PHP SQL INJECTION

Question

jsj1411 0 Newbie Poster

8 Years Ago

My code here suppose to grab list of injection string from table:* injection_text*, column: injection_code and inject it at the tail of the URL's crawled by my program, the URL's crawled are stored table: pages_crawl. my program suppose to display the result of the injection. the purpose of this program is to test for SQL injection vulnerabilities. its my Final year project. currently it is not displaying any vulnerabilities but if i inject manually into the URL's the site is vulnerable. Can anyone help me fix this code? currently it is injecting the string but it is removing the interger value in the url,
for example :
id=26381&cat=srigossip become id'&cat'
i want it to append the injection string to the end of the URL without altering the URL
' is my injection string
Can anyone help me fix this code?

            // prepare the url for the GET injection
            $urls = parse_url($row_pages['link']);
            parse_str($urls['query'], $query_string);

            $get_inject = "";
            if (!empty($query_string))
            {
                $i = 0;
                foreach ($query_string as $var => $value)
                {
               $get_inject .= (($i==0) ? "?" : "&") . $var . "=" . $row_injection_text['injection_code'];

                    $i++;
                }
            }

            $url_to_inject = $urls['scheme'] . "://" . $urls['host'] . $urls['path'];

            $curl = curl_init();

            curl_setopt_array($curl, array(
                CURLOPT_RETURNTRANSFER => 1,
                CURLOPT_URL => $url_to_inject . $get_inject,
                CURLOPT_USERAGENT => 'Desktop Browser Test'
            ));

            $response = curl_exec($curl);

            $header_size = curl_getinfo($curl, CURLINFO_HEADER_SIZE);
            $header = substr($response, 0, $header_size);
            $body = substr($response, $header_size);

            curl_close($curl);

            $result_injection = checkForm($body, 'error in your SQL') ? "0" : "1";

mysql php

Edited 8 Years Ago by jsj1411

4 Contributors
13 Replies
459 Views
2 Days Discussion Span
Latest Post 8 Years Ago Latest Post by hielo

hielo 65 Veteran Poster

8 Years Ago

On line 11, where are you initializing $row_injection_text? I am wondering if you meant to write $row_pages?

diafol

8 Years Ago

Not sure why you would get SQL injection vulnerabilities. If you use prepared statements, you shoud be able to pass anything to them without causing injections. Obviously you'd validate input before running the statement. Am I missing something?

jsj1411 commented: actually i'm developing a sql injection testing tool on webpages, which this code suppose to inject , injecting string into the url +0

diafol

8 Years Ago

Ah. Sorry, makes more sense now. Unfort. won't be able to hlp for a few days. Hope somebody can help in the meantime.

jsj1411 commented: really hope somebody could help me out here +0

hielo 65 Veteran Poster

8 Years Ago

Please provide a sample value for $row_pages['link'] and $row_injection_text['injection_code'].

Reply to this topic

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.

actually i'm developing a sql injection testing tool on webpages, which this code suppose to inject , injecting string into the url

cereal 1,524 Nearly a Senior Poster Featured Poster · Answer 1 · 2016-05-26T19:56:53+00:00

Hi, have you tried http_build_query()?

http://php.net/manual/en/function.http-build-query.php

jsj1411 0 Newbie Poster · Answer 2 · 2016-05-26T22:30:21+00:00

here's the full code, i sincerely hope someone could help me out, pls

<?php

include('simple_html_dom.php');

$query = "SELECT * FROM `injection_text`";

$cxn = new mysqli('p:localhost', 'root', '', 'wordpress', '3306');
$result = $cxn->query($query);

echo "<table>";
echo "<tr>
        <td>No</td>
        <td>URL</td>
        <td>Response</td>
        <td>Result</td>
      </tr>";

while($row_injection_text = $result->fetch_assoc()) 
{
    $params = $row_injection_text['injection_code'];

    $sql = "SELECT *, `b`.`id` AS crawl_id FROM `pages` a LEFT JOIN `pages_crawl` b ON `a`.`id`=`b`.`pages_id` WHERE `b`.`pages_id` = '" . $_GET['id'] . "' GROUP BY `b`.`id`";
    $result_row = $cxn->query($sql);

