SQL injection Online detection (SQLMAPAPI)

Source: Internet
Author: User
Tags sql injection online

Before a infiltration of colleagues asked me, sqlmapapi.py is what, I guess a lot of people have played Sqlmap, but played sqlmapapi should be relatively few, today and everyone to see how to use and some beautiful place.

To put it bluntly, sqlmapapi.py is providing an interface for checking SQL injection, and we can scan SQL injection directly by sending an HTTP request to get a series of operations such as scan results.

The following example shows how to use:

I. Start the server side


The server backend uses bottle, a Python web micro-framework.


Two. We use requests this library to send requests

1. New Task

2. Send scan option to open scan

Note: The cd92e4e99406715b is the TaskID returned by the new task.

3. View scan Status

the task is over and the scan results are available.

4. View Scan Results

We clearly see that there is a SQL injection


Hey, is not very simple, but very powerful ah, in fact, if the depth of the source view, you will find it is also very simple.

such as starting a task,

def engine_start (self):        self.process = Popen ("Python sqlmap.py--pickled-options%s"% Base64pickle (self.options),                             shell=true, Stdin=pipe, Close_fds=false)
Others are also at a glance,

   def engine_stop (self):        if self.process:            return self.process.terminate ()        else:            return None    def Engine_kill (self):        if self.process:            return Self.process.kill ()        else:            return None    def engine_ Get_returncode (self):        if self.process:            self.process.poll ()            return Self.process.returncode        else: return            none    def engine_has_terminated (self):        #如何任务没有结束, the return value of ReturnCode is None return        Isinstance (Self.engine_get_returncode (), int)

Our RESTful API design is also very fastidious, generally less with verbs, but through the method of HTTP to represent the action. Getting a state, for example, is not a getstatus, but a get method, and a status name is appropriate.

But sometimes the verb is unavoidable, how to say start,stop and so on. In fact, look at the new task API design author must also be very tangled, originally if the new task has parameters, the direct post method can be, do not need the new verb. However, because the new task does not require any parameters, using the Post method is not appropriate, so the Get method is changed. This also conforms to the above open task using post, while the stop task is using get.


More detailed questions need to see the document or source code, just take advantage of this opportunity to analyze the next subprocess module and bottle framework, the latter will have this aspect of the analysis.





SQL injection Online detection (SQLMAPAPI)

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.