others-how to compile and install libinjection on linux server?

1. Purpose

In this post, I will introduce how to compile and install libinjection on linux server.



2. Solution

1) What is libinjection?

Libinjection is a library used as SQL / SQLI tokenizer parser analyzer , it can be used to analyze web requests to avoid sql injection or xss injection.

libinjection is a powerful and widely-used open-source library designed for parsing and manipulating SQL injections. It was created to help detect, extract, and prevent SQL injection attacks in web applications. The library is written in C and is designed to be fast, efficient, and accurate.

Here’s an introduction to libinjection and its key features:

Key Features:

  1. SQL Parsing: libinjection can parse SQL statements and understand their structure, which is crucial for identifying potential injection points.

  2. Detection: It is capable of detecting SQL injections with high accuracy, even in complex and obfuscated inputs.

  3. Extraction: The library can extract payloads from SQL injections, which is useful for understanding the attack and potentially blocking similar attacks in the future.

  4. Flexibility: libinjection is not limited to a specific type of SQL or database system. It can work with various SQL dialects, including MySQL, PostgreSQL, and others.

  5. Performance: Since it’s written in C, the library is highly performant and suitable for use in high-load environments.

  6. Extensibility: It provides a set of APIs that can be integrated into other applications and services to enhance their security capabilities.

  7. Open Source: Being open source, libinjection benefits from community contributions and is freely available for use under the BSD license.

Usage:

To use libinjection on Linux, you would typically follow these steps:

  1. Installation: Install libinjection using your system’s package manager or compile it from source. For example, on a Debian-based system, you might use:
    sudo apt-get install libinjection
    
  2. Integration: Integrate the library into your application by including the necessary headers and linking against the library.

  3. Detection: Use the library’s functions to parse and analyze SQL queries, looking for signs of SQL injection.

  4. Response: If an injection is detected, take appropriate action, such as blocking the request, logging the incident, or alerting administrators.

Example Code Snippet:

Here’s a simple example of how you might use libinjection to detect SQL injection in a C program:

#include <stdio.h>
#include "libinjection.h"

int main() {
    const char *sql = "SELECT * FROM users WHERE id='123' OR '1'='1'";
    libinjection_sql_state state;
    int is_sql_injection = libinjection_is_sqli(sql, strlen(sql), &state, LIBINJECTION_SQLITE);

    if (is_sql_injection) {
        printf("Possible SQL injection detected!\n");
    } else {
        printf("No SQL injection detected.\n");
    }

    return 0;
}

In this example, libinjection_is_sqli is used to check if the provided SQL query contains an injection attempt.

Security Considerations:

While libinjection is a valuable tool for detecting SQL injections, it is not a silver bullet. It should be used as part of a broader security strategy that includes input validation, parameterized queries, and other best practices to protect against SQL injection attacks.

Conclusion:

libinjection is a robust and efficient library for detecting and preventing SQL injection attacks. By integrating it into your web applications, you can significantly enhance their security and reduce the risk of data breaches and other malicious activities.

2) How to make or compile libinjection?

First , you should clone the library to local directories:

git clone https://github.com/client9/libinjection

You should get a directory as follows:

-rw-r--r-- 1 501 games    18 6月  27 14:11 CHANGELOG
-rw-r--r-- 1 501 games 12791 6月  27 14:11 CHANGELOG.md
-rwxr-xr-x 1 501 games   756 6月  17 14:07 configure-clang-asan.sh
-rwxr-xr-x 1 501 games   737 6月  17 14:07 configure-clang.sh
-rwxr-xr-x 1 501 games   709 6月  17 14:07 configure-gcc-hardened.sh
-rwxr-xr-x 1 501 games   144 6月  17 14:07 configure-gcov.sh
-rwxr-xr-x 1 501 games    85 6月  17 14:07 configure-gprof.sh
-rw-r--r-- 1 501 games  1575 6月  17 14:07 COPYING
drwxr-xr-x 2 501 games  4096 6月  27 14:13 data
drwxr-xr-x 2 501 games    37 6月  27 14:13 go
-rwxr-xr-x 1 501 games 13997 6月  17 14:07 install-sh
drwxr-xr-x 2 501 games   178 6月  27 14:13 lua
-rwxr-xr-x 1 501 games  1697 6月  17 14:07 make-ci.sh
-rw-r--r-- 1 501 games   581 6月  27 14:05 Makefile
drwxr-xr-x 3 501 games  4096 6月  27 14:13 misc
drwxr-xr-x 2 501 games   141 6月  27 14:13 php
drwxr-xr-x 3 501 games   157 6月  27 14:13 python
-rw-r--r-- 1 501 games  3329 6月  27 14:05 README.md
-rw-r--r-- 1 501 games   610 6月  27 14:11 RELEASE-HOWTO.md
-rwxr-xr-x 1 501 games   208 6月  17 14:07 run-clang-asan.sh
-rwxr-xr-x 1 501 games   562 6月  17 14:07 run-gcov-samples.sh
-rwxr-xr-x 1 501 games   570 6月  17 14:07 run-gcov-unittests.sh
drwxr-xr-x 2 501 games  4096 6月  27 14:11 src
-rwxr-xr-x 1 501 games   260 6月  27 14:11 tags.sh
-rwxr-xr-x 1 501 games   257 6月  17 14:07 test-gprof.sh
drwxr-xr-x 2 501 games 20480 6月  27 14:13 tests

Then, compile libinjection:

