Far better detection of SecureIIS (WAF)

2024-11-22 17:46:37 +03:00 · 2016-06-23 12:03:05 +02:00 · 2016-06-23 12:03:05 +02:00 · 1b863ecf93
commit 1b863ecf93
parent ec06037335
4 changed files with 14 additions and 9 deletions
--- a/lib/core/settings.py
+++ b/lib/core/settings.py
@ -19,7 +19,7 @@ from lib.core.enums import OS
 from lib.core.revision import getRevisionNumber

 # sqlmap version (<major>.<minor>.<month>.<monthly commit>)
-VERSION = "1.0.6.49"
+VERSION = "1.0.6.50"
 REVISION = getRevisionNumber()
 STABLE = VERSION.count('.') <= 2
 VERSION_STRING = "sqlmap/%s#%s" % (VERSION, "stable" if STABLE else "dev")
--- a/waf/generic.py
+++ b/waf/generic.py
@ -5,8 +5,6 @@ Copyright (c) 2006-2016 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """

-import re
-
 from lib.core.settings import IDS_WAF_CHECK_PAYLOAD
 from lib.core.settings import WAF_ATTACK_VECTORS

--- a/waf/modsecurity.py
+++ b/waf/modsecurity.py
@ -19,7 +19,6 @@ def detect(get_page):
        page, headers, code = get_page(get=vector)
        retval = code == 501 and re.search(r"Reference #[0-9A-Fa-f.]+", page or "", re.I) is None
        retval |= re.search(r"Mod_Security|NOYB", headers.get(HTTP_HEADER.SERVER, ""), re.I) is not None
-        retval |= code == 406  # specific for mod_security (and forks)
        retval |= "This error was generated by Mod_Security" in (page or "")
        if retval:
            break
--- a/waf/secureiis.py
+++ b/waf/secureiis.py
@ -5,13 +5,21 @@ Copyright (c) 2006-2016 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """

-from lib.core.enums import HTTP_HEADER
+import re
+
+from lib.core.settings import WAF_ATTACK_VECTORS

 __product__ = "SecureIIS Web Server Security (BeyondTrust)"

 def detect(get_page):
-    _, _, code = get_page()
-    retval = code != 404
-    _, _, code = get_page(auxHeaders={HTTP_HEADER.TRANSFER_ENCODING: 'a' * 1025, HTTP_HEADER.ACCEPT_ENCODING: "identity"})
-    retval = retval and code == 404
+    retval = False
+
+    for vector in WAF_ATTACK_VECTORS:
+        page, _, _ = get_page(get=vector)
+        retval = re.search(r"SecureIIS[^<]+Web Server Protection", page or "") is not None
+        retval |= "http://www.eeye.com/SecureIIS/" in (page or "")
+        retval |= "?subject=SecureIIS Error" in (page or "")
+        if retval:
+            break
+
    return retval