Nmap Development mailing list archives

[NSE] http-blindsql-injection.nse


From: George Chatzisofroniou <sophron () latthi com>
Date: Thu, 5 Sep 2013 20:04:23 +0300

The attached script finds blind SQL injections using two common methods:
Content-based and Time-based. You can disable a technique with the use of
'timebased' and 'contentbased' options.

More info about the techniques: https://www.owasp.org/index.php/Blind_SQL_Injection

The script, by default, checks for SQLi on both URLs and forms unless you don't
want it to, in which case you can use the checkurls and checkforms boolean options.

There is also a singlepages option to test it against specific pages and a
diffratio option to manually set the least ratio of content length difference
between the HTML responses when testing for content-based blind SQLi.

You run it like this:

./nmap -p80 -n -Pn --script http-blindsql-injection some-random-page.com

And the output looks like this:

 PORT   STATE SERVICE REASON
 80/tcp open  http    syn-ack
 | http-blindsql-injection: 
 |   Found the following possible blind SQL injection vulnerabilities: 
 |   
 |     
 |       Path: http://some-random-page.com:80/
 |       Field: password
 |       Method: POST
 |       Submission: http://some-random-page.com:80//search.php
 |     
 |       SQLi: 1' or SLEEP(10) and '1'='1
 |       Time difference: 8.0084838867188
 |     
 |       SQLi true response: 1' OR '1'='1
 |       SQLi false response: 1' AND '1'='2
 |_      Responses diff ratio: 0.25

I've tested it against a simple web app of my own and it worked well.

Hope you like it,

-- 
George Chatzisofroniou

Attachment: http-blindsql-injection.nse

_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
