From a security defender's point of view, breadth of defense takes priority over depth, which reflects the barrel principle in information security.
Sqlmap is an open-source SQL injection vulnerability detection tool, and Nginx is a high-performance web server. Today we combine the two to achieve "carpet-style" detection of a site's SQL injection vulnerabilities!
Ideas
Sqlmap can bulk-import HTTP proxy logs and then analyze and probe each request in the log (see the sqlmap help documentation).
Therefore, we can configure Nginx to record the HTTP request information for the whole site and format it for sqlmap, so that sqlmap tests every request the site receives and achieves the most comprehensive coverage.
Operation Steps
Experimental environment: CentOS 6.5 + nginx + sqlmap
1. Configure Nginx to log request information
Nginx cannot record the complete request (at least I did not find a way); it can only record the fields you specify. That is enough, though, since the key information is basically all there.
One detail to note: sqlmap only accepts logs in a certain format, so the log entries have to be pieced together to match it.
Modify the log_format directive in the Nginx configuration file as follows:
log_format main '=====================================================
=====================================================
$request
Cookie: $http_cookie
User-Agent: $http_user_agent
Content-Type: $content_type
Content-Length: $content_length
Host: $host

$request_body
=====================================================

'; # ends here; note the empty line above
The recorded fields are: request line, Cookie, User-Agent, Content-Type, Content-Length, Host, and the POST parameters.
This allows POST request parameters to be tested as well; for GET requests, the request line alone would actually be enough.
Remember to restart Nginx after changing the configuration.
Now the log should look like this:
2. Format the log
On Linux the newline character is LF, while the HTTP protocol requires CRLF line endings, so replace the newlines with CRLF:
Method 1
Run in a terminal:
perl -p -i -e 's/\n/\r\n/' access.log
Method 2
Open access.log in the vi editor, enter :set ff=dos in command mode, then save and exit.
3. Run the detection against the log
Run in a terminal:
sqlmap.py -l access.log --batch --smart
You can see sqlmap testing the requests recorded in the log:
Summary
The advantage of this scheme is that the site's normal access traffic does the work of driving injection detection across the site for us.
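As an added example (not part of the original article and not sqlmap or Nginx code), the Python below goes a little beyond step 2: it converts the log to CRLF without doubling carriage returns when run twice, keeps only records whose Host is in an allowlist, and keeps one record per method, path and set of parameter names so that repeated visits are tested once. The record layout is assumed from the log_format shown above; prepare, describe, the host names and SAMPLE are constructed for the illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# One record as written by the log_format above: two separator lines,
# the request, a closing separator. Layout assumed from this page.
RECORD = re.compile(r"={10,}\s+={10,}\n(.*?)\n={10,}[ \t]*\n", re.S)

def describe(block):
    """Return (host, signature) for one logged request."""
    lines = block.split("\n")
    method, target, _ = lines[0].split(" ", 2)
    idx = next(i for i, l in enumerate(lines) if l.lower().startswith("host:"))
    host = lines[idx].split(":", 1)[1].strip().lower()
    body = "".join(lines[idx + 1:]).strip()
    if body == "-":                      # nginx logs "-" for an empty variable
        body = ""
    url = urlsplit(target)
    names = {k for k, _ in parse_qsl(url.query, keep_blank_values=True)}
    names |= {k for k, _ in parse_qsl(body, keep_blank_values=True)}
    return host, (method, url.path, tuple(sorted(names)))

def prepare(log_text, allowed_hosts):
    """Keep one in-scope record per (method, path, parameter names); emit CRLF."""
    text = log_text.replace("\r\n", "\n")   # safe on logs that were already converted
    seen, kept = set(), []
    for m in RECORD.finditer(text):
        try:
            host, sig = describe(m.group(1))
        except (ValueError, StopIteration):
            continue                        # malformed request line or no Host header
        if host in allowed_hosts and sig not in seen:
            seen.add(sig)
            kept.append(m.group(0) + "\n")
    return "".join(kept).replace("\n", "\r\n"), len(kept)

BAR = "=" * 53
def _rec(request, host, body="-"):          # builds a constructed sample record
    return (f"{BAR}\n{BAR}\n{request}\nCookie: sid=abc\nUser-Agent: test\n"
            f"Content-Type: -\nContent-Length: -\nHost: {host}\n\n{body}\n{BAR}\n\n")

SAMPLE = (_rec("GET /item?id=1 HTTP/1.1", "shop.example")
          + _rec("GET /item?id=2 HTTP/1.1", "shop.example")      # same signature
          + _rec("POST /login HTTP/1.1", "shop.example", "user=a&pass=b")
          + _rec("GET /x?q=1 HTTP/1.1", "other.example"))        # out of scope

if __name__ == "__main__":
    out, n = prepare(SAMPLE, {"shop.example"})
    print(n, "records kept")
```

Write the returned text to a new file and pass that file to sqlmap with -l in place of the raw access.log. Because the log holds cookies and POST bodies, keep both files readable only by the account that runs the test.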