python_gdork_sqli: Automatically Finding and Exploiting SQL injection – Penetration Testing in Linux

Find SQL injections

This Python script was developed to show how many vulnerable websites are lying around on the web. The main focus of the script is to generate a list of vulnerable URLs. Please use the script with caution and alert the web admins of vulnerable pages. The sqlmap implementation is just for showcasing.

Installing

git clone http://ift.tt/2qYcPkp
apt-get install python3-dev python3-pip
pip3 install bs4 psutil
cd python_gdork_sqli
python3 findsqlinj.py

Usage

Section 1: In this section you have to provide a search string that 'connects' to the website's database, e.g. 'php?id='. The script then crawls Bing or Google for URLs containing it. All of the URLs can then be saved to a file. (Please be aware that you might get banned for crawling too fast; remember an appropriate break/sleep between requests.) Examples of searches: php?bookid=, php?idproduct=, php?catid=, php?action=, php?cart_id=, php?title=, php?itemid=. You can get more SQLi dork lists here.

Section 2: This section appends a quote ' to each website's URL. If the website is prone to SQL injection, the script catches this by matching the response against some predefined error messages. Because detection relies on these predefined error messages, the script will not add websites that are only vulnerable to blind SQL injection.

Section 3: This section simply runs sqlmap with the bulk argument and no user interaction, to validate the SQL injection findings.

Note: You should use tamper on sqlmap for bypassing a WAF.
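
A defender-side view of the section 2 check, as an added example that is not part of the original post or of python_gdork_sqli: it scans a web access log for requests whose query parameter value ends in an unbalanced single quote. The log lines, the combined log format, the function names and the min_paths threshold are assumptions made for this illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Constructed sample lines in "combined" access-log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [10/May/2017:10:00:01 +0000] "GET /book.php?bookid=12%27 HTTP/1.1" 500 312 "-" "python-urllib"
203.0.113.7 - - [10/May/2017:10:00:03 +0000] "GET /item.php?itemid=4' HTTP/1.1" 200 5120 "-" "python-urllib"
198.51.100.20 - - [10/May/2017:10:00:04 +0000] "GET /search.php?title=O%27Brien HTTP/1.1" 200 2211 "-" "Mozilla/5.0"
198.51.100.20 - - [10/May/2017:10:00:09 +0000] "GET /cart.php?cart_id=77 HTTP/1.1" 200 901 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+) [^"]*" (\d{3}) ')


def quote_probes(log_text):
    """Map client IP -> [(path, parameter, status)] for requests in which a
    query parameter value ends in an unbalanced single quote."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a combined-format request line
        ip, target, status = m.group(1), m.group(2), int(m.group(3))
        parts = urlsplit(target)
        # parse_qsl percent-decodes, so %27 and a literal ' look the same.
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            if value.endswith("'") and value.count("'") % 2 == 1:
                hits[ip].append((parts.path, name, status))
    return dict(hits)


def suspicious_clients(hits, min_paths=2):
    """Clients that sent the quote probe to at least min_paths distinct paths."""
    return sorted(ip for ip, rows in hits.items()
                  if len({path for path, _, _ in rows}) >= min_paths)


if __name__ == "__main__":
    found = quote_probes(SAMPLE_LOG)
    for ip in suspicious_clients(found):
        for path, name, status in found[ip]:
            print(f"{ip} probed {path} parameter {name!r} -> HTTP {status}")
```

A crawler of this kind may send only one probe to any single site, so on a small site set min_paths to 1 and review each hit; a 5xx status on a probe is worth checking first, since an error page is what the section 2 check matches on.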


The post python_gdork_sqli: Automatically Finding and Exploiting SQL injection appeared first on Penetration Testing in Linux. http://ift.tt/2qCCEnd http://ift.tt/2aM8QhC
