From 378653a1eccb337309e09295b28500641ef43c9e Mon Sep 17 00:00:00 2001 From: Miroslav Stampar Date: Mon, 25 Oct 2010 15:37:43 +0000 Subject: [PATCH] added IDS payload testing --- lib/parse/cmdline.py | 4 ++++ lib/request/connect.py | 4 ++++ lib/utils/detection.py | 28 ++++++++++++++----------- xml/detection.xml | 47 +++++++++++++++++++++++++----------------- 4 files changed, 52 insertions(+), 31 deletions(-) diff --git a/lib/parse/cmdline.py b/lib/parse/cmdline.py index 6183fd9b9..cde04eecd 100644 --- a/lib/parse/cmdline.py +++ b/lib/parse/cmdline.py @@ -488,6 +488,10 @@ def cmdLineParser(): action="store_true", default=False, help="Replicate dumped data into a sqlite3 database") + miscellaneous.add_option("--check-payload", dest="checkPayload", + action="store_true", default=False, + help="IDS detection testing of injection payload") + miscellaneous.add_option("--beep", dest="beep", action="store_true", default=False, help="Alert with audio beep when sql injection found") diff --git a/lib/request/connect.py b/lib/request/connect.py index 7ac8fc212..d4271768e 100644 --- a/lib/request/connect.py +++ b/lib/request/connect.py @@ -30,6 +30,7 @@ from lib.request.basic import parseResponse from lib.request.direct import direct from lib.request.comparison import comparison from lib.request.methodrequest import MethodRequest +from lib.utils.detection import checkPayload class Connect: @@ -309,6 +310,9 @@ class Connect: for function in kb.tamperFunctions: value = function(place, value) + if conf.checkPayload: + checkPayload(value) + if "GET" in conf.parameters: get = conf.parameters["GET"] if place != "GET" or not value else value diff --git a/lib/utils/detection.py b/lib/utils/detection.py index 86fcee2f1..63a6cafc5 100644 --- a/lib/utils/detection.py +++ b/lib/utils/detection.py 
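Review bot: In the connect.py hunk `checkPayload(value)` is called for every request whenever `--check-payload` is set, but the surrounding code (`if place != "GET" or not value`) shows `value` can be empty or falsy, and checkPayload urldecodes its argument before testing it, so a None/empty value would presumably reach `urldecode` — confirm it tolerates that. A cheap guard at the call site avoids the question: `if conf.checkPayload and value:` / `    checkPayload(value)`. The enclosing Connect method starts before this hunk, so whether `value` can actually be None at this point is not visible here.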
@@ -12,10 +12,12 @@ import sre_constants from lib.core.common import getCompiledRegex from lib.core.common import readXmlFile +from lib.core.convert import urldecode from lib.core.data import conf from lib.core.data import paths from lib.core.data import logger + rules = None def __adjustGrammar(string): @@ -27,7 +29,7 @@ def __adjustGrammar(string): return string -def checkPayload(string): +def checkPayload(payload): """ This method checks if the generated payload is detectable by the PHPIDS filter rules @@ -35,20 +37,22 @@ def checkPayload(string): global rules + payload = urldecode(payload) + if not rules: xmlrules = readXmlFile(paths.DETECTION_RULES_XML) rules = [] for xmlrule in xmlrules.getElementsByTagName("filter"): - try: - rule = "(?i)%s" % xmlrule.getElementsByTagName('rule')[0].childNodes[0].nodeValue - desc = __adjustGrammar(xmlrule.getElementsByTagName('description')[0].childNodes[0].nodeValue) - rules.append((rule, desc)) - except sre_constants.error: # Some issues with some regex expressions in Python 2.5 - pass - - for rule, desc in rules: - regObj = getCompiledRegex(rule) + rule = "(?i)%s" % xmlrule.getElementsByTagName('rule')[0].childNodes[0].nodeValue + desc = __adjustGrammar(xmlrule.getElementsByTagName('description')[0].childNodes[0].nodeValue) + rules.append((rule, desc)) - if regObj.search(string): - logger.warn("highly probable IDS/IPS detection: '%s'" % desc) + if payload: + for rule, desc in rules: + try: + regObj = getCompiledRegex(rule) + if regObj.search(payload): + logger.warn("highly probable IDS/IPS detection: '%s: %s'" % (desc, payload)) + except: # Some issues with some regex expressions in Python 2.5 + pass diff --git a/xml/detection.xml b/xml/detection.xml index 48e3ff23b..cd803fcaf 100644 --- a/xml/detection.xml +++ b/xml/detection.xml @@ -21,7 +21,7 @@ 69 - + finds malicious attribute injection attempts xss @@ -71,7 +71,7 @@ 7 - + Detects JavaScript with(), ternary operators and XML predicate attacks xss 
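Review bot: The new per-payload loop wraps `getCompiledRegex`, `regObj.search` and `logger.warn` in a bare `except:` that also swallows KeyboardInterrupt and SystemExit, whereas the removed code caught only `sre_constants.error` (still imported at the top of this hunk) and did so once while building the rule cache. Moving the try into the hot loop means a rule that does not compile is retried on every request, and any unrelated error in search/logging is silently dropped. Compile each rule once when `rules` is built, skip (and log) the ones Python 2.5 rejects, and leave the per-payload loop exception-free; the cached tuple then holds the compiled object rather than the pattern string. The last hunk appears to end checkPayload, but that is inferred from the diff context.
```python
        for xmlrule in xmlrules.getElementsByTagName("filter"):
            rule = "(?i)%s" % xmlrule.getElementsByTagName('rule')[0].childNodes[0].nodeValue
            desc = __adjustGrammar(xmlrule.getElementsByTagName('description')[0].childNodes[0].nodeValue)
            try:
                rules.append((getCompiledRegex(rule), desc))
            except sre_constants.error: # some PHPIDS rules do not compile on Python 2.5
                logger.debug("skipping IDS detection rule '%s' (regex not compilable)" % desc)

    if payload:
        for regObj, desc in rules:
            if regObj.search(payload):
                logger.warn("highly probable IDS/IPS detection: '%s: %s'" % (desc, payload))
```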
@@ -81,7 +81,7 @@ 8 - + Detects self-executing JavaScript functions xss @@ -168,7 +168,7 @@ 16 - \|])(\s*return\s*)?(?:alert|inputbox|showmodaldialog|infinity|isnan|isnull|msgbox|expression|prompt|write(?:ln)?|confirm|dialog|urn|(?:un)?eval|exec|execscript|tostring|status|execute|window|unescape|navigate|jquery|getscript|extend|prototype)(?(1)[^\w%"]|(?:\s*[^@\s\w%",.:\/+\-]))]]> + ])(\s*return\s*)?(?:alert|inputbox|showmodaldialog|infinity|isnan|isnull|iterator|msgbox|expression|prompt|write(?:ln)?|confirm|dialog|urn|(?:un)?eval|exec|execscript|tostring|status|execute|window|unescape|navigate|jquery|getscript|extend|prototype)(?(1)[^\w%"]|(?:\s*[^@\s\w%",.:\/+\-]))]]> Detects possible includes and typical script methods xss @@ -180,7 +180,7 @@ 17 - \|])(\s*return\s*)?(?:hash|name|href|navigateandfind|source|pathname|close|constructor|port|protocol|assign|replace|back|forward|document|ownerdocument|window|self|parent|frames|_?content|date|cookie|innerhtml|innertext|csstext+?|outerhtml|print|moveby|resizeto|createstylesheet|stylesheets)(?(1)[^\w%"]|(?:\s*[^@\/\s\w%,.+\-]))]]> + ])(\s*return\s*)?(?:hash|name|href|navigateandfind|source|pathname|close|constructor|port|protocol|assign|replace|back|forward|document|ownerdocument|window|top|this|self|parent|frames|_?content|date|cookie|innerhtml|innertext|csstext+?|outerhtml|print|moveby|resizeto|createstylesheet|stylesheets)(?(1)[^\w%"]|(?:\s*[^@\/\s\w%.+\-]))]]> Detects JavaScript object properties and methods xss 
@@ -216,7 +216,7 @@ 20 - \|])(\s*return\s*)?(?:globalstorage|sessionstorage|postmessage|callee|constructor|content|domain|prototype|try|catch|top|call|apply|url|function|object|array|string|math|if|elseif|case|switch|regex|boolean|location|settimeout|setinterval|void|setexpression|namespace|while)(?(1)[^\w%"]|(?:\s*[^@\s\w%",.+\-]))]]> + \|])(\s*return\s*)?(?:globalstorage|sessionstorage|postmessage|callee|constructor|content|domain|prototype|try|catch|top|call|apply|url|function|object|array|string|math|if|for\s*(?:each)?|elseif|case|switch|regex|boolean|location|settimeout|setinterval|void|setexpression|namespace|while)(?(1)[^\w%"]|(?:\s*[^@\s\w%".+\-]))]]> Detects JavaScript language constructs xss @@ -240,7 +240,7 @@ 22 - + Detects advanced XSS probings via Script(), RexExp, constructors and XML namespaces xss @@ -424,7 +424,7 @@ 40 - + Detects MySQL comments, conditions and ch(a)r injections sqli @@ -435,18 +435,18 @@ 41 - ~])]]> + ~])]]> Detects conditional SQL injection attempts sqli id lfi - 4 + 6 42 - + Detects classic SQL injection probings 1/2 sqli @@ -490,7 +490,7 @@ 46 - ^=]+\d\s*(=|or))|(?:"\W+[\w+-]+\s*=\s*\d\W+")|(?:"\s*is\s*\d.+"?\w)|(?:"\|?[\w-]{3,}[^\w\s.,]+")|(?:"\s*is\s*[\d.]+\s*\W.*")]]> + ^=]+\d\s*(=|or))|(?:"\W+[\w+-]+\s*=\s*\d\W+")|(?:"\s*is\s*\d.+"?\w)|(?:"\|?[\w-]{3,}[^\w\s.,]+")|(?:"\s*is\s*[\d.]+\s*\W.*")]]> Detects basic SQL authentication bypass attempts 3/3 sqli @@ -501,7 +501,7 @@ 47 - + Detects concatenated basic SQL injection and SQLLFI attempts sqli @@ -512,7 +512,7 @@ 48 - + Detects chained SQL injection attempts 1/2 sqli @@ -522,7 +522,7 @@ 49 - + Detects chained SQL injection attempts 2/2 sqli @@ -532,7 +532,7 @@ 50 - + Detects SQL benchmark and sleep injection attempts including conditional queries sqli @@ -582,7 +582,7 @@ 55 - + Detects MSSQL code execution and information gathering attempts sqli 
@@ -727,5 +727,14 @@ csrf 4 - - \ No newline at end of file + + + 70 + + finds basic MongoDB SQL injection attempts + + sqli + + 4 + +