duanfoumi5620 2011-03-21 09:28
浏览 34
已采纳

寻找一个在线sql注入工具检查器[关闭]

I recover an old website which is full of sql injection, I would need a tool if it exists, that crawl the whole site just by followings existing links on it, then try to put some sql injection contents into weak inputs.

I can check by myself but the site is rather big so I would prefer a crawler, to be sure i do not forget an entry...

thx

Ok after typing this post, I realize that I'm asking for an hacking tool, which is not the case of course :p, so any white hat techno available ?

  • 写回答

1条回答 默认 最新

  • dta38159 2011-03-21 09:41
    关注

    You should fix your known problems before you look for automated tools.

    You need to take the following steps:

    1. If the site uses a framework, is the framework up to date and patched? The framework is primarily what automated tools will attack, so rather than test it, just get it up to date.
    2. Where the site does its own SQL, you need to check every single SQL statement, by hand, to ensure none of them are vulnerable. That means, in every case, either converting to parameterised statements (best) or using mysql_real_escape_string() or similar if that is not practical.

    You should treat the above as a much higher priority than testing tools. Don't even spend time looking for automated scanning tools until those are complete.

    An automated SQL Injection tool is just not going to find all your problems, even those which are obvious to a competent attacker.

    Until you have done both of the above, you will be wasting your time on automated tools.

    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论

报告相同问题?

悬赏问题

  • ¥30 Unity接入微信SDK 无法开启摄像头
  • ¥20 有偿 写代码 要用特定的软件anaconda 里的jvpyter 用python3写
  • ¥20 cad图纸,chx-3六轴码垛机器人
  • ¥15 移动摄像头专网需要解vlan
  • ¥20 access多表提取相同字段数据并合并
  • ¥20 基于MSP430f5529的MPU6050驱动,求出欧拉角
  • ¥20 Java-Oj-桌布的计算
  • ¥15 powerbuilder中的datawindow数据整合到新的DataWindow
  • ¥20 有人知道这种图怎么画吗?
  • ¥15 pyqt6如何引用qrc文件加载里面的的资源