Finalizing implementation for an Issue #290

stamparm · stamparm · commit 8e49872d7c63 · 2013-02-21T14:33:12.000+01:00
diff --git a/lib/controller/checks.py b/lib/controller/checks.py
@@ -36,13 +36,15 @@
 from lib.core.common import showStaticWords
 from lib.core.common import singleTimeLogMessage
 from lib.core.common import singleTimeWarnMessage
+from lib.core.common import urlencode
 from lib.core.common import wasLastResponseDBMSError
 from lib.core.common import wasLastResponseHTTPError
 from lib.core.data import conf
 from lib.core.data import kb
 from lib.core.data import logger
 from lib.core.datatype import AttribDict
 from lib.core.datatype import InjectionDict
+from lib.core.decorators import cachedmethod
 from lib.core.dicts import FROM_DUMMY_TABLE
 from lib.core.enums import DBMS
 from lib.core.enums import HEURISTIC_TEST
@@ -1045,15 +1047,26 @@ def identifyWaf():
     infoMsg += "backend WAF/IPS/IDS protection"
     logger.info(infoMsg)
 
+    @cachedmethod
+    def _(*args, **kwargs):
+        try:
+            if kwargs.get("get"):
+                kwargs["get"] = urlencode(kwargs["get"])
+            kwargs["raise404"] = False
+            return Request.getPage(*args, **kwargs)
+        except Exception, ex:
+            return None, None, None
+
     retVal = False
-    page, headers, code = Request.getPage()
 
     for function, product, request in kb.wafFunctions:
         found = False
+
         if not request:
-            found = function(page or "", headers or {}, code)
+            found = function(_)
         else:
             pass
+
         if found:
             retVal = product
             break
@@ -1063,7 +1076,7 @@ def identifyWaf():
         warnMsg += "consider usage of tamper scripts (option '--tamper')"
         logger.critical(warnMsg)
     else:
-        warnMsg = "no WAF/IDS/IPS were identified"
+        warnMsg = "WAF/IDS/IPS product not identified"
         logger.warn(warnMsg)
 
     return retVal
diff --git a/lib/core/enums.py b/lib/core/enums.py
@@ -150,13 +150,9 @@ class HTTPHEADER:
     PROXY_CONNECTION = "Proxy-Connection"
     RANGE = "Range"
     REFERER = "Referer"
+    SERVER = "Server"
     USER_AGENT = "User-Agent"
 
-class WAF_REQUEST:
-    GET = 1
-    POST = 2
-    HEADERS = 3
-
 class EXPECTED:
     BOOL = "bool"
     INT = "int"
diff --git a/lib/core/option.py b/lib/core/option.py
@@ -905,6 +905,9 @@ def _setWafFunctions():
             dirname, filename = os.path.split(found)
             dirname = os.path.abspath(dirname)
 
+            if filename == "__init__.py":
+                continue
+
             debugMsg = "loading WAF script '%s'" % filename[:-3]
             logger.debug(debugMsg)
 
diff --git a/lib/core/settings.py b/lib/core/settings.py
@@ -380,7 +380,15 @@
 BRUTE_COLUMN_EXISTS_TEMPLATE = "EXISTS(SELECT %s FROM %s)"
 
 # Payload used for checking of existence of IDS/WAF (dummier the better)
-IDS_WAF_CHECK_PAYLOAD = "AND 1=1 UNION ALL SELECT 1,2,3,table_name FROM information_schema.tables"
+IDS_WAF_CHECK_PAYLOAD = "AND 1=1 UNION ALL SELECT 1,2,3,table_name FROM information_schema.tables WHERE 2>1"
+
+# Vectors used for provoking specific WAF/IDS/IPS behavior(s)
+WAF_ATTACK_VECTORS = (
+                        "search=<script>alert(1)</script>",
+                        "file=../../../../etc/passwd",
+                        "q=<invalid>foobar",
+                        "id=1 %s" % IDS_WAF_CHECK_PAYLOAD
+                     )
 
