Copyright | (c) Joel Burget |
---|---|
License | BSD3 |
Maintainer | erkokl@gmail.com |
Stability | experimental |
Safe Haskell | None |
Language | Haskell2010 |
Implement the symbolic evaluation of a language which operates on strings in a way similar to bash. It's possible to do different analyses, but this example finds program inputs which result in a query containing a SQL injection.
Documentation
Simple expression language
type M = StateT (SFunArray String String) (WriterT [SString] Symbolic) Source #
Evaluation monad. The state argument is the environment to store variables as we evaluate.
exampleProgram :: SQLExpr Source #
A simple program to query all messages with a given topic id. In SQL like notation:
query ("SELECT msg FROM msgs where topicid='" ++ my_topicid ++ "'")
statementRe :: RegExp Source #
We'll greatly simplify here and say a statement is either a select or a drop:
The exploit: We're looking for a DROP TABLE after at least one legitimate command.
findInjection :: SQLExpr -> IO String Source #
Analyze the program for inputs which result in a SQL injection. There are
other possible injections, but in this example we're only looking for a
DROP TABLE
command.
Remember that our example program (in pseudo-code) is:
query ("SELECT msg FROM msgs where topicid='" ++ my_topicid ++ "'")
We have:
>>>
findInjection exampleProgram
"h'; DROP TABLE 'users"
Indeed, if we substitute the suggested string, we get the program:
query ("SELECT msg FROM msgs where topicid=h
; DROP TABLEusers
")
which would query for topic h
and then delete the users table!