w3af扫描DVWA中sql漏洞

使用burp拦截请求，删除请求中

GET /dvwa/vulnerabilities/fi/?page=include.php HTTP/1.1
Host: 192.168.59.142

root@kali:~# cat w3af.txt
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20140722 Firefox/24.0 Iceweasel/24.7.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.59.142/dvwa/vulnerabilities/sqli/?id=12345&Submit=Submit
Cookie: security= low; PHPSESSID=2efb28ea69e34344dd07fb72d06684bd
Connection: keep-alive

root@kali:~# w3af_console
w3af>>> plugins
w3af/plugins>>> output console
w3af/plugins>>>  audit sqli
w3af/plugins>>> back
w3af>>> http-settings
w3af/config:http-settings>>> set headers_file /root/w3af.txt
w3af/config:http-settings>>> set proxy_address 127.0.0.1
w3af/config:http-settings>>> back
The configuration has been saved.
w3af>>> target
w3af/config:target>>> set target 192.168.59.142/dvwa/vulnerabilities/sqli/?id=23456&Submit=Submit
w3af/config:target>>> back
The configuration has been saved.
w3af>>> start
A SQL error was found in the response supplied by the web application, the error is (only a fragment is shown): "You have an error in your SQL syntax;". The error was found on response with id 36.
A SQL error was found in the response supplied by the web application, the error is (only a fragment is shown): "MySQL server version for the right syntax to use". The error was found on response with id 36.
A SQL error was found in the response supplied by the web application, the error is (only a fragment is shown): "You have an error in your SQL syntax;". The error was found on response with id 35.
A SQL error was found in the response supplied by the web application, the error is (only a fragment is shown): "MySQL server version for the right syntax to use". The error was found on response with id 35.
SQL injection in a MySQL database was found at: "http://192.168.59.142/dvwa/vulnerabilities/sqli/", using HTTP method GET. The sent data was: "id=a'b"c'd"&Submit=Submit". This vulnerability was found in the request with id 36.
SQL injection in a MySQL database was found at: "http://192.168.59.142/dvwa/vulnerabilities/sqli/", using HTTP method GET. The sent data was: "id=a%27b%22c%27d%22&Submit=Submit". The modified parameter was "id". This vulnerability was found in the request with id 35.
Scan finished in 17 seconds.
Stopping the core...
w3af>>>

从burp拦截的流量中查看w3af发送的各种请求