1.44b: Improve SQL injection detection

- Significant improvement to numerical SQL injection detector.
- Minor tweak to SQL message detection rules.
Steve Pinkham 2010-06-29 10:10:17 -04:00
parent 98ffe73aba
commit 7548514234
5 changed files with 48 additions and 8 deletions


@ -1,3 +1,10 @@
Version 1.44b:
--------------
- Significant improvement to numerical SQL injection detector.
- Minor tweak to SQL message detection rules.
Version 1.43b:
--------------


@ -55,7 +55,8 @@ clean:
rm -rf tmpdir
same_test: same_test.c $(OBJFILES) $(INCFILES)
$(CC) same_test.c -o same_test $(CFLAGS_DBG) $(OBJFILES) $(LDFLAGS)
$(CC) same_test.c -o same_test $(CFLAGS_DBG) $(OBJFILES) $(LDFLAGS) \
$(LIBS)
publish: clean
cd ..; tar cfvz ~/www/skipfish.tgz skipfish


@ -2257,7 +2257,7 @@ static void check_for_stuff(struct http_request* req,
if (strstr((char*)res->payload, "<b>Warning</b>: MySQL: ") ||
strstr((char*)res->payload, "java.sql.SQLException") ||
strstr((char*)res->payload, "[You have an error in your SQL syntax; ")) {
strstr((char*)res->payload, "You have an error in your SQL syntax; ")) {
problem(PROB_ERROR_POI, req, res, (u8*)"SQL server error", req->pivot, 0);
return;
}
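Review bot: The widened MySQL pattern on the third strstr() line only broadens coverage for one backend; the check still recognises nothing from PostgreSQL, MS SQL, Oracle or SQLite, so a syntax error leaked by any of those servers is never reported as PROB_ERROR_POI. Their messages are stable and distinctive enough to match the same way, e.g. `syntax error at or near ` (PostgreSQL), `Unclosed quotation mark after the character string` and `Incorrect syntax near ` (MS SQL), `ORA-00933`/`ORA-01756` (Oracle) and `unrecognized token: ` (SQLite); the exact wording should be confirmed against each vendor's error catalogue before shipping. All of these are plain strstr() matches, which presumes res->payload is NUL-terminated and stops at the first embedded NUL, so an error string appearing after a NUL byte in a binary response is missed — whether the payload is guaranteed terminated is not visible in this hunk. check_for_stuff() begins outside the hunk.
```c
  if (strstr((char*)res->payload, "<b>Warning</b>: MySQL: ") ||
      strstr((char*)res->payload, "java.sql.SQLException") ||
      strstr((char*)res->payload, "You have an error in your SQL syntax; ") ||
      strstr((char*)res->payload, "syntax error at or near ") ||
      strstr((char*)res->payload, "Unclosed quotation mark after the character string") ||
      strstr((char*)res->payload, "Incorrect syntax near ") ||
      strstr((char*)res->payload, "ORA-00933") ||
      strstr((char*)res->payload, "ORA-01756") ||
      strstr((char*)res->payload, "unrecognized token: ")) {
    problem(PROB_ERROR_POI, req, res, (u8*)"SQL server error", req->pivot, 0);
    return;
  }
```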


@ -23,7 +23,7 @@
#ifndef _HAVE_CONFIG_H
#define _HAVE_CONFIG_H
#define VERSION "1.43b"
#define VERSION "1.44b"
#define USE_COLOR 1 /* Use terminal colors */


@ -1066,7 +1066,7 @@ schedule_next:
if (req->user_val != 1) return 0;
/* CHECK 7: SQL injection - 6 requests */
/* CHECK 7: SQL injection - 8 requests */
if (orig_state != PSTATE_CHILD_INJECT) {
u8* pstr = TPAR(RPREQ(req));
@ -1125,6 +1125,25 @@ schedule_next:
n->user_val = 5;
async_request(n);
/* This is a special case to trigger fault on blind numerical injection. */
n = req_copy(RPREQ(req), req->pivot, 1);
if (!is_num) SET_VECTOR(orig_state, n, "9 - 1");
else APPEND_VECTOR(orig_state, n, "- 0 - 0");
n->callback = inject_check7_callback;
n->user_val = 6;
async_request(n);
n = req_copy(RPREQ(req), req->pivot, 1);
if (!is_num) SET_VECTOR(orig_state, n, "9 1 -");
else APPEND_VECTOR(orig_state, n, "0 0 - -");
n->callback = inject_check7_callback;
n->user_val = 7;
async_request(n);
/* TODO: We should probably also attempt cookie injection here. */
return 0;
@ -1150,7 +1169,7 @@ static u8 inject_check7_callback(struct http_request* req,
req->pivot->misc_req[req->user_val] = req;
req->pivot->misc_res[req->user_val] = res;
if ((++req->pivot->misc_cnt) != 6) return 1;
if ((++req->pivot->misc_cnt) != 8) return 1;
/* Got all data:
@ -1160,22 +1179,35 @@ static u8 inject_check7_callback(struct http_request* req,
misc[3] = [orig]\'\"
misc[4] = [orig]'"
misc[5] = [orig]\\'\\"
misc[6] = 9 - 1 (or orig - 0 - 0)
misc[7] = 9 1 - (or orig 0 0 - -)
If misc[0] == misc[1], but misc[0] != misc[2], probable (numeric) SQL
injection. If misc[3] != misc[4] and misc[4] != misc[5],
probable text SQL injection.
injection. Ditto for misc[2] == misc[6], but misc[6] != misc[7].
If misc[3] != misc[4] and misc[4] != misc[5], probable text SQL
injection.
*/
if (same_page(&MRES(0)->sig, &MRES(1)->sig) &&
!same_page(&MRES(0)->sig, &MRES(2)->sig)) {
problem(PROB_SQL_INJECT, MREQ(0), MRES(0),
(u8*)"response suggests arithmetic evaluation on server side",
(u8*)"response suggests arithmetic evaluation on server side (type 1)",
req->pivot, 0);
RESP_CHECKS(MREQ(0), MRES(0));
RESP_CHECKS(MREQ(2), MRES(2));
}
if (same_page(&MRES(2)->sig, &MRES(6)->sig) &&
!same_page(&MRES(6)->sig, &MRES(7)->sig)) {
problem(PROB_SQL_INJECT, MREQ(7), MRES(7),
(u8*)"response suggests arithmetic evaluation on server side (type 2)",
req->pivot, 0);
RESP_CHECKS(MREQ(6), MRES(6));
RESP_CHECKS(MREQ(7), MRES(7));
}
if (!same_page(&MRES(3)->sig, &MRES(4)->sig) &&
!same_page(&MRES(3)->sig, &MRES(5)->sig)) {
problem(PROB_SQL_INJECT, MREQ(4), MRES(4),