 # Used for status representation in dictionary attack phase
 ROTATING_CHARS = ('\\', '|', '|', '/', '-')
diff --git a/waf/__init__.py b/waf/__init__.py
@@ -0,0 +1,8 @@
+#!/usr/bin/env python
+
+"""
+Copyright (c) 2006-2013 sqlmap developers (http://sqlmap.org/)
+See the file 'doc/COPYING' for copying permission
+"""
+
+pass
diff --git a/waf/airlock.py b/waf/airlock.py
@@ -0,0 +1,16 @@
+#!/usr/bin/env python
+
+"""
+Copyright (c) 2006-2013 sqlmap developers (http://sqlmap.org/)
+See the file 'doc/COPYING' for copying permission
+"""
+
+import re
+
+from lib.core.enums import HTTPHEADER
+
+__product__ = "Airlock (Phion/Ergon)"
+
+def detect(get_page):
+    page, headers, code = get_page()
+    return re.search(r"\AAL[_-]?(SESS|LB)=", headers.get(HTTPHEADER.SET_COOKIE, ""), re.I) is not None
diff --git a/waf/barracuda.py b/waf/barracuda.py
@@ -0,0 +1,16 @@
+#!/usr/bin/env python
+
+"""
+Copyright (c) 2006-2013 sqlmap developers (http://sqlmap.org/)
+See the file 'doc/COPYING' for copying permission
+"""
+
+import re
+
+from lib.core.enums import HTTPHEADER
+
+__product__ = "Barracuda Web Application Firewall (Barracuda Networks)"
+
+def detect(get_page):
+    page, headers, code = get_page()
+    return re.search(r"\Abarra_counter_session=", headers.get(HTTPHEADER.SET_COOKIE, ""), re.I) is not None
diff --git a/waf/bigip.py b/waf/bigip.py
@@ -0,0 +1,26 @@
+#!/usr/bin/env python
+
+"""
+Copyright (c) 2006-2013 sqlmap developers (http://sqlmap.org/)
+See the file 'doc/COPYING' for copying permission
+"""
+
+import re
+
+from lib.core.enums import HTTPHEADER
+from lib.core.settings import WAF_ATTACK_VECTORS
+
+__product__ = "BIG-IP Application Security Manager (F5 Networks)"
+
+def detect(get_page):
+    page, headers, code = get_page()
+    retval = re.search(r"\ATS[a-zA-Z0-9]{3,6}=", headers.get(HTTPHEADER.SET_COOKIE, ""), re.I) is not None
+
+    if not retval:
+        for vector in WAF_ATTACK_VECTORS:
+            page, headers, code = get_page(get=vector)
+            retval = headers.get("X-Cnection", "").lower() == "close"
+            if retval:
+                break
+
+    return retval
diff --git a/waf/binarysec.py b/waf/binarysec.py
@@ -0,0 +1,16 @@
+#!/usr/bin/env python
+
+"""
+Copyright (c) 2006-2013 sqlmap developers (http://sqlmap.org/)
+See the file 'doc/COPYING' for copying permission
+"""
+
+import re
+
+from lib.core.enums import HTTPHEADER
+
+__product__ = "BinarySEC Web Application Firewall (BinarySEC)"
+
+def detect(get_page):
+    page, headers, code = get_page()
+    return re.search(r"BinarySec", headers.get(HTTPHEADER.SERVER, ""), re.I) is not None
diff --git a/waf/datapower.py b/waf/datapower.py
@@ -0,0 +1,14 @@
+#!/usr/bin/env python
+
+"""
+Copyright (c) 2006-2013 sqlmap developers (http://sqlmap.org/)
+See the file 'doc/COPYING' for copying permission
+"""
+
+import re
+
+__product__ = "IBM WebSphere DataPower (IBM)"
+
+def detect(get_page):
+    page, headers, code = get_page()
+    return re.search(r"\A(OK|FAIL)", headers.get("X-Backside-Transport", ""), re.I) is not None
diff --git a/waf/denyall.py b/waf/denyall.py
@@ -0,0 +1,26 @@
+#!/usr/bin/env python
+
+"""
+Copyright (c) 2006-2013 sqlmap developers (http://sqlmap.org/)
+See the file 'doc/COPYING' for copying permission
+"""
+
+import re
+
+from lib.core.enums import HTTPHEADER
+from lib.core.settings import WAF_ATTACK_VECTORS
+
+__product__ = "Deny All Web Application Firewall (DenyAll)"
+
+def detect(get_page):
+    page, headers, code = get_page()
+    retval = re.search(r"\Asessioncookie=", headers.get(HTTPHEADER.SET_COOKIE, ""), re.I) is not None
+
+    if not retval:
+        for vector in WAF_ATTACK_VECTORS:
+            page, headers, code = get_page(get=vector)
+            retval = code == 200 and re.search(r"\ACondition Intercepted", page, re.I) is not None
+            if retval:
+                break
+
+    return retval
diff --git a/waf/dotdefender.py b/waf/dotdefender.py
@@ -0,0 +1,21 @@
+#!/usr/bin/env python
+
+"""
+Copyright (c) 2006-2013 sqlmap developers (http://sqlmap.org/)
+See the file 'doc/COPYING' for copying permission
+"""
+
+from lib.core.settings import WAF_ATTACK_VECTORS
