sql_injection.py
import requests
from bs4 import BeautifulSoup
from urllib.parse import urljoin
import os
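def sqli(url):
    """Check *url* and the HTML forms it serves for error-based SQL injection.

    A quote character is appended to the URL and to every named form field,
    and each response body is searched for known database error messages.
    Findings are printed and written to the report file.

    Only injection that surfaces one of the listed error strings is
    recognised, so a clean run does not show that the target is free of
    SQL injection (blind or error-suppressed cases are not covered).

    Args:
        url: Address of the page to test.

    Returns:
        None. Results go to stdout and to 'LFI report.txt'.
    """
    # Without a timeout a stalled server would hang the scan indefinitely.
    request_timeout = 10

    # Lower-cased fragments of database error pages, grouped by engine.
    error_signatures = (
        # MySQL
        "you have an error in your sql syntax;",
        "warning: mysql",
        # SQL Server
        "unclosed quotation mark after the character string",
        # Oracle
        "quoted string not properly terminated",
    )

    # One session so cookies and the browser-like User-Agent are reused.
    s = requests.Session()
    s.headers["User-Agent"] = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.106 Safari/537.36"

    # NOTE(review): every request below passes verify=False, which turns off
    # TLS certificate validation. Responses can then be altered by anyone on
    # the network path, so results are only trustworthy against lab targets;
    # prefer verify=True (or a CA bundle path) wherever the target allows it.

    def get_forms(url):
        """Return every <form> element found on the page at *url*."""
        page = s.get(url, verify=False, timeout=request_timeout)
        soup = BeautifulSoup(page.content, "html.parser")
        return soup.find_all("form")

    def form_details(form):
        """Collect the action, method and input fields of one form."""
        fields = []
        for tag in form.find_all("input"):
            fields.append({
                "type": tag.attrs.get("type", "text"),
                "name": tag.attrs.get("name"),
                "value": tag.attrs.get("value", ""),
            })
        return {
            # The action is kept as written: URL paths are case-sensitive,
            # so lower-casing it could point the request at another resource.
            "action": form.attrs.get("action", ""),
            "method": form.attrs.get("method", "get").lower(),
            "inputs": fields,
        }

    def is_vulnerable(response):
        """Return True when the body contains a known database error."""
        # errors="replace" keeps non-UTF-8 pages from aborting the scan.
        body = response.content.decode(errors="replace").lower()
        return any(signature in body for signature in error_signatures)

    def sql_scan(url, report):
        """Test the URL itself, then each form on the page; stop at the first hit."""
        # URL of the form http://abc.com?abc= : append the quote to the query.
        for c in "\"'":
            new_url = f"{url}{c}"
            print("[!] Trying", new_url)
            # The modified URL is what must be requested; fetching the
            # unmodified one would never exercise the parameter.
            req = s.get(new_url, verify=False, timeout=request_timeout)
            if is_vulnerable(req):
                print("[+] SQL Injection vulnerability detected, link:", new_url)
                report.write("[+] SQL Injection vulnerability detected, link:" + new_url + "\n")
                return

        # Forms are fetched once; the page does not change between quotes.
        forms = get_forms(url)
        report.write(f"[+] Detected {len(forms)} forms on {url}. \n")
        for form in forms:
            details = form_details(form)
            # Resolve against the page URL every time; reusing the previous
            # form's target as the base would misplace relative actions.
            target = urljoin(url, details["action"])
            for c in "\"'":
                data = {}
                for field in details["inputs"]:
                    name = field["name"]
                    if name is None:
                        # Unnamed inputs are not submitted by browsers.
                        continue
                    if field["type"] == "hidden" or field["value"]:
                        data[name] = field["value"] + c
                    elif field["type"] != "submit":
                        data[name] = f"test{c}"
                if details["method"] == "post":
                    res = s.post(target, data=data, verify=False, timeout=request_timeout)
                elif details["method"] == "get":
                    res = s.get(target, params=data, verify=False, timeout=request_timeout)
                else:
                    # Other methods (e.g. "dialog") send no request to test.
                    break
                if is_vulnerable(res):
                    report.write("[+] SQL Injection vulnerability detected, link:" + target + "\n")
                    report.write("[+] Form:\n")
                    # details is a dict; write() accepts only text.
                    report.write(f"{details}\n")
                    return

    try:
        # NOTE(review): the file name says LFI although this function reports
        # SQL injection findings; kept so existing readers of the path still
        # find the report. The context manager closes it on every exit path.
        with open('LFI report.txt', "w") as report:
            sql_scan(url, report)
    finally:
        s.close()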