    $count = 0;
    while ($row_pages = $result_row->fetch_assoc())
    {

        if (checkForm($row_pages['source'], '<form'))
        {
            $params = ((strpos($row_pages['link'], '?')) ? "&" : "?") . $params;

            $getInput = getInputFields($row_pages['link'] . $params);         

            // if response is with error, it does not need to be injected post style
           if (!isset($getInput['error']))
            {

                // POST injection occurs here
                $param = array();

                foreach ($getInput as $elements) 
                {
                    foreach ($elements['inputs'] as $input)
                    {
                        $param[$input] = $row_injection_text['injection_code'];
                    }
                }

                $curl = curl_init();

                curl_setopt_array($curl, array(
                    CURLOPT_RETURNTRANSFER => 1,
                    CURLOPT_URL => $row_pages['link'],
                    CURLOPT_USERAGENT => 'Desktop Browser Test',
                    CURLOPT_POST => 1,
                    CURLOPT_VERBOSE => 1,
                    CURLOPT_HEADER => 1,
                    CURLOPT_POSTFIELDS => $param
                ));

                $response = curl_exec($curl);

                $header_size = curl_getinfo($curl, CURLINFO_HEADER_SIZE);
                $header = substr($response, 0, $header_size);
                $body = substr($response, $header_size);
                curl_close($curl);

                $result_injection = checkForm($body, 'error in your SQL') ? "0" : "1";

                // save the injection response in the database
                $query_post = " INSERT INTO `injection_result` SET pages_crawl_id = '" . $row_pages['crawl_id'] . 
                                    "', injection_text_id = '" . $row_injection_text['id'] . 
                                    "', response = '" . addslashes($header) . 
                                    "', method = 'POST" . 
                                    "', result = '" . ($result_injection) . "' ";
                $result_post = $cxn->query($query_post);
           }

            // prepare the url for the GET injection
            $urls = parse_url($row_pages['link']);
            parse_str($urls['query'], $query_string);

            $get_inject = "";
            if (!empty($query_string))
            {
                $i = 0;
                foreach ($query_string as $var => $value)
                {
                    $get_inject .= (($i==0) ? "?" : "&") . $var . "=" . $row_injection_text['injection_code'];
                    $i++;
                }
            }

            $url_to_inject = $urls['scheme'] . "://" . $urls['host'] . $urls['path'];

            $curl = curl_init();

            curl_setopt_array($curl, array(
                CURLOPT_RETURNTRANSFER => 1,
                CURLOPT_URL => $url_to_inject . $get_inject,
                CURLOPT_USERAGENT => 'Desktop Browser Test'
            ));

            $response = curl_exec($curl);

            $header_size = curl_getinfo($curl, CURLINFO_HEADER_SIZE);
            $header = substr($response, 0, $header_size);
            $body = substr($response, $header_size);

            curl_close($curl);

            $result_injection = checkForm($body, 'error in your SQL') ? "0" : "1";

            // save the injection response in the database
            $query_get = " INSERT INTO `injection_result` SET pages_crawl_id = '" . $row_pages['crawl_id'] . 
                                "', injection_text_id = '" . $row_injection_text['id'] . 
                                "', response = '" . addslashes($header) . 
                                "', method = 'GET" .
                                "', result = '" . ($result_injection) . "' ";
            $result_get = $cxn->query($query_get);

            // display
            echo "<tr><td>" . ++$count . "</td>";
            echo "<td><a href='" . $url_to_inject . $get_inject . "'>" . $url_to_inject . $get_inject . "</a></td>";
            echo "<td>" . $header . "</td>";
            echo "<td nowrap>" . (($result_injection == 1) ? "<span style='color:red;'>VULNERABLE!</span>" : "SECURE" ) . "</td>";
            echo "</tr>";
        }
    }

    echo "</tr>";
}

echo "</table>";

/*
 * Function to check for elements in a page
 * use a very simple string comparison function in php
 *
 * returns boolean
 *
 */
function checkForm($htmlSource, $needle)
{
    if (strpos($htmlSource, $needle)) {
        return true;
    }
    else {
        return false;
    }
}


/*
 * function to inject GET style
 * while at the same time check if there is a input elements in the page
 *
 * returns the inputs name
 *
 */
function getInputFields ($htmlSource)
{
    // param initilization
    $params = array();

    // get simple html
    $html = @file_get_html($htmlSource);

