Finalizing implementation for an Issue #290

2025-03-03 11:45:46 +03:00 · 2013-02-21 14:33:12 +01:00 · 2013-02-21 14:33:12 +01:00 · 8e49872d7c
commit 8e49872d7c
parent 6a2129268d
22 changed files with 344 additions and 25 deletions
--- a/lib/controller/checks.py
+++ b/lib/controller/checks.py
@ -36,6 +36,7 @@ from lib.core.common import readInput
 from lib.core.common import showStaticWords
 from lib.core.common import singleTimeLogMessage
 from lib.core.common import singleTimeWarnMessage
+from lib.core.common import urlencode
 from lib.core.common import wasLastResponseDBMSError
 from lib.core.common import wasLastResponseHTTPError
 from lib.core.data import conf
@ -43,6 +44,7 @@ from lib.core.data import kb
 from lib.core.data import logger
 from lib.core.datatype import AttribDict
 from lib.core.datatype import InjectionDict
+from lib.core.decorators import cachedmethod
 from lib.core.dicts import FROM_DUMMY_TABLE
 from lib.core.enums import DBMS
 from lib.core.enums import HEURISTIC_TEST
@ -1045,15 +1047,26 @@ def identifyWaf():
    infoMsg += "backend WAF/IPS/IDS protection"
    logger.info(infoMsg)

+    @cachedmethod
+    def _(*args, **kwargs):
+        try:
+            if kwargs.get("get"):
+                kwargs["get"] = urlencode(kwargs["get"])
+            kwargs["raise404"] = False
+            return Request.getPage(*args, **kwargs)
+        except Exception, ex:
+            return None, None, None
+
    retVal = False
-    page, headers, code = Request.getPage()

    for function, product, request in kb.wafFunctions:
        found = False
+
        if not request:
-            found = function(page or "", headers or {}, code)
+            found = function(_)
        else:
            pass
+
        if found:
            retVal = product
            break
@ -1063,7 +1076,7 @@ def identifyWaf():
        warnMsg += "consider usage of tamper scripts (option '--tamper')"
        logger.critical(warnMsg)
    else:
-        warnMsg = "no WAF/IDS/IPS were identified"
+        warnMsg = "WAF/IDS/IPS product not identified"
        logger.warn(warnMsg)

    return retVal
--- a/lib/core/enums.py
+++ b/lib/core/enums.py
@ -150,13 +150,9 @@ class HTTPHEADER:
    PROXY_CONNECTION = "Proxy-Connection"
    RANGE = "Range"
    REFERER = "Referer"
+    SERVER = "Server"
    USER_AGENT = "User-Agent"

-class WAF_REQUEST:
-    GET = 1
-    POST = 2
-    HEADERS = 3
-
 class EXPECTED:
    BOOL = "bool"
    INT = "int"
--- a/lib/core/option.py
+++ b/lib/core/option.py
@ -905,6 +905,9 @@ def _setWafFunctions():
            dirname, filename = os.path.split(found)
            dirname = os.path.abspath(dirname)

+            if filename == "__init__.py":
+                continue
+
            debugMsg = "loading WAF script '%s'" % filename[:-3]
            logger.debug(debugMsg)

--- a/lib/core/settings.py
+++ b/lib/core/settings.py
@ -380,7 +380,15 @@ BRUTE_TABLE_EXISTS_TEMPLATE = "EXISTS(SELECT %d FROM %s)"
 BRUTE_COLUMN_EXISTS_TEMPLATE = "EXISTS(SELECT %s FROM %s)"

 # Payload used for checking of existence of IDS/WAF (dummier the better)
-IDS_WAF_CHECK_PAYLOAD = "AND 1=1 UNION ALL SELECT 1,2,3,table_name FROM information_schema.tables"
+IDS_WAF_CHECK_PAYLOAD = "AND 1=1 UNION ALL SELECT 1,2,3,table_name FROM information_schema.tables WHERE 2>1"
+
+# Vectors used for provoking specific WAF/IDS/IPS behavior(s)
+WAF_ATTACK_VECTORS = (
+                        "search=<script>alert(1)</script>",
+                        "file=../../../../etc/passwd",
+                        "q=<invalid>foobar",
+                        "id=1 %s" % IDS_WAF_CHECK_PAYLOAD
+                     )

