From 1b863ecf9327a828aee1bb45cdf5738fab6c8238 Mon Sep 17 00:00:00 2001
From: Miroslav Stampar <miroslav.stampar@gmail.com>
Date: Thu, 23 Jun 2016 12:03:05 +0200
Subject: [PATCH] Far better detection of SecureIIS (WAF)

---
 lib/core/settings.py |  2 +-
 waf/generic.py       |  2 --
 waf/modsecurity.py   |  1 -
 waf/secureiis.py     | 18 +++++++++++++-----
 4 files changed, 14 insertions(+), 9 deletions(-)

diff --git a/lib/core/settings.py b/lib/core/settings.py
index c9cb02c09..a87d86735 100644
--- a/lib/core/settings.py
+++ b/lib/core/settings.py
@@ -19,7 +19,7 @@ from lib.core.enums import OS
 from lib.core.revision import getRevisionNumber
 
 # sqlmap version (<major>.<minor>.<month>.<monthly commit>)
-VERSION = "1.0.6.49"
+VERSION = "1.0.6.50"
 REVISION = getRevisionNumber()
 STABLE = VERSION.count('.') <= 2
 VERSION_STRING = "sqlmap/%s#%s" % (VERSION, "stable" if STABLE else "dev")
diff --git a/waf/generic.py b/waf/generic.py
index 898ab0484..56171b090 100644
--- a/waf/generic.py
+++ b/waf/generic.py
@@ -5,8 +5,6 @@ Copyright (c) 2006-2016 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
-import re
-
 from lib.core.settings import IDS_WAF_CHECK_PAYLOAD
 from lib.core.settings import WAF_ATTACK_VECTORS
 
diff --git a/waf/modsecurity.py b/waf/modsecurity.py
index 063419a14..89e14e3d3 100644
--- a/waf/modsecurity.py
+++ b/waf/modsecurity.py
@@ -19,7 +19,6 @@ def detect(get_page):
         page, headers, code = get_page(get=vector)
         retval = code == 501 and re.search(r"Reference #[0-9A-Fa-f.]+", page or "", re.I) is None
         retval |= re.search(r"Mod_Security|NOYB", headers.get(HTTP_HEADER.SERVER, ""), re.I) is not None
-        retval |= code == 406  # specific for mod_security (and forks)
         retval |= "This error was generated by Mod_Security" in (page or "")
         if retval:
             break
diff --git a/waf/secureiis.py b/waf/secureiis.py
index 77f467db3..4f6ef9638 100644
--- a/waf/secureiis.py
+++ b/waf/secureiis.py
@@ -5,13 +5,21 @@ Copyright (c) 2006-2016 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
-from lib.core.enums import HTTP_HEADER
+import re
+
+from lib.core.settings import WAF_ATTACK_VECTORS
 
 __product__ = "SecureIIS Web Server Security (BeyondTrust)"
 
 def detect(get_page):
-    _, _, code = get_page()
-    retval = code != 404
-    _, _, code = get_page(auxHeaders={HTTP_HEADER.TRANSFER_ENCODING: 'a' * 1025, HTTP_HEADER.ACCEPT_ENCODING: "identity"})
-    retval = retval and code == 404
+    retval = False
+
+    for vector in WAF_ATTACK_VECTORS:
+        page, _, _ = get_page(get=vector)
+        retval = re.search(r"SecureIIS[^<]+Web Server Protection", page or "") is not None
+        retval |= "http://www.eeye.com/SecureIIS/" in (page or "")
+        retval |= "?subject=SecureIIS Error" in (page or "")
+        if retval:
+            break
+
     return retval