Automating SQL injection analysis with PHP, sqlmap, Gearman

December 23, 2013 MySQL, PHP As Is, PHP Recipes

If you work in web development, you certainly know about SQL injection attacks. There is also a well-known xkcd joke about it:

Little Bobby Tables

There is a tool for automating SQL injection discovery called sqlmap; you can find it on GitHub.

All information in this article is ONLY for educational purposes. Neither LAMPDev nor the author of this article is responsible for any damage caused by third parties to any site using the techniques explained here!

Now assume you have a list of URLs to check for various SQL injection attacks. Something like:

If you run sqlmap against every URL manually, it will take ages. Can we automate it? In order to do so, we will need a machine (ideally Linux based, but I did it all on Win7 + a VirtualBox Ubuntu image) with the following software installed:

  • PHP 5 with the Gearman extension and the PDO_MySQL driver
  • MySQL
  • Gearman server (gearmand)
  • Python (sqlmap is written in it)
  • sqlmap

Optionally,

  • supervisord, if you need to launch a certain number of Gearman workers and respawn them automatically
  • git, if you want to clone the sqlmap project from GitHub instead of downloading and unpacking a .zip/.tar.gz

Let's get started with PHP, MySQL and importing our initial URL list. I won't explain the PHP and MySQL installation; let's assume they are both installed.

Below is the database table structure for storing the URLs we're going to audit.

You can download this structure as a .sql file together with sample data here.

Now we need to install sqlmap itself. You can do it by cloning the sqlmap repo onto your local machine:


Install Python. On *nix, just use your package manager, e.g. apt on Debian/Ubuntu:

Or if you're running Windows, there is a win32 version of it. I think we need the 2.7 branch; I remember having issues with Python 3 and sqlmap. Download it here. Once you're done you may launch sqlmap against a URL to test whether it works.

If it starts checking the URL, you're done with the steps above.

Since sqlmap has a --batch option (it answers all of sqlmap's interactive questions with the defaults, so no terminal is needed), we're now theoretically ready to launch it against the whole table of URLs we created above. In PHP we would loop through the processed = 0 rows, launch sqlmap with each row's URL and update the output and payload columns with sqlmap's output. This can be done with popen()/pclose() or proc_open()/proc_terminate()/proc_close(). Whichever you use, pass the URL through escapeshellarg(): it comes from your own table, but it is still untrusted input, and a URL containing a quote or a semicolon would otherwise turn into a shell command executed by your scanner. BUT what if we want to launch this task asynchronously for every URL? We don't want to wait for sqlmap to finish with one row before moving on to the next; we want the task to run on 10-20 rows at a time, so we need a queue. This is where Gearman comes into action.

Gearman is a daemon that listens on a port and accepts tasks from clients. On the other side there are Gearman worker scripts, launched and waiting for tasks to arrive. So in our case:

  • Gearman client – a PHP script that fetches ALL processed = 0 rows and, looping over them, sends one task per row to the Gearman server
  • Task – a row from the sites DB table
  • Worker script – a script that waits for a task (a row from sites), actually launches sqlmap, collects its output and saves it to the sites table

One of the killer features of Gearman is that workers and clients can be written in different programming languages: it is a server + a protocol + client libraries for many languages. The protocol is a plain-text, telnet-like one, so you can debug it by connecting to the gearmand server and sending commands to it from your shell. Note that it is also unauthenticated: anyone who can reach the port can submit jobs, which in this setup means making your workers run sqlmap against URLs of their choosing, so bind gearmand to localhost or firewall the port. In this example we will code both client and workers in PHP.

So, install the Gearman server. If you're under *nix and using the apt package manager, just run:

If you're under Windows you have two options: either try to compile it in Cygwin or install a Java-coded server from here. Note that in the case of Cygwin you will need libevent1-devel installed (there is a Cygwin package). Also note that I tried to compile it this way, but I ran into trouble with the -L and -I options of the C++ compiler. For example, it could not find the libtest/yatlcon.h header, even though it was there. I read in the Gearman mailing list that its developers haven't yet created a configure for Cygwin.

After we're done with the Gearman server, we need to install the PHP extension. It can be done with the PECL installer, basically:

You will need make, autoconf, gcc, libgearman and, I think, the PHP headers for your PHP version installed to compile this PECL extension.

Let's see what a worker script may look like. I will put comments before certain lines:
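Here is a worker that does what the two passages above describe: it waits for a job carrying a sites row, runs sqlmap on the row's URL through proc_open() and stores the result. This is an added example, not the article's own worker script. The gearmand address 127.0.0.1:4730, the database name and credentials, the /opt/sqlmap path, the job name sqlmap_scan and the 1800-second timeout are assumptions to adjust to your setup, and the "Payload:" regex relies on the way sqlmap prints confirmed injections in its end-of-run summary.

```php
<?php
// worker.php: a Gearman worker that runs sqlmap against one URL per job.
// Added example, not the original article's worker script. Assumed values
// (change to match your setup): gearmand on 127.0.0.1:4730, database "audit"
// with user/password "audit"/"secret", sqlmap checked out in /opt/sqlmap, and a
// "sites" table with columns id, url, processed, output, payload.

define('SQLMAP', '/opt/sqlmap/sqlmap.py');   // assumed path; article uses the Python 2.7 branch
define('SQLMAP_TIMEOUT', 1800);               // seconds per URL before we kill sqlmap
define('JOB_NAME', 'sqlmap_scan');            // must match the client script

function db()
{
    static $pdo = null;
    if ($pdo === null) {
        $pdo = new PDO('mysql:host=127.0.0.1;dbname=audit;charset=utf8', 'audit', 'secret');
        $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    }
    return $pdo;
}

// Run sqlmap in batch mode and return everything it printed (stdout + stderr).
// The URL comes from the database, i.e. from an untrusted list, so it must never
// be pasted into the command line unescaped: escapeshellarg() is what keeps a
// URL like "http://x/?a=1;rm -rf /" from becoming a command injection in our own tool.
function run_sqlmap($url)
{
    $cmd  = 'python ' . escapeshellarg(SQLMAP) . ' -u ' . escapeshellarg($url) . ' --batch 2>&1';
    $spec = array(0 => array('pipe', 'r'), 1 => array('pipe', 'w'));
    $proc = proc_open($cmd, $spec, $pipes);
    if (!is_resource($proc)) {
        return '[worker] proc_open() failed';
    }
    fclose($pipes[0]);
    stream_set_blocking($pipes[1], false);

    $output   = '';
    $deadline = time() + SQLMAP_TIMEOUT;
    while (true) {
        $chunk = fread($pipes[1], 8192);
        if ($chunk !== false && $chunk !== '') {
            $output .= $chunk;
            continue;
        }
        $status = proc_get_status($proc);
        if (!$status['running']) {
            break;
        }
        if (time() > $deadline) {
            proc_terminate($proc, 9); // SIGKILL: a hung target must not pin a worker forever
            $output .= "\n[worker] sqlmap killed after " . SQLMAP_TIMEOUT . "s";
            break;
        }
        usleep(200000);
    }
    while (($chunk = fread($pipes[1], 8192)) !== false && $chunk !== '') {
        $output .= $chunk; // drain what sqlmap wrote just before exiting
    }
    fclose($pipes[1]);
    proc_close($proc);
    return $output;
}

// Job handler. The workload is the JSON-encoded row sent by the client.
function sqlmap_scan(GearmanJob $job)
{
    $row = json_decode($job->workload(), true);
    if (!is_array($row) || !isset($row['id'], $row['url'])) {
        return 'bad workload';
    }
    // Only scan http(s) URLs; anything else in the list is either a mistake or an
    // attempt to point the scanner somewhere it should not go (file://, gopher://, ...).
    $scheme = strtolower((string) parse_url($row['url'], PHP_URL_SCHEME));
    if (filter_var($row['url'], FILTER_VALIDATE_URL) === false || !in_array($scheme, array('http', 'https'))) {
        $skip = db()->prepare('UPDATE sites SET processed = 1, output = :o WHERE id = :id');
        $skip->execute(array(':o' => '[worker] skipped: not an http(s) URL', ':id' => (int) $row['id']));
        return 'skipped';
    }

    $output = run_sqlmap($row['url']);
    // sqlmap summarises a confirmed injection in lines like "    Payload: id=1 AND 1=1";
    // collect them so the payload column answers "injectable, and how?" at a glance.
    preg_match_all('/^\s*Payload:\s*(.+)$/m', $output, $m);
    $payload = implode("\n", $m[1]);

    $stmt = db()->prepare('UPDATE sites SET processed = 1, output = :o, payload = :p WHERE id = :id');
    $stmt->execute(array(':o' => $output, ':p' => $payload, ':id' => (int) $row['id']));
    return $payload === '' ? 'clean' : 'injectable';
}

$worker = new GearmanWorker();
$worker->addServer('127.0.0.1', 4730);
$worker->addFunction(JOB_NAME, 'sqlmap_scan');
while ($worker->work()) {
    if ($worker->returnCode() !== GEARMAN_SUCCESS) {
        fwrite(STDERR, 'gearman error: ' . $worker->error() . "\n");
        break; // exit and let supervisord respawn us instead of spinning on an error
    }
}
```

Run it as `php worker.php`; it blocks in $worker->work() and is meant to be kept alive by supervisord. The two defensive checks, the scheme whitelist and escapeshellarg(), are there because the url column is the one thing in this pipeline an outsider can influence (it is a list you collected from somewhere); without them the scanner itself becomes the injection point. The timeout matters for the same reason a queue does: one target that never answers would otherwise hold a worker forever.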

The client script is much simpler:
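And the matching client, again an added example rather than the article's script, with the same assumed database and gearmand settings and the same sqlmap_scan job name. The processed = 2 "queued" marker is my own addition to the article's 0/1 convention, so that running the script twice does not queue a URL twice; if your table only uses 0 and 1, drop that UPDATE and rely on the unique key alone.

```php
<?php
// client.php: queue one sqlmap job per unprocessed row. Added example, not the
// article's client script; same assumed database/gearmand settings as the worker.

define('JOB_NAME', 'sqlmap_scan'); // must match the worker script

$pdo = new PDO('mysql:host=127.0.0.1;dbname=audit;charset=utf8', 'audit', 'secret');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

$client = new GearmanClient();
$client->addServer('127.0.0.1', 4730);

// processed: 0 = never queued, 2 = queued (our own marker, so that running this
// script twice does not queue the same URL twice), 1 = finished by a worker.
$rows = $pdo->query('SELECT id, url FROM sites WHERE processed = 0')->fetchAll(PDO::FETCH_ASSOC);
$mark = $pdo->prepare('UPDATE sites SET processed = 2 WHERE id = :id AND processed = 0');

$queued = 0;
foreach ($rows as $row) {
    // Background job: the call returns as soon as gearmand has accepted it, so
    // this loop finishes in seconds even for thousands of URLs. The third argument
    // is the job's "unique" key: gearmand coalesces submissions with the same key
    // while one is still queued or running.
    $client->doBackground(JOB_NAME, json_encode($row), 'site-' . $row['id']);
    if ($client->returnCode() !== GEARMAN_SUCCESS) {
        fwrite(STDERR, "could not queue site {$row['id']}: " . $client->error() . "\n");
        continue;
    }
    $mark->execute(array(':id' => $row['id']));
    $queued++;
}
echo "queued $queued job(s)\n";
```

Nothing in the client touches sqlmap: its only job is to hand rows to gearmand and record that it did so, which is what lets you start 10 or 20 workers and have the table drain in parallel.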

Now we need to launch a few Gearman workers. We obviously want to run, and keep running, several of them, say 10, and we want them respawned automatically if one or more are terminated for some reason. This can be done with the supervisor daemon.

Personally, I configured it the way this guy replied. So:

The init.d script is here.

Once copied, you may want to add it to the autostart scripts:

I just had to add this option, as I have more than one worker.

So the config entry of supervisor would look like:

Now we are done; start supervisor:

You may verify that the PHP workers are running with:

Now just run the client script:

and check whether it has started by looking at the sites table in the database.
