Beefy Boxes and Bandwidth Generously Provided by pair Networks
go ahead... be a heretic

Comment on

( #3333=superdoc: print w/replies, xml ) Need Help??

This is a quick and dirty PPI hack I threw together, but it attempts to spider through your codebase and look for SQL injection attacks. It returns some false positives, but that's better than false negatives. It could use some work, particularly since identifying something as SQL is difficult.

#!/usr/local/bin/perl use strict; use warnings; use File::Find::Rule; use PPI; my $extensions = join '|' => qw(pm pl cgi); my @files = File::Find::Rule->file->name(qr/\.(?:$extensions)$/)->in(' +.'); $| = 1; my $files = @files; my $count = 1; my $bad_files = 0; my $total_attacks = 0; foreach my $file (@files) { warn "Processing ($file) $count out of $files\n"; $count++; my $quotes = extract_quotes($file); my $injections = find_injections($quotes); if (@$injections) { $bad_files++; $total_attacks += @$injections; my $possibles = join "\n--\n\t" => @$injections; print "\nFile $file might have injection attacks:\n\n\t$possib +les\n"; } } print <<"END_SUMMARY"; Summary ------- Out of $files files analyzed: $bad_files file(s) might have SQL injection attacks. $total_attacks attack(s) may have been present. END_SUMMARY sub find_injections { my $quotes = shift; my @injections; foreach my $quote (@$quotes) { next unless $quote =~ /^\s*(?:select|insert|update|delete)/i; if ( $quote =~ /=\s*'?[\$\@]/ ) { # won't catch interpolated field names push @injections => $quote; } } return \@injections; } sub extract_quotes { my $file = shift; my $doc = PPI::Document->new( $file, readonly => 1 ); unless ($doc) { warn "Could not create a document for ($file). Skipping"; return []; } return [ map { $_->can('string') ? $_->string : $_->heredoc } @{ $doc->find('Token::Quote') || [] }, @{ $doc->find('Token::HereDoc') || [] } ]; } sub slurp { my $file = shift; open my $fh, '<', $file or die "Cannot open ($file) for reading: $ +!"; local $/; my $contents = <$fh>; return $contents; }


New address of my CGI Course.

In reply to Use PPI to Find SQL Injection Attacks by Ovid

Use:  <p> text here (a paragraph) </p>
and:  <code> code here </code>
to format your post; it's "PerlMonks-approved HTML":

  • Posts are HTML formatted. Put <p> </p> tags around your paragraphs. Put <code> </code> tags around your code and data!
  • Titles consisting of a single word are discouraged, and in most cases are disallowed outright.
  • Read Where should I post X? if you're not absolutely sure you're posting in the right place.
  • Please read these before you post! —
  • Posts may use any of the Perl Monks Approved HTML tags:
    a, abbr, b, big, blockquote, br, caption, center, col, colgroup, dd, del, div, dl, dt, em, font, h1, h2, h3, h4, h5, h6, hr, i, ins, li, ol, p, pre, readmore, small, span, spoiler, strike, strong, sub, sup, table, tbody, td, tfoot, th, thead, tr, tt, u, ul, wbr
  • You may need to use entities for some characters, as follows. (Exception: Within code tags, you can put the characters literally.)
            For:     Use:
    & &amp;
    < &lt;
    > &gt;
    [ &#91;
    ] &#93;
  • Link using PerlMonks shortcuts! What shortcuts can I use for linking?
  • See Writeup Formatting Tips and other pages linked from there for more info.
  • Log In?

    What's my password?
    Create A New User
    and all is quiet...

    How do I use this? | Other CB clients
    Other Users?
    Others romping around the Monastery: (5)
    As of 2018-05-24 16:58 GMT
    Find Nodes?
      Voting Booth?