Wednesday 20 March 2013

[EN] Modules in your own webscanner - SQL injection module

Here I will present a simple idea of how to get to know if your site is vulnerable to SQL Injection.

This code is working on POST requests (idea is grabbed from XSS-ver-POST module).

Code was released because durning few tests I found an 0day vulnerability (sql injection) in one of Joomla's modules (I won't tell you which one was that ;) try it at your own!)

Code is here:

#!/usr/bin/env python
# try_POST_sqli.py
#
# first we will GET argv[1]/page.argv[2] to read it
# and find out what names/inputs/submits/etc... there are.
# next we will POST those param-names separetly with 'payload'.
#
# enjoy.

import urllib
import urllib2
import re
import sys
import httplib

host = sys.argv[1]
path_file = sys.argv[2]
url = host+':80'

url_file = url+path_file

payload = '\';]SQLI?^&*(O:UI:Y@:>T^#/**'

print 'Target: ',host
print 'Vuln file: ',path_file
print 'Full URL to attack:' ,url_file
print

# first we must GET page, to read whole text to find
# if there is any of our 'vulnerable' (to test) string.
get_connect = urllib.urlopen('http://'+url_file)
get_response = get_connect.read()
status = get_connect.getcode()

print 'Status of requested page: ',status


# what we're looking for:
#results = re.findall("<(input|textarea|select).+?name=['\"].(.+?)['\"].*?>",get_response)
results = re.findall(" name=\"([^\"]+)\"",get_response)

#############################################################
# hm ;] one idea to test right now. ;D
poc = open('log_file_with_sql_output.txt','w')

#############################################################

# func to send POST to target url+found parameter
def do_post_now(url):
  params = urllib.urlencode ( { results[i] : payload } )
  headers = {'Content-type':'application/x-www-form-urlencoded','Accept':'text/plain'}
  connect = httplib.HTTPConnection(url)
  connect.request('POST', path_file, params, headers)
  response = connect.getresponse()
  print response.status, response.reason # 200 OK?
  data = response.read()
  connect.close() # end of test this parameter at this URL
  y=0
  line = data.find('MySQL')
  if line != -1:
    print '\t[+- (  POST SQLI alert!  ) -+]'
    print '\t [+] Found sqli in line:' ,line
    print data[y]
    print poc.writelines(data)
    #poc.close() # write&save simple p0c file. ;7
    y=y+1
   
# end of do_post_now(url)
# ---

# MAIN:
if len(sys.argv) < 2:
  sys.stderr.write('usage: '+sys.argv[0]+' localhost /path/2file.php')
  sys.exit(1)
else:

  # if result found:
  if (len(results)>0):
    print '-------------------------------------------------------------'
    print 'Got some results :) Now we can try to exploit parameters.\n'

    i = 0 # next in list
    while i < len(results):
      print 'Found param called: ',results[i] 
   
      print 'Do POST now, for URL: ', url, ' with param: ', results[i]
      do_post_now(url)
      # end of this POST for this parameter

    # and next line:
      i=i+1
    # end of while i loop


You can also find this code at pastebin.

Let me know if you have any questions. ;)

Cheers o/

No comments:

Post a Comment

What do You think...?