0

My code here suppose to grab list of injection string from table:* injection_text*, column: injection_code and inject it at the tail of the URL's crawled by my program, the URL's crawled are stored table: pages_crawl. my program suppose to display the result of the injection. the purpose of this program is to test for SQL injection vulnerabilities. its my Final year project. currently it is not displaying any vulnerabilities but if i inject manually into the URL's the site is vulnerable. Can anyone help me fix this code? currently it is injecting the string but it is removing the interger value in the url,
for example :
id=26381&cat=srigossip become id'&cat'
i want it to append the injection string to the end of the URL without altering the URL
' is my injection string
Can anyone help me fix this code?

            // prepare the url for the GET injection
            $urls = parse_url($row_pages['link']);
            parse_str($urls['query'], $query_string);

            $get_inject = "";
            if (!empty($query_string))
            {
                $i = 0;
                foreach ($query_string as $var => $value)
                {
               $get_inject .= (($i==0) ? "?" : "&") . $var . "=" . $row_injection_text['injection_code'];

                    $i++;
                }
            }

            $url_to_inject = $urls['scheme'] . "://" . $urls['host'] . $urls['path'];

            $curl = curl_init();

            curl_setopt_array($curl, array(
                CURLOPT_RETURNTRANSFER => 1,
                CURLOPT_URL => $url_to_inject . $get_inject,
                CURLOPT_USERAGENT => 'Desktop Browser Test'
            ));

            $response = curl_exec($curl);

            $header_size = curl_getinfo($curl, CURLINFO_HEADER_SIZE);
            $header = substr($response, 0, $header_size);
            $body = substr($response, $header_size);

            curl_close($curl);

            $result_injection = checkForm($body, 'error in your SQL') ? "0" : "1";

Edited by jsj1411

4
Contributors
13
Replies
82
Views
1 Year
Discussion Span
Last Post by hielo
Featured Replies
  • 1
    diafol 3,669   1 Year Ago

    Not sure why you would get SQL injection vulnerabilities. If you use prepared statements, you shoud be able to pass anything to them without causing injections. Obviously you'd validate input before running the statement. Am I missing something? Read More

  • 1
    diafol 3,669   1 Year Ago

    Ah. Sorry, makes more sense now. Unfort. won't be able to hlp for a few days. Hope somebody can help in the meantime. Read More

  • 1
    cereal 1,419   1 Year Ago

    **@hielo** hi! On MySQL you can use the `SET` clause in the `INSERT` statement, both syntaxes are supported, see: * http://dev.mysql.com/doc/refman/5.7/en/insert.html Read More

1

On line 11, where are you initializing $row_injection_text? I am wondering if you meant to write $row_pages?

1

Not sure why you would get SQL injection vulnerabilities. If you use prepared statements, you shoud be able to pass anything to them without causing injections. Obviously you'd validate input before running the statement. Am I missing something?

Votes + Comments
actually i'm developing a sql injection testing tool on webpages, which this code suppose to inject , injecting string into the url
0

here's the full code, i sincerely hope someone could help me out, pls

<?php

include('simple_html_dom.php');

$query = "SELECT * FROM `injection_text`";

$cxn = new mysqli('p:localhost', 'root', '', 'wordpress', '3306');
$result = $cxn->query($query);

echo "<table>";
echo "<tr>
        <td>No</td>
        <td>URL</td>
        <td>Response</td>
        <td>Result</td>
      </tr>";

while($row_injection_text = $result->fetch_assoc()) 
{
    $params = $row_injection_text['injection_code'];

    $sql = "SELECT *, `b`.`id` AS crawl_id FROM `pages` a LEFT JOIN `pages_crawl` b ON `a`.`id`=`b`.`pages_id` WHERE `b`.`pages_id` = '" . $_GET['id'] . "' GROUP BY `b`.`id`";
    $result_row = $cxn->query($sql);

