SQL / SQLI tokenizer parser analyzer. For
- C and C++
- PHP
- Python
- Lua
- Java (external port)
- [LuaJIT/FFI](https://github.com/p0pr0ck5/lua-ffi-libinjection) (external port)
See https://www.client9.com/ for details and presentations.
Simple example:
```c
#include <stdio.h>
#include <string.h>
#include <errno.h>
#include "libinjection.h"
#include "libinjection_sqli.h"

int main(int argc, const char* argv[])
{
    struct libinjection_sqli_state state;
    int issqli;

    /* an input string is required */
    if (argc < 2) {
        fprintf(stderr, "usage: %s <input>\n", argv[0]);
        return 2;
    }

    const char* input = argv[1];
    size_t slen = strlen(input);

    /* in real-world, you would url-decode the input, etc */

    libinjection_sqli_init(&state, input, slen, FLAG_NONE);
    issqli = libinjection_is_sqli(&state);
    if (issqli) {
        /* the fingerprint is the token pattern that matched */
        fprintf(stderr, "sqli detected with fingerprint of '%s'\n", state.fingerprint);
    }
    return issqli;
}
```

```
$ gcc -Wall -Wextra examples.c libinjection_sqli.c
$ ./a.out "-1' and 1=1 union/* foo */select load_file('/etc/passwd')--"
sqli detected with fingerprint of 's&1UE'
```

More advanced samples:
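The comment in the simple example says real input should be URL-decoded before it is analyzed. One way to do that step, as an added example that is not libinjection's own code: `url_decode`, `hex_val` and `decodes_to` are hypothetical helpers and the sample strings are constructed. The length `url_decode` returns is what you would pass as `slen` to `libinjection_sqli_init`.

```c
#include <stdio.h>
#include <string.h>

/* Value of one hex digit, or -1 if c is not a hex digit. */
static int hex_val(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Percent-decode src[0..slen) into dst, which must hold at least slen bytes
 * (decoding never grows the data). '+' becomes a space, as in form encoding.
 * Malformed escapes ("%", "%4", "%zz") are copied through unchanged.
 * Returns the decoded length; the output is not NUL-terminated and may
 * contain NUL bytes from "%00", so use this length, never strlen(dst). */
size_t url_decode(const char *src, size_t slen, char *dst)
{
    size_t i = 0, out = 0;
    while (i < slen) {
        int hi = -1, lo = -1;
        if (src[i] == '%' && slen - i >= 3 &&
            (hi = hex_val(src[i + 1])) >= 0 &&
            (lo = hex_val(src[i + 2])) >= 0) {
            dst[out++] = (char)((hi << 4) | lo);
            i += 3;
        } else {
            dst[out++] = (src[i] == '+') ? ' ' : src[i];
            i++;
        }
    }
    return out;
}

/* Returns 1 if decoding `in` yields exactly the n bytes at `expect`. */
int decodes_to(const char *in, const char *expect, size_t n)
{
    char buf[128];
    size_t len = strlen(in);
    return len <= sizeof buf && url_decode(in, len, buf) == n &&
           memcmp(buf, expect, n) == 0;
}

int main(void)
{
    /* Constructed sample: start of the README's test string, form-encoded. */
    puts(decodes_to("-1%27+and+1%3D1", "-1' and 1=1", 11) ? "ok" : "mismatch");
    return 0;
}
```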
See CHANGELOG for details.
Versions are listed as "major.minor.point"
Major releases are significant changes to the API and/or fingerprint format. Applications will need recompiling and/or refactoring.
Minor releases are C code changes. These may include:
- logical change to detect or suppress
- optimization changes
- code refactoring
Point releases are purely data changes. These may be safely applied.
The continuous integration at https://travis-ci.org/client9/libinjection tests the following:
- build and unit-tests under GCC
- build and unit-tests under Clang
- static analysis using clang static analyzer
- static analysis using cppcheck
- checks for memory errors using valgrind
- code coverage online using coveralls.io
Copyright (c) 2012-2016 Nick Galbreath
Licensed under the standard BSD 3-Clause open source license. See COPYING for details.
The src directory contains everything, but you only need to copy the following into your source tree: