Class: API_Fuzzer::SqlCheck

Inherits:

Object

• Object
• API_Fuzzer::SqlCheck

Defined in:

lib/API_Fuzzer/sql_check.rb

Direct Known Subclasses

SqlBlindCheck

Constant Summary

ALLOWED_METHODS =

[:get, :post].freeze

PAYLOAD_PATH =

File.expand_path('../../../payloads/sql.txt', __FILE__)

DETECT_PATH =

File.expand_path('../../../payloads/detect/sql.txt', __FILE__)

Instance Attribute Summary

• #parameters ⇒ Object

  Returns the value of attribute parameters.

• #payloads ⇒ Object

  Returns the value of attribute payloads.

• #sql_errors ⇒ Object

  Returns the value of attribute sql_errors.

Class Method Summary

• .check_response?(body, payload) ⇒ Boolean
• .fetch_payloads ⇒ Object
• .fuzz_each_fragment(url, payload) ⇒ Object
• .fuzz_each_parameter(parameter, payload) ⇒ Object
• .fuzz_each_payload(payload) ⇒ Object
• .fuzz_payloads ⇒ Object
• .response_json?(response) ⇒ Boolean
• .scan(options = {}) ⇒ Object
• .success?(response) ⇒ Boolean

Instance Attribute Details

#parameters ⇒ Object

Returns the value of attribute parameters.

# File 'lib/API_Fuzzer/sql_check.rb', line 9

def parameters
  @parameters
end

#payloads ⇒ Object

Returns the value of attribute payloads.

# File 'lib/API_Fuzzer/sql_check.rb', line 10

def payloads
  @payloads
end

#sql_errors ⇒ Object

Returns the value of attribute sql_errors.

# File 'lib/API_Fuzzer/sql_check.rb', line 10

def sql_errors
  @sql_errors
end

Class Method Details

.check_response?(body, payload) ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/API_Fuzzer/sql_check.rb', line 126

def self.check_response?(body, payload)
  @sql_errors.each do |error|
    if body.match(error.chomp)
      puts error
      return true
    end
  end
  false
end

.fetch_payloads ⇒ Object

# File 'lib/API_Fuzzer/sql_check.rb', line 144

def self.fetch_payloads
  file = File.expand_path(PAYLOAD_PATH, __FILE__)
  File.readlines(file).each do |line|
    @payloads << line
  end

  file = File.expand_path(DETECT_PATH, __FILE__)
  File.readlines(file).each do |line|
    @sql_errors << line.downcase
  end
end

.fuzz_each_fragment(url, payload) ⇒ Object

# File 'lib/API_Fuzzer/sql_check.rb', line 65

def self.fuzz_each_fragment(url, payload)
  ALLOWED_METHODS.each  do |method|
    begin
      response = API_Fuzzer::Request.send_api_request(
        url: url,
        method: method,
        cookies: @cookies,
        headers: @headers
      )

      @vulnerabilities << API_Fuzzer::Error.new(description: "#{method} #{@url}", status: response.status, value: response.body) unless success?(response)
      body = ''
      if response_json?(response)
        body = JSON.parse(response.body)
      else
        body = response.body
      end

      vulnerable = check_response?(body.to_s.downcase, payload)
      next unless vulnerable
      @vulnerabilities << API_Fuzzer::Vulnerability.new(
        description: "Possible SQL injection in #{method} #{@url}",
        parameter: "URL: #{url}",
        value: "[PAYLOAD] #{payload}",
        type: 'HIGH'
      )
    rescue Exception => e
      puts e.message
    end
  end
end

.fuzz_each_parameter(parameter, payload) ⇒ Object

# File 'lib/API_Fuzzer/sql_check.rb', line 97

def self.fuzz_each_parameter(parameter, payload)
  @params[parameter] = payload
  ALLOWED_METHODS.each do |method|
    begin
      response = API_Fuzzer::Request.send_api_request(
        url: @url,
        params: @params,
        method: method,
        cookies: @cookies,
        headers: @headers
      )

      @vulnerabilities << API_Fuzzer::Error.new(description: "[ERROR] #{method} #{@url}", status: response.status, value: response.body) unless success?(response)
      body = response.body.to_s.downcase
      vulnerable = check_response?(body, payload)
      next unless vulnerable

      @vulnerabilities << API_Fuzzer::Vulnerability.new(
        description: "Possible SQL injection in #{method} #{@url} parameter: #{parameter}",
        parameter: "parameter: #{@parameter}",
        value: "[PAYLOAD] #{payload}",
        type: 'HIGH'
      )
    rescue Exception => e
      puts e.message
    end
  end
end

.fuzz_each_payload(payload) ⇒ Object

# File 'lib/API_Fuzzer/sql_check.rb', line 42

def self.fuzz_each_payload(payload)
  uri = URI(@url)
  path = uri.path
  query = uri.query
  base_uri = query.nil? ? path : [path, query].join("?")
  fragments = base_uri.split(/[\/,?,&]/) - ['']
  fragments.each do |fragment|
    if fragment.match(/\A(\w)+=(\w)*\z/)
      url = @url.gsub(fragment, [fragment, payload].join('')).chomp
      fuzz_each_fragment(url, payload)
    else
      url = @url.gsub(fragment, payload).chomp
      fuzz_each_fragment(url, payload)
    end
  end

  return if @params.empty?

  @params.keys.each do |parameter|
    fuzz_each_parameter(parameter, payload)
  end
end

.fuzz_payloads ⇒ Object

# File 'lib/API_Fuzzer/sql_check.rb', line 36

def self.fuzz_payloads
  @payloads.each do |payload|
    fuzz_each_payload(payload)
  end
end

.response_json?(response) ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/API_Fuzzer/sql_check.rb', line 140

def self.response_json?(response)
  response && response.headers['Content-Type'] && response.headers['Content-Type'].downcase =~ /application\/json/
end

.scan(options = {}) ⇒ Object

# File 'lib/API_Fuzzer/sql_check.rb', line 16

def self.scan(options = {})
  @payloads  = []
  @sql_errors = []
  fetch_payloads
  @url = options[:url] || nil
  raise InvalidURLError, "[ERROR] URL missing in argument" unless @url
  @params = options[:params] || {}
  @cookies = options[:cookies] || {}
  @json = options[:json] || false
  @headers = options[:headers] || {}
  @vulnerabilities = []

  fuzz_payloads
  return @vulnerabilities.uniq { |vuln| vuln.description }
rescue HTTP::ConnectionError => e
  sleep(5)
  fuzz_payloads
  return @vulnerabilities.uniq { |vuln| vuln.description }
end

.success?(response) ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/API_Fuzzer/sql_check.rb', line 136

def self.success?(response)
  response.code == 200
end