From 48da6483e6d56b6de392fddef94a0f0503478efe Mon Sep 17 00:00:00 2001
From: Laurent Destailleur
Date: Thu, 24 Sep 2020 13:41:26 +0200
Subject: [PATCH] Add doc

---
 test/sqlmap/README | 70 ++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 70 insertions(+)
 create mode 100644 test/sqlmap/README

diff --git a/test/sqlmap/README b/test/sqlmap/README
new file mode 100644
index 00000000000..7405df478b6
--- /dev/null
+++ b/test/sqlmap/README
@@ -0,0 +1,70 @@
+To test there is no SQL injection, we can use:
+
+-- Installation of sqlmap
+-------------------------
+
+git clone --depth 1 https://github.com/sqlmapproject/sqlmap.git sqlmap
+
+cd sqlmap
+
+./sqlmap.py --update
+
+./sqlmap.py --purge
+
+
+Add, into file ~/git/sqlmap/data/xml/payloads/boolean_blind.xml, the custom rule:
+
+
+ Our_ORDERBY_Payload
+ 1
+ 1
+ 1
+ 1
+ 1
+ ,(select * from(select (CASE WHEN ([INFERENCE]) THEN 1 ELSE exp(710) END))a)
+
+ ,(select * from(select (CASE WHEN (1=1) THEN 1 ELSE exp(710) END))a)
+
+
+ ,(select * from(select (CASE WHEN (1=2) THEN 1 ELSE exp(710) END))a)
+
+ mysql
+ linux
+
+
+
+
+
+
+-- Launch sqlmap on a given url/parameter
+-----------------------------------------
+
+Introduce a vulnerability by changing the GETPOST on parameter search_status into GETPOST('search_status', 'none') and removing $db->sanitize when parameter is used;
+
+./sqlmap.py -A "securitytest" --threads=4 -u "http://localhostdev/comm/propal/list.php?search_status=*" --dbms=mysql --os=linux --technique=B --batch --skip-waf \
+ --cookie="DOLSESSID_xxxxxx=yyyyyyyy;" --prefix='1' -v 5 > sqlmap.txt
+
+Check vulnerability is found into sqlmap.txt. Scanner is working.
+
+
+
+-- Launch sqlmap on all the application
+---------------------------------------
+
+Set $dolibarr_nocsrfcheck='1' into conf.php file to make access easier.
+
+With prefix (required to have some rules working)
+
+./sqlmap.py -A "securitytest" --threads=4 -u "http://localhostdev/" --crawl=2 --crawl-exclude="logout|user\/card|custom\/" \
+ --skip=sortorder --skip=sortfield --dbms=mysql --os=linux --technique=B --batch --skip-waf \
+ --cookie="DOLSESSID_xxxxxxxxx=yyyyyyyyyyyyyyyy;" --prefix='1' -v
+
+Without prefix
+
+./sqlmap.py -A "securitytest" --threads=4 -u "http://localhostdev/" --crawl=2 --crawl-exclude="logout|user\/card|custom\/" \
+ --skip=sortorder --skip=sortfield --dbms=mysql --os=linux --technique=B --batch --skip-waf \
+ --cookie="DOLSESSID_xxxxxxxxx=yyyyyyyyyyyyyyyy;" -v
+