ronin-sql 0.1.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- data/COPYING.txt +339 -0
- data/History.txt +7 -0
- data/Manifest.txt +45 -0
- data/README.txt +66 -0
- data/Rakefile +14 -0
- data/lib/ronin/code/sql.rb +24 -0
- data/lib/ronin/code/sql/between.rb +62 -0
- data/lib/ronin/code/sql/binary_expr.rb +46 -0
- data/lib/ronin/code/sql/builder.rb +61 -0
- data/lib/ronin/code/sql/code.rb +35 -0
- data/lib/ronin/code/sql/common_dialect.rb +62 -0
- data/lib/ronin/code/sql/create_index.rb +76 -0
- data/lib/ronin/code/sql/create_table.rb +93 -0
- data/lib/ronin/code/sql/create_view.rb +65 -0
- data/lib/ronin/code/sql/delete.rb +64 -0
- data/lib/ronin/code/sql/dialect.rb +162 -0
- data/lib/ronin/code/sql/drop_table.rb +51 -0
- data/lib/ronin/code/sql/exceptions.rb +24 -0
- data/lib/ronin/code/sql/exceptions/unknown_dialect.rb +31 -0
- data/lib/ronin/code/sql/expr.rb +193 -0
- data/lib/ronin/code/sql/field.rb +86 -0
- data/lib/ronin/code/sql/function.rb +52 -0
- data/lib/ronin/code/sql/in.rb +49 -0
- data/lib/ronin/code/sql/injection.rb +39 -0
- data/lib/ronin/code/sql/injection_builder.rb +137 -0
- data/lib/ronin/code/sql/injection_style.rb +79 -0
- data/lib/ronin/code/sql/insert.rb +86 -0
- data/lib/ronin/code/sql/keyword.rb +48 -0
- data/lib/ronin/code/sql/like_expr.rb +87 -0
- data/lib/ronin/code/sql/program.rb +79 -0
- data/lib/ronin/code/sql/replace.rb +58 -0
- data/lib/ronin/code/sql/select.rb +187 -0
- data/lib/ronin/code/sql/statement.rb +112 -0
- data/lib/ronin/code/sql/style.rb +170 -0
- data/lib/ronin/code/sql/unary_expr.rb +45 -0
- data/lib/ronin/code/sql/update.rb +75 -0
- data/lib/ronin/sql.rb +28 -0
- data/lib/ronin/sql/error.rb +52 -0
- data/lib/ronin/sql/extensions.rb +24 -0
- data/lib/ronin/sql/extensions/uri.rb +24 -0
- data/lib/ronin/sql/extensions/uri/http.rb +69 -0
- data/lib/ronin/sql/sql.rb +83 -0
- data/lib/ronin/sql/version.rb +29 -0
- data/spec/spec_helper.rb +5 -0
- data/tasks/spec.rb +7 -0
- metadata +121 -0
@@ -0,0 +1,24 @@
|
|
1
|
+
#
|
2
|
+
#--
|
3
|
+
# Ronin SQL - A Ronin library providing support for SQL related security
|
4
|
+
# tasks.
|
5
|
+
#
|
6
|
+
# Copyright (c) 2007-2008 Hal Brodigan (postmodern.mod3 at gmail.com)
|
7
|
+
#
|
8
|
+
# This program is free software; you can redistribute it and/or modify
|
9
|
+
# it under the terms of the GNU General Public License as published by
|
10
|
+
# the Free Software Foundation; either version 2 of the License, or
|
11
|
+
# (at your option) any later version.
|
12
|
+
#
|
13
|
+
# This program is distributed in the hope that it will be useful,
|
14
|
+
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
15
|
+
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
16
|
+
# GNU General Public License for more details.
|
17
|
+
#
|
18
|
+
# You should have received a copy of the GNU General Public License
|
19
|
+
# along with this program; if not, write to the Free Software
|
20
|
+
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
|
21
|
+
#++
|
22
|
+
#
|
23
|
+
|
24
|
+
require 'ronin/sql/extensions/uri'
