Monday, October 13, 2008

Wrapper for Microsoft SQL Injection Source Code Analyzer Tool

Microsoft has released a SQL Injection Source Code Analyzer for classic ASP code. Refer to KB 954476 for more information about the tool. However, the analyzer only checks one ASP page per invocation; it does not recursively scan all ASP files in a folder on its own. Therefore I wrote a simple wrapper around it. Here is the source code:
@echo off
setlocal
REM Root of the ASP application (UNC path) and its include folder
set source=\\servername\applicationname
set include=%source%\include
REM All analyzer output is appended to one log; start from an empty file
set logfile=check_applicationname.log
IF EXIST %logfile% DEL %logfile%
REM Enumerate every .asp file below %source% (bare, recursive listing) and run the
REM analyzer once per file; delims=? keeps each full path as a single token
FOR /F "usebackq tokens=1 delims=?" %%i IN (`dir /S /B %source%\*.asp`) DO (
msscasi_asp.exe /NoLogo /GlobalAsaPath=%source% /input="%%i" /IncludePaths=%include% >> %logfile%
)
endlocal
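The same recursive wrapper written in PowerShell, added here as an example and not part of the original post. It uses only the analyzer switches the post shows (/NoLogo, /GlobalAsaPath, /input, /IncludePaths); every argument is passed as a single token, so paths containing spaces need no extra quoting. The script name, parameter names and the assumption that a non-zero exit code means the analyzer itself failed are mine, not documented behaviour of the tool.

```powershell
# Added example: recursive msscasi_asp.exe wrapper (not the blog author's script).
# Usage:  .\scan-asp.ps1 -Source '\\servername\applicationname'
#         .\scan-asp.ps1 -Source 'C:\My Documents\Source Code\App' -Include 'C:\My Documents\Source Code\App\Includes'
param(
    [Parameter(Mandatory = $true)] [string] $Source,        # root of the ASP application
    [string] $Include  = (Join-Path $Source 'include'),      # include folder handed to the analyzer
    [string] $LogFile  = 'check_application.log',            # single log for all files
    [string] $Analyzer = 'msscasi_asp.exe'                   # assumed to be on PATH or in the current folder
)

# Normalise to an absolute path (works for local and UNC paths)
$Source = (Resolve-Path -LiteralPath $Source).ProviderPath

# Start from an empty log, as the batch wrapper does
if (Test-Path -LiteralPath $LogFile) { Remove-Item -LiteralPath $LogFile }

# Recursive listing of *.asp; PSIsContainer filter keeps this usable on PowerShell 2.0
$files = Get-ChildItem -LiteralPath $Source -Filter '*.asp' -Recurse |
         Where-Object { -not $_.PSIsContainer }

Write-Host "Scanning $($files.Count) ASP file(s) under $Source"

$failed = @()
foreach ($f in $files) {
    "=== $($f.FullName) ===" | Out-File -FilePath $LogFile -Append

    # Each argument is one element: spaces inside paths are never split into separate tokens
    & $Analyzer /NoLogo "/GlobalAsaPath=$Source" "/input=$($f.FullName)" "/IncludePaths=$Include" 2>&1 |
        Out-File -FilePath $LogFile -Append

    # Assumption: a non-zero exit code means the analyzer could not process the file
    if ($LASTEXITCODE -ne 0) { $failed += $f.FullName }
}

if ($failed.Count -gt 0) {
    Write-Warning "Analyzer returned a non-zero exit code for $($failed.Count) file(s); check $LogFile"
    $failed | ForEach-Object { Write-Warning "  $_" }
}
Write-Host "Done. Log written to $LogFile"
```

Keeping the per-file header lines in the log makes it easy to tell which findings belong to which page when the analyzer output is reviewed later, and the exit-code list separates "scanned clean" from "could not be scanned", which the batch version silently merges.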

2 comments:

rlively said...

The script provided doesn't work for folders with spaces in them - it needs quotes around many places. Try:

@echo off
setlocal

set source=C:\My Documents\Source Code\Blah blah\
set include=%source%\Includes
set logfile=logfilenamehere.log

IF EXIST "%logfile%" DEL "%logfile%"
echo Will scan these files from "%source%":
dir /S /B "%source%\*.asp"
echo.
pause
echo.
::FOR Loop
FOR /F "usebackq tokens=1 delims=?" %%i IN (`dir /S /B "%source%\*.asp"`) DO (call :WorkWithFile %%i)

echo.
echo Completed scan. Press enter to display log.
pause
"%logfile%"
echo.
exit

:WorkWithFile
echo msscasi_asp.exe scanning: "%*"
REM echo cmdline: msscasi_asp.exe /NoLogo /GlobalAsaPath="%source%" /input="%*" /IncludePaths="%include%"
echo.
msscasi_asp.exe /NoLogo /GlobalAsaPath="%source%" /input="%*" /IncludePaths="%include%" >> "%logfile%"
GOTO :EOF

endlocal

rlively said...
This comment has been removed by a blog administrator.