How to Build a SQL Injection Scanner in Python

Learn how to write a simple Python script to detect SQL Injection vulnerability on web applications using requests and BeautifulSoup in Python.
Abdou Rockikz · 6 min read · Updated jul 2020 · Ethical Hacking


SQL injection is a code injection technique that is used to execute SQL query via the user input data to the vulnerable web application. It is one of the most common and dangerous web hacking techniques.

A successful SQL injection exploit can cause a lot of harmful damage to the database and web application in general. For example, it can read sensitive data such as user passwords from the database, insert, modify and even delete data.

In this tutorial, you will learn how to build a simple Python script to detect SQL injection vulnerability in web applications.

Let's install required libraries for this tutorial:

pip3 install requests bs4

Let's import the necessary modules:

import requests
from bs4 import BeautifulSoup as bs
from urllib.parse import urljoin
from pprint import pprint

Since SQL injection is all about user inputs, we are going to need to extract web forms first. Luckily for us, I've already wrote a tutorial about extracting and filling forms in Python, we gonna need the below functions:

def get_all_forms(url):
    """Given a `url`, it returns all forms from the HTML content"""
    soup = bs(s.get(url).content, "html.parser")
    return soup.find_all("form")


def get_form_details(form):
    """
    This function extracts all possible useful information about an HTML `form`
    """
    details = {}
    # get the form action (target url)
    try:
        action = form.attrs.get("action").lower()
    except:
        action = None
    # get the form method (POST, GET, etc.)
    method = form.attrs.get("method", "get").lower()
    # get all the input details such as type and name
    inputs = []
    for input_tag in form.find_all("input"):
        input_type = input_tag.attrs.get("type", "text")
        input_name = input_tag.attrs.get("name")
        input_value = input_tag.attrs.get("value", "")
        inputs.append({"type": input_type, "name": input_name, "value": input_value})
    # put everything to the resulting dictionary
    details["action"] = action
    details["method"] = method
    details["inputs"] = inputs
    return details

get_all_forms() uses BeautifulSoup library to extract all form tags from HTML and returns them as a Python list, whereas get_form_details() function gets a single form tag object as an argument and parses useful information about the form, such as action (the target URL), method (GET, POST, etc) and all input field attributes (type, name and value).

Next, we define a function that tells us whether a web page has SQL errors in it, this will be handy when checking for SQL injection vulnerability:

def is_vulnerable(response):
    """A simple boolean function that determines whether a page 
    is SQL Injection vulnerable from its `response`"""
    errors = {
        # MySQL
        "you have an error in your sql syntax;",
        "warning: mysql",
        # SQL Server
        "unclosed quotation mark after the character string",
        # Oracle
        "quoted string not properly terminated",
    }
    for error in errors:
        # if you find one of these errors, return True
        if error in response.content.decode().lower():
            return True
    # no error detected
    return False

Obviously, I can't define errors for all database servers, for more reliable checking, you need to use regular expressions to find error matches, check this XML file which has a lot of them (used by sqlmap utility).

Now that we have all the tools, let's define the main function that searches for all forms in the web page and tries to place quote and double quote characters in input fields:

def scan_sql_injection(url):
    # test on URL
    for c in "\"'":
        # add quote/double quote character to the URL
        new_url = f"{url}{c}"
        print("[!] Trying", new_url)
        # make the HTTP request
        res = s.get(new_url)
        if is_vulnerable(res):
            # SQL Injection detected on the URL itself, 
            # no need to preceed for extracting forms and submitting them
            print("[+] SQL Injection vulnerability detected, link:", new_url)
            return
    # test on HTML forms
    forms = get_all_forms(url)
    print(f"[+] Detected {len(forms)} forms on {url}.")
    for form in forms:
        form_details = get_form_details(form)
        for c in "\"'":
            # the data body we want to submit
            data = {}
            for input_tag in form_details["inputs"]:
                if input_tag["type"] == "hidden" or input_tag["value"]:
                    # any input form that is hidden or has some value,
                    # just use it in the form body
                    try:
                        data[input_tag["name"]] = input_tag["value"] + c
                    except:
                        pass
                elif input_tag["type"] != "submit":
                    # all others except submit, use some junk data with special character
                    data[input_tag["name"]] = f"test{c}"
            # join the url with the action (form request URL)
            url = urljoin(url, form_details["action"])
            if form_details["method"] == "post":
                res = s.post(url, data=data)
            elif form_details["method"] == "get":
                res = s.get(url, params=data)
            # test whether the resulting page is vulnerable
            if is_vulnerable(res):
                print("[+] SQL Injection vulnerability detected, link:", url)
                print("[+] Form:")
                pprint(form_details)
                break

Before extracting forms and submitting them, the above function checks for the vulnerability in the URL first, as the URL itself may be vulnerable, this is simply done by appending quote character to the URL.

We then make the request using requests library and check whether the response content has the errors that we're searching for.

After that, we parse the forms and make submissions with quote characters on each form found, here is my run after testing on a known vulnerable web page:

if __name__ == "__main__":
    url = "http://testphp.vulnweb.com/artists.php?artist=1"
    scan_sql_injection(url)

Output:

[!] Trying http://testphp.vulnweb.com/artists.php?artist=1"
[+] SQL Injection vulnerability detected, link: http://testphp.vulnweb.com/artists.php?artist=1"

As you can see, this was vulnerable in the URL itself, but after I tested this on my local vulnerable server (DVWA), I got this output:

[!] Trying http://localhost:8080/DVWA-master/vulnerabilities/sqli/"
[!] Trying http://localhost:8080/DVWA-master/vulnerabilities/sqli/'
[+] Detected 1 forms on http://localhost:8080/DVWA-master/vulnerabilities/sqli/.
[+] SQL Injection vulnerability detected, link: http://localhost:8080/DVWA-master/vulnerabilities/sqli/
[+] Form:
{'action': '#',
 'inputs': [{'name': 'id', 'type': 'text', 'value': ''},
            {'name': 'Submit', 'type': 'submit', 'value': 'Submit'}],
 'method': 'get'}

Note: If you want to test the script on a local vulnerable web applications like DVWA, you need to login first, I've provided the code for logging to DVWA in the script here, you'll find it as a commented code in the beginning.

Conclusion

Note that I've tested this script on many vulnerable websites and it works just fine. However, if you want more reliable SQL injection tool, consider using sqlmap, it is written in Python language as well, and it automates the process of detecting as well as exploiting SQL injection flaws.

You can extend this code by adding exploitation feature, this cheat sheet can help you use the right SQL commands. Or you may want to extract all website links and check for the vulnerability on all site pages, you can do it as well!

Finally, try to use this ethically, we are not responsible for any misuse of this code!

Learn also: How to Build a XSS Vulnerability Scanner in Python.

Happy Hacking ♥

View Full Code
Sharing is caring!



Read Also





Comment panel

   
Comment system is still in Beta, if you find any bug, please consider contacting us here.