In order to automate the injection we must first discover the injection points. The injection points are the HTML form parameters (POST and GET parameters). To extract those parameters I used BeautifulSoup, which is a simple and effective HTML parser.
With BeautifulSoup it's easy to build applications that process web pages, such as a web scraper. You can get the parser from this website www.crummy.com/software/BeautifulSoup/download/3.x/BeautifulSoup-3.0.0.py. Change the name of the file to BeautifulSoup.py and then place it under the site-packages folder. For example, if you use Windows and Python 2.5, it should be under "C:\Python25\Lib\site-packages"; if you use Linux and Python 2.5, it should be under "/usr/lib/python2.5/site-packages".
The code:
import urllib2, sys
from BeautifulSoup import BeautifulSoup

if len(sys.argv) != 3:
    print "Usage: form_params.py [GET/POST] [url]"
    sys.exit(1)

method = sys.argv[1].lower()
address = sys.argv[2]
# drop a trailing slash so that relative form actions can be appended cleanly
if address.endswith('/'):
    address = address[:-1]

# load the html page into a string variable
html = urllib2.urlopen(address).read()
# load the string into a BeautifulSoup object
soup = BeautifulSoup(html)

# input types whose values are submitted with the form
INPUT_TYPES = ('text', 'password', 'hidden', 'radio')

def printParams(forms):
    # for each form tag in all form tags, do:
    for form in forms:
        print "-----------------------------------------------------------"
        if form.has_key('action'):
            if form['action'].find('://') == -1:
                # relative action: resolve it against the page address
                print "action: " + address + "/" + form['action'].strip('/')
            else:
                # absolute action: use it as it is
                print "action: " + form['action']
        else:
            # no action attribute: the form submits to the page itself
            print "action: " + address
        # a form without a method attribute submits with GET
        form_method = form.get('method', 'get').lower()
        if form_method != method:
            continue
        for form_input in form.findAll("input"):
            if form_input.has_key('type') and form_input['type'].lower() in INPUT_TYPES:
                # print the id when there is one, otherwise the name
                if form_input.has_key('id'):
                    print form_input['id']
                elif form_input.has_key('name'):
                    print form_input['name']

# find all occurrences of the form tag and send them to printParams
printParams(soup.findAll("form"))
You can also download the source file from here.
Usage: form_params.py method url
method: post or get
example: form_params.py post http://www.facebook.com
result:
-----------------------------------------------------------
action: http://www.facebook.com
charset_test
locale
non_com_login
email
pass
pass_placeholder
charset_test
lsd
-----------------------------------------------------------
action: http://www.facebook.com
charset_test
locale
terms
reg_instance
firstname
lastname
reg_email__
reg_passwd__
referrer
challenge
md5pass
captcha_persist_data
captcha_session
extra_challenge_params
captcha_response
-----------------------------------------------------------
action: http://www.facebook.com
locale
confirmation_email
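The same form-parameter extraction written for Python 3 with only the standard library, as an added example that is not code from the original post. It parses a constructed HTML snippet (SAMPLE_HTML, with the base URL http://www.example.com/ as an assumed input) instead of fetching a live page, so it runs offline. Two details that matter when the output is used to audit an application's input handling are made explicit: the form action is resolved with urllib.parse.urljoin so relative and absolute actions are both reported correctly, and only the name attribute is collected, because that is what the browser actually submits (an input with only an id is never sent). Forms without a method attribute default to GET, and select and textarea elements are included as parameters.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin

# Input types whose values are submitted with the form and are therefore
# worth listing as parameters (the post's list plus a few common ones).
SUBMITTED_TYPES = {"text", "password", "hidden", "radio", "checkbox",
                   "search", "email", "number"}


class FormParser(HTMLParser):
    """Collect every <form> with its resolved action, method and parameter names."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.forms = []
        self._current = None  # the form currently being read, if any

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)  # html.parser lowercases tag and attribute names
        if tag == "form":
            action = attrs.get("action") or ""
            self._current = {
                # urljoin handles "", "/login.php" and "https://..." alike
                "action": urljoin(self.base_url, action),
                # a form without a method attribute submits with GET
                "method": (attrs.get("method") or "get").lower(),
                "params": [],
            }
            self.forms.append(self._current)
        elif self._current is not None:
            name = attrs.get("name")
            if not name:
                return  # inputs without a name attribute are never submitted
            if tag == "input":
                itype = (attrs.get("type") or "text").lower()
                if itype in SUBMITTED_TYPES:
                    self._current["params"].append(name)
            elif tag in ("select", "textarea"):
                self._current["params"].append(name)

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def extract_forms(html, base_url, method=None):
    """Return the forms found in html; optionally only those using `method`."""
    parser = FormParser(base_url)
    parser.feed(html)
    parser.close()
    if method is None:
        return parser.forms
    return [f for f in parser.forms if f["method"] == method.lower()]


# Constructed sample page: a POST login form with a relative action and a
# GET search form with an absolute action on another host.
SAMPLE_HTML = """
<html><body>
<form action="/login.php" method="POST">
  <input type="hidden" name="lsd" value="x">
  <input type="text" name="email" id="email_field">
  <input type="password" name="pass">
  <input type="submit" value="Log in">
</form>
<form action="https://search.example.com/q">
  <input type="text" name="q">
  <select name="locale"><option>en</option></select>
  <input type="text" id="unnamed_only">
</form>
</body></html>
"""

if __name__ == "__main__":
    for form in extract_forms(SAMPLE_HTML, "http://www.example.com/"):
        print("-" * 59)
        print("action: %s (%s)" % (form["action"], form["method"].upper()))
        for name in form["params"]:
            print(name)
```

Run it as a script to see the two forms listed with their resolved actions; the unnamed text input in the second form is omitted, which is the behaviour a browser has when submitting it.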
-Herzel
HI,
Thanks very much for your post. Just wondering how you will use your GET functions for a SQL injection pen test.....
Doesn't seem to work.... ?