Question

Testing for SQL injection manually isn’t scalable. I recommend using tools to help you automate the entire process described in this chapter, from SQL injection discovery to exploitation. For example, sqlmap ( http://sqlmap.org/ ) is a tool written in Python that automates the process of detecting and exploiting SQL injection vulnerabilities. A full tutorial of sqlmap is beyond the scope of this book, but you can find its documentation at https://github.com/sqlmapproject/sqlmap/wiki/ .

手动测试 SQL 注入不具可伸缩性。我建议使用工具来协助您自动化本章所描述的整个过程，从 SQL 注入发现到利用。例如，sqlmap（http://sqlmap.org/）是一种用 Python 编写的工具，可自动化检测和利用 SQL 注入漏洞。sqlmap 的完整教程超出了本书的范围，但您可以在 https://github.com/sqlmapproject/sqlmap/wiki/ 找到它的文档。

Before diving into automating your attacks with sqlmap, make sure you understand each of its techniques so you can optimize your attacks. Most of the techniques it uses are covered in this chapter. You can either use sqlmap as a standalone tool or integrate it with the testing proxy you’re using. For example, you can integrate sqlmap into Burp by installing the SQLiPy Burp plug-in.

在使用 sqlmap 自动化攻击之前，请确保您了解每个技巧，以便优化您的攻击。大多数它使用的技术都在本章中涵盖。您可以使用 sqlmap 作为独立工具，也可以将其与您正在使用的测试代理集成。例如，您可以通过安装 SQLiPy Burp 插件将 sqlmap 集成到 Burp 中。