Installation and test environment of sqlmap
1. The latest version of sqlmap can be downloaded from the official website http://sqlmap.org/
2. Python 2.7 needs to be installed; download it from the official website https://www.python.org/ and remember to configure the environment variables
3. To test whether sqlmap is installed successfully, unzip sqlmap, open cmd in its directory and run python sqlmap.py
Test environment construction. Note: use Google Chrome where possible, since the Inspect (check) option on its right-click menu makes it easy to see the details of the HTML requests
1. Download WampServer x64. Note: the DirectX repair tool needs to be run first for the installation to succeed
2. Download DVWA from its website http://www.dvwa.co.uk/ or from GitHub https://github.com/ethicalhack3r/DVWA
3. Unzip it into the directory E:\www\my\dvwa and add the line "127.0.0.1 dvwa.localhost" to the system's hosts file
4. Add the following to WampServer's httpd.conf file:
    <VirtualHost *:80>
        DocumentRoot "E:\www\my\dvwa"
        ServerName dvwa.localhost
        <Directory "E:\www\my\dvwa">
            Options Indexes FollowSymLinks
            AllowOverride All
            Require all granted
        </Directory>
    </VirtualHost>
5. Modify the following fields in the configuration file E:\www\my\dvwa\config\config.inc.php:
    $_DVWA[ 'db_server' ]   = '127.0.0.1';
    $_DVWA[ 'db_database' ] = 'DVWA';
    $_DVWA[ 'db_user' ]     = 'root';
    $_DVWA[ 'db_password' ] = '';
    # Only used with PostgreSQL/PGSQL database selection.
    $_DVWA[ 'db_port' ]     = '3306';
6. Run WampServer
7. Open the site (dvwa.localhost) in the browser and log in with username admin and password password
Learning sqlmap is mainly a matter of learning and using its command-line parameters:
    -h                 display brief help
    -hh                display the full help documentation
    -u                 followed by the target URL
    -r                 followed by a TXT file containing the HTTP request (including headers)
    --cookie           followed by the cookie string
    --dbs              list all databases
    --tables           list all tables
    --dump             dump the data of the specified database/table
    --dump-all         dump the data of all databases
    -T                 specify a table
    --current_table    current table (as given in this tutorial)
    --current-db       current database
    -D                 specify a database
    --batch            automatically choose the default answer at every prompt
    --smart            smart selection of the default prompt answer
    -g                 use Google to search for URLs that may be SQL injectable
To reach Google, the system's hosts file can be modified (see https://laod.cn/hosts/2017-google-hosts.html), or a VPN can be purchased.
Ways to prevent SQL injection
1. Firewalls: the ngx_lua_waf firewall can be used to protect the website and effectively prevent SQL injection attacks; it is open source: https://github.com/loveshell/ngx_lua_waf
2. Code review: in the server-side (backend) code, make sure that strings taken from the POST request are never used directly as parameters of the SQL query statement; pass them as bound parameters instead.
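As an added illustration of the code-review point above (not part of the original tutorial, and using Python's built-in sqlite3 in place of DVWA's PHP/MySQL code), the vulnerable string-concatenation pattern beside its parameterized fix; the users table and the request values are constructed for the demonstration:

```python
import sqlite3

# Constructed sample data standing in for a small users table.
SAMPLE_USERS = [
    (1, "admin", "admin@example.com"),
    (2, "gordonb", "gordon@example.com"),
    (3, "pablo", "pablo@example.com"),
]


def make_db():
    """Build an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, user_id):
    """The request value is pasted straight into the statement text (do not do this)."""
    sql = "SELECT id, name FROM users WHERE id = '" + user_id + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, user_id):
    """The value travels separately from the statement as a bound parameter."""
    return conn.execute("SELECT id, name FROM users WHERE id = ?", (user_id,)).fetchall()


def compare(user_id):
    """Return (rows from vulnerable query, rows from parameterized query) for one input."""
    conn = make_db()
    try:
        return len(lookup_vulnerable(conn, user_id)), len(lookup_parameterized(conn, user_id))
    finally:
        conn.close()


if __name__ == "__main__":
    # A normal request behaves the same either way.
    print(compare("1"))             # (1, 1)
    # A tautology in the value changes the statement's logic only when concatenated;
    # bound as a parameter it is just a string that matches no id.
    print(compare("1' OR '1'='1"))  # (3, 0)
```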