Copyright | (c) Joel Burget |
---|---|
License | BSD3 |
Maintainer | erkokl@gmail.com |
Stability | experimental |
Safe Haskell | None |
Language | Haskell2010 |
Implement the symbolic evaluation of a language which operates on strings in a way similar to bash. It's possible to do different analyses, but this example finds program inputs which result in a query containing a SQL injection.
Documentation
Simple expression language
Instances
IsString SQLExpr Source # | Literals strings can be lifted to be constant programs |
Defined in Documentation.SBV.Examples.Strings.SQLInjection fromString :: String -> SQLExpr # |
type M = StateT (SFunArray String String) (WriterT [SString] Symbolic) Source #
Evaluation monad. The state argument is the environment to store variables as we evaluate.
exampleProgram :: SQLExpr Source #
A simple program to query all messages with a given topic id. In SQL like notation:
query ("SELECT msg FROM msgs where topicid='" ++ my_topicid ++ "'")
statementRe :: RegExp Source #
We'll greatly simplify here and say a statement is either a select or a drop:
The exploit: We're looking for a DROP TABLE after at least one legitimate command.
findInjection :: SQLExpr -> IO String Source #
Analyze the program for inputs which result in a SQL injection. There are
other possible injections, but in this example we're only looking for a
DROP TABLE
command.
Remember that our example program (in pseudo-code) is:
query ("SELECT msg FROM msgs WHERE topicid='" ++ my_topicid ++ "'")
Depending on your z3 version, you might see an output of the form:
ghci> findInjection exampleProgram "kg'; DROP TABLE 'users"
though the topic might change obviously. Indeed, if we substitute the suggested string, we get the program:
query ("SELECT msg FROM msgs WHERE topicid='kg'; DROP TABLE 'users'")
which would query for topic kg
and then delete the users table!
Here, we make sure that the injection ends with the malicious string:
>>>
("'; DROP TABLE 'users" `Data.List.isSuffixOf`) <$> findInjection exampleProgram
True