开发者

How to find sql injection vulnerabilities?

Is there a way to find SQL injection vulnerabilities?

Note: I am asking how to find them on a s开发者_开发知识库erver you are in control of so you can fix them. I am not asking about how to detect them on someone else's server to exploit them.

Is there a way to find every occurance of mysql_query() without opening every page and doing a ctrl+f?


Using linux, you can use the grep utility.

find /dir/containing/files -type f -name '*.php'|xargs grep --color=auto "mysql_query"
  • /dir/containing/files: The directory containing your PHP files, for example, /home/user/domains/example.com/public_html
  • -type f: search for files only (not directories)
  • -name '*.php' match files ending with .php only. If you'ld like to match other files too, like .inc use this instead: -name '*.php' -o -name '*.inc' (matches *.php OR *.inc)
  • |xargs grep use the contents of the found files for searching
  • --color=auto highlights the found part
  • "mysql_query" your search terms


No, there is no simple way. And if there is, it is NOT fool-proof.

That being said, you should look into this question/answer thread and apply them.

For searching mysql_query(), you can use your text-editor's search in files feature. I use Notepad++ and it has search-in-files which can search for any string like mysql_query in a directory and subdirectory with specific extension (.php in your case) files.

A tutorial with screenshot for Notepad++ is here.


There's an open source project made in python called w3af which is used, among other things, to find SQL injection problems.

Download it from the page and then when you start it select the fast_scan profile and on the Target enter your URL (it could be something like http://localhost:8080 if you are running locally) and run the application.

In case it can find any sql injection problem it will let you know.

This step can be done after checking all your mysql_query calls to check everything is working fine.


By far the best way to find SQL Injection Vulnerablites is by using a Fuzzer such as Acunetix ($) NTOSpider($$$), Wapitit(open source, very good), W3AF(open source, not very good.).

Make sure dispaly_errors=On. These tools detect sql injection by inserting bad data like '" and seeing if an error is displayed. They also detect sql injection by injecting queries that take a long time like ' sleep(30)-- to see if the request takes more than 30 seconds.


If you want to search give Red Gate's excellent SQL Search tool a try (its free!) but it's only for SQL Server though.

0

上一篇:

下一篇:

精彩评论

暂无评论...
验证码 换一张
取 消

最新问答

问答排行榜