Now that we have provided a general overview of the logic flow that our exploit engine will implement, we can begin writing some code. As mentioned before, we plan to extend the scanner developed in the previous chapter so that the exploit engine is invoked when the scanner detects a potential SQL injection point. We start by making a copy of simpleScanner.pl and calling it extendedScanner.pl.
The first thing we need to do is make some slight modifications to the existing code. For starters, we need to declare several variables used for testing before we move into the on each input request. We do this so that we can reference these variables from within various subroutines without having to provide them as inputs to each routine. If you recall, the previous script declared a few variables and hashes before beginning any testing. Here are the original declarations:
my ($oRequest,$oResponse, $oStatus, %dirLog, %paramLog);
For the extended scanner, we simply add some variables and arrays to this list. Instead of explaining what each variable or array is used for right now, we will explain each one as we use it. For now, modify the preceding line of code as follows:
my ($oRequest,$oResponse, $oStatus, %dirLog, %paramLog, $paramRequest, $sqlVuln, $sqlOrVuln, $sqlUnionVuln, $sqlColumnVuln, $sqlDataTypeVuln, $unionExploitRequest, @dbDataTypeArray, @dtCombinations, $sqlDbType);
Now that we have declared our new variables, let’s move down to the parameter-based ...