dolibarr/test/sqlmap/README

To test there is no SQL injection, we can use:

-- Installation of sqlmap
-------------------------

git clone --depth 1 https://github.com/sqlmapproject/sqlmap.git sqlmap

cd sqlmap

./sqlmap.py --update

./sqlmap.py --purge


Add, into file ~/git/sqlmap/data/xml/payloads/boolean_blind.xml, the custom rule:

    <!-- Boolean-based blind tests - WHERE/HAVING clause -->
    <test>
     <title>Our_ORDERBY_Payload</title>
        <stype>1</stype>
        <level>1</level>
        <risk>1</risk>
        <clause>1</clause>
        <where>1</where>
     <vector>,(select * from(select (CASE WHEN ([INFERENCE]) THEN 1 ELSE exp(710) END))a)</vector>
     <request>
         <payload>,(select * from(select (CASE WHEN (1=1) THEN 1 ELSE exp(710) END))a)</payload>
     </request>
     <response>
         <comparison>,(select * from(select (CASE WHEN (1=2) THEN 1 ELSE exp(710) END))a)</comparison>
     </response>
     <details>
         <dbms>mysql</dbms>
         <os>linux</os>
     </details>
 </test>


-- Launch sqlmap on a given url/parameter
-----------------------------------------

Introduce a vulnerability by changing the GETPOST on parameter search_status into GETPOST('search_status', 'none') and removing $db->sanitize when parameter is used;

./sqlmap.py --fresh-queries -u "http://localhostdev/comm/propal/list.php?search_status=*"

./sqlmap.py -A "securitytest" --threads=4 -u "http://localhostdev/comm/propal/list.php?search_status=*" --dbms=mysql --os=linux --technique=B --batch --skip-waf \
	--cookie="DOLSESSID_xxxxxx=yyyyyyyy;" --prefix='1' -v 4 > sqlmap.txt

Check vulnerability is found into sqlmap.txt. Scanner is working.


-- Launch sqlmap on all the application
---------------------------------------

Set $dolibarr_nocsrfcheck='1' into conf.php file to make access easier.

With prefix (required to have some rules working)

./sqlmap.py -A "securitytest" --threads=4 -u "http://localhostdev/" --crawl=2 --crawl-exclude="logout|user\/card|custom\/" \
  --skip=sortorder --skip=sortfield --dbms=mysql --os=linux --technique=B --batch --skip-waf \
  --cookie="DOLSESSID_xxxxxxxxx=yyyyyyyyyyyyyyyy;" --prefix='1' -v

Without prefix

./sqlmap.py -A "securitytest" --threads=4 -u "http://localhostdev/" --crawl=2 --crawl-exclude="logout|user\/card|custom\/" \
  --skip=sortorder --skip=sortfield --dbms=mysql --os=linux --technique=B --batch --skip-waf \
  --cookie="DOLSESSID_xxxxxxxxx=yyyyyyyyyyyyyyyy;" -v
Add doc 2020-09-24 13:41:26 +02:00			`To test there is no SQL injection, we can use:`

			`-- Installation of sqlmap`
			`-------------------------`

			`git clone --depth 1 https://github.com/sqlmapproject/sqlmap.git sqlmap`

			`cd sqlmap`

			`./sqlmap.py --update`

			`./sqlmap.py --purge`


			`Add, into file ~/git/sqlmap/data/xml/payloads/boolean_blind.xml, the custom rule:`

			`<!-- Boolean-based blind tests - WHERE/HAVING clause -->`
			`<test>`
			`<title>Our_ORDERBY_Payload</title>`
			`<stype>1</stype>`
			`<level>1</level>`
			`<risk>1</risk>`
			`<clause>1</clause>`
			`<where>1</where>`
			`<vector>,(select * from(select (CASE WHEN ([INFERENCE]) THEN 1 ELSE exp(710) END))a)</vector>`
			`<request>`
			`<payload>,(select * from(select (CASE WHEN (1=1) THEN 1 ELSE exp(710) END))a)</payload>`
			`</request>`
			`<response>`
			`<comparison>,(select * from(select (CASE WHEN (1=2) THEN 1 ELSE exp(710) END))a)</comparison>`
			`</response>`
			`<details>`
			`<dbms>mysql</dbms>`
			`<os>linux</os>`
			`</details>`
			`</test>`




			`-- Launch sqlmap on a given url/parameter`
			`-----------------------------------------`

			`Introduce a vulnerability by changing the GETPOST on parameter search_status into GETPOST('search_status', 'none') and removing $db->sanitize when parameter is used;`

Doc 2020-09-24 16:55:55 +02:00			`./sqlmap.py --fresh-queries -u "http://localhostdev/comm/propal/list.php?search_status=*"`

			`./sqlmap.py -A "securitytest" --threads=4 -u "http://localhostdev/comm/propal/list.php?search_status=*" --dbms=mysql --os=linux --technique=B --batch --skip-waf \`
Doc 2020-09-24 15:45:52 +02:00			`--cookie="DOLSESSID_xxxxxx=yyyyyyyy;" --prefix='1' -v 4 > sqlmap.txt`
Add doc 2020-09-24 13:41:26 +02:00
			`Check vulnerability is found into sqlmap.txt. Scanner is working.`



			`-- Launch sqlmap on all the application`
			`---------------------------------------`

			`Set $dolibarr_nocsrfcheck='1' into conf.php file to make access easier.`

			`With prefix (required to have some rules working)`

			`./sqlmap.py -A "securitytest" --threads=4 -u "http://localhostdev/" --crawl=2 --crawl-exclude="logout\|user\/card\|custom\/" \`
			`--skip=sortorder --skip=sortfield --dbms=mysql --os=linux --technique=B --batch --skip-waf \`
			`--cookie="DOLSESSID_xxxxxxxxx=yyyyyyyyyyyyyyyy;" --prefix='1' -v`

			`Without prefix`

			`./sqlmap.py -A "securitytest" --threads=4 -u "http://localhostdev/" --crawl=2 --crawl-exclude="logout\|user\/card\|custom\/" \`
			`--skip=sortorder --skip=sortfield --dbms=mysql --os=linux --technique=B --batch --skip-waf \`
			`--cookie="DOLSESSID_xxxxxxxxx=yyyyyyyyyyyyyyyy;" -v`