SQL / SQLI tokenizer parser analyzer
client9 Merge pull request #133 from p0pr0ck5/lua-ffi-link
Link to LuaJIT FFI bindings
thanks!
Latest commit e86ff40 Mar 12, 2018

Files

Type Name Latest commit message Commit time
data Close #114 - "if not" in TSQL May 21, 2017
go whitespace Feb 1, 2016
lua fix paths Apr 4, 2014
misc spelling Aug 14, 2016
php Update Makefile Apr 2, 2014
python python/setup.py: uses setuptools if possible Jul 6, 2015
src Close #114 - "if not" in TSQL May 21, 2017
tests Close #114 - "if not" in TSQL May 21, 2017
.gitignore ignore gcov files Jan 10, 2016
.travis.yml coveralls Jan 10, 2016
CHANGELOG changelogs May 21, 2017
CHANGELOG.md markdown changes May 21, 2017
COPYING clean up license Jan 11, 2016
Makefile make self-documenting May 30, 2017
README.md Link to LuaJIT FFI bindings Dec 7, 2017
RELEASE-HOWTO.md changelogs May 21, 2017
configure-clang-asan.sh run tests with asan Feb 2, 2016
configure-clang.sh spelling Feb 1, 2016
configure-gcc-hardened.sh spelling Feb 1, 2016
configure-gcov.sh remove more autotools junk May 12, 2014
configure-gprof.sh autotools delete May 12, 2014
install-sh Commit up-to-date versions of autotool to make life easier May 4, 2014
make-ci.sh Attempt to glue in coveralls Jan 10, 2016
run-clang-asan.sh run tests with asan Feb 2, 2016
run-gcov-samples.sh Switch from /bin/bash to /bin/sh Jan 6, 2016
run-gcov-unittests.sh Switch from /bin/bash to /bin/sh Jan 6, 2016
tags.sh get releaser script working again May 21, 2017
test-gprof.sh Switch from /bin/bash to /bin/sh Jan 6, 2016

README.md


libinjection

SQL / SQLI tokenizer parser analyzer. For

See https://www.client9.com/ for details and presentations.

Simple example:

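#include <stdio.h>
#include <string.h>   /* strlen() */
#include <errno.h>
#include "libinjection.h"
#include "libinjection_sqli.h"

int main(int argc, const char* argv[])
{
    struct libinjection_sqli_state state;
    int issqli;
    const char* input;
    size_t slen;

    /* the string to test is the first command-line argument */
    if (argc < 2) {
        fprintf(stderr, "usage: %s <input>\n", argv[0]);
        return 2;
    }
    input = argv[1];
    slen = strlen(input);

    /* in real-world, you would url-decode the input, etc */

    /* the state holds the input pointer, its length and the parsing flags */
    libinjection_sqli_init(&state, input, slen, FLAG_NONE);
    issqli = libinjection_is_sqli(&state);
    if (issqli) {
        fprintf(stderr, "sqli detected with fingerprint of '%s'\n", state.fingerprint);
    }
    /* exit status is non-zero when SQLi was detected */
    return issqli;
}

$ gcc -Wall -Wextra examples.c libinjection_sqli.c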
$ ./a.out "-1' and 1=1 union/* foo */select load_file('/etc/passwd')--"
sqli detected with fingerprint of 's&1UE'
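
The comment in the example above says real input must be URL-decoded before it is checked. The following is an added sketch of that step, not code from libinjection: `url_decode` and `hexval` are hypothetical helper names, and the sample string is the README's test input, percent-encoded here for illustration. It returns an explicit length because a decoded `%00` would make `strlen()` stop early, while `libinjection_sqli_init()` takes the length as a separate argument.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Value of one hex digit, or -1 if c is not a hex digit. */
static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/*
 * url_decode (hypothetical helper, not part of libinjection):
 * decodes form-urlencoded bytes src[0..slen) into dst and returns the
 * decoded length. dst must hold at least slen bytes (output never grows).
 *  - "%XX" becomes byte 0xXX, including %00, so the result may contain NULs
 *  - '+' becomes a space
 *  - a malformed or truncated escape is copied through unchanged
 */
size_t url_decode(const char *src, size_t slen, char *dst)
{
    size_t i = 0, n = 0;
    while (i < slen) {
        int hi = -1, lo = -1;
        if (src[i] == '%' && i + 2 < slen &&
            (hi = hexval((unsigned char)src[i + 1])) >= 0 &&
            (lo = hexval((unsigned char)src[i + 2])) >= 0) {
            dst[n++] = (char)(hi * 16 + lo);
            i += 3;
        } else {
            dst[n++] = (src[i] == '+') ? ' ' : src[i];
            i++;
        }
    }
    return n;
}

int main(void)
{
    /* Constructed sample: the README's test string as a query-parameter value. */
    const char *raw = "-1%27+and+1%3D1+union%2F*+foo+*%2Fselect+load_file(%27%2Fetc%2Fpasswd%27)--";
    char buf[128];
    size_t len = url_decode(raw, strlen(raw), buf);
    /* Pass buf and len (not strlen(buf)) to libinjection_sqli_init(). */
    printf("%.*s\n", (int)len, buf);
    return 0;
}
```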

More advanced samples:

VERSION INFORMATION

See CHANGELOG for details.

Versions are listed as "major.minor.point"

Major are significant changes to the API and/or fingerprint format. Applications will need recompiling and/or refactoring.

Minor are C code changes. These may include:

  • logical change to detect or suppress
  • optimization changes
  • code refactoring

Point releases are purely data changes. These may be safely applied.

QUALITY AND DIAGNOSTICS

The continuous integration at https://travis-ci.org/client9/libinjection tests the following:

LICENSE

Copyright (c) 2012-2016 Nick Galbreath

Licensed under the standard BSD 3-Clause open source license. See COPYING for details.

EMBEDDING

The src directory contains everything, but you only need to copy the following into your source tree:
