Using Sqlmap and Nginx to detect web SQL Injection Vulnerabilities

Source: Internet
Author: User


From the perspective of security defense, breadth of coverage takes priority over depth. This is one manifestation of the barrel principle in information security: the shortest plank sets the water level, so the least-tested entry point sets the real security level.

Sqlmap is an open-source SQL injection detection tool, and Nginx is a high-performance web server. Here we combine the two to get "blanket" detection of a website's SQL injection vulnerabilities.

Ideas
Sqlmap can import HTTP proxy logs in batch (the -l option; see the sqlmap help) and analyze and test every request recorded in the log.
Therefore, we can configure nginx to record every HTTP request the website receives, format that log the way sqlmap expects, and let sqlmap test each request the site actually serves. That gives the most complete coverage.

Procedure

Lab environment: centos 6.5 + nginx + sqlmap

1. Configure nginx to record request information
Nginx cannot record the complete raw request (at least I did not find a way to). Only the fields you name in the log format are written, but the key information is all available.
One detail to note: sqlmap expects the log in a particular layout, so we assemble that layout ourselves in the log format.
Modify the log_format in the nginx configuration file as follows:

log_format main '======================================================
$request
Cookie: $http_cookie
User-Agent: $http_user_agent
Content-Type: $content_type
Content-Length: $content_length
Host: $host

$request_body
======================================================
';  # note the blank line between the Host header and $request_body: HTTP requires it between the headers and the body

The fields recorded are: the request line, Cookie, User-Agent, Content-Type, Content-Length, Host, and the POST body.

This way POST parameters are tested as well. For a GET request only the request line carries parameters, so the request line alone is enough.

After changing the configuration, remember to restart nginx so the new log format takes effect.

Now the log looks like this:

2. format the log
On Linux the line terminator is LF, while HTTP requires CRLF, so replace every LF in the log with CRLF.

Method 1

Terminal execution

perl -p -i -e 's/\n/\r\n/' access.log

Method 2

Open access.log in vi. In command mode enter :set ff=dos, then save and exit.

3. Perform Detection Based on logs
Terminal execution:

sqlmap.py -l access.log --batch --smart

Sqlmap then walks through the requests recorded in the log and tests each of them.
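Added example, not part of the original article: a Python post-processor for the nginx log produced by the log_format above. It does the LF-to-CRLF conversion of step 2, drops the "-" placeholders nginx writes for variables it could not fill (a "Content-Length: -" header is not valid HTTP), and keeps only one record per distinct request shape (method, path and parameter names) so sqlmap tests each endpoint once instead of once per visitor. The 54-character separator, the host shop.example and the sample requests are constructed.

```python
import re
from urllib.parse import parse_qs, urlsplit

SEP = "=" * 54  # separator line emitted by the article's nginx log_format

def nginx_record(request_line, cookie, ctype, clen, body):
    """Constructed sample of one record as that log_format writes it (LF endings,
    '-' wherever nginx had no value for the variable)."""
    return (f"{SEP}\n{request_line}\nCookie: {cookie}\nUser-Agent: Mozilla/5.0\n"
            f"Content-Type: {ctype}\nContent-Length: {clen}\nHost: shop.example\n"
            f"\n{body}\n{SEP}\n")

SAMPLE_LOG = (nginx_record("GET /item.php?id=7 HTTP/1.1", "-", "-", "-", "-")
              + nginx_record("GET /item.php?id=9 HTTP/1.1", "-", "-", "-", "-")
              + nginx_record("POST /login.php HTTP/1.1", "sid=abc",
                             "application/x-www-form-urlencoded", "11", "user=a&pw=b"))

def split_records(log_text):
    """Yield (request_line, headers, body) per record, dropping '-' placeholders."""
    for chunk in re.split(r"^=+\r?$", log_text, flags=re.M):
        lines = [ln.rstrip("\r") for ln in chunk.strip("\r\n").split("\n")]
        if " HTTP/" not in lines[0]:
            continue                      # gap between two separator lines
        blank = lines.index("") if "" in lines else len(lines)
        headers = [h for h in lines[1:blank] if not h.endswith(": -")]
        body = "\n".join(lines[blank + 1:]).strip()
        yield lines[0], headers, "" if body == "-" else body

def request_shape(request_line, body):
    """Dedup key: method, path and the parameter names of query string and body."""
    method, target, _ = request_line.split(" ", 2)
    parts = urlsplit(target)
    query_names = tuple(sorted(parse_qs(parts.query, keep_blank_values=True)))
    body_names = tuple(sorted(parse_qs(body, keep_blank_values=True)))
    return method, parts.path, query_names, body_names

def to_sqlmap_log(log_text):
    """Return a CRLF log with one record per distinct request shape, in the
    separator-delimited layout that sqlmap -l reads."""
    seen, out = set(), []
    for request_line, headers, body in split_records(log_text):
        key = request_shape(request_line, body)
        if key in seen:
            continue                      # same endpoint and parameter names already kept
        seen.add(key)
        record = [SEP, request_line, *headers, ""] + ([body] if body else []) + [SEP]
        out.append("\r\n".join(record))
    return "\r\n".join(out) + "\r\n"
```

Run it over the real access.log and write the result to a new file before passing that file to sqlmap -l; the deduplication key ignores parameter values, so if the same endpoint behaves differently for different value sets, skip that step.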


Summary

The advantage of this approach is that ordinary website traffic does the work of finding injection points for us: every visitor's request becomes a test case, an "everyone for me" effect. This is also a kind of Internet thinking.
