analysis as I have found false positives.

是非常昂贵的,但与代表交谈将获得一段时间的免费副本(我已经与他们做了)。他们通过在报告中提供验证链接来更快地对结果进行排序,但您仍然需要经过训练的眼睛和分析,因为我发现了误报。

Ultimately the correct answer to this question is: You can use tools to help you identify if there are security (sqli) vulnerabilities but only a trained eye using the tools can validate them. Further only a proper code review and analysis can identify vulnerabilities that an app (even a very good one) may miss.

最终,这个问题的正确答案是:您可以使用工具来帮助您确定是否存在安全(sqli)漏洞,但只有经过培训的人员才能使用这些工具对其进行验证。此外,只有正确的代码审查和分析才能识别应用程序(即使是非常好的应用程序)可能会遗漏的漏洞。

Tools can help but you need human time and analysis to do this correctly. Proxies and request manglers are the real tools for hitting the app with injection and are done with careful intention of trained testers or those with a curious mind.

工具可以提供帮助,但您需要人工时间和分析来正确执行此操作。代理和请求管理器是用注入点击应用程序的真正工具,并且经过培训的测试人员或有好奇心的人的仔细意图完成。

#2


8  

I have two favorite tools (both free):

我有两个最喜欢的工具(都是免费的):

  1. sqlmap - You give it a URL, and it automatically scans for vulnerabilities. If it gets in, it gives you a SQL prompt.
  2. sqlmap - 你给它一个URL,它会自动扫描漏洞。如果它进入,它会给你一个SQL提示符。
  3. Paros Proxy - This one takes a little longer to set up. You have to configure your browser to use a proxy and then use your site (log in, navigate to other pages, etc.). Once you're done, it will analyze its cache of all the requests you made and show a report of the potential vulnerabilities it found.
  4. Paros Proxy - 这个设置需要更长的时间。您必须将浏览器配置为使用代理,然后使用您的站点(登录,导航到其他页面等)。完成后,它将分析其所有请求的缓存,并显示其发现的潜在漏洞的报告。

#3


3  

The Burp Scanner works extremely well for finding SQL injection as well as a variety of other things. You have to shell out $300 for the scanner though, but that is fairly cheap when looking at other scanners in the market.

Burp Scanner非常适合查找SQL注入以及其他各种内容。你必须为扫描仪支付300美元,但是在查看市场上的其他扫描仪时这相当便宜。

To elaborate, what you are looking for is a web application vulnerability scanner. These will crawl your site and send attack vectors into various parameters. Of all the scanners that I have used, Burp has given me the best results and has great performance. If you are looking for a free alternative you can try Grendel Scan It has not been updated in a while but still works pretty well. Especially for a free tool.

详细说明,您正在寻找的是Web应用程序漏洞扫描程序。这些将抓取您的网站并将攻击媒介发送到各种参数。在我使用的所有扫描仪中,Burp给了我最好的结果并且具有很好的性能。如果你正在寻找一个免费的替代品,你可以尝试Grendel扫描它有一段时间没有更新,但仍然很好。特别是对于免费工具。

Here is a list of some the other vulnerability scanners that are out there. I am sure you will find something to meet your needs.

以下列出了其他一些漏洞扫描程序。我相信你会找到满足你需求的东西。

#4


1  

There are programs to detect SQL injections, for example:

有一些程序可以检测SQL注入,例如:

#5


1  

There are enormous tools present in market for crawling all pages and detecting SQL injections. You should read this discussion it's never late How can I prevent SQL injection in PHP? and Testing for security vulnerabilities in web applications: Best practices?.

市场上有大量工具可用于抓取所有页面并检测SQL注入。你应该阅读这个讨论,它永远不会迟到如何在PHP中阻止SQL注入?和测试Web应用程序中的安全漏洞:最佳实践?

I would suggest Wapiti for finding web application vulnerabilities. Acunetix is over priced.

我建议Wapiti查找Web应用程序漏洞。 Acunetix价格过高。

See more:

查看更多:

#6


0  

What I test in my sites :

我在我的网站上测试的内容:

If you have log-in form for example try to enter:

如果您有登录表单,请尝试输入:

username field : anytext or 1=1'

用户名字段:anytext或1 = 1'

Password field : anypassword

密码字段:anypassword

if you didn't cover sql injection in your code , you can login by that .

如果你没有在你的代码中覆盖sql注入,你可以通过它登录。

Thanks

谢谢