|
@@ -0,0 +1,24 @@
|
|
1
|
+
#
|
2
|
+
#--
|
3
|
+
# Ronin SQL - A Ronin library providing support for SQL related security
|
4
|
+
# tasks.
|
5
|
+
#
|
6
|
+
# Copyright (c) 2007-2008 Hal Brodigan (postmodern.mod3 at gmail.com)
|
7
|
+
#
|
8
|
+
# This program is free software; you can redistribute it and/or modify
|
9
|
+
# it under the terms of the GNU General Public License as published by
|
10
|
+
# the Free Software Foundation; either version 2 of the License, or
|
11
|
+
# (at your option) any later version.
|
12
|
+
#
|
13
|
+
# This program is distributed in the hope that it will be useful,
|
14
|
+
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
15
|
+
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
16
|
+
# GNU General Public License for more details.
|
17
|
+
#
|
18
|
+
# You should have received a copy of the GNU General Public License
|
19
|
+
# along with this program; if not, write to the Free Software
|
20
|
+
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
|
21
|
+
#++
|
22
|
+
#
|
23
|
+
|
24
|
+
require 'ronin/sql/extensions/uri/http'
|
@@ -0,0 +1,69 @@
|
|
1
|
+
#
|
2
|
+
#--
|
3
|
+
# Ronin SQL - A Ronin library providing support for SQL related security
|
4
|
+
# tasks.
|
5
|
+
#
|
6
|
+
# Copyright (c) 2007-2008 Hal Brodigan (postmodern.mod3 at gmail.com)
|
7
|
+
#
|
8
|
+
# This program is free software; you can redistribute it and/or modify
|
9
|
+
# it under the terms of the GNU General Public License as published by
|
10
|
+
# the Free Software Foundation; either version 2 of the License, or
|
11
|
+
# (at your option) any later version.
|
12
|
+
#
|
13
|
+
# This program is distributed in the hope that it will be useful,
|
14
|
+
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
15
|
+
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
16
|
+
# GNU General Public License for more details.
|
17
|
+
#
|
18
|
+
# You should have received a copy of the GNU General Public License
|
19
|
+
# along with this program; if not, write to the Free Software
|
20
|
+
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
|
21
|
+
#++
|
22
|
+
#
|
23
|
+
|
24
|
+
require 'ronin/sql/sql'
|
25
|
+
require 'ronin/network/http'
|
26
|
+
|
27
|
+
require 'uri'
|
28
|
+
|
29
|
+
module URI
|
30
|
+
class HTTP < Generic
|
31
|
+
|
32
|
+
#
|
33
|
+
# Tests the +query_params+ of the HTTP URL with the given _options_ for
|
34
|
+
# SQL errors.
|
35
|
+
#
|
36
|
+
# _options_ may contain the following keys:
|
37
|
+
# <tt>:injection</tt>:: The SQL injection to use. Defaults to
|
38
|
+
# <tt>"'"</tt>.
|
39
|
+
# <tt>:types</tt>:: A list of error types to test for. If not specified
|
40
|
+
# all the error patterns in ERROR_PATTERNS will be
|
41
|
+
# tested.
|
42
|
+
#
|
43
|
+
def sql_errors(options={})
|
44
|
+
injection = (options[:injection] || "'")
|
45
|
+
|
46
|
+
return test_query_params(injection,options) do |injection_url|
|
47
|
+
body = Net.http_get_body(options.merge(:url => injection_url))
|
48
|
+
|
49
|
+
Ronin::SQL.error(body,options)
|
50
|
+
end
|
51
|
+
end
|
52
|
+
|
53
|
+
#
|
54
|
+
# Tests each +query_params+ of the HTTP URI with the given _options_ for
|
55
|
+
# SQL errors.
|
56
|
+
#
|
57
|
+
# _options_ may contain the following keys:
|
58
|
+
# <tt>:injection</tt>:: The SQL injection to use. Defaults to
|
59
|
+
# <tt>"'"</tt>.
|
60
|
+
# <tt>:types</tt>:: A list of error types to test for. If not specified
|
61
|
+
# all the error patterns in ERROR_PATTERNS will be
|
62
|
+
# tested.
|
63
|
+
#
|
64
|
+
def has_sql_errors?(options={})
|
65
|
+
!(sql_errors(options).empty?)
