Programming bots

Discuss the many weaknesses of browser security and ways to mitigate the threat

Programming bots

Post by fishtits on Wed Dec 01, 2010 12:45 pm

I log about 20 IPs a day testing my site for vulnerabilities to SQL injections, JavaScript injections, directory traversal, XSS and more. There's no way these are humans. Although these things are a pain in the ass because I have to sift through pages of this crap when I'm looking for human activity, I like the idea of programming bots to scour the internet and do stuff for you. How do these bots work, do they use search engines or something? Is there a great deal of programming knowledge required to be able to build a simple bot?
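The sifting problem in the post above can be automated. This is an added example, not code from the thread: it parses web-server access logs in the common "combined" format (assumed), counts scanner-style probe patterns per client IP (the quote-after-"=" pattern is exactly what the SQLi scanner posted later in this thread sends, alongside traversal, UNION and script-tag probes), and reports only the IPs that sent probes so they can be filtered out of the human traffic. The log lines and IP addresses are constructed for the demo.

```python
import re
from collections import defaultdict

# Apache/nginx "combined" format: ip - - [time] "METHOD path HTTP/x" status size "referer" "agent"
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"')

# Request-line patterns typical of automated scanners. The scanner posted later in this thread
# rewrites every "=" to "='", so a quote inside a query value is the first signature.
PROBES = {
    "sqli_quote": re.compile(r"=[^&\s]*(?:%27|')", re.I),
    "sqli_union": re.compile(r"union(?:%20|\+| )(?:all(?:%20|\+| ))?select", re.I),
    "traversal": re.compile(r"(?:\.\./|%2e%2e%2f|\.\.\\)", re.I),
    "xss": re.compile(r"(?:<script|%3cscript|javascript:)", re.I),
}

def classify(path):
    """Names of every probe signature found in one request path."""
    return [name for name, rx in PROBES.items() if rx.search(path)]

def triage(lines):
    """Group requests by client IP and count probe signatures; return only IPs that sent probes.

    Result shape: {ip: {"requests": total, "probes": {signature: count}}}
    """
    report = defaultdict(lambda: {"requests": 0, "probes": defaultdict(int)})
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        ip, _ts, _method, path, _status, _agent = m.groups()
        report[ip]["requests"] += 1
        for sig in classify(path):
            report[ip]["probes"][sig] += 1
    return {ip: {"requests": r["requests"], "probes": dict(r["probes"])}
            for ip, r in report.items() if r["probes"]}

# Constructed sample log: one scanner, one human, one XSS probe (RFC 5737 test addresses).
SAMPLE_LOG = """\
203.0.113.7 - - [01/Dec/2010:12:01:02 +0000] "GET /item.php?id='5 HTTP/1.1" 500 312 "-" "Mozilla/4.0"
203.0.113.7 - - [01/Dec/2010:12:01:03 +0000] "GET /cat.php?category=2%27 HTTP/1.1" 200 1024 "-" "Mozilla/4.0"
203.0.113.7 - - [01/Dec/2010:12:01:04 +0000] "GET /dl.php?f=../../etc/passwd HTTP/1.1" 404 201 "-" "Mozilla/4.0"
198.51.100.4 - - [01/Dec/2010:12:05:10 +0000] "GET /item.php?id=5 HTTP/1.1" 200 4096 "http://example.com/" "Mozilla/5.0"
198.51.100.4 - - [01/Dec/2010:12:05:15 +0000] "GET /about.php HTTP/1.1" 200 2048 "http://example.com/" "Mozilla/5.0"
192.0.2.9 - - [01/Dec/2010:12:07:00 +0000] "GET /search.php?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 900 "-" "curl/7.21"
"""
```

Running `triage(SAMPLE_LOG.splitlines())` reports the scanner at 203.0.113.7 and the curl probe from 192.0.2.9, and leaves the human at 198.51.100.4 out of the report.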


Re: Programming bots

Post by insomaniacal on Wed Dec 01, 2010 3:06 pm

There are plenty of kinds of bots. The kind you are talking about will connect to your site the same way a person would, and just inject code to test if your site is vulnerable.

It's not particularly hard to code a bot. You have to (generally) do the following:

1: Connect to a server.
2: Request or receive data from the server.
3: Automate reading through it (probably by manipulating strings and using if-then statements).
4: Based on #3, have the bot send some sort of reply, or do whatever you want it to do.
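The four steps above, carried through in working code. This is an added example and not the poster's code: the bot connects to a server, receives a status page, reads it with plain string handling and if-statements, and posts a reply back. Because it has to run offline, the "server" is a constructed local stand-in (`DemoHandler`, a name chosen here) that serves a fixed page; the status/queue fields, the `/status` and `/reply` paths and the decision rule are all assumptions for the demo.

```python
import json
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

class DemoHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for the remote server, so the bot can run offline."""
    received = []  # replies the bot posted back (inspected by the caller)

    def do_GET(self):
        body = b"<html><body><p>Status: DEGRADED</p><p>Queue: 42</p></body></html>"
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        DemoHandler.received.append(json.loads(self.rfile.read(length)))
        self.send_response(204)
        self.end_headers()

    def log_message(self, *args):  # silence request logging
        pass

def start_server():
    srv = HTTPServer(("127.0.0.1", 0), DemoHandler)  # port 0: pick a free port
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv

def parse_status(html):
    """Step 3: read the page with plain string handling and if-statements."""
    status = html.split("Status: ")[1].split("<")[0] if "Status: " in html else "UNKNOWN"
    queue = int(html.split("Queue: ")[1].split("<")[0]) if "Queue: " in html else 0
    return status, queue

def run_bot(base_url):
    # Steps 1 and 2: connect to the server and receive its data.
    with urllib.request.urlopen(base_url + "/status") as resp:
        html = resp.read().decode()
    status, queue = parse_status(html)
    # Step 4: decide what to do based on step 3 and send a reply.
    action = "page_oncall" if status != "OK" or queue > 10 else "nothing"
    payload = json.dumps({"status": status, "queue": queue, "action": action}).encode()
    req = urllib.request.Request(base_url + "/reply", data=payload,
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return resp.status, action
```

Run it with `srv = start_server()` followed by `run_bot(f"http://127.0.0.1:{srv.server_address[1]}")`, which returns `(204, "page_oncall")` and leaves the decoded reply in `DemoHandler.received`.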


Re: Programming bots

Post by sanddbox on Wed Dec 01, 2010 10:08 pm

They either use search engines, crawl websites, or are directed to test your specific website (most likely at the command of a skiddie). They're nothing to worry about.


Re: Programming bots

Post by fabianhjr on Thu Dec 02, 2010 7:11 am

Crawlers or search engines. Here is a sample of an address SQL injection bot:
<!DOCTYPE html>
<html>
<head>
<meta name="robots" content="noindex, nofollow">
<meta http-equiv="Content-Type" content="text/html; charset=utf-16">
<title>SQLi Scanner</title>
<style type="text/css">
body{
background: #0F0F0F;
color: #FFFFFF;
font-family:  monospace;
font-size: 12px;
}

input{
background: #0F0F0F;
border: 1px solid #00FF00;
color: #00FF00;
}

h2{
color: #55FF2A;
}

a{ color: #5A5A5A; text-decoration: none; }
a:visited, a:active{ color: #5A5A5A; text-decoration: line-through; }
a:hover{ color: #00FF00; text-decoration: line-through; }
.effectok:hover { text-decoration: underline; }
.effectfalse:hover { text-decoration: line-through; }
</style>
</head>
<body>
<form action="<?php echo htmlentities($_SERVER['PHP_SELF']);?>" method="post">
Dork: <input type='text' name='dork' value='filetype:php id OR category' />
<input type='submit' value=' Start ' />
</form>
<hr />
<?php
if(isset($_POST['dork'])&&!is_array($_POST['dork'])) {
   @set_time_limit(0);
   $google = "http://www.google.com/cse?cx=013269018370076798483%3Awdba3dlnxqm&q=REPLACE_DORK&num=100&hl=en&as_qdr=all&start=REPLACE_START&sa=N";
   $b = 0;

   while($b <= 900) {
      $a = 0;
      echo "<hr />";

      if(preg_match("/did not match any documents/", Connect_Host(str_replace(array("REPLACE_DORK", "REPLACE_START"), array("".$_POST['dork']."", "$b"), $google)), $val)) {
         echo "<hr /><h2>No |more| results found.</h2>";
         break;
      }

      preg_match_all("/<h2 class=(.*?)><a href=\"(.*?)\" class=(.*?)>/", Connect_Host(str_replace(array("REPLACE_DORK", "REPLACE_START"), array("".$_POST['dork']."", "$b"), $google)), $sites);
      echo "Loading…<br />";
      flush(); ob_flush();
      while(1) {
         if(preg_match("/You have an error in your SQL|Division by zero in|supplied argument is not a valid MySQL result resource in|Call to a member function|Microsoft JET Database|ODBC Microsoft Access Driver|Microsoft OLE DB Provider for SQL Server|Unclosed quotation mark|Microsoft OLE DB Provider for Oracle|Incorrect syntax near|SQL query failed/", Connect_Host(str_replace("=", "='", $sites[2][$a])))) {
            echo "<a href='".htmlentities(str_replace("=", "='", $sites[2][$a]))."' target='_blank' class='effectok'>".str_replace("=", "='", $sites[2][$a])."</a> <== <font color='green'>SQLi vulnerability detected!</font><br />";
         } else {
         echo "<a href='".htmlentities(str_replace("=", "='", $sites[2][$a]))."' target='_blank' class='effectfalse'>".str_replace("=", "='", $sites[2][$a])."</a> <== <font color='red'>No vulnerability found.</font><br />";
         flush(); ob_flush();
         }
         if($a > count($sites[2])-2) {
            break;
         }
         $a += 1;
      }
      $b += 100;
   }
}

function Connect_Host($url) {
   $ch = curl_init();
   curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 0);
   curl_setopt($ch, CURLOPT_URL, $url);
   curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
   curl_setopt($ch, CURLOPT_TIMEOUT, 10);
   $data = curl_exec($ch);
   return ($data) ? $data : 0;
}
?>
</body>
</html>
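What the scanner above actually keys on is the list of database error strings in its big `preg_match`: a URL is only flagged when the page echoes one of them back. The added example below (not from the thread) turns that same signature list around for the defending side: a WSGI middleware (hypothetical name `DbErrorScrubber`) that logs any response carrying one of those strings and replaces it with a generic 500, so the scanner gets nothing to match on and the admin gets a log line pointing at the page that needs fixing. The real fix is parameterised queries; this is a safety net and a detector. The `leaky_app` is a constructed stand-in for the kind of PHP page the scanner targets.

```python
import logging
import re
# The same error signatures the scanner greps for; if one reaches a client, errors are leaking.
DB_ERROR_RE = re.compile(
    r"You have an error in your SQL|supplied argument is not a valid MySQL result resource"
    r"|Unclosed quotation mark|Incorrect syntax near|Microsoft OLE DB Provider for"
    r"|ODBC Microsoft Access Driver|Microsoft JET Database|SQL query failed"
    r"|Division by zero in|Call to a member function")
log = logging.getLogger("db_error_leak")

def leaked_db_error(body):
    m = DB_ERROR_RE.search(body)  # first matching signature in a response body, or None
    return m.group(0) if m else None

class DbErrorScrubber:
    """WSGI middleware (hypothetical name): log and replace a leaking response."""
    def __init__(self, app):
        self.app = app
    def __call__(self, environ, start_response):
        seen = {}
        def capture(status, headers, exc_info=None):
            seen["status"], seen["headers"] = status, headers
        body = b"".join(self.app(environ, capture))
        sig = leaked_db_error(body.decode("utf-8", "replace"))
        if sig is None:
            start_response(seen["status"], seen["headers"])
            return [body]
        log.warning("DB error '%s' leaked to %s on %s?%s", sig, environ.get("REMOTE_ADDR"),
                    environ.get("PATH_INFO"), environ.get("QUERY_STRING"))
        body = b"Internal error"
        start_response("500 Internal Server Error",
                       [("Content-Type", "text/plain"), ("Content-Length", str(len(body)))])
        return [body]

def leaky_app(environ, start_response):
    """Constructed stand-in for a PHP page that echoes the database's complaint."""
    if "'" in environ.get("QUERY_STRING", ""):
        body = (b"Warning: mysql_fetch_array(): supplied argument is not a valid MySQL "
                b"result resource in /var/www/item.php on line 12")
    else:
        body = b"<html>item 5</html>"
    start_response("200 OK", [("Content-Type", "text/html")])
    return [body]

def get(app, query):
    """Invoke a WSGI app for GET /item.php?<query>; return (status, body)."""
    out = {}
    env = {"REQUEST_METHOD": "GET", "PATH_INFO": "/item.php",
           "QUERY_STRING": query, "REMOTE_ADDR": "203.0.113.7"}
    body = b"".join(app(env, lambda status, headers, exc_info=None: out.update(status=status)))
    return out["status"], body
```

`get(leaky_app, "id=5'")` returns the raw MySQL warning with a 200; wrapped as `get(DbErrorScrubber(leaky_app), "id=5'")` the same request yields a plain 500 and a warning in the `db_error_leak` logger, while `id=5` passes through untouched.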


Re: Programming bots

Post by Goatboy on Thu Dec 02, 2010 4:50 pm

Fabi, when I first started reading your post I saw the HTML and thought "omgwat"


Re: Programming bots

Post by fabianhjr on Thu Dec 02, 2010 7:54 pm

Sorry, it isn't made by me. I got some source code collections and this seemed to be the best and most newbie friendly.

Though, this only checks for URL SQL injections and up to 1000 per query.
Last edited by fabianhjr on Fri Dec 03, 2010 7:31 am, edited 1 time in total.


Re: Programming bots

Post by Goatboy on Thu Dec 02, 2010 10:29 pm

fabianhjr wrote: Sorry, it isn't made by me. I got some source code collections and this seemed to be the best and most newbie friendly.

Tough, this only checks for URL SQL injections and up to 1000 per query.

I figured it wasn't yours, but my first thought was still "HTML bot? What is he smoking?"

Also, it's "Though" you should be using. "Tough" es como "duro" y no pienso que es lo que quieres decir. ("Tough" means something like "duro", and I don't think that is what you meant to say.)


Re: Programming bots

Post by sanddbox on Thu Dec 02, 2010 11:47 pm

Goatboy wrote:
fabianhjr wrote: Sorry, it isn't made by me. I got some source code collections and this seemed to be the best and most newbie friendly.

Tough, this only checks for URL SQL injections and up to 1000 per query.

I figured it wasn't yours, but my first thought was still "HTML bot? What is he smoking?"

Also, it's "Though" you should be using. "Tough" es como "duro" y no pienso que es lo que quieres decir. ("Tough" means something like "duro", and I don't think that is what you meant to say.)

I actually understood that Spanish. I feel proud.


Re: Programming bots

Post by Goatboy on Fri Dec 03, 2010 4:58 am

sanddbox wrote: I actually understood that Spanish. I feel proud.

Damn, I should have used the past-tense and made it harder on you. Next time I'll go into Shakespeare mode.


Re: Programming bots

Post by fabianhjr on Fri Dec 03, 2010 7:31 am

xD yeah, sorry, a typo. @sanddbox: alguna vez haz visitado Mexico? (Have you ever visited Mexico?)