added IDS payload testing

This commit is contained in:
Miroslav Stampar 2010-10-25 15:37:43 +00:00
parent bdb9c37a7e
commit 378653a1ec
4 changed files with 52 additions and 31 deletions

View File

@ -488,6 +488,10 @@ def cmdLineParser():
action="store_true", default=False, action="store_true", default=False,
help="Replicate dumped data into a sqlite3 database") help="Replicate dumped data into a sqlite3 database")
miscellaneous.add_option("--check-payload", dest="checkPayload",
action="store_true", default=False,
help="IDS detection testing of injection payload")
miscellaneous.add_option("--beep", dest="beep", miscellaneous.add_option("--beep", dest="beep",
action="store_true", default=False, action="store_true", default=False,
help="Alert with audio beep when sql injection found") help="Alert with audio beep when sql injection found")

View File

@ -30,6 +30,7 @@ from lib.request.basic import parseResponse
from lib.request.direct import direct from lib.request.direct import direct
from lib.request.comparison import comparison from lib.request.comparison import comparison
from lib.request.methodrequest import MethodRequest from lib.request.methodrequest import MethodRequest
from lib.utils.detection import checkPayload
class Connect: class Connect:
@ -309,6 +310,9 @@ class Connect:
for function in kb.tamperFunctions: for function in kb.tamperFunctions:
value = function(place, value) value = function(place, value)
if conf.checkPayload:
checkPayload(value)
if "GET" in conf.parameters: if "GET" in conf.parameters:
get = conf.parameters["GET"] if place != "GET" or not value else value get = conf.parameters["GET"] if place != "GET" or not value else value

View File

@ -12,10 +12,12 @@ import sre_constants
from lib.core.common import getCompiledRegex from lib.core.common import getCompiledRegex
from lib.core.common import readXmlFile from lib.core.common import readXmlFile
from lib.core.convert import urldecode
from lib.core.data import conf from lib.core.data import conf
from lib.core.data import paths from lib.core.data import paths
from lib.core.data import logger from lib.core.data import logger
rules = None rules = None
def __adjustGrammar(string): def __adjustGrammar(string):
@ -27,7 +29,7 @@ def __adjustGrammar(string):
return string return string
def checkPayload(string): def checkPayload(payload):
""" """
This method checks if the generated payload is detectable by the This method checks if the generated payload is detectable by the
PHPIDS filter rules PHPIDS filter rules
@ -35,20 +37,22 @@ def checkPayload(string):
global rules global rules
payload = urldecode(payload)
if not rules: if not rules:
xmlrules = readXmlFile(paths.DETECTION_RULES_XML) xmlrules = readXmlFile(paths.DETECTION_RULES_XML)
rules = [] rules = []
for xmlrule in xmlrules.getElementsByTagName("filter"): for xmlrule in xmlrules.getElementsByTagName("filter"):
try:
rule = "(?i)%s" % xmlrule.getElementsByTagName('rule')[0].childNodes[0].nodeValue rule = "(?i)%s" % xmlrule.getElementsByTagName('rule')[0].childNodes[0].nodeValue
desc = __adjustGrammar(xmlrule.getElementsByTagName('description')[0].childNodes[0].nodeValue) desc = __adjustGrammar(xmlrule.getElementsByTagName('description')[0].childNodes[0].nodeValue)
rules.append((rule, desc)) rules.append((rule, desc))
except sre_constants.error: # Some issues with some regex expressions in Python 2.5
pass
if payload:
for rule, desc in rules: for rule, desc in rules:
try:
regObj = getCompiledRegex(rule) regObj = getCompiledRegex(rule)
if regObj.search(payload):
if regObj.search(string): logger.warn("highly probable IDS/IPS detection: '%s: %s'" % (desc, payload))
logger.warn("highly probable IDS/IPS detection: '%s'" % desc) except: # Some issues with some regex expressions in Python 2.5
pass

