2009-12-30 22:24:22 +00:00
|
|
|
##
|
|
|
|
|
# $Id$
|
|
|
|
|
##
|
|
|
|
|
|
|
|
|
|
##
|
2010-04-30 08:40:19 +00:00
|
|
|
# This file is part of the Metasploit Framework and may be subject to
|
2009-12-30 22:24:22 +00:00
|
|
|
# redistribution and commercial restrictions. Please see the Metasploit
|
|
|
|
|
# Framework web site for more information on licensing and terms of use.
|
|
|
|
|
# http://metasploit.com/framework/
|
|
|
|
|
##
|
|
|
|
|
|
|
|
|
|
require 'rex/proto/http'
|
|
|
|
|
require 'msf/core'
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
class Metasploit3 < Msf::Auxiliary
|
|
|
|
|
|
|
|
|
|
include Msf::Exploit::Remote::HttpClient
|
|
|
|
|
include Msf::Auxiliary::WMAPScanUniqueQuery
|
|
|
|
|
include Msf::Auxiliary::Scanner
|
|
|
|
|
include Msf::Auxiliary::Report
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
def initialize(info = {})
|
2010-04-30 08:40:19 +00:00
|
|
|
super(update_info(info,
|
2009-12-30 22:24:22 +00:00
|
|
|
'Name' => 'HTTP Error Based SQL Injection Scanner',
|
|
|
|
|
'Description' => %q{
|
|
|
|
|
This module identifies the existence of Error Based SQL injection issues. Still requires alot of work
|
2010-04-30 08:40:19 +00:00
|
|
|
|
2009-12-30 22:24:22 +00:00
|
|
|
},
|
|
|
|
|
'Author' => [ 'et [at] cyberspace.org' ],
|
|
|
|
|
'License' => BSD_LICENSE,
|
2010-04-30 08:40:19 +00:00
|
|
|
'Version' => '$Revision$'))
|
|
|
|
|
|
2009-12-30 22:24:22 +00:00
|
|
|
register_options(
|
|
|
|
|
[
|
|
|
|
|
OptString.new('METHOD', [ true, "HTTP Method",'GET']),
|
|
|
|
|
OptString.new('PATH', [ true, "The path/file to test SQL injection", '/default.aspx']),
|
2011-02-22 04:27:40 +00:00
|
|
|
OptString.new('QUERY', [ false, "HTTP URI Query", '']),
|
|
|
|
|
OptString.new('DATA', [ false, "HTTP Body/Data Query", ''])
|
2009-12-30 22:24:22 +00:00
|
|
|
], self.class)
|
2010-04-30 08:40:19 +00:00
|
|
|
|
2009-12-30 22:24:22 +00:00
|
|
|
register_advanced_options(
|
|
|
|
|
[
|
|
|
|
|
OptBool.new('NoDetailMessages', [ false, "Do not display detailed test messages", true ])
|
|
|
|
|
], self.class)
|
2010-04-30 08:40:19 +00:00
|
|
|
|
2009-12-30 22:24:22 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
|
|
def run_host(ip)
|
2010-04-30 08:40:19 +00:00
|
|
|
|
2011-02-04 05:57:26 +00:00
|
|
|
qvars = nil
|
2010-04-30 08:40:19 +00:00
|
|
|
|
2009-12-30 22:24:22 +00:00
|
|
|
sqlinj = [
|
|
|
|
|
[ "'" ,'Single quote'],
|
|
|
|
|
[ "')",'Single quote and parenthesis'],
|
|
|
|
|
[ "\"",'Double quote'],
|
2011-02-22 04:27:40 +00:00
|
|
|
[ "%u0027",'unicode single quote'],
|
|
|
|
|
[ "%u02b9",'unicode single quote'],
|
|
|
|
|
[ "%u02bc",'unicode single quote'],
|
|
|
|
|
[ "%u02c8",'unicode single quote'],
|
|
|
|
|
[ "%c0%27",'unicode single quote'],
|
|
|
|
|
[ "%c0%a7",'unicode single quote'],
|
|
|
|
|
[ "%e0%80%a7",'unicode single quote'],
|
2010-04-30 08:40:19 +00:00
|
|
|
[ "#{rand(10)}'", 'Random value with single quote']
|
2009-12-30 22:24:22 +00:00
|
|
|
]
|
2010-04-30 08:40:19 +00:00
|
|
|
|
2009-12-30 22:24:22 +00:00
|
|
|
errorstr = [
|
|
|
|
|
["Unclosed quotation mark after the character string",'MSSQL','string'],
|
|
|
|
|
["Syntax error in string in query expression",'MSSQL','string'],
|
|
|
|
|
["Microsoft OLE DB Provider",'MSSQL','unknown'],
|
|
|
|
|
["You have an error in your SQL syntax",'MySQL','unknown'],
|
2011-02-04 05:57:26 +00:00
|
|
|
["java.sql.SQLException",'unknown','unknown'],
|
|
|
|
|
["ORA-",'ORACLE','unknown'],
|
|
|
|
|
["PLS-",'ORACLE','unknown'],
|
|
|
|
|
["Syntax error",'unknown','unknown'],
|
2009-12-30 22:24:22 +00:00
|
|
|
]
