From a00b104f4392eba4ac00238dc5725dbd02721b28 Mon Sep 17 00:00:00 2001 From: perdo Date: Sat, 30 Jun 2012 12:30:41 +0000 Subject: [PATCH] Modified http-sql-injection to load the error strings to search for from a file. --- scripts/http-sql-injection.nse | 59 ++++++++++++++++++++++++++-------- 1 file changed, 45 insertions(+), 14 deletions(-) diff --git a/scripts/http-sql-injection.nse b/scripts/http-sql-injection.nse index f2153ae55..27f15f474 100644 --- a/scripts/http-sql-injection.nse +++ b/scripts/http-sql-injection.nse @@ -1,5 +1,6 @@ local http = require "http" local httpspider = require "httpspider" +local nmap = require "nmap" local shortport = require "shortport" local stdnse = require "stdnse" local string = require "string" @@ -27,15 +28,21 @@ license = "Same as Nmap--See http://nmap.org/book/man-legal.html" categories = {"intrusive", "vuln"} --- --- @args sql-injection.maxpagecount the maximum amount of pages to visit. +-- @args http-sql-injection.maxpagecount the maximum amount of pages to visit. -- A negative value disables the limit (default: 20) --- @args sql-injection.url the url to start spidering. This is a URL +-- @args http-sql-injection.url the url to start spidering. This is a URL -- relative to the scanned host eg. /default.html (default: /) --- @args sql-injection.withinhost only spider URLs within the same host. +-- @args http-sql-injection.withinhost only spider URLs within the same host. -- (default: true) --- @args sql-injection.withindomain only spider URLs within the same +-- @args http-sql-injection.withindomain only spider URLs within the same -- domain. This widens the scope from withinhost and can -- not be used in combination. (default: false) +-- @args http-sql-injection.errorstrings a path to a file containing the error +-- strings to search for (one per line, lines started with # are treated as +-- comments). The default file is nselib/data/http-sql-errors.lst +-- which was taken from fuzzdb project, for more info, see http://code.google.com/p/fuzzdb/. +-- If someone detects some strings in that file causing a lot of false positives, +-- then please report them to nmap-dev@insecure.org. -- -- @output -- PORT STATE SERVICE @@ -58,17 +65,24 @@ Pattern match response from a submitted injection query to see if it is vulnerable --]] +local errorstrings = {} local function check_injection_response(response) - + local body = string.lower(response.body) - + if not (response.status == 200 or response.status ~= 500) then return false end - - return (string.find(body, "invalid query") or - string.find(body, "sql syntax") or - string.find(body, "odbc drivers error")) + + if errorstrings then + for _,e in ipairs(errorstrings) do + if string.find(body, e) then + stdnse.print_debug(2, "%s: error string matched: %s", SCRIPT_NAME, e) + return true + end + end + end + return false end --[[ @@ -191,14 +205,31 @@ local function check_form(form, host, port, path) return vulnerable_fields end +-- load error strings to the errorstrings table +local function get_error_strings(path) + local f = nmap.fetchfile(path) + if f then + for e in io.lines(f) do + if not string.match(e, "^#") then + table.insert(errorstrings, e:lower()) + end + end + end + -- check if we loaded something + if #errorstrings == 0 then + -- if not, then load some default values + errorstrings = {"invalid query", "sql syntax", "odbc drivers error"} + end +end action = function(host, port) - + local error_strings_path = stdnse.get_script_args('http-sql-injection.errorstrings') or 'nselib/data/http-sql-errors.lst' + get_error_strings(error_strings_path) -- crawl to find injectable urls local crawler = httpspider.Crawler:new(host, port, nil, {scriptname = SCRIPT_NAME}) local injectable = {} local results_forms = {name="Possible sqli for forms:"} - + while(true) do local status, r = crawler:crawl() if (not(status)) then @@ -208,7 +239,7 @@ action = function(host, port) break end end - + -- first we try sqli on forms if r.response and r.response.body and r.response.status==200 then local all_forms = http.grab_forms(r.response.body) @@ -232,7 +263,7 @@ action = function(host, port) end end end - + -- try to inject local results_queries = {} if #injectable > 0 then