Arachni nightlies 25-Sep-2016 cannot find SQL Injection
Created by: b1ngz
There is a URL which has SQL Injection with parameter id (GET method).
http://demo.aisec.cn/demo/aisec/ajax_link.php?id=1&t=0.49835766619071364
It's detected when I use Arachni arachni-1.4-0.5.10.
command:
./bin/arachni "http://demo.aisec.cn/demo/aisec/ajax_link.php?id=1&t=0.49835766619071364" --scope-include-pattern="demo/aisec" --scope-page-limit=1 --checks=sql* --report-save-path=single.afr --output-debug 4> debug.log
[+] Web Application Security Report - Arachni Framework
[~] Report generated on: 2016-09-26 11:13:21 +0800
[~] Report false positives at: http://github.com/Arachni/arachni/issues
[+] System settings:
[~] ---------------
[~] Version: 1.4
[~] Audit started on: 2016-09-26 11:13:13 +0800
[~] Audit finished on: 2016-09-26 11:13:21 +0800
[~] Runtime: 00:00:07
[~] URL: http://demo.aisec.cn/demo/aisec/ajax_link.php?id=1&t=0.49835766619071364
[~] User agent: Arachni/v1.4
[*] Audited elements:
[~] * Links
[~] * Forms
[~] * Cookies
[~] * XMLs
[~] * JSONs
[~] * UI inputs
[~] * UI forms
[*] Checks: sql_injection, sql_injection_timing, sql_injection_differential
[*] Filters:
[~] Include:
[~] (?i-mx:demo\/aisec)
[~] ===========================
[+] 1 issues were detected.
[+] [1] Blind SQL Injection (differential analysis) (Trusted)
[~] ~~~~~~~~~~~~~~~~~~~~
[~] Digest: 3010151861
[~] Severity: High
[~] Description:
[~]
Due to the requirement for dynamic content of today's web applications, many
rely on a database backend to store data that will be called upon and processed
by the web application (or other programs).
Web applications retrieve data from the database by using Structured Query Language
(SQL) queries.
To meet demands of many developers, database servers (such as MSSQL, MySQL,
Oracle etc.) have additional built-in functionality that can allow extensive
control of the database and interaction with the host operating system itself.
An SQL injection occurs when a value originating from the client's request is used
within a SQL query without prior sanitisation. This could allow cyber-criminals
to execute arbitrary SQL code and steal data or use the additional functionality
of the database server to take control of more server components.
The successful exploitation of a SQL injection can be devastating to an
organisation and is one of the most commonly exploited web application vulnerabilities.
This injection was detected as Arachni was able to inject specific SQL queries,
that if vulnerable, result in the responses for each injection being different.
This is known as a blind SQL injection vulnerability.
[~] Tags: sql, blind, differential, injection, database
[~] CWE: http://cwe.mitre.org/data/definitions/89.html
[~] References:
[~] OWASP - https://www.owasp.org/index.php/Blind_SQL_Injection
[~] MITRE - CAPEC - http://capec.mitre.org/data/definitions/7.html
[~] WASC - http://projects.webappsec.org/w/page/13246963/SQL%20Injection
[~] W3 Schools - http://www.w3schools.com/sql/sql_injection.asp
[~] URL: http://demo.aisec.cn/demo/aisec/ajax_link.php
[~] Element: link
[~] All inputs: id, t
[~] Method: GET
[~] Input name: id
[~] Seed: "-1839 or 1=1"
[~] Injected: "-1839 or 1=1"
[~] Referring page: http://demo.aisec.cn/demo/aisec/ajax_link.php?id=1&t=0.49835766619071364
[~] Affected page: http://demo.aisec.cn/demo/aisec/ajax_link.php?id=-1839%20or%201=1&t=0.49835766619071364
[~] HTTP request
GET /demo/aisec/ajax_link.php?id=-1839%20or%201%3D1&t=0.49835766619071364 HTTP/1.1
Host: demo.aisec.cn
Accept-Encoding: gzip, deflate
User-Agent: Arachni/v1.4
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.8,he;q=0.6
[~] Remarks
[~] -------
[~] By differential_analysis:
[~] * True expression: -1839 or 1=1
[~] * False expression: -1839 or 1=2
[~] * Control false expression: -1839
[+] Plugin data:
[~] ---------------
[*] Health map
[~] ~~~~~~~~~~~~~~
[~] Description: Generates a simple list of safe/unsafe URLs.
[~] Legend:
[+] No issues
[-] Has issues
[-] http://demo.aisec.cn/demo/aisec/ajax_link.php
[~] Total: 1
[+] Without issues: 0
[-] With issues: 1 ( 100% )
[~] Report saved at: /root/software/arachni-1.4-0.5.10/single.afr [0.0MB]
[~] Audited 1 pages.
[~] Audit limited to a max of 1 pages.
[~] Duration: 00:00:08
[~] Processed 124/124 HTTP requests.
[~] -- 24.415 requests/second.
[~] Processed 0/0 browser jobs.
[~] -- 0.0 second/job.
[~] Currently auditing http://demo.aisec.cn/demo/aisec/ajax_link.php?id=1&t=0.49835766619071364
[~] Burst response time sum 23.062 seconds
[~] Burst response count 64
[~] Burst average response time 0.36 seconds
[~] Burst average 23.491 requests/second
[~] Timed-out requests 0
[~] Original max concurrency 20
[~] Throttled max concurrency 20
But when I use Arachni nightlies 25-Sep-2016 (2.0dev latest version) with the same command, it fails.
[+] Web Application Security Report - Arachni Framework
[~] Report generated on: 2016-09-26 11:16:19 +0800
[~] Report false positives at: http://github.com/Arachni/arachni/issues
[+] System settings:
[~] ---------------
[~] Version: 2.0dev
[~] Seed: 305c3b4fa701bfd22478c9517ebb9815
[~] Audit started on: 2016-09-26 11:16:13 +0800
[~] Audit finished on: 2016-09-26 11:16:19 +0800
[~] Runtime: 00:00:06
[~] URL: http://demo.aisec.cn/demo/aisec/ajax_link.php?id=1&t=0.49835766619071364
[~] User agent: Arachni/v2.0dev
[*] Audited elements:
[~] * Links
[~] * Forms
[~] * Cookies
[~] * XMLs
[~] * JSONs
[~] * UI inputs
[~] * UI forms
[*] Checks: sql_injection, sql_injection_timing, sql_injection_differential
[*] Filters:
[~] Include:
[~] (?i-mx:demo\/aisec)
[~] ===========================
[+] 0 issues were detected.
[+] Plugin data:
[~] ---------------
[*] Health map
[~] ~~~~~~~~~~~~~~
[~] Description: Generates a simple list of safe/unsafe URLs.
[~] Legend:
[+] No issues
[-] Has issues
[+] http://demo.aisec.cn/demo/aisec/ajax_link.php
[~] Total: 1
[+] Without issues: 1
[-] With issues: 0 ( 0% )
[~] Report saved at: /root/software/arachni-2.0-0925/single.afr [0.0MB]
[~] Audited 1 page snapshots.
[~] Audit limited to a max of 1 pages.
[~] Duration: 00:00:06
[~] Processed 84/84 HTTP requests.
[~] -- 33.426 requests/second.
[~] Processed 0/0 browser jobs.
[~] -- 0.0 second/job.
[~] Currently auditing http://demo.aisec.cn/demo/aisec/ajax_link.php?id=1&t=0.49835766619071364
[~] Burst response time sum 5.611 seconds
[~] Burst response count 24
[~] Burst average response time 0.234 seconds
[~] Burst average 18.197 requests/second
[~] Timed-out requests 0
[~] Original max concurrency 20
[~] Throttled max concurrency 20
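The 1.4 report above explains what the differential-analysis check looks for: a "true" expression (`-1839 or 1=1`), a "false" expression (`-1839 or 1=2`) and a control (`-1839`), where a vulnerable endpoint answers the false and control cases identically but the true case differently. The following is an added, self-contained example (not Arachni's code and not the ajax_link.php application) that reproduces that logic against two constructed stand-ins for the endpoint: one that concatenates `id` into the query, as the report's findings imply the demo page does, and one that validates and parameterises it. The in-memory SQLite table, the `links` schema and the handler functions are all assumptions made for the demonstration.

```python
import sqlite3

# Exactly the three expressions listed under "By differential_analysis" in the 1.4 report.
TRUE_EXPR = "-1839 or 1=1"
FALSE_EXPR = "-1839 or 1=2"
CONTROL_EXPR = "-1839"


def make_db():
    """Constructed in-memory stand-in for the demo site's backend table (assumption)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE links (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany(
        "INSERT INTO links VALUES (?, ?)",
        [(1, "home"), (2, "about"), (3, "contact")],
    )
    return conn


def render(rows):
    """Turn result rows into the response body a scanner would compare."""
    return "<ul>" + "".join(f"<li>{title}</li>" for (title,) in rows) + "</ul>"


def vulnerable_handler(conn, id_param):
    """Hypothetical handler that builds the query by string concatenation.

    Whatever is in `id` becomes part of the WHERE clause, so `-1839 or 1=1`
    matches every row while `-1839 or 1=2` and `-1839` match none.
    """
    rows = conn.execute(f"SELECT title FROM links WHERE id = {id_param}").fetchall()
    return render(rows)


def safe_handler(conn, id_param):
    """Hardened handler: enforce the expected type, then bind the value."""
    try:
        id_int = int(id_param)
    except ValueError:
        # Non-numeric input never reaches the database; respond like "no such id".
        return render([])
    rows = conn.execute("SELECT title FROM links WHERE id = ?", (id_int,)).fetchall()
    return render(rows)


def differential_analysis(handler, conn):
    """Blind SQLi check by differential analysis, as described in the report.

    Returns True when the response to the true expression differs from the
    response to the false expression, while the false expression behaves
    exactly like the control (a plain non-existent id). A control that does
    not match the false case means the page is not stable enough to judge.
    """
    true_body = handler(conn, TRUE_EXPR)
    false_body = handler(conn, FALSE_EXPR)
    control_body = handler(conn, CONTROL_EXPR)
    # Repeat the control to rule out a page that changes between requests.
    if handler(conn, CONTROL_EXPR) != control_body:
        return False
    return false_body == control_body and true_body != false_body


if __name__ == "__main__":
    for name, handler in (("concatenated", vulnerable_handler), ("parameterised", safe_handler)):
        verdict = differential_analysis(handler, make_db())
        print(f"{name:14s} -> {'Blind SQL Injection (differential)' if verdict else 'no issue'}")
```

Running it flags only the concatenating handler; the parameterised one returns the same body for all three expressions, so the check has nothing to distinguish. Real scanners add more than the single control repeat shown here (response normalisation, several rounds of each probe) before trusting a result, which is why the report marks the finding "(Trusted)" only after that extra verification.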