ronin-sql 0.1.1 → 0.2.0

data/lib/ronin/sql/error/message.rb

@@ -0,0 +1,64 @@
+#
+#--
+# Ronin SQL - A Ronin library providing support for SQL related security
+# tasks.
+#
+# Copyright (c) 2007-2009 Hal Brodigan (postmodern.mod3 at gmail.com)
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
+#++
+#
+
+module Ronin
+  module SQL
+    module Error
+      class Message
+
+        # The URL which is vulnerable
+        attr_reader :url
+
+        # The vulnerable query param
+        attr_accessor :param
+
+        # SQL error type
+        attr_reader :type
+
+        # SQL Dialect
+        attr_reader :dialect
+
+        # SQL error message
+        attr_reader :message
+
+        #
+        # Creates a new SQL Error object with the specified _type_, 
+        # _dialect_ and _message_.
+        #
+        def initialize(type,dialect,message)
+          @type = type
+          @dialect = dialect
+          @message = message
+        end
+
+        #
+        # Returns the message in String form.
+        #
+        def to_s
+          @message.to_s
+        end
+
+      end
+    end
+  end
+end

data/lib/ronin/sql/error/pattern.rb

@@ -0,0 +1,106 @@
+#
+#--
+# Ronin SQL - A Ronin library providing support for SQL related security
+# tasks.
+#
+# Copyright (c) 2007-2009 Hal Brodigan (postmodern.mod3 at gmail.com)
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
+#++
+#
+
+require 'ronin/sql/error/message'
+
+module Ronin
+  module SQL
+    module Error
+      class Pattern
+
+        # Name of the pattern
+        attr_reader :name
+
+        # Name of the SQL dialect
+        attr_accessor :dialect
+
+        # Patterns to use for matching SQL errors
+        attr_reader :patterns
+
+        #
+        # Creates a new Pattern object with the specified _name_. If a
+        # _block_ is given, it will be passed the newly created Pattern
+        # object.
+        #
+        def initialize(name,&block)
+          @dialect = :common
+          @name = name.to_sym
+          @patterns = []
+
+          block.call(self) if block
+        end
+
+        #
+        # Add the specified _pattern_ to be used to recognize SQL error
+        # messages.
+        #
+        def recognize(pattern)
+          @patterns << pattern
+          return self
+        end
+
+        #
+        # Returns the first match between the error pattern and the
+        # specified _data_. If no matches were found +nil+ will be
+        # returned.
+        #
+        def match(data)
+          data = data.to_s
+
+          @patterns.each do |pattern|
+            match = data.match(pattern)
+
+            return Message.new(@name,@dialect,match[0]) if match
+          end
+
+          return nil
+        end
+
+        #
+        # Returns the match index within the specified _data_ where a SQL
+        # error Pattern occurs. If no SQL error Pattern can be found within
+        # _data_, +nil+ will be returned.
+        #
+        def =~(data)
+          data = data.to_s
+
+          @patterns.each do |pattern|
+            if (index = (pattern =~ data))
+              return index
+            end
+          end
+
+          return nil
+        end
+
+        #
+        # Returns the name of the error pattern.
+        #
+        def to_s
+          @name.to_s
+        end
+
+      end
+    end
+  end
+end

