added sql injection scanner tutorial

Author: x4nth055

ethical-hacking/sql-injection-detector/README.md

@@ -0,0 +1,12 @@
+# [How to Build a SQL Injection Scanner in Python](https://www.thepythoncode.com/code/sql-injection-vulnerability-detector-in-python)
+To run this:
+- `pip3 install -r requirements.txt`
+- Provide the URL in the command line arguments, as follows:
+    ```
+    python sql_injection_detector.py http://testphp.vulnweb.com/artists.php?artist=1
+    ```
+    **Output:**
+    ```
+    [!] Trying http://testphp.vulnweb.com/artists.php?artist=1"
+    [+] SQL Injection vulnerability detected, link: http://testphp.vulnweb.com/artists.php?artist=1"
+    ```

ethical-hacking/sql-injection-detector/page.html

@@ -0,0 +1 @@
+<pre>You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ''''' at line 1</pre>

ethical-hacking/sql-injection-detector/requirements.txt

@@ -0,0 +1,2 @@
+requests
+bs4

ethical-hacking/sql-injection-detector/sql_injection_detector.py

@@ -0,0 +1,127 @@
+import requests
+# import re # uncomment this for DVWA
+from bs4 import BeautifulSoup as bs
+from urllib.parse import urljoin
+from pprint import pprint
+
+s = requests.Session()
+s.headers["User-Agent"] = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.106 Safari/537.36"
+
+# below code is for logging to your local DVWA
+# uncomment it if you want to use this on DVWA
+# login_payload = {
+#     "username": "admin",
+#     "password": "password",
+#     "Login": "Login",
+# }
+# # change URL to the login page of your DVWA login URL
+# login_url = "http://localhost:8080/DVWA-master/login.php"
+
+# # login
+# r = s.get(login_url)
+# token = re.search("user_token'\s*value='(.*?)'", r.text).group(1)
+# login_payload['user_token'] = token
+# s.post(login_url, data=login_payload)
+
+
+def get_all_forms(url):
+    """Given a `url`, it returns all forms from the HTML content"""
+    soup = bs(s.get(url).content, "html.parser")
+    return soup.find_all("form")
+
+
+def get_form_details(form):
+    """
+    This function extracts all possible useful information about an HTML `form`
+    """
+    details = {}
+    # get the form action (target url)
+    try:
+        action = form.attrs.get("action").lower()
+    except:
+        action = None
+    # get the form method (POST, GET, etc.)
+    method = form.attrs.get("method", "get").lower()
+    # get all the input details such as type and name
+    inputs = []
+    for input_tag in form.find_all("input"):
+        input_type = input_tag.attrs.get("type", "text")
+        input_name = input_tag.attrs.get("name")
+        input_value = input_tag.attrs.get("value", "")
+        inputs.append({"type": input_type, "name": input_name, "value": input_value})
+    # put everything to the resulting dictionary
+    details["action"] = action
+    details["method"] = method
+    details["inputs"] = inputs
+    return details
+
+
+def is_vulnerable(response):
+    """A simple boolean function that determines whether a page 
+    is SQL Injection vulnerable from its `response`"""
+    errors = {
+        # MySQL
+        "you have an error in your sql syntax;",
+        "warning: mysql",
+        # SQL Server
+        "unclosed quotation mark after the character string",
+        # Oracle
+        "quoted string not properly terminated",
+    }
+    for error in errors:
+        # if you find one of these errors, return True
+        if error in response.content.decode().lower():
+            return True
+    # no error detected
+    return False
+
+
+def scan_sql_injection(url):
+    # test on URL
+    for c in "\"'":
+        # add quote/double quote character to the URL
+        new_url = f"{url}{c}"
+        print("[!] Trying", new_url)
+        # make the HTTP request
+        res = s.get(new_url)
+        if is_vulnerable(res):
+            # SQL Injection detected on the URL itself, 
+            # no need to preceed for extracting forms and submitting them
+            print("[+] SQL Injection vulnerability detected, link:", new_url)
+            return
+    # test on HTML forms
+    forms = get_all_forms(url)
+    print(f"[+] Detected {len(forms)} forms on {url}.")
+    for form in forms:
+        form_details = get_form_details(form)
+        for c in "\"'":
+            # the data body we want to submit
+            data = {}
+            for input_tag in form_details["inputs"]:
+                if input_tag["value"] or input_tag["type"] == "hidden":
+                    # any input form that has some value or hidden,
+                    # just use it in the form body
+                    try:
+                        data[input_tag["name"]] = input_tag["value"] + c
+                    except:
+                        pass
+                elif input_tag["type"] != "submit":
+                    # all others except submit, use some junk data with special character
+                    data[input_tag["name"]] = f"test{c}"
+            # join the url with the action (form request URL)
+            url = urljoin(url, form_details["action"])
+            if form_details["method"] == "post":
+                res = s.post(url, data=data)
+            elif form_details["method"] == "get":
+                res = s.get(url, params=data)
+            # test whether the resulting page is vulnerable
+            if is_vulnerable(res):
+                print("[+] SQL Injection vulnerability detected, link:", url)
+                print("[+] Form:")
+                pprint(form_details)
+                break   
+
+if __name__ == "__main__":
+    import sys
+    url = sys.argv[1]
+    scan_sql_injection(url)