SQLiScanner:又一款基于SQLMAP和Charles的被动SQL 注入漏洞扫描工具
2016-09-21 17:05
796 查看
项目地址:SQLiScanner
叕一款基于SQLMAP和Charles的被动SQL 注入漏洞扫描工具
从内部安全平台 分离出来的一个模块, 支持
Har 文件的扫描(搭配 Charles 使用: Tools=>Auto Save)
邮箱通知
任务统计
sqlmap 复现命令生成
Python 3.x
Django 1.9
PostgreSQL
Celery
sqlmap
redis
Linux
osx
![](https://oscdn.geek-share.com/Uploads/Images/Content/202003/20/6fbec9f0bcb1fe4636fd43328e180e60)
![](https://oscdn.geek-share.com/Uploads/Images/Content/202003/20/d55426b099a622996a5b09053fc66b8e)
![](https://oscdn.geek-share.com/Uploads/Images/Content/202003/20/73504feed1a76adbeac53805cbbd91cd)
![](https://oscdn.geek-share.com/Uploads/Images/Content/202003/20/d768721e14302fa830d509826a2587ee)
克隆项目到本地
配置 sqlmap:
SQLiScanner 支持 Python version 3.x on Linux and osx.
安装依赖
创建数据库(需要配置数据库)
创建 superuser
数据库设置
邮件通知配置
*本文投稿作者:Blur,转载须注明来自FreeBuf.COM
收藏该文
![](http://www.freebuf.com/buf/plugins/wp-user-avatar/images/wp-user-avatar-96x96.png)
Blur1篇文章等级:1级
这家伙太懒,还未填写个人描述!
个人主页 发私信
上一篇:DBPwAudit:数据库密码审计工具
下一篇:动手打造Bypass
UAC自动化测试小工具,可绕过最新版Win10
发表评论
![](https://oscdn.geek-share.com/Uploads/Images/Content/202003/20/cae1decace7adba52149f35fa435e725.png)
中国公民 (2级) 2016-09-18回复1楼
这个必须实名顶。
亮了(2)
![](https://oscdn.geek-share.com/Uploads/Images/Content/201701/b7e1ef9d254aa65a935e92bd3a09b4cd.png)
Ra1lGun 2016-09-18回复2楼
被动sql扫描和主动有什么区别?
亮了(0)
![](https://oscdn.geek-share.com/Uploads/Images/Content/201701/23e3766825a9a8952349e90e0224371b.png)
攻城师killkill 2016-09-18回复3楼
![](https://oscdn.geek-share.com/Uploads/Images/Content/202003/20/63f89e84a04cc76e71346690e8ebf553.gif)
![](https://oscdn.geek-share.com/Uploads/Images/Content/202003/20/63f89e84a04cc76e71346690e8ebf553.gif)
![](https://oscdn.geek-share.com/Uploads/Images/Content/202003/20/63f89e84a04cc76e71346690e8ebf553.gif)
亮了(0)
![](https://oscdn.geek-share.com/Uploads/Images/Content/202003/20/490badf72a445c65b6a72f7a9112be25.jpg)
shentouceshi (4级)http://www.cnblogs.com/SEC-fsq... 2016-09-18回复4楼
是不是跟之前freebuf发的那个foxscan差不多。
亮了(0)
![](http://www.freebuf.com/buf/plugins/wp-user-avatar/images/wp-user-avatar-96x96.png)
Blur (1级) 2016-09-19回复
@ shentouceshi 还是有很多区别的,体验一下就知道了
亮了(0)
![](https://oscdn.geek-share.com/Uploads/Images/Content/201609/a3bf35ed783adce09c52e6a2949b73c0.png)
Any3ite 2016-09-18回复5楼
略微有点懵逼。。mac 貌似还要装一个python 3? 撸主弄个视频可好?
