Just a quick note - I had some brief correspondence recently with Cedric Cochin, who has written a tool called SQLiX that does some of the same stuff as my SQLBrute tool.
I've had a quick look at the tool, and there is some interesting stuff there - it does a lot of the testing by taking a different approach from what I have done. It's built as a scanner, has a spidering function, and can take an input file for scanning (which appears to be a similar format to that produced by IEnterceptor).
I'll be trying this out on some other sample applications to see how it can fit into my toolbox, and to see what I would add or change about the tool. In the meantime, below is a sample run of the tool against the Acunetix sample vulnerable site.
Demo of SQLiX tool:
perl SQLiX.pl -crawl http://test.acunetix.com/ -exploit -all -v=2
======================================================
-- SQLiX --
© Copyright 2006 Cedric COCHIN, All Rights Reserved.
======================================================
Analysing URI obtained by crawling [http://test.acunetix.com/]
http://test.acunetix.com/
http://test.acunetix.com/privacy.php
http://test.acunetix.com/userinfo.php
http://test.acunetix.com/login.php
http://test.acunetix.com/signup.php
http://test.acunetix.com/AJAX/index.php
http://test.acunetix.com/guestbook.php
http://test.acunetix.com/cart.php
http://test.acunetix.com/disclaimer.php
http://test.acunetix.com/artists.php
http://test.acunetix.com/comment.php?aid=3
[X] working on aid
[X] Method: MS-SQL error message
[X] Method: SQL error message
[X] Method: SQL Blind Integer Injection
[X] Method: SQL Blind Statement Injection
[X] Method: SQL Blind String Injection
http://test.acunetix.com/artists.php?artist=3
[X] working on artist
[X] Method: MS-SQL error message
[X] Method: SQL error message
[X] Method: SQL Blind Integer Injection
[FOUND] Blind SQL Injection: Integer based
[FOUND] Database type: MySQL Server
[INFO] Current function: version()
[INFO] length: 9
4.0.25-nt
[FOUND] SQL Blind Integer Injection
http://test.acunetix.com/listproducts.php?artist=3
[X] working on artist
[X] Method: MS-SQL error message
[X] Method: SQL error message
[WARNING] Match found in reference(NULL) - You have an error in your SQL syntax
[FOUND] SQL error message
http://test.acunetix.com/comment.php?aid=2
[X] working on aid
[X] Method: SQL Blind Integer Injection
[X] Method: SQL Blind Statement Injection
[X] Method: SQL Blind String Injection
http://test.acunetix.com/artists.php?artist=2
http://test.acunetix.com/listproducts.php?artist=2
http://test.acunetix.com/comment.php?pid=7
[X] working on pid
[X] Method: MS-SQL error message
[X] Method: SQL error message
[X] Method: SQL Blind Integer Injection
[X] Method: SQL Blind Statement Injection
[X] Method: SQL Blind String Injection
http://test.acunetix.com/showimage.php?file=./pictures/7.jpg
[X] working on file
[X] Method: MS-SQL error message
[X] Method: SQL error message
[X] Method: SQL Blind Statement Injection
[WARNING] both A HREF trees are identical
[X] Method: SQL Blind String Injection
[WARNING] both A HREF trees are identical
http://test.acunetix.com/product.php?pic=7
[X] working on pic
[X] Method: MS-SQL error message
[X] Method: SQL error message
[X] Method: SQL Blind Integer Injection
[FOUND] Blind SQL Injection: Integer based
[FOUND] Database type: MySQL Server
[INFO] Current function: version()
[INFO] length: 9
4.0.25-nt
[FOUND] SQL Blind Integer Injection
http://test.acunetix.com/comment.php?aid=1
[X] working on aid
http://test.acunetix.com/artists.php?artist=1
http://test.acunetix.com/listproducts.php?artist=1
http://test.acunetix.com/comment.php?pid=6
[X] working on pid
[X] Method: SQL Blind Integer Injection
[X] Method: SQL Blind Statement Injection
[X] Method: SQL Blind String Injection
http://test.acunetix.com/showimage.php?file=./pictures/6.jpg
http://test.acunetix.com/product.php?pic=6
http://test.acunetix.com/comment.php?pid=5
[X] working on pid
http://test.acunetix.com/showimage.php?file=./pictures/5.jpg
http://test.acunetix.com/product.php?pic=5
http://test.acunetix.com/comment.php?pid=4
http://test.acunetix.com/showimage.php?file=./pictures/4.jpg
http://test.acunetix.com/product.php?pic=4
http://test.acunetix.com/comment.php?pid=3
http://test.acunetix.com/showimage.php?file=./pictures/3.jpg
http://test.acunetix.com/product.php?pic=3
http://test.acunetix.com/comment.php?pid=2
http://test.acunetix.com/showimage.php?file=./pictures/2.jpg
http://test.acunetix.com/product.php?pic=2
http://test.acunetix.com/comment.php?pid=1
http://test.acunetix.com/showimage.php?file=./pictures/1.jpg
http://test.acunetix.com/product.php?pic=1
http://test.acunetix.com/categories.php
http://test.acunetix.com/listproducts.php?cat=4
[X] working on cat
[X] Method: MS-SQL error message
[X] Method: SQL error message
[WARNING] Match found in reference(NULL) - You have an error in your SQL syntax
[FOUND] SQL error message
http://test.acunetix.com/listproducts.php?cat=3
http://test.acunetix.com/listproducts.php?cat=2
http://test.acunetix.com/listproducts.php?cat=1
http://test.acunetix.com/index.php
RESULTS:
The variable [artist] from [http://test.acunetix.com/artists.php?artist=3] is vulnerable to SQL Injection [Integer without quote - MySQL].
The variable [artist] from [http://test.acunetix.com/listproducts.php?artist=3] is vulnerable to SQL Injection [Error message (NULL) - MySQL].
The variable [pic] from [http://test.acunetix.com/product.php?pic=7] is vulnerable to SQL Injection [Integer without quote - MySQL].
The variable [cat] from [http://test.acunetix.com/listproducts.php?cat=4] is vulnerable to SQL Injection [Error message (NULL) - MySQL].
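The verbose output above mixes probe lines ([X]), warnings and confirmed findings ([FOUND]/[INFO]) under whichever URL and parameter the tool is "working on". The parser below, added here as an example and not part of SQLiX or the original post, groups that output into a per-parameter summary; the log excerpt is constructed from the run shown above, and the line layout it assumes (a bare value line following "[INFO] length: N") is taken from that run.

```python
import re

# Constructed excerpt of SQLiX "-v=2" output, modelled on the run quoted above.
SAMPLE_LOG = """\
http://test.acunetix.com/artists.php?artist=3
[X] working on artist
[X] Method: SQL Blind Integer Injection
[FOUND] Blind SQL Injection: Integer based
[FOUND] Database type: MySQL Server
[INFO] Current function: version()
[INFO] length: 9
4.0.25-nt
[FOUND] SQL Blind Integer Injection
http://test.acunetix.com/listproducts.php?artist=3
[X] working on artist
[X] Method: SQL error message
[WARNING] Match found in reference(NULL) - You have an error in your SQL syntax
[FOUND] SQL error message
http://test.acunetix.com/showimage.php?file=./pictures/7.jpg
[X] working on file
[WARNING] both A HREF trees are identical
"""

def parse_sqlix(log):
    """Group [FOUND]/[INFO] lines under the (url, param) SQLiX is 'working on'.
    Parameters that only produced [X]/[WARNING] lines (unconfirmed probes) are left out."""
    findings, url, param, expect_value = {}, None, None, False
    for raw in log.splitlines():
        line = raw.strip()
        if expect_value:  # bare line after "[INFO] length: N" is the extracted value
            findings[(url, param)]["version"] = line
            expect_value = False
        elif line.startswith("http"):
            url, param = line, None
        elif m := re.match(r"\[X\] working on (\S+)", line):
            param = m.group(1)
        elif line.startswith("[FOUND] "):
            f = findings.setdefault((url, param), {"methods": [], "db": "", "version": ""})
            body = line[len("[FOUND] "):]
            if body.startswith("Database type: "):
                f["db"] = body[len("Database type: "):]
            else:
                f["methods"].append(body)
        elif re.match(r"\[INFO\] length: \d+$", line) and (url, param) in findings:
            expect_value = True
    return findings
```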
Comments (1)
Have you had any problems getting SQLiX to run? I'm getting a ton of errors. I like the functionality though.
Posted by psychorugger | November 15, 2007 6:19 AM