|
2010-04-30 08:40:19 +00:00
|
|
|
|
2009-12-30 22:24:22 +00:00
|
|
|
#
|
|
|
|
|
# Dealing with empty query/data and making them hashes.
|
|
|
|
|
#
|
2010-04-30 08:40:19 +00:00
|
|
|
|
2011-02-22 20:49:44 +00:00
|
|
|
if datastore['METHOD'] =='GET'
|
2011-02-22 04:27:40 +00:00
|
|
|
if not datastore['QUERY'].empty?
|
|
|
|
|
qvars = queryparse(datastore['QUERY']) #Now its a Hash
|
|
|
|
|
else
|
|
|
|
|
return
|
|
|
|
|
end
|
2009-12-30 22:24:22 +00:00
|
|
|
else
|
2011-02-22 04:27:40 +00:00
|
|
|
if not datastore['DATA'].empty?
|
|
|
|
|
qvars = queryparse(datastore['DATA']) #Now its a Hash
|
|
|
|
|
else
|
|
|
|
|
return
|
2011-02-22 20:49:44 +00:00
|
|
|
end
|
2009-12-30 22:24:22 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
|
|
#
|
2010-04-30 08:40:19 +00:00
|
|
|
# Send normal request to check if error is generated
|
2009-12-30 22:24:22 +00:00
|
|
|
# (means the error is caused by other means)
|
|
|
|
|
#
|
2010-09-20 08:06:27 +00:00
|
|
|
#
|
2010-04-30 08:40:19 +00:00
|
|
|
|
2011-02-04 05:57:26 +00:00
|
|
|
if datastore['METHOD'] == 'POST'
|
|
|
|
|
reqinfo = {
|
|
|
|
|
'uri' => datastore['PATH'],
|
2011-02-22 04:27:40 +00:00
|
|
|
'query' => datastore['QUERY'],
|
|
|
|
|
'data' => datastore['DATA'],
|
2011-02-04 05:57:26 +00:00
|
|
|
'method' => datastore['METHOD'],
|
2011-02-22 04:27:40 +00:00
|
|
|
'ctype' => 'application/x-www-form-urlencoded',
|
|
|
|
|
'encode' => false
|
2011-02-04 05:57:26 +00:00
|
|
|
}
|
|
|
|
|
else
|
|
|
|
|
reqinfo = {
|
2010-09-20 08:06:27 +00:00
|
|
|
'uri' => datastore['PATH'],
|
2011-02-22 04:27:40 +00:00
|
|
|
'query' => datastore['QUERY'],
|
2010-09-20 08:06:27 +00:00
|
|
|
'method' => datastore['METHOD'],
|
2011-02-22 04:27:40 +00:00
|
|
|
'ctype' => 'application/x-www-form-urlencoded',
|
|
|
|
|
'encode' => false
|
2011-02-04 05:57:26 +00:00
|
|
|
}
|
|
|
|
|
end
|
2011-02-22 20:49:44 +00:00
|
|
|
|
2011-02-04 05:57:26 +00:00
|
|
|
begin
|
2011-02-22 04:27:40 +00:00
|
|
|
normalres = send_request_raw(reqinfo, 20)
|
2010-04-30 08:40:19 +00:00
|
|
|
|
2009-12-30 22:24:22 +00:00
|
|
|
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
|
2010-04-30 08:40:19 +00:00
|
|
|
rescue ::Timeout::Error, ::Errno::EPIPE
|
2009-12-30 22:24:22 +00:00
|
|
|
end
|
2010-04-30 08:40:19 +00:00
|
|
|
|
2009-12-30 22:24:22 +00:00
|
|
|
if !datastore['NoDetailMessages']
|
2010-04-30 08:40:19 +00:00
|
|
|
print_status("Normal request sent.")
