Penetration Testing mailing list archives

Re: Scanning for SQL Injection


From: "rajat swarup" <rajats () gmail com>
Date: Thu, 28 Jun 2007 21:27:02 -0400

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On
Behalf Of Ron Johnson - Adhost
Sent: Thursday, June 28, 2007 11:07 PM
To: pen-test () securityfocus com
Cc: listbounce () securityfocus com
Subject: Scanning for SQL Injection

Hi. I need to scan about 350+ sites from three different web servers that
all connect to one MS SQL server for SQL injection. Any ideas on how to make
this not take a long long time?

I like the Priamos tool but you can only scan one site at a time, and you
can't load a list of any sort, etc.

Any input is appreciated.

Hi,
Paros spider + scanner should be able to do stuff without much
intervention.  However, Paros will need a starting seed URL list.  I'd
suggest writing a script with curl that loops through all the sites
using Paros as a local proxy.  This would give the seeds to Paros.
Once that is done, spider all URLs and then scan them.

HTH,
Rajat Swarup.

http://rajatswarup.blogspot.com/
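The curl seeding loop described in the reply above, written out as an added example (not code from the thread, from Paros, or from either poster). It assumes the proxy listens on 127.0.0.1:8080 and that the site list has one hostname or URL per line; the short sample list at the bottom is constructed to stand in for the 350+ vhosts in the question. Each request is sent through the proxy so the proxy's site tree ends up holding one starting URL per host, after which the spider and scanner can be run from the proxy's own UI.

```shell
#!/bin/sh
# Added example (not from the original thread): push one request per site
# through a local intercepting proxy such as Paros so its spider has a seed
# URL for every vhost before the scan starts.
# Assumptions not stated in the thread: proxy on 127.0.0.1:8080, and a site
# list with one hostname or URL per line.

PROXY="${PROXY:-http://127.0.0.1:8080}"

# normalize_url: a bare hostname becomes http://host/; full URLs pass through.
normalize_url() {
    case "$1" in
        http://*|https://*) printf '%s\n' "$1" ;;
        *)                  printf 'http://%s/\n' "$1" ;;
    esac
}

# seed_one: fetch one URL via the proxy.  -x routes through the proxy, -L
# follows redirects so the real landing page (not just a 301) lands in the
# proxy's site tree, --max-time bounds a hung host, -k tolerates self-signed
# certs on HTTPS vhosts, -w prints "status url" so dead hosts are visible.
# With DRY_RUN=1 the curl command line is printed instead of executed.
seed_one() {
    url=$(normalize_url "$1")
    set -- curl -s -L -k --max-time 20 -x "$PROXY" -o /dev/null \
           -w "%{http_code} $url\n" "$url"
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# seed_list: read sites from stdin, skipping blank lines and # comments.
# Usage against a real list:  seed_list < sites.txt
seed_list() {
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac
        seed_one "$line"
    done
}

# Constructed sample list standing in for the 350+ vhosts in the question.
SAMPLE_SITES='# one site per line
www.example.com
https://shop.example.net/catalog/
intranet.example.org
'

# ./seed.sh --demo prints the three curl commands without contacting anything.
if [ "${1:-}" = "--demo" ]; then
    printf '%s' "$SAMPLE_SITES" | DRY_RUN=1 seed_list
fi
```

Run it once with `--demo` to check the generated commands, then `seed_list < sites.txt` with the real list while the proxy is up. Because every site is recorded in the proxy's site tree, the spider can then walk all of them in one pass instead of one site at a time; if the proxy does not honour the `-k` route for HTTPS hosts, drop that flag and trust the proxy's own certificate handling.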