data/lib/ronin/sql/error/patterns.rb

@@ -0,0 +1,100 @@
+#
+#--
+# Ronin SQL - A Ronin library providing support for SQL related security
+# tasks.
+#
+# Copyright (c) 2007-2009 Hal Brodigan (postmodern.mod3 at gmail.com)
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
+#++
+#
+
+require 'ronin/sql/error/pattern'
+
+module Ronin
+  module SQL
+    module Error
+      Error.pattern :ms_sql do |p|
+        p.dialect = :ms
+        p.recognize /Microsoft OLE DB Provider for SQL Server/
+        p.recognize /Microsoft OLE DB Provider for ODBC Drivers.*\[Microsoft\]\[ODBC SQL Server Driver\]/
+      end
+
+      Error.pattern :ms_access do |p|
+        p.dialect = :ms
+        p.recognize /Microsoft OLE DB Provider for ODBC Drivers.*\[Microsoft\]\[ODBC Access Driver\]/
+        p.recognize /\[Microsoft\]\[ODBC Microsoft Access Driver\] Syntax error/
+      end
+
+      Error.pattern :ms_jetdb do |p|
+        p.dialect = :ms
+        p.recognize /Microsoft JET Database Engine/
+      end
+
+      Error.pattern :ms_adodb do |p|
+        p.dialect = :ms
+        p.recognize /ADODB.Command.*error/
+      end
+
+      Error.pattern :asp_net do |p|
+        p.dialect = :common
+        p.recognize /Server Error.*System\.Data\.OleDb\.OleDbException/
+      end
+
+      Error.pattern :mysql do |p|
+        p.dialect = :mysql
+        p.recognize /Warning.*supplied argument is not a valid MySQL result/
+        p.recognize /Warning.*mysql_.*\(\)/
+        p.recognize /You have an error in your SQL syntax.*(on|at) line/
+      end
+
+      Error.pattern :php do |p|
+        p.dialect = :common
+        p.recognize /Warning.*failed to open stream/
+        p.recognize /Fatal Error.*(on|at) line/
+      end
+
+      Error.pattern :oracle do |p|
+        p.dialect = :oracle
+        p.recognize /ORA-[0-9][0-9][0-9][0-9]/
+      end
+
+      Error.pattern :jdbc do |p|
+        p.dialect = :common
+        p.recognize /Invalid SQL statement or JDBC/
+      end
+
+      Error.pattern :java_servlet do |p|
+        p.dialect = :common
+        p.recognize /javax\.servlet\.ServletException/
+      end
+
+      Error.pattern :apache_tomcat do |p|
+        p.dialect = :common
+        p.recognize /org\.apache\.jasper\.JasperException/
+      end
+
+      Error.pattern :vb_runtime do |p|
+        p.dialect = :common
+        p.recognize /Microsoft VBScript runtime/
+      end
+
+      Error.pattern :vb_asp do |p|
+        p.dialect = :common
+        p.recognize /Type mismatch/
+      end
+    end
+  end
+end

data/lib/ronin/sql/error.rb

@@ -3,7 +3,7 @@
 # Ronin SQL - A Ronin library providing support for SQL related security
 # tasks.
 #
-# Copyright (c) 2007-2008 Hal Brodigan (postmodern.mod3 at gmail.com)
+# Copyright (c) 2007-2009 Hal Brodigan (postmodern.mod3 at gmail.com)
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -21,32 +21,7 @@
 #++
 #
 
-module Ronin
-  module SQL
-    class Error
-
-      # SQL error type
-      attr_reader :type
-
-      # SQL error message
-      attr_reader :message
-
-      #
-      # Creates a new SQL Error object with the specified _type_ and
-      # _message_.
-      #
-      def initialize(type,message)
-        @type = type
-        @message = message
-      end
-
-      #
-      # Returns the message in String form.
-      #
-      def to_s
-        @message.to_s
-      end
-
-    end
-  end
-end
+require 'ronin/sql/error/message'
+require 'ronin/sql/error/pattern'
+require 'ronin/sql/error/error'
+require 'ronin/sql/error/patterns'

data/lib/ronin/sql/extensions/uri/http.rb

@@ -3,7 +3,7 @@
 # Ronin SQL - A Ronin library providing support for SQL related security
 # tasks.
 #
-# Copyright (c) 2007-2008 Hal Brodigan (postmodern.mod3 at gmail.com)
+# Copyright (c) 2007-2009 Hal Brodigan (postmodern.mod3 at gmail.com)
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -21,10 +21,9 @@
 #++
 #
 
-require 'ronin/sql/sql'
-require 'ronin/network/http'
-
-require 'uri'
+require 'ronin/sql/injection'
+require 'ronin/extensions/uri/http'
+require 'ronin/chars'
 
 module URI
   class HTTP < Generic
@@ -34,36 +33,92 @@ module URI
     # SQL errors.
     #
     # _options_ may contain the following keys:
-    # <tt>:injection</tt>:: The SQL injection to use. Defaults to
-    #                       <tt>"'"</tt>.
-    # <tt>:types</tt>:: A list of error types to test for. If not specified
-    #                   all the error patterns in ERROR_PATTERNS will be
-    #                   tested.
+    # <tt>:sql</tt>:: The SQL injection to use. Defaults to <tt>"'"</tt>.
     #
     def sql_errors(options={})
-      injection = (options[:injection] || "'")
+      errors = {}
 
-      return test_query_params(injection,options) do |param,injection_url|
-        body = Net.http_get_body(options.merge(:url => injection_url))
+      return each_query_param do |param,value|
+        error = SQL::Injection.new(self,param).error(options)
 
-        Ronin::SQL.error(body,options)
+        errors[param] = error if error
       end
+
+      return errors
+    end
+
+    def sql_error(options={})
+      sql_errors(options).values.first
     end
 
