AutoSqli icon indicating copy to clipboard operation
AutoSqli copied to clipboard

Published 20 hours ago verified publisher icon LeeHDsniper

post注入如何测试

Open zuoshouzz opened this issue 8 years ago • 5 comments

import requests,json

r = requests.get('http://127.0.0.1:8775/task/new')

r=requests.post('http://127.0.0.1:8775/scan/6ce468f0f48ab1b9/start',data=json.dumps({'url':'http://testphp.vulnweb.com/artists.php?artist=1'}),headers={'Content-Type':'application/json'})

r = requests.get('http://127.0.0.1:8775/scan/6ce468f0f48ab1b9/status')

r = requests.get('http://127.0.0.1:8775/scan/6ce468f0f48ab1b9/data')

a=r.json() print type(a) print a

,post的参数和值在哪里设置?

zuoshouzz avatar Aug 09 '16 02:08 zuoshouzz

sqlmapapi在客户端命令行模式下,如果要测试post注入,需要写一个txt文档类似这样: ` POST /example/example.jsp?act=query HTTP/1.1 Host: xxx.xxx.xxx.xxx User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9;q=0.8 Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate Cookie: JSESSIONID=5EB95E1F7BC47569058C53D0B9CA7261 Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 159

cp1Sel=%E8%B4%B5&cp2Sel=A&cp3=23232&cph=%E8%B4%B5A23232&select=%E8%BD%A6%E8%BE%86%E8%AF%86%E5%88%AB%E4%BB%A3%E5%8F%B7%E5%90%8E6%E4%BD%8D&clbs=121212* 然后用-r参数将这个txt文件作为注入参数 如果是在Autosqli这个模式下以json传递的话,应该是 {"sqlFile":"./path"} ` 这样

LeeHDsniper avatar Aug 09 '16 07:08 LeeHDsniper

autosql的如何用,完整的?

zuoshouzz avatar Aug 10 '16 02:08 zuoshouzz

你需要自己在Autosqli的代码中支持sqlFile参数并修改前端js代码使其可以发送包含sqlFile参数

LeeHDsniper avatar Aug 11 '16 07:08 LeeHDsniper

autosql的如何用,完整的?

表哥,你这个post注入解决了吗?求解~

ExploreZone avatar Dec 25 '18 01:12 ExploreZone

sqlmapapi在客户端命令行模式下,如果要测试post注入,需要写一个txt文档类似这样: ` POST /example/example.jsp?act=query HTTP/1.1 Host: xxx.xxx.xxx.xxx User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9;q=0.8 Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate Cookie: JSESSIONID=5EB95E1F7BC47569058C53D0B9CA7261 Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 159

cp1Sel=%E8%B4%B5&cp2Sel=A&cp3=23232&cph=%E8%B4%B5A23232&select=%E8%BD%A6%E8%BE%86%E8%AF%86%E5%88%AB%E4%BB%A3%E5%8F%B7%E5%90%8E6%E4%BD%8D&clbs=121212* 然后用-r参数将这个txt文件作为注入参数 如果是在Autosqli这个模式下以json传递的话,应该是 {"sqlFile":"./path"} ` 这样

表哥,我使用sqlfile这个参数,没有起作用呀是不是我姿势不对?

ExploreZone avatar Dec 25 '18 01:12 ExploreZone