Bulletdev
diff --git a/‎.pentest/test-sql-injection-quick.sh‎
Lines changed: 150 additions & 57 deletions b/‎.pentest/test-sql-injection-quick.sh‎
Lines changed: 150 additions & 57 deletions
@@ -1,103 +1,196 @@
-#!/bin/bash
-# SQL Injection Protection Test
+#!/usr/bin/env bash
+# SQL Injection Protection Test (Quick)
+#
+# Phase 1 (unauthenticated): confirms endpoints reject unauthenticated requests.
+# Phase 2 (authenticated):   confirms authenticated requests with SQLi payloads
+#                            do NOT trigger SQL errors or return leaked data.
+#
+# For comprehensive SQLi coverage (UNION, error-based, boolean, blind, time-based)
+# run: test-sqli-advanced.sh
 
-API_URL="http://localhost:3333"
+API_URL="${API_URL:-http://localhost:3333}"
+API="${API_URL}/api/v1"
+TEST_EMAIL="${TEST_EMAIL:-test@prostaff.gg}"
+TEST_PASSWORD="${TEST_PASSWORD:-Test123!@#}"
 GREEN='\033[0;32m'
 RED='\033[0;31m'
+YELLOW='\033[1;33m'
 NC='\033[0m'
 
-echo "SQL Injection Protection Test"
-echo "=============================="
+echo "SQL Injection Protection Test (Quick)"
+echo "======================================"
 echo ""
 
 PASSED=0
 FAILED=0
+WARNINGS=0
 
-test_result() {
-  if [ "$1" = "PASS" ]; then
-    echo -e "${GREEN}[PASS]${NC} $2"
-    PASSED=$((PASSED + 1))
-  else
-    echo -e "${RED}[FAIL]${NC} $2"
-    FAILED=$((FAILED + 1))
-  fi
+pass()  { echo -e "${GREEN}[PASS]${NC} $1"; PASSED=$(( PASSED + 1 )); }
+fail()  { echo -e "${RED}[FAIL]${NC} $1"; FAILED=$(( FAILED + 1 )); }
+warn()  { echo -e "${YELLOW}[WARN]${NC} $1"; WARNINGS=$(( WARNINGS + 1 )); }
+
+has_sql_error() {
+  echo "$1" | grep -qiE '(PG::|pg::|syntax error at or near|unterminated quoted|SQLSTATE|ORA-[0-9]{5})'
 }
 
-# All these should return 401 (need auth) or 400/422 (validation error)
-# NOT 500 (SQL error) or 200 with leaked data
+# ---------------------------------------------------------------------------
+# Phase 1: Unauthenticated (must return 401, not 500 or SQL error)
+# ---------------------------------------------------------------------------
+echo "--- Phase 1: Unauthenticated requests ---"
+echo ""
 
-echo "[1/4] Testing SQL injection in search parameter..."
-RESULT=$(curl -s -w "\n%{http_code}" "$API_URL/api/v1/players?search=admin'%20OR%20'1'='1")
+echo "[1/4] Search param (no auth)..."
+RESULT=$(curl -s -w "\n%{http_code}" "${API}/players?search=admin'%20OR%20'1'='1")
 HTTP_CODE=$(echo "$RESULT" | tail -n1)
 BODY=$(echo "$RESULT" | head -n-1)
-
 if [ "$HTTP_CODE" = "401" ]; then
-  test_result "PASS" "Search parameter protected (requires auth)"
-elif [ "$HTTP_CODE" = "500" ] || echo "$BODY" | grep -qi "syntax error\|pg::"; then
-  test_result "FAIL" "SQL injection may be possible (HTTP $HTTP_CODE)"
+  pass "Unauthenticated search blocked (401)"
+elif has_sql_error "$BODY" || [ "$HTTP_CODE" = "500" ]; then
+  fail "SQL error or 500 without auth (HTTP $HTTP_CODE)"
 else
-  test_result "PASS" "Search parameter handled safely (HTTP $HTTP_CODE)"
+  warn "Unexpected HTTP $HTTP_CODE without auth — verify response"
 fi
 
