1.44b: Improve SQL injection detection
- Significant improvement to numerical SQL injection detector. - Minor tweak to SQL message detection rules.
parent
98ffe73aba
commit
7548514234
|
@ -1,3 +1,10 @@
|
|||
Version 1.44b:
|
||||
--------------
|
||||
|
||||
- Significant improvement to numerical SQL injection detector.
|
||||
|
||||
- Minor tweak to SQL message detection rules.
|
||||
|
||||
Version 1.43b:
|
||||
--------------
|
||||
|
||||
|
|
3
Makefile
3
Makefile
|
@ -55,7 +55,8 @@ clean:
|
|||
rm -rf tmpdir
|
||||
|
||||
same_test: same_test.c $(OBJFILES) $(INCFILES)
|
||||
$(CC) same_test.c -o same_test $(CFLAGS_DBG) $(OBJFILES) $(LDFLAGS)
|
||||
$(CC) same_test.c -o same_test $(CFLAGS_DBG) $(OBJFILES) $(LDFLAGS) \
|
||||
$(LIBS)
|
||||
|
||||
publish: clean
|
||||
cd ..; tar cfvz ~/www/skipfish.tgz skipfish
|
||||
|
|
|
@ -2257,7 +2257,7 @@ static void check_for_stuff(struct http_request* req,
|
|||
|
||||
if (strstr((char*)res->payload, "<b>Warning</b>: MySQL: ") ||
|
||||
strstr((char*)res->payload, "java.sql.SQLException") ||
|
||||
strstr((char*)res->payload, "[You have an error in your SQL syntax; ")) {
|
||||
strstr((char*)res->payload, "You have an error in your SQL syntax; ")) {
|
||||
problem(PROB_ERROR_POI, req, res, (u8*)"SQL server error", req->pivot, 0);
|
||||
return;
|
||||
}
|
||||
|
|
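Review bot: The three `strstr()` calls on `res->payload` assume a non-NULL, NUL-terminated buffer; if a body-less response can leave `payload` NULL this is undefined behaviour, so either a guard such as `if (!res->payload) return;` or an existing check above the hunk should be confirmed. Dropping the leading `[` widens the MySQL match, which also means any page that merely quotes that sentence (documentation, forum threads) will now raise `PROB_ERROR_POI`; if precision matters, anchoring on a longer fragment of the server's message would limit that. The enclosing function check_for_stuff begins outside the hunk, and the page does not show which file this section belongs to.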
2
config.h
2
config.h
|
@ -23,7 +23,7 @@
|
|||
#ifndef _HAVE_CONFIG_H
|
||||
#define _HAVE_CONFIG_H
|
||||
|
||||
#define VERSION "1.43b"
|
||||
#define VERSION "1.44b"
|
||||
|
||||
#define USE_COLOR 1 /* Use terminal colors */
|
||||
|
||||
|
|
42
crawler.c
42
crawler.c
|
@ -1066,7 +1066,7 @@ schedule_next:
|
|||
|
||||
if (req->user_val != 1) return 0;
|
||||
|
||||
/* CHECK 7: SQL injection - 6 requests */
|
||||
/* CHECK 7: SQL injection - 8 requests */
|
||||
|
||||
if (orig_state != PSTATE_CHILD_INJECT) {
|
||||
u8* pstr = TPAR(RPREQ(req));
|
||||
|
@ -1125,6 +1125,25 @@ schedule_next:
|
|||
n->user_val = 5;
|
||||
async_request(n);
|
||||
|
||||
/* This is a special case to trigger fault on blind numerical injection. */
|
||||
|
||||
n = req_copy(RPREQ(req), req->pivot, 1);
|
||||
if (!is_num) SET_VECTOR(orig_state, n, "9 - 1");
|
||||
else APPEND_VECTOR(orig_state, n, "- 0 - 0");
|
||||
n->callback = inject_check7_callback;
|
||||
n->user_val = 6;
|
||||
async_request(n);
|
||||
|
||||
n = req_copy(RPREQ(req), req->pivot, 1);
|
||||
if (!is_num) SET_VECTOR(orig_state, n, "9 1 -");
|
||||
else APPEND_VECTOR(orig_state, n, "0 0 - -");
|
||||
n->callback = inject_check7_callback;
|
||||
n->user_val = 7;
|
||||
async_request(n);
|
||||
|
||||
|
||||
|
||||
|
||||
/* TODO: We should probably also attempt cookie injection here. */
|
||||
|
||||
return 0;
|
||||
|
@ -1150,7 +1169,7 @@ static u8 inject_check7_callback(struct http_request* req,
|
|||
|
||||
req->pivot->misc_req[req->user_val] = req;
|
||||
req->pivot->misc_res[req->user_val] = res;
|
||||
if ((++req->pivot->misc_cnt) != 6) return 1;
|
||||
if ((++req->pivot->misc_cnt) != 8) return 1;
|
||||
|
||||
/* Got all data:
|
||||
|
||||
|
@ -1160,22 +1179,35 @@ static u8 inject_check7_callback(struct http_request* req,
|
|||
misc[3] = [orig]\'\"
|
||||
misc[4] = [orig]'"
|
||||
misc[5] = [orig]\\'\\"
|
||||
misc[6] = 9 - 1 (or orig - 0 - 0)
|
||||
misc[7] = 9 1 - (or orig 0 0 - -)
|
||||
|
||||
If misc[0] == misc[1], but misc[0] != misc[2], probable (numeric) SQL
|
||||
injection. If misc[3] != misc[4] and misc[4] != misc[5],
|
||||
probable text SQL injection.
|
||||
injection. Ditto for misc[2] == misc[6], but misc[6] != misc[7].
|
||||
|
||||
If misc[3] != misc[4] and misc[4] != misc[5], probable text SQL
|
||||
injection.
|
||||
|
||||
*/
|
||||
|
||||
if (same_page(&MRES(0)->sig, &MRES(1)->sig) &&
|
||||
!same_page(&MRES(0)->sig, &MRES(2)->sig)) {
|
||||
problem(PROB_SQL_INJECT, MREQ(0), MRES(0),
|
||||
(u8*)"response suggests arithmetic evaluation on server side",
|
||||
(u8*)"response suggests arithmetic evaluation on server side (type 1)",
|
||||
req->pivot, 0);
|
||||
RESP_CHECKS(MREQ(0), MRES(0));
|
||||
RESP_CHECKS(MREQ(2), MRES(2));
|
||||
}
|
||||
|
||||
if (same_page(&MRES(2)->sig, &MRES(6)->sig) &&
|
||||
!same_page(&MRES(6)->sig, &MRES(7)->sig)) {
|
||||
problem(PROB_SQL_INJECT, MREQ(7), MRES(7),
|
||||
(u8*)"response suggests arithmetic evaluation on server side (type 2)",
|
||||
req->pivot, 0);
|
||||
RESP_CHECKS(MREQ(6), MRES(6));
|
||||
RESP_CHECKS(MREQ(7), MRES(7));
|
||||
}
|
||||
|
||||
if (!same_page(&MRES(3)->sig, &MRES(4)->sig) &&
|
||||
!same_page(&MRES(3)->sig, &MRES(5)->sig)) {
|
||||
problem(PROB_SQL_INJECT, MREQ(4), MRES(4),
|
||||
|
|
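Review bot: The request count is now hard-coded in two places that must agree — the comment `/* CHECK 7: SQL injection - 8 requests */` with the scheduling block that ends at `n->user_val = 7;`, and the gate `if ((++req->pivot->misc_cnt) != 8) return 1;` in inject_check7_callback; a shared constant, e.g. `enum { CHECK7_REQUESTS = 8 };` and `if ((++req->pivot->misc_cnt) != CHECK7_REQUESTS) return 1;`, would stop a future extra request from silently never completing the check. The index in `req->pivot->misc_req[req->user_val]` now reaches 7, so `misc_req`/`misc_res` must have at least 8 slots; their declaration is not in the hunk, so this is worth confirming. The type 1 and type 2 arithmetic checks are independent `if` blocks and can both be true for the same pivot, yielding two `PROB_SQL_INJECT` reports for one parameter; an `else if` on the second would collapse them if that duplication is not intended. inject_check7_callback continues past the end of the hunk.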