|
2009-12-30 22:24:22 +00:00
|
|
|
end
|
2010-04-30 08:40:19 +00:00
|
|
|
|
2009-12-30 22:24:22 +00:00
|
|
|
found = false
|
|
|
|
|
inje = nil
|
|
|
|
|
dbt = nil
|
|
|
|
|
injt = nil
|
2010-04-30 08:40:19 +00:00
|
|
|
|
2009-12-30 22:24:22 +00:00
|
|
|
if normalres
|
|
|
|
|
errorstr.each do |estr,dbtype,injtype|
|
|
|
|
|
if normalres.body.include? estr
|
|
|
|
|
found = true
|
|
|
|
|
inje = estr
|
|
|
|
|
dbt = dbtype
|
2010-04-30 08:40:19 +00:00
|
|
|
injt = injtype
|
2009-12-30 22:24:22 +00:00
|
|
|
end
|
|
|
|
|
end
|
2010-04-30 08:40:19 +00:00
|
|
|
|
2009-12-30 22:24:22 +00:00
|
|
|
if found
|
|
|
|
|
print_error("[#{wmap_target_host}] Error string appears in the normal response, unable to test")
|
2010-04-30 08:40:19 +00:00
|
|
|
print_error("[#{wmap_target_host}] Error string: '#{inje}'")
|
2009-12-30 22:24:22 +00:00
|
|
|
print_error("[#{wmap_target_host}] DB TYPE: #{dbt}, Error type '#{injt}'")
|
2010-04-30 08:40:19 +00:00
|
|
|
|
2009-12-30 22:24:22 +00:00
|
|
|
report_note(
|
|
|
|
|
:host => ip,
|
2011-02-04 05:57:26 +00:00
|
|
|
:proto => 'tcp',
|
|
|
|
|
:sname => 'HTTP',
|
2009-12-30 22:24:22 +00:00
|
|
|
:port => rport,
|
|
|
|
|
:type => 'DATABASE_ERROR',
|
|
|
|
|
:data => "#{datastore['PATH']} Error: #{inje} DB: #{dbt}"
|
|
|
|
|
)
|
2010-04-30 08:40:19 +00:00
|
|
|
|
2009-12-30 22:24:22 +00:00
|
|
|
return
|
|
|
|
|
end
|
|
|
|
|
else
|
|
|
|
|
print_error("[#{wmap_target_host}] No response")
|
2010-04-30 08:40:19 +00:00
|
|
|
return
|
2009-12-30 22:24:22 +00:00
|
|
|
end
|
2010-04-30 08:40:19 +00:00
|
|
|
|
2009-12-30 22:24:22 +00:00
|
|
|
#
|
|
|
|
|
# Test URI Query parameters
|
2010-09-20 08:06:27 +00:00
|
|
|
#
|
2010-04-30 08:40:19 +00:00
|
|
|
|
2009-12-30 22:24:22 +00:00
|
|
|
found = false
|
2010-04-30 08:40:19 +00:00
|
|
|
|
2011-02-04 05:57:26 +00:00
|
|
|
if qvars
|
2009-12-30 22:24:22 +00:00
|
|
|
sqlinj.each do |istr,idesc|
|
2010-04-30 08:40:19 +00:00
|
|
|
|
|
|
|
|
if found
|
|
|
|
|
break
|
2009-12-30 22:24:22 +00:00
|
|
|
end
|
2010-04-30 08:40:19 +00:00
|
|
|
|
2011-02-04 05:57:26 +00:00
|
|
|
qvars.each do |key,value|
|
2011-02-22 04:27:40 +00:00
|
|
|
if datastore['METHOD'] == 'POST'
|
|
|
|
|
qvars = queryparse(datastore['DATA']) #Now its a Hash
|
|
|
|
|
else
|
|
|
|
|
qvars = queryparse(datastore['QUERY']) #Now its a Hash
|
|
|
|
|
end
|
2011-02-04 05:57:26 +00:00
|
|
|
qvars[key] = qvars[key]+istr
|
2010-04-30 08:40:19 +00:00
|
|
|
|
2009-12-30 22:24:22 +00:00
|
|
|
if !datastore['NoDetailMessages']
|
2010-04-30 08:40:19 +00:00
|
|
|
print_status("- Testing query with #{idesc}. Parameter #{key}:")
|
2009-12-30 22:24:22 +00:00
|
|
|
end
|
2011-02-22 20:49:44 +00:00
|
|
|
|
2011-02-22 04:27:40 +00:00
|
|
|
fstr = ""
|
2011-02-22 20:49:44 +00:00
|
|
|
qvars.each_pair do |var,val|
|
2011-02-22 04:27:40 +00:00
|
|
|
fstr += var+"="+val+"&"
|
|
|
|
|
end
|
2011-02-22 20:49:44 +00:00
|
|
|
|
2011-02-04 05:57:26 +00:00
|
|
|
if datastore['METHOD'] == 'POST'
|
|
|
|
|
reqinfo = {
|
|
|
|
|
'uri' => datastore['PATH'],
|
2011-02-22 04:27:40 +00:00