 # Used for status representation in dictionary attack phase
 ROTATING_CHARS = ('\\', '|', '|', '/', '-')
--- a/waf/init.py
+++ b/waf/init.py
@ -0,0 +1,8 @@
+#!/usr/bin/env python
+
+"""
+Copyright (c) 2006-2013 sqlmap developers (http://sqlmap.org/)
+See the file 'doc/COPYING' for copying permission
+"""
+
+pass
--- a/waf/airlock.py
+++ b/waf/airlock.py
@ -0,0 +1,16 @@
+#!/usr/bin/env python
+
+"""
+Copyright (c) 2006-2013 sqlmap developers (http://sqlmap.org/)
+See the file 'doc/COPYING' for copying permission
+"""
+
+import re
+
+from lib.core.enums import HTTPHEADER
+
+__product__ = "Airlock (Phion/Ergon)"
+
+def detect(get_page):
+    page, headers, code = get_page()
+    return re.search(r"\AAL[_-]?(SESS|LB)=", headers.get(HTTPHEADER.SET_COOKIE, ""), re.I) is not None
--- a/waf/barracuda.py
+++ b/waf/barracuda.py
@ -0,0 +1,16 @@
+#!/usr/bin/env python
+
+"""
+Copyright (c) 2006-2013 sqlmap developers (http://sqlmap.org/)
+See the file 'doc/COPYING' for copying permission
+"""
+
+import re
+
+from lib.core.enums import HTTPHEADER
+
+__product__ = "Barracuda Web Application Firewall (Barracuda Networks)"
+
+def detect(get_page):
+    page, headers, code = get_page()
+    return re.search(r"\Abarra_counter_session=", headers.get(HTTPHEADER.SET_COOKIE, ""), re.I) is not None
--- a/waf/bigip.py
+++ b/waf/bigip.py
@ -0,0 +1,26 @@
+#!/usr/bin/env python
+
+"""
+Copyright (c) 2006-2013 sqlmap developers (http://sqlmap.org/)
+See the file 'doc/COPYING' for copying permission
+"""
+
+import re
+
+from lib.core.enums import HTTPHEADER
+from lib.core.settings import WAF_ATTACK_VECTORS
+
+__product__ = "BIG-IP Application Security Manager (F5 Networks)"
+
+def detect(get_page):
+    page, headers, code = get_page()
+    retval = re.search(r"\ATS[a-zA-Z0-9]{3,6}=", headers.get(HTTPHEADER.SET_COOKIE, ""), re.I) is not None
+
+    if not retval:
+        for vector in WAF_ATTACK_VECTORS:
+            page, headers, code = get_page(get=vector)
+            retval = headers.get("X-Cnection", "").lower() == "close"
+            if retval:
+                break
+
+    return retval
--- a/waf/binarysec.py
+++ b/waf/binarysec.py
@ -0,0 +1,16 @@
+#!/usr/bin/env python
+
+"""
+Copyright (c) 2006-2013 sqlmap developers (http://sqlmap.org/)
+See the file 'doc/COPYING' for copying permission
+"""
+
+import re
+
+from lib.core.enums import HTTPHEADER
+
+__product__ = "BinarySEC Web Application Firewall (BinarySEC)"
+
+def detect(get_page):
+    page, headers, code = get_page()
+    return re.search(r"BinarySec", headers.get(HTTPHEADER.SERVER, ""), re.I) is not None
--- a/waf/datapower.py
+++ b/waf/datapower.py
@ -0,0 +1,14 @@
+#!/usr/bin/env python
+
+"""
+Copyright (c) 2006-2013 sqlmap developers (http://sqlmap.org/)
+See the file 'doc/COPYING' for copying permission
+"""
+
+import re
+
+__product__ = "IBM WebSphere DataPower (IBM)"
+
+def detect(get_page):
+    page, headers, code = get_page()
+    return re.search(r"\A(OK|FAIL)", headers.get("X-Backside-Transport", ""), re.I) is not None
--- a/waf/denyall.py
+++ b/waf/denyall.py
@ -0,0 +1,26 @@
+#!/usr/bin/env python
+
+"""
+Copyright (c) 2006-2013 sqlmap developers (http://sqlmap.org/)
+See the file 'doc/COPYING' for copying permission
+"""
+
+import re
+
+from lib.core.enums import HTTPHEADER
+from lib.core.settings import WAF_ATTACK_VECTORS
+
+__product__ = "Deny All Web Application Firewall (DenyAll)"
