.png)
3 years ago
198 
SQL / SQLI tokenizer parser analyzer. For
C and C++ PHP Python Lua Java (external port) [LuaJIT/FFI] (https://github.com/p0pr0ck5/lua-ffi-libinjection) (external port)See https://www.client9.com/ for details and presentations.
Simple example:
fingerprint of '%s'\n", state.fingerprint); } return issqli; } ">
#include <stdio.h>#include <strings.h>
#include <errno.h>
#include "libinjection.h"
#include "libinjection_sqli.h"
int main(int argc, const char* argv[])
{
struct libinjection_sqli_state state;
int issqli;
const char* input = argv[1];
size_t slen = strlen(input);
/* in real-world, you would url-decode the input, etc */
libinjection_sqli_init(&state, input, slen, FLAG_NONE);
issqli = libinjection_is_sqli(&state);
if (issqli) {
fprintf(stderr, "sqli detected with fingerprint of '%s'\n", state.fingerprint);
}
return issqli;
}
$ ./a.out "-1' and 1=1 union/* foo */select load_file('/etc/passwd')--"
sqli detected with fingerprint of 's&1UE'
More advanced samples:
sqli_cli.c reader.c fptoolVERSION INFORMATION
See CHANGELOG for details.
Versions are listed as "major.minor.point"
Major are significant changes to the API and/or fingerprint format. Applications will need recompiling and/or refactoring.
Minor are C code changes. These may include
logical change to detect or suppress optimization changes code refactoringPoint releases are purely data changes. These may be safely applied.
QUALITY AND DIAGNOSITICS
The continuous integration results at https://travis-ci.org/client9/libinjection tests the following:
build and unit-tests under GCC build and unit-tests under Clang static analysis using clang static analyzer static analysis using cppcheck checks for memory errors using valgrind code coverage online using coveralls.ioEMBEDDING
The src directory contains everything, but you only need to copy the following into your source tree:
src/libinjection.h src/libinjection_sqli.c src/libinjection_sqli_data.h COPYING
Bengali (Bangladesh) · 
English (United States) ·