
using script for sql injection test...

<<

wlandymore

Newbie

Posts: 34

Joined: Thu Mar 15, 2012 9:48 am

Post Tue May 08, 2012 3:56 pm

using script for sql injection test...

Hey guys,

I'm trying to write a script that will use the web form that is hooked into a MySQL database to check if a user exists in the DB and if they have an e-mail. So I was thinking this would be possible to do through something like PHP, but I've never done it before so I'm foggy on how it might be done.

I was thinking something like:

<?php
$db="testdb";
$table="users";
$host="http://someserver.com/index.php";

$host+/action=POST&usrname=user1&submit_button=submit;
if response = 'user exists' exit;
if not use another name...

Obviously that isn't what has to be there but I don't know how to automate this so that the usernames can be put in a form and then submitted one after the other to check their validity.

Anyone done something like this before?
<<

dynamik

Recruiters

Posts: 1119

Joined: Sun Nov 09, 2008 11:00 am

Location: Mile High City

Post Tue May 08, 2012 6:01 pm

Re: using script for sql injection test...

The following PHP script is a simplified version of the page I believe you're trying to access. It compares the POST user variable to a list of user names (users.db) and returns whether or not the POST user is a valid user. The type of back-end really isn't relevant. You ultimately just need to iterate through a list of users and identify a unique string that signifies a valid user in the page that's returned.

(Edit: You'll get a PHP Notice / blank page if you don't supply user via POST; I obviously didn't include any error checking.)

index.php:
  Code:
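<?php
// User name submitted by the form (no error checking, see the note above)
$user = $_POST['user'];

// Flat file with one valid user name per line
$f = fopen('users.db', 'r');

$message = 'Invalid User';

// Read to end of file; a blank line no longer stops the loop early
while (($line = fgets($f)) !== false) {
    // Strict comparison avoids PHP's loose numeric string matching
    if (trim($line) === $user) {
        $message = 'Valid User';
        break;
    }
}
fclose($f);

// This string is what the client-side scripts below match on
echo $message . "\n";
?>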


users.db:
  Code:
steve
anthony
bob


I was originally going to write an example in Python, but I knew sil would respond with, "You can do that with bash..." so I decided to skip a step ;)

The following is the users.lst file that is iterated through and tested for validity.
  Code:
bob
sally
alice
nicky
steve
bill
anthony
drew


This script iterates through the user list, acquires the page with wget, checks for the unique validity string, and writes out if a match is found.
  Code:
while IFS= read -r u; do wget --post-data="user=$u" -q -O - http://localhost/ehtest/index.php | grep -i -q '^valid' && echo "$u found"; done < users.lst


  Code:
bob found
steve found
anthony found


If you have the SQLi POST string, all you have to do is replace the username/email/whatever and perform text-matching like I did above. If you want to do this with Python and make it sexier, you can start by researching the urllib library.
Last edited by dynamik on Tue May 08, 2012 6:03 pm, edited 1 time in total.
The day you stop learning is the day you start becoming obsolete.
<<

dynamik

Recruiters

Posts: 1119

Joined: Sun Nov 09, 2008 11:00 am

Location: Mile High City

Post Tue May 08, 2012 11:06 pm

Re: using script for sql injection test...

Python example if you're curious (again, no error-checking/validation):

  Code:
#!/usr/bin/env python3
import sys
import urllib.request

if len(sys.argv) < 5:
    print('Usage: ' + sys.argv[0] + ' <url> <post> <user list> <match text>')
    print('Use ### as a placeholder for post variable')
    print('i.e. ' + sys.argv[0] + ' http://localhost/ehtest/index.php user=### user.lst "Valid User"' + '\n')
    sys.exit()

url = sys.argv[1]
post = sys.argv[2]
ulist = sys.argv[3]
match = sys.argv[4]
ph = '###'

with open(ulist) as f:
    for user in f:
        user = user.strip()
        # Substitute the current user name into the POST body (bytes in Python 3)
        data = post.replace(ph, user).encode()
        request = urllib.request.Request(url, data)
        response = urllib.request.urlopen(request)
        page = response.read().decode(errors='replace')
        # Membership test: find() > 0 would miss a match at the very start of the page
        if match in page:
            print("Success for: " + user)


Output (using same files as above):
  Code:
# ./test.py http://localhost/ehtest/ user=### users.lst "Valid User"
Success for: bob
Success for: steve
Success for: anthony
The day you stop learning is the day you start becoming obsolete.
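
Seen from the server side, the loops in the posts above appear as one client submitting many different user names within a short time. The following is an added example, not code from the thread, that flags that pattern in an application log; the log format, the 60-second window and the threshold of 5 names are assumptions, and the sample lines are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (assumed format): timestamp, client IP, submitted user, result
SAMPLE_LOG = """\
2012-05-08T18:01:00 10.0.0.5 bob valid
2012-05-08T18:01:01 10.0.0.5 sally invalid
2012-05-08T18:01:01 10.0.0.9 steve valid
2012-05-08T18:01:02 10.0.0.5 alice invalid
2012-05-08T18:01:03 10.0.0.5 nicky invalid
2012-05-08T18:01:04 10.0.0.5 steve valid
2012-05-08T18:01:05 10.0.0.5 bill invalid
not a log line
2012-05-08T18:01:06 10.0.0.5 anthony valid
2012-05-08T18:01:07 10.0.0.5 drew invalid
2012-05-08T18:01:20 10.0.0.9 stev invalid
2012-05-08T18:01:31 10.0.0.9 steve valid
"""

def parse(line):
    """Return (timestamp, ip, user, result), or None for a malformed line."""
    parts = line.split()
    if len(parts) != 4:
        return None
    try:
        return datetime.fromisoformat(parts[0]), parts[1], parts[2], parts[3]
    except ValueError:
        return None

def find_enumeration(lines, window=timedelta(seconds=60), max_distinct=5):
    """Map client IP -> peak number of distinct user names submitted inside one
    window, for clients that exceed max_distinct. Lines must be in time order."""
    recent = defaultdict(deque)   # ip -> (timestamp, user) pairs still in the window
    flagged = {}
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue              # skip lines that do not match the assumed format
        ts, ip, user, _result = rec
        q = recent[ip]
        q.append((ts, user))
        while ts - q[0][0] > window:
            q.popleft()           # drop submissions older than the window
        distinct = len({u for _, u in q})
        if distinct > max_distinct:
            flagged[ip] = max(flagged.get(ip, 0), distinct)
    return flagged

if __name__ == "__main__":
    for ip, n in find_enumeration(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {n} distinct user names within 60 seconds")
```

A client that retries one or two names, like 10.0.0.9 in the sample, stays under the threshold; only the client walking through a list is reported.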
<<

wlandymore

Newbie

Posts: 34

Joined: Thu Mar 15, 2012 9:48 am

Post Fri May 11, 2012 3:01 pm

Re: using script for sql injection test...

Wow, thanks. That's awesome!
