using System;
using System.IO;
using System.Net.Http;
using System.Text;
using System.Threading.Tasks;
using System.Collections.Generic;
/// <summary>
/// Command-line probe that appends a test string to every query-string value of each URL in a
/// list and reports whether the HTTP response body contains a known database error signature.
/// A positive result means the endpoint echoes raw database error text back to the client;
/// the corresponding hardening is to suppress verbose database errors in responses.
/// </summary>
class Program
{
    /// <summary>
    /// Substrings whose presence in a response body is treated as a leaked database error.
    /// Matched case-insensitively (ordinal) by <see cref="HasSqlError"/>.
    /// </summary>
    static readonly string[] ErrorSignatures =
    {
        "SQL syntax",
        "mysql_",
        "ORA-",
        "ODBC",
        "Unclosed quotation mark",
        "SQLiteException",
        "PDOException"
    };

    /// <summary>
    /// Entry point. Options: -l/--list (required; file of URLs, one per line) and
    /// -p/--payload (optional; file of strings, one per line; default is a single apostrophe).
    /// Prints "url => True|False" per URL. Returns silently when the list file is absent.
    /// </summary>
    static async Task Main(string[] args)
    {
        bool wantsHelp = args.Length == 0 || Has(args, "-h", "--help");
        if (wantsHelp)
        {
            Help();
            return;
        }

        string listFile = GetArg(args, "-l", "--list");
        bool haveList = listFile != null && File.Exists(listFile);
        if (!haveList)
        {
            return;
        }

        string payloadFile = GetArg(args, "-p", "--payload");
        List<string> payloads;
        if (payloadFile != null && File.Exists(payloadFile))
        {
            payloads = new List<string>(File.ReadAllLines(payloadFile));
        }
        else
        {
            payloads = new List<string> { "'" };
        }

        using var client = new HttpClient();
        foreach (var url in File.ReadAllLines(listFile))
        {
            bool flagged = await ProbeAsync(client, url, payloads);
            Console.WriteLine($"{url} => {flagged}");
        }
    }

    /// <summary>
    /// Requests <paramref name="url"/> once per payload and returns true as soon as a response
    /// body matches a signature. Any failed request (network error, non-success status) is
    /// skipped silently and the next payload is tried.
    /// </summary>
    static async Task<bool> ProbeAsync(HttpClient client, string url, List<string> payloads)
    {
        foreach (var payload in payloads)
        {
            try
            {
                var body = await client.GetStringAsync(Inject(url, payload));
                if (HasSqlError(body))
                {
                    return true;
                }
            }
            catch
            {
                // Best-effort by design: a request that throws contributes no evidence.
            }
        }
        return false;
    }

    /// <summary>
    /// Returns <paramref name="url"/> with <paramref name="payload"/> appended to the value of
    /// every key=value pair in its query string. A URL without '?' is returned unchanged; a
    /// query segment that does not split into exactly two parts on '=' is copied through as-is.
    /// Each value is URL-decoded before the payload is appended and the result is re-encoded
    /// with <see cref="Uri.EscapeDataString(string)"/>.
    /// </summary>
    static string Inject(string url, string payload)
    {
        int questionMark = url.IndexOf('?');
        if (questionMark < 0)
        {
            return url;
        }

        string prefix = url.Substring(0, questionMark + 1);
        string[] segments = url.Substring(questionMark + 1).Split('&');
        var rebuilt = new List<string>(segments.Length);
        foreach (string segment in segments)
        {
            string[] pair = segment.Split('=');
            if (pair.Length != 2)
            {
                rebuilt.Add(segment);
                continue;
            }
            string decoded = Uri.UnescapeDataString(pair[1]);
            rebuilt.Add(pair[0] + "=" + Uri.EscapeDataString(decoded + payload));
        }
        return prefix + string.Join("&", rebuilt);
    }

    /// <summary>
    /// True when <paramref name="body"/> contains any entry of <see cref="ErrorSignatures"/>,
    /// compared with <see cref="StringComparison.OrdinalIgnoreCase"/>.
    /// </summary>
    static bool HasSqlError(string body)
    {
        return Array.Exists(
            ErrorSignatures,
            signature => body.IndexOf(signature, StringComparison.OrdinalIgnoreCase) >= 0);
    }

    /// <summary>
    /// True when any element of <paramref name="a"/> is equal (ordinal) to any element of
    /// <paramref name="k"/>.
    /// </summary>
    static bool Has(string[] a, params string[] k)
    {
        foreach (var candidate in a)
        {
            if (Array.IndexOf(k, candidate) >= 0)
            {
                return true;
            }
        }
        return false;
    }

    /// <summary>
    /// Returns the token following the first occurrence of <paramref name="s"/> or
    /// <paramref name="l"/> in <paramref name="a"/>; null when neither is present or the
    /// match is the last token (no value follows it).
    /// </summary>
    static string GetArg(string[] a, string s, string l)
    {
        int lastIndexWithValue = a.Length - 2;
        for (int i = 0; i <= lastIndexWithValue; i++)
        {
            bool matches = a[i] == s || a[i] == l;
            if (matches)
            {
                return a[i + 1];
            }
        }
        return null;
    }

    /// <summary>Prints the option summary to stdout.</summary>
    static void Help()
    {
        Console.WriteLine("Options:");
        Console.WriteLine("-l, --list <file>");
        Console.WriteLine("-p, --payload <file>");
        Console.WriteLine("-h, --help");
    }
}