```ruby
#!/usr/bin/env ruby
# Runs wapiti against a host, pulls the SQL injection findings out of its XML
# report and hands each one to sqlmap.
require 'securerandom'      # stdlib; the original loaded it via active_support/secure_random
require 'shellwords'
require 'rexml/document'

wapiti_path = '/home/bperry/tools/wapiti/trunk/src/'
sqlmap_path = '/home/bperry/tools/sqlmap/'
wapiti_report_path = '/tmp/wapiti_report_' + SecureRandom.uuid + '.xml'
remote_host = ARGV[0]
abort "usage: #{$0} <url>" if remote_host.nil?

# Marker wapiti leaves in the value of the parameter it found injectable.
MARKER = '%BF%27%22%28'

p "Running wapiti..."
`#{wapiti_path}wapiti.py #{Shellwords.escape(remote_host)} -f xml -o #{wapiti_report_path}`
p "Report saved to #{wapiti_report_path}"

p "Parsing results"
results = []
doc = REXML::Document.new(File.read(wapiti_report_path, mode: 'rb'))
doc.elements.each('/report/bugTypeList/bugType') do |element|
  bug_type = element.attributes["name"]
  next if bug_type != "SQL Injection"
  p "Parsing " + bug_type
  element.elements.each("bugList/bug") do |bug|
    result = { type: bug_type }
    bug.elements.each do |child|
      if child.name == "url"
        result[:url] = child.text
      elsif child.name == "parameter"
        result[:parameter] = child.text
      end
    end
    results << result
  end
end

# Parameter names that do not carry the marker are handed to sqlmap's --skip,
# so only the parameter wapiti flagged gets tested.
def skipped_params(query)
  query.to_s.split("&").reject { |param| param.index(MARKER) }.map { |param| param.split("=")[0] }
end

results.each do |result|
  next if result[:type] !~ /SQL Injection/
  p "Running sqlmap"
  if result[:url].index(result[:parameter])
    # Injection point sits in the query string: GET request.
    url = result[:url].gsub(MARKER, "abcd")
    skipped = skipped_params(result[:url].split("?")[1])
    p "Running GET sql injection test on url: " + url
    sqlmap_command = "#{sqlmap_path}sqlmap.py -u \"#{url}\" --smart --skip=\"#{skipped.join(",")}\" --technique=EUS --flush-session --fresh-queries --level=2 --batch"
    puts `#{sqlmap_command}`   # puts, not printf: sqlmap output may contain '%'
  else
    # Injection point sits in the request body: POST request.
    url = result[:url]
    p "Running POST sql injection test on url: " + url
    p "With data: " + result[:parameter]
    parameter = result[:parameter].gsub(MARKER, "abcd")
    skipped = skipped_params(result[:parameter])
    sqlmap_command = "#{sqlmap_path}sqlmap.py -u \"#{url}\" --data=\"#{parameter}\" --skip=\"#{skipped.join(",")}\" --smart --technique=EUS --flush-session --fresh-queries --level=2 --batch"
    p sqlmap_command
    puts `#{sqlmap_command}`
  end
end
```
Sunday, May 20, 2012
Automating SQLMap with data from wapiti
Wapiti is really fast at finding possible SQL injection points in a web application or website. SQLMap is great at figuring out how to exploit these possible injection points. The script at the top of this page runs Wapiti on a host to find possible injection points, then passes that data to SQLMap to try to exploit them. Tested on BadStore, running the latest SVN of both Wapiti and SQLMap. You can play around with the arguments I am passing to SQLMap to make the scans a bit more thorough, at the expense of speed.
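To see what the script actually extracts from a wapiti report before anything is handed to sqlmap, here is the parsing half on its own, as an added example that is not part of the original post. The report below is constructed in the shape the script expects (`/report/bugTypeList/bugType/bugList/bug`) with hostnames that are placeholders; the marker string and the GET/POST rule are the ones the script uses.

```ruby
require 'rexml/document'

# Marker wapiti leaves in the value of the parameter it found injectable (from the script above).
WAPITI_MARKER = '%BF%27%22%28'

# Constructed report in the shape the script expects: /report/bugTypeList/bugType/bugList/bug.
SAMPLE_REPORT = <<~XML
  <report><bugTypeList>
    <bugType name="SQL Injection"><bugList>
      <bug>
        <url>http://badstore.example/cgi-bin/badstore.cgi?searchquery=%BF%27%22%28&amp;action=search</url>
        <parameter>searchquery=%BF%27%22%28&amp;action=search</parameter>
      </bug>
      <bug>
        <url>http://badstore.example/cgi-bin/badstore.cgi?action=login</url>
        <parameter>email=%BF%27%22%28&amp;passwd=x&amp;action=login</parameter>
      </bug>
    </bugList></bugType>
    <bugType name="Cross Site Scripting"><bugList>
      <bug><url>http://badstore.example/?q=x</url><parameter>q=x</parameter></bug>
    </bugList></bugType>
  </bugTypeList></report>
XML

# One hash per SQL injection finding, classified the way the script does it:
# GET when the parameter string is part of the URL, POST otherwise. :injected
# holds the parameter names carrying the marker, :skipped the ones without it
# (the script passes those to sqlmap's --skip so only the flagged one is tested).
def parse_wapiti_sqli(xml)
  findings = []
  REXML::Document.new(xml).elements.each('/report/bugTypeList/bugType') do |bt|
    next unless bt.attributes['name'] == 'SQL Injection'
    bt.elements.each('bugList/bug') do |bug|
      url = bug.elements['url'].text
      param = bug.elements['parameter'].text
      names = param.split('&').map { |kv| [kv.split('=', 2)[0], kv.include?(WAPITI_MARKER)] }
      findings << {
        url: url.gsub(WAPITI_MARKER, 'abcd'),
        method: url.include?(param) ? :get : :post,
        injected: names.select { |_, hit| hit }.map(&:first),
        skipped: names.reject { |_, hit| hit }.map(&:first)
      }
    end
  end
  findings
end
```

Running `parse_wapiti_sqli(SAMPLE_REPORT)` yields one GET finding on `searchquery` and one POST finding on `email`; the XSS entry is ignored, exactly as the script's `next if bug_type != "SQL Injection"` does.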
Monday, May 7, 2012
Simple CVE stats from 2001-2011
Per year: the number of vulnerabilities recorded, the count per CWE type, and the total and percentage of vulnerabilities that carry a CWE at all.

| Type | 2001 | 2002 | 2003 | 2004 | 2005 | 2006 | 2007 | 2008 | 2009 | 2010 | 2011 |
|---|---|---|---|---|---|---|---|---|---|---|---|
| Vulnerabilities in year | 1538 | 2368 | 1515 | 2669 | 4684 | 7043 | 6505 | 7031 | 4848 | 4696 | 3733 |
| Buffer Errors | 8 | 41 | 59 | 30 | 64 | 145 | 451 | 582 | 558 | 536 | 648 |
| Cross-Site Scripting | 0 | 32 | 40 | 20 | 28 | 87 | 366 | 981 | 734 | 566 | 367 |
| SQL Injection | 0 | 7 | 12 | 8 | 48 | 84 | 263 | 1480 | 673 | 578 | 107 |
| Code Injection | 2 | 8 | 13 | 6 | 20 | 199 | 296 | 385 | 266 | 248 | 92 |
| Input Validation | 2 | 29 | 30 | 9 | 21 | 63 | 228 | 467 | 247 | 299 | 372 |
| Permissions, Privileges, and Access Control | 2 | 32 | 24 | 22 | 32 | 50 | 229 | 574 | 329 | 319 | 285 |
| Path Traversal | 4 | 13 | 17 | 9 | 10 | 21 | 164 | 447 | 245 | 256 | 91 |
| Resource Management Errors | 1 | 6 | 6 | 4 | 31 | 74 | 104 | 322 | 237 | 270 | 366 |
| Information Leak / Disclosure | 0 | 17 | 25 | 4 | 18 | 29 | 96 | 221 | 141 | 162 | 295 |
| Numeric Errors | 0 | 6 | 4 | 1 | 15 | 37 | 107 | 166 | 164 | 154 | 120 |
| Authentication Issues | 2 | 5 | 9 | 6 | 4 | 14 | 69 | 222 | 148 | 56 | 60 |
| Credentials Management | 0 | 8 | 9 | 6 | 2 | 5 | 24 | 69 | 56 | 51 | 32 |
| Cryptographic Issues | 4 | 3 | 8 | 3 | 3 | 8 | 19 | 61 | 86 | 62 | 57 |
| Cross-Site Request Forgery (CSRF) | 0 | 1 | 0 | 0 | 1 | 3 | 41 | 119 | 84 | 66 | 57 |
| Configuration | 0 | 9 | 12 | 5 | 3 | 6 | 36 | 41 | 47 | 21 | 34 |
| Link Following | 1 | 2 | 2 | 2 | 5 | 1 | 25 | 177 | 29 | 26 | 26 |
| Format String Vulnerability | 0 | 1 | 2 | 3 | 1 | 17 | 31 | 33 | 23 | 12 | 8 |
| Race Conditions | 0 | 2 | 2 | 2 | 2 | 7 | 18 | 25 | 32 | 33 | 14 |
| OS Command Injections | 0 | 1 | 0 | 1 | 1 | 2 | 6 | 12 | 11 | 12 | 13 |
| Total vulns with CWE | 26 | 223 | 274 | 141 | 309 | 852 | 2573 | 6384 | 4110 | 3727 | 3044 |
| Percentage of vulns with CWE | 1.69050715214564% | 9.41722972972973% | 18.0858085808581% | 5.28287748220307% | 6.59692570452605% | 12.0971177055232% | 39.554189085319% | 90.797895036268% | 84.7772277227723% | 79.3654173764906% | 81.5429949102599% |

Total: 49439

To be honest, I am a bit dismayed at the quality of the data. 2001 only categorized 1.7% of the vulns recorded (I am sure most, if not all, were added retroactively). The highest percentage of vulns that had been categorized was 90% in 2008. I find it interesting that the first few years are dominated by buffer overflows (perhaps because of poor data), and then around 2008 web vulns become the top recorded and categorized. Perhaps this is because of the vast number of new web technologies emerging. That is, until 2011, when buffer overflows are once again the most common.
I used the XML files from NIST, and the source code I used to generate the stats is on GitHub. It uses LINQ, so it isn't super speedy; it takes a few minutes. Works with Mono or .NET.
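The per-year numbers above reduce to one pass over the feed: count entries per year, count those carrying a CWE, and tally the CWE names. The example below is added here and is not the post's own (C#/LINQ) code; it assumes the NVD XML 2.0 feed shape (an `entry` per CVE with an optional `vuln:cwe` child and a `vuln:published-datetime`), the feed and CVE ids below are constructed placeholders, and the CWE id to name mapping is assumed from NVD's own CWE slice names, not taken from the post.

```ruby
require 'rexml/document'

# NVD's names for a few CWE ids (the post's type labels are NVD's CWE slice
# names); assumed mapping, not taken from the post or its code.
CWE_NAMES = { 'CWE-119' => 'Buffer Errors', 'CWE-79' => 'Cross-Site Scripting',
              'CWE-89' => 'SQL Injection', 'CWE-22' => 'Path Traversal' }

# Constructed feed in the NVD XML 2.0 shape (assumed): one entry per CVE with an
# optional vuln:cwe child and a vuln:published-datetime that gives the year.
SAMPLE_FEED = <<~XML
  <nvd xmlns="http://scap.nist.gov/schema/feed/vulnerability/2.0"
       xmlns:vuln="http://scap.nist.gov/schema/vulnerability/0.4">
    <entry id="CVE-2007-SAMPLE1"><vuln:cwe id="CWE-89"/>
      <vuln:published-datetime>2007-03-01T00:00:00.000-05:00</vuln:published-datetime></entry>
    <entry id="CVE-2007-SAMPLE2"><vuln:cwe id="CWE-79"/>
      <vuln:published-datetime>2007-06-01T00:00:00.000-05:00</vuln:published-datetime></entry>
    <entry id="CVE-2007-SAMPLE3">
      <vuln:published-datetime>2007-09-01T00:00:00.000-05:00</vuln:published-datetime></entry>
    <entry id="CVE-2011-SAMPLE1"><vuln:cwe id="CWE-119"/>
      <vuln:published-datetime>2011-02-01T00:00:00.000-05:00</vuln:published-datetime></entry>
    <entry id="CVE-2011-SAMPLE2"><vuln:cwe id="CWE-119"/>
      <vuln:published-datetime>2011-05-01T00:00:00.000-05:00</vuln:published-datetime></entry>
    <entry id="CVE-2011-SAMPLE3"><vuln:cwe id="CWE-999"/>
      <vuln:published-datetime>2011-08-01T00:00:00.000-05:00</vuln:published-datetime></entry>
  </nvd>
XML

# Per year: number of entries, number carrying a CWE, the percentage, and the
# per-type counts sorted the way the post prints them (largest first). Children
# are matched by local name so the namespace prefixes do not matter.
def cwe_stats(xml)
  stats = Hash.new { |h, y| h[y] = { total: 0, with_cwe: 0, types: Hash.new(0) } }
  REXML::Document.new(xml).root.each_element do |entry|
    next unless entry.name == 'entry'
    published = entry.elements.to_a.find { |c| c.name == 'published-datetime' }
    cwe = entry.elements.to_a.find { |c| c.name == 'cwe' }
    s = stats[published.text[0, 4].to_i]
    s[:total] += 1
    next unless cwe
    s[:with_cwe] += 1
    id = cwe.attributes['id']
    s[:types][CWE_NAMES.fetch(id, id)] += 1   # unknown ids keep their CWE number
  end
  stats.each_value do |s|
    s[:pct] = 100.0 * s[:with_cwe] / s[:total]
    s[:types] = s[:types].sort_by { |name, n| [-n, name] }.to_h
  end
  stats
end
```

An entry without a `vuln:cwe` child (the third 2007 entry) counts toward the year's total but not toward the CWE percentage, which is how the gap between "vulnerabilities in year" and "total vulns with CWE" in the table arises.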