using script for sql injection test...

[wlandymore]

Hey guys,

I'm trying to write a script that will use the web form that is hooked into a mysql database to check if a user exists in the DB and if they have an e-mail. So I was thinking this would be possible to do through something like PHP but I've never done it before so I'm foggy on how it might be done.

I was thinking something like:

<?php
$db="testdb";
$table="users";
$host="http://someserver.com/index.php";

$host+/action=POST&usrname=user1&submit_button=submit;
if response = 'user exists' exit;
if not use another name...

Obviously that isn't what has to be there but I don't know how to automate this so that the usernames can be put in a form and then submitted one after the other to check their validity.

Anyone done something like before?

[ajohnson]

The following PHP script is a simplified version of the page I believe you're trying to access. It compares the POST user variable to a list of user names (users.db) and returns whether or not the POST user is a valid user. The type of back-end really isn't relevant. You ultimately just need to iterate through a list of users and identify a unique string that signifies a valid user in the page that's returned.

(Edit: You'll get a PHP Notice / blank page if you don't supply user via POST; I obviously didn't include any error checking.)

index.php:

Code:

<?php
$user = $_POST['user'];

$f = fopen('users.db', 'r');

$message = 'Invalid User';

while ($line = trim(fgets($f))) {
    if ($line == $user) {
        $message = 'Valid User';
        break;
    }
}

echo $message . "\n";
?>

users.db:

Code:

steve
anthony
bob

I was originally going to write an example in Python, but I knew sil would respond with, "You can do that with bash..." so I decided to skip a step

The following is the users.lst file that is iterated through and tested for validity.

Code:

bob
sally
alice
nicky
steve
bill
anthony
drew

This script iterates through the user list, acquires the page with wget, checks for the unique validity string, and writes out if a match is found.

Code:

for u in `cat users.lst`; do wget --post-data="user=$u" -q -O - http://localhost/ehtest/index.php | grep -i -q ^valid && echo $u found; done

Code:

bob found
steve found
anthony found

If you have the SQLi POST string, all you have to do is replace the username/email/whatever and perform text-matching like I did above. If you want to do this with Python and make it sexier, you can start by researching the urllib library.

[ajohnson]

Python example if you're curious (again, no error-checking/validation):

Code:

#!/usr/bin/python
import urllib2
import sys

if len(sys.argv) < 5:
    print 'Usage: ' + sys.argv[0] + ' <url> <post> <user list> <match text>'
    print 'Use ### as a placeholder for post variable'
    print 'i.e. ' + sys.argv[0] + ' http://localhost/ehtest/index.php user=### user.lst "Valid User"' + '\n'
    exit()

url = sys.argv[1]
post = sys.argv[2]
ulist = sys.argv[3]
match = sys.argv[4]
ph = '###'

f = open(ulist)

for user in f:
    user = user.strip()
    data = post.replace(ph, user)
    request = urllib2.Request(url, data)
    response = urllib2.urlopen(request)
    page = response.read()
    if page.find(match) > 0:
        print "Success for: " + user

Output (using same files as above):

Code:

# ./test.py http://localhost/ehtest/ user=### users.lst "Valid User"
Success for: bob
Success for: steve
Success for: anthony

[wlandymore]

wow, thanks. That's awesome!