Nmap Development mailing list archives
[NSE] SQL Injection
From: "Eddie Bell" <ejlbell () gmail com>
Date: Thu, 19 Jul 2007 11:35:22 +0100
Hey all

I've added an experimental SQL Injection script to SVN. It spiders a http server looking for URLs containing queries. It then proceeds to combine crafted SQL commands with susceptible urls in order to obtain errors. The errors are analysed to see if the url is vulnerable to attack.

Running it against a site with a classic SQL injection vulnerability yields the following output:

PORT   STATE SERVICE
80/tcp open  http
| sql-inject: Host might be vulnerable
| /view.php?page=blog&pid=3'%20OR%20sqlspider
|_/view.php?page=blog&pid=2'%20OR%20sqlspider

If we go to one of the addresses returned by the script we get the following error message:

"Invaild query : You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ' OR sqlspider' at line 1"

This suggests that the 'pid' argument is used directly in an SQL query and by modifying the argument to 'pid' we can execute arbitrary SQL commands.

It has a depth limit of 10 so it does not spider for too long and it will never leave the site it started on. If an in-depth analysis is needed you can change the 'maxdepth' variable. It supports http/meta redirects and uses the new strbuf, url and listop nselibs.

This is probably not a script you want to run against a large number of unknown hosts. It is more suited to audits against specific web servers. The script is in the vulnerability category so won't be run with a default script scan.

cheers
- eddie

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
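A defender-side companion to the probe described in the post, added here as an example (it is not part of the post or of the Nmap script): it parses web server access log lines, URL-decodes each query parameter, and flags the "' OR sqlspider" marker the script appends, so runs of the script show up in monitoring. The log lines are constructed, and the Common Log Format layout and the wider quote-plus-keyword pattern are my assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample access-log lines (Common Log Format). The two probe URLs mirror
# the ones the script reported; hosts, timestamps and sizes are made up.
SAMPLE_LOG = """\
10.0.0.5 - - [19/Jul/2007:11:35:22 +0100] "GET /view.php?page=blog&pid=3 HTTP/1.1" 200 5120
10.0.0.5 - - [19/Jul/2007:11:35:23 +0100] "GET /view.php?page=blog&pid=3'%20OR%20sqlspider HTTP/1.1" 200 310
10.0.0.5 - - [19/Jul/2007:11:35:23 +0100] "GET /view.php?page=blog&pid=2'%20OR%20sqlspider HTTP/1.1" 200 310
10.0.0.9 - - [19/Jul/2007:11:36:01 +0100] "GET /index.php HTTP/1.1" 200 2048
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) (?P<size>\d+)$'
)

# Exact marker the sql-inject script appends to each query value, plus a wider
# pattern (quote followed by an SQL keyword) that catches hand-made variants.
SQLSPIDER_MARKER = "' OR sqlspider"
QUOTE_KEYWORD_RE = re.compile(r"'\s*(?:or|and|union|select)\b", re.IGNORECASE)

def classify_value(value):
    """Return a reason string if the decoded parameter value looks like a probe."""
    if SQLSPIDER_MARKER.lower() in value.lower():
        return "sqlspider marker"
    if QUOTE_KEYWORD_RE.search(value):
        return "quote followed by SQL keyword"
    return None

def scan_access_log(text):
    """Parse log lines, decode every query parameter (parse_qsl turns %20 into a
    space, so the value reads "' OR sqlspider"), and report probe-like values."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in Common Log Format
        target = urlsplit(m.group("target"))
        for name, value in parse_qsl(target.query, keep_blank_values=True):
            reason = classify_value(value)
            if reason:
                findings.append({
                    "ip": m.group("ip"), "path": target.path, "param": name,
                    "value": value, "status": int(m.group("status")), "reason": reason,
                })
    return findings

if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"{f['ip']} {f['path']} {f['param']}={f['value']!r} -> {f['reason']} (HTTP {f['status']})")
```

A probe answered with HTTP 200 rather than a 4xx, as in the sample, means the application accepted the value, which is the case worth triaging first.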
Current thread:
- [NSE] SQL Injection Eddie Bell (Jul 19)
- [NSE] SQL Injection Eddie Bell (Jul 19)
- Re: [NSE] SQL Injection Arturo 'Buanzo' Busleiman (Jul 19)