Friday, October 17, 2008

Automatic SQL Injection Website Defacement

I wrote a proof-of-concept tool based on the ASPROX bot, which has been attacking millions of SQL-injection-prone web sites running MS-SQL servers at their back ends.
Given a list of URLs, which can be retrieved using various crawlers found on the web, it tests for SQL injection via URL parameters. If one works, it attempts either to inject defacement content entered by the user or, alternatively, to run an OS command on the SQL server.

Main Features:
  1. Written in Python
  2. Uses the robust CURL library - fastest HTTP request crafter in the world
  3. Encodes payload query in binary format to encapsulate internal SQL syntax and evade IDS systems
  4. URL encodes all content to comply with standard GET requests
  5. Allows usage of HTTP proxy

  1. Parallelize URL attacks
  2. Attack web forms with POST requests
  3. Build GUI (IronPython...?)
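
Seen from the defending side, features 3 and 4 above leave a recognizable trace in web server logs. The following Python check is an added example, not part of the original post or the tool: it undoes URL encoding, looks for a long hex literal together with the T-SQL constructs needed to turn it back into a statement, and decodes the literal for the analyst. It assumes the binary encoding shows up as an MS-SQL `0x...` constant; the log lines, addresses, parameter names and the harmless marker string are constructed.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# "0x" followed by 16+ hex-encoded bytes: assumed shape of a binary-encoded SQL string in a URL.
HEX_BLOB = re.compile(r"0x((?:[0-9a-fA-F]{2}){16,})")
# T-SQL constructs that convert such a blob back into text or run it.
SQL_WRAPPER = re.compile(r"\b(?:declare\s+@|set\s+@|cast\s*\(|convert\s*\(|exec(?:ute)?\b)", re.I)

def fully_decode(text, max_rounds=3):
    """Undo (possibly repeated) URL encoding so keywords cannot hide behind %XX."""
    for _ in range(max_rounds):
        decoded = unquote_plus(text)
        if decoded == text:
            break
        text = decoded
    return text

def decode_blob(hex_digits):
    """Render the hidden bytes for an analyst; handles VARCHAR and NVARCHAR (UTF-16LE)."""
    raw = bytes.fromhex(hex_digits)
    if len(raw) % 2 == 0 and raw[1::2].count(0) > len(raw) // 4:
        return raw.decode("utf-16-le", errors="replace")
    return raw.decode("latin-1")

def inspect_request(line):
    """Return None for a clean common-log-format line, else a finding dict."""
    m = re.search(r'"(?:GET|POST|HEAD) (\S+)', line)
    if not m:
        return None
    url = urlsplit(m.group(1))
    query = fully_decode(url.query)
    blob = HEX_BLOB.search(query)
    if blob and SQL_WRAPPER.search(query):
        return {"path": url.path, "hidden": decode_blob(blob.group(1))}
    return None

def scan(lines):
    """Collect findings for every suspicious line."""
    return [f for f in map(inspect_request, lines) if f]

# Constructed sample lines; the hex blob encodes only the harmless marker string below.
_BLOB = "-- constructed test marker --".encode("latin-1").hex().upper()
SAMPLE_LOG = [
    '198.51.100.7 - - [17/Oct/2008:10:00:01 +0000] "GET /item.asp?id=5 HTTP/1.1" 200 512',
    '198.51.100.7 - - [17/Oct/2008:10:00:02 +0000] "GET /item.asp?id=5%3BSET%20%40v%3D'
    'CAST(0x' + _BLOB + '%20AS%20VARCHAR(64)) HTTP/1.1" 500 0',
    '203.0.113.9 - - [17/Oct/2008:10:00:03 +0000] "GET /dl.asp?token=0x' + "AB" * 20 + ' HTTP/1.1" 200 90',
]
```

Requiring both signals keeps the third sample line, a long hex token with no SQL around it, from being flagged.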