亮了(1)
![](http://www.freebuf.com/buf/plugins/wp-user-avatar/images/wp-user-avatar-96x96.png)
Blur (1级) 2016-09-19回复
@ Any3ite 不是必须py3,只是考虑到后期维护直接就上3了
亮了(0)
![](https://oscdn.geek-share.com/Uploads/Images/Content/201609/a3bf35ed783adce09c52e6a2949b73c0.png)
青宇家的瓜皮小幺儿 2016-09-18回复6楼
爸爸
亮了(4)
![](https://oscdn.geek-share.com/Uploads/Images/Content/202003/20/38d6dbb1c645c3a67e059379e8291b9c.jpg)
chenglei (2级) 2016-09-19回复7楼
good!
亮了(0)
![](http://www.freebuf.com/buf/plugins/wp-user-avatar/images/wp-user-avatar-96x96.png)
纠结师 (1级) 2016-09-19回复8楼
这让我想起360那套被动系统
亮了(0)
![](https://oscdn.geek-share.com/Uploads/Images/Content/201609/e8bd7195d06f5fbe05fa63680faec486.png)
test111 2016-09-19回复9楼
python3是必须 还是支持python3 ?
亮了(0)
![](http://www.freebuf.com/buf/plugins/wp-user-avatar/images/wp-user-avatar-96x96.png)
Blur (1级) 2016-09-19回复
@ test111 不是必须,只是考虑到后期维护直接就上3了
亮了(0)
![](https://oscdn.geek-share.com/Uploads/Images/Content/201701/fa842869b7f4dfb79bb1f45594bb3d47.png)
跳跳龙 2016-09-19回复10楼
这是我师傅
亮了(0)
![](http://www.freebuf.com/buf/plugins/wp-user-avatar/images/wp-user-avatar-96x96.png)
张冰倩 (1级) 2016-09-19回复11楼
围观~
亮了(0)
![](https://oscdn.geek-share.com/Uploads/Images/Content/202003/20/1d0b17951d4336045012738d1317881c.jpg)
死宅10086 (5级) 2016-09-19回复12楼
做沙发
![](https://oscdn.geek-share.com/Uploads/Images/Content/201701/c9d6adf0d501c7aa976b72207ffdbaef.gif)
![](https://oscdn.geek-share.com/Uploads/Images/Content/201701/c9d6adf0d501c7aa976b72207ffdbaef.gif)
亮了(0)
![](http://www.freebuf.com/buf/plugins/wp-user-avatar/images/wp-user-avatar-96x96.png)
张冰倩 (1级) 2016-09-19回复13楼
![](https://oscdn.geek-share.com/Uploads/Images/Content/201701/1346d1eab158a0a17f5293edaaddcc0c.gif)
亮了(0)
![](http://www.freebuf.com/buf/plugins/wp-user-avatar/images/wp-user-avatar-96x96.png)
aimet (1级) 2016-09-19回复14楼
撸个视频可好
亮了(0)
![](https://oscdn.geek-share.com/Uploads/Images/Content/201609/e8bd7195d06f5fbe05fa63680faec486.png)
test 2016-09-19回复15楼
安装好了以后运行 上传har到底是什么东西? 不能直接输入url吗
亮了(0)
![](http://www.freebuf.com/buf/plugins/wp-user-avatar/images/wp-user-avatar-96x96.png)
Blur (1级) 2016-09-20回复16楼
@ test 用Charles 做代理工具,把请求导出保存为 har格式的文件
亮了(0)
![](https://oscdn.geek-share.com/Uploads/Images/Content/201609/9d3b43e34148eed9055cdf9559027fe4.jpg)
taylorwin (5级) 2016-09-20回复17楼
说说被动和主动的区别别?谢谢楼主。
亮了(0)
![](http://www.freebuf.com/buf/plugins/wp-user-avatar/images/wp-user-avatar-96x96.png)
Blur (1级) 2016-09-20回复
@ taylorwin 被动-听,等待目标;主动-搜,爬取发现目标
