SQL injection emulation (tanner issue, 13 comments, closed)

mushorg commented on September 27, 2024
SQL injection emulation

from tanner.

Comments (13)

glaslos commented on September 27, 2024

Find out if we can use https://github.com/client9/libinjection to detect SQLi

afeena commented on September 27, 2024

I get an error when trying to use libinjection with Python 3. I used these docs and get the following error:

Traceback (most recent call last):
  File "/home/afeena/draft/sqli.py", line 4, in <module>
    s = sqli_state()
NameError: name 'sqli_state' is not defined

I have the module in `/usr/local/lib/python3.5/dist-packages/libinjection-3.9.1-py3.5-linux-x86_64.egg`; I can import the module, but can't use its functions.

When I use libinjection with Python 2 I have no problem; it finds all the functions.
I don't know the binding process well; maybe we can do something about the error?

glaslos commented on September 27, 2024

I can confirm your issue.

glaslos commented on September 27, 2024

Can you raise an issue with the maintainer of libinjection?

afeena commented on September 27, 2024

I wrote the issue yesterday :)
client9/libinjection#108
Waiting for the answer.

glaslos commented on September 27, 2024

Initial work done here: 638ed6a

afeena commented on September 27, 2024

  • Shall we use Docker for the DB, or can we run the DB without Docker?
  • Shall we use one DB for all possible users, or maybe create a DB for every session and then drop it?
  • What DB shall we use?

I'm thinking about initializing the DB: we can use an SQL file for creating the DB. If the user wants, he can use his own SQL file, but by default we can use any existing dump.

glaslos commented on September 27, 2024

Can you have a look at how it was done by Rebecca? https://github.com/rebeccan/glastopf There is some information in install.txt.

afeena commented on September 27, 2024

I explored the code one more time. I want to make the first implementation with two tables (users and comments) and an SQLite DB, and without Docker for the first attempt. Would that be OK?

glaslos commented on September 27, 2024

Sounds good.

afeena commented on September 27, 2024

Mapping requests to tables blew my mind. I have only one idea for how to implement this:
create special dorks for SQLi based on the existing database.

Example:
We have a table users with the fields id, username, email, password

  1. Determine the set of queries for the table:
    SELECT * FROM users WHERE id=,
    SELECT email FROM users WHERE username=, etc.
  2. Create special dorks mapped to the queries:
    /smth/blogpost.php?id=1,
    /smth/userinfo.php?username=admin,
    etc.

Maybe this idea doesn't have any chance, but I can't imagine how to make a working system for various DBs and sites.

We can stay for now with Rebecca's implementation: map login/password (in GET or POST) to the users table (for the login form), and the comment in the request to the comments table.

Can you look at my commits, please? Maybe I'm moving in the wrong direction. afeena@d7d0fb2
afeena@abede5e

glaslos commented on September 27, 2024

SQLi handling consists of two components: we want to detect the SQLi statements in the HTTP query (using libinjection), and we want to reply to the query so the adversary thinks he was successful. As you already noticed, the second part is rather difficult.
Usually we see SQLi queries that target specific applications. They will try the query against the honeypot; if it's not working, they move on to a different target. Then we see queries that are only probing to see if there is a vulnerability. Usually they try to trigger a SQL error message. Then they try to use that error message from SQL to get data out of the database. So sometimes it is enough to respond with an SQL error message if we see a SQL injection query. This is how I would start: if it is a SQL injection and we don't know how to respond properly, reply with an error message.

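The two-part approach glaslos describes (detect the injection, then either let the payload appear to work or fall back to an SQL error message), combined with afeena's dork-to-query mapping and the users/comments SQLite tables proposed earlier, as an added example. This is not Tanner's code and not the project's own API. It assumes an in-memory SQLite database with constructed sample rows, hypothetical dork paths (`/smth/blogpost.php`, `/smth/userinfo.php`, `/login.php`), and a crude regex heuristic standing in for libinjection so that it runs without the binding:

```python
# Added example, not Tanner's code: a minimal SQLi emulation loop in the shape
# the thread sketches. Assumptions (none are from the project): an in-memory
# SQLite database with `users` and `comments` tables, a regex heuristic standing
# in for libinjection, and a hand-written dork -> query-template map.
import re
import sqlite3
from urllib.parse import parse_qsl, urlsplit

# Constructed sample schema and data (the "existing dump" the thread mentions).
SCHEMA = """
CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT, password TEXT);
CREATE TABLE comments (id INTEGER PRIMARY KEY, author TEXT, body TEXT);
INSERT INTO users VALUES (1, 'admin', 'admin@example.com', 'c0ffee');
INSERT INTO users VALUES (2, 'alice', 'alice@example.com', 'hunter2');
INSERT INTO comments VALUES (1, 'alice', 'first post');
"""

# Dorks mapped to query templates (hypothetical paths). Each entry lists the
# request parameters that feed the query and a template with %s placeholders.
DORKS = {
    "/smth/blogpost.php": (("id",), "SELECT id, author, body FROM comments WHERE id=%s"),
    "/smth/userinfo.php": (("username",), "SELECT email FROM users WHERE username='%s'"),
    # login form: username/password (GET or POST) map to the users table
    "/login.php": (("username", "password"),
                   "SELECT id, username FROM users WHERE username='%s' AND password='%s'"),
}

# Crude stand-in for libinjection: flags the tokens most probes rely on.
# It false-positives on a benign apostrophe; libinjection's tokenizer and
# fingerprint matching are what you want in production.
SQLI_HINTS = re.compile(r"""(?ix)
      '                      # stray quote breaking out of a string literal
    | --                     # SQL line comment
    | /\*                    # block comment
    | ;                      # stacked statement
    | \bunion\b
    | \bor\s+\S+\s*=\s*\S+   # OR 1=1 style tautology
    | \bsleep\s*\(           # time-based probe
""")

# Canned error in the style of the DB we pretend to be. Returning SQLite's own
# message would tell the adversary what is really behind the page.
FAKE_ERROR = ("You have an error in your SQL syntax; check the manual that "
              "corresponds to your MySQL server version for the right syntax "
              "to use near '%s' at line 1")


def build_db():
    """Fresh in-memory database loaded from the constructed dump."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def looks_like_sqli(value):
    return SQLI_HINTS.search(value) is not None


def parse_request(url, body=None):
    """Split a request into path and merged GET/POST parameters."""
    parts = urlsplit(url)
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    if body:
        params.update(parse_qsl(body, keep_blank_values=True))
    return parts.path, params


def handle_request(conn, path, params):
    """Answer one request the way the emulated vulnerable page would."""
    if path not in DORKS:
        return {"status": 404, "sqli": False, "rows": [], "error": None}
    names, template = DORKS[path]
    values = [params.get(n, "") for n in names]

    if not any(looks_like_sqli(v) for v in values):
        # Benign request: answer with a parametrized query so the honeypot
        # itself is not injectable.
        safe = template.replace("'%s'", "?").replace("%s", "?")
        rows = conn.execute(safe, values).fetchall()
        return {"status": 200, "sqli": False, "rows": rows, "error": None}

    # Injection detected: build the statement by concatenation, exactly as the
    # vulnerable application would, so UNION/OR payloads appear to work.
    unsafe = template % tuple(values)
    try:
        rows = conn.execute(unsafe).fetchall()
        return {"status": 200, "sqli": True, "rows": rows, "error": None}
    except sqlite3.Error:
        # Fallback from the thread: we cannot answer properly, so return an
        # SQL error message and let the probe "succeed" at triggering one.
        return {"status": 200, "sqli": True, "rows": [],
                "error": FAKE_ERROR % values[0][:16]}


def emulate(url, body=None):
    """One request against a fresh database (one DB per request/session)."""
    path, params = parse_request(url, body)
    return handle_request(build_db(), path, params)


if __name__ == "__main__":
    for url in ("/smth/blogpost.php?id=1",
                "/smth/blogpost.php?id=1'",
                "/smth/userinfo.php?username=admin'%20OR%20'1'='1",
                "/smth/blogpost.php?id=0%20UNION%20SELECT%20id,username,password%20FROM%20users"):
        print(url, "->", emulate(url))
```

Two details matter for a honeypot rather than a toy: the error path deliberately returns a canned MySQL-style message instead of SQLite's own text, because the real backend's error string would fingerprint the emulation, and benign requests go through a parametrized query so the honeypot is not itself a real injection target. Building the database per request is the simplest answer to the "one DB or one per session" question above; a persistent one would need cleanup of whatever an attacker's stacked statements write.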

glaslos commented on September 27, 2024

Initial work done with dde3110
