Programming

Writing a SQL injection scanner in 7 lines of code – Python

Hello my fellow noob! In this tutorial we will be learning how to interact with websites and we will be build a SQLi scanner in just 7 lines of code. Lets begin!

So how do we connect to a website? Well we there are many modules for that purpose and I will list the best three of them:

  • Requests : Lets say its a module which can help you view web pages. Its great at what it does and its easy to use.
  • Mechanize : Its my favorite. Apart from what requests does it can also interact with HTML forms. Mechanize makes requests to a website like a normal browser would. It has many other features which will be discussed later.
  • Selenium : This module literally lets you emulate a real browser. Its like running firefox in your terminal. It the most powerful and complicated module out of these three.

For today we will be using the requests module. Now lets write a program to connect to google.com:

import requests
requests.get('https://google.com')

Alright we just made a request to google. Yeah I know its very simple and this is why I love python.

So in the first line, we are importing the module requests. After that we are using something called requests.get to open the webpage. Whats requests.get? Well it represents that requests is a python file and we are using a function defined in it called get. Confused? Ah its just something you should get used to. Its just a function, all modules have their own functions.

Well we just made a request to google now lets read the response.

import requests
response = requests.get('https://google.com')
html = response.text
print html

So this time we assigned a variable named response to our code which is requesting response from google. In the next line, we are converting the response of google to text and we are assigning this value to a variable named html. At last, we are printing the html variable which contains the response of google in text or should I say source code of google?

Output:

build sqli scanner python

Don’t get scared its just source code of the webpage we requested. Lets move on and build an SQLi scanner.

Writing SQLi Scanner Script in Python

So first of all let me clarify that we aren’t going to build a crawler which will crawl the website for SQLi vulnerabilities. We are just creating a program to detect error based SQL injection. You would have to supply a URL with parameters to it like you do in SQLmap.

Hmm..so how do you detect Error Based SQL injection? Well just add a (single quote) in a parameter and it will throw up an error like this:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL
server version for the right syntax to use near ''4''' at line 1

So if we can somehow add a single quote end of the URL and then check if the response contains an error like this then we can create a basic SQLi scanner. Lets do this!

import requests
url = raw_input('Enter a url with parameter: ')
response = requests.get(url + "'").text
if 'error' in data and 'syntax' in data or 'MySQL' in response:
    print 'Its vulnerable'
else:
    print 'Its not vulnerable'

Lets breakdown the code:

    • Line 1: We are importing the module named requests
    • Line 2: We are asking the use to enter a URL and assigning a variable url to whatever they enter
    • Line 3: You already know request.get does. Take a closer look at url + “‘”, we are combining them so if the url entered by the user was example.com/gallery.php?id=1 then it would become example.com/gallery.php?id=1. For saving space, we are converting the response to text in the same line by adding .text at the end of it.
    • Line 4 & 5: We are checking if words like error, syntax and MySQL are present in the response. If yes, then our program print Its vulnerable.
    • Line 6 & 7: If the if statement fails, else statement gets executed which prints that Its not vulnerable.

Output:

Enter a url with parameter: http://www.******.com/agent.php?id=4
Its vulnerable

Let me break down the if statement of this program which is:

if 'error' in data and 'syntax' in data or 'MySQL' in response:

Its structure is like this:

if condition1 and condition2 or condition3:

Here’s the answer of your confusion:

  • and: If two or more conditions are connected via and, both of them should be satisfied otherwise the if statement will not execute. In this case, if the response doesn’t contain both words, error and syntax the if statement will fail.
  • or: if two or more conditions are connected via or, even if one of them is satisfied then the if statement will be executed. In this case, if the response doesn’t have the words error and syntax in it, our program will check it the target contains the word MySQL in it.

Our program still has a lot of bugs, try to find and fix them if you can 😉
We will make our SQLi scanner better in next chapter. Till then, Keep Learning! Keep Coding!

Next Chapter >>

Also Read: SQL Injection Explained From Scratch


6 Comments

Click here to post a comment

Subscribe Now

Subscribe for free and get latest articles delivered right into your inbox.

Thank you for subscribing.

Something went wrong.

Categories

>-----ADVERTISEMENT-----<