
Is there a way to find SQL injection vulnerabilities?

Note: I am asking how to find them on a server you are in control of so you can fix them. I am not asking about how to detect them on someone else's server to exploit them.

Is there a way to find every occurrence of mysql_query() without opening every page and doing a ctrl+f?

JD Isaacks

5 Answers


Using Linux, you can use the grep utility.

find /dir/containing/files -type f -name '*.php'|xargs grep --color=auto "mysql_query"
  • /dir/containing/files: the directory containing your PHP files, for example /home/user/domains/example.com/public_html
  • -type f: search for files only (not directories)
  • -name '*.php': match files ending with .php only. If you'd like to match other files too, like .inc, use this instead: -name '*.php' -o -name '*.inc' (matches *.php OR *.inc)
  • |xargs grep: use the contents of the found files for searching
  • --color=auto: highlights the found part
  • "mysql_query": your search term
Lekensteyn
  • Can you explain that in baby steps? – Richard JP Le Guen Sep 03 '10 at 14:03
  • @Richard first, he's finding all PHP files. Then he's sending them to grep, and searching for all occurrences of "mysql_query". Lekensteyn is satirically telling you how using the old mysql API is vulnerable to injection attacks :) – jrharshath Sep 03 '10 at 14:07
  • Just did it :) Note: this will highlight lines only, not the context. – Lekensteyn Sep 03 '10 at 14:08
  • Is this something I can do from a php script if the site is through a hosting company? Thanks! – JD Isaacks Sep 03 '10 at 14:08
  • @John: Why wouldn't you have a copy of the site locally? – Steven Sudit Sep 03 '10 at 14:10
  • @Steven, I do, but it's not stored locally on a Linux machine. – JD Isaacks Sep 03 '10 at 14:11
  • Using PHP will be more work. You can use CGI to execute bash. Place a file named `somefile.sh` (or whatever you want, even the extension doesn't matter) in your `cgi-bin`, `chmod` it to 755. The first line should contain `#!/bin/sh` (or `#!/usr/local/bin/sh` on BSD), the second line `printf "Content-Type: text/plain\n\n"` and the third the given line in the answer. This works only for Linux machines; if you're working on Windoze or something, consider a virtual machine with Linux installed. – Lekensteyn Sep 03 '10 at 14:11
  • @Lekensteyn it's hosted on a Linux machine, my local copy is just on Windows. Thanks! – JD Isaacks Sep 03 '10 at 14:13
  • @John: If you have it on a Windows box, you can use ports of Unix tools, or if you have MS VS handy, its built-in grep functionality ("Find in Files") should be sufficient. – Steven Sudit Sep 03 '10 at 14:13
  • @John, you can use a CGI script as I described in my last post. Otherwise, you can use SSI: save the following as file.shtml: ``. Works on apache with `Options +Includes` – Lekensteyn Sep 03 '10 at 14:16
  • @Lèse majesté No one uses this method to find SQL injection. Everyone uses fuzzers. I seriously doubt you have ever found a SQL injection vulnerability in your entire life and you're giving people security advice. – rook Sep 03 '10 at 22:02
  • @Rook: Well aren't you Mr. Conceited... Maybe you should learn the difference between black box testing and white box testing, or code auditing? Simply using a "fuzzer" without identifying internal injection points isn't going to help you find potential vulnerabilities in a framework or library/component. – Lèse majesté Sep 04 '10 at 01:27
  • @Rook, if you've written the source yourself, this will be fine, provided you know the function you use for running SQL queries. Not everyone is as experienced as you. If the OP wants a way to find a specified string in all files, I pass it on. – Lekensteyn Sep 04 '10 at 08:21
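Building on the find/xargs command in this answer, here is an added example (not from the original post) that also prints file and line number, copes with paths containing spaces, and separates out the mysql_query() calls that splice a PHP variable into the SQL string, which are the ones to review first. The sample site it scans is constructed inline; make_demo_tree, scan_mysql_query and flag_interpolated are names chosen for this example, and GNU find/grep/xargs are assumed.

```shell
#!/bin/sh
# Added example, not part of the original answer: audit a PHP tree for mysql_query()
# calls and flag the ones whose SQL string pulls in a PHP variable (the usual
# injection points). Handles paths with spaces via -print0/xargs -0 and prints
# file:line so each hit can be opened directly. Assumes GNU find/grep/xargs.

# scan_mysql_query DIR: every line containing mysql_query in *.php / *.inc files
scan_mysql_query() {
    find "$1" -type f \( -name '*.php' -o -name '*.inc' \) -print0 |
        xargs -0 -r grep -n -H 'mysql_query'
}

# flag_interpolated DIR: only the calls that build the query from a variable,
# either "...$var..." inside a double-quoted string or via concatenation (. $var)
flag_interpolated() {
    scan_mysql_query "$1" |
        grep -E 'mysql_query\(.*("[^"]*\$[A-Za-z_]|\.[[:space:]]*\$[A-Za-z_])'
}

# make_demo_tree: constructed sample site (two files, one in a dir with a space)
# so the script can be run offline; prints the directory it created.
make_demo_tree() {
    dir=$(mktemp -d)
    mkdir -p "$dir/admin pages"
    cat > "$dir/user.php" <<'EOF'
<?php
$id = $_GET['id'];
$r = mysql_query("SELECT * FROM users WHERE id = $id");   // variable interpolated
$n = mysql_query("SELECT COUNT(*) FROM users");           // constant query, fine
EOF
    cat > "$dir/admin pages/list.inc" <<'EOF'
<?php
$q = mysql_query("SELECT * FROM t WHERE name = '" . $name . "'"); // concatenated
EOF
    echo "$dir"
}

# Usage: sh audit.sh /path/to/site   (with no argument, runs against the demo tree)
target=${1:-$(make_demo_tree)}
echo "== all mysql_query() calls in $target =="
scan_mysql_query "$target"
echo "== calls that interpolate a variable (review these first) =="
flag_interpolated "$target"
```

The second list is a starting point, not a verdict: a call that passes a pre-escaped or validated variable may be safe, and a call built in a helper function will only show up where that helper is invoked.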

No, there is no simple way. And if there is, it is NOT fool-proof.

That being said, you should look into this question/answer thread and apply them.

For searching mysql_query(), you can use your text-editor's search in files feature. I use Notepad++ and it has search-in-files which can search for any string like mysql_query in a directory and subdirectory with specific extension (.php in your case) files.

A tutorial with screenshot for Notepad++ is here.

shamittomar

There's an open source project written in Python called w3af which is used, among other things, to find SQL injection problems.

Download it from the page and then when you start it select the fast_scan profile and on the Target enter your URL (it could be something like http://localhost:8080 if you are running locally) and run the application.

If it finds any SQL injection problem it will let you know.

This step can be done after checking all your mysql_query calls to check everything is working fine.

Lombo

By far the best way to find SQL injection vulnerabilities is by using a fuzzer such as Acunetix ($), NTOSpider ($$$), Wapiti (open source, very good), W3AF (open source, not very good).

Make sure display_errors=On. These tools detect SQL injection by inserting bad data like '" and seeing if an error is displayed. They also detect SQL injection by injecting queries that take a long time like ' sleep(30)-- to see if the request takes more than 30 seconds.

rook

If you want to search, give Red Gate's excellent SQL Search tool a try (it's free!), but it's only for SQL Server.

AndrewJacksonZA
  • Even if he was using SQL Server, how would that even help with searching through inline SQL occurrences inside php files? – SQLMenace Sep 03 '10 at 14:07
  • I don't believe this is relevant, regardless of the database type. With the exception of dynamic SQL in stored procedures, the place to look for SQL injection errors is on the client, not the server. – Steven Sudit Sep 03 '10 at 14:08
  • @Steven Sudit: That's what I was referring to - dynamic SQL within stored procedures. – AndrewJacksonZA Sep 06 '10 at 11:15
  • Looks interesting, but I do my best to avoid dynamic SQL. I've gone that route before, when highly motivated, but it's a real pain, in addition to the security risks. – Steven Sudit Sep 08 '10 at 02:47