View File

@ -21,7 +21,7 @@
</filter> </filter>
<filter> <filter>
<id>69</id> <id>69</id>
<rule><![CDATA[(?:[\s\d\/"]+(?:on\w+|style)=[$"\w])]]></rule> <rule><![CDATA[(?:[\s\d\/"]+(?:on\w+|style|poster|background)=[$"\w])]]></rule>
<description>finds malicious attribute injection attempts</description> <description>finds malicious attribute injection attempts</description>
<tags> <tags>
<tag>xss</tag> <tag>xss</tag>
@ -71,7 +71,7 @@
</filter> </filter>
<filter> <filter>
<id>7</id> <id>7</id>
<rule><![CDATA[(?:\d\s*[|&]{2}\s*\w)|(?:[=(].+\?.+:)|(?:with\([^)]*\)\))|(?:\.\s*source\W)|(?:\?[^:=]+:[^;]+(;|$))]]></rule> <rule><![CDATA[(?:[=(].+\?.+:)|(?:with\([^)]*\)\))|(?:\.\s*source\W)]]></rule>
<description>Detects JavaScript with(), ternary operators and XML predicate attacks</description> <description>Detects JavaScript with(), ternary operators and XML predicate attacks</description>
<tags> <tags>
<tag>xss</tag> <tag>xss</tag>
@ -81,7 +81,7 @@
</filter> </filter>
<filter> <filter>
<id>8</id> <id>8</id>
<rule><![CDATA[(?:\([\w\s]+\([\w\s]+\)[\w\s]+\))|(?:(?<!(?:mozilla\/\d\.\d\s))\([^)[]+\[[^\]]+\][^)]*\))|(?:[^\s!][{([][^({[]+[{([][^}\])]+[}\])][\s+",\d]*[}\])])|(?:"\)?\]\W*\[)|(?:=\s*[^\s:;]+\s*[{([][^}\])]+[}\])];)]]></rule> <rule><![CDATA[(?:\/\w*\s*\)\s*\()|(?:\(.*\/.+\/\w*\s*\))|(?:\([\w\s]+\([\w\s]+\)[\w\s]+\))|(?:(?<!(?:mozilla\/\d\.\d\s))\([^)[]+\[[^\]]+\][^)]*\))|(?:[^\s!][{([][^({[]+[{([][^}\])]+[}\])][\s+",\d]*[}\])])|(?:"\)?\]\W*\[)|(?:=\s*[^\s:;]+\s*[{([][^}\])]+[}\])];)]]></rule>
<description>Detects self-executing JavaScript functions</description> <description>Detects self-executing JavaScript functions</description>
<tags> <tags>
<tag>xss</tag> <tag>xss</tag>
@ -168,7 +168,7 @@
</filter> </filter>
<filter> <filter>
<id>16</id> <id>16</id>
<rule><![CDATA[([^*\s\w,.\/?+-]\s*)?(?<![a-mo-z]\s)(?<![a-z\/_@>\|])(\s*return\s*)?(?:alert|inputbox|showmodaldialog|infinity|isnan|isnull|msgbox|expression|prompt|write(?:ln)?|confirm|dialog|urn|(?:un)?eval|exec|execscript|tostring|status|execute|window|unescape|navigate|jquery|getscript|extend|prototype)(?(1)[^\w%"]|(?:\s*[^@\s\w%",.:\/+\-]))]]></rule> <rule><![CDATA[([^*\s\w,.\/?+-]\s*)?(?<![a-mo-z]\s)(?<![a-z\/_@>])(\s*return\s*)?(?:alert|inputbox|showmodaldialog|infinity|isnan|isnull|iterator|msgbox|expression|prompt|write(?:ln)?|confirm|dialog|urn|(?:un)?eval|exec|execscript|tostring|status|execute|window|unescape|navigate|jquery|getscript|extend|prototype)(?(1)[^\w%"]|(?:\s*[^@\s\w%",.:\/+\-]))]]></rule>
<description>Detects possible includes and typical script methods</description> <description>Detects possible includes and typical script methods</description>
<tags> <tags>
<tag>xss</tag> <tag>xss</tag>
@ -180,7 +180,7 @@
</filter> </filter>
<filter> <filter>
<id>17</id> <id>17</id>