    $count = 0;
    while ($row_pages = $result_row->fetch_assoc())
    {

        if (checkForm($row_pages['source'], '<form'))
        {
            $params = ((strpos($row_pages['link'], '?')) ? "&" : "?") . $params;

            $getInput = getInputFields($row_pages['link'] . $params);         

            // if response is with error, it does not need to be injected post style
           if (!isset($getInput['error']))
            {

                // POST injection occurs here
                $param = array();

                foreach ($getInput as $elements) 
                {
                    foreach ($elements['inputs'] as $input)
                    {
                        $param[$input] = $row_injection_text['injection_code'];
                    }
                }

                $curl = curl_init();

                curl_setopt_array($curl, array(
                    CURLOPT_RETURNTRANSFER => 1,
                    CURLOPT_URL => $row_pages['link'],
                    CURLOPT_USERAGENT => 'Desktop Browser Test',
                    CURLOPT_POST => 1,
                    CURLOPT_VERBOSE => 1,
                    CURLOPT_HEADER => 1,
                    CURLOPT_POSTFIELDS => $param
                ));

                $response = curl_exec($curl);

                $header_size = curl_getinfo($curl, CURLINFO_HEADER_SIZE);
                $header = substr($response, 0, $header_size);
                $body = substr($response, $header_size);
                curl_close($curl);

                $result_injection = checkForm($body, 'error in your SQL') ? "0" : "1";

                // save the injection response in the database
                $query_post = " INSERT INTO `injection_result` SET pages_crawl_id = '" . $row_pages['crawl_id'] . 
                                    "', injection_text_id = '" . $row_injection_text['id'] . 
                                    "', response = '" . addslashes($header) . 
                                    "', method = 'POST" . 
                                    "', result = '" . ($result_injection) . "' ";
                $result_post = $cxn->query($query_post);
           }

            // prepare the url for the GET injection
            $urls = parse_url($row_pages['link']);
            parse_str($urls['query'], $query_string);

            $get_inject = "";
            if (!empty($query_string))
            {
                $i = 0;
                foreach ($query_string as $var => $value)
                {
                    $get_inject .= (($i==0) ? "?" : "&") . $var . "=" . $row_injection_text['injection_code'];
                    $i++;
                }
            }

            $url_to_inject = $urls['scheme'] . "://" . $urls['host'] . $urls['path'];

            $curl = curl_init();

            curl_setopt_array($curl, array(
                CURLOPT_RETURNTRANSFER => 1,
                CURLOPT_URL => $url_to_inject . $get_inject,
                CURLOPT_USERAGENT => 'Desktop Browser Test'
            ));

            $response = curl_exec($curl);

            $header_size = curl_getinfo($curl, CURLINFO_HEADER_SIZE);
            $header = substr($response, 0, $header_size);
            $body = substr($response, $header_size);

            curl_close($curl);

            $result_injection = checkForm($body, 'error in your SQL') ? "0" : "1";

            // save the injection response in the database
            $query_get = " INSERT INTO `injection_result` SET pages_crawl_id = '" . $row_pages['crawl_id'] . 
                                "', injection_text_id = '" . $row_injection_text['id'] . 
                                "', response = '" . addslashes($header) . 
                                "', method = 'GET" .
                                "', result = '" . ($result_injection) . "' ";
            $result_get = $cxn->query($query_get);

            // display
            echo "<tr><td>" . ++$count . "</td>";
            echo "<td><a href='" . $url_to_inject . $get_inject . "'>" . $url_to_inject . $get_inject . "</a></td>";
            echo "<td>" . $header . "</td>";
            echo "<td nowrap>" . (($result_injection == 1) ? "<span style='color:red;'>VULNERABLE!</span>" : "SECURE" ) . "</td>";
            echo "</tr>";
        }
    }

    echo "</tr>";
}

echo "</table>";

/*
 * Function to check for elements in a page
 * use a very simple string comparison function in php
 *
 * returns boolean
 *
 */
function checkForm($htmlSource, $needle)
{
    if (strpos($htmlSource, $needle)) {
        return true;
    }
    else {
        return false;
    }
}


