platform/libinjection
2019-08-16 10:42:40 -04:00

libinjection

SQL / SQLI tokenizer parser analyzer. For

See https://www.client9.com/ for details and presentations.

Simple example:

#include <stdio.h>
#include <string.h>
#include "libinjection.h"
#include "libinjection_sqli.h"

int main(int argc, const char* argv[])
{
    struct libinjection_sqli_state state;
    int issqli;
    const char* input;
    size_t slen;

    /* the string to test is taken from the first command-line argument */
    if (argc < 2) {
        fprintf(stderr, "usage: %s <input>\n", argv[0]);
        return 2;
    }
    input = argv[1];
    slen = strlen(input);

    /* in real-world, you would url-decode the input, etc */

    /* tokenize the input and compare its fingerprint against known SQLi patterns */
    libinjection_sqli_init(&state, input, slen, FLAG_NONE);
    issqli = libinjection_is_sqli(&state);
    if (issqli) {
        fprintf(stderr, "sqli detected with fingerprint of '%s'\n", state.fingerprint);
    }
    return issqli;
}

$ gcc -Wall -Wextra examples.c libinjection_sqli.c
$ ./a.out "-1' and 1=1 union/* foo */select load_file('/etc/passwd')--"
sqli detected with fingerprint of 's&1UE'
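
The comment in the example above leaves URL decoding to the caller. The following is an added example, not part of libinjection or its README: a hypothetical `url_decode` helper that decodes into a caller-supplied buffer and returns the decoded length, so the length handed to `libinjection_sqli_init` also covers bytes after a decoded `%00`, which `strlen` would cut off.

```c
#include <stddef.h>
#include <string.h>

/* Value of one hex digit, or -1 if c is not a hex digit. */
static int hexval(unsigned char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    c |= 0x20; /* fold ASCII letters to lower case */
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

/*
 * url_decode (hypothetical helper, not a libinjection function):
 * percent-decode src[0..slen) into dst, which must hold at least slen bytes.
 * '+' becomes a space (form encoding); a '%' that is not followed by two
 * hex digits is copied through unchanged.
 * Returns the decoded length. The output is not NUL-terminated and may
 * contain NUL bytes (from %00), so the caller must carry the length.
 */
size_t url_decode(const char *src, size_t slen, char *dst)
{
    size_t i = 0, n = 0;

    while (i < slen) {
        unsigned char c = (unsigned char)src[i];
        if (c == '%' && slen - i >= 3) {
            int hi = hexval((unsigned char)src[i + 1]);
            int lo = hexval((unsigned char)src[i + 2]);
            if (hi >= 0 && lo >= 0) {
                dst[n++] = (char)((hi << 4) | lo);
                i += 3;
                continue;
            }
        }
        dst[n++] = (c == '+') ? ' ' : (char)c;
        i++;
    }
    return n;
}

/*
 * Use with the calls from the README example (length from url_decode):
 *   n = url_decode(raw, rawlen, buf);
 *   libinjection_sqli_init(&state, buf, n, FLAG_NONE);
 *   issqli = libinjection_is_sqli(&state);
 */
```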

More advanced samples:

VERSION INFORMATION

See CHANGELOG for details.

Versions are listed as "major.minor.point"

Major releases are significant changes to the API and/or fingerprint format. Applications will need recompiling and/or refactoring.

Minor releases are C code changes. These may include:

  • logical change to detect or suppress
  • optimization changes
  • code refactoring

Point releases are purely data changes. These may be safely applied.

QUALITY AND DIAGNOSTICS

The continuous integration at https://travis-ci.org/client9/libinjection tests the following:

LICENSE

Copyright (c) 2012-2016 Nick Galbreath

Licensed under the standard BSD 3-Clause open source license. See COPYING for details.

EMBEDDING

The src directory contains everything, but you only need to copy the following into your source tree: