From: George Chatzisofroniou <sophron () latthi com>
Date: Thu, 5 Sep 2013 20:04:23 +0300
The attached script finds blind SQL injections using two common methods:
content-based and time-based. You can disable a technique with the
'timebased' and 'contentbased' options.
More info about the techniques: https://www.owasp.org/index.php/Blind_SQL_Injection
The script, by default, checks for SQLi on both URLs and forms unless you don't
want it to, in which case you can use the checkurls and checkforms boolean options.
There is also a singlepages option to test it against specific pages and a
diffratio option to manually set the least ratio of content length difference
between the HTML responses when testing for content-based blind SQLi.
You run it like this:
./nmap -p80 -n -Pn --script http-blindsql-injection some-random-page.com
And the output looks like this:
PORT   STATE SERVICE REASON
80/tcp open  http    syn-ack
| Found the following possible blind SQL injection vulnerabilities:
| Path: http://some-random-page.com:80/
| Field: password
| Method: POST
| Submission: http://some-random-page.com:80//search.php
| SQLi: 1' or SLEEP(10) and '1'='1
| Time difference: 8.0084838867188
| SQLi true response: 1' OR '1'='1
| SQLi false response: 1' AND '1'='2
|_ Responses diff ratio: 0.25
I've tested it against a simple web app of my own and it worked well.
Hope you like it,
Sent through the dev mailing list
Archived at http://seclists.org/nmap-dev/
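The two decision rules the post describes, a time difference for the SLEEP probe and a diff ratio between the true/false responses, as an added Python example that is not the http-blindsql-injection.nse script itself. It runs offline on constructed response bodies and timings; the length-ratio formula, the 50% delay tolerance and the extra baseline-noise check are assumptions, since the post does not state them.

```python
# Added example: the two classification rules described in the post, applied
# offline to constructed data. This is not the http-blindsql-injection.nse
# script; the length-ratio formula and the delay threshold are assumptions.

# Constructed sample bodies standing in for the HTML returned to the
# "true" and "false" probes (the post's 1' OR '1'='1 and 1' AND '1'='2).
TRUE_BODY = "<html><body><h1>Results</h1>" + "<li>row</li>" * 30 + "</body></html>"
FALSE_BODY = "<html><body><h1>Results</h1><p>No results</p></body></html>"


def length_diff_ratio(a: str, b: str) -> float:
    """Difference in content length relative to the longer response.

    Assumed formula: the post only says diffratio is the least ratio of
    content length difference between the two HTML responses.
    """
    longest = max(len(a), len(b))
    return abs(len(a) - len(b)) / longest if longest else 0.0


def content_based_hit(true_body: str, false_body: str,
                      noise_a: str, noise_b: str, diffratio: float = 0.25) -> bool:
    """Flag a content-based finding when the true/false pair differs by at
    least diffratio AND by more than two identical baseline requests do.

    The second check is not in the post; it guards against pages whose
    length changes on every load (timestamps, rotating tokens), which would
    otherwise trip the threshold on their own and produce a false positive.
    """
    noise = length_diff_ratio(noise_a, noise_b)
    observed = length_diff_ratio(true_body, false_body)
    return observed >= diffratio and observed > noise


def time_based_hit(baseline_seconds: float, probe_seconds: float,
                   sleep_seconds: float = 10.0, min_fraction: float = 0.5) -> bool:
    """Flag a time-based finding when the SLEEP(n) probe took at least
    min_fraction * n seconds longer than the baseline request.

    The post reports an 8.0 s difference for SLEEP(10), so an exact match
    against n would be too strict; the 50% fraction is an assumed tolerance.
    """
    return probe_seconds - baseline_seconds >= sleep_seconds * min_fraction


if __name__ == "__main__":
    print("content-based:", content_based_hit(TRUE_BODY, FALSE_BODY, FALSE_BODY, FALSE_BODY))
    print("time-based:", time_based_hit(0.2, 0.2 + 8.0084838867188))
```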