ilmercu/Scanner-and-Command-Injection: Vulnerabilities scanner tool
Scanner and Command Injection
This vulnerability scanner and command-injection tool shows, by example, how vulnerable request parameters can be exploited to execute commands.
The scanner will not work in every environment: the command and argument injections are based on Linux commands.
The application reads user-created input files and sends HTTP requests with the specified method. The commands in the payloads file are injected into each parameter under test by permutation: a separate request is sent for every permutation of payloads over the parameters.
The server response is then inspected for vulnerabilities. The check is deliberately simple: it looks for specific strings in the response body (the output an injected command is expected to produce, such as the known user name that the config file's whoami test relies on).
If a vulnerability is found, a descriptive line is written to the output file.
- Requests details file: specifies the list of requests under test, each with its HTTP method, resource and parameters. The format is: HTTP method:resource:parameter1,parameter2
- Payloads file: specifies the list of commands used for a specific request (the two files are matched by row number). The format is: command1~command2~...
Requests details file format example:

```
GET:/ping.php:host
GET:/ping-escapeshellcmd.php:host
GET:/find-escapeshellcmd.php:input
GET:/ping-no-amp.php:host
POST:/login2.php:user,pass
GET:/search_by_price2.php:max
GET:/echo-name.php:name
```

Payloads file format example (one row per request above):

```
;cat /etc/passwd
;ls -la
ping.php -exec whoami ;
;head ping.php
--noc
--noc
--xss
```
Configuration values:

```python
DEBUG = True  # if True, code execution prints debugging lines
KEEP_BROWSER_OPEN = False  # used to keep the browser open after selenium checks
TARGET = 'http://localhost:8000'  # target
VULNERABILITY_OUTPUT_PATH = 'assets/output/vulnerability-output.txt'  # output path
REQUESTS_SPLIT_VAL = ':'  # split char for requests
REQUESTS_PARAMETERS_SPLIT_VAL = ','  # split char for parameters in requests
PAYLOADS_SPLIT_VAL = '~'  # split char for commands values
CURRENT_USER = 'andre'  # known user used for whoami test
COMMAND_COLUMNS_NUMBER = '--noc'  # command to find the number of columns in a table. Valid only in sql mode
COMMAND_XSS_INJECTION = '--xss'  # command to test xss injections. Valid only in xss mode
MAX_ALERT_WAITING_TIME = 5  # max time (in seconds) to wait for the popup message in browser
```
The data stored in the database is used to test SQL injections.
Execute the files in sqli-target/setup to create and populate the database.
Connection credentials are stored in the sqli-target/mysql_credentials.php file.

For command and argument injections:

```
foo@bar:~$ cd "target environment"
foo@bar:~$ php -S localhost:8000
```

For SQL injections:

```
foo@bar:~$ cd sqli-target
foo@bar:~$ php -S localhost:8000
```

For XSS injections:

```
foo@bar:~$ cd xss-target
foo@bar:~$ php -S localhost:8000
```
- -m, injection mode, required. Permitted values: cmd, sql, xss
- cmd: tests command and argument injections.
- sql: tests SQL injections. In this mode the payloads are used differently than in cmd mode: the mode is driven by a specific command (set in the config file) that performs a union-based SQL injection. Other injections can be sent, but no check is performed for them.
- xss: tests XSS injections for the GET HTTP method. The payloads are injected, the tool checks whether they appear in the HTTP response, and then verifies with Selenium that they are rendered as a dialog popup.
- -r, path to the requests details file.
- -p, path to the payloads file.
```
foo@bar:~$ python main.py -m cmd -r assets/input/requests-details-cmd.txt -p assets/input/payloads-cmd.txt
foo@bar:~$ python main.py -m sql -r assets/input/requests-details-sql.txt -p assets/input/payloads-sql.txt
foo@bar:~$ python main.py -m xss -r assets/input/requests-details-xss.txt -p assets/input/payloads-xss.txt
```

The output file is saved to assets/output/vulnerability-output.txt.
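The following is an added example, not the project's own code: an offline, self-contained version of the cmd-mode workflow described above. It parses the two README file formats, generates every permutation of payloads over a request's parameters, and checks each response body for the markers the injected command would leave behind (the root line of /etc/passwd, the known user name for whoami). The target is replaced by a fake in-process server, and the marker patterns, the fake server's behaviour and the padding of short payload rows are assumptions made for this example.

```python
"""Added example (not the project's code): permutation-based command-injection
scan over the README's two input formats, run against a fake in-process target."""
import itertools
import re

# Constructed input in the README's "requests details" format.
REQUESTS_TXT = """GET:/ping.php:host
POST:/login2.php:user,pass
"""

# Constructed input in the README's "payloads" format (one row per request).
PAYLOADS_TXT = """;cat /etc/passwd~;whoami
;cat /etc/passwd~;whoami
"""

CURRENT_USER = "andre"  # known user for the whoami check, as in the README config


def parse_requests(text, split_val=":", param_split_val=","):
    """Return a list of (method, resource, [params]) tuples."""
    requests = []
    for line in text.splitlines():
        if not line.strip():
            continue
        method, resource, params = line.split(split_val, 2)
        requests.append((method.upper(), resource, params.split(param_split_val)))
    return requests


def parse_payloads(text, split_val="~"):
    """Return one list of commands per non-empty row."""
    return [row.split(split_val) for row in text.splitlines() if row.strip()]


def injection_sets(params, payloads):
    """Yield every assignment of one payload to each parameter (permutations).

    With fewer payloads than parameters itertools.permutations yields nothing,
    so the payload list is padded by cycling it (an assumption of this example).
    """
    if len(payloads) < len(params):
        payloads = list(itertools.islice(itertools.cycle(payloads), len(params)))
    seen = set()
    for combo in itertools.permutations(payloads, len(params)):
        if combo not in seen:
            seen.add(combo)
            yield dict(zip(params, combo))


# Strings that betray command output in the response body (assumed for this example).
MARKERS = {
    "cat /etc/passwd": re.compile(r"^root:x:0:0:", re.M),
    "whoami": re.compile(r"\b" + re.escape(CURRENT_USER) + r"\b"),
}


def check_response(body, payload):
    """Return the name of the marker that matched, or None if the payload left no trace."""
    for cmd, pattern in MARKERS.items():
        if cmd in payload and pattern.search(body):
            return cmd
    return None


def fake_server(method, resource, params):
    """Stand-in target (assumption): /ping.php runs the host value through a shell."""
    if resource == "/ping.php" and ";" in params.get("host", ""):
        cmd = params["host"].split(";", 1)[1].strip()
        if cmd.startswith("cat /etc/passwd"):
            return "PING ok\nroot:x:0:0:root:/root:/bin/bash\n"
        if cmd == "whoami":
            return "PING ok\n%s\n" % CURRENT_USER
    return "<html>nothing interesting</html>"


def scan(requests_txt, payloads_txt, send=fake_server):
    """Send every payload permutation for every request; return findings as output lines."""
    findings = []
    for (method, resource, params), payloads in zip(parse_requests(requests_txt),
                                                     parse_payloads(payloads_txt)):
        for injected in injection_sets(params, payloads):
            body = send(method, resource, injected)
            for param, payload in injected.items():
                hit = check_response(body, payload)
                if hit:
                    findings.append("%s %s param=%s payload=%r marker=%s"
                                    % (method, resource, param, payload, hit))
    return findings


if __name__ == "__main__":
    for line in scan(REQUESTS_TXT, PAYLOADS_TXT):
        print(line)
```

Replacing fake_server with a function that performs the real HTTP request turns this into the README's workflow; the marker check stays the same, which is also its weakness: a page that happens to contain the known user name will produce a false positive, so confirm hits manually.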
Cvar1984/sqlscan: Quick SQL Scanner, Dorker, Webshell injector PHP
sqlscan is a quick web scanner for finding SQL injection points. Not for educational purposes; this is for hacking.
Use a sitemap for best results.
See composer.json for more information.

For PC Linux Debian-based environments:

```
$ sudo apt install php php-bz2 php-curl php-mbstring curl
$ sudo curl https://raw.githubusercontent.com/Cvar1984/sqlscan/dev/build/main.phar --output /usr/local/bin/sqlscan
$ sudo chmod +x /usr/local/bin/sqlscan
$ sqlscan http://example.gov --scan
$ sqlscan list_url.txt --scan
```

For Android Termux environments:

```
$ apt install php curl
$ curl https://raw.githubusercontent.com/Cvar1984/sqlscan/dev/build/main.phar --output $PREFIX/bin/sqlscan
$ chmod +x $PREFIX/bin/sqlscan
$ sqlscan http://example.gov --scan
$ sqlscan list_url.txt --scan
```

Note that both install paths download a pre-built phar from the dev branch with no checksum or signature to compare against; review it (or build it yourself, below) before running it with your privileges.

To build from source:

```
$ composer install
$ box build
```
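The README recommends feeding sqlscan a sitemap. Below is an added example, not part of sqlscan, of how a practitioner would turn a sitemap into the list_url.txt that "sqlscan list_url.txt --scan" reads: only URLs that carry query parameters are kept, since those are the pages with something to inject into, and entries that differ only in parameter values are collapsed. The sitemap content is constructed for the example, the example.gov paths are placeholders, and the one-URL-per-line file format is assumed from the README's usage line.

```python
"""Added example (not sqlscan's code): sitemap -> list of URLs with query
parameters, in a one-URL-per-line file (format assumed from the README)."""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, parse_qsl

# Constructed sitemap in the standard sitemaps.org urlset schema.
SITEMAP_XML = """<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
  <url><loc>http://example.gov/</loc></url>
  <url><loc>http://example.gov/news.php?id=12</loc></url>
  <url><loc>http://example.gov/news.php?id=13</loc></url>
  <url><loc>http://example.gov/search?q=budget&amp;year=2019</loc></url>
  <url><loc>http://example.gov/about.html</loc></url>
</urlset>
"""

NS = {"sm": "http://www.sitemaps.org/schemas/sitemap/0.9"}


def sitemap_locs(xml_text):
    """Return every <loc> of a urlset sitemap (sitemap index files are not handled here)."""
    root = ET.fromstring(xml_text)
    return [loc.text.strip() for loc in root.findall("sm:url/sm:loc", NS) if loc.text]


def injectable_candidates(urls):
    """Keep URLs with at least one query parameter.

    URLs that differ only in parameter values (news.php?id=12 vs ?id=13) hit
    the same code path, so only the first one seen is kept: scanning both
    would double the request count against the target for no extra coverage.
    """
    seen, out = set(), []
    for url in urls:
        parts = urlsplit(url)
        params = parse_qsl(parts.query, keep_blank_values=True)
        if not params:
            continue
        key = (parts.netloc, parts.path, tuple(sorted(name for name, _ in params)))
        if key in seen:
            continue
        seen.add(key)
        out.append(url)
    return out


def write_url_list(urls, path="list_url.txt"):
    """Write one URL per line (the list format assumed from 'sqlscan list_url.txt --scan')."""
    with open(path, "w", encoding="utf-8") as fh:
        fh.write("\n".join(urls) + "\n")
    return path


if __name__ == "__main__":
    candidates = injectable_candidates(sitemap_locs(SITEMAP_XML))
    print("\n".join(candidates))
```

For a live site, fetch /sitemap.xml (or the Sitemap: entry in robots.txt) and pass its text to sitemap_locs; a sitemap index would need one more level of recursion over its <sitemap><loc> entries.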
- Quick shell code injector
- Bypass WAF
- URL from JSON
- Report CSV/XML/HTML/PDF/DB (composer dependencies)
- Multi-threaded (pthread)
Copyright (c) 2019
Licensed under the Apache License, Version 2.0 or the MIT license, at your option.
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the «Software»), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED «AS IS», WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
Licensed under the Apache License, Version 2.0 (the «License»); you may not use this file except in compliance with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an «AS IS» BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.
emanuil/php-reaper
PHP tool to scan ADOdb code for SQL Injections
The main idea is to detect problems as early as possible, while the code is fresh in your mind. Shift as many checks as possible to the left. Automate as much as possible.
Running PHP-Reaper is far less time-consuming than running a full-fledged automated security scanner against your application. A web security scanner might not locate every SQL injection vulnerability, because some code is hard to reach from the UI (or needs rare conditions to be set up). PHP-Reaper is fast and pinpoints the exact line where the problem lies, scanning all your PHP ADOdb source code.
You'll get the most out of PHP-Reaper if you run it on every commit. It's made to be CI friendly and fast.
Because of laziness, pressure or just ignorance, PHP developers using ADOdb make mistakes like these:
```php
$dbConn->GetRow("SELECT * FROM users WHERE $user_id");
$dbConn->GetRow("SELECT * FROM users WHERE ", array('$user_id'));
$ids = join(',', $ids);
$dbConn->GetAll("SELECT * FROM campaigns WHERE id IN ($ids)");
$dbConn->GetAll('SELECT * FROM campaigns WHERE FIND_IN_SET (id, ' . $dbConn->Param('') . ')', array(join(',', $ids)));
```
Recursively scan a directory of PHP files:

```
php php-reaper -d directory_with_php_files
```

Scan a single file:

```
php php-reaper -f single_file.php
```
The tests are located in the tests directory. To run them, once in the tests directory, type:
If you extend this tool, make sure the tests pass before submitting a pull request. Better yet, add new test files and unit tests. Look at the example files directory to see what types of SQL injections are detected.
PHP-Reaper is CI friendly. On error it exits with a non-zero status (-1), so it's easy to hook into your CI jobs.
You can silence a PHP-Reaper warning if you are absolutely sure the code does not contain a SQL injection. Comment the line above the ADOdb call with:

```php
// safesql
$result_set = $dbConn->getAll('SELECT * FROM ' . $this->usersTable);
```

You need to be absolutely sure the $this->usersTable variable cannot be controlled by an attacker.
The following ADOdb methods are considered dangerous and are scanned for potential SQL injections: getone(), getrow(), getall(), getcol(), getassoc(), execute(), replace(). Note that autoexecute() is immune, because it automatically escapes all the parameters. If your code base has methods with the same names, e.g. a non-ADOdb execute(), you may see false positives. The solution is to rename your methods so that their names differ from the default ADOdb methods, e.g. executeTask(). PHP-Reaper works this way because PHP is very dynamic and static analysis cannot reliably tell the class of the instantiated object.
PHP-Reaper uses the excellent PHP parser of the same name, PHP-Parser, currently version 1.4.1.
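To make the detection rules above concrete, here is an added example that is not PHP-Reaper's code: a small line-based checker that flags the dangerous ADOdb methods listed above when their first argument (the SQL) is built from a PHP variable, either interpolated into a double-quoted string or concatenated in, treats $conn->Param() placeholders as safe, skips autoexecute(), and honours the "// safesql" comment on the preceding line. PHP-Reaper itself works on a PHP-Parser AST; the regular expressions and the sample PHP source below are approximations constructed for this example, and it shares the name-based false positive the README describes (the $task->execute() line).

```python
"""Added example (not PHP-Reaper's code): line-based check for ADOdb calls whose
SQL argument is built from a PHP variable, with the README's "// safesql" opt-out."""
import re

DANGEROUS = ("getone", "getrow", "getall", "getcol", "getassoc", "execute", "replace")
# "->getAll(" etc., case-insensitive, as PHP method names are; "->AutoExecute(" does not match.
CALL = re.compile(r"->\s*(" + "|".join(DANGEROUS) + r")\s*\(", re.I)
# A PHP variable interpolated inside a double-quoted string ("... $var ..." or "... {$obj->p} ...").
# Single-quoted PHP strings do not interpolate, so they are not checked here.
INTERP = re.compile(r'"[^"]*\$[\w{]')
# A variable concatenated into the query:  '...' . $var   or   $var . '...'
CONCAT = re.compile(r"""['"]\s*\.\s*\$|\$[\w\[\]'>-]*\s*\.\s*['"]""")
# ADOdb placeholder expressions are safe; blank them out before checking.
PARAM = re.compile(r"\$\w+->Param\([^)]*\)")

# Constructed PHP source exercising the cases the README describes.
SAMPLE_PHP = """<?php
$dbConn->GetRow("SELECT * FROM users WHERE id=$user_id");
$dbConn->GetRow("SELECT * FROM users WHERE id=?", array($user_id));
$ids = join(',', $ids);
$dbConn->GetAll("SELECT * FROM campaigns WHERE id IN ($ids)");
$dbConn->GetAll('SELECT * FROM campaigns WHERE FIND_IN_SET (id, ' . $dbConn->Param('') . ')', array(join(',', $ids)));
// safesql
$result_set = $dbConn->getAll('SELECT * FROM ' . $this->usersTable);
$task->execute('SELECT * FROM jobs WHERE owner = ' . $owner);
$dbConn->AutoExecute('users', $record, 'INSERT');
"""


def first_argument(text):
    """Text of the first argument of the call whose '(' is text[0]; string escapes are ignored."""
    depth, quote, out = 0, None, []
    for ch in text:
        if quote:
            out.append(ch)
            if ch == quote:
                quote = None
            continue
        if ch in "'\"":
            quote = ch
        elif ch == "(":
            depth += 1
            if depth == 1:
                continue
        elif ch == ")":
            depth -= 1
            if depth == 0:
                break
        elif ch == "," and depth == 1:
            break
        out.append(ch)
    return "".join(out)


def scan_php(source):
    """Return (line_number, method_name) for every suspicious ADOdb call."""
    findings = []
    lines = source.splitlines()
    for n, line in enumerate(lines, 1):
        m = CALL.search(line)
        if not m:
            continue
        if n > 1 and lines[n - 2].strip().startswith("// safesql"):
            continue  # developer asserted this query is safe
        sql_arg = PARAM.sub("?", first_argument(line[m.end() - 1:]))
        if INTERP.search(sql_arg) or CONCAT.search(sql_arg):
            findings.append((n, m.group(1)))
    return findings


if __name__ == "__main__":
    for lineno, method in scan_php(SAMPLE_PHP):
        print("line %d: %s() builds SQL from a variable" % (lineno, method))
```

A real implementation should resolve the class of the receiver where it can and follow variables assigned from a string built elsewhere; the README's point stands that in PHP this is not reliably possible, which is why PHP-Reaper keys on method names and accepts the occasional false positive.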