/*
 * function to inject GET style
 * while at the same time check if there is a input elements in the page
 *
 * returns the inputs name
 *
 */
function getInputFields ($htmlSource)
{
    // param initilization
    $params = array();

    // get simple html
    $html = @file_get_html($htmlSource);

    // got html
    // prepare params to inject using forms in the html
    if (!is_bool($html))
    {
        // Find all form(s)
        $i=0;
        foreach($html->find('form') as $forms) {
            if (!empty($forms->action))
            {
                $params[0]['forms'][$i++] = $forms->action;
            }
        }

        // Find all input(s)
        $i=0;
        foreach($html->find('input') as $input) {
            if (!empty($input->name)) 
            {
                $params[0]['inputs'][$i++] = $input->name;
            }
        }
    }

    // no forms in the page
    else
    {
        $params['error'] = 'No forms here';
    }

    return $params;
}

?>
1

Ah. Sorry, makes more sense now. Unfort. won't be able to hlp for a few days. Hope somebody can help in the meantime.

Votes + Comments
really hope somebody could help me out here
1

Please provide a sample value for $row_pages['link'] and $row_injection_text['injection_code'].

0

Are you sure that your $row_injection_text['inject_code'] has a value? Meaning, have you tried running your LEFT JOIN query in an sql tool to verify that you are getting the expected results? Or even simpler, does it work when you try INNER JOIN?

The relevant block of code in question seems fine:

<?php
//save this as test.php and try it out
$row_pages = Array('link'=>'http://domain.com/mask_details.php?mask=28&page=1');
$row_injection_text=Array('injection_code'=>"' ' or 1=1 --");

            $urls = parse_url($row_pages['link']);
            echo '<pre>',__LINE__,'. ',print_r($urls,true),'</pre>';
            parse_str($urls['query'], $query_string);
            $get_inject = "";
            if (!empty($query_string))
            {
                $i = 0;
                foreach ($query_string as $var => $value)
                {
                    $get_inject .= (($i==0) ? "?" : "&") . $var . "=" . $row_injection_text['injection_code'];
                    $i++;
                }
            }
            $url_to_inject = $urls['scheme'] . "://" . $urls['host'] . $urls['path'];

echo $url_to_inject.$get_inject;

Edited by hielo

0

Is it possible for u to help me thru team viewer, the query seems fine one my side here. Maybe in that way u can have a beter view of my issue here

Edited by jsj1411

0

The main issue is, it's not detecting any vulnerability so it doesn't post into injection_result table, it's not checking whether it is a sql error or simply just a page not found error, even page not found is detected as vulnerable site

1

The main issue is, it's not detecting any vulnerability

How do you know that it is not detecting any vulnerabilities? Are you echoing (and inspecting) the intermediate results

so it doesn't post into injection_result table

Well, that's because what you have is a hybrid of the INSERT and UPDATE statements. The correct syntax is:

INSERT INTO `tableName` (`fieldName1`,`fieldName2`) VALUES ('value1', 'value2');
-- and for updates
UPDATE `tableName` SET `fieldName1` = 'value1', `fieldName2`='value2'

After executing a query, you should check to see if it fails. You are not doing error checking after executing queries. Otherwise you would have found the error.

0

Indeed! That is certainly news to me. FYI: that seems to be a MySQL-specific feature. It is not standard sql (see section 13.8 <insert statement> at http://www.contrib.andrew.cmu.edu/~shadow/sql/sql1992.txt).

On another note, the following line:

if (checkForm($row_pages['source'], '<form')){ /*...the sql injection tests go here...*/ }

will not perform any of the sql injection test on the relevant page whenever the page in question does not have a <form> in it. I looked at the site with the masks, and I did not find any page with forms in them, so the sample url you supplied is not the ideal site on which to try out your tests.

This topic has been dead for over six months. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.