Nmap Development mailing list archives

[NSE] SQL Injection


From: "Eddie Bell" <ejlbell () gmail com>
Date: Thu, 19 Jul 2007 11:35:22 +0100

Hey all

I've added an experimental SQL Injection script to SVN. It spiders an
http server looking for URLs containing queries. It then proceeds to
combine crafted SQL commands with susceptible urls in order to obtain
errors. The errors are analysed to see if the url is vulnerable to
attack.

Running it against a site with a classic SQL injection vulnerability
yields the following output:

PORT   STATE SERVICE
80/tcp open  http
|  sql-inject: Host might be vulnerable
| /view.php?page=blog&pid=3'%20OR%20sqlspider
|_/view.php?page=blog&pid=2'%20OR%20sqlspider

If we go to one of the addresses returned by the script we get the
following error message:

"Invaild query : You have an error in your SQL syntax; check the
manual that corresponds to your MySQL server version for the right
syntax to use near ' OR sqlspider' at line 1"

This suggests that the 'pid' argument is used directly in an SQL query
and by modifying the argument to 'pid' we can execute arbitrary SQL
commands.

It has a depth limit of 10 so it does not spider for too long and it
will never leave the site it started on. If an in-depth analysis is
needed you can change the 'maxdepth' variable. It supports http/meta
redirects and uses the new strbuf, url and listop nselibs.

This is probably not a script you want to run against a large number
of unknown hosts. It is more suited to audits against specific web
servers. The script is in the vulnerability category so won't be run
with a default script scan.

cheers
 - eddie

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
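An added example, not part of Eddie's post or of the script itself: detection logic in Python that flags the probe pattern the script leaves in web server logs (a quote followed by `OR sqlspider` inside a query parameter), so an administrator can confirm when their own audit ran or spot someone else trying the same technique. The Apache-style log lines and IP addresses are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample access-log lines (Apache combined format): two of
# them carry the sql-inject probe, the last one is a harmless apostrophe.
SAMPLE_LOG = """\
203.0.113.5 - - [19/Jul/2007:11:35:22 +0100] "GET /view.php?page=blog&pid=3 HTTP/1.1" 200 4821 "-" "Mozilla/5.0"
203.0.113.5 - - [19/Jul/2007:11:35:23 +0100] "GET /view.php?page=blog&pid=3'%20OR%20sqlspider HTTP/1.1" 200 612 "-" "Mozilla/5.0"
203.0.113.5 - - [19/Jul/2007:11:35:23 +0100] "GET /view.php?page=blog'%20OR%20sqlspider&pid=2 HTTP/1.1" 200 612 "-" "Mozilla/5.0"
198.51.100.7 - - [19/Jul/2007:11:36:01 +0100] "GET /search.php?q=o'neil HTTP/1.1" 200 3302 "-" "Mozilla/5.0"
"""

# Minimal combined-log parser: client IP, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# The marker the script appends to each parameter: a closing quote,
# an OR, and the literal word "sqlspider". Matched on the decoded value.
PROBE_RE = re.compile(r"'\s*OR\s+sqlspider\b", re.IGNORECASE)


def find_probes(log_text):
    """Return (ip, path, parameter, decoded value) for every probed parameter."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a well-formed combined-log line; skip it
        parts = urlsplit(m.group("target"))
        # parse_qsl splits on '&' before percent-decoding, so an encoded
        # '%26' inside a value cannot be mistaken for a separator.
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            if PROBE_RE.search(value):
                hits.append((m.group("ip"), parts.path, name, value))
    return hits


def probes_by_source(log_text):
    """Group probed (path, parameter) pairs per client IP for a quick triage view."""
    summary = {}
    for ip, path, name, _value in find_probes(log_text):
        summary.setdefault(ip, set()).add((path, name))
    return summary


if __name__ == "__main__":
    for ip, targets in probes_by_source(SAMPLE_LOG).items():
        print(ip, sorted(targets))
```

A plain apostrophe in user input (the `o'neil` search) is not flagged, because the check requires the full `' OR sqlspider` marker rather than any single quote.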