|
66
|
+
end
|
67
|
+
|
68
|
+
end
|
69
|
+
end
|
@@ -0,0 +1,83 @@
|
|
1
|
+
#
|
2
|
+
#--
|
3
|
+
# Ronin SQL - A Ronin library providing support for SQL related security
|
4
|
+
# tasks.
|
5
|
+
#
|
6
|
+
# Copyright (c) 2007-2008 Hal Brodigan (postmodern.mod3 at gmail.com)
|
7
|
+
#
|
8
|
+
# This program is free software; you can redistribute it and/or modify
|
9
|
+
# it under the terms of the GNU General Public License as published by
|
10
|
+
# the Free Software Foundation; either version 2 of the License, or
|
11
|
+
# (at your option) any later version.
|
12
|
+
#
|
13
|
+
# This program is distributed in the hope that it will be useful,
|
14
|
+
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
15
|
+
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
16
|
+
# GNU General Public License for more details.
|
17
|
+
#
|
18
|
+
# You should have received a copy of the GNU General Public License
|
19
|
+
# along with this program; if not, write to the Free Software
|
20
|
+
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
|
21
|
+
#++
|
22
|
+
#
|
23
|
+
|
24
|
+
require 'ronin/sql/error'
|
25
|
+
require 'ronin/extensions/uri'
|
26
|
+
|
27
|
+
module Ronin
|
28
|
+
module SQL
|
29
|
+
|
30
|
+
# SQL error patterns
|
31
|
+
ERROR_PATTERNS = {
|
32
|
+
# sourced from sqid (http://sqid.rubyforge.org/).
|
33
|
+
:ms_sql => /Microsoft OLE DB Provider for (SQL Server|ODBC Drivers.*\[Microsoft\]\[ODBC (SQL Server|Access) Driver\])/,
|
34
|
+
:ms_access => /\[Microsoft\]\[ODBC Microsoft Access Driver\] Syntax error/,
|
35
|
+
:ms_jetdb => /Microsoft JET Database Engine/,
|
36
|
+
:ms_adodb => /ADODB.Command.*error/,
|
37
|
+
:asp_net => /Server Error.*System\.Data\.OleDb\.OleDbException/,
|
38
|
+
:mysql => /(Warning.*(supplied argument is not a valid MySQL result|mysql_.*\(\))|You have an error in your SQL syntax.*(on|at) line)/,
|
39
|
+
:php => /(Warning.*failed to open stream|Fatal Error.*(on|at) line)/,
|
40
|
+
:oracle => /ORA-[0-9][0-9][0-9][0-9]/,
|
41
|
+
:jdbc => /Invalid SQL statement or JDBC/,
|
42
|
+
:java_servlet => /javax\.servlet\.ServletException/,
|
43
|
+
:apache_tomcat => /org\.apache\.jasper\.JasperException/,
|
44
|
+
:vb_runtime => /Microsoft VBScript runtime/,
|
45
|
+
:vb_asp => /Type mismatch/
|
46
|
+
}
|
47
|
+
|
48
|
+
#
|
49
|
+
# Tests whether the _body_ contains an SQL error message using the
|
50
|
+
# given _options_.
|
51
|
+
#
|
52
|
+
# _options_ may contain the following keys:
|
53
|
+
# <tt>:types</tt>:: A list of error types to test for. If not specified
|
54
|
+
# all the error patterns in ERROR_PATTERNS will be
|
55
|
+
# tested.
|
56
|
+
#
|
57
|
+
def SQL.error(body,options={})
|
58
|
+
patterns = (options[:types] || ERROR_PATTERNS.keys)
|
59
|
+
|
60
|
+
patterns.each do |type|
|
61
|
+
match = ERROR_PATTERNS[type].match(body)
|
62
|
+
|
63
|
+
return Error.new(type,match[0].strip_html) if match
|
64
|
+
end
|
65
|
+
|
66
|
+
return nil
|
67
|
+
end
|
68
|
+
|
69
|
+
#
|
70
|
+
# Returns +true+ if the specified _body_ using the given _options_
|
71
|
+
# contains an SQL error, returns +false+ otherwise.
|
72
|
+
#
|
73
|
+
# _options_ may contain the following keys:
|
74
|
+
# <tt>:types</tt>:: A list of error types to test for. If not specified
|
75
|
+
# all the error patterns in ERROR_PATTERNS will be
|
76
|
+
# tested.
|
77
|
+
#
|
78
|
+
def SQL.has_error?(body,options={})
|
79
|
+
!(SQL.error(body,options).nil?)