-echo "[2/4] Testing SQL injection in login..."
-RESULT=$(curl -s -w "\n%{http_code}" -X POST "$API_URL/api/v1/auth/login" \
+echo "[2/4] Login SQLi (no auth required)..."
+RESULT=$(curl -s -w "\n%{http_code}" -X POST "${API}/auth/login" \
   -H "Content-Type: application/json" \
   -d "{\"email\":\"admin' OR '1'='1\",\"password\":\"test\"}")
 HTTP_CODE=$(echo "$RESULT" | tail -n1)
 BODY=$(echo "$RESULT" | head -n-1)
-
 if [ "$HTTP_CODE" = "401" ] || [ "$HTTP_CODE" = "422" ]; then
-  test_result "PASS" "Login protected against SQL injection"
-elif [ "$HTTP_CODE" = "500" ] || echo "$BODY" | grep -qi "syntax error\|pg::"; then
-  test_result "FAIL" "SQL injection may be possible in login"
+  pass "Login SQLi rejected (HTTP $HTTP_CODE)"
+elif has_sql_error "$BODY" || [ "$HTTP_CODE" = "500" ]; then
+  fail "SQL error or 500 on login SQLi (HTTP $HTTP_CODE)"
 else
-  test_result "PASS" "Login handled safely (HTTP $HTTP_CODE)"
+  warn "Login SQLi returned HTTP $HTTP_CODE — verify response manually"
 fi
 
-echo "[3/4] Testing UNION-based SQL injection..."
-RESULT=$(curl -s -w "\n%{http_code}" "$API_URL/api/v1/players?role=top'%20UNION%20SELECT%20*%20FROM%20users--")
+echo "[3/4] UNION injection (no auth)..."
+RESULT=$(curl -s -w "\n%{http_code}" "${API}/players?role=top'%20UNION%20SELECT%20*%20FROM%20users--")
 HTTP_CODE=$(echo "$RESULT" | tail -n1)
 BODY=$(echo "$RESULT" | head -n-1)
-
 if [ "$HTTP_CODE" = "401" ]; then
-  test_result "PASS" "UNION injection blocked (requires auth)"
-elif [ "$HTTP_CODE" = "500" ] || echo "$BODY" | grep -qi "syntax error\|pg::"; then
-  test_result "FAIL" "UNION injection may be possible"
+  pass "UNION injection blocked without auth (401)"
+elif has_sql_error "$BODY" || [ "$HTTP_CODE" = "500" ]; then
+  fail "SQL error or 500 on unauthenticated UNION (HTTP $HTTP_CODE)"
 else
-  test_result "PASS" "UNION injection handled safely (HTTP $HTTP_CODE)"
+  warn "HTTP $HTTP_CODE on UNION without auth — verify"
 fi
 
-echo "[4/4] Testing comment-based SQL injection..."
-RESULT=$(curl -s -w "\n%{http_code}" "$API_URL/api/v1/players?role=top';--")
+echo "[4/4] Comment injection (no auth)..."
+RESULT=$(curl -s -w "\n%{http_code}" "${API}/players?role=top';--")
 HTTP_CODE=$(echo "$RESULT" | tail -n1)
 BODY=$(echo "$RESULT" | head -n-1)
-
 if [ "$HTTP_CODE" = "401" ]; then
-  test_result "PASS" "Comment injection blocked (requires auth)"
-elif [ "$HTTP_CODE" = "500" ] || echo "$BODY" | grep -qi "syntax error\|pg::"; then
-  test_result "FAIL" "Comment injection may be possible"
+  pass "Comment injection blocked without auth (401)"
+elif has_sql_error "$BODY" || [ "$HTTP_CODE" = "500" ]; then
+  fail "SQL error or 500 on unauthenticated comment injection (HTTP $HTTP_CODE)"
 else
-  test_result "PASS" "Comment injection handled safely (HTTP $HTTP_CODE)"
+  warn "HTTP $HTTP_CODE on comment injection without auth — verify"
 fi
 
+# ---------------------------------------------------------------------------
+# Phase 2: Authenticated (the real test)
+# ---------------------------------------------------------------------------
 echo ""
-echo "=================================="
-echo "RESULTS"
-echo "=================================="
-echo "Tests run: $((PASSED + FAILED))"
-echo -e "${GREEN}Passed: $PASSED${NC}"
-echo -e "${RED}Failed: $FAILED${NC}"
+echo "--- Phase 2: Authenticated requests ---"
 echo ""
 
