metasploit-framework/modules/auxiliary/scanner/http/error_sql_injection.rb

##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'rex/proto/http'
require 'msf/core'




class Metasploit3 < Msf::Auxiliary

	include Msf::Exploit::Remote::HttpClient
	include Msf::Auxiliary::WMAPScanUniqueQuery
	include Msf::Auxiliary::Scanner
	include Msf::Auxiliary::Report


	def initialize(info = {})
		super(update_info(info,
			'Name'   		=> 'HTTP Error Based SQL Injection Scanner',
			'Description'	=> %q{
				This module identifies the existence of Error Based SQL injection issues. Still requires alot of work

			},
			'Author' 		=> [ 'et [at] cyberspace.org' ],
			'License'		=> BSD_LICENSE,
			'Version'		=> '$Revision$'))

		register_options(
			[
				OptString.new('METHOD', [ true, "HTTP Method",'GET']),
				OptString.new('PATH', [ true,  "The path/file to test SQL injection", '/default.aspx']),
				OptString.new('QUERY', [ false,  "HTTP URI Query", ''])
			], self.class)

		register_advanced_options(
			[
				OptBool.new('NoDetailMessages', [ false, "Do not display detailed test messages", true ])
			], self.class)

	end

	def run_host(ip)

		qvars = nil

		sqlinj = [
			[ "'" ,'Single quote'],
			[ "')",'Single quote and parenthesis'],
			[ "\"",'Double quote'],
			[ "#{rand(10)}'", 'Random value with single quote']
		]

		errorstr = [
			["Unclosed quotation mark after the character string",'MSSQL','string'],
			["Syntax error in string in query expression",'MSSQL','string'],
			["Microsoft OLE DB Provider",'MSSQL','unknown'],
			["You have an error in your SQL syntax",'MySQL','unknown'],
			["java.sql.SQLException",'unknown','unknown'],
			["ORA-",'ORACLE','unknown'],
			["PLS-",'ORACLE','unknown'],
			["Syntax error",'unknown','unknown'],
		]

		#
		# Dealing with empty query/data and making them hashes.
		#

		if  !datastore['QUERY'] or datastore['QUERY'].empty?
			return
		else
			qvars = queryparse(datastore['QUERY']) #Now its a Hash
		end

		#
		# Send normal request to check if error is generated
		# (means the error is caused by other means)
		#
		#

		if datastore['METHOD'] == 'POST'
			reqinfo = {
				'uri'  		=> datastore['PATH'],
				'vars_post' => qvars,
				'method'   	=> datastore['METHOD'],
				'ctype'		=> 'application/x-www-form-urlencoded'
			}
		else
			reqinfo = {
				'uri'  		=> datastore['PATH'],
				'vars_get' 	=> qvars,
				'method'   	=> datastore['METHOD'],
				'ctype'		=> 'application/x-www-form-urlencoded'
			}
		end
		
		begin
			normalres = send_request_cgi(reqinfo, 20)

		rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
		rescue ::Timeout::Error, ::Errno::EPIPE
		end

		if !datastore['NoDetailMessages']
			print_status("Normal request sent.")
		end

		found = false
		inje = nil
		dbt = nil
		injt = nil

		if normalres
			errorstr.each do |estr,dbtype,injtype|
				if normalres.body.include? estr
					found = true
					inje = estr
					dbt = dbtype
					injt = injtype
				end
			end

			if found
				print_error("[#{wmap_target_host}] Error string appears in the normal response, unable to test")
				print_error("[#{wmap_target_host}] Error string: '#{inje}'")
				print_error("[#{wmap_target_host}] DB TYPE: #{dbt}, Error type '#{injt}'")

				report_note(
					:host	=> ip,
					:proto  => 'tcp',
					:sname	=> 'HTTP',
					:port	=> rport,
					:type	=> 'DATABASE_ERROR',
					:data	=> "#{datastore['PATH']} Error: #{inje} DB: #{dbt}"
				)

				return
			end
		else
			print_error("[#{wmap_target_host}] No response")
			return
		end

		#
		# Test URI Query parameters
		#

		found = false

		if qvars
			sqlinj.each do |istr,idesc|

				if found
					break
				end

				qvars.each do |key,value|
					qvars = queryparse(datastore['QUERY']) #Now its a Hash
					qvars[key] = qvars[key]+istr

					if !datastore['NoDetailMessages']
						print_status("- Testing query with #{idesc}. Parameter #{key}:")
					end
					
					if datastore['METHOD'] == 'POST'
						reqinfo = {
							'uri'  		=> datastore['PATH'],
							'vars_post' => qvars,
							'method'   	=> datastore['METHOD'],
							'ctype'		=> 'application/x-www-form-urlencoded'
						}
					else
						reqinfo = {
							'uri'  		=> datastore['PATH'],
							'vars_get' 	=> qvars,
							'method'   	=> datastore['METHOD'],
							'ctype'		=> 'application/x-www-form-urlencoded'
						}
					end

					begin
						
						testres = send_request_cgi(reqinfo, 20)

					rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
					rescue ::Timeout::Error, ::Errno::EPIPE
					end

					if testres
						errorstr.each do |estr,dbtype,injtype|
							if testres.body.include? estr
								found = true
								inje = estr
								dbt = dbtype
								injt = injtype
							end
						end

						if found
							print_status("[#{wmap_target_host}] SQL Injection found. (#{idesc}) (#{datastore['PATH']})")
							print_status("[#{wmap_target_host}] Error string: '#{inje}' Test Value: #{qvars[key]}")
							print_status("[#{wmap_target_host}] Vuln query parameter: #{key} DB TYPE: #{dbt}, Error type '#{injt}'")

							report_note(
								:host	=> ip,
								:proto  => 'tcp',
								:sname	=> 'HTTP',
								:port	=> rport,
								:type	=> 'SQL_INJECTION',
								:data	=> "#{datastore['PATH']} Location: QUERY Parameter: #{key} Value: #{istr} Error: #{inje} DB: #{dbt}"
							)

							return
						end
					else
						print_error("[#{wmap_target_host}] No response")
						return
					end
				end
			end
			qvars = queryparse(datastore['QUERY'])
		end
	end	
end