+
+def detect(get_page):
+    page, headers, code = get_page()
+    retval = re.search(r"\Asessioncookie=", headers.get(HTTPHEADER.SET_COOKIE, ""), re.I) is not None
+
+    if not retval:
+        for vector in WAF_ATTACK_VECTORS:
+            page, headers, code = get_page(get=vector)
+            retval = code == 200 and re.search(r"\ACondition Intercepted", page, re.I) is not None
+            if retval:
+                break
+
+    return retval
--- a/waf/dotdefender.py
+++ b/waf/dotdefender.py
@ -0,0 +1,21 @@
+#!/usr/bin/env python
+
+"""
+Copyright (c) 2006-2013 sqlmap developers (http://sqlmap.org/)
+See the file 'doc/COPYING' for copying permission
+"""
+
+from lib.core.settings import WAF_ATTACK_VECTORS
+
+__product__ = "dotDefender (Applicure Technologies)"
+
+def detect(get_page):
+    retval = False
+
+    for vector in WAF_ATTACK_VECTORS:
+        page, headers, code = get_page(get=vector)
+        retVal = headers.get("X-dotDefender-denied", "") == 1
+        if retVal:
+            break
+
+    return retval
--- a/waf/f5asm.py
+++ b/waf/f5asm.py
@ -1,16 +0,0 @@
-#!/usr/bin/env python
-
-"""
-Copyright (c) 2006-2013 sqlmap developers (http://sqlmap.org/)
-See the file 'doc/COPYING' for copying permission
-"""
-
-import re
-
-from lib.core.enums import HTTPHEADER
-
-__product__ = "F5 Networks BIG-IP Application Security Manager (ASM)"
-__request__ = ()
-
-def detect(page, headers, code):
-    return re.search(r"^TS[a-zA-Z0-9]{3,6}=", headers.get(HTTPHEADER.SET_COOKIE, "")) is not None
--- a/waf/hyperguard.py
+++ b/waf/hyperguard.py
@ -0,0 +1,16 @@
+#!/usr/bin/env python
+
+"""
+Copyright (c) 2006-2013 sqlmap developers (http://sqlmap.org/)
+See the file 'doc/COPYING' for copying permission
+"""
+
+import re
+
+from lib.core.enums import HTTPHEADER
+
+__product__ = "Hyperguard Web Application Firewall (art of defence Inc.)"
+
+def detect(get_page):
+    page, headers, code = get_page()
+    return re.search(r"\AODSESSION=", headers.get(HTTPHEADER.SET_COOKIE, ""), re.I) is not None
--- a/waf/modsecurity.py
+++ b/waf/modsecurity.py
@ -0,0 +1,24 @@
+#!/usr/bin/env python
+
+"""
+Copyright (c) 2006-2013 sqlmap developers (http://sqlmap.org/)
+See the file 'doc/COPYING' for copying permission
+"""
+
+import re
+
+from lib.core.enums import HTTPHEADER
+from lib.core.settings import WAF_ATTACK_VECTORS
+
+__product__ = "ModSecurity: Open Source Web Application Firewall (Trustwave)"
+
+def detect(get_page):
+    retval = False
+
+    for vector in WAF_ATTACK_VECTORS:
+        page, headers, code = get_page(get=vector)
+        if code == 501:
+            retVal = True
+            break
+
+    return retval
--- a/waf/netcontinuum.py
+++ b/waf/netcontinuum.py
@ -0,0 +1,16 @@
+#!/usr/bin/env python
+
+"""
+Copyright (c) 2006-2013 sqlmap developers (http://sqlmap.org/)
+See the file 'doc/COPYING' for copying permission
+"""
+
+import re
+
+from lib.core.enums import HTTPHEADER
+
+__product__ = "NetContinuum Web Application Firewall (NetContinuum/Barracuda Networks)"
+
+def detect(get_page):
+    page, headers, code = get_page()
+    return re.search(r"\ANCI__SessionId=", headers.get(HTTPHEADER.SET_COOKIE, ""), re.I) is not None
--- a/waf/netscaler.py
+++ b/waf/netscaler.py
@ -0,0 +1,26 @@
+#!/usr/bin/env python
+
+"""
+Copyright (c) 2006-2013 sqlmap developers (http://sqlmap.org/)