    // got html
    // prepare params to inject using forms in the html
    if (!is_bool($html))
    {
        // Find all form(s)
        $i=0;
        foreach($html->find('form') as $forms) {
            if (!empty($forms->action))
            {
                $params[0]['forms'][$i++] = $forms->action;
            }
        }

        // Find all input(s)
        $i=0;
        foreach($html->find('input') as $input) {
            if (!empty($input->name)) 
            {
                $params[0]['inputs'][$i++] = $input->name;
            }
        }
    }

    // no forms in the page
    else
    {
        $params['error'] = 'No forms here';
    }

    return $params;
}

?>

jsj1411 0 Newbie Poster · Answer 3 · 2016-05-27T15:07:20+00:00

$row_pages['link'] will have values such as :
http://suagacollection.com/mask_details.php?mask=28&page=1
$row_injection_text['inject_code'] will have values such as :
'
' or 1=1 --

hielo 65 Veteran Poster · Answer 4 · 2016-05-27T15:40:08+00:00

Are you sure that your $row_injection_text['inject_code'] has a value? Meaning, have you tried running your LEFT JOIN query in an sql tool to verify that you are getting the expected results? Or even simpler, does it work when you try INNER JOIN?

The relevant block of code in question seems fine:

<?php
//save this as test.php and try it out
$row_pages = Array('link'=>'http://domain.com/mask_details.php?mask=28&page=1');
$row_injection_text=Array('injection_code'=>"' ' or 1=1 --");

            $urls = parse_url($row_pages['link']);
            echo '<pre>',__LINE__,'. ',print_r($urls,true),'</pre>';
            parse_str($urls['query'], $query_string);
            $get_inject = "";
            if (!empty($query_string))
            {
                $i = 0;
                foreach ($query_string as $var => $value)
                {
                    $get_inject .= (($i==0) ? "?" : "&") . $var . "=" . $row_injection_text['injection_code'];
                    $i++;
                }
            }
            $url_to_inject = $urls['scheme'] . "://" . $urls['host'] . $urls['path'];

echo $url_to_inject.$get_inject;

jsj1411 0 Newbie Poster · Answer 5 · 2016-05-27T18:53:12+00:00

Is it possible for u to help me thru team viewer, the query seems fine one my side here. Maybe in that way u can have a beter view of my issue here

jsj1411 0 Newbie Poster · Answer 6 · 2016-05-27T19:15:46+00:00

The main issue is, it's not detecting any vulnerability so it doesn't post into injection_result table, it's not checking whether it is a sql error or simply just a page not found error, even page not found is detected as vulnerable site

hielo 65 Veteran Poster · Answer 7 · 2016-05-27T20:23:34+00:00

The main issue is, it's not detecting any vulnerability

How do you know that it is not detecting any vulnerabilities? Are you echoing (and inspecting) the intermediate results

so it doesn't post into injection_result table

Well, that's because what you have is a hybrid of the INSERT and UPDATE statements. The correct syntax is:

INSERT INTO `tableName` (`fieldName1`,`fieldName2`) VALUES ('value1', 'value2');
-- and for updates
UPDATE `tableName` SET `fieldName1` = 'value1', `fieldName2`='value2'

After executing a query, you should check to see if it fails. You are not doing error checking after executing queries. Otherwise you would have found the error.

cereal 1,524 Nearly a Senior Poster Featured Poster · Answer 8 · 2016-05-28T07:39:55+00:00

@hielo hi! On MySQL you can use the SET clause in the INSERT statement, both syntaxes are supported, see:

http://dev.mysql.com/doc/refman/5.7/en/insert.html

hielo 65 Veteran Poster · Answer 9 · 2016-05-28T19:58:54+00:00

Indeed! That is certainly news to me. FYI: that seems to be a MySQL-specific feature. It is not standard sql (see section 13.8 <insert statement> at http://www.contrib.andrew.cmu.edu/~shadow/sql/sql1992.txt).

On another note, the following line:

if (checkForm($row_pages['source'], '<form')){ /*...the sql injection tests go here...*/ }

will not perform any of the sql injection test on the relevant page whenever the page in question does not have a <form> in it. I looked at the site with the masks, and I did not find any page with forms in them, so the sample url you supplied is not the ideal site on which to try out your tests.