<rule><![CDATA[([^*:\s\w,.\/?+-]\s*)?(?<![a-z]\s)(?<![a-z\/_@>\|])(\s*return\s*)?(?:hash|name|href|navigateandfind|source|pathname|close|constructor|port|protocol|assign|replace|back|forward|document|ownerdocument|window|self|parent|frames|_?content|date|cookie|innerhtml|innertext|csstext+?|outerhtml|print|moveby|resizeto|createstylesheet|stylesheets)(?(1)[^\w%"]|(?:\s*[^@\/\s\w%,.+\-]))]]></rule> <rule><![CDATA[([^*:\s\w,.\/?+-]\s*)?(?<![a-z]\s)(?<![a-z\/_@>])(\s*return\s*)?(?:hash|name|href|navigateandfind|source|pathname|close|constructor|port|protocol|assign|replace|back|forward|document|ownerdocument|window|top|this|self|parent|frames|_?content|date|cookie|innerhtml|innertext|csstext+?|outerhtml|print|moveby|resizeto|createstylesheet|stylesheets)(?(1)[^\w%"]|(?:\s*[^@\/\s\w%.+\-]))]]></rule>
<description>Detects JavaScript object properties and methods</description> <description>Detects JavaScript object properties and methods</description>
<tags> <tags>
<tag>xss</tag> <tag>xss</tag>
@ -216,7 +216,7 @@
</filter> </filter>
<filter> <filter>
<id>20</id> <id>20</id>
<rule><![CDATA[([^*:\s\w,.\/?+-]\s*)?(?<![a-z]\s)(?<![a-z_@>\|])(\s*return\s*)?(?:globalstorage|sessionstorage|postmessage|callee|constructor|content|domain|prototype|try|catch|top|call|apply|url|function|object|array|string|math|if|elseif|case|switch|regex|boolean|location|settimeout|setinterval|void|setexpression|namespace|while)(?(1)[^\w%"]|(?:\s*[^@\s\w%",.+\-]))]]></rule> <rule><![CDATA[(?:\)\s*\[)|(?:\/\w*\s*\)\s*\W)|([^*:\s\w,.\/?+-]\s*)?(?<![a-z]\s)(?<![a-z_@>\|])(\s*return\s*)?(?:globalstorage|sessionstorage|postmessage|callee|constructor|content|domain|prototype|try|catch|top|call|apply|url|function|object|array|string|math|if|for\s*(?:each)?|elseif|case|switch|regex|boolean|location|settimeout|setinterval|void|setexpression|namespace|while)(?(1)[^\w%"]|(?:\s*[^@\s\w%".+\-]))]]></rule>
<description>Detects JavaScript language constructs</description> <description>Detects JavaScript language constructs</description>
<tags> <tags>
<tag>xss</tag> <tag>xss</tag>
@ -240,7 +240,7 @@
</filter> </filter>
<filter> <filter>
<id>22</id> <id>22</id>
<rule><![CDATA[(?:[^\s]\s*=\s*script)|(?:\.\s*constructor)|(?:default\s+xml\s+namespace\s*=)|(?:\/\s*\+[^+]+\s*\+\s*\/)]]></rule> <rule><![CDATA[(?:=\s*(?:top|this|window|content|self|frames|_content))|(?:\/\s*\w*\s*[)}])|(?:[^\s]\s*=\s*script)|(?:\.\s*constructor)|(?:default\s+xml\s+namespace\s*=)|(?:\/\s*\+[^+]+\s*\+\s*\/)]]></rule>
<description>Detects advanced XSS probings via Script(), RexExp, constructors and XML namespaces</description> <description>Detects advanced XSS probings via Script(), RexExp, constructors and XML namespaces</description>
<tags> <tags>
<tag>xss</tag> <tag>xss</tag>
@ -424,7 +424,7 @@
</filter> </filter>
<filter> <filter>
<id>40</id> <id>40</id>
<rule><![CDATA[(?:"\s*(?:#|--|{))|(?:\/\*!\s?\d+)|(?:ch(?:a)?r\s*\(\s*\d)|(?:(?:(n?and|x?or|not)\s+|\|\||\&\&)\s*\w+\()]]></rule> <rule><![CDATA[(?:\)\s*when\s*\d+\s*then)|(?:"\s*(?:#|--|{))|(?:\/\*!\s?\d+)|(?:ch(?:a)?r\s*\(\s*\d)|(?:(?:(n?and|x?or|not)\s+|\|\||\&\&)\s*\w+\()]]></rule>
<description>Detects MySQL comments, conditions and ch(a)r injections</description> <description>Detects MySQL comments, conditions and ch(a)r injections</description>
<tags> <tags>
<tag>sqli</tag> <tag>sqli</tag>
@ -435,18 +435,18 @@
</filter> </filter>
<filter> <filter>
<id>41</id> <id>41</id>
