Sla.ckers.org
SQL Injection and XSS scanner
Posted by: Dbyt3r
Date: December 01, 2007 04:48AM

Hey, first post here :)

I've been hanging around here and some other sites for a week or two now, and think this stuff is pretty interesting :D..

Anyways, I ended up writing a basic sql injection and XSS scanner for .php scripts which should be cool when looking for vuln's in open source scripts and stuff. I'm sure there are loads of more advanced scripts out there, but I just felt like coding some perl :P..

It scans the baseDirectoryOfSource and gets all the *.php files in the base directory and all the sub directories, and scans each one..


#!/usr/bin/perl
# Usage: ./scriptname.pl --dir=baseDirectoryOfSource
use strict;
use warnings;
use Getopt::Long;
use File::Find;

my $directory;
GetOptions("dir=s" => \$directory) or die "Usage: $0 --dir=baseDirectoryOfSource\n";
die "Usage: $0 --dir=baseDirectoryOfSource\n" unless defined $directory && -d $directory;

# Collect every *.php file in the base directory and all of its sub directories
# (File::Find replaces the `ls -R | grep` shell pipe, which broke on odd directory names)
my @files;
find(sub { push @files, $File::Find::name if -f $_ && /\.php$/i }, $directory);

foreach my $file (@files) {
    open(my $in, '<', $file) or do { warn "Cannot open $file: $!\n"; next };
    my @text = <$in>;
    close($in);
    my $i = 1;
    foreach (@text) {
        # A quoted SQL keyword with a request variable ($_GET, $_POST, $HTTP_*_VARS) later on the same line
        if ( m/[^\[][\"\']\s?(SELECT|INSERT|DROP|UPDATE).*?\$(_[^s]|HTTP)/i ) {
            print "Possible SQL injection exploit in $file, line number $i:\n" . $_ . "\n";
        }
        # A local variable assigned straight from request data: check whether the same
        # variable is ever passed through a sanitizing function anywhere in this file
        if ( m/\$([\w]+)\s*=\s*\$(_[^s]|HTTP)/i ) {
            my $variableName = $1;
            my $sanitizedElsewhere = 0;
            # Group the alternation so the variable name applies to every sanitizer, not just the last one
            my $regex = "(?:htmlspecialchars|intval|mysql_escape).*?\Q$variableName\E";
            foreach my $line (@text) {
                if ( $line =~ m/$regex/i ) {
                    $sanitizedElsewhere = 1;
                    last;
                }
            }
            if ( !$sanitizedElsewhere ) {
                print "Possible un-sanitized variable in $file, line number $i:\n" . $_ . "\n";
            }
        }
        # Request data printed or echoed straight back into the page
        if ( m/(prin|echo).*?\$(_[^s]|HTTP)/i ) {
            print "Possible XSS exploit in $file, line number $i:\n" . $_ . "\n";
        }
        $i++;
    }
}

Please lemme know if you have any suggestions! :D

P.S.: I wasn't exactly sure what forum it should go to so I just put it here, please move it if there's a more suitable forum :)

Re: SQL Injection and XSS scanner
Posted by: Kyran
Date: December 07, 2007 02:06AM

Very basic, but I think in concept it should be a direction we need to take. Don't look for actual exploits, just the possibility of one, then have a person manually check those lines.

- Kyran

Re: SQL Injection and XSS scanner
Posted by: rsnake
Date: December 09, 2007 09:16PM

You're going to end up finding a lot of false positives - not just SQL related false positives, but non SQL related as well. How many times do people use those words throughout their websites that would match that pattern? I'd dare say fairly regularly. It could help you narrow things down a little though. Maybe a more complex regex would reduce that risk. Or perhaps you could eventually turn it into a PHP version of PERL's taint.

- RSnake
Gotta love it. http://ha.ckers.org

Re: SQL Injection and XSS scanner
Posted by: oniric
Date: January 24, 2008 03:22PM

Not too bad, but I think this is gonna find a ton of false positives, as RSnake said. What about if you could also check if the variable is sanitized in a pre-included file? There would be a tree of that, of course. Thinking a little bit more, that could be too expensive to do for the results you obtain, but certainly cool!

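To illustrate the direction the thread is pushing towards (Dbyt3r's line-by-line regex scanner, RSnake's point about keyword false positives, and oniric's suggestion of checking whether a variable was sanitized in a pre-included file), here is an added example that is not part of the thread and not any of the tools named in it. It is a small Python taint tracker over two constructed PHP "files" held in memory: it follows include/require lines, remembers which variables were assigned from request superglobals, treats a value wrapped in a sanitizer call as clean, and only reports a SQL string or an echo/print when a tainted value actually reaches it. The sample files, the list of sources and sanitizers, and the finding format are all assumptions chosen for the demo.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample application (two PHP "files" in a dict), not from the forum thread.
SAMPLE_FILES: Dict[str, str] = {
    "lib.php": (
        "<?php\n"
        "$page = intval($_GET['page']);\n"          # sanitized where it is assigned
        "$name = $_POST['name'];\n"                 # tainted
        "$safe_name = htmlspecialchars($name);\n"   # sanitized copy of a tainted value
    ),
    "index.php": (
        "<?php\n"
        "include 'lib.php';\n"
        "$id = $_GET['id'];\n"
        "$q = \"SELECT * FROM posts WHERE id = $id\";\n"   # tainted value in SQL string
        "$q2 = \"SELECT * FROM posts LIMIT $page\";\n"     # $page was intval()'d in lib.php
        "echo \"Please SELECT an option\";\n"               # SQL keyword, but no request data
        "echo $safe_name;\n"                                # sanitized in lib.php
        "echo $name;\n"                                     # tainted in lib.php, echoed here
        "print($_COOKIE['theme']);\n"                       # request data printed directly
    ),
}

# Assumed lists: request sources and sanitizing functions recognised by this demo.
SOURCE = re.compile(r"\$_(?:GET|POST|REQUEST|COOKIE)\b")
SANITIZER_CALL = re.compile(r"\b(?:intval|htmlspecialchars|mysql_real_escape_string)\s*\([^()]*\)")
INCLUDE = re.compile(r"""^\s*(?:include|require)(?:_once)?\s*\(?\s*['"]([^'"]+)['"]""")
ASSIGN = re.compile(r"^\s*\$(\w+)\s*=(?!=)\s*(.*);\s*$")
SQL_SINK = re.compile(r"""['"]\s*(?:SELECT|INSERT|UPDATE|DELETE|DROP)\b""", re.I)
OUTPUT_SINK = re.compile(r"^\s*(?:echo|print)\b")
VARREF = re.compile(r"\$(\w+)")

Finding = Tuple[str, int, str, str]  # (file, line number, kind, source line)


def tainted_refs(expr: str, tainted: Set[str]) -> Set[str]:
    """Request sources and tainted variables that reach expr without a sanitizer around them."""
    stripped = SANITIZER_CALL.sub("", expr)   # anything inside intval(...) etc. is considered clean
    refs: Set[str] = set()
    if SOURCE.search(stripped):
        refs.add("request")
    refs.update(v for v in VARREF.findall(stripped) if v in tainted)
    return refs


def scan(files: Dict[str, str], entry: str) -> List[Finding]:
    """Walk entry and the files it includes, tracking taint across the whole include tree."""
    findings: List[Finding] = []
    tainted: Set[str] = set()
    visited: Set[str] = set()

    def walk(name: str) -> None:
        if name in visited or name not in files:
            return
        visited.add(name)
        for lineno, line in enumerate(files[name].splitlines(), 1):
            inc = INCLUDE.match(line)
            if inc:
                walk(inc.group(1))   # process the included file first, sharing the taint state
                continue
            m = ASSIGN.match(line)
            lhs, rhs = (m.group(1), m.group(2)) if m else (None, line)
            reaching = tainted_refs(rhs, tainted)
            # Only report a sink when a tainted value actually reaches it: a bare SQL keyword
            # or an echo of a sanitized variable is not a finding.
            if SQL_SINK.search(rhs) and reaching:
                findings.append((name, lineno, "sqli", line.strip()))
            if OUTPUT_SINK.match(line) and reaching:
                findings.append((name, lineno, "xss", line.strip()))
            if lhs is not None:
                if reaching:
                    tainted.add(lhs)       # taint propagates through assignment
                else:
                    tainted.discard(lhs)   # reassignment from a clean value clears it

    walk(entry)
    return findings


if __name__ == "__main__":
    for file, lineno, kind, text in scan(SAMPLE_FILES, "index.php"):
        print(f"{kind:4s} {file}:{lineno}: {text}")
```

Running it reports three lines in index.php: the SQL string built from `$id`, the echo of `$name` (tainted in lib.php, which a per-file scanner would miss), and the direct print of `$_COOKIE`. The `$page` query, the "Please SELECT" message and `echo $safe_name` are left alone, which is the false-positive reduction a keyword regex cannot give. The include following is deliberately shallow (a flat list of files, no function bodies or conditional includes); the point is to show why the data-flow view, rather than a per-line pattern, is what makes the manual review Kyran describes tractable.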
Re: SQL Injection and XSS scanner
Posted by: nEUrOO
Date: January 26, 2008 09:40AM

Some tools are working like that, I can cite PHP-SAT, SWAAT, Pixy... Fortify source code analyzer (commercial source code scanner) is now handling PHP also.
I've also been working a little on such problems and I'm currently developing php-oracle: http://trac2.assembla.com/php-ast, where the security metrics actually give such information (XSS, SQL and so on); it simply works with a list of sensitive functions, sanitizing functions, etc.

nEUrOO -- http://rgaucher.info -- http://twitter.com/rgaucher

Re: SQL Injection and XSS scanner
Posted by: oniric
Date: January 28, 2008 01:14AM

Thanks nEUrOO for the info. I was looking for software with that feature and I found Pixy and tested it with a large Web Application and it started throwing exceptions ^^, not a good beginning indeed. I also found a PHP extension named Inclued that you can find on this site: http://t3.dotgnu.info/blog/tags/inclued/
I managed to compile it but haven't tried for now. What do you think is the best source scanner for PHP web applications?

Re: SQL Injection and XSS scanner
Posted by: ntp
Date: January 28, 2008 02:34AM

my guess is that nEUrOO will say that he prefers Fortify SCA 5, then SWAAT, PHP-SAT, Pixy, et al..

personally, i like PSA3 best (and also PhpSecAudit and PFF)

what's good about that is that no two testers think alike. what is bad about that is that you will probably have to try all the tools yourself

note that while doing so, you might also want to check out RATS and Inspekt (which also support PHP), as well as some runtime tools (work well for finding RFI) - dorkscan, FIS, WebSpidah, Wapiti, RFIScan - and maybe some "code side" runtime tools - PHP-IDS, CORE GRASP, WPIDS, and Hardened-PHP

Re: SQL Injection and XSS scanner
Posted by: oniric
Date: January 28, 2008 06:41AM

Wow, that's a pretty large bunch of names! I guess I should take some days to test them out. Thanks for the info!

Re: SQL Injection and XSS scanner
Posted by: nEUrOO
Date: January 29, 2008 07:56AM

ntp: I cannot say I really prefer Fortify or whatever. I'm sure that a tool like PHP-SAT can do at least as well as Fortify SCA with some effort (from the assessor) and it's free... :)

oniric: if you are willing to do some code, you may use phc (http://www.phpcompiler.org); I'd like to see more people using such a tool (and I should have started using this compiler instead of doing mine).
So, to answer your question, I would say that my favorite is PHP-SAT from Eric Bouwers because it's free, open and extendable: http://www.program-transformation.org/PHP/PhpSat

nEUrOO -- http://rgaucher.info -- http://twitter.com/rgaucher
