Home page logo

nmap-dev logo Nmap Development mailing list archives

[NSE] http-blindsql-injection.nse
From: George Chatzisofroniou <sophron () latthi com>
Date: Thu, 5 Sep 2013 20:04:23 +0300

The attached script finds blind SQL injections using two common methods:
Content-based and Time-based. You can disable a technique with the use of
'timebased' and 'contentbased' options.

More info about the techniques: https://www.owasp.org/index.php/Blind_SQL_Injection

The script, by default, checks for SQLi on both URLs and forms unless you don't
want to where you can use checkurls and checkforms boolean options.

There is also a singlepages option to test it against specific pages and a
diffratio option to manually set the least ratio of content length difference
between the HTML responses when testing for content-based blind SQLi.

You run it like this:

./nmap -p80 -n -Pn --script http-blindsql-injection some-random-page.com

And the output looks like this:

 80/tcp open  http    syn-ack
 | http-blindsql-injection: 
 |   Found the following possible blind SQL injection vulnerabilities: 
 |       Path: http://some-random-page.com:80/
 |       Field: password
 |       Method: POST
 |       Submission: http://some-random-page.com:80//search.php
 |       SQLi: 1' or SLEEP(10) and '1'='1
 |       Time difference: 8.0084838867188
 |       SQLi true response: 1' OR '1'='1
 |       SQLi false response: 1' AND '1'='2
 |_      Responses diff ratio: 0.25

I've tested it against a simple web app of my own and it worked good.

Hope you like it,

George Chatzisofroniou

Attachment: http-blindsql-injection.nse

Sent through the dev mailing list
Archived at http://seclists.org/nmap-dev/

  By Date           By Thread  

Current thread:
  • [NSE] http-blindsql-injection.nse George Chatzisofroniou (Sep 05)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]