<rule><![CDATA[(?:\)\s*like\s*\()|(?:having\s*[^\s]+\s*[^\w\s])|(?:if\s?\([\d\w]\s*[=<>~])]]></rule> <rule><![CDATA[(?:[\s()]case\s*\()|(?:\)\s*like\s*\()|(?:having\s*[^\s]+\s*[^\w\s])|(?:if\s?\([\d\w]\s*[=<>~])]]></rule>
<description>Detects conditional SQL injection attempts</description> <description>Detects conditional SQL injection attempts</description>
<tags> <tags>
<tag>sqli</tag> <tag>sqli</tag>
<tag>id</tag> <tag>id</tag>
<tag>lfi</tag> <tag>lfi</tag>
</tags> </tags>
<impact>4</impact> <impact>6</impact>
</filter> </filter>
<filter> <filter>
<id>42</id> <id>42</id>
<rule><![CDATA[(?:\\x(?:23|27|3d))|(?:^.?"$)|(?:^.*\\".+(?<!\\)")|(?:(?:^["\\]*(?:[\d"]+|[^"]+"))+\s*(?:n?and|x?or|not|\|\||\&\&)\s*[\w"[+&!@(),.-])|(?:[^\w\s]\w+\s*[|-]\s*"\s*\w)|(?:@\w+\s+(and|or)\s*["\d]+)|(?:@[\w-]+\s(and|or)\s*[^\w\s])|(?:[^\w\s:]\s*\d\W+[^\w\s]\s*".)]]></rule> <rule><![CDATA[(?:"\s*or\s*\d)|(?:\\x(?:23|27|3d))|(?:^.?"$)|(?:^.*\\".+(?<!\\)")|(?:(?:^["\\]*(?:[\d"]+|[^"]+"))+\s*(?:n?and|x?or|not|\|\||\&\&)\s*[\w"[+&!@(),.-])|(?:[^\w\s]\w+\s*[|-]\s*"\s*\w)|(?:@\w+\s+(and|or)\s*["\d]+)|(?:@[\w-]+\s(and|or)\s*[^\w\s])|(?:[^\w\s:]\s*\d\W+[^\w\s]\s*".)]]></rule>
<description>Detects classic SQL injection probings 1/2</description> <description>Detects classic SQL injection probings 1/2</description>
<tags> <tags>
<tag>sqli</tag> <tag>sqli</tag>
@ -490,7 +490,7 @@
</filter> </filter>
<filter> <filter>
<id>46</id> <id>46</id>
<rule><![CDATA[(?:(?:n?and|x?or|not |\|\||\&\&)\s+[\s\w+]+(?:regexp\s*\(|sounds\s+like\s*"|[=\d]+x))|("\s*\d\s*(?:--|#))|(?:"[%&<>^=]+\d\s*(=|or))|(?:"\W+[\w+-]+\s*=\s*\d\W+")|(?:"\s*is\s*\d.+"?\w)|(?:"\|?[\w-]{3,}[^\w\s.,]+")|(?:"\s*is\s*[\d.]+\s*\W.*")]]></rule> <rule><![CDATA[(?:in\s*\(+\s*select)|(?:(?:n?and|x?or|not |\|\||\&\&)\s+[\s\w+]+(?:regexp\s*\(|sounds\s+like\s*"|[=\d]+x))|("\s*\d\s*(?:--|#))|(?:"[%&<>^=]+\d\s*(=|or))|(?:"\W+[\w+-]+\s*=\s*\d\W+")|(?:"\s*is\s*\d.+"?\w)|(?:"\|?[\w-]{3,}[^\w\s.,]+")|(?:"\s*is\s*[\d.]+\s*\W.*")]]></rule>
<description>Detects basic SQL authentication bypass attempts 3/3</description> <description>Detects basic SQL authentication bypass attempts 3/3</description>
<tags> <tags>
<tag>sqli</tag> <tag>sqli</tag>
@ -501,7 +501,7 @@
</filter> </filter>
<filter> <filter>
<id>47</id> <id>47</id>
<rule><![CDATA[(?:^[\W\d]+\s*(?:union|select|create|rename|truncate|load|alter|delete|update|insert|desc))|(?:(?:select|create|rename|truncate|load|alter|delete|update|insert|desc)\s+(?:concat|char|load_file)\s?\(?)|(?:end\s*\);)|("\s+regexp\W)]]></rule> <rule><![CDATA[(?:^[\W\d]+\s*(?:union|select|create|rename|truncate|load|alter|delete|update|insert|desc))|(?:(?:select|create|rename|truncate|load|alter|delete|update|insert|desc)\s+(?:concat|char|load_file)\s?\(?)|(?:end\s*\);)|("\s+regexp\W)|(?:[\s(]load_file\s*\()]]></rule>
<description>Detects concatenated basic SQL injection and SQLLFI attempts</description> <description>Detects concatenated basic SQL injection and SQLLFI attempts</description>
<tags> <tags>
<tag>sqli</tag> <tag>sqli</tag>
@ -512,7 +512,7 @@
</filter> </filter>
<filter> <filter>
<id>48</id> <id>48</id>
