sqlmap

package
v0.2.6 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Jun 4, 2023 License: AGPL-3.0 Imports: 17 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

View Source 
var (
	SimilarityRatio = 0.9  // 页面相似度
	UpperRatioBound = 0.98 // 上边界
	LowerRatioBound = 0.02 // 下边界

	DiffTolerance = 0.05 // 容差

	// MaxDifflibSequenceLength 用于检测页面相似度的最大长度
	MaxDifflibSequenceLength = 10 * 1024 * 1024

	CloseType = map[int]string{0: `'`, 1: `"`, 2: ``, 3: `')`, 4: `")`}

	// FormatExceptionStrings 用于检测格式错误的字符串
	FormatExceptionStrings = []string{
		"Type mismatch", "Error converting", "Please enter a", "Conversion failed",
		"String or binary data would be truncated", "Failed to convert", "unable to interpret text value",
		"Input string was not in a correct format", "System.FormatException", "java.lang.NumberFormatException",
		"ValueError: invalid literal", "TypeMismatchException", "CF_SQL_INTEGER", "CF_SQL_NUMERIC",
		"for CFSQLTYPE ", "cfqueryparam cfsqltype", "InvalidParamTypeException",
		"Invalid parameter type", "Attribute validation error for tag", "is not of type numeric",
		"<cfif Not IsNumeric(", "invalid input syntax for integer", "invalid input syntax for type",
		"invalid number", "character to number conversion error", "unable to interpret text value",
		"String was not recognized as a valid", "Convert.ToInt", "cannot be converted to a ",
		"InvalidDataException", "Arguments are of the wrong type",
	}

	// DummyNonSqliCheckAppendix String used for dummy non-SQLi (e.g. XSS) heuristic checks of a tested parameter value
	DummyNonSqliCheckAppendix = "<'\">"

	//FiErrorRegex Regular expression used for recognition of file inclusion errors
	FiErrorRegex = `(?i)[^\n]{0,100}(no such file|failed (to )?open)[^\n]{0,100}`

	// DbmsErrors 用于报错检查的字典
	DbmsErrors = map[string][]string{}
)

Functions

func Scan 

func Scan(c *input.CrawlResult)

Types

type Sqlmap 

type Sqlmap struct {
	Method      string
	Url         string
	RequestBody string
	Headers     map[string]string
	ContentType string
	Variations  *httpx.Variations

	OriginalBody    string // 原始请求页面
	TemplateBody    string // 经过处理去除动态部分的模板页面
	TemplateCode    int
	DynamicPara     []string          // 动态参数
	DynamicMarkings map[string]string // 动态标记内容
	DBMS            string            // 数据库类型
}

func (*Sqlmap) HeuristicCheckSqlInjection 

func (sql *Sqlmap) HeuristicCheckSqlInjection()

HeuristicCheckSqlInjection 启发式检测 sql 注入, 先过滤出有效参数,即不存在转型的参数, 之后在进行闭合检测

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.