injectable_presentation

do you all watch Mr Robot?; philosophy; scraping for good, no interesting code

is_sql_injectable(domain)

or let's protect websites whose username tables are up for grabs

By Pascal van Kooten

MSc Methods&Statistics

Working at Jibes Data Analytics

Open source projects:

20 lines mime vs ..>

rather than single page consider, consider whole domain

don't abuse

gather from reddit, github, pypi, BDFL, twitter, stackoverflow

latest greatest xtoy

yagmail send emails in 2 lines (html/attach) 246 sky next-gen intelligent web scraping 57 gittyleaks find users/keys/pass in git repos 18 pytrending discover trending python 10 xtoy automatic prep/model/predict 2

Interesting for python because:

"big data" cloud scraping sending email

Demo

http://www.gtbit.org/news/viewitem.php?id=40

{"domain": "http://www.gtbit.org",
 "url": "http://www.gtbit.org/news/viewitem.php?id=40",
 "injectable": true,
 "on line": true,
 "error": false,
 "at line": false,
 "time": "Wed Oct 28 00:59:39 2015",
 "warning": true,
 "failed_request": false,
 "emails": ["gtbit@rediffmail.com", "inderjeet@gmail.com"],
 "sql": true}

What could a hacker do with this?

He could use sqlmap (written in Python) to figure out which tables are in the database.
He could then obtain the username table
He could then do password attacks on the website using the usernames
Possibly find other useful information in the tables

Testing injectability

CommonCrawl Action Amount Web data of 145TB 1.81 billion URL contains "php?" 109.715 Keep only unique domains 27.046 Append single quote Test for SQL errors on page 1.742 if error: scan homepage + contact for email 692

control micro fleet

script being run on aws

gather from S3 using GreenPool, do the computations

Scripts:

aws_master.py aws_client.py ec2_template.py injectable.py

part = r'[^?@ ><\'":\\\/]+'
email_re = re.compile(part + '@' + part + r'\.' + part)

for wet_path in wetpaths:
    swp = slugger(wet_path)
    if swp in dones:
        continue
    t1 = time.time()
    results = []
    # Start a connection to one of the WARC files
    k = Key(pds, wet_path)
    f = warc.WARCFile(fileobj=GzipStreamFile(k))
    for i, record in enumerate(f):
        if record.url is not None and 'php?id=' in record.url:
            results.append(record.url)
    print(time.time() - t1)
    save_file_s3('\n'.join(results), swp)

Crucial lessons:

Typical map+reduce problem Better to spend a little than put extra time We need more distributed stuff...

Questions?

Should I email? kootenpv.github.io PascalvKooten kootenpv kootenpv@gmail.com pascalvkooten

do you all watch Mr Robot?; philosophy; scraping for good, no interesting code is_sql_injectable(domain) or let's protect websites whose username tables are up for grabs By Pascal van Kooten

is_sql_injectable(domain)

kootenpv

is_sql_injectable(domain)

0 0 (function() { var po = document.createElement('script'); po.type = 'text/javascript'; po.async = true; po.src = 'https://apis.google.com/js/platform.js'; var s = document.getElementsByTagName('script')[0]; s.parentNode.insertBefore(po, s); })();