Five famous free SQL injection vulnerability scanning tools
1. SQLIer
SQLIer takes a URL on a website that has a SQL injection vulnerability and generates the SQL injection exploit from the relevant information, without requiring any user interaction. In this way, it generates a UNION SELECT query, which can then be used to brute-force database passwords. The program does not use quotes when it exploits the vulnerability, which means it can be adapted to many sites.
SQLIer uses a true/false SQL injection vulnerability to brute-force passwords. With a true/false SQL injection vulnerability, the user cannot query data out of the database directly and can only issue a statement that returns a true or false value.
According to statistics, an eight-character password (containing any character in the decimal ASCII code) takes only about 1 minute to break.
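Added example (not part of the original document and not SQLIer code): a vulnerable page handler beside a hardened one, showing why escaping quotes does not stop a quote-free payload in a numeric parameter, and how binding the value removes the true/false signal described above. The table, data and function names are hypothetical and constructed for this illustration.

```python
import re
import sqlite3


def make_db():
    # Constructed sample data for this example only.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT)")
    db.execute("INSERT INTO articles VALUES (1, 'hello')")
    return db


def escape_quotes(value):
    # Quote escaping alone: useless when the payload contains no quotes.
    return value.replace("'", "''")


def page_vulnerable(db, raw_id):
    # Numeric context: the parameter is concatenated into the statement,
    # so extra conditions can be appended without a single quote.
    sql = "SELECT title FROM articles WHERE id = " + escape_quotes(raw_id)
    return db.execute(sql).fetchone() is not None


def page_hardened(db, raw_id):
    # Validate the expected type, then bind the value as a parameter;
    # the input is never parsed as SQL.
    if not re.fullmatch(r"[0-9]+", raw_id):
        return False
    row = db.execute(
        "SELECT title FROM articles WHERE id = ?", (int(raw_id),)
    ).fetchone()
    return row is not None


def has_boolean_oracle(page, db):
    # A true/false signal exists when a condition appended to the
    # parameter changes whether the page returns content.
    return page(db, "1 AND 1=1") != page(db, "1 AND 1=2")


if __name__ == "__main__":
    db = make_db()
    print("vulnerable handler leaks true/false:", has_boolean_oracle(page_vulnerable, db))
    print("hardened handler leaks true/false:", has_boolean_oracle(page_hardened, db))
```
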
Its syntax is as follows: sqlier [options] [URL]
The options are as follows:
-c [host]: clears the vulnerability and exploit information for the host
-s [seconds]: the number of seconds to wait between web requests
-u [username]: the user names to brute-force from the database, separated by commas
-w [options]: options to pass to wget
In addition, this program also supports guessing field names, with the following options:
--table-names [table name]: the table names to guess, separated by commas.
--user-fields [user field]: the user name field names to guess, separated by commas.
--pass-fields [password field]: the password field names to guess, separated by commas.
Here's the basic usage:
For example, suppose there is a SQL injection vulnerability in the following URL:
http:///sqlihole.php?id=1
We run the following command:
sqlier -s 10 /sqlihole.php?id=1
This gets enough information from the database to exploit its passwords, where the number 10 means waiting 10 seconds between each query.
If the table name, user name field and password field name are guessed correctly, then the vulnerabil