亮了(0)
![](https://oscdn.geek-share.com/Uploads/Images/Content/202003/20/bc06ab7fb1715d5b03dcde8676d4c525.jpg)
Error404 (1级) 2016-09-20回复18楼
做个 安装视频呗 楼主
![](https://oscdn.geek-share.com/Uploads/Images/Content/201608/8762da02b4bd0f72c53b2ec64efadd68.gif)
亮了(2)
![](https://oscdn.geek-share.com/Uploads/Images/Content/202003/20/a554f1d36d6230438975925350ee4f88.jpg)
lx277856602 (3级) 2016-09-21回复19楼
不错,mark下
亮了(0)
![](https://oscdn.geek-share.com/Uploads/Images/Content/201608/5f1876af07a6042ebbe16ed1d05fb5e8.png)
河蟹 2016-09-21回复20楼
跪求楼主做个安装视频
简介
叕一款基于SQLMAP和Charles的被动SQL 注入漏洞扫描工具从内部安全平台 分离出来的一个模块, 支持
Har 文件的扫描(搭配 Charles 使用: Tools=>Auto Save)
特性
邮箱通知任务统计
sqlmap 复现命令生成
依赖
Python 3.xDjango 1.9
PostgreSQL
Celery
sqlmap
redis
支持平台
Linuxosx
截图
安装
克隆项目到本地git clone https://github.com/0xbug/SQLiScanner.git --depth 1
配置 sqlmap:
git clone https://github.com/sqlmapproject/sqlmap.git --depth 1
SQLiScanner 支持 Python version 3.x on Linux and osx.
安装依赖
cd SQLiScanner/ virtualenv --python=/usr/local/bin/python3.5 venv source venv/bin/activate pip install -r requirements.txt
创建数据库(需要配置数据库)
python manage.py makemigrations scanner python manage.py migrate
创建 superuser
python manage.py createsuperuser
设置
数据库设置SQLiScanner/settings.py:85
DATABASES = { 'default': { 'ENGINE': 'django.db.backends.postgresql', 'NAME': '', 'USER': '', 'PASSWORD': '', 'HOST': '127.0.0.1', 'PORT': '5432', } }
邮件通知配置
SQLiScanner/settings.py:152
# Email EMAIL_BACKEND = 'django.core.mail.backends.smtp.EmailBackend' EMAIL_USE_TLS = False EMAIL_HOST = '' EMAIL_PORT = 25 EMAIL_HOST_USER = '' EMAIL_HOST_PASSWORD = '' DEFAULT_FROM_EMAIL = ''
scanner/tasks.py:13
class SqlScanTask(object): def __init__(self, sqli_obj): self.api_url = "http://127.0.0.1:8775" self.mail_from = "" self.mail_to = [""]
运行
redis-server python sqlmapapi.py -s -p 8775 python manage.py celery worker --loglevel=info python manage.py runserver
*本文投稿作者:Blur,转载须注明来自FreeBuf.COM
收藏该文
![](http://www.freebuf.com/buf/plugins/wp-user-avatar/images/wp-user-avatar-96x96.png)
Blur1篇文章等级:1级
这家伙太懒,还未填写个人描述!
个人主页 发私信
上一篇:DBPwAudit:数据库密码审计工具
下一篇:动手打造Bypass
UAC自动化测试小工具,可绕过最新版Win10
发表评论
已有 24 条评论
![](https://oscdn.geek-share.com/Uploads/Images/Content/202003/20/cae1decace7adba52149f35fa435e725.png)
中国公民 (2级) 2016-09-18回复1楼
这个必须实名顶。
亮了(2)
![](https://oscdn.geek-share.com/Uploads/Images/Content/201701/b7e1ef9d254aa65a935e92bd3a09b4cd.png)
Ra1lGun 2016-09-18回复2楼
被动sql扫描和主动有什么区别?