     #
-    # Tests each +query_params+ of the HTTP URI with the given _options_ for
-    # SQL errors.
+    # Returns +true+ if any of the +query_params+ of the HTTP URI return
+    # SQL errors using the given _options_, returns +false+ otherwise.
     #
     # _options_ may contain the following keys:
-    # <tt>:injection</tt>:: The SQL injection to use. Defaults to
-    #                       <tt>"'"</tt>.
-    # <tt>:types</tt>:: A list of error types to test for. If not specified
-    #                   all the error patterns in ERROR_PATTERNS will be
-    #                   tested.
+    # <tt>:sql</tt>:: The SQL injection to use. Defaults to <tt>"'"</tt>.
     #
     def has_sql_errors?(options={})
       !(sql_errors(options).empty?)
     end
 
+    #
+    # Tests the +query_params+ of the HTTP URL with the given _options_ for
+    # blind SQL injections.
+    #
+    def sql_injections(options={})
+      injectable = []
+
+      each_query_param do |param,value|
+        integer_tests = [
+          {:escape => value},
+          {:escape => value, :close_parenthesis => true}
+        ]
+
+        string_tests = [
+          {:escape => value, :close_string => true},
+          {:escape => value, :close_string => true, :close_parenthesis => true}
+        ]
+
+        if (value && Chars.numeric =~ value)
+          # if the param value is numeric, we should try escaping a
+          # numeric value first.
+          tests = integer_tests + string_tests
+        else
+          # if the param value is a string, we should try escaping a
+          # string value first.
+          tests = string_tests + integer_tests
+        end
+
+        tests.each do |test|
+          inj = Ronin::SQL::Injection.new(self,param,options.merge(test))
+
+          if inj.vulnerable?(options)
+            injectable << inj
+            break
+          end
+        end
+      end
+
+      return injectable
+    end
+
+    #
+    # Returns the first vulnerable SQL injection object found in the
+    # HTTP URL.
+    #
+    def sql_injection(options={})
+      sql_injections(options).first
+    end
+
+    #
+    # Returns +true+ if any of the +query_params+ of the HTTP URL are
+    # vulnerable to blind SQL injection using the given _options_, returns
+    # +false+ otherwise.
+    #
+    def has_sql_injections?(options={})
+      !(sql_injections(options).empty?)
+    end
+
   end
 end

data/lib/ronin/sql/extensions/uri.rb

@@ -3,7 +3,7 @@
 # Ronin SQL - A Ronin library providing support for SQL related security
 # tasks.
 #
-# Copyright (c) 2007-2008 Hal Brodigan (postmodern.mod3 at gmail.com)
+# Copyright (c) 2007-2009 Hal Brodigan (postmodern.mod3 at gmail.com)
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by

data/lib/ronin/sql/extensions.rb

@@ -3,7 +3,7 @@
 # Ronin SQL - A Ronin library providing support for SQL related security
 # tasks.
 #
-# Copyright (c) 2007-2008 Hal Brodigan (postmodern.mod3 at gmail.com)
+# Copyright (c) 2007-2009 Hal Brodigan (postmodern.mod3 at gmail.com)
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -21,4 +21,5 @@
 #++
 #
 
+require 'ronin/sql/extensions/string'
 require 'ronin/sql/extensions/uri'