+
+__product__ = "dotDefender (Applicure Technologies)"
+
+def detect(get_page):
+    retval = False
+
+    for vector in WAF_ATTACK_VECTORS:
+        page, headers, code = get_page(get=vector)
+        retVal = headers.get("X-dotDefender-denied", "") == 1
+        if retVal:
+            break
+
+    return retval
diff --git a/waf/f5asm.py b/waf/f5asm.py
diff --git a/waf/hyperguard.py b/waf/hyperguard.py
@@ -0,0 +1,16 @@
+#!/usr/bin/env python
+
+"""
+Copyright (c) 2006-2013 sqlmap developers (http://sqlmap.org/)
+See the file 'doc/COPYING' for copying permission
+"""
+
+import re
+
+from lib.core.enums import HTTPHEADER
+
+__product__ = "Hyperguard Web Application Firewall (art of defence Inc.)"
+
+def detect(get_page):
+    page, headers, code = get_page()
+    return re.search(r"\AODSESSION=", headers.get(HTTPHEADER.SET_COOKIE, ""), re.I) is not None
diff --git a/waf/modsecurity.py b/waf/modsecurity.py
@@ -0,0 +1,24 @@
+#!/usr/bin/env python
+
+"""
+Copyright (c) 2006-2013 sqlmap developers (http://sqlmap.org/)
+See the file 'doc/COPYING' for copying permission
+"""
+
+import re
+
+from lib.core.enums import HTTPHEADER
+from lib.core.settings import WAF_ATTACK_VECTORS
+
+__product__ = "ModSecurity: Open Source Web Application Firewall (Trustwave)"
+
+def detect(get_page):
+    retval = False
+
+    for vector in WAF_ATTACK_VECTORS:
+        page, headers, code = get_page(get=vector)
+        if code == 501:
+            retVal = True
+            break
+
+    return retval
diff --git a/waf/netcontinuum.py b/waf/netcontinuum.py
@@ -0,0 +1,16 @@
+#!/usr/bin/env python
+
+"""
+Copyright (c) 2006-2013 sqlmap developers (http://sqlmap.org/)
+See the file 'doc/COPYING' for copying permission
+"""
+
+import re
+
+from lib.core.enums import HTTPHEADER
+
+__product__ = "NetContinuum Web Application Firewall (NetContinuum/Barracuda Networks)"
+
+def detect(get_page):
+    page, headers, code = get_page()
+    return re.search(r"\ANCI__SessionId=", headers.get(HTTPHEADER.SET_COOKIE, ""), re.I) is not None
diff --git a/waf/netscaler.py b/waf/netscaler.py
@@ -0,0 +1,26 @@
+#!/usr/bin/env python
+
+"""
+Copyright (c) 2006-2013 sqlmap developers (http://sqlmap.org/)
+See the file 'doc/COPYING' for copying permission
+"""
+
+import re
+
+from lib.core.enums import HTTPHEADER
+from lib.core.settings import WAF_ATTACK_VECTORS
+
+__product__ = "NetScaler (Citrix Systems)"
+
+def detect(get_page):
+    page, headers, code = get_page()
+    retval = re.search(r"\A(ns_af=|citrix_ns_id|NSC_)", headers.get(HTTPHEADER.SET_COOKIE, ""), re.I) is not None
+
+    if not retval:
+        for vector in WAF_ATTACK_VECTORS:
+            page, headers, code = get_page(get=vector)
+            retval = re.search(r"\Aclose", headers.get("Cneonction", "") or headers.get("nnCoection", ""), re.I) is not None
+            if retval:
+                break
+
+    return retval
diff --git a/waf/profense.py b/waf/profense.py
@@ -0,0 +1,16 @@
+#!/usr/bin/env python
+
+"""
+Copyright (c) 2006-2013 sqlmap developers (http://sqlmap.org/)
+See the file 'doc/COPYING' for copying permission
+"""
+
+import re
+
+from lib.core.enums import HTTPHEADER
+
+__product__ = "Profense Web Application Firewall (Armorlogic)"
+
+def detect(get_page):
+    page, headers, code = get_page()
+    return re.search(r"Profense", headers.get(HTTPHEADER.SERVER, ""), re.I) is not None
diff --git a/waf/proventia.py b/waf/proventia.py
@@ -0,0 +1,21 @@
+#!/usr/bin/env python
+
+"""
+Copyright (c) 2006-2013 sqlmap developers (http://sqlmap.org/)
+See the file 'doc/COPYING' for copying permission
+"""
+
+import re
+
+from lib.core.data import kb
+from lib.core.enums import HTTPHEADER
+from lib.core.settings import WAF_ATTACK_VECTORS
+
+__product__ = "Proventia Web Application Security (IBM)"
+
+def detect(get_page):
+    page, headers, code = get_page()
+    if page is None:
+        return False
+    page, headers, code = get_page(url="/Admin_Files/")
+    return page is None
diff --git a/waf/teros.py b/waf/teros.py
diff --git a/waf/trafficshield.py b/waf/trafficshield.py
diff --git a/waf/webappsecure.py b/waf/webappsecure.py
