
Commit 378653a

committed
added IDS payload testing
1 parent bdb9c37 commit 378653a

4 files changed

Lines changed: 51 additions & 30 deletions


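--- a/lib/parse/cmdline.py
+++ b/lib/parse/cmdline.py
@@ -488,6 +488,10 @@ def cmdLineParser():
 action="store_true", default=False,
 help="Replicate dumped data into a sqlite3 database")
 
+miscellaneous.add_option("--check-payload", dest="checkPayload",
+action="store_true", default=False,
+help="IDS detection testing of injection payload")
+
 miscellaneous.add_option("--beep", dest="beep",
 action="store_true", default=False,
 help="Alert with audio beep when sql injection found")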
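Review bot: The help string of the new `--check-payload` option at 493 names the test but not its effect on the user, unlike the neighbouring `--beep` text which states what happens when the condition is met. Elsewhere in this commit the check only logs a warning when a PHPIDS rule matches the payload, so the help text could say so: `help="Check whether the injection payload matches IDS/IPS (PHPIDS) rules and warn on a match"`. `cmdLineParser` continues outside the hunk on both sides.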

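--- a/lib/request/connect.py
+++ b/lib/request/connect.py
@@ -30,6 +30,7 @@
 from lib.request.direct import direct
 from lib.request.comparison import comparison
 from lib.request.methodrequest import MethodRequest
+from lib.utils.detection import checkPayload
 
 
 class Connect:
@@ -309,6 +310,9 @@ def queryPage(value=None, place=None, content=False, getSeqMatcher=False, silent
 for function in kb.tamperFunctions:
 value = function(place, value)
 
+if conf.checkPayload:
+checkPayload(value)
+
 if "GET" in conf.parameters:
 get = conf.parameters["GET"] if place != "GET" or not value else value
 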
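Review bot: `checkPayload(value)` at 314 is called unconditionally once `--check-payload` is set, but the hunk header shows `queryPage` defaults `value` to `None`, and the new `checkPayload` in lib/utils/detection.py (this commit, line 40) runs `urldecode(payload)` before its `if payload:` guard, so a request issued without a payload hands `None` to `urldecode`. Guarding here, `if conf.checkPayload and value:`, limits the IDS check to actual payloads; alternatively the guard in `checkPayload` could be moved above the decode. Whether `urldecode` tolerates `None` cannot be confirmed from these hunks. `queryPage`'s body continues outside the hunk on both sides.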

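--- a/lib/utils/detection.py
+++ b/lib/utils/detection.py
@@ -12,10 +12,12 @@
 
 from lib.core.common import getCompiledRegex
 from lib.core.common import readXmlFile
+from lib.core.convert import urldecode
 from lib.core.data import conf
 from lib.core.data import paths
 from lib.core.data import logger
 
+
 rules = None
 
 def __adjustGrammar(string):
@@ -27,28 +29,30 @@ def __adjustGrammar(string):
 
 return string
 
-def checkPayload(string):
+def checkPayload(payload):
 """
 This method checks if the generated payload is detectable by the
 PHPIDS filter rules
 """
 
 global rules
 
+payload = urldecode(payload)
+
 if not rules:
 xmlrules = readXmlFile(paths.DETECTION_RULES_XML)
 rules = []
 
 for xmlrule in xmlrules.getElementsByTagName("filter"):
+rule = "(?i)%s" % xmlrule.getElementsByTagName('rule')[0].childNodes[0].nodeValue
+desc = __adjustGrammar(xmlrule.getElementsByTagName('description')[0].childNodes[0].nodeValue)
+rules.append((rule, desc))
+
+if payload:
+for rule, desc in rules:
 try:
-rule = "(?i)%s" % xmlrule.getElementsByTagName('rule')[0].childNodes[0].nodeValue
-desc = __adjustGrammar(xmlrule.getElementsByTagName('description')[0].childNodes[0].nodeValue)
-rules.append((rule, desc))
-except sre_constants.error: # Some issues with some regex expressions in Python 2.5
+regObj = getCompiledRegex(rule)
+if regObj.search(payload):
+logger.warn("highly probable IDS/IPS detection: '%s: %s'" % (desc, payload))
+except: # Some issues with some regex expressions in Python 2.5
 pass
-
-for rule, desc in rules:
-regObj = getCompiledRegex(rule)
-
-if regObj.search(string):
-logger.warn("highly probable IDS/IPS detection: '%s'" % desc)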
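Review bot: The bare `except:` at 57 widens the previous `except sre_constants.error:` and now also covers `regObj.search(payload)` and the `logger.warn(...)` call at 55-56, so any error in matching or logging — including a `KeyboardInterrupt` during a slow match — is swallowed, and a rule that never compiles is silently retried on every call. Keeping the narrow exception around the compile only, and letting the search and the warning run outside the `try`, preserves the Python 2.5 workaround the comment describes without hiding unrelated failures; this assumes `getCompiledRegex` raises on a pattern it cannot compile, which the hunk does not show, and `sre_constants` was already referenced by the removed line so its import is presumably outside the hunk. The rewritten inner loop is below.
```python
    if payload:
        for rule, desc in rules:
            try:
                regObj = getCompiledRegex(rule)
            except sre_constants.error: # Some issues with some regex expressions in Python 2.5
                continue

            if regObj.search(payload):
                logger.warn("highly probable IDS/IPS detection: '%s: %s'" % (desc, payload))
```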

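--- a/xml/detection.xml
+++ b/xml/detection.xml
@@ -21,7 +21,7 @@
 </filter>
 <filter>
 <id>69</id>
-<rule><![CDATA[(?:[\s\d\/"]+(?:on\w+|style)=[$"\w])]]></rule>
+<rule><![CDATA[(?:[\s\d\/"]+(?:on\w+|style|poster|background)=[$"\w])]]></rule>
 <description>finds malicious attribute injection attempts</description>
 <tags>
 <tag>xss</tag>
@@ -71,7 +71,7 @@
 </filter>
 <filter>
 <id>7</id>
-<rule><![CDATA[(?:\d\s*[|&]{2}\s*\w)|(?:[=(].+\?.+:)|(?:with\([^)]*\)\))|(?:\.\s*source\W)|(?:\?[^:=]+:[^;]+(;|$))]]></rule>
+<rule><![CDATA[(?:[=(].+\?.+:)|(?:with\([^)]*\)\))|(?:\.\s*source\W)]]></rule>
 <description>Detects JavaScript with(), ternary operators and XML predicate attacks</description>
 <tags>
 <tag>xss</tag>
@@ -81,7 +81,7 @@
 </filter>
 <filter>
 <id>8</id>
-<rule><![CDATA[(?:\([\w\s]+\([\w\s]+\)[\w\s]+\))|(?:(?<!(?:mozilla\/\d\.\d\s))\([^)[]+\[[^\]]+\][^)]*\))|(?:[^\s!][{([][^({[]+[{([][^}\])]+[}\])][\s+",\d]*[}\])])|(?:"\)?\]\W*\[)|(?:=\s*[^\s:;]+\s*[{([][^}\])]+[}\])];)]]></rule>
+<rule><![CDATA[(?:\/\w*\s*\)\s*\()|(?:\(.*\/.+\/\w*\s*\))|(?:\([\w\s]+\([\w\s]+\)[\w\s]+\))|(?:(?<!(?:mozilla\/\d\.\d\s))\([^)[]+\[[^\]]+\][^)]*\))|(?:[^\s!][{([][^({[]+[{([][^}\])]+[}\])][\s+",\d]*[}\])])|(?:"\)?\]\W*\[)|(?:=\s*[^\s:;]+\s*[{([][^}\])]+[}\])];)]]></rule>
 <description>Detects self-executing JavaScript functions</description>
 <tags>
 <tag>xss</tag>
@@ -168,7 +168,7 @@
 </filter>
 <filter>
 <id>16</id>
-<rule><![CDATA[([^*\s\w,.\/?+-]\s*)?(?<![a-mo-z]\s)(?<![a-z\/_@>\|])(\s*return\s*)?(?:alert|inputbox|showmodaldialog|infinity|isnan|isnull|msgbox|expression|prompt|write(?:ln)?|confirm|dialog|urn|(?:un)?eval|exec|execscript|tostring|status|execute|window|unescape|navigate|jquery|getscript|extend|prototype)(?(1)[^\w%"]|(?:\s*[^@\s\w%",.:\/+\-]))]]></rule>
+<rule><![CDATA[([^*\s\w,.\/?+-]\s*)?(?<![a-mo-z]\s)(?<![a-z\/_@>])(\s*return\s*)?(?:alert|inputbox|showmodaldialog|infinity|isnan|isnull|iterator|msgbox|expression|prompt|write(?:ln)?|confirm|dialog|urn|(?:un)?eval|exec|execscript|tostring|status|execute|window|unescape|navigate|jquery|getscript|extend|prototype)(?(1)[^\w%"]|(?:\s*[^@\s\w%",.:\/+\-]))]]></rule>
 <description>Detects possible includes and typical script methods</description>
 <tags>
 <tag>xss</tag>
@@ -180,7 +180,7 @@
 </filter>
 <filter>
 <id>17</id>
-<rule><![CDATA[([^*:\s\w,.\/?+-]\s*)?(?<![a-z]\s)(?<![a-z\/_@>\|])(\s*return\s*)?(?:hash|name|href|navigateandfind|source|pathname|close|constructor|port|protocol|assign|replace|back|forward|document|ownerdocument|window|self|parent|frames|_?content|date|cookie|innerhtml|innertext|csstext+?|outerhtml|print|moveby|resizeto|createstylesheet|stylesheets)(?(1)[^\w%"]|(?:\s*[^@\/\s\w%,.+\-]))]]></rule>
+<rule><![CDATA[([^*:\s\w,.\/?+-]\s*)?(?<![a-z]\s)(?<![a-z\/_@>])(\s*return\s*)?(?:hash|name|href|navigateandfind|source|pathname|close|constructor|port|protocol|assign|replace|back|forward|document|ownerdocument|window|top|this|self|parent|frames|_?content|date|cookie|innerhtml|innertext|csstext+?|outerhtml|print|moveby|resizeto|createstylesheet|stylesheets)(?(1)[^\w%"]|(?:\s*[^@\/\s\w%.+\-]))]]></rule>
 <description>Detects JavaScript object properties and methods</description>
 <tags>
 <tag>xss</tag>
@@ -216,7 +216,7 @@
 </filter>
 <filter>
 <id>20</id>
-<rule><![CDATA[([^*:\s\w,.\/?+-]\s*)?(?<![a-z]\s)(?<![a-z_@>\|])(\s*return\s*)?(?:globalstorage|sessionstorage|postmessage|callee|constructor|content|domain|prototype|try|catch|top|call|apply|url|function|object|array|string|math|if|elseif|case|switch|regex|boolean|location|settimeout|setinterval|void|setexpression|namespace|while)(?(1)[^\w%"]|(?:\s*[^@\s\w%",.+\-]))]]></rule>
+<rule><![CDATA[(?:\)\s*\[)|(?:\/\w*\s*\)\s*\W)|([^*:\s\w,.\/?+-]\s*)?(?<![a-z]\s)(?<![a-z_@>\|])(\s*return\s*)?(?:globalstorage|sessionstorage|postmessage|callee|constructor|content|domain|prototype|try|catch|top|call|apply|url|function|object|array|string|math|if|for\s*(?:each)?|elseif|case|switch|regex|boolean|location|settimeout|setinterval|void|setexpression|namespace|while)(?(1)[^\w%"]|(?:\s*[^@\s\w%".+\-]))]]></rule>
 <description>Detects JavaScript language constructs</description>
 <tags>
 <tag>xss</tag>
@@ -240,7 +240,7 @@
 </filter>
 <filter>
 <id>22</id>
-<rule><![CDATA[(?:[^\s]\s*=\s*script)|(?:\.\s*constructor)|(?:default\s+xml\s+namespace\s*=)|(?:\/\s*\+[^+]+\s*\+\s*\/)]]></rule>
+<rule><![CDATA[(?:=\s*(?:top|this|window|content|self|frames|_content))|(?:\/\s*\w*\s*[)}])|(?:[^\s]\s*=\s*script)|(?:\.\s*constructor)|(?:default\s+xml\s+namespace\s*=)|(?:\/\s*\+[^+]+\s*\+\s*\/)]]></rule>
 <description>Detects advanced XSS probings via Script(), RexExp, constructors and XML namespaces</description>
 <tags>
 <tag>xss</tag>
@@ -424,7 +424,7 @@
 </filter>
 <filter>
 <id>40</id>
-<rule><![CDATA[(?:"\s*(?:#|--|{))|(?:\/\*!\s?\d+)|(?:ch(?:a)?r\s*\(\s*\d)|(?:(?:(n?and|x?or|not)\s+|\|\||\&\&)\s*\w+\()]]></rule>
+<rule><![CDATA[(?:\)\s*when\s*\d+\s*then)|(?:"\s*(?:#|--|{))|(?:\/\*!\s?\d+)|(?:ch(?:a)?r\s*\(\s*\d)|(?:(?:(n?and|x?or|not)\s+|\|\||\&\&)\s*\w+\()]]></rule>
 <description>Detects MySQL comments, conditions and ch(a)r injections</description>
 <tags>
 <tag>sqli</tag>
@@ -435,18 +435,18 @@
 </filter>
 <filter>
 <id>41</id>
-<rule><![CDATA[(?:\)\s*like\s*\()|(?:having\s*[^\s]+\s*[^\w\s])|(?:if\s?\([\d\w]\s*[=<>~])]]></rule>
+<rule><![CDATA[(?:[\s()]case\s*\()|(?:\)\s*like\s*\()|(?:having\s*[^\s]+\s*[^\w\s])|(?:if\s?\([\d\w]\s*[=<>~])]]></rule>
 <description>Detects conditional SQL injection attempts</description>
 <tags>
 <tag>sqli</tag>
 <tag>id</tag>
 <tag>lfi</tag>
 </tags>
-<impact>4</impact>
+<impact>6</impact>
 </filter>
 <filter>
 <id>42</id>
-<rule><![CDATA[(?:\\x(?:23|27|3d))|(?:^.?"$)|(?:^.*\\".+(?<!\\)")|(?:(?:^["\\]*(?:[\d"]+|[^"]+"))+\s*(?:n?and|x?or|not|\|\||\&\&)\s*[\w"[+&!@(),.-])|(?:[^\w\s]\w+\s*[|-]\s*"\s*\w)|(?:@\w+\s+(and|or)\s*["\d]+)|(?:@[\w-]+\s(and|or)\s*[^\w\s])|(?:[^\w\s:]\s*\d\W+[^\w\s]\s*".)]]></rule>
+<rule><![CDATA[(?:"\s*or\s*\d)|(?:\\x(?:23|27|3d))|(?:^.?"$)|(?:^.*\\".+(?<!\\)")|(?:(?:^["\\]*(?:[\d"]+|[^"]+"))+\s*(?:n?and|x?or|not|\|\||\&\&)\s*[\w"[+&!@(),.-])|(?:[^\w\s]\w+\s*[|-]\s*"\s*\w)|(?:@\w+\s+(and|or)\s*["\d]+)|(?:@[\w-]+\s(and|or)\s*[^\w\s])|(?:[^\w\s:]\s*\d\W+[^\w\s]\s*".)]]></rule>
 <description>Detects classic SQL injection probings 1/2</description>
 <tags>
 <tag>sqli</tag>
@@ -490,7 +490,7 @@
 </filter>
 <filter>
 <id>46</id>
-<rule><![CDATA[(?:(?:n?and|x?or|not |\|\||\&\&)\s+[\s\w+]+(?:regexp\s*\(|sounds\s+like\s*"|[=\d]+x))|("\s*\d\s*(?:--|#))|(?:"[%&<>^=]+\d\s*(=|or))|(?:"\W+[\w+-]+\s*=\s*\d\W+")|(?:"\s*is\s*\d.+"?\w)|(?:"\|?[\w-]{3,}[^\w\s.,]+")|(?:"\s*is\s*[\d.]+\s*\W.*")]]></rule>
+<rule><![CDATA[(?:in\s*\(+\s*select)|(?:(?:n?and|x?or|not |\|\||\&\&)\s+[\s\w+]+(?:regexp\s*\(|sounds\s+like\s*"|[=\d]+x))|("\s*\d\s*(?:--|#))|(?:"[%&<>^=]+\d\s*(=|or))|(?:"\W+[\w+-]+\s*=\s*\d\W+")|(?:"\s*is\s*\d.+"?\w)|(?:"\|?[\w-]{3,}[^\w\s.,]+")|(?:"\s*is\s*[\d.]+\s*\W.*")]]></rule>
 <description>Detects basic SQL authentication bypass attempts 3/3</description>
 <tags>
 <tag>sqli</tag>
@@ -501,7 +501,7 @@
 </filter>
 <filter>
 <id>47</id>
-<rule><![CDATA[(?:^[\W\d]+\s*(?:union|select|create|rename|truncate|load|alter|delete|update|insert|desc))|(?:(?:select|create|rename|truncate|load|alter|delete|update|insert|desc)\s+(?:concat|char|load_file)\s?\(?)|(?:end\s*\);)|("\s+regexp\W)]]></rule>
+<rule><![CDATA[(?:^[\W\d]+\s*(?:union|select|create|rename|truncate|load|alter|delete|update|insert|desc))|(?:(?:select|create|rename|truncate|load|alter|delete|update|insert|desc)\s+(?:concat|char|load_file)\s?\(?)|(?:end\s*\);)|("\s+regexp\W)|(?:[\s(]load_file\s*\()]]></rule>
 <description>Detects concatenated basic SQL injection and SQLLFI attempts</description>
 <tags>
 <tag>sqli</tag>
@@ -512,7 +512,7 @@
 </filter>
 <filter>
 <id>48</id>
-<rule><![CDATA[(?:\/\w+;?\s+(?:having|and|or|select))|(?:\d\s+group\s+by.+\()|(?:(?:;|#|--)\s*(?:drop|alter))|(?:(?:;|#|--)\s*(?:update|insert)\s*\w{2,})|(?:[^\w]SET\s*@\w+)|(?:(?:n?and|x?or|not |\|\||\&\&)\s+\w+[!=+]+[\s\d]*["=(])]]></rule>
+<rule><![CDATA[(?:\d+\s*or\s*\d+\s*[\-+])|(?:\/\w+;?\s+(?:having|and|or|select))|(?:\d\s+group\s+by.+\()|(?:(?:;|#|--)\s*(?:drop|alter))|(?:(?:;|#|--)\s*(?:update|insert)\s*\w{2,})|(?:[^\w]SET\s*@\w+)|(?:(?:n?and|x?or|not |\|\||\&\&)[\s(]+\w+[\s)]*[!=+]+[\s\d]*["=()])]]></rule>
 <description>Detects chained SQL injection attempts 1/2</description>
 <tags>
 <tag>sqli</tag>
@@ -522,7 +522,7 @@
 </filter>
 <filter>
 <id>49</id>
-<rule><![CDATA[(?:\*\/from)|(?:\+\s*\d+\s*\+\s*@)|(?:\w"\s*(?:[-+=|@]+\s*)+[\d(])|(?:coalesce\s*\(|@@\w+\s*[^\w\s])|(?:\W!+"\w)|(?:";\s*(?:if|while|begin))|(?:"[\s\d]+=\s*\d)|(?:order\s+by\s+if\w*\s*\()]]></rule>
+<rule><![CDATA[(?:\(\s*select\s*\w+\s*\()|(?:\*\/from)|(?:\+\s*\d+\s*\+\s*@)|(?:\w"\s*(?:[-+=|@]+\s*)+[\d(])|(?:coalesce\s*\(|@@\w+\s*[^\w\s])|(?:\W!+"\w)|(?:";\s*(?:if|while|begin))|(?:"[\s\d]+=\s*\d)|(?:order\s+by\s+if\w*\s*\()|(?:[\s(]+case\d*\W.+[tw]hen[\s(])]]></rule>
 <description>Detects chained SQL injection attempts 2/2</description>
 <tags>
 <tag>sqli</tag>
@@ -532,7 +532,7 @@
 </filter>
 <filter>
 <id>50</id>
-<rule><![CDATA[(?:(select|;)\s+(?:benchmark|if|sleep)\s?\(\s?\(?\s?\w+)]]></rule>
+<rule><![CDATA[(?:(select|;)\s+(?:benchmark|if|sleep)\s*?\(\s*\(?\s*\w+)]]></rule>
 <description>Detects SQL benchmark and sleep injection attempts including conditional queries</description>
 <tags>
 <tag>sqli</tag>
@@ -582,7 +582,7 @@
 </filter>
 <filter>
 <id>55</id>
-<rule><![CDATA[(?:"\s*!\s*["\w])|(?:from\s+information_schema\W)|(?:(?:(?:current_)?user|database|schema|connection_id)\s*\([^\)]*)|(?:";?\s*(?:select|union|having)\s*[^\s)|(?:\wiif\s*\()|(?:exec\s+master\.)|(?:union select @)|(?:union[\w(\s]*select)|(?:select.*\w?user\()|(?:into[\s+]+(?:dump|out)file\s*")]]></rule>
+<rule><![CDATA[(?:"\s*!\s*["\w])|(?:from\s+information_schema\W)|(?:(?:(?:current_)?user|database|schema|connection_id)\s*\([^\)]*)|(?:";?\s*(?:select|union|having)\s*[^\s])|(?:\wiif\s*\()|(?:exec\s+master\.)|(?:union select @)|(?:union[\w(\s]*select)|(?:select.*\w?user\()|(?:into[\s+]+(?:dump|out)file\s*")]]></rule>
 <description>Detects MSSQL code execution and information gathering attempts</description>
 <tags>
 <tag>sqli</tag>
@@ -727,5 +727,14 @@
 <tag>csrf</tag>
 </tags>
 <impact>4</impact>
-</filter>
-</filters>
+</filter>
+<filter>
+<id>70</id>
+<rule><![CDATA[(?:\[\$(?:ne|eq|lte?|gte?|n?in|mod|all|size|exists|type|slice|or)\])]]></rule>
+<description>finds basic MongoDB SQL injection attempts</description>
+<tags>
+<tag>sqli</tag>
+</tags>
+<impact>4</impact>
+</filter>
+</filters>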
