How to compile and install libinjection on a Linux server
1. Purpose
In this post, I will introduce how to compile and install libinjection on a Linux server.
2. Solution
1) What is libinjection?
Libinjection is a SQL / SQLi tokenizer, parser and analyzer library. It can be used to analyze web requests to avoid SQL injection or XSS injection.
libinjection is a powerful and widely used open-source library designed for parsing and analyzing SQL injection input. It was created to help detect, extract, and prevent SQL injection attacks in web applications. The library is written in C and is designed to be fast, efficient, and accurate.
Here’s an introduction to libinjection and its key features:
Key Features:
- SQL Parsing: libinjection can parse SQL statements and understand their structure, which is crucial for identifying potential injection points.
- Detection: It is capable of detecting SQL injections with high accuracy, even in complex and obfuscated inputs.
- Extraction: The library can extract payloads from SQL injections, which is useful for understanding the attack and potentially blocking similar attacks in the future.
- Flexibility: libinjection is not limited to a specific type of SQL or database system. It can work with various SQL dialects, including MySQL, PostgreSQL, and others.
- Performance: Since it’s written in C, the library is highly performant and suitable for use in high-load environments.
- Extensibility: It provides a set of APIs that can be integrated into other applications and services to enhance their security capabilities.
- Open Source: Being open source, libinjection benefits from community contributions and is freely available for use under the BSD license.
Usage:
To use libinjection on Linux, you would typically follow these steps:
- Installation: Install libinjection using your system’s package manager or compile it from source. For example, on a Debian-based system, you might use: sudo apt-get install libinjection
- Integration: Integrate the library into your application by including the necessary headers and linking against the library.
- Detection: Use the library’s functions to parse and analyze SQL queries, looking for signs of SQL injection.
- Response: If an injection is detected, take appropriate action, such as blocking the request, logging the incident, or alerting administrators.
Example Code Snippet:
Here’s a simple example of how you might use libinjection to detect SQL injection in a C program:
#include <stdio.h>
#include <string.h>
#include "libinjection.h"
#include "libinjection_sqli.h"

int main(void) {
    /* The user-supplied value is what gets checked, not the assembled query */
    const char *input = "123' OR '1'='1";
    struct libinjection_sqli_state state;
    int is_sql_injection;

    /* Initialize the parser state for this input, then run the detector */
    libinjection_sqli_init(&state, input, strlen(input), FLAG_NONE);
    is_sql_injection = libinjection_is_sqli(&state);

    if (is_sql_injection) {
        printf("Possible SQL injection detected!\n");
    } else {
        printf("No SQL injection detected.\n");
    }
    return 0;
}
In this example, libinjection_sqli_init sets up the parser state and libinjection_is_sqli is used to check if the provided input contains an injection attempt.
Security Considerations:
While libinjection is a valuable tool for detecting SQL injections, it is not a silver bullet. It should be used as part of a broader security strategy that includes input validation, parameterized queries, and other best practices to protect against SQL injection attacks.
Conclusion:
libinjection is a robust and efficient library for detecting and preventing SQL injection attacks. By integrating it into your web applications, you can significantly enhance their security and reduce the risk of data breaches and other malicious activities.
2) How to make or compile libinjection?
First, clone the library into a local directory:
git clone https://github.com/client9/libinjection
You should get a directory as follows:
-rw-r--r-- 1 501 games 18 6月 27 14:11 CHANGELOG
-rw-r--r-- 1 501 games 12791 6月 27 14:11 CHANGELOG.md
-rwxr-xr-x 1 501 games 756 6月 17 14:07 configure-clang-asan.sh
-rwxr-xr-x 1 501 games 737 6月 17 14:07 configure-clang.sh
-rwxr-xr-x 1 501 games 709 6月 17 14:07 configure-gcc-hardened.sh
-rwxr-xr-x 1 501 games 144 6月 17 14:07 configure-gcov.sh
-rwxr-xr-x 1 501 games 85 6月 17 14:07 configure-gprof.sh
-rw-r--r-- 1 501 games 1575 6月 17 14:07 COPYING
drwxr-xr-x 2 501 games 4096 6月 27 14:13 data
drwxr-xr-x 2 501 games 37 6月 27 14:13 go
-rwxr-xr-x 1 501 games 13997 6月 17 14:07 install-sh
drwxr-xr-x 2 501 games 178 6月 27 14:13 lua
-rwxr-xr-x 1 501 games 1697 6月 17 14:07 make-ci.sh
-rw-r--r-- 1 501 games 581 6月 27 14:05 Makefile
drwxr-xr-x 3 501 games 4096 6月 27 14:13 misc
drwxr-xr-x 2 501 games 141 6月 27 14:13 php
drwxr-xr-x 3 501 games 157 6月 27 14:13 python
-rw-r--r-- 1 501 games 3329 6月 27 14:05 README.md
-rw-r--r-- 1 501 games 610 6月 27 14:11 RELEASE-HOWTO.md
-rwxr-xr-x 1 501 games 208 6月 17 14:07 run-clang-asan.sh
-rwxr-xr-x 1 501 games 562 6月 17 14:07 run-gcov-samples.sh
-rwxr-xr-x 1 501 games 570 6月 17 14:07 run-gcov-unittests.sh
drwxr-xr-x 2 501 games 4096 6月 27 14:11 src
-rwxr-xr-x 1 501 games 260 6月 27 14:11 tags.sh
-rwxr-xr-x 1 501 games 257 6月 17 14:07 test-gprof.sh
drwxr-xr-x 2 501 games 20480 6月 27 14:13 tests
Then, compile libinjection:
[root@bswen-k8s-app1 libinjection]# cd src
[root@bswen-k8s-app1 src]# make
./make_parens.py < fingerprints.txt > fingerprints2.txt
mv fingerprints2.txt fingerprints.txt
./sqlparse_map.py > sqlparse_data.json
./sqlparse2c.py < sqlparse_data.json > libinjection_sqli_data.h
cc -Wall -Wextra -Werror -pedantic -ansi -g -O3 -fPIC -c -o libinjection_sqli.o libinjection_sqli.c
cc -Wall -Wextra -Werror -pedantic -ansi -g -O3 -fPIC -c -o libinjection_html5.o libinjection_html5.c
cc -Wall -Wextra -Werror -pedantic -ansi -g -O3 -fPIC -c -o libinjection_xss.o libinjection_xss.c
cc libinjection_sqli.o libinjection_html5.o libinjection_xss.o -shared -lc -o libinjection.so
rm -f libinjection.a
ar -r libinjection.a libinjection_sqli.o libinjection_html5.o libinjection_xss.o
ar: Creating libinjection.a
[root@bswen-k8s-app1 src]#
Finally, we can test libinjection by compiling the bundled example1.c and running it:
[root@bswen-k8s-app1 src]# gcc -Wall -Wextra example1.c libinjection_sqli.c
[root@bswen-k8s-app1 src]# ll
-rw-r--r-- 1 501 games 227 6月 17 14:07 alpine.supp
-rwxr-xr-x 1 root root 257416 6月 27 14:15 a.out
-rwxr-xr-x 1 501 games 559 6月 17 14:07 clang.sh
-rw-r--r-- 1 501 games 557 6月 17 14:07 example1.c
-rwxr-xr-x 1 501 games 1338 6月 17 14:07 fingerprints2sqli.py
-rw-r--r-- 1 root root 49668 6月 27 14:14 fingerprints.txt
-rw-r--r-- 1 501 games 2276 6月 17 14:07 fptool.c
-rw-r--r-- 1 501 games 4194 6月 17 14:07 html5_cli.c
-rw-r--r-- 1 root root 762344 6月 27 14:14 libinjection.a
-rw-r--r-- 1 501 games 1633 6月 17 14:07 libinjection.h
-rw-r--r-- 1 501 games 21694 6月 27 14:11 libinjection_html5.c
-rw-r--r-- 1 501 games 4656 6月 17 14:08 libinjection_html5.gcda
-rw-r--r-- 1 501 games 913 6月 17 14:07 libinjection_html5.h
-rw-r--r-- 1 root root 58600 6月 27 14:14 libinjection_html5.o
-rwxr-xr-x 1 root root 602016 6月 27 14:14 libinjection.so
-rw-r--r-- 1 501 games 72134 6月 27 14:11 libinjection_sqli.c
-rw-r--r-- 1 501 games 206900 6月 27 14:14 libinjection_sqli_data.h
-rw-r--r-- 1 501 games 13464 6月 17 14:08 libinjection_sqli.gcda
-rw-r--r-- 1 501 games 7145 6月 27 14:11 libinjection_sqli.h
-rw-r--r-- 1 root root 674176 6月 27 14:14 libinjection_sqli.o
-rw-r--r-- 1 501 games 14531 6月 27 14:11 libinjection_xss.c
-rw-r--r-- 1 501 games 2908 6月 17 14:08 libinjection_xss.gcda
-rw-r--r-- 1 501 games 267 6月 17 14:07 libinjection_xss.h
-rw-r--r-- 1 root root 28672 6月 27 14:14 libinjection_xss.o
-rw-r--r-- 1 501 games 4557 6月 27 14:11 Makefile
-rwxr-xr-x 1 501 games 11598 6月 17 14:07 make_parens.py
-rw-r--r-- 1 501 games 8273 6月 17 14:07 reader.c
-rw-r--r-- 1 501 games 2092 6月 17 14:08 reader.gcda
-rw-r--r-- 1 501 games 4003 6月 27 14:11 sqli_cli.c
-rwxr-xr-x 1 501 games 3800 6月 17 14:07 sqlparse2c.py
-rw-r--r-- 1 501 games 182535 6月 27 14:14 sqlparse_data.json
-rwxr-xr-x 1 501 games 48384 6月 27 14:11 sqlparse_map.py
-rwxr-xr-x 1 501 games 273 6月 17 14:07 test-cppcheck.sh
-rw-r--r-- 1 501 games 8250 6月 17 14:07 testdriver.c
-rw-r--r-- 1 501 games 2144 6月 17 14:08 testdriver.gcda
-rwxr-xr-x 1 501 games 189 6月 17 14:07 test-driver.sh
-rwxr-xr-x 1 501 games 87 6月 17 14:07 test-samples-sqli-negative.sh
-rwxr-xr-x 1 501 games 93 6月 17 14:07 test-samples-sqli-positive.sh
-rwxr-xr-x 1 501 games 89 6月 17 14:07 test-samples-xss-positive.sh
-rw-r--r-- 1 501 games 1498 6月 17 14:07 test_speed_sqli.c
-rwxr-xr-x 1 501 games 45 6月 17 14:07 test-speed-sqli.sh
-rw-r--r-- 1 501 games 2123 6月 17 14:07 test_speed_xss.c
-rwxr-xr-x 1 501 games 44 6月 17 14:07 test-speed-xss.sh
-rwxr-xr-x 1 501 games 97 6月 17 14:07 test-unit.sh
[root@bswen-k8s-app1 src]# ./a.out "-1' and 1 = 1"
sqli with fingerprint of 's&1'
[root@bswen-k8s-app1 src]#
The input is reported as SQL injection with fingerprint 's&1', so the SQL injection test is successful.
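The steps above leave the build results inside src/. As an added example (not part of the original post or the libinjection project), this shell function copies the libraries and headers produced by make into an install prefix; the function name, the /usr/local default and the RUN_LDCONFIG variable are assumptions of this example.

```shell
#!/bin/sh
# Added example: install the artifacts built by `make` in src/ into a prefix.
# Usage: install_libinjection SRC_DIR [PREFIX]   (PREFIX defaults to /usr/local)
# Set RUN_LDCONFIG=1 to refresh the dynamic linker cache afterwards (needs root).

# File names as they appear in the src/ listing after the build.
LIBS="libinjection.so libinjection.a"
HEADERS="libinjection.h libinjection_sqli.h libinjection_xss.h libinjection_html5.h"

# The body runs in a subshell, so variables stay local and `exit` only
# ends the function with that status.
install_libinjection() (
    src=$1
    prefix=${2:-/usr/local}

    # Fail before touching the prefix if the build is incomplete.
    for f in $LIBS $HEADERS; do
        if [ ! -s "$src/$f" ]; then
            echo "missing or empty build artifact: $src/$f" >&2
            exit 1
        fi
    done

    install -d -m 0755 "$prefix/lib" "$prefix/include" || exit 1
    # Explicit modes: the result does not depend on the builder's umask,
    # and nothing is left group- or world-writable.
    install -m 0755 "$src/libinjection.so" "$prefix/lib/" || exit 1
    install -m 0644 "$src/libinjection.a" "$prefix/lib/" || exit 1
    for h in $HEADERS; do
        install -m 0644 "$src/$h" "$prefix/include/" || exit 1
    done

    if [ "${RUN_LDCONFIG:-0}" = 1 ]; then
        ldconfig || exit 1
    fi
    echo "installed libinjection into $prefix"
)

# Run only when called with arguments, e.g.: sh install.sh ./src /usr/local
if [ "$#" -ge 1 ]; then
    install_libinjection "$@"
fi
```

To build a program against the installed copy, add -I, -L and -linjection options pointing at the chosen prefix to the compiler command line.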
3. Summary
In this post, I demonstrated how to make, compile and install the libinjection library on a Linux server. That’s it, thanks for reading.