亮了(0)
![](https://oscdn.geek-share.com/Uploads/Images/Content/201701/23e3766825a9a8952349e90e0224371b.png)
攻城师killkill 2016-09-18回复3楼
![](https://oscdn.geek-share.com/Uploads/Images/Content/202003/20/63f89e84a04cc76e71346690e8ebf553.gif)
![](https://oscdn.geek-share.com/Uploads/Images/Content/202003/20/63f89e84a04cc76e71346690e8ebf553.gif)
![](https://oscdn.geek-share.com/Uploads/Images/Content/202003/20/63f89e84a04cc76e71346690e8ebf553.gif)
亮了(0)
![](https://oscdn.geek-share.com/Uploads/Images/Content/202003/20/490badf72a445c65b6a72f7a9112be25.jpg)
shentouceshi (4级)http://www.cnblogs.com/SEC-fsq... 2016-09-18回复4楼
是不是跟之前freebuf发的那个foxscan差不多。
亮了(0)
![](http://www.freebuf.com/buf/plugins/wp-user-avatar/images/wp-user-avatar-96x96.png)
Blur (1级) 2016-09-19回复
@ shentouceshi 还是有很多区别的,体验一下就知道了
亮了(0)
![](https://oscdn.geek-share.com/Uploads/Images/Content/201609/a3bf35ed783adce09c52e6a2949b73c0.png)
Any3ite 2016-09-18回复5楼
略微有点懵逼。。mac 貌似还要装一个python 3? 撸主弄个视频可好?
亮了(1)
![](http://www.freebuf.com/buf/plugins/wp-user-avatar/images/wp-user-avatar-96x96.png)
Blur (1级) 2016-09-19回复
@ Any3ite 不是必须py3,只是考虑到后期维护直接就上3了
亮了(0)
![](https://oscdn.geek-share.com/Uploads/Images/Content/201609/a3bf35ed783adce09c52e6a2949b73c0.png)
青宇家的瓜皮小幺儿 2016-09-18回复6楼
爸爸
亮了(4)
![](https://oscdn.geek-share.com/Uploads/Images/Content/202003/20/38d6dbb1c645c3a67e059379e8291b9c.jpg)
chenglei (2级) 2016-09-19回复7楼
good!
亮了(0)
![](http://www.freebuf.com/buf/plugins/wp-user-avatar/images/wp-user-avatar-96x96.png)
纠结师 (1级) 2016-09-19回复8楼
这让我想起360那套被动系统
亮了(0)
![](https://oscdn.geek-share.com/Uploads/Images/Content/201609/e8bd7195d06f5fbe05fa63680faec486.png)
test111 2016-09-19回复9楼
python3是必须 还是支持python3 ?
亮了(0)
![](http://www.freebuf.com/buf/plugins/wp-user-avatar/images/wp-user-avatar-96x96.png)
Blur (1级) 2016-09-19回复
@ test111 不是必须,只是考虑到后期维护直接就上3了
亮了(0)
![](https://oscdn.geek-share.com/Uploads/Images/Content/201701/fa842869b7f4dfb79bb1f45594bb3d47.png)
跳跳龙 2016-09-19回复10楼
这是我师傅
亮了(0)
![](http://www.freebuf.com/buf/plugins/wp-user-avatar/images/wp-user-avatar-96x96.png)
张冰倩 (1级) 2016-09-19回复11楼
围观~
亮了(0)
![](https://oscdn.geek-share.com/Uploads/Images/Content/202003/20/1d0b17951d4336045012738d1317881c.jpg)
死宅10086 (5级) 2016-09-19回复12楼
做沙发
![](https://oscdn.geek-share.com/Uploads/Images/Content/201701/c9d6adf0d501c7aa976b72207ffdbaef.gif)
