SQL / SQLI tokenizer parser analyzer. For

• C and C++
• PHP
• Python
• Lua
• Java (external port)
• LuaJIT/FFI (external port)

See https://www.client9.com/ for details and presentations.

Simple example:

#include <stdio.h>
#include <strings.h>
#include <errno.h>
#include "libinjection.h"
#include "libinjection_sqli.h"

int main(int argc, const char* argv[])
{
    struct libinjection_sqli_state state;
    int issqli;

    const char* input = argv[1];
    size_t slen = strlen(input);

    /* in real-world, you would url-decode the input, etc */

    libinjection_sqli_init(&state, input, slen, FLAG_NONE);
    issqli = libinjection_is_sqli(&state);
    if (issqli) {
        fprintf(stderr, "sqli detected with fingerprint of '%s'\n", state.fingerprint);
    }
    return issqli;
}

$ gcc -Wall -Wextra examples.c libinjection_sqli.c
$ ./a.out "-1' and 1=1 union/* foo */select load_file('/etc/passwd')--"
sqli detected with fingerprint of 's&1UE'

More advanced samples:

• sqli_cli.c
• reader.c
• fptool

See CHANGELOG for details.

Versions are listed as "major.minor.point"

Major are significant changes to the API and/or fingerprint format. Applications will need recompiling and/or refactoring.

Minor are C code changes. These may include

• logical change to detect or suppress
• optimization changes
• code refactoring

Point releases are purely data changes. These may be safely applied.

The continuous integration results at GitHub tests the following:

• build and unit-tests under GCC
• build and unit-tests under Clang
• static analysis using clang static analyzer
• static analysis using cppcheck
• checks for memory errors using valgrind

Copyright (c) 2012-2016 Nick Galbreath

Licensed under the standard BSD 3-Clause open source license. See COPYING for details.

Some of the previous help runners have been merged into the Makefile. E.g.:

• run-clang-asan.sh -> make clan-asan
• make-ci.sh -> make ci

If you run make cppcheck you will see this warning printed:

nofile:0 information missingIncludeSystem Cppcheck cannot find all the include files (use --check-config for details)

You can safely ignore it as it is just saying that standard include files are being ignored (which is the recommended option):

example1.c:1:0: information: Include file: <stdio.h> not found. Please note: Cppcheck does not need standard library headers to get proper results. [missingIncludeSystem]

The src directory contains everything, but you only need to copy the following into your source tree:

• src/libinjection.h
• src/libinjection_sqli.c
• src/libinjection_sqli_data.h
• COPYING

Usually the new autoconf build system takes care of the LIBINJECTION_VERSION definition. But that might now be available when you are embedding the above files.

This is solved by manually defining the version you are embedding to your CFLAGS.

E.g.: CFLAGS="-DLIBINJECTION_VERSION=\"3.9.2.65-dfe6-dirty\""

An easy way to get the version tag is to execute git describe in this directory.