-if [ $FAILED -eq 0 ]; then
-  echo -e "${GREEN}✓ SQL Injection protection is SECURE${NC}"
+TOKEN=""
+TMP_AUTH="$(mktemp)"
+AUTH_CODE=$(curl -s -o "${TMP_AUTH}" -w "%{http_code}" --max-time 10 \
+  -X POST "${API}/auth/login" \
+  -H "Content-Type: application/json" \
+  -d "{\"email\":\"${TEST_EMAIL}\",\"password\":\"${TEST_PASSWORD}\"}" 2>/dev/null) || AUTH_CODE="error"
+TOKEN=$(python3 -c "
+import sys, json
+try:
+    d = json.load(open('${TMP_AUTH}'))
+    t = (d.get('access_token') or d.get('token')
+      or d.get('data', {}).get('access_token')
+      or d.get('data', {}).get('token') or '')
+    print(t)
+except Exception:
+    pass
+" 2>/dev/null) || TOKEN=""
+rm -f "${TMP_AUTH}"
+
+if [ -z "${TOKEN}" ]; then
+  warn "Could not obtain auth token (HTTP ${AUTH_CODE}) — skipping Phase 2"
+  warn "Start the API and check TEST_EMAIL / TEST_PASSWORD env vars"
+else
+  echo "Auth token obtained. Running authenticated SQLi checks..."
   echo ""
-  echo "Notes:"
-  echo "- Queries use parameterization"
-  echo "- Authentication required on endpoints"
-  echo "- No SQL errors leaked to client"
+
+  PAYLOADS=(
+    "top' OR '1'='1"
+    "top' OR 1=1--"
+    "top' UNION SELECT NULL,NULL,NULL--"
+    "') UNION SELECT username||'_'||password FROM Users--"
+    "top' AND 1=CAST(version() AS INTEGER)--"
+    "top'; SELECT pg_sleep(1);--"
+    "top' AND (SELECT pg_sleep(1))=''--"
+  )
+  LABELS=(
+    "Classic OR injection"
+    "OR 1=1 with comment"
+    "UNION column count probe"
+    "UNION credential extraction"
+    "Error-based (CAST version)"
+    "Stacked pg_sleep"
+    "Subquery pg_sleep"
+  )
+
+  TOTAL="${#PAYLOADS[@]}"
+  for (( i=0; i<TOTAL; i++ )); do
+    payload="${PAYLOADS[$i]}"
+    label="${LABELS[$i]}"
+    ENCODED=$(python3 -c "import urllib.parse; print(urllib.parse.quote('${payload//\'/\\\'}', safe=''))" 2>/dev/null)
+    TMP_RESP="$(mktemp)"
+    START_MS=$(date +%s%3N)
+    RESP=$(curl -s -o "${TMP_RESP}" -w "%{http_code}|%{time_total}" --max-time 8 \
+      -H "Authorization: Bearer ${TOKEN}" \
+      "${API}/players?role=${ENCODED}" 2>/dev/null) || RESP="error|0"
+    END_MS=$(date +%s%3N)
+    ELAPSED=$(( END_MS - START_MS ))
+    HTTP_CODE="${RESP%%|*}"
+    RESP_BODY=$(cat "${TMP_RESP}" 2>/dev/null)
+    rm -f "${TMP_RESP}"
+
+    if has_sql_error "${RESP_BODY}"; then
+      fail "${label} -> HTTP ${HTTP_CODE} [SQL ERROR LEAKED]"
+    elif echo "${RESP_BODY}" | grep -qiE '(\$2[aby]\$|password_digest|bcrypt)'; then
+      fail "${label} -> HTTP ${HTTP_CODE} [CREDENTIAL DATA IN RESPONSE]"
+    elif [ "${HTTP_CODE}" = "500" ]; then
+      fail "${label} -> HTTP 500"
+    elif [ "${ELAPSED}" -ge 900 ] && echo "${label}" | grep -qi "sleep"; then
+      fail "${label} -> HTTP ${HTTP_CODE} ${ELAPSED}ms [POSSIBLE TIME INJECTION]"
+    else
+      pass "${label} -> HTTP ${HTTP_CODE} ${ELAPSED}ms"
+    fi
+    sleep 0.1
+  done
+fi
+
+echo ""
+echo "======================================"
+echo "RESULTS"
+echo "======================================"
+echo "Passed  : $PASSED"
+echo "Failed  : $FAILED"
+echo "Warnings: $WARNINGS"
+echo ""
+
+if [ "$FAILED" -gt 0 ]; then
+  echo -e "${RED}VULNERABLE: $FAILED test(s) failed — run test-sqli-advanced.sh for full analysis${NC}"
+  exit 1
+elif [ "$WARNINGS" -gt 0 ]; then
+  echo -e "${YELLOW}UNCERTAIN: $WARNINGS warning(s) — verify manually or run test-sqli-advanced.sh${NC}"
   exit 0
 else
-  echo -e "${RED}✗ SQL Injection vulnerabilities detected!${NC}"
-  exit 1
+  echo -e "${GREEN}SECURE: All quick checks passed${NC}"
+  echo ""
+  echo "For deeper coverage (blind, time-based, second-order):"
+  echo "  bash test-sqli-advanced.sh"
+  exit 0
 fi