data/lib/ronin/sql/injection.rb

@@ -0,0 +1,213 @@
+#
+#--
+# Ronin SQL - A Ronin library providing support for SQL related security
+# tasks.
+#
+# Copyright (c) 2007-2009 Hal Brodigan (postmodern.mod3 at gmail.com)
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
+#++
+#
+
+require 'ronin/sql/error'
+require 'ronin/code/sql/injection'
+require 'ronin/sessions/http'
+require 'ronin/extensions/uri'
+require 'ronin/web/extensions/hpricot'
+require 'ronin/web/web'
+
+module Ronin
+  module SQL
+    class Injection
+
+      include Sessions::HTTP
+
+      # The URL to inject upon
+      attr_reader :url
+
+      # The URL query param to inject into
+      attr_reader :param
+
+      # Options for crafting SQL injections
+      attr_reader :sql_options
+
+      # HTTP request method (either :get or :post)
+      parameter :http_method,
+                :default => :get,
+                :description => 'HTTP request method to use'
+
+      #
+      # Creates a new Injection object with the specified _url_, _param_
+      # to inject upon and the given _options_ which will be used
+      # for crafting SQL injections.
+      #
+      def initialize(url,param,options={})
+        super()
+
+        @url = url
+        @param = param
+        @sql_options = options
+      end
+
+      #
+      # Spider a site starting at the specified _url_ using the given
+      # _options_ and return an Array of URLs which are vulnerable to SQL
+      # Injection. If a _block_ is given, it will be passed vulnerable SQL
+      # Injection objects as they are found.
+      #
+      #   Injection.spider('http://www.target.com/contact/')
+      #   # => [...]
+      #
+      #   Injection.spider('http://www.target.com/') do |injection|
+      #     ...
+      #   end
+      #
+      def Injection.spider(url,options={},&block)
+        injections = []
+
+        Web.spider_site(url,options) do |spider|
+          spider.every_url_like(/\?[a-zA-Z0-9_]/) do |vuln_url|
+            found = vuln_url.sql_injections
+
+            found.each(&block) if block
+            injections += found
+          end
+        end
+
+        return injections
+      end
+
+      #
+      # Creates a new Code::SQL::Injection object using the given _options_
+      # and _block_. The given _options_ will be merged with the injections
+      # sql_options, to create a tailored Code::SQL::Injection object.
+      #
+      def sql(options={},&block)
+        Code::SQL::Injection.new(@sql_options.merge(options),&block)
+      end
+
+      def inject(options={},&block)
+        injection = (options[:sql] || sql(options,&block))
+
+        injection_url = URI(@url.to_s)
+        injection_url.query_params[@param.to_s] = injection
+
+        request_method = (options[:method] || @http_method)
+        options = options.merge(:url => injection_url)
+
+        if request_method == :post
+          return http_post_body(options)
+        else
+          return http_get_body(options)
+        end
+      end
+
+      def inject_error(options={})
+        inject({:sql => "'"}.merge(options))
+      end
+
+      def error(options={})
+        inject_error(options).sql_error
+      end
+
+      def has_error?(options={})
+        Error.has_message?(inject_error(options))
+      end
+
+      def vulnerable?(options={})
+        body1 = inject(options) { no_rows }
+        body2 = inject(options) { all_rows }
+
+        if (body1.sql_error? || body2.sql_error?)
+          return false
+        end
+
+        body1 = Hpricot(body1)
+        body2 = Hpricot(body2)
+
+        return body1 < body2
+      end
+
+      def has_column?(column,options={})
+        body1 = inject(options)
+        body2 = inject(options.merge(:symbols => {:column => column})) do
+          has_column?(column)
+        end
+
+        if (body1.sql_error? || body2.sql_error?)
+          return false
+        end
+
+        body1 = Hpricot(body1)
+        body2 = Hpricot(body2)
+
+        return body1 == body2
+      end
+
+      def has_table?(table,options={})
+        body1 = inject(options)
+        body2 = inject(options.merge(:symbols => {:table => table})) do
+          has_table?(table)
+        end
+
+        if (body1.sql_error? || body2.sql_error?)
+          return false
+        end
+
+        body1 = Hpricot(body1)
+        body2 = Hpricot(body2)
+
+        return body1 == body2
+      end
+
+      def uses_column?(column,options={})
+        body1 = inject(options)
+        body2 = inject(options.merge(:symbols => {:column => column})) do
+          uses_column?(table)
+        end
+
+        if (body1.sql_error? || body2.sql_error?)
+          return false
+        end
+
+        body1 = Hpricot(body1)
+        body2 = Hpricot(body2)
+
+        return body1 == body2
+      end
+
+      def uses_table?(table,options={})
+        body1 = inject(options)
+        body2 = inject(options.merge(:symbols => {:table => table})) do
+          uses_table?(table)
+        end
+
+        if (body1.sql_error? || body2.sql_error?)
+          return false
+        end
+
+        body1 = Hpricot(body1)
+        body2 = Hpricot(body2)
+
+        return body1 == body2
+      end
+
+      def to_s
+        @url.to_s
+      end
+
+    end
+  end
+end

data/lib/ronin/sql/version.rb

@@ -3,7 +3,7 @@
 # Ronin SQL - A Ronin library providing support for SQL related security
 # tasks.
 #
-# Copyright (c) 2007-2008 Hal Brodigan (postmodern.mod3 at gmail.com)
+# Copyright (c) 2007-2009 Hal Brodigan (postmodern.mod3 at gmail.com)
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -24,6 +24,6 @@
 module Ronin
   module SQL
     # Ronin SQL version
-    VERSION = '0.1.1'
+    VERSION = '0.2.0'
   end
 end