
v0.4 - good guy greg edition

1 parent 0a833ca commit 5e54762753069e65d2fd3d25a0676d5a859e19da @unicornFurnace unicornFurnace committed May 4, 2012
@@ -36,8 +36,6 @@
</pre>
<form action="../select.php" method="get" name="challenge_form">
- <input type="hidden" name="sanitize_quotes" value="none"/>
- <input type="hidden" name="spaces_remove" value="off"/>
<input type="hidden" name="blacklist_level" value="none"/>
<input type="hidden" name="query_results" value="all_rows"/>
<input type="hidden" name="error_level" value="verbose"/>
@@ -36,8 +36,6 @@
</pre>
<form action="../select.php" method="get" name="challenge_form">
- <input type="hidden" name="sanitize_quotes" value="none"/>
- <input type="hidden" name="spaces_remove" value="off"/>
<input type="hidden" name="blacklist_level" value="none"/>
<input type="hidden" name="query_results" value="all_rows"/>
<input type="hidden" name="error_level" value="verbose"/>
@@ -36,8 +36,6 @@
</pre>
<form action="../select.php" method="get" name="challenge_form">
- <input type="hidden" name="sanitize_quotes" value="none"/>
- <input type="hidden" name="spaces_remove" value="off"/>
<input type="hidden" name="blacklist_level" value="none"/>
<input type="hidden" name="query_results" value="all"/>
<input type="hidden" name="error_level" value="none"/>
@@ -36,8 +36,6 @@
</pre>
<form action="../select.php" method="get" name="challenge_form">
- <input type="hidden" name="sanitize_quotes" value="none"/>
- <input type="hidden" name="spaces_remove" value="off"/>
<input type="hidden" name="blacklist_level" value="none"/>
<input type="hidden" name="query_results" value="all"/>
<input type="hidden" name="error_level" value="none"/>
@@ -36,8 +36,6 @@
</pre>
<form action="../select.php" method="post" name="challenge_form">
- <input type="hidden" name="sanitize_quotes" value="none"/>
- <input type="hidden" name="spaces_remove" value="off"/>
<input type="hidden" name="blacklist_level" value="none"/>
<input type="hidden" name="query_results" value="one_row"/>
<input type="hidden" name="error_level" value="verbose"/>
@@ -36,8 +36,6 @@
</pre>
<form action="../custom.php" method="post" name="challenge_form">
- <input type="hidden" name="sanitize_quotes" value="quotes_remove"/>
- <input type="hidden" name="spaces_remove" value="off"/>
<input type="hidden" name="query_results" value="bool"/>
<input type="hidden" name="error_level" value="none"/>
<input type="hidden" name="show_query" value="off"/>
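Review bot: The `sanitize_quotes` input removed in this hunk carried `quotes_remove`, and nothing replaces it, so the challenge that posts to `../custom.php` appears to lose its quote stripping. The next hunk (`-36,9 +36,8`) converts the same setting into `blacklist_level` `high` plus a `blacklist_keywords` value of a single quote. If the constraint is still intended here, add the same pair: `<input type="hidden" name="blacklist_level" value="high"/>` and `<input type="hidden" name="blacklist_keywords" value="'"/>`. The form continues past the end of the hunk, so a replacement further down cannot be ruled out from here.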
@@ -36,9 +36,8 @@
</pre>
<form action="../select.php" method="get" name="challenge_form">
- <input type="hidden" name="sanitize_quotes" value="quotes_remove"/>
- <input type="hidden" name="spaces_remove" value="off"/>
- <input type="hidden" name="blacklist_level" value="none"/>
+ <input type="hidden" name="blacklist_level" value="high"/>
+ <input type="hidden" name="blacklist_keywords" value="'">
<input type="hidden" name="query_results" value="all_rows"/>
<input type="hidden" name="error_level" value="verbose"/>
<input type="hidden" name="show_query" value="on"/>
@@ -36,8 +36,6 @@
</pre>
<form action="../select.php" method="post" name="challenge_form">
- <input type="hidden" name="sanitize_quotes" value="none"/>
- <input type="hidden" name="spaces_remove" value="off"/>
<input type="hidden" name="blacklist_level" value="none"/>
<input type="hidden" name="query_results" value="one_row"/>
<input type="hidden" name="error_level" value="verbose"/>
@@ -36,8 +36,6 @@
</pre>
<form action="../select.php" method="post" name="challenge_form">
- <input type="hidden" name="sanitize_quotes" value="none"/>
- <input type="hidden" name="spaces_remove" value="off"/>
<input type="hidden" name="blacklist_level" value="none"/>
<input type="hidden" name="query_results" value="none"/>
<input type="hidden" name="error_level" value="verbose"/>
@@ -36,8 +36,6 @@
</pre>
<form action="../select.php" method="post" name="challenge_form">
- <input type="hidden" name="sanitize_quotes" value="none"/>
- <input type="hidden" name="spaces_remove" value="off"/>
<input type="hidden" name="blacklist_level" value="none"/>
<input type="hidden" name="query_results" value="bool"/>
<input type="hidden" name="error_level" value="none"/>
@@ -36,8 +36,6 @@
</pre>
<form action="../select.php" method="post" name="challenge_form">
- <input type="hidden" name="sanitize_quotes" value="none"/>
- <input type="hidden" name="spaces_remove" value="off"/>
<input type="hidden" name="blacklist_level" value="none"/>
<input type="hidden" name="query_results" value="none"/>
<input type="hidden" name="error_level" value="none"/>
@@ -37,8 +37,6 @@
</pre>
<form action="../delete.php" method="post" name="challenge_form">
- <input type="hidden" name="sanitize_quotes" value="none"/>
- <input type="hidden" name="spaces_remove" value="off"/>
<input type="hidden" name="blacklist_level" value="none"/>
<input type="hidden" name="query_results" value="none"/>
<input type="hidden" name="error_level" value="errors"/>
@@ -36,8 +36,6 @@
</pre>
<form action="../select.php" method="post" name="challenge_form">
- <input type="hidden" name="sanitize_quotes" value="none"/>
- <input type="hidden" name="spaces_remove" value="off"/>
<input type="hidden" name="blacklist_level" value="low"/>
<input type="hidden" name="blacklist_keywords" value="union,select,where,and,or,--,#"/>
<input type="hidden" name="query_results" value="all_rows"/>
@@ -36,8 +36,6 @@
</pre>
<form action="../update.php" method="post" name="challenge_form">
- <input type="hidden" name="sanitize_quotes" value="none"/>
- <input type="hidden" name="spaces_remove" value="off"/>
<input type="hidden" name="blacklist_level" value="none"/>
<input type="hidden" name="query_results" value="none"/>
<input type="hidden" name="error_level" value="errors"/>
@@ -19,15 +19,18 @@
<center><h1>SQLol - Custom query</h1></center><br>
<?php
include('includes/nav.inc.php');
+include('includes/options.inc.php');
?>
-<tr><td>Original Query (write *INJECT* in the query where you want to inject):</td><td><input type="textbox" name="location"></td></tr>
+<tr><td>Original Query (write *INJECT* in the query where you want to inject):</td><td><textarea name="location"><?php if(isset($_REQUEST["location"])) echo $_REQUEST["location"]; ?></textarea></td></tr>
</table>
<input type="submit" name="submit" value="Inject!">
<?php
if(isset($_REQUEST['submit'])){ //Injection time!
+ include('includes/sanitize.inc.php');
+
$query = str_replace('*INJECT*', $_REQUEST['inject_string'], $_REQUEST['location']);
$displayquery = str_replace('*INJECT*', '<u>' . $_REQUEST['inject_string'] . '</u>', $_REQUEST['location']);
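Review bot: The new textarea on the `location` row echoes `$_REQUEST["location"]` into the page without HTML encoding, so a value containing `</textarea>` closes the element and the remainder is parsed as markup. That is markup injection in the testbed's own form, separate from the SQL injection the page is built to demonstrate. Encode on output: `echo htmlspecialchars($_REQUEST["location"], ENT_QUOTES);`. The same applies to the `inject_string` and `blacklist_keywords` textareas in the new options include (`@@ -0,0 +1,43 @@`). The `if(isset($_REQUEST['submit']))` block continues outside this hunk.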
@@ -20,21 +20,24 @@
<center><h1>SQLol - DELETE query</h1></center><br>
<?php
include('includes/nav.inc.php');
+include('includes/options.inc.php');
?>
<tr><td>Injection Location:</td><td>
<select name="location">
<option value="where_string">String in WHERE clause</option>
- <option value="where_int">Integer in WHERE clause</option>
- <option value="column_name">Column Name</option>
- <option value="table_name">Table Name</option>
+ <option value="where_int" <?php if(isset($_REQUEST["location"]) and $_REQUEST["location"]=="where_int") echo "selected"; ?>>Integer in WHERE clause</option>
+ <option value="column_name" <?php if(isset($_REQUEST["location"]) and $_REQUEST["location"]=="column_name") echo "selected"; ?>>Column Name</option>
+ <option value="table_name" <?php if(isset($_REQUEST["location"]) and $_REQUEST["location"]=="table_name") echo "selected"; ?>>Table Name</option>
</select></td></tr></table>
<input type="submit" name="submit" value="Inject!">
<?php
if(isset($_REQUEST['submit'])){ //Injection time!
+ include('includes/sanitize.inc.php');
+
$display_table_name = $table_name = 'users';
$display_where_clause = $where_clause = 'WHERE isadmin = 0';
@@ -17,6 +17,8 @@
$dsn = $dbtype.'://'.$hostspec.'/'.$database.$persist;
$db_conn = NewADOConnection($dsn);
+$_REQUEST = array_merge($_GET, $_POST, $_COOKIE);
+
print("\n<br>\n<br>");
if(isset($_REQUEST['show_query']) and $_REQUEST['show_query']=='on') echo "Query (injection string is <u>underlined</u>): " . $displayquery . "\n<br>";
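Review bot: Rebuilding `$_REQUEST` at this point replaces whatever the array held before, and the rebuild used to sit in the nav include that every page loads first (removed in the `-24,92 +19,3` hunk). If this file runs after `includes/sanitize.inc.php` (the include order is not visible here), any sanitized value written back to `$_REQUEST['inject_string']` is lost to code that reads it afterwards. `includes/options.inc.php` also repopulates the form from the array as PHP built it, not from the merged one. Keeping `$_REQUEST = array_merge($_GET, $_POST, $_COOKIE);` in the first include each page loads would give one consistent view. If the `$_COOKIE` precedence is deliberate, a comment on that line saying so would help.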
@@ -10,11 +10,6 @@
You should have received a copy of the GNU General Public License along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
-
-$blacklist_low = 'select,from,1=1,--,union,#';
-$blacklist_medium = $blacklist_low . '@@,xp_cmdshell,UTL_HTTP';
-$blacklist_high = $blacklist_medium . '/*,*/,;';
-
?>
<center>
| <a href="insert.php">INSERT</a> || <a href="update.php">UPDATE</a> || <a href="delete.php">DELETE</a> || <a href="select.php">SELECT</a> || <a href="custom.php">Custom</a> || <a href="challenges.htm">Challenges</a> |<br>
@@ -24,92 +19,3 @@
<hr width="60%">
<hr width="40%">
<br>
-<form name="action="<?php echo basename($_SERVER['SCRIPT_FILENAME']) ?>" method="get">
-<table>
-<tr><td>Injection String:</td><td><input type="textarea" name="inject_string"></td></tr>
-<tr><td><b>Input Sanitization:</b></td></tr>
-<tr><td>Single Quotes:</td><td><select name="sanitize_quotes">
- <option value="none">No sanitization</option>
- <option value="quotes_double">Single quotes doubled</option>
- <option value="quotes_escape">Single quotes backslashed</option>
- <option value="quotes_remove">Single quotes removed</option>
- </select></td></tr>
- <tr><td>Remove Spaces:</td><td><input type="checkbox" name="spaces_remove" value="on"></td></tr>
- <tr><td>Blacklist Level:</td><td><select name="blacklist_level">
- <option value="none">No blacklisting</option>
- <option value="low">Low</option>
- <option value="medium">Medium</option>
- <option value="high">High</option>
- </select></td></tr>
- <tr><td>Blacklist Keywords (comma separated):</td><td><textarea name="blacklist_keywords"></textarea></td></tr>
-<tr><td><b>Output Level:</b></td></tr>
- <tr><td>Output Query Results:</td><td><select name="query_results">
- <option value="all_rows">All rows</option>
- <option value="one_row">One row</option>
- <option value="bool">Boolean (Zero/Non-zero result set)</option>
- <option value="none">No results</option>
- </select></td></tr>
- <tr><td>Error Verbosity:</td><td><select name="error_level">
- <option value="verbose">Verbose error messages</option>
- <option value="errors">Generic error messages</option>
- <option value="none">No error messages</option>
- </select></td></tr>
- <tr><td>Show Query:</td><td><input type="checkbox" name="show_query" value="on"></td></tr>
-<?php
-$_REQUEST = array_merge($_GET, $_POST, $_COOKIE);
-
-if(isset($_REQUEST['submit'])){ //Injection time!
-
- switch($_REQUEST['sanitize_quotes']){ //Apply the requested level of quote sanitization
-
- case 'quotes_double':
- $_REQUEST['inject_string'] = str_replace('\'', '\'\'', $_REQUEST['inject_string']);
- break;
- case 'quotes_escape':
- $_REQUEST['inject_string'] = str_replace('\'', '\\\'', $_REQUEST['inject_string']);
- break;
- case 'quotes_remove':
- $_REQUEST['inject_string'] = str_replace('\'', '', $_REQUEST['inject_string']);
- break;
-
- }
-
- //Remove spaces if requested
- if(isset($_REQUEST['spaces_remove']) and $_REQUEST['spaces_remove'] == 'on') $_REQUEST['inject_string'] = str_replace(' ', '', $_REQUEST['inject_string']);
-
- //Parse blacklist
- if(isset($_REQUEST['blacklist_keywords'])){
- $blacklist = explode(',' , $_REQUEST['blacklist_keywords']);
- }
-
- if(isset($_REQUEST['blacklist_level'])){
- switch($_REQUEST['blacklist_level']){
- //We process blacklists differently at each level. At the lowest, each keyword is removed case-sensitively.
- //At medium blacklisting, checks are done case-insensitively.
- //At the highest level, checks are done case-insensitively and repeatedly.
-
- case 'low':
- foreach($blacklist as $keyword){
- $_REQUEST['inject_string'] = str_replace($keyword, '', $_REQUEST['inject_string']);
- }
- break;
- case 'medium':
- foreach($blacklist as $keyword){
- $_REQUEST['inject_string'] = str_replace(strtolower($keyword), '', strtolower($_REQUEST['inject_string']));
- }
- break;
- case 'high':
- do{
- $keyword_found = 0;
- foreach($blacklist as $keyword){
- $_REQUEST['inject_string'] = str_replace(strtolower($keyword), '', strtolower($_REQUEST['inject_string']), $count);
- $keyword_found += $count;
- }
- }while ($keyword_found);
- break;
-
- }
- }
-}
-
-?>
@@ -0,0 +1,43 @@
+<?php
+/*
+SQLol - A configurable SQL injection testbed
+Daniel "unicornFurnace" Crowley
+Copyright (C) 2012 Trustwave Holdings, Inc.
+
+This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.
+
+This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+?>
+
+<form method="get">
+<table>
+<tr><td>Injection String:</td></tr>
+<tr><td><textarea name="inject_string"><?php if(isset($_REQUEST["inject_string"])) echo $_REQUEST["inject_string"]; ?></textarea></td></tr>
+<tr><td><b>Input Sanitization:</b></td></tr>
+<tr><td>Double-up Single Quotes:</td><td><input type="checkbox" name="quotes_double" <?php if(isset($_REQUEST["quotes_double"])) echo "checked"; ?> ></td></tr>
+ <tr><td>Blacklist Level:</td><td><select name="blacklist_level">
+ <option value="none">No blacklisting</option>
+ <option value="reject_low" <?php if(isset($_REQUEST["blacklist_level"]) and $_REQUEST["blacklist_level"]=="reject_low") echo "selected"; ?>>Reject (Low)</option>
+ <option value="reject_high" <?php if(isset($_REQUEST["blacklist_level"]) and $_REQUEST["blacklist_level"]=="reject_high") echo "selected"; ?>>Reject (High)</option>
+ <option value="escape" <?php if(isset($_REQUEST["blacklist_level"]) and $_REQUEST["blacklist_level"]=="escape") echo "selected"; ?>>Escape</option>
+ <option value="low" <?php if(isset($_REQUEST["blacklist_level"]) and $_REQUEST["blacklist_level"]=="low") echo "selected"; ?>>Remove (Low)</option>
+ <option value="medium" <?php if(isset($_REQUEST["blacklist_level"]) and $_REQUEST["blacklist_level"]=="medium") echo "selected"; ?>>Remove (Medium)</option>
+ <option value="high" <?php if(isset($_REQUEST["blacklist_level"]) and $_REQUEST["blacklist_level"]=="high") echo "selected"; ?>>Remove (High)</option>
+ </select></td></tr>
+ <tr><td>Blacklist Keywords (comma separated):</td><td><textarea name="blacklist_keywords"><?php if(isset($_REQUEST["blacklist_keywords"])) echo $_REQUEST["blacklist_keywords"]; ?></textarea></td></tr>
+<tr><td><b>Output Level:</b></td></tr>
+ <tr><td>Output Query Results:</td><td><select name="query_results">
+ <option value="all_rows">All rows</option>
+ <option value="one_row" <?php if(isset($_REQUEST["query_results"]) and $_REQUEST["query_results"]=="one_row") echo "selected"; ?>>One row</option>
+ <option value="bool" <?php if(isset($_REQUEST["query_results"]) and $_REQUEST["query_results"]=="bool") echo "selected"; ?>>Boolean (Zero/Non-zero result set)</option>
+ <option value="none" <?php if(isset($_REQUEST["query_results"]) and $_REQUEST["query_results"]=="none") echo "selected"; ?>>No results</option>
+ </select></td></tr>
+ <tr><td>Error Verbosity:</td><td><select name="error_level">
+ <option value="verbose">Verbose error messages</option>
+ <option value="errors" <?php if(isset($_REQUEST["error_level"]) and $_REQUEST["error_level"]=="errors") echo "selected"; ?>>Generic error messages</option>
+ <option value="none" <?php if(isset($_REQUEST["error_level"]) and $_REQUEST["error_level"]=="none") echo "selected"; ?>>No error messages</option>
+ </select></td></tr>
+ <tr><td>Show Query:</td><td><input type="checkbox" name="show_query" value="on" <?php if(isset($_REQUEST["show_query"])) echo "checked"; ?> ></td></tr>
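Review bot: This include opens a `<form>` and a `<table>` and closes neither, and nothing in the file says so. The including pages supply the rest: the custom-query and DELETE hunks above show `</table>` and the submit button as context lines. A one-line comment inside the opening PHP block would make that contract explicit, for example `// Opens <form> and <table>; the including page adds its own rows, the submit button and the closing tags.`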
