Home ▼ Bookkeeping
Online ▼ Security
Audits ▼
Managed
DNS ▼
About
Order
FAQ
Acceptable Use Policy
Dynamic DNS Clients
Configure Domains Dyanmic DNS Update Password Network
Monitor ▼
Enterprise Package
Advanced Package
Standard Package
Free Trial
FAQ
Price/Feature Summary
Order/Renew
Examples
Configure/Status Alert Profiles | |||
Test ID: | 1.3.6.1.4.1.25623.1.0.104126 |
Category: | Nmap NSE net |
Title: | Nmap NSE net: sql-injection |
Summary: | Spiders an HTTP server looking for URLs containing queries vulnerable to an SQL injection attack.;;The script spiders an HTTP server looking for URLs containing queries. It then proceeds to combine;crafted SQL commands with susceptible URLs in order to obtain errors. The errors are analysed to see;if the URL is vulnerable to attack. This uses the most basic form of SQL injection but anything more;complicated is better suited to a standalone tool. Both meta-style and HTTP redirects are supported.;;We may not have access to the target web server's true hostname, which can prevent access to;virtually hosted sites. This script only follows absolute links when the host name component is the;same as the target server's reverse-DNS name.;;SYNTAX:;;http.pipeline: If set, it represents the number of HTTP requests that'll be;pipelined (ie, sent in a single request). This can be set low to make;debugging easier, or it can be set high to test how a server reacts (its;chosen max is ignored).;;sql-injection.start: The path at which to start spidering, default '/'.;;http-max-cache-size: The maximum memory size (in bytes) of the cache.;;sql-injection.maxdepth: The maximum depth to spider, default 10. |
Description: | Summary: Spiders an HTTP server looking for URLs containing queries vulnerable to an SQL injection attack. The script spiders an HTTP server looking for URLs containing queries. It then proceeds to combine crafted SQL commands with susceptible URLs in order to obtain errors. The errors are analysed to see if the URL is vulnerable to attack. This uses the most basic form of SQL injection but anything more complicated is better suited to a standalone tool. Both meta-style and HTTP redirects are supported. We may not have access to the target web server's true hostname, which can prevent access to virtually hosted sites. This script only follows absolute links when the host name component is the same as the target server's reverse-DNS name. SYNTAX: http.pipeline: If set, it represents the number of HTTP requests that'll be pipelined (ie, sent in a single request). This can be set low to make debugging easier, or it can be set high to test how a server reacts (its chosen max is ignored). sql-injection.start: The path at which to start spidering, default '/'. http-max-cache-size: The maximum memory size (in bytes) of the cache. sql-injection.maxdepth: The maximum depth to spider, default 10. CVSS Score: 7.5 CVSS Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P |
Copyright | Copyright (C) 2011 NSE-Script: The Nmap Security Scanner; NASL-Wrapper: Greenbone Networks GmbH |
This is only one of 99761 vulnerability tests in our test suite. Find out more about running a complete security audit. To run a free test of this vulnerability against your system, register below. |