|
80
|
+
end
|
81
|
+
|
82
|
+
end
|
83
|
+
end
|
@@ -0,0 +1,29 @@
|
|
1
|
+
#
|
2
|
+
#--
|
3
|
+
# Ronin SQL - A Ronin library providing support for SQL related security
|
4
|
+
# tasks.
|
5
|
+
#
|
6
|
+
# Copyright (c) 2007-2008 Hal Brodigan (postmodern.mod3 at gmail.com)
|
7
|
+
#
|
8
|
+
# This program is free software; you can redistribute it and/or modify
|
9
|
+
# it under the terms of the GNU General Public License as published by
|
10
|
+
# the Free Software Foundation; either version 2 of the License, or
|
11
|
+
# (at your option) any later version.
|
12
|
+
#
|
13
|
+
# This program is distributed in the hope that it will be useful,
|
14
|
+
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
15
|
+
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
16
|
+
# GNU General Public License for more details.
|
17
|
+
#
|
18
|
+
# You should have received a copy of the GNU General Public License
|
19
|
+
# along with this program; if not, write to the Free Software
|
20
|
+
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
|
21
|
+
#++
|
22
|
+
#
|
23
|
+
|
24
|
+
module Ronin
|
25
|
+
module SQL
|
26
|
+
# Ronin SQL version
|
27
|
+
VERSION = '0.1.0'
|
28
|
+
end
|
29
|
+
end
|
data/spec/spec_helper.rb
ADDED
data/tasks/spec.rb
ADDED
metadata
ADDED
@@ -0,0 +1,121 @@
|
|
1
|
+
--- !ruby/object:Gem::Specification
|
2
|
+
name: ronin-sql
|
3
|
+
version: !ruby/object:Gem::Version
|
4
|
+
version: 0.1.0
|
5
|
+
platform: ruby
|
6
|
+
authors:
|
7
|
+
- Postmodern Modulus III
|
8
|
+
autorequire:
|
9
|
+
bindir: bin
|
10
|
+
cert_chain: []
|
11
|
+
|
12
|
+
date: 2008-08-20 00:00:00 -07:00
|
13
|
+
default_executable:
|
14
|
+
dependencies:
|
15
|
+
- !ruby/object:Gem::Dependency
|
16
|
+
name: ronin
|
17
|
+
type: :runtime
|
18
|
+
version_requirement:
|
19
|
+
version_requirements: !ruby/object:Gem::Requirement
|
20
|
+
requirements:
|
21
|
+
- - ">="
|
22
|
+
- !ruby/object:Gem::Version
|
23
|
+
version: 0.0.9
|
24
|
+
version:
|
25
|
+
- !ruby/object:Gem::Dependency
|
26
|
+
name: hoe
|
27
|
+
type: :development
|
28
|
+
version_requirement:
|
29
|
+
version_requirements: !ruby/object:Gem::Requirement
|
30
|
+
requirements:
|
31
|
+
- - ">="
|
32
|
+
- !ruby/object:Gem::Version
|
33
|
+
version: 1.7.0
|
34
|
+
version:
|
35
|
+
description: Ronin SQL is a Ruby library for Ronin that provids support for SQL related security tasks. Ronin is a Ruby platform designed for information security and data exploration tasks. Ronin allows for the rapid development and distribution of code over many of the common Source-Code-Management (SCM) systems.
