Title: using script for sql injection test...
Post by: wlandymore on May 08, 2012, 03:56:05 PM

Hey guys,
I'm trying to write a script that will use the web form that is hooked into a MySQL database to check if a user exists in the DB and if they have an e-mail. So I was thinking this would be possible to do through something like PHP, but I've never done it before so I'm foggy on how it might be done. I was thinking something like:

Code:
<?php
$db="testdb";
$table="users";
$host="http://someserver.com/index.php";
$host+/action=POST&usrname=user1&submit_button=submit;
if response = 'user exists' exit;
if not use another name...

Obviously that isn't what has to be there, but I don't know how to automate this so that the usernames can be put in a form and then submitted one after the other to check their validity. Anyone done something like this before?

Title: Re: using script for sql injection test...
Post by: ajohnson on May 08, 2012, 06:01:04 PM

The following PHP script is a simplified version of the page I believe you're trying to access. It compares the POST user variable to a list of user names (users.db) and returns whether or not the POST user is a valid user. The type of back-end really isn't relevant. You ultimately just need to iterate through a list of users and identify a unique string that signifies a valid user in the page that's returned.
(Edit: You'll get a PHP Notice / blank page if you don't supply user via POST; I obviously didn't include any error checking.)

index.php:
Code:
<?php
// User name submitted via POST (no validation, as noted above)
$user = $_POST['user'];
// users.db holds one user name per line
$f = fopen('users.db', 'r');
$message = 'Invalid User';
// Loop ends at EOF (fgets returns false) or at the first blank line
while ($line = trim(fgets($f))) {
    if ($line == $user) {
        $message = 'Valid User';
        break;
    }
}
fclose($f);
echo $message . "\n";
?>

users.db:
Code:
steve
anthony
bob

I was originally going to write an example in Python, but I knew sil would respond with, "You can do that with bash..." so I decided to skip a step ;)

The following is the users.lst file that is iterated through and tested for validity.

Code:
bob
sally
alice
nicky
steve
bill
anthony
drew

This script iterates through the user list, acquires the page with wget, checks for the unique validity string, and writes out if a match is found.

Code:
for u in `cat users.lst`; do
    wget --post-data="user=$u" -q -O - http://localhost/ehtest/index.php | grep -i -q ^valid && echo $u found
done

Code:
bob found
steve found
anthony found

If you have the SQLi POST string, all you have to do is replace the username/email/whatever and perform text-matching like I did above. If you want to do this with Python and make it sexier, you can start by researching the urllib library.

Title: Re: using script for sql injection test...
Post by: ajohnson on May 08, 2012, 11:06:20 PM

Python example if you're curious (again, no error-checking/validation):
Code:
#!/usr/bin/python
# Python 2 (urllib2); takes a URL, a POST template, a user list and a match string
import urllib2
import sys

if len(sys.argv) < 5:
    print 'Usage: ' + sys.argv[0] + ' <url> <post> <user list> <match text>'
    print 'Use ### as a placeholder for post variable'
    print 'i.e. ' + sys.argv[0] + ' http://localhost/ehtest/index.php user=### user.lst "Valid User"' + '\n'
    sys.exit()

url = sys.argv[1]
post = sys.argv[2]
ulist = sys.argv[3]
match = sys.argv[4]
ph = '###'

with open(ulist) as f:
    for user in f:
        user = user.strip()
        # Substitute the current user name into the POST template
        data = post.replace(ph, user)
        request = urllib2.Request(url, data)
        response = urllib2.urlopen(request)
        page = response.read()
        # find() returns -1 when absent; a match at offset 0 is still a match
        if page.find(match) != -1:
            print "Success for: " + user

Output (using same files as above):

Code:
# ./test.py http://localhost/ehtest/ user=### users.lst "Valid User"
Success for: bob
Success for: steve
Success for: anthony

Title: Re: using script for sql injection test...
Post by: wlandymore on May 11, 2012, 03:01:11 PM

wow, thanks. That's awesome!
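Added example, not part of the thread and not ajohnson's or wlandymore's code: the loops above leave a distinctive trace in the web server's access log (one POST per candidate name to the same path from one client within seconds), and the page itself leaks the "unique string" as two different response sizes. The script below, written in Python 3, parses constructed Apache "combined" log lines and flags both signals. The log lines, the path /ehtest/index.php, the response sizes, the threshold and the window are all assumptions made for the demo.

```python
"""Detect a user-list POST loop from access-log lines (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache/nginx "combined" format; only the fields we use are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample: 10.0.0.5 runs an eight-name loop against the check page
# (sizes 11 and 13 bytes stand for "Valid User\n" and "Invalid User\n");
# 10.0.0.9 is an ordinary user making two requests half an hour apart.
SAMPLE_LOG = """\
10.0.0.5 - - [08/May/2012:18:01:04 +0000] "POST /ehtest/index.php HTTP/1.1" 200 11 "-" "Wget/1.12"
10.0.0.5 - - [08/May/2012:18:01:05 +0000] "POST /ehtest/index.php HTTP/1.1" 200 13 "-" "Wget/1.12"
10.0.0.5 - - [08/May/2012:18:01:06 +0000] "POST /ehtest/index.php HTTP/1.1" 200 13 "-" "Wget/1.12"
10.0.0.5 - - [08/May/2012:18:01:07 +0000] "POST /ehtest/index.php HTTP/1.1" 200 13 "-" "Wget/1.12"
10.0.0.5 - - [08/May/2012:18:01:08 +0000] "POST /ehtest/index.php HTTP/1.1" 200 11 "-" "Wget/1.12"
10.0.0.5 - - [08/May/2012:18:01:09 +0000] "POST /ehtest/index.php HTTP/1.1" 200 13 "-" "Wget/1.12"
10.0.0.5 - - [08/May/2012:18:01:10 +0000] "POST /ehtest/index.php HTTP/1.1" 200 11 "-" "Wget/1.12"
10.0.0.5 - - [08/May/2012:18:01:11 +0000] "POST /ehtest/index.php HTTP/1.1" 200 13 "-" "Wget/1.12"
10.0.0.9 - - [08/May/2012:18:05:00 +0000] "GET /ehtest/index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [08/May/2012:18:05:30 +0000] "POST /ehtest/index.php HTTP/1.1" 200 13 "-" "Mozilla/5.0"
10.0.0.9 - - [08/May/2012:18:30:00 +0000] "POST /ehtest/index.php HTTP/1.1" 200 11 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return a dict for a well-formed combined-log line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    return rec


def find_enumeration(lines, path, threshold=5, window=timedelta(seconds=60)):
    """Map client IP -> peak number of POSTs to `path` inside any sliding
    `window`, for clients whose peak exceeds `threshold`."""
    posts = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"] == path:
            posts[rec["ip"]].append(rec["ts"])
    hits = {}
    for ip, stamps in posts.items():
        stamps.sort()
        start, best = 0, 0
        for end in range(len(stamps)):
            # Slide the window start forward until it spans <= `window`
            while stamps[end] - stamps[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best > threshold:
            hits[ip] = best
    return hits


def response_sizes(lines, path):
    """Distinct body sizes of 200 responses to POSTs on `path`. More than one
    size means the page answers differently per input, i.e. there is something
    for a loop like the ones above to match on."""
    sizes = set()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"] == path and rec["status"] == "200":
            sizes.add(rec["size"])
    return sizes


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("burst clients:", find_enumeration(lines, "/ehtest/index.php"))
    print("response sizes:", response_sizes(lines, "/ehtest/index.php"))
```

On the constructed sample only 10.0.0.5 trips the burst check (8 POSTs in 7 seconds), and the two distinct sizes are exactly the "Valid User" / "Invalid User" difference the thread's grep keys on; a check page that returns the same body (and takes the same time) for both outcomes collapses that set to one size and gives the loop nothing to match.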