Beefy Boxes and Bandwidth Generously Provided by pair Networks
No such thing as a small change
 
PerlMonks  

Comment on

( #3333=superdoc: print w/ replies, xml ) Need Help??

This is a quick and dirty PPI hack I threw together, but it attempts to spider through your codebase and look for SQL injection attacks. It returns some false positives, but that's better than false negatives. It could use some work, particularly since identifying something as SQL is difficult.

#!/usr/local/bin/perl use strict; use warnings; use File::Find::Rule; use PPI; my $extensions = join '|' => qw(pm pl cgi); my @files = File::Find::Rule->file->name(qr/\.(?:$extensions)$/)->in(' +.'); $| = 1; my $files = @files; my $count = 1; my $bad_files = 0; my $total_attacks = 0; foreach my $file (@files) { warn "Processing ($file) $count out of $files\n"; $count++; my $quotes = extract_quotes($file); my $injections = find_injections($quotes); if (@$injections) { $bad_files++; $total_attacks += @$injections; my $possibles = join "\n--\n\t" => @$injections; print "\nFile $file might have injection attacks:\n\n\t$possib +les\n"; } } print <<"END_SUMMARY"; Summary ------- Out of $files files analyzed: $bad_files file(s) might have SQL injection attacks. $total_attacks attack(s) may have been present. END_SUMMARY sub find_injections { my $quotes = shift; my @injections; foreach my $quote (@$quotes) { next unless $quote =~ /^\s*(?:select|insert|update|delete)/i; if ( $quote =~ /=\s*'?[\$\@]/ ) { # won't catch interpolated field names push @injections => $quote; } } return \@injections; } sub extract_quotes { my $file = shift; my $doc = PPI::Document->new( $file, readonly => 1 ); unless ($doc) { warn "Could not create a document for ($file). Skipping"; return []; } return [ map { $_->can('string') ? $_->string : $_->heredoc } @{ $doc->find('Token::Quote') || [] }, @{ $doc->find('Token::HereDoc') || [] } ]; } sub slurp { my $file = shift; open my $fh, '<', $file or die "Cannot open ($file) for reading: $ +!"; local $/; my $contents = <$fh>; return $contents; }

Cheers,
Ovid

New address of my CGI Course.


In reply to Use PPI to Find SQL Injection Attacks by Ovid

Title:
Use:  <p> text here (a paragraph) </p>
and:  <code> code here </code>
to format your post; it's "PerlMonks-approved HTML":



  • Posts are HTML formatted. Put <p> </p> tags around your paragraphs. Put <code> </code> tags around your code and data!
  • Read Where should I post X? if you're not absolutely sure you're posting in the right place.
  • Please read these before you post! —
  • Posts may use any of the Perl Monks Approved HTML tags:
    a, abbr, b, big, blockquote, br, caption, center, col, colgroup, dd, del, div, dl, dt, em, font, h1, h2, h3, h4, h5, h6, hr, i, ins, li, ol, p, pre, readmore, small, span, spoiler, strike, strong, sub, sup, table, tbody, td, tfoot, th, thead, tr, tt, u, ul, wbr
  • Outside of code tags, you may need to use entities for some characters:
            For:     Use:
    & &amp;
    < &lt;
    > &gt;
    [ &#91;
    ] &#93;
  • Link using PerlMonks shortcuts! What shortcuts can I use for linking?
  • See Writeup Formatting Tips and other pages linked from there for more info.
  • Log In?
    Username:
    Password:

    What's my password?
    Create A New User
    Chatterbox?
    and the web crawler heard nothing...

    How do I use this? | Other CB clients
    Other Users?
    Others having an uproarious good time at the Monastery: (14)
    As of 2014-08-21 15:40 GMT
    Sections?
    Information?
    Find Nodes?
    Leftovers?
      Voting Booth?

      The best computer themed movie is:











      Results (136 votes), past polls