Making OWASP SQLiX module
From OWASP Live CD 2008
Get the source for OWASP SQLiX
Go to the OWASP SQLiX website and navigate to the downloads section, where you'll see two links to download the source. Only one of those worked for me - the one here. Grab the latest version, which is SQLiX_v1.0.tar.tar at the time of this writing. BTW, the file extension is wrong: it should be a tar.gz file, not a tar.tar.
Go ahead and extract the download into the working/temp directory:
$ cp /home/mtesauro/owasp-live-cd/tools-in-SoC-release/SQLiX_v1.0.tar.tar temp/
$ file temp/SQLiX_v1.0.tar.tar
temp/SQLiX_v1.0.tar.tar: gzip compressed data, from Unix, last modified: Thu Aug 17 08:06:20 2006
$ mv temp/SQLiX_v1.0.tar.tar temp/SQLiX_v1.0.tar.gz
$ cd temp/
$ tar -xzvf SQLiX_v1.0.tar.gz
$ cd ../
Create the needed directories in fakeroot
Eventually, we'll use dir2lzm to make the module, so let's get the directories created that we need:
$ mkdir -p ./fakeroot/opt/owasp/
$ mkdir -p ./fakeroot/usr/bin
$ mkdir -p ./fakeroot/usr/share/applications
$ mkdir -p ./fakeroot/usr/share/pixmaps
Create and put the module's files into the fakeroot directory
Since we are getting an interpreted source, let's get the Perl source where it needs to go.
$ mv temp/SQLiX_v1.0 fakeroot/opt/owasp/
$ mv fakeroot/opt/owasp/SQLiX_v1.0/ fakeroot/opt/owasp/sqlix
Next, we'll need a script to start SQLiX in fakeroot/usr/bin. This one is very easy:
$ vi fakeroot/usr/bin/sqlix
[create script]
$ cat fakeroot/usr/bin/sqlix
#!/bin/sh
cd /opt/owasp/sqlix/
perl SQLiX.pl "$@"
Because SQLiX is a command line tool, we're going to create a startup script to be used by the menu item below.
$ vi fakeroot/usr/bin/startup-sqlix
[create script]
$ cat fakeroot/usr/bin/startup-sqlix
#!/bin/sh
echo " "
echo " "
echo " OWASP SQLiX - SQL Injection Scanner"
echo " (part of the OWASP Live CD 2008)"
echo " "
echo "======================================================"
echo " -- SQLiX --"
echo " © Copyright 2006 Cedric COCHIN, All Rights Reserved."
echo "======================================================"
echo " "
echo " ** Type 'sqlix --help' for command-line options **"
echo " "
echo "** Maximize the window to aid reading the help output **"
echo " "
Creating SQLiX's menu file is a bit more complicated since it opens in a terminal. Use a text editor and create the file sqlix.desktop
$ vi fakeroot/usr/share/applications/sqlix.desktop
[create the file]
$ cat fakeroot/usr/share/applications/sqlix.desktop
[Desktop Entry]
Categories=Application;Network;
Comment=
Encoding=UTF-8
Exec[$e]=startup-sqlix; bash
GenericName=SQLiX
Icon=/usr/share/pixmaps/sqlix-icon.png
MimeType=text/html
Name=SQL Injection Scanner
Path[$e]=
StartupNotify=false
Terminal=1
TerminalOptions=-T "SQLiX - SQL Injection Scanner"
Type=Application
X-KDE-StartupNotify=true
X-KDE-SubstituteUID=false
X-KDE-Username=
For the icon, there were no images in the source download. Also, since this is a text-based application, there's nothing to screen capture. I defaulted to an OWASP icon I have, since it's an OWASP tool. I then moved that into fakeroot.
$ cp temp/owasp-icon.png fakeroot/usr/share/pixmaps/sqlix-icon.png
SQLiX requires Perl. Fortunately for me, Perl is already part of SLAX. Unfortunately for me, there are few to no Perl modules on the disk - certainly not the ones needed for SQLiX. Also unfortunately, I didn't find this out until after I installed the first, non-working version of this module. I had to add those Perl modules; here's how I did it:
NOTE: The testing below was done in a Live CD environment after I installed the first version of this module.
# sqlix Can't locate WWW/CheckSite/Spider.pm in @INC (@INC contains: ...[bunch of junk removed]
OK. I'm missing some Perl modules. Time for the CPAN dance:
# find / > /root/pre-cpan
# perl -MCPAN -e shell
[snip]
cpan> install WWW::CheckSite::Spider
[snip]
Writing Makefile for WWW::CheckSite
---- Unsatisfied dependencies detected during [A/AB/ABELTJE/WWW-CheckSite-0.018.tar.gz] -----
WWW::Mechanize
HTML::Template
WWW::RobotRules
LWP
[snip]
Writing Makefile for WWW::Mechanize
---- Unsatisfied dependencies detected during [P/PE/PETDANCE/WWW-Mechanize-1.34.tar.gz] -----
HTML::Form
HTML::HeadParser
HTTP::Status
HTML::TokeParser
LWP::UserAgent
HTML::Parser
HTTP::Daemon
HTTP::Request
LWP
[snip]
Writing Makefile for LWP
---- Unsatisfied dependencies detected during [G/GA/GAAS/libwww-perl-5.814.tar.gz] -----
Compress::Zlib
HTML::Tagset
HTML::Parser
[snip]
Writing Makefile for Compress::Zlib
---- Unsatisfied dependencies detected during [P/PM/PMQS/Compress-Zlib-2.012.tar.gz] -----
IO::Uncompress::Gunzip
IO::Compress::Gzip
Compress::Raw::Zlib
IO::Uncompress::Base
IO::Compress::Gzip::Constants
IO::Compress::Base
IO::Compress::Base::Common
[snip]
Writing Makefile for IO::Compress::Zlib
---- Unsatisfied dependencies detected during [P/PM/PMQS/IO-Compress-Zlib-2.012.tar.gz] -----
IO::Uncompress::Base
IO::Compress::Base
Compress::Raw::Zlib
[snip]
# sqlix
Can't locate HTML/TreeBuilder.pm in @INC (@INC contains: ...[bunch of junk removed]
# perl -MCPAN -e shell
[snip]
cpan> install HTML::TreeBuilder
[snip]
# sqlix
Can't locate Tie/CharArray.pm in @INC (@INC contains: ...[bunch of junk removed]
[snip]
# perl -MCPAN -e shell
[snip]
cpan> install Tie::CharArray
[snip]
# sqlix
Can't locate Algorithm/Diff.pm in @INC (@INC contains: ...[bunch of junk removed]
[snip]
# perl -MCPAN -e shell
[snip]
cpan> install Algorithm::Diff
[snip]
# sqlix
======================================================
-- SQLiX --
© Copyright 2006 Cedric COCHIN, All Rights Reserved.
======================================================
Error: you need to specify a target.
Success (finally). Time to figure out what I installed and put it into the SQLiX module:
# find / > post-cpan
# diff pre-cpan post-cpan | grep '^>' > changes-cpan
# cp changes-cpan script-to-pull-cpan
# vi script-to-pull-cpan
[edit this file and change it into a shell script to copy the installed CPAN stuff into a directory]
# head script-to-pull-cpan
#!/bin/sh
mkdir -p /root/fakeroot/usr/bin
cp -a /usr/bin/checksite /root/fakeroot/usr/bin
cp -a /usr/bin/mech-dump /root/fakeroot/usr/bin
cp -a /usr/bin/lwp-mirror /root/fakeroot/usr/bin
cp -a /usr/bin/lwp-download /root/fakeroot/usr/bin
cp -a /usr/bin/lwp-rget /root/fakeroot/usr/bin
cp -a /usr/bin/lwp-request /root/fakeroot/usr/bin
mkdir -p /root/fakeroot/usr/lib/perl5/site_perl/5.8.8
# chmod u+x script-to-pull-cpan
Before running this script, let's turn the not-quite-working sqlix-1.0.lzm back into a directory structure:
# mkdir /root/fakeroot
# lzm2dir sqlix-1.0.lzm fakeroot/
[snip]
# ./script-to-pull-cpan
# dir2lzm fakeroot/ sqlix-1.0.lzm
Note: Since the above CPAN dance was in the Live CD after I had installed the first version of the module you can skip some of the steps below on your second go round. Just don't forget to move the new module off the Live CD via USB drive, scp, etc.
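The snapshot-and-diff step above can be scripted so the copy list is not edited by hand and the staged files can be audited afterwards. This is an added example, not part of the original page; the function names, the ROOT prefix argument and the excluded directories are assumptions.

```shell
#!/bin/sh
# Added example: names, the ROOT argument and the exclusion list are assumptions.

# new_paths PRE POST
# Print paths listed in POST but not in PRE (both are `find /` outputs),
# dropping volatile trees and root's home, where the CPAN build cache lives.
new_paths() {
    pre_sorted=$(mktemp)
    post_sorted=$(mktemp)
    LC_ALL=C sort "$1" > "$pre_sorted"
    LC_ALL=C sort "$2" > "$post_sorted"
    LC_ALL=C comm -13 "$pre_sorted" "$post_sorted" |
        grep -Ev '^/(proc|sys|dev|tmp|root)(/|$)' || true
    rm -f "$pre_sorted" "$post_sorted"
}

# stage_files ROOT FAKEROOT
# Read absolute paths on stdin. Copy each regular file or symlink from
# ROOT/<path> to FAKEROOT/<path>, creating parent directories as needed, and
# print one sha256sum line per regular file so the result can be audited.
# ROOT is "" on the live system; a non-empty ROOT lets you test on a copy.
stage_files() {
    root=$1
    fakeroot=$2
    while IFS= read -r p; do
        src="$root$p"
        if [ -f "$src" ] || [ -L "$src" ]; then
            mkdir -p "$fakeroot$(dirname "$p")"
            cp -a "$src" "$fakeroot$p"
            [ -L "$src" ] || (cd "$fakeroot" && sha256sum ".$p")
        fi
    done
}

# On the Live CD, as root, in place of the hand-edited script:
#   new_paths /root/pre-cpan /root/post-cpan |
#       stage_files "" /root/fakeroot > /root/cpan-manifest.sha256
#   (cd /root/fakeroot && sha256sum -c /root/cpan-manifest.sha256)
```

Comparing path listings only finds files that were added; a file the install modified in place (same path, new content) will not appear in the list.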
Everything is in place to create the modules, a quick final check:
$ find fakeroot
fakeroot/
fakeroot/opt
fakeroot/opt/owasp
fakeroot/opt/owasp/sqlix
fakeroot/opt/owasp/sqlix/SQLiX.pl
...
Generate the .lzm module
This is the easy part.
$ ./dir2lzm ./fakeroot sqlix-1.0.lzm
Add the modules to the ISO build directory
Also cake
$ cp -i sqlix-1.0.lzm ../contents/slax/base/
$ chmod 775 ../contents/slax/base/sqlix-1.0.lzm
Test the new module
I like scp'ing the new modules into a running Live CD and using the Module Manager to add modules to a running system. I typically have the Live CD running in a VM while I create modules, so it's already up and ready.
You can also gen a new ISO and run it in a VM of your choice.
$ cd ../contents/slax/
$ ./make_iso.sh /home/mtesauro/isos/new-owasp.iso
If anything doesn't work as expected, make the changes needed to ./fakeroot and try again.
Clean up and archive
Once you've got a working module, let's clean up a bit.
$ mkdir ./completed_modules/sqlix
$ mv sqlix-1.0.lzm ./completed_modules/sqlix/
$ mv temp/SQLiX_v1.0.tar.gz ./completed_modules/sqlix/
$ rm -rf ./temp/*
I usually delete anything under ./fakeroot also.
$ rm -rf ./fakeroot/*

