Script http-sql-injection

Script types: portrule
Categories: intrusive, vuln
Download: https://svn.nmap.org/nmap/scripts/http-sql-injection.nse

Script Summary

Spiders an HTTP server looking for URLs containing queries vulnerable to an SQL injection attack. It also extracts forms from found websites and tries to identify fields that are vulnerable.

The script spiders an HTTP server looking for URLs containing queries. It then proceeds to combine crafted SQL commands with susceptible URLs in order to obtain errors. The errors are analysed to see if the URL is vulnerable to attack. This uses the most basic form of SQL injection but anything more complicated is better suited to a standalone tool.

We may not have access to the target web server's true hostname, which can prevent access to virtually hosted sites.

Script Arguments

http-sql-injection.withinhost

only spider URLs within the same host. (default: true)

http-sql-injection.errorstrings

a path to a file containing the error strings to search for (one per line; lines starting with # are treated as comments). The default file is nselib/data/http-sql-errors.lst, which was taken from the fuzzdb project; for more information, see http://code.google.com/p/fuzzdb/. If you find strings in that file that cause a lot of false positives, please report them to dev@nmap.org.

http-sql-injection.withindomain

only spider URLs within the same domain. This widens the scope from withinhost and cannot be used in combination with it. (default: false)

http-sql-injection.url

the URL to start spidering. This is a URL relative to the scanned host, e.g. /default.html (default: /)

http-sql-injection.maxpagecount

the maximum number of pages to visit. A negative value disables the limit (default: 20)

slaxml.debug

See the documentation for the slaxml library.

httpspider.doscraping, httpspider.maxdepth, httpspider.maxpagecount, httpspider.noblacklist, httpspider.url, httpspider.useheadfornonwebfiles, httpspider.withindomain, httpspider.withinhost

See the documentation for the httpspider library.

smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername

See the documentation for the smbauth library.

http.host, http.max-body-size, http.max-cache-size, http.max-pipeline, http.pipeline, http.truncated-ok, http.useragent

See the documentation for the http library.
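The summary above says the script analyses responses for database error messages, and the errorstrings argument documents the file format those messages come from (one string per line, lines starting with # are comments). The following is an added example written for this page in Python, not the script's own Lua code, showing that error-string analysis step and a baseline comparison that guards against the false positives the argument description warns about. The error list and the HTTP response bodies are constructed samples; the real nselib/data/http-sql-errors.lst is not reproduced here.

```python
"""Parse an error-string list in the http-sql-injection.errorstrings format and
check HTTP response bodies against it. Added example, not Nmap code."""
from typing import List

# Constructed sample in the documented file format (one pattern per line,
# '#' starts a comment). Not the contents of the real http-sql-errors.lst.
SAMPLE_ERROR_LIST = """\
# database error signatures, one per line
You have an error in your SQL syntax
Warning: mysql_fetch_array()
ORA-00933: SQL command not properly ended
Unclosed quotation mark after the character string

# blank lines and comment lines are skipped
PostgreSQL query failed
"""

# Constructed response bodies standing in for what a spidered page returns.
BASELINE_BODY = "<html><body><h1>Products</h1><p>13 items found</p></body></html>"
PROBED_BODY = (
    "<html><body>Warning: mysql_fetch_array() expects parameter 1 to be "
    "resource, boolean given in /var/www/page.php on line 12<br>"
    "You have an error in your SQL syntax; check the manual</body></html>"
)
# A help page that quotes an error message in its ordinary text: a naive
# substring match would flag it even without any injection.
FAQ_BODY = ("<p>If you see 'You have an error in your SQL syntax' in the "
            "admin panel, contact support.</p>")


def parse_error_strings(text: str) -> List[str]:
    """Return the non-empty, non-comment lines of an error-string list."""
    patterns = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        patterns.append(line)
    return patterns


def find_error_strings(body: str, patterns: List[str]) -> List[str]:
    """Return every pattern that occurs in the body (case-insensitive)."""
    lowered = body.lower()
    return [p for p in patterns if p.lower() in lowered]


def looks_injectable(baseline_body: str, probed_body: str,
                     patterns: List[str]) -> bool:
    """Flag a parameter only if the probe introduces an error string that the
    un-probed page did not already contain. Comparing against a baseline
    is an added precaution against false positives from pages that happen
    to quote database error text."""
    before = set(find_error_strings(baseline_body, patterns))
    after = set(find_error_strings(probed_body, patterns))
    return bool(after - before)


if __name__ == "__main__":
    pats = parse_error_strings(SAMPLE_ERROR_LIST)
    print("patterns loaded:", len(pats))
    print("probe introduced errors:", looks_injectable(BASELINE_BODY, PROBED_BODY, pats))
    print("FAQ page unchanged by probe:", looks_injectable(FAQ_BODY, FAQ_BODY, pats))
```

The baseline comparison is the part worth keeping in mind when tuning the error list: a string that already appears on the unmodified page cannot be evidence that the injected value reached the database, so it should not count toward a finding.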

Example Usage

nmap -sV --script=http-sql-injection <target>

Script Output

PORT   STATE SERVICE
80/tcp open  http    syn-ack
| http-sql-injection:
|   Possible sqli for queries:
|     http://foo.pl/forms/page.php?param=13'%20OR%20sqlspider
|   Possible sqli for forms:
|     Form at path: /forms/f1.html, form's action: a1/check1.php. Fields that might be vulnerable:
|       f1text
|     Form at path: /forms/a1/../f2.html, form's action: a1/check2.php. Fields that might be vulnerable:
|_      f2text
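The sample output above shows the probe the script appends to a query value ("'%20OR%20sqlspider", which decodes to "' OR sqlspider"), so the token sqlspider in a request line is a reliable marker of this scanner in web server logs. The following is an added example for defenders, written in Python for this page and not part of Nmap, that scans access-log lines for that marker and reports which parameter was probed. The log lines are constructed in combined log format with documentation IP addresses.

```python
"""Flag http-sql-injection probes in web server access logs by the sqlspider
marker visible in the script's output. Added example, not Nmap code."""
import re
from typing import Dict, List
from urllib.parse import parse_qsl, urlsplit

# Combined log format: ip ident user [time] "method path proto" status size
COMBINED_LOG = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+'
)

# Constructed sample log: one normal request, the scanner's probe of the
# same page, a form submission, and an unrelated search that must not match.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Oct/2023:13:55:36 +0000] "GET /forms/page.php?param=13 HTTP/1.1" 200 512
203.0.113.10 - - [10/Oct/2023:13:55:37 +0000] "GET /forms/page.php?param=13'%20OR%20sqlspider HTTP/1.1" 500 1834
203.0.113.10 - - [10/Oct/2023:13:55:38 +0000] "POST /forms/a1/check1.php HTTP/1.1" 200 77
198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /search?q=spider+season HTTP/1.1" 200 2048
"""

MARKER = "sqlspider"


def scan_access_log(text: str) -> List[Dict[str, str]]:
    """Return one record per request whose decoded query string carries the
    sqlspider marker, naming the tampered parameter and the response status.
    A 5xx status on the probed request is the kind of error the scanner is
    looking for, so it is worth surfacing alongside the match."""
    hits = []
    for line in text.splitlines():
        m = COMBINED_LOG.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("path"))
        # parse_qsl percent-decodes values, so "%20OR%20sqlspider" becomes
        # " OR sqlspider" before the marker check.
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            if MARKER in value.lower():
                hits.append({
                    "ip": m.group("ip"),
                    "time": m.group("time"),
                    "path": parts.path,
                    "param": name,
                    "value": value,
                    "status": m.group("status"),
                })
    return hits


if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(f"{hit['time']} {hit['ip']} probed {hit['path']} "
              f"param={hit['param']!r} value={hit['value']!r} status={hit['status']}")
```

Matching on the decoded value rather than the raw request line avoids missing probes that arrive with different percent-encoding, and keying the record on the parameter name makes it straightforward to check afterwards whether the server actually returned an error for that field.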


Authors:

  • Eddie Bell
  • Piotr Olma

License: Same as Nmap--See https://nmap.org/book/man-legal.html

portrule

portrule (host, port)

Parameters

host

port