[Open-source tool] - Ghauri: cross-platform automated detection and exploitation of SQL injection

An advanced cross-platform tool that automates the process of detecting and exploiting SQL injection security vulnerabilities.

Requirements:

  • python3
  • pip3

Installation:

```bash
git clone https://gitee.com/secrole/ghauri.git
cd ghauri
python3 -m pip install --upgrade -r requirements.txt
python3 setup.py install
```

```text
ghauri --help
```

Supports SQL injection against the following DBMS:

  • MySQL
  • Microsoft SQL Server
  • Postgres
  • Oracle
  • Microsoft Access (only fingerprinting is supported for now, in the case of boolean-based blind)

Supported injection techniques:

  • Boolean based
  • Error based
  • Time based
  • Stacked queries

Supported injection points:

  • GET/POST based injections
  • Header based injections
  • Cookie based injections
  • Multipart form data injections
  • JSON based injections
  • SOAP/XML based injections

Other features:

  • Proxy support: --proxy
  • Supports loading a request parsed from a TXT file: use the -r file.txt option
  • Supports limiting data extraction for dbs/tables/columns/dump: use the --start 1 --stop 2 options
  • Added support for resuming at every stage
  • Added support for skipping URL encoding: --skip-urlencode
  • For boolean/time-based injection, added support for verifying extracted characters
  • Added support for handling redirects according to the user's needs
  • Added sql-shell support: --sql-shell
  • Added support for fresh queries: --fresh-queries
  • Added hostname extraction support: --hostname
  • Added a switch to update Ghauri from GitHub: --update
    • Note: Ghauri must be cloned/installed from GitHub for this switch to work for future updates. Users of older versions must run git pull (if installed via git) to get this update; for future updates, running the ghauri --update command fetches the latest version of Ghauri.
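The injection points listed above (query string, POST body, cookies, headers, JSON) all reduce to one server-side defect: untrusted input concatenated into SQL text. The following is an added illustration written for this page, not code from Ghauri. It puts a vulnerable lookup next to its parameterised form and probes both with the same inputs, so the two observable differences a boolean-based or error-based tool relies on (a changed row count, a database error) are visible side by side. The `users` table, the function names and the sample inputs are all constructed for the example; SQLite is used only because it needs no server.

```python
"""Vulnerable vs parameterised lookup for the 'vuln.php?id=1' pattern.

Added example for this page; not part of Ghauri. Table, functions and
inputs are constructed here. Uses an in-memory SQLite database.
"""
import sqlite3


def build_db() -> sqlite3.Connection:
    # Constructed sample data: three users, one of them an admin.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "user"), (2, "bob", "user"), (3, "carol", "admin")],
    )
    return conn


def lookup_user_vulnerable(conn: sqlite3.Connection, user_id: str) -> list:
    # Defect: the request value becomes part of the statement text, so any
    # input that changes the SQL grammar is executed as SQL. Which channel
    # the value arrived through (GET, cookie, header, JSON) is irrelevant.
    query = f"SELECT id, name, role FROM users WHERE id = {user_id}"
    return conn.execute(query).fetchall()


def lookup_user_safe(conn: sqlite3.Connection, user_id: str) -> list:
    # Fix: the value travels as a bound parameter and is compared with the
    # id column as a single value; it can never alter the statement. Input
    # validation (is it an integer?) is a sensible extra layer, but the
    # parameter binding alone already removes the injection.
    return conn.execute(
        "SELECT id, name, role FROM users WHERE id = ?", (user_id,)
    ).fetchall()


def probe(conn: sqlite3.Connection, lookup, user_id: str) -> tuple:
    """Return ("rows", count) or ("error", exception class name).

    These two outcomes are exactly the signals a boolean-based oracle
    (different row count / page content) and an error-based oracle
    (database error text in the response) are built on.
    """
    try:
        return ("rows", len(lookup(conn, user_id)))
    except sqlite3.Error as exc:
        return ("error", type(exc).__name__)


def compare(user_id: str) -> dict:
    """Run one input through both lookups on a fresh database."""
    conn = build_db()
    try:
        return {
            "vulnerable": probe(conn, lookup_user_vulnerable, user_id),
            "safe": probe(conn, lookup_user_safe, user_id),
        }
    finally:
        conn.close()


if __name__ == "__main__":
    # Constructed inputs: a legitimate id, a classic boolean tautology and
    # a value that simply breaks the SQL syntax.
    for value in ("1", "1 OR 1=1", "1'"):
        print(f"{value!r:12} -> {compare(value)}")
```

Run it and the legitimate id returns one row from both functions; the tautology returns every row from the vulnerable function (the boolean signal) and none from the parameterised one, because SQLite compares the whole string to the integer column; the broken-syntax value raises an `OperationalError` from the vulnerable function (the error signal) and again returns no rows from the safe one. Returning a generic error page instead of the driver's message is what closes the error-based channel in a real application, but the parameterised statement is what closes the injection itself.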

```text
usage: ghauri -u URL [OPTIONS]

A cross-platform python based advanced sql injections detection & exploitation tool.

General:
  -h, --help          Shows the help.
  --version           Shows the version.
  --update            update ghauri
  -v VERBOSE          Verbosity level: 1-5 (default 1).
  --batch             Never ask for user input, use the default behavior
  --flush-session     Flush session files for current target
  --fresh-queries     Ignore query results stored in session file
  --test-filter       Select test payloads by titles (experimental)

Target:
  At least one of these options has to be provided to define the
  target(s)

  -u URL, --url URL   Target URL (e.g. 'http://www.site.com/vuln.php?id=1).
  -r REQUESTFILE      Load HTTP request from a file

Request:
  These options can be used to specify how to connect to the target URL

  -A , --user-agent   HTTP User-Agent header value
  -H , --header       Extra header (e.g. "X-Forwarded-For: 127.0.0.1)
  --host              HTTP Host header value
  --data              Data string to be sent through POST (e.g. "id=1)
  --cookie            HTTP Cookie header value (e.g. "PHPSESSID=a8d127e..)
  --referer           HTTP Referer header value
  --headers           Extra headers (e.g. "Accept-Language: fr\nETag: 123)
  --proxy             Use a proxy to connect to the target URL
  --delay             Delay in seconds between each HTTP request
  --timeout           Seconds to wait before timeout connection (default 30)
  --retries           Retries when the connection related error occurs (default 3)
  --confirm           Confirm the injected payloads.
  --skip-urlencode    Skip URL encoding of payload data
  --force-ssl         Force usage of SSL/HTTPS

Optimization:
  These options can be used to optimize the performance of ghauri

  --threads THREADS   Max number of concurrent HTTP(s) requests (default 1)

Injection:
  These options can be used to specify which parameters to test for,
  provide custom injection payloads and optional tampering scripts

  -p TESTPARAMETER    Testable parameter(s)
  --dbms DBMS         Force back-end DBMS to provided value
  --prefix            Injection payload prefix string
  --suffix            Injection payload suffix string
  --safe-chars        Skip URL encoding of specific character(s): (e.g:- --safe-chars="[])
  --fetch-using       Fetch data using different operator(s): (e.g: --fetch-using=between/in)

Detection:
  These options can be used to customize the detection phase

  --level LEVEL       Level of tests to perform (1-3, default 1)
  --code CODE         HTTP code to match when query is evaluated to True
  --string            String to match when query is evaluated to True
  --not-string        String to match when query is evaluated to False
  --text-only         Compare pages based only on the textual content

Techniques:
  These options can be used to tweak testing of specific SQL injection
  techniques

  --technique TECH    SQL injection techniques to use (default "BEST)
  --time-sec TIMESEC  Seconds to delay the DBMS response (default 5)

Enumeration:
  These options can be used to enumerate the back-end database
  management system information, structure and data contained in the
  tables.

  -b, --banner        Retrieve DBMS banner
  --current-user      Retrieve DBMS current user
  --current-db        Retrieve DBMS current database
  --hostname          Retrieve DBMS server hostname
  --dbs               Enumerate DBMS databases
  --tables            Enumerate DBMS database tables
  --columns           Enumerate DBMS database table columns
  --dump              Dump DBMS database table entries
  -D DB               DBMS database to enumerate
  -T TBL              DBMS database tables(s) to enumerate
  -C COLS             DBMS database table column(s) to enumerate
  --start             Retrieve entries from offset for dbs/tables/columns/dump
  --stop              Retrieve entries till offset for dbs/tables/columns/dump
  --sql-shell         Prompt for an interactive SQL shell (experimental)

Example:
  ghauri -u http://www.site.com/vuln.php?id=1 --dbs
```
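The `-r REQUESTFILE` option above loads a raw HTTP request saved as text (the format an intercepting proxy exports), and the same format turns up whenever a request has to be replayed or reviewed from a capture. The following is an added example of a minimal parser for that format, written for this page; it is not Ghauri's own parser and Ghauri's handling of edge cases may differ. The sample request is constructed here, reusing the host and cookie value from the help text above; `RawRequest`, `parse_raw_request` and `body_length_mismatch` are names chosen for this example. The Content-Length check is there because a trailing newline added by an editor is the most common reason a saved request no longer matches its declared body size.

```python
"""Minimal parser for a raw HTTP request saved to a text file.

Added example for this page; not Ghauri's parser. The sample request,
the class and the function names are constructed for the example.
"""
from dataclasses import dataclass, field
from urllib.parse import parse_qsl, urlsplit


@dataclass
class RawRequest:
    method: str
    path: str
    version: str
    headers: dict = field(default_factory=dict)  # names lower-cased
    body: str = ""

    @property
    def url(self) -> str:
        # Rebuild the absolute URL from the Host header. The scheme is
        # assumed to be http; a file carries no scheme, which is why a
        # tool needs something like --force-ssl to choose https.
        return f"http://{self.headers.get('host', '')}{self.path}"

    def query_params(self) -> dict:
        return dict(parse_qsl(urlsplit(self.path).query, keep_blank_values=True))

    def form_params(self) -> dict:
        # Only decode the body as a form when the request says it is one.
        if "application/x-www-form-urlencoded" in self.headers.get("content-type", ""):
            return dict(parse_qsl(self.body, keep_blank_values=True))
        return {}


def parse_raw_request(text: str) -> RawRequest:
    # Proxies export CRLF line endings, editors usually save LF; accept both.
    text = text.replace("\r\n", "\n")
    head, _, body = text.partition("\n\n")
    lines = head.split("\n")
    parts = lines[0].strip().split()
    if len(parts) != 3:
        raise ValueError(f"malformed request line: {lines[0]!r}")
    method, path, version = parts
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed header line: {line!r}")
        headers[name.strip().lower()] = value.strip()  # header names are case-insensitive
    return RawRequest(method, path, version, headers, body.rstrip("\n"))


def body_length_mismatch(req: RawRequest) -> bool:
    """True when a declared Content-Length disagrees with the parsed body."""
    declared = req.headers.get("content-length")
    if declared is None:
        return False
    return int(declared) != len(req.body.encode("utf-8"))


# Constructed sample request; host and cookie value reuse the help text above.
SAMPLE_REQUEST = "\r\n".join([
    "POST /vuln.php?id=1 HTTP/1.1",
    "Host: www.site.com",
    "User-Agent: example-client/1.0",
    "Content-Type: application/x-www-form-urlencoded",
    "Cookie: PHPSESSID=a8d127e",
    "Content-Length: 16",
    "",
    "id=1&submit=Send",
])


if __name__ == "__main__":
    req = parse_raw_request(SAMPLE_REQUEST)
    print(req.method, req.url)
    print("query:", req.query_params())
    print("form:", req.form_params())
    print("cookie:", req.headers.get("cookie"))
    print("content-length mismatch:", body_length_mismatch(req))
```

The parser deliberately keeps header names lower-cased and the body untouched; a replay tool then knows every parameter location (query string, form field, cookie, header) from one structure, which is also where a reviewer looks when checking what a captured request actually carried.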
