Showing posts from September, 2012

sqlmap - A Tool to Test SQL Injection

In a previous post I designed a simple web page that would accept a username and password.  I chose to test this same page for sql injections with a tool called sqlmap.

First taking the server response from a previous post I noticed the data was posted as "username=test&password=test".  Then I took this information and created the sqlmap command I was going to run.

python --data="username=test&password=test" --url="http://test.local" -t http.log

It was after some research that I found the "-t" option.  This outputs to a file the server and client responses in plain text or the encoding used. 

The http.log was a lot easier to use then wireshark that I initially was using.  I wanted to understand more of how sqlmap could gather the database name, table name and then the contents of this.

I grepped the http.log file for the keyword username= and found after url-decoding the SQL statements being sent back and forth.  Then I analyzed th…

Simple Bash HTTP Spider

I was tasked with finding broken links and links that did not link directly with a parent site.  Here is the simple Bash HTTP Spider that I wrote.  The followMaster.txt has the list of URLs referring to the parent site.  The links_outside.txt and links_outsideNew.txt have the external links or ones without the URL as the argument in them.

Usage: ./ http://url.url

# This script is design to spider a web site for URLs
# The first argument is the URL that will be spidered...
# This core URL will remain as the spider goes through the site
# Will spider 5 rounds through the URLs found

if [ $# -eq 0 ]; then
    echo "Example: ./ url"
    echo "URL - URL to spider"
    echo ""

wget $1 -O main.txt

cat main.txt | grep "a href" | sed 's/.*<a href="//' | sed 's/">.*//' | awk '{print $1}' | grep -v -e "javascript:" | sed 's/"//' | grep "$1" | sort | uniq

Brute Force HTTP Login

The purpose of this post is to better understand how to brute force an HTTP login.  So I took the time to design a real simple web application in php with a MySQL database.  This is so I could have a test server to work from.

The php code is below that I used:
<FORM NAME="index" method="POST" action="checklogin.php">
        echo '<TABLE><TR>';
        echo '<TD>Username</TD><TD><input type=text name=username size=20></TD>';
        echo '</TR><TR>';
        echo '<TD>Password</TD><TD><input type=password name=password size=20></TD>';
        echo '</TR><TR>';
        echo '<TD COLSPAN=2><CENTER><input type=submit value=Login></CENTER></TD>';
        echo '</TR></TABLE>';

The php code for chec…