tags:

views:

181

answers:

5
+3  Q: 

How to find sql injection vulnerabilities?

Is there a way to find SQL injection vulnerabilities?

Note: I am asking how to find them on a server you are in control of so you can fix them. I am not asking about how to detect them on someone else's server to exploit them.

Is there a way to find every occurance of mysql_query() without opening every page and doing a ctrl+f?

A: 

If you want to search give Red Gate's excellent SQL Search tool a try (its free!) but it's only for SQL Server though.

AndrewJacksonZA  2010-09-03 14:01:40
Even if he was using SQL Server, how would that even help with searching through inline SQL occurrences inside php files?
SQLMenace  2010-09-03 14:07:06
I don't believe this is relevant, regardless of the database type. With the exception of dynamic SQL in stored procedures, the place to look for SQL injection errors is on the client, not the server.
Steven Sudit  2010-09-03 14:08:52
@Steven Sudit: That's what I was referring to - dynamic SQL within stored procedures.
AndrewJacksonZA  2010-09-06 11:15:54
Looks interesting, but I do my best to avoid dynamic SQL. I've gone that route before, when highly motivated, but it's a real pain, in addition to the security risks.
Steven Sudit  2010-09-08 02:47:19
+6  A: 

Using linux, you can use the grep utility.

find /dir/containing/files -type f -name '*.php'|xargs grep --color=auto "mysql_query"
  • /dir/containing/files: The directory containing your PHP files, for example, /home/user/domains/example.com/public_html
  • -type f: search for files only (not directories)
  • -name '*.php' match files ending with .php only. If you'ld like to match other files too, like .inc use this instead: -name '*.php' -o -name '*.inc' (matches *.php OR *.inc)
  • |xargs grep use the contents of the found files for searching
  • --color=auto highlights the found part
  • "mysql_query" your search terms
Lekensteyn  2010-09-03 14:01:53
Can you explain that in baby steps?
LeguRi  2010-09-03 14:03:52
@Richard first, he's finding all PHP files. Then he's sending them to grep, and searching for all occurrences of "mysql_query". Lekensteyn is satirically telling you how using the old mysql API is vulnerable to injection attacks :)
Here Be Wolves  2010-09-03 14:07:16
Just did it :) Note: this will highlight lines only, not the context.
Lekensteyn  2010-09-03 14:08:34
Is this something I can do from a php script if the site is through a hosting company? Thanks!
John Isaacks  2010-09-03 14:08:43
@John: Why wouldn't you have a copy of the site locally?
Steven Sudit  2010-09-03 14:10:11
@Steven, I do, but its not stored locally on a Linux machine.
John Isaacks  2010-09-03 14:11:24
Using PHP will be more work. You can use CGI to execute bash. Place a file named `somefile.sh` (or whatever you want, even extension doesn't matter) in your `cgi-bin`, `chmod` it to 755. The first line should contains `#!/bin/sh` (or `#!/usr/local/bin/sh` on BSD), the second line `printf "Content-Type: text/plain\n\n"` and the third the given line in the answer. This works only for Linux machines, if you're working on Windoze or something, consider a virtual machine with Linux installed.
Lekensteyn  2010-09-03 14:11:33
@Lekensteyn its hosted on a linux machine, my local copy is just on windows. Thanks!
John Isaacks  2010-09-03 14:13:05
@John: If you have it on a Windows box, you can use ports of Unix tools, or if you have MS VS handy, its built-in grep functionality ("Find in Files") should be sufficient.
Steven Sudit  2010-09-03 14:13:39
@John, you can use a CGI script as I described in my last post. Otherwise, you can use SSI: save the following as file.shtml: `<!--#exec cmd="find /dir/containing/files -type f -name '*.php'|xargs grep --color=auto 'mysql_query'" -->`. Works on apache with `Options +Includes`
Lekensteyn  2010-09-03 14:16:26
-1 you must be joking.
Rook  2010-09-03 15:47:34
@Rook: mind explanation your comment/downvote?
Lèse majesté  2010-09-03 20:15:27
@Lèse majesté No one uses this method to find sql injection. Everyone uses fuzzers, I seriously doubt you have ever found a sql injection vulnerability in your entire life and your giving people security advice.
Rook  2010-09-03 22:02:12
@Rook: Well aren't you Mr. Conceited... Maybe you should learn the difference between black box testing and white box testing, or code auditing? Simply using a "fuzzer" without identifying internal injection points isn't going to help you find potential vulnerabilities in a framework or library/component.
Lèse majesté  2010-09-04 01:27:35
@Rook, if you've made the source on your own, this will be fine, providing you know the function you use for running SQL queries. Not everyone is that experienced as you. If OP wants a way to find a specified string in all files, I pass them on.
Lekensteyn  2010-09-04 08:21:38
@Lekensteyn read my answer on this thread.
Rook  2010-09-04 09:20:30
+4  A: 

No, there is no simple way. And if there is, it is NOT fool-proof.

That being said, you should look into this question/answer thread and apply them.

For searching mysql_query(), you can use your text-editor's search in files feature. I use Notepad++ and it has search-in-files which can search for any string like mysql_query in a directory and subdirectory with specific extension (.php in your case) files.

A tutorial with screenshot for Notepad++ is here.

shamittomar  2010-09-03 14:02:36
I think he explained that: find every case where SQL is being used and manually inspect for concatenation instead of parameterization.
Steven Sudit  2010-09-03 14:08:06
Also Quanta+ has that feature
nico  2010-09-03 14:10:22
+2  A: 

There's an open source project made in python called w3af which is used, among other things, to find SQL injection problems.

Download it from the page and then when you start it select the fast_scan profile and on the Target enter your URL (it could be something like http://localhost:8080 if you are running locally) and run the application.

In case it can find any sql injection problem it will let you know.

This step can be done after checking all your mysql_query calls to check everything is working fine.

Lombo  2010-09-03 14:08:36
Interesting.....x
Steven Sudit  2010-09-03 14:12:15
A: 

By far the best way to find SQL Injection Vulnerablites is by using a Fuzzer such as Acunetix ($) NTOSpider($$$), Wapitit(open source, very good), W3AF(open source, not very good.).

Make sure dispaly_errors=On. These tools detect sql injection by inserting bad data like '" and seeing if an error is displayed. They also detect sql injection by injecting queries that take a long time like ' sleep(30)-- to see if the request takes more than 30 seconds.

Rook  2010-09-03 15:49:05

related questions

IDE suggestions: Eclipse IDE vs. Zend Studio ( confused )
MySQL/Apache Error in PHP MySQL query
Lightweight IDE for Linux
What PHP framework would you choose for a new application and why?
Why is my ternary expression not working?
How can I get at the matches when using preg_replace in PHP?
Mechanisms for tracking DB schema changes
Wordpress theme development offline tools
Using object property as default for method property
How can I get the authenticated user name under Apache using plain HTTP authentication and PHP?
Make XAMPP/Apache serve file outside of htdocs
How do you debug PHP scripts?
PHP Variables passed by value or by reference?
Best way to implement unit testing in PHP
Connect PHP to an AS/400
Best way to access Exchange using PHP?
PHP Session Security
How do I access a remote form in php?
What's the best way to generate a tag cloud from an array? (using h1 through h6 for sizing)
Apache/PHP: error_log per Virtual Host?
How do I track file downloads with apache/PHP
How would you access Object properties from within an object method?
Flat File Databases in PHP
Best way to allow plugins for a PHP application
Latest information on PHP upcoming releases