<rule><![CDATA[(?:\/\w+;?\s+(?:having|and|or|select))|(?:\d\s+group\s+by.+\()|(?:(?:;|#|--)\s*(?:drop|alter))|(?:(?:;|#|--)\s*(?:update|insert)\s*\w{2,})|(?:[^\w]SET\s*@\w+)|(?:(?:n?and|x?or|not |\|\||\&\&)\s+\w+[!=+]+[\s\d]*["=(])]]></rule> <rule><![CDATA[(?:\d+\s*or\s*\d+\s*[\-+])|(?:\/\w+;?\s+(?:having|and|or|select))|(?:\d\s+group\s+by.+\()|(?:(?:;|#|--)\s*(?:drop|alter))|(?:(?:;|#|--)\s*(?:update|insert)\s*\w{2,})|(?:[^\w]SET\s*@\w+)|(?:(?:n?and|x?or|not |\|\||\&\&)[\s(]+\w+[\s)]*[!=+]+[\s\d]*["=()])]]></rule>
<description>Detects chained SQL injection attempts 1/2</description> <description>Detects chained SQL injection attempts 1/2</description>
<tags> <tags>
<tag>sqli</tag> <tag>sqli</tag>
@ -522,7 +522,7 @@
</filter> </filter>
<filter> <filter>
<id>49</id> <id>49</id>
<rule><![CDATA[(?:\*\/from)|(?:\+\s*\d+\s*\+\s*@)|(?:\w"\s*(?:[-+=|@]+\s*)+[\d(])|(?:coalesce\s*\(|@@\w+\s*[^\w\s])|(?:\W!+"\w)|(?:";\s*(?:if|while|begin))|(?:"[\s\d]+=\s*\d)|(?:order\s+by\s+if\w*\s*\()]]></rule> <rule><![CDATA[(?:\(\s*select\s*\w+\s*\()|(?:\*\/from)|(?:\+\s*\d+\s*\+\s*@)|(?:\w"\s*(?:[-+=|@]+\s*)+[\d(])|(?:coalesce\s*\(|@@\w+\s*[^\w\s])|(?:\W!+"\w)|(?:";\s*(?:if|while|begin))|(?:"[\s\d]+=\s*\d)|(?:order\s+by\s+if\w*\s*\()|(?:[\s(]+case\d*\W.+[tw]hen[\s(])]]></rule>
<description>Detects chained SQL injection attempts 2/2</description> <description>Detects chained SQL injection attempts 2/2</description>
<tags> <tags>
<tag>sqli</tag> <tag>sqli</tag>
@ -532,7 +532,7 @@
</filter> </filter>
<filter> <filter>
<id>50</id> <id>50</id>
<rule><![CDATA[(?:(select|;)\s+(?:benchmark|if|sleep)\s?\(\s?\(?\s?\w+)]]></rule> <rule><![CDATA[(?:(select|;)\s+(?:benchmark|if|sleep)\s*?\(\s*\(?\s*\w+)]]></rule>
<description>Detects SQL benchmark and sleep injection attempts including conditional queries</description> <description>Detects SQL benchmark and sleep injection attempts including conditional queries</description>
<tags> <tags>
<tag>sqli</tag> <tag>sqli</tag>
@ -582,7 +582,7 @@
</filter> </filter>
<filter> <filter>
<id>55</id> <id>55</id>
<rule><![CDATA[(?:"\s*!\s*["\w])|(?:from\s+information_schema\W)|(?:(?:(?:current_)?user|database|schema|connection_id)\s*\([^\)]*)|(?:";?\s*(?:select|union|having)\s*[^\s)|(?:\wiif\s*\()|(?:exec\s+master\.)|(?:union select @)|(?:union[\w(\s]*select)|(?:select.*\w?user\()|(?:into[\s+]+(?:dump|out)file\s*")]]></rule> <rule><![CDATA[(?:"\s*!\s*["\w])|(?:from\s+information_schema\W)|(?:(?:(?:current_)?user|database|schema|connection_id)\s*\([^\)]*)|(?:";?\s*(?:select|union|having)\s*[^\s])|(?:\wiif\s*\()|(?:exec\s+master\.)|(?:union select @)|(?:union[\w(\s]*select)|(?:select.*\w?user\()|(?:into[\s+]+(?:dump|out)file\s*")]]></rule>
<description>Detects MSSQL code execution and information gathering attempts</description> <description>Detects MSSQL code execution and information gathering attempts</description>
<tags> <tags>
<tag>sqli</tag> <tag>sqli</tag>
@ -728,4 +728,13 @@
</tags> </tags>
<impact>4</impact> <impact>4</impact>
</filter> </filter>
<filter>
<id>70</id>
<rule><![CDATA[(?:\[\$(?:ne|eq|lte?|gte?|n?in|mod|all|size|exists|type|slice|or)\])]]></rule>
<description>finds basic MongoDB SQL injection attempts</description>
<tags>
<tag>sqli</tag>
</tags>
<impact>4</impact>
</filter>
</filters> </filters>