|
36
|
+
email:
|
37
|
+
- postmodern.mod3@gmail.com
|
38
|
+
executables: []
|
39
|
+
|
40
|
+
extensions: []
|
41
|
+
|
42
|
+
extra_rdoc_files:
|
43
|
+
- History.txt
|
44
|
+
- COPYING.txt
|
45
|
+
- Manifest.txt
|
46
|
+
- README.txt
|
47
|
+
files:
|
48
|
+
- History.txt
|
49
|
+
- COPYING.txt
|
50
|
+
- Manifest.txt
|
51
|
+
- README.txt
|
52
|
+
- Rakefile
|
53
|
+
- lib/ronin/code/sql.rb
|
54
|
+
- lib/ronin/code/sql/between.rb
|
55
|
+
- lib/ronin/code/sql/binary_expr.rb
|
56
|
+
- lib/ronin/code/sql/builder.rb
|
57
|
+
- lib/ronin/code/sql/code.rb
|
58
|
+
- lib/ronin/code/sql/common_dialect.rb
|
59
|
+
- lib/ronin/code/sql/create_index.rb
|
60
|
+
- lib/ronin/code/sql/create_table.rb
|
61
|
+
- lib/ronin/code/sql/create_view.rb
|
62
|
+
- lib/ronin/code/sql/delete.rb
|
63
|
+
- lib/ronin/code/sql/dialect.rb
|
64
|
+
- lib/ronin/code/sql/drop_table.rb
|
65
|
+
- lib/ronin/code/sql/exceptions.rb
|
66
|
+
- lib/ronin/code/sql/exceptions/unknown_dialect.rb
|
67
|
+
- lib/ronin/code/sql/expr.rb
|
68
|
+
- lib/ronin/code/sql/field.rb
|
69
|
+
- lib/ronin/code/sql/function.rb
|
70
|
+
- lib/ronin/code/sql/in.rb
|
71
|
+
- lib/ronin/code/sql/injection.rb
|
72
|
+
- lib/ronin/code/sql/injection_builder.rb
|
73
|
+
- lib/ronin/code/sql/injection_style.rb
|
74
|
+
- lib/ronin/code/sql/insert.rb
|
75
|
+
- lib/ronin/code/sql/keyword.rb
|
76
|
+
- lib/ronin/code/sql/like_expr.rb
|
77
|
+
- lib/ronin/code/sql/program.rb
|
78
|
+
- lib/ronin/code/sql/replace.rb
|
79
|
+
- lib/ronin/code/sql/select.rb
|
80
|
+
- lib/ronin/code/sql/statement.rb
|
81
|
+
- lib/ronin/code/sql/style.rb
|
82
|
+
- lib/ronin/code/sql/unary_expr.rb
|
83
|
+
- lib/ronin/code/sql/update.rb
|
84
|
+
- lib/ronin/sql/extensions.rb
|
85
|
+
- lib/ronin/sql/extensions/uri.rb
|
86
|
+
- lib/ronin/sql/extensions/uri/http.rb
|
87
|
+
- lib/ronin/sql/error.rb
|
88
|
+
- lib/ronin/sql/sql.rb
|
89
|
+
- lib/ronin/sql/version.rb
|
90
|
+
- lib/ronin/sql.rb
|
91
|
+
- tasks/spec.rb
|
92
|
+
- spec/spec_helper.rb
|
93
|
+
has_rdoc: true
|
94
|
+
homepage: http://ronin.rubyforge.org/sql/
|
95
|
+
post_install_message:
|
96
|
+
rdoc_options:
|
97
|
+
- --main
|
98
|
+
- README.txt
|
99
|
+
require_paths:
|
100
|
+
- lib
|
101
|
+
required_ruby_version: !ruby/object:Gem::Requirement
|
102
|
+
requirements:
|
103
|
+
- - ">="
|
104
|
+
- !ruby/object:Gem::Version
|
105
|
+
version: "0"
|
106
|
+
version:
|
107
|
+
required_rubygems_version: !ruby/object:Gem::Requirement
|
108
|
+
requirements:
|
109
|
+
- - ">="
|
110
|
+
- !ruby/object:Gem::Version
|
111
|
+
version: "0"
|
112
|
+
version:
|
113
|
+
requirements: []
|
114
|
+
|
115
|
+
rubyforge_project: ronin
|
116
|
+
rubygems_version: 1.2.0
|
117
|
+
signing_key:
|
118
|
+
specification_version: 2
|
119
|
+
summary: Ronin SQL is a Ruby library for Ronin that provids support for SQL related security tasks
|
120
|
+
test_files: []
|
121
|
+
|