[root@bswen-k8s-app1 libinjection]# cd src
[root@bswen-k8s-app1 src]# make
./make_parens.py < fingerprints.txt > fingerprints2.txt
mv fingerprints2.txt fingerprints.txt
./sqlparse_map.py > sqlparse_data.json
./sqlparse2c.py < sqlparse_data.json > libinjection_sqli_data.h
cc -Wall -Wextra -Werror -pedantic -ansi -g -O3 -fPIC -c -o libinjection_sqli.o libinjection_sqli.c
cc -Wall -Wextra -Werror -pedantic -ansi -g -O3 -fPIC -c -o libinjection_html5.o libinjection_html5.c
cc -Wall -Wextra -Werror -pedantic -ansi -g -O3 -fPIC -c -o libinjection_xss.o libinjection_xss.c
cc libinjection_sqli.o libinjection_html5.o libinjection_xss.o -shared -lc -o libinjection.so
rm -f libinjection.a
ar -r libinjection.a libinjection_sqli.o libinjection_html5.o libinjection_xss.o
ar: Creating libinjection.a
[root@bswen-k8s-app1 src]#

At last, we can test libinjection as follows:

[root@bswen-k8s-app1 src]# gcc -Wall -Wextra example1.c libinjection_sqli.c
[root@bswen-k8s-app1 src]# ll
-rw-r--r-- 1  501 games    227 6月  17 14:07 alpine.supp
-rwxr-xr-x 1 root root  257416 6月  27 14:15 a.out
-rwxr-xr-x 1  501 games    559 6月  17 14:07 clang.sh
-rw-r--r-- 1  501 games    557 6月  17 14:07 example1.c
-rwxr-xr-x 1  501 games   1338 6月  17 14:07 fingerprints2sqli.py
-rw-r--r-- 1 root root   49668 6月  27 14:14 fingerprints.txt
-rw-r--r-- 1  501 games   2276 6月  17 14:07 fptool.c
-rw-r--r-- 1  501 games   4194 6月  17 14:07 html5_cli.c
-rw-r--r-- 1 root root  762344 6月  27 14:14 libinjection.a
-rw-r--r-- 1  501 games   1633 6月  17 14:07 libinjection.h
-rw-r--r-- 1  501 games  21694 6月  27 14:11 libinjection_html5.c
-rw-r--r-- 1  501 games   4656 6月  17 14:08 libinjection_html5.gcda
-rw-r--r-- 1  501 games    913 6月  17 14:07 libinjection_html5.h
-rw-r--r-- 1 root root   58600 6月  27 14:14 libinjection_html5.o
-rwxr-xr-x 1 root root  602016 6月  27 14:14 libinjection.so
-rw-r--r-- 1  501 games  72134 6月  27 14:11 libinjection_sqli.c
-rw-r--r-- 1  501 games 206900 6月  27 14:14 libinjection_sqli_data.h
-rw-r--r-- 1  501 games  13464 6月  17 14:08 libinjection_sqli.gcda
-rw-r--r-- 1  501 games   7145 6月  27 14:11 libinjection_sqli.h
-rw-r--r-- 1 root root  674176 6月  27 14:14 libinjection_sqli.o
-rw-r--r-- 1  501 games  14531 6月  27 14:11 libinjection_xss.c
-rw-r--r-- 1  501 games   2908 6月  17 14:08 libinjection_xss.gcda
-rw-r--r-- 1  501 games    267 6月  17 14:07 libinjection_xss.h
-rw-r--r-- 1 root root   28672 6月  27 14:14 libinjection_xss.o
-rw-r--r-- 1  501 games   4557 6月  27 14:11 Makefile
-rwxr-xr-x 1  501 games  11598 6月  17 14:07 make_parens.py
-rw-r--r-- 1  501 games   8273 6月  17 14:07 reader.c
-rw-r--r-- 1  501 games   2092 6月  17 14:08 reader.gcda
-rw-r--r-- 1  501 games   4003 6月  27 14:11 sqli_cli.c
-rwxr-xr-x 1  501 games   3800 6月  17 14:07 sqlparse2c.py
-rw-r--r-- 1  501 games 182535 6月  27 14:14 sqlparse_data.json
-rwxr-xr-x 1  501 games  48384 6月  27 14:11 sqlparse_map.py
-rwxr-xr-x 1  501 games    273 6月  17 14:07 test-cppcheck.sh
-rw-r--r-- 1  501 games   8250 6月  17 14:07 testdriver.c
-rw-r--r-- 1  501 games   2144 6月  17 14:08 testdriver.gcda
-rwxr-xr-x 1  501 games    189 6月  17 14:07 test-driver.sh
-rwxr-xr-x 1  501 games     87 6月  17 14:07 test-samples-sqli-negative.sh
-rwxr-xr-x 1  501 games     93 6月  17 14:07 test-samples-sqli-positive.sh
-rwxr-xr-x 1  501 games     89 6月  17 14:07 test-samples-xss-positive.sh
-rw-r--r-- 1  501 games   1498 6月  17 14:07 test_speed_sqli.c
-rwxr-xr-x 1  501 games     45 6月  17 14:07 test-speed-sqli.sh
-rw-r--r-- 1  501 games   2123 6月  17 14:07 test_speed_xss.c
-rwxr-xr-x 1  501 games     44 6月  17 14:07 test-speed-xss.sh
-rwxr-xr-x 1  501 games     97 6月  17 14:07 test-unit.sh
[root@bswen-k8s-app1 src]# ./a.out "-1' and 1 = 1"
sqli with fingerprint of 's&1'
[root@bswen-k8s-app1 src]#

You can see that the sql injection test is successful.



3. Summary

In this post, I demonstrated how to make ,compile and install libinjection library on linux server. That’s it, thanks for your reading.