// Front end of the scanner: validates the command-line options, loads the
// sqlmap API settings and decides whether the target request has any
// parameters to test. $all_opt is populated before this fragment — presumably
// from the command line; confirm against the part of the file not shown here.

// Prints the help text and terminates the script with exit status 1.
$usage = function () use($argv) {
    // usage
    echo "Welcome to lazy auto sql inject tools\n";
    echo "Usage:\n";
    echo "php " . $argv[0] . " --url=http://example.com [--method=GET] [--cookies=a] [--post_data='a=b'] [--user_agent=aa] [--refer=xxx] [--headers=yy]\n";
    exit(1);
};

// --url is the only mandatory option.
if (!$all_opt['url']) {
    $usage();
}

define('ROOT', dirname(__FILE__));
require ROOT . '/lib/sqlmap_client.class.php';

// load config file
// NOTE(review): config.ini carries the sqlmap API admin token; treat it as a
// credential (keep it out of version control and readable only by the operator).
// NOTE(review): parse_ini_file() returns false on failure and that result is
// not checked before it is indexed below.
$config_file = ROOT . '/config.ini';
$all_config = parse_ini_file($config_file, true);
$sql_map_client = new SqlMapClient($all_config['SqlMapApi']['host'], $all_config['SqlMapApi']['port'], $all_config['SqlMapApi']['admin_token']);

$method = $all_opt['method'];
// method: defaults to GET when absent; only the exact strings 'GET' and 'POST'
// are accepted (the comparison is case-sensitive), anything else shows the usage text.
if (!$method) {
    $method = 'GET';
} elseif ($method == 'POST') {
    // accepted as-is
} elseif ($method == 'GET') {
    // accepted as-is
} else {
    $usage();
}

// From here on, check whether the URL carries any query parameters.
// Requests without a query string are skipped, because there is nothing that could be injectable.
// NOTE(review): parse_url() returns false for seriously malformed URLs, and
// array_key_exists() on a non-array throws a TypeError on PHP 8 — confirm the URL is validated earlier.
$parse_url_result = parse_url($all_opt['url']);
$exist_query_string = array_key_exists('query', $parse_url_result);
// A POST with neither a body nor a query string has no parameter to test.
if ($method == 'POST' && !$all_opt['post_data'] && !$exist_query_string) {
    die('None param for detecting');
// (the listing is cut off here; the rest of this block is not visible)
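<?php
// Result checker: reads the task ids stored in record.txt and asks the sqlmap
// API, through SqlMapClient, whether each finished task returned any data.
// Each record line is expected to look like "<url>\t<label>:<task id>".

define('ROOT', dirname(__FILE__));
require ROOT . '/lib/sqlmap_client.class.php';

// config.ini supplies the sqlmap API host, port and admin token.
// NOTE(review): the admin token is a credential; keep config.ini out of version
// control and readable only by the operator.
$all_config = parse_ini_file(ROOT . '/config.ini', true);
if ($all_config === false
    || !isset($all_config['SqlMapApi']['host'], $all_config['SqlMapApi']['port'], $all_config['SqlMapApi']['admin_token'])
) {
    // Stop early instead of building the client from missing settings.
    echo "Cannot read the [SqlMapApi] settings from config.ini\n";
    exit(1);
}

$sql_map_client = new SqlMapClient(
    $all_config['SqlMapApi']['host'],
    $all_config['SqlMapApi']['port'],
    $all_config['SqlMapApi']['admin_token']
);

// Fetch every recorded task id and check its result.
$record_file = ROOT . '/record.txt';
$all_line = file($record_file, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);
if ($all_line === false) {
    echo "Cannot read " . $record_file . "\n";
    exit(1);
}

foreach ($all_line as $line) {
    // Drop a stray carriage return so CRLF files do not corrupt the task id.
    $fields = explode("\t", rtrim($line, "\r"));
    if (count($fields) < 2) {
        // Malformed line (no tab separator): nothing to look up.
        continue;
    }
    list($url, $task_field) = $fields;

    // Records for this host are deliberately ignored.
    if (strpos($url, 't.sinajs.cn') !== false) {
        continue;
    }

    // The id is the part after the first colon of the second column.
    $task_parts = explode(':', $task_field);
    if (count($task_parts) < 2 || $task_parts[1] === '') {
        continue;
    }
    $id = $task_parts[1];
    // NOTE(review): $id comes from a file and is handed to the API client
    // unchanged; if SqlMapClient places it in a request path, validate its
    // format first — confirm against the client implementation.

    $status = $sql_map_client->status_task($id);
    // Only tasks that have finished can have a final result; a failed status
    // call (no 'status' key) is treated as "not finished".
    if (!isset($status['status']) || $status['status'] !== 'terminated') {
        continue;
    }

    $data = $sql_map_client->data_task($id);
    if (!empty($data['data'])) {
        printf("%s, taskid:%s is injectable!\n", $url, $id);
    }
}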