|
|
|
'query' => datastore['QUERY'],
|
|
|
|
|
'data' => fstr,
|
2011-02-04 05:57:26 +00:00
|
|
|
'method' => datastore['METHOD'],
|
2011-02-22 04:27:40 +00:00
|
|
|
'ctype' => 'application/x-www-form-urlencoded',
|
|
|
|
|
'encode' => false
|
2011-02-04 05:57:26 +00:00
|
|
|
}
|
2009-12-30 22:24:22 +00:00
|
|
|
else
|
2011-02-04 05:57:26 +00:00
|
|
|
reqinfo = {
|
|
|
|
|
'uri' => datastore['PATH'],
|
2011-02-22 04:27:40 +00:00
|
|
|
'query' => fstr,
|
2011-02-04 05:57:26 +00:00
|
|
|
'method' => datastore['METHOD'],
|
2011-02-22 04:27:40 +00:00
|
|
|
'ctype' => 'application/x-www-form-urlencoded',
|
|
|
|
|
'encode' => false
|
2011-02-04 05:57:26 +00:00
|
|
|
}
|
2009-12-30 22:24:22 +00:00
|
|
|
end
|
2010-04-30 08:40:19 +00:00
|
|
|
|
2009-12-30 22:24:22 +00:00
|
|
|
begin
|
2011-02-22 20:49:44 +00:00
|
|
|
|
2011-02-22 04:27:40 +00:00
|
|
|
testres = send_request_raw(reqinfo, 20)
|
2010-04-30 08:40:19 +00:00
|
|
|
|
2009-12-30 22:24:22 +00:00
|
|
|
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
|
2010-04-30 08:40:19 +00:00
|
|
|
rescue ::Timeout::Error, ::Errno::EPIPE
|
2009-12-30 22:24:22 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
|
|
if testres
|
|
|
|
|
errorstr.each do |estr,dbtype,injtype|
|
|
|
|
|
if testres.body.include? estr
|
|
|
|
|
found = true
|
|
|
|
|
inje = estr
|
|
|
|
|
dbt = dbtype
|
2010-04-30 08:40:19 +00:00
|
|
|
injt = injtype
|
2009-12-30 22:24:22 +00:00
|
|
|
end
|
|
|
|
|
end
|
2010-04-30 08:40:19 +00:00
|
|
|
|
2009-12-30 22:24:22 +00:00
|
|
|
if found
|
|
|
|
|
print_status("[#{wmap_target_host}] SQL Injection found. (#{idesc}) (#{datastore['PATH']})")
|
2011-02-04 05:57:26 +00:00
|
|
|
print_status("[#{wmap_target_host}] Error string: '#{inje}' Test Value: #{qvars[key]}")
|
|
|
|
|
print_status("[#{wmap_target_host}] Vuln query parameter: #{key} DB TYPE: #{dbt}, Error type '#{injt}'")
|
2010-04-30 08:40:19 +00:00
|
|
|
|
2009-12-30 22:24:22 +00:00
|
|
|
report_note(
|
|
|
|
|
:host => ip,
|
2011-02-04 05:57:26 +00:00
|
|
|
:proto => 'tcp',
|
|
|
|
|
:sname => 'HTTP',
|
2009-12-30 22:24:22 +00:00
|
|
|
:port => rport,
|
|
|
|
|
:type => 'SQL_INJECTION',
|
2011-02-04 05:57:26 +00:00
|
|
|
:data => "#{datastore['PATH']} Location: QUERY Parameter: #{key} Value: #{istr} Error: #{inje} DB: #{dbt}"
|
2009-12-30 22:24:22 +00:00
|
|
|
)
|
2010-04-30 08:40:19 +00:00
|
|
|
|
2011-02-04 05:57:26 +00:00
|
|
|
return
|
2009-12-30 22:24:22 +00:00
|
|
|
end
|
|
|
|
|
else
|
2010-04-30 08:40:19 +00:00
|
|
|
print_error("[#{wmap_target_host}] No response")
|
2009-12-30 22:24:22 +00:00
|
|
|
return
|
2010-04-30 08:40:19 +00:00
|
|
|
end
|
|
|
|
|
end
|
|
|
|
|
end
|
2011-02-22 20:49:44 +00:00
|
|
|
|
2011-02-22 04:27:40 +00:00
|
|
|
if datastore['METHOD'] == 'POST'
|
|
|
|
|
qvars = queryparse(datastore['DATA']) #Now its a Hash
|
|
|
|
|
else
|
|
|
|
|
qvars = queryparse(datastore['QUERY']) #Now its a Hash
|
|
|
|
|
end
|
2010-04-30 08:40:19 +00:00
|
|
|
end
|
2011-02-22 20:49:44 +00:00
|
|
|
end
|
2009-12-30 22:24:22 +00:00
|
|
|
end
|