![](https://oscdn.geek-share.com/Uploads/Images/Content/201701/c9d6adf0d501c7aa976b72207ffdbaef.gif)
亮了(0)
![](http://www.freebuf.com/buf/plugins/wp-user-avatar/images/wp-user-avatar-96x96.png)
张冰倩 (1级) 2016-09-19回复13楼
![](https://oscdn.geek-share.com/Uploads/Images/Content/201701/1346d1eab158a0a17f5293edaaddcc0c.gif)
亮了(0)
![](http://www.freebuf.com/buf/plugins/wp-user-avatar/images/wp-user-avatar-96x96.png)
aimet (1级) 2016-09-19回复14楼
撸个视频可好
亮了(0)
![](https://oscdn.geek-share.com/Uploads/Images/Content/201609/e8bd7195d06f5fbe05fa63680faec486.png)
test 2016-09-19回复15楼
安装好了以后运行 上传har到底是什么东西? 不能直接输入url吗
亮了(0)
![](http://www.freebuf.com/buf/plugins/wp-user-avatar/images/wp-user-avatar-96x96.png)
Blur (1级) 2016-09-20回复16楼
@ test 用Charles 做代理工具,把请求导出保存为 har格式的文件
亮了(0)
![](https://oscdn.geek-share.com/Uploads/Images/Content/201609/9d3b43e34148eed9055cdf9559027fe4.jpg)
taylorwin (5级) 2016-09-20回复17楼
说说被动和主动的区别别?谢谢楼主。
亮了(0)
![](http://www.freebuf.com/buf/plugins/wp-user-avatar/images/wp-user-avatar-96x96.png)
Blur (1级) 2016-09-20回复
@ taylorwin 被动-听,等待目标;主动-搜,爬取发现目标
亮了(0)
![](https://oscdn.geek-share.com/Uploads/Images/Content/202003/20/bc06ab7fb1715d5b03dcde8676d4c525.jpg)
Error404 (1级) 2016-09-20回复18楼
做个 安装视频呗 楼主
![](https://oscdn.geek-share.com/Uploads/Images/Content/201608/8762da02b4bd0f72c53b2ec64efadd68.gif)
亮了(2)
![](https://oscdn.geek-share.com/Uploads/Images/Content/202003/20/a554f1d36d6230438975925350ee4f88.jpg)
lx277856602 (3级) 2016-09-21回复19楼
不错,mark下
亮了(0)
![](https://oscdn.geek-share.com/Uploads/Images/Content/201608/5f1876af07a6042ebbe16ed1d05fb5e8.png)
河蟹 2016-09-21回复20楼
跪求楼主做个安装视频
相关文章推荐
- Inprotect 基于web界面到漏洞扫描工具
- IIS安全工具UrlScan介绍 ASP.NET 两种超强SQL 注入免费解决方案( 基于IIS,使用免费工具) 批改或隐藏IIS7.5的Server头信息 移除X-Powered-By,MVC,ASP.NET_SessionId 的 HTTP头或者cookie名称
- SQL注入自动扫描工具中的语句
- SQL注入自动扫描工具中的语句
- 漏洞扫描和注入工具
- Nikto是一款Web安全扫描工具,可以扫描指定主机的web类型,主机名,特定目录,cookie,特定CGI漏洞,XSS漏洞,SQL注入漏洞等,非常强大滴说。。。
- Whitewidow:SQL 漏洞自动扫描工具
- 推荐一款免费的SQL脚本格式化工具--SQLinForm
- 新装的操作系统.给金山一扫描,才知道漏洞太多了,还没装好masql呢,估计装了那个还很多
- 使用漏洞扫描工具评估网络系统安全
- 不需xp_cmdshell支持在有注入漏洞的SQL服务器上运行CMD命令
- Sql语句注入漏洞,看看你存在吗
- 动网8.0sql最新注入漏洞+利用工具
- Sql通用防注入系统3.1β版的跨站漏洞
- 推荐一款免费的SQL脚本格式化工具--SQLinForm
- 不需xp_cmdshell支持在有注入漏洞的sql服务器上运行cmd命令_数据库安全
- 轻量级网页安全漏洞扫描工具-Wapiti
- SQL 注入天书 - ASP 注入漏洞全接触
- 如何使用Nikto漏洞扫描工具检测网站安全 推荐
- 不需xp_cmdshell支持在有注入漏洞的SQL服务器上运行CMD命令