go-sqlmap

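Introduction

  • Treat this project as a small toy for learning SQL injection; it has little practical value
  • sqlmap: the legendary tool of the penetration testing world; this is a simple sqlmap
  • Reasons for rewriting it in Golang: efficiency, it builds to an executable that runs directly, no environment setup is needed, etc.
  • Tested successfully against some sqli-lab levels
  • Currently only GET requests and MySQL databases are supported; Union injection, error-based injection and boolean blind injection are supported
  • The part that detects whether SQL injection exists is inaccurate; I hope an expert can help improve it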

Introduce

  • sqlmap is a famous tool in the penetration testing field, and this is a simple sqlmap
  • The reasons for rewriting it in Golang are: high efficiency, generating executable files that run directly, etc.
  • At present, the first eight levels of sqli-labs (https://github.com/Audi-1/sqli-labs) can be injected successfully
  • Union select injection, updatexml and polygon error-based injection, and boolean blind injection are currently supported

Instructions

  • Use -u http://xxx/index.php?id=1 to run injection (by default, the version and all database names are probed)
  • Use -D security to specify the database for injection and obtain all its tables (such as the security database)
  • Use -D security -T users to specify database and table names and get all field names (such as the users table of the security database)
  • Use -D security -T users -C id,username,password to get all the data of the three fields in the users table
  • Use --technique U to specify union select injection (sqli-labs 1,2,3,4)
  • Use --technique E to specify error based injection (sqli-labs 5,6)
  • Use --technique B to specify bool blind injection (sqli-labs 8)
  • Use the --beta parameter to activate the polygon error function (updatexml is used by default because it is more stable)
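
For anyone reviewing web logs, the U and E techniques listed above leave recognisable keywords in the decoded query string. The following is an added example, not part of go-sqlmap: it classifies constructed access-log lines, and the log format, the sample requests and the names markers, rawQuery, sampleLog and Classify are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
)

// Markers for two techniques the README names: U (union select) and E
// (updatexml / polygon). Boolean blind (B) has no fixed keyword; not covered.
var markers = map[string]*regexp.Regexp{
	"U": regexp.MustCompile(`(?i)\bunion\s+(all\s+)?select\b`),
	"E": regexp.MustCompile(`(?i)\b(updatexml|polygon)\s*\(`),
}

// rawQuery captures the query string of the quoted request line.
var rawQuery = regexp.MustCompile(`"[A-Z]+ [^ ?]*\?(\S*) HTTP/`)

// Constructed access-log lines (combined log format), not real traffic.
var sampleLog = []string{
	`192.0.2.7 - - [03/Jun/2021:10:00:01 +0000] "GET /Less-1/?id=1 HTTP/1.1" 200 731`,
	`192.0.2.9 - - [03/Jun/2021:10:00:02 +0000] "GET /Less-1/?id=1%27%20UNION%20SELECT%201%2C2%2C3 HTTP/1.1" 200 744`,
	`192.0.2.9 - - [03/Jun/2021:10:00:03 +0000] "GET /Less-5/?id=1%27+and+updatexml(1%2C1%2C1) HTTP/1.1" 200 702`,
	`192.0.2.9 - - [03/Jun/2021:10:00:04 +0000] "GET /Less-5/?id=Polygon%28id%29 HTTP/1.1" 200 702`,
	`192.0.2.7 - - [03/Jun/2021:10:00:05 +0000] "GET /search?q=student+union+events HTTP/1.1" 200 120`,
}

// Classify returns "U" or "E" if the decoded query carries that marker, else "".
func Classify(line string) string {
	m := rawQuery.FindStringSubmatch(line)
	if m == nil {
		return "" // no request line with a query string
	}
	q, err := url.QueryUnescape(m[1]) // decodes %XX and '+'
	if err != nil {
		return ""
	}
	for _, tech := range []string{"U", "E"} {
		if markers[tech].MatchString(q) {
			return tech
		}
	}
	return ""
}

func main() {
	for _, line := range sampleLog {
		fmt.Printf("[%1s] %s\n", Classify(line), line)
	}
}
```

Keyword matching of this kind only flags requests for review; ordinary text containing the same words will also match, and boolean blind probing needs rate or response-pattern analysis instead.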

Images

  • Union Select Injection

  • Error Based Injection

  • Bool Blind Injection

Quick Start

Download

go-sqlmap.exe -u http://sqlilab-ip/Less-1/?id=1 -D security -T users -C id,username,password --technique U

API

  • import
go get github.com/EmYiQing/go-sqlmap

or

go get github.com/EmYiQing/go-sqlmap@v0.1.0
  • code
package main

import (
	sqlmap "github.com/EmYiQing/go-sqlmap/api"
	"github.com/EmYiQing/go-sqlmap/input"
)

func main() {
	opts := input.Input{
		Beta:      false,
		Url:       "http://192.168.222.129:81/Less-1/?id=1",
		Database:  "security",
		Table:     "users",
		Columns:   []string{"id", "username", "password"},
		Technique: []string{"U"},
		Param:     "id",
	}
	instance := sqlmap.NewScanner(opts)
	instance.Run()
}