SQLiX Build Notes
Published: 2019-05-26

Making OWASP SQLiX module

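Contents

· Get the source for OWASP SQLiX

· Create the needed directories in fakeroot

· Create and put the module's files into the fakeroot directory

· Generate the .lzm module

· Add the modules to the ISO build directory

· Test the new module

· Cleanup and archive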

Get the source for OWASP SQLiX

Go to the OWASP SQLiX website and navigate to the . In the downloads section, you'll see two links to download the source. Only one of those worked for me - the one . Grab the latest version, which is SQLiX_v1.0.tar.tar at the time of this writing. BTW, the file extension is wrong: it should be a tar.gz file, not a tar.tar.

(Translator's note: neither link responded for me. I searched Google for the archive's name and found a backup copy on a server; I don't know whether the Great Firewall was the cause. I also did not see the extension problem when I downloaded it: the file was already named .tar.gz. I don't know whether the project corrected it or whether the person who uploaded it to that server did.)

Go ahead and extract the download into the working/temp directory:

 $ cp /home/mtesauro/owasp-live-cd/tools-in-SoC-release/SQLiX_v1.0.tar.tar temp/

 $ file temp/SQLiX_v1.0.tar.tar

temp/SQLiX_v1.0.tar.tar: gzip compressed data, from Unix, last modified: Thu Aug 17 08:06:20 2006

 $ mv temp/SQLiX_v1.0.tar.tar temp/SQLiX_v1.0.tar.gz

 $ cd temp/

 $ tar -xzvf SQLiX_v1.0.tar.gz

 $ cd ../

Create the needed directories in fakeroot

Eventually, we'll use dir2lzm to make the module, so let's get the directories created that we need:

 $ mkdir -p ./fakeroot/opt/owasp/

 $ mkdir -p ./fakeroot/usr/bin

 $ mkdir -p ./fakeroot/usr/share/applications

 $ mkdir -p ./fakeroot/usr/share/pixmaps

Create and put the module's files into the fakeroot directory

Since we are getting an interpreted source, let's get the Perl source where it needs to go.

 $ mv temp/SQLiX_v1.0 fakeroot/opt/owasp/

 $ mv fakeroot/opt/owasp/SQLiX_v1.0/ fakeroot/opt/owasp/sqlix

Next, we'll need a script to start SQLiX in fakeroot/usr/bin. This one is very easy:

 $ vi fakeroot/usr/bin/sqlix

   [create script]

 $ cat fakeroot/usr/bin/sqlix

#!/bin/sh

cd /opt/owasp/sqlix/

perl SQLiX.pl "$@"

Because SQLiX is a command line tool, we're going to create a startup script to be used by the menu item below.

 $ vi fakeroot/usr/bin/startup-sqlix

   [create script]

 $ cat fakeroot/usr/bin/startup-sqlix

#!/bin/sh

echo " "

echo " "

echo "     OWASP SQLiX - SQL Injection Scanner"

echo "       (part of the OWASP Live CD 2008)"

echo " "

echo "======================================================"

echo "                    -- SQLiX --"

echo "  ©Copyright 2006 Cedric COCHIN, All Rights Reserved."

echo "======================================================"

echo " "

echo "  **Type 'sqlix --help' for command-line options **"

echo " "

echo "** Maximize the window to aid reading the help output **"

echo " "

Creating SQLiX's menu file is a bit more complicated since it opens in a terminal. Use a text editor and create the file sqlix.desktop:

 $ vi fakeroot/usr/share/applications/sqlix.desktop

   [create the file]

 $ cat fakeroot/usr/share/applications/sqlix.desktop

[Desktop Entry]

Categories=Application;Network;

Comment=

Encoding=UTF-8

Exec[$e]=startup-sqlix; bash

GenericName=SQLiX

Icon=/usr/share/pixmaps/sqlix-icon.png

MimeType=text/html

Name=SQL Injection Scanner

Path[$e]=

StartupNotify=false

Terminal=1

TerminalOptions=-T "SQLiX - SQL Injection Scanner"

Type=Application

X-KDE-StartupNotify=true

X-KDE-SubstituteUID=false

X-KDE-Username=

For the icon, there were no images in the source download. Also, since this is a text-based application, there's nothing to screen capture. I defaulted to an OWASP icon I have, since it's an OWASP tool. I then moved that into fakeroot.

 $ cp temp/owasp-icon.png fakeroot/usr/share/pixmaps/sqlix-icon.png

SQLiX requires Perl. Fortunately for me, Perl is already part of SLAX. Unfortunately for me, there are few to no Perl modules on the disk - certainly not the ones needed for SQLiX. Also unfortunately, I didn't find this out until after I installed the first, non-working version of this module. I had to add those Perl modules; here's how I did it:

NOTE: The testing below was done in a Live CD environment after I installed the first version of this module.

 # sqlix

 Can't locate WWW/CheckSite/Spider.pm in @INC (@INC contains: ...[bunch of junk removed]

OK. I'm missing some Perl modules. Time for the CPAN dance:

 # find / > /root/pre-cpan

 # perl -MCPAN -e shell

        [snip]

cpan> install WWW::CheckSite::Spider

        [snip]

Writing Makefile for WWW::CheckSite

---- Unsatisfied dependencies detected during [A/AB/ABELTJE/WWW-CheckSite-0.018.tar.gz] -----

    WWW::Mechanize

    HTML::Template

    WWW::RobotRules

    LWP

        [snip]

Writing Makefile for WWW::Mechanize

---- Unsatisfied dependencies detected during [P/PE/PETDANCE/WWW-Mechanize-1.34.tar.gz] -----

    HTML::Form

    HTML::HeadParser

    HTTP::Status

    HTML::TokeParser

    LWP::UserAgent

    HTML::Parser

    HTTP::Daemon

    HTTP::Request

    LWP

        [snip]

Writing Makefile for LWP

---- Unsatisfied dependencies detected during [G/GA/GAAS/libwww-perl-5.814.tar.gz] -----

    Compress::Zlib

    HTML::Tagset

    HTML::Parser

        [snip]

Writing Makefile for Compress::Zlib

---- Unsatisfied dependencies detected during [P/PM/PMQS/Compress-Zlib-2.012.tar.gz] -----

   IO::Uncompress::Gunzip

   IO::Compress::Gzip

   Compress::Raw::Zlib

   IO::Uncompress::Base

   IO::Compress::Gzip::Constants

   IO::Compress::Base

   IO::Compress::Base::Common

        [snip]

Writing Makefile for IO::Compress::Zlib

---- Unsatisfied dependencies detected during [P/PM/PMQS/IO-Compress-Zlib-2.012.tar.gz] -----

   IO::Uncompress::Base

   IO::Compress::Base

   Compress::Raw::Zlib

        [snip]

 # sqlix

Can't locate HTML/TreeBuilder.pm in @INC (@INC contains: ...[bunch of junk removed]

 # perl -MCPAN -e shell

        [snip]

cpan> install HTML::TreeBuilder

        [snip]

 # sqlix

Can't locate Tie/CharArray.pm in @INC (@INC contains: ...[bunch of junk removed]

        [snip]

# perl -MCPAN -e shell

        [snip]

cpan> install Tie::CharArray

        [snip]

 # sqlix

Can't locate Algorithm/Diff.pm in @INC (@INC contains: ...[bunch of junk removed]

        [snip]

# perl -MCPAN -e shell

        [snip]

cpan> install Algorithm::Diff

        [snip]

 # sqlix

======================================================

                   -- SQLiX --

 © Copyright 2006 Cedric COCHIN, All Rights Reserved.

======================================================

 

Error: you need to specify a target.

Success (finally). Time to figure out what I installed and put it into the SQLiX module:

 # find / > post-cpan

 # diff pre-cpan post-cpan | grep changes > changes-cpan

 # cp changes-cpan script-to-pull-cpan

 # vi script-to-pull-cpan

    [edit this file and change it into a shell script to copy the installed CPAN stuff into a directory]

 # head script-to-pull-cpan

#!/bin/sh

 

mkdir -p /root/fakeroot/usr/bin

cp -a /usr/bin/checksite /root/fakeroot/usr/bin

cp -a /usr/bin/mech-dump /root/fakeroot/usr/bin

cp -a /usr/bin/lwp-mirror /root/fakeroot/usr/bin

cp -a /usr/bin/lwp-download /root/fakeroot/usr/bin

cp -a /usr/bin/lwp-rget /root/fakeroot/usr/bin

cp -a /usr/bin/lwp-request /root/fakeroot/usr/bin

mkdir -p /root/fakeroot/usr/lib/perl5/site_perl/5.8.8

 # chmod u+x script-to-pull-cpan

Before running this script, let's turn the not-quite-working sqlix-1.0.lzm back into a directory structure:

 # mkdir /root/fakeroot

 # lzm2dir sqlix-1.0.lzm fakeroot/

        [snip]

 # ./script-to-pull-cpan

 # dir2lzm fakeroot/ sqlix-1.0.lzm
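
The before/after `find` snapshots used above can also be turned into the copy step mechanically instead of hand-editing the diff output. The following is an added example, not part of the original write-up: `new_paths` and `stage_new_files` are hypothetical helper names, the optional fourth argument (a root prefix) is an assumption so the function can be tried on a scratch tree, and the skipped path patterns are assumptions about what should not go into a module.

```shell
#!/bin/sh
# Added example: stage files that appeared between two `find /` snapshots
# into a fakeroot tree, keeping their original paths.

# new_paths PRE POST: print paths listed in POST but not in PRE.
new_paths() {
    pre_sorted=$(mktemp) || return 1
    post_sorted=$(mktemp) || return 1
    LC_ALL=C sort "$1" > "$pre_sorted"
    LC_ALL=C sort "$2" > "$post_sorted"
    # comm -13 keeps only the lines unique to the second (post) list.
    LC_ALL=C comm -13 "$pre_sorted" "$post_sorted"
    rm -f "$pre_sorted" "$post_sorted"
}

# stage_new_files PRE POST DEST [ROOT]: copy each new regular file or symlink
# to DEST, recreating its directory. ROOT (default: empty, i.e. the live
# filesystem) is the prefix that the snapshot paths are relative to.
stage_new_files() {
    pre=$1 post=$2 dest=$3 root=${4:-}
    new_paths "$pre" "$post" | while IFS= read -r path; do
        # Assumed exclusions: pseudo-filesystems, temp files, CPAN's build cache.
        case $path in
            /proc/*|/sys/*|/dev/*|/tmp/*|*/.cpan/*) continue ;;
        esac
        src=$root$path
        # Directories are recreated on demand, so only files are copied.
        if [ -f "$src" ] || [ -L "$src" ]; then
            mkdir -p "$dest$(dirname "$path")" || exit 1
            cp -a "$src" "$dest$path" || exit 1
        fi
    done
}
```

On the Live CD this would be called as `stage_new_files /root/pre-cpan /root/post-cpan /root/fakeroot`; review the output of `new_paths` first, since the snapshot files themselves also show up as new.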

Note: Since the above CPAN dance was in the Live CD after I had installed the first version of the module, you can skip some of the steps below on your second go-round. Just don't forget to move the new module off the Live CD via USB drive, scp, etc.

Everything is in place to create the modules, a quick final check:

 $ find fakeroot

fakeroot/

fakeroot/opt

fakeroot/opt/owasp

fakeroot/opt/owasp/sqlix

fakeroot/opt/owasp/sqlix/SQLiX.pl

 ...

Generate the .lzm module

This is the easy part.

 $ ./dir2lzm ./fakeroot sqlix-1.0.lzm

Add the modules to the ISO build directory

Also a piece of cake:

 $ cp -i sqlix-1.0.lzm ../contents/slax/base/

 $ chmod 775 ../contents/slax/base/sqlix-1.0.lzm

Test the new module

I like scp'ing the new modules into a running Live CD and using the Module Manager to add the module to the running system. I typically have the Live CD running in a VM while I create modules, so it's already up and ready.

You can also gen a new ISO and run it in a VM of your choice.

 $ cd ../contents/slax/

 $ ./make_iso.sh /home/mtesauro/isos/new-owasp.iso

If anything doesn't work as expected, make the changes needed to ./fakeroot and try again.

Cleanup and archive

Once you've got a working module, let's clean up a bit.

 $ mkdir ./completed_modules/sqlix

 $ mv sqlix-1.0.lzm ./completed_modules/sqlix/

 $ mv temp/SQLiX_v1.0.tar.gz ./completed_modules/sqlix/

 $ rm -rf ./temp/*

I usually delete anything under ./fakeroot also.

 $ rm -rf ./fakeroot/*

Reposted from: http://biqai.baihongyu.com/
