IT Security and Insecurity Portal

PHP Sql Injection Scanner Plan

Posted: Wed Apr 06, 2005 1:13 pm

murdock
Advanced user
Joined: Mar 16, 2005
Posts: 54

I'm planning to make a PHP SQL injection scanner.
First, it will simply search recursively all the php pages linked on a specified host, then it will catch all the variables that every php page uses, and finally it will test SQL injections in all variables of all php pages found, examining the response page to check if it worked.
I don't know what language to use. I need a nice GUI because I want to make a nice listing of the php pages and variables found. Maybe I should use VisualBasic? (yes, I know it sucks, but it is so simple making a dumb program with a nice GUI!), Delphi? (the same advantages but less lame), a portable language?
What do you think, guys? Nice idea? Lame idea? Already made? Thanks.
Any help on the project will be welcome!
Salut!

Posted: Wed Apr 06, 2005 1:18 pm

murdock
Advanced user
Joined: Mar 16, 2005
Posts: 54

Ooops! I think that the PhpBB subforum is not the place for my topic; can it be moved?
Sorry!

Posted: Wed Apr 06, 2005 2:23 pm

waraxe
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu

Your idea is great, in my opinion. There are some SQL injection automation tools already developed out in the wild, some of them as freeware and some as a component of a high-priced pentest package. But this field is not yet fully covered, so go on and give it a try.
By the way, I am currently developing a tool called SqlAxe - it is not a scanner, but an exploiter. I mean, it will suppose that the pentester has already found an SQL injection case and now wants to get the maximum information from that security hole. So SqlAxe will try to enumerate databases/tables/fields; in the case of M$Sql it will try to get access to a shell, etc...

Posted: Wed Apr 06, 2005 3:11 pm

y3dips
Valuable expert
Joined: Feb 25, 2005
Posts: 281
Location: Indonesia

Have you read a paper from the Black Hat conference in the USA in 2004?
There was one speaker, "Cameron Hotchkies" from 0x90.org, who presented a paper with the title "Blind SQL injection automation techniques" and also included the tools.
Maybe you could refer to that.

_________________ IO::y3dips->new(http://clog.ammar.web.id);

Posted: Wed Apr 06, 2005 3:16 pm

y3dips
Valuable expert
Joined: Feb 25, 2005
Posts: 281
Location: Indonesia

Sorry, I forgot:
for doing some scanning of whole sites, I think you can look at the httrack (httrack.com) script (because I'm learning it too for my project).
*FYI: httrack is a web mirroring program.
Maybe it is useful for you too.
If your project works perfectly, maybe I can request some help from you, to combine it with my "wxf" project.

Posted: Wed Apr 06, 2005 3:40 pm

LINUX
Moderator
Joined: May 24, 2004
Posts: 404
Location: Caiman

Excellent project. There exists one scanner developed by TCPTEAM that is very good;
this scanner is fast but needs more options.
Good idea, murdock.

Posted: Wed Apr 06, 2005 5:40 pm

murdock
Advanced user
Joined: Mar 16, 2005
Posts: 54

Ok!
I'm already working on it.
I finally use VisualBasic because I saw an ActiveX control called "msinet.ocx" that is very simple to use for grabbing the source code from a specific server, and good news: it has PROXY SUPPORT!
So a big lazy part is already done!
I'll explain how it works; alert me if there's an error in the "planning" (the way it works), please!
It's a recursive algorithm. The first "current page" is the one the user entered in the input box as the target:
1- Grabs the HTML code of the "current" page.
2- Parses the code to extract all local links (php pages, html, etc., like a "Web Spider/Crawler") and saves all the links in a list (both php and html, to check recursively for more links). If the link points to a php page (with variables or not) it will save in a "special list" the page with its variables.
3- Loads the next page in the links list to check it recursively.
After the algorithm finishes, we have a list with all php pages and their detected variables.
Now it's time to "check" all the php pages and all the variables of each one.
Sample:
If we detected the page:
"/info.php?name=Me&age=20&op=all"
It will try:
"/info.php?name=[SQL Injection]&age=20&op=all"
"/info.php?name=Me&age=[SQL Injection]&op=all"
"/info.php?name=Me&age=20&op=[SQL Injection]"
We "analyze" the returned code to see if the injection worked.
What do you think, guys?
Just a question: What can I use as "[SQL Injection]"? Any recommendation?
Thanks!
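As an added illustration of step 2 of the plan above (example code written for this page, not murdock's program or part of the original post): a Python parser that, given the HTML of one crawled page and its URL, returns the same-host links to queue for the recursive crawl and the "special list" of php pages with their variable names. The sample HTML, host names and paths are constructed for the example.

```python
# Added example, not murdock's code: step 2 of the plan above for one crawled page.
# The sample HTML and host names below are constructed for this example.
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse, parse_qs, urlunparse


class LinkCollector(HTMLParser):
    """Collects link targets from anchors, forms and (i)frames."""
    def __init__(self):
        super().__init__()
        self.targets = []

    def handle_starttag(self, tag, attrs):
        wanted = {"a": "href", "form": "action", "frame": "src", "iframe": "src"}
        for name, value in attrs:
            if name == wanted.get(tag) and value:
                self.targets.append(value)


def inventory_page(page_url, html):
    """Return (links_to_crawl, php_vars) for one page.
    links_to_crawl: sorted same-host URLs with query and fragment stripped,
    so the recursive crawl fetches each page once.
    php_vars: {php_path: sorted variable names seen in its query strings}.
    """
    base_host = urlparse(page_url).netloc.lower()
    collector = LinkCollector()
    collector.feed(html)  # html.parser unescapes &amp; inside attribute values
    links, php_vars = set(), {}
    for target in collector.targets:
        u = urlparse(urljoin(page_url, target))  # resolve relative links
        # same host and http(s) only: drops mailto:, javascript: and external sites
        if u.scheme not in ("http", "https") or u.netloc.lower() != base_host:
            continue
        links.add(urlunparse((u.scheme, u.netloc, u.path or "/", "", "", "")))
        if u.path.lower().endswith(".php"):
            names = php_vars.setdefault(u.path, set())
            names.update(parse_qs(u.query, keep_blank_values=True))
    return sorted(links), {p: sorted(v) for p, v in php_vars.items()}


SAMPLE_HTML = """<html><body>
<a href="/info.php?name=Me&amp;age=20&amp;op=all">info</a>
<a href="info.php?name=You">same page, relative link</a>
<a href="/about.html">about</a>
<a href="http://other.example/x.php?id=1">external, ignored</a>
<a href="mailto:me@example.com">mail, ignored</a>
<form action="/login.php?next=home"></form>
</body></html>"""

if __name__ == "__main__":
    print(inventory_page("http://target.example/index.php", SAMPLE_HTML))
```

The same parser also serves a defender who wants an inventory of every entry point (page plus parameter names) an application exposes, which is the list to review for parameterised queries.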

Posted: Wed Apr 06, 2005 8:05 pm

devn00b
Regular user
Joined: Feb 20, 2005
Posts: 22

For mysql DBs I find that a simple "show databases;" is a good query to run.

Posted: Wed Apr 06, 2005 9:40 pm

murdock
Advanced user
Joined: Mar 16, 2005
Posts: 54

Hi to all, and thanks for the replies/information!
I searched more about the 0x90.org group and I found an interesting tool named "Absinthe" which looks nice but is not exactly a scanner, and I didn't find the tools that appear in the published papers.
If anyone finds a tool similar to the one I want to make, alert me!
Y3dips: Sure! It will be nice to combine it with your tool!
Waraxe: Maybe combine it with the SqlAxe tool also?
LINUX: Are you talking about rpvs? I tried it; it seems good, but I scanned some sites without success.
Thanks to everybody for the support!
I'm very happy to be part of this forum with such nice people!
P.D. Sorry for my baaaaad English!!!
Murdock

Posted: Wed Apr 06, 2005 9:49 pm

waraxe
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu

devn00b wrote:
    for mysql db's i find that a simple "show databases;" is a good query to run

In the case of mysql/php I can't see any possibility of using a "SHOW" query in an SQL injection exploit. Correct me please, if I am wrong...
You can use UNION and JOIN tricks, and of course subqueries, but subqueries are possible only in mysql version >= 4.1.x and they are not equally powerful compared to mssql, for example...

Posted: Thu Apr 07, 2005 12:43 am

y3dips
Valuable expert
Joined: Feb 25, 2005
Posts: 281
Location: Indonesia

Posted: Fri Apr 08, 2005 12:30 pm

murdock
Advanced user
Joined: Mar 16, 2005
Posts: 54

Httrack... a very, very nice tool.
Thanks y3dips!!!

Posted: Fri Apr 08, 2005 12:42 pm

shai-tan
Valuable expert
Joined: Feb 22, 2005
Posts: 477

Yes, very good idea.
I'll take a look when it's finished.
Very busy...... drinking, smoking, exploiting, programming, eating, being lazy, and

_________________ Shai-tan
“In short: just say NO TO DRUGS, and maybe you won’t end up like the Hurd people.” -- Linus Torvalds

Posted: Fri Apr 08, 2005 12:48 pm

shai-tan
Valuable expert
Joined: Feb 22, 2005
Posts: 477

And what's even funnier is that in my country it doesn't matter that I'm 17.

Posted: Fri Apr 08, 2005 2:31 pm

murdock
Advanced user
Joined: Mar 16, 2005
Posts: 54

In New Zealand?

www.waraxe.us Forum Index -> Sql injection
Page 1 of 3