mushorg / tanner

He who flays the hide
GNU General Public License v3.0

SQL injection emulation #6

Closed glaslos closed 8 years ago

glaslos commented 8 years ago

This is a bit of a tricky one and we made various attempts in Glastopf. The first attempt was based on tokenizing known SQL injection queries and using them to match queries against Glastopf. This had limited success as we had a small database. The response was generally just a default MySQL error message. The second attempt can be found here and here (IIRC libinjection now has its own Python bindings). Finally we have this fork of Glastopf using a sandboxed database: https://github.com/rebeccan/glastopf. I think an initial implementation should be based on libinjection.

glaslos commented 8 years ago

Find out if we can use https://github.com/client9/libinjection to detect SQLi

afeena commented 8 years ago

I get an error when trying to use libinjection with Python 3. I used these docs and get the following error:

Traceback (most recent call last):
  File "/home/afeena/draft/sqli.py", line 4, in <module>
    s = sqli_state()
NameError: name 'sqli_state' is not defined

I have the module in `/usr/local/lib/python3.5/dist-packages/libinjection-3.9.1-py3.5-linux-x86_64.egg`. I can import the module, but can't use its functions.

When I use libinjection with Python 2 I have no problem; it finds all the functions. I don't know the binding process well, maybe we can do something about the error?

glaslos commented 8 years ago

I can confirm your issue.

glaslos commented 8 years ago

Can you raise an issue with the maintainer of libinjection?

afeena commented 8 years ago

I wrote the issue yesterday :) https://github.com/client9/libinjection/issues/108 Waiting for the answer.

glaslos commented 8 years ago

Initial work done here: 638ed6a

afeena commented 8 years ago

I've been thinking about initializing the DB: we can use an SQL file to create it. If the user wants, they can use their own SQL file, but by default we can use any existing dump.

glaslos commented 8 years ago

Can you have a look at how it was done by Rebecca? https://github.com/rebeccan/glastopf There is some information in install.txt.

afeena commented 8 years ago

I explored the code one more time. I want to make the first implementation with two tables (users and comments) and an SQLite DB, and without Docker for the first attempt. Would that be OK?

glaslos commented 8 years ago

Sounds good.

afeena commented 8 years ago

Mapping requests to tables blew my mind. I have only one idea for how to implement this: create special dorks for SQLi based on the existing database.

Example: we have a table users with the fields id, username, email, password.

  1. Determine the set of queries for the table:
    SELECT * FROM users WHERE id=, SELECT email FROM users WHERE username=, etc.
  2. Create special dorks mapped to the queries:
    /smth/blogpost.php?id=1, /smth/userinfo.php?username=admin, etc.

Maybe this idea doesn't have any chance, but I can't imagine how to make a working system for various DBs and sites.

We can stay for now with Rebecca's implementation: map login/password (in GET or POST) to the users table (for the login form), and the comment in the request to the comments table.

Can you look at my commits, please? Maybe I move in a wrong direction. https://github.com/afeena/tanner/commit/d7d0fb2980e46213c78b79da4215b27889debeb4 https://github.com/afeena/tanner/commit/abede5ed236b7fc3d7f5ed9f25831e8311354eac

glaslos commented 8 years ago

SQLi handling consists of two components: we want to detect the SQLi statements in the HTTP query (using libinjection) and we want to reply to the query so the adversary thinks he was successful. As you already noticed, the second part is rather difficult. Usually we see SQLi queries that target specific applications. They will try the query against the honeypot; if it's not working, they move on to a different target. Then we see queries that are only probing to see if there is a vulnerability. Usually they try to trigger an SQL error message. Then they try to use that error message from SQL to get data out of the database. So sometimes it is enough to respond with an SQL error message if we see a SQL injection query. This is how I would start: if it is a SQL injection and we don't know how to respond properly, reply with an error message.
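
The following is an added example, not code from the tanner project or from either commenter, that sketches both ideas from the two comments above: afeena's dork table that maps a fake path and parameter onto a query against a sandboxed two-table SQLite database, and glaslos's fallback of returning a MySQL-style error message when the injected query cannot be executed. The dork table, the sample dump and the `emulate()` function are all hypothetical; the regex `SQLI_HINT` is a crude stand-in for the libinjection check the thread proposes and is not how libinjection works.

```python
"""Sandboxed SQLi emulation sketch (added example, not tanner code)."""
import re
import sqlite3

# Constructed sample dump: the two-table layout proposed in the thread.
SANDBOX_DUMP = """
CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT, password TEXT);
CREATE TABLE comments (id INTEGER PRIMARY KEY, user_id INTEGER, body TEXT);
INSERT INTO users VALUES (1, 'admin', 'admin@example.com', '5f4dcc3b5aa765d61d8327deb882cf99');
INSERT INTO users VALUES (2, 'alice', 'alice@example.com', 'e10adc3949ba59abbe56e057f20f883e');
INSERT INTO comments VALUES (1, 1, 'first post');
INSERT INTO comments VALUES (2, 2, 'nice blog');
"""

# Hypothetical dork table: fake path -> (injectable parameter, query template).
# The templates interpolate the raw parameter on purpose: the sandbox exists so
# the adversary's payload can run against throwaway data and yield a plausible answer.
DORKS = {
    "/blogpost.php": ("id", "SELECT id, user_id, body FROM comments WHERE id={v}"),
    "/userinfo.php": ("username", "SELECT email FROM users WHERE username='{v}'"),
}

# Crude stand-in for the libinjection check; the real honeypot would call libinjection.
SQLI_HINT = re.compile(r"'|--|;|/\*|\b(union|select|or|and)\b", re.IGNORECASE)

# MySQL-style syntax error: probing payloads look for exactly this text.
MYSQL_SYNTAX_ERROR = (
    "You have an error in your SQL syntax; check the manual that corresponds to "
    "your MySQL server version for the right syntax to use near '{near}' at line 1"
)


def looks_like_sqli(value):
    """Heuristic only; libinjection would replace this."""
    return bool(SQLI_HINT.search(value))


def fresh_sandbox():
    """New in-memory database per request, so one payload cannot taint the next."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SANDBOX_DUMP)
    return conn


def emulate(path, params):
    """Map a request onto the sandbox.

    Returns ('rows', [...]) when the (possibly injected) query ran,
    ('error', message) when the payload broke the SQL, and (None, None)
    when no dork covers the path.
    """
    if path not in DORKS:
        return None, None
    param, template = DORKS[path]
    value = params.get(param, "")
    query = template.format(v=value)
    conn = fresh_sandbox()
    try:
        rows = conn.execute(query).fetchall()
    except (sqlite3.Error, sqlite3.Warning):
        # Stacked statements raise Warning on older Pythons, ProgrammingError on newer.
        # Fallback from the thread: we saw an injection but cannot answer it
        # sensibly, so return the error text a real MySQL backend would leak.
        if looks_like_sqli(value):
            return "error", MYSQL_SYNTAX_ERROR.format(near=value[-32:])
        return "rows", []
    finally:
        conn.close()
    return "rows", rows


if __name__ == "__main__":
    print(emulate("/userinfo.php", {"username": "' OR '1'='1"}))
    print(emulate("/userinfo.php", {"username": "admin'"}))
```

A tautology payload returns every user's email, a UNION payload pulls rows from the other table, and an unbalanced quote gets the MySQL-style error, which is the minimum glaslos suggests. Because each request gets a fresh in-memory database, a `DROP TABLE` or `UPDATE` in one probe never changes what the next probe sees.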

glaslos commented 8 years ago

Initial work done with dde3110