SQL Injection Online Detection (sqlmapapi)
A penetration tester I know asked me about sqlmapapi.py. I guess many people have played with sqlmap, but far fewer have tried sqlmapapi. Today let's look at how to use it and at some of the elegant parts of its design.
Put bluntly, sqlmapapi.py exposes an HTTP interface for SQL injection checks: we start a scan for SQL injection by sending HTTP requests and obtain the scan results the same way.
The following example shows how to use it:
1. Start the server. The backend server is built on bottle, a Python web microframework.
2. Create a task and start the scan. We use the requests library to send the requests: first request a new task, then send the scan options to enable the scan. The cd92e4e99406715b in the start request is the taskid returned by the new-task call.
3. View the scan status. Once the task has ended, you can fetch the scan result.
4. View the scan results. We can see that SQL injection exists.
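The four steps above as a small client, added here as an example that is not part of the original post or of sqlmap itself; it uses only the Python standard library and assumes the server's default address 127.0.0.1:8775. The send parameter is an assumption of this example, so a test can swap in a fake transport for the live server.

```python
# Added example (not sqlmap's own code): a stdlib-only client for sqlmapapi.py
# walking the four steps above. ``send`` is an assumption of this example so a
# test can swap in a fake transport for the HTTP calls.
import json
import time
import urllib.request

def http_send(method, url, body=None):
    """Default transport: one JSON request to the sqlmapapi server."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method,
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read().decode())

class SqlmapApiClient:
    def __init__(self, base="http://127.0.0.1:8775", send=http_send):
        self.base = base.rstrip("/")  # sqlmapapi's default listen address
        self.send = send

    def new_task(self):
        # Step 1: GET /task/new -> {"success": true, "taskid": "..."}
        reply = self.send("GET", self.base + "/task/new")
        if not reply.get("success"):
            raise RuntimeError("task creation failed: %r" % reply)
        return reply["taskid"]

    def start(self, taskid, options):
        # Step 2: POST the scan options as JSON to /scan/<taskid>/start
        reply = self.send("POST", "%s/scan/%s/start" % (self.base, taskid), options)
        if not reply.get("success"):
            raise RuntimeError("scan start failed: %r" % reply)

    def wait(self, taskid, poll=2.0, max_polls=300):
        # Step 3: poll GET /scan/<taskid>/status until it reports "terminated"
        for _ in range(max_polls):
            reply = self.send("GET", "%s/scan/%s/status" % (self.base, taskid))
            if reply.get("status") == "terminated":
                return True
            time.sleep(poll)
        return False

    def data(self, taskid):
        # Step 4: GET /scan/<taskid>/data -> {"data": [...], "error": [...]}
        reply = self.send("GET", "%s/scan/%s/data" % (self.base, taskid))
        return reply.get("data", []), reply.get("error", [])

def run_scan(url, base="http://127.0.0.1:8775", send=http_send, poll=2.0):
    # Returns (taskid, findings, errors) for one target URL.
    client = SqlmapApiClient(base, send)
    taskid = client.new_task()
    client.start(taskid, {"url": url})
    if not client.wait(taskid, poll):
        raise RuntimeError("scan %s did not terminate in time" % taskid)
    return (taskid,) + client.data(taskid)
```

Run it against a staging copy of your own application to turn the manual four-step walkthrough into a repeatable check; the returned data list is empty when no injection was found.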
Simple, isn't it, yet very powerful? In fact, if you dig into the source code, you will find the implementation just as simple.
For example, starting a task:

    def engine_start(self):
        self.process = Popen("python sqlmap.py --pickled-options %s" % base64pickle(self.options), shell=True, stdin=PIPE, close_fds=False)
The others are equally clear at a glance:

    def engine_stop(self):
        if self.process:
            return self.process.terminate()
        else:
            return None

    def engine_kill(self):
        if self.process:
            return self.process.kill()
        else:
            return None

    def engine_get_returncode(self):
        if self.process:
            self.process.poll()
            return self.process.returncode
        else:
            return None

    def engine_has_terminated(self):
        # if the task has not finished yet, returncode is still None
        return isinstance(self.engine_get_returncode(), int)
The RESTful API design is also quite elegant. In general, we use few verbs and let the HTTP method express the action. For example, obtaining the status is not an endpoint called getstatus but a GET on the status resource, which maps naturally onto the resource name.
But sometimes a verb is unavoidable, as with start and stop. In fact, the author clearly struggled with the design of the new-task call as well. If creating a task took parameters, one could simply POST without the verb "new". But since creating a new task takes no parameters and POST is therefore not appropriate, it was changed to GET. This is consistent with the rest of the API: starting a task (which sends the scan options) uses POST, while stopping a task uses GET.
For more details, consult the documentation or the source code. Here we only take the opportunity to look at the subprocess module and the bottle framework; we will return to both in a later post.