+See the file 'doc/COPYING' for copying permission
+"""
+
+import re
+
+from lib.core.enums import HTTPHEADER
+from lib.core.settings import WAF_ATTACK_VECTORS
+
+__product__ = "NetScaler (Citrix Systems)"
+
+def detect(get_page):
+    page, headers, code = get_page()
+    retval = re.search(r"\A(ns_af=|citrix_ns_id|NSC_)", headers.get(HTTPHEADER.SET_COOKIE, ""), re.I) is not None
+
+    if not retval:
+        for vector in WAF_ATTACK_VECTORS:
+            page, headers, code = get_page(get=vector)
+            retval = re.search(r"\Aclose", headers.get("Cneonction", "") or headers.get("nnCoection", ""), re.I) is not None
+            if retval:
+                break
+
+    return retval
--- a/waf/profense.py
+++ b/waf/profense.py
@ -0,0 +1,16 @@
+#!/usr/bin/env python
+
+"""
+Copyright (c) 2006-2013 sqlmap developers (http://sqlmap.org/)
+See the file 'doc/COPYING' for copying permission
+"""
+
+import re
+
+from lib.core.enums import HTTPHEADER
+
+__product__ = "Profense Web Application Firewall (Armorlogic)"
+
+def detect(get_page):
+    page, headers, code = get_page()
+    return re.search(r"Profense", headers.get(HTTPHEADER.SERVER, ""), re.I) is not None
--- a/waf/proventia.py
+++ b/waf/proventia.py
@ -0,0 +1,21 @@
+#!/usr/bin/env python
+
+"""
+Copyright (c) 2006-2013 sqlmap developers (http://sqlmap.org/)
+See the file 'doc/COPYING' for copying permission
+"""
+
+import re
+
+from lib.core.data import kb
+from lib.core.enums import HTTPHEADER
+from lib.core.settings import WAF_ATTACK_VECTORS
+
+__product__ = "Proventia Web Application Security (IBM)"
+
+def detect(get_page):
+    page, headers, code = get_page()
+    if page is None:
+        return False
+    page, headers, code = get_page(url="/Admin_Files/")
+    return page is None
--- a/waf/teros.py
+++ b/waf/teros.py
@ -0,0 +1,16 @@
+#!/usr/bin/env python
+
+"""
+Copyright (c) 2006-2013 sqlmap developers (http://sqlmap.org/)
+See the file 'doc/COPYING' for copying permission
+"""
+
+import re
+
+from lib.core.enums import HTTPHEADER
+
+__product__ = "ISV Teros Web Application Firewall (Teros/Citrix Systems)"
+
+def detect(get_page):
+    page, headers, code = get_page()
+    return re.search(r"\Ast8id=", headers.get(HTTPHEADER.SET_COOKIE, ""), re.I) is not None
--- a/waf/trafficshield.py
+++ b/waf/trafficshield.py
@ -0,0 +1,16 @@
+#!/usr/bin/env python
+
+"""
+Copyright (c) 2006-2013 sqlmap developers (http://sqlmap.org/)
+See the file 'doc/COPYING' for copying permission
+"""
+
+import re
+
+from lib.core.enums import HTTPHEADER
+
+__product__ = "TrafficShield (F5 Networks)"
+
+def detect(get_page):
+    page, headers, code = get_page()
+    return (re.search(r"\AASINFO=", headers.get(HTTPHEADER.COOKIE, ""), re.I) or re.search(r"F5-TrafficShield", headers.get(HTTPHEADER.SERVER, ""), re.I)) is not None
--- a/waf/webappsecure.py
+++ b/waf/webappsecure.py
@ -0,0 +1,21 @@
+#!/usr/bin/env python
+
+"""
+Copyright (c) 2006-2013 sqlmap developers (http://sqlmap.org/)
+See the file 'doc/COPYING' for copying permission
+"""
+
+import re
+
+from lib.core.data import kb
+from lib.core.enums import HTTPHEADER
+from lib.core.settings import WAF_ATTACK_VECTORS
+
+__product__ = "webApp.secure (webScurity)"
+
+def detect(get_page):
+    page, headers, code = get_page()
+    if code == 403:
+        return False
+    page, headers, code = get_page(get="nx=@@")
+    return code == 403