mirror of
https://github.com/sqlmapproject/sqlmap.git
synced 2025-03-03 11:45:46 +03:00
Finalizing implementation for an Issue #290
This commit is contained in:
parent
6a2129268d
commit
8e49872d7c
|
@ -36,6 +36,7 @@ from lib.core.common import readInput
|
|||
from lib.core.common import showStaticWords
|
||||
from lib.core.common import singleTimeLogMessage
|
||||
from lib.core.common import singleTimeWarnMessage
|
||||
from lib.core.common import urlencode
|
||||
from lib.core.common import wasLastResponseDBMSError
|
||||
from lib.core.common import wasLastResponseHTTPError
|
||||
from lib.core.data import conf
|
||||
|
@ -43,6 +44,7 @@ from lib.core.data import kb
|
|||
from lib.core.data import logger
|
||||
from lib.core.datatype import AttribDict
|
||||
from lib.core.datatype import InjectionDict
|
||||
from lib.core.decorators import cachedmethod
|
||||
from lib.core.dicts import FROM_DUMMY_TABLE
|
||||
from lib.core.enums import DBMS
|
||||
from lib.core.enums import HEURISTIC_TEST
|
||||
|
@ -1045,15 +1047,26 @@ def identifyWaf():
|
|||
infoMsg += "backend WAF/IPS/IDS protection"
|
||||
logger.info(infoMsg)
|
||||
|
||||
@cachedmethod
|
||||
def _(*args, **kwargs):
|
||||
try:
|
||||
if kwargs.get("get"):
|
||||
kwargs["get"] = urlencode(kwargs["get"])
|
||||
kwargs["raise404"] = False
|
||||
return Request.getPage(*args, **kwargs)
|
||||
except Exception, ex:
|
||||
return None, None, None
|
||||
|
||||
retVal = False
|
||||
page, headers, code = Request.getPage()
|
||||
|
||||
for function, product, request in kb.wafFunctions:
|
||||
found = False
|
||||
|
||||
if not request:
|
||||
found = function(page or "", headers or {}, code)
|
||||
found = function(_)
|
||||
else:
|
||||
pass
|
||||
|
||||
if found:
|
||||
retVal = product
|
||||
break
|
||||
|
@ -1063,7 +1076,7 @@ def identifyWaf():
|
|||
warnMsg += "consider usage of tamper scripts (option '--tamper')"
|
||||
logger.critical(warnMsg)
|
||||
else:
|
||||
warnMsg = "no WAF/IDS/IPS were identified"
|
||||
warnMsg = "WAF/IDS/IPS product not identified"
|
||||
logger.warn(warnMsg)
|
||||
|
||||
return retVal
|
||||
|
|
|
@ -150,13 +150,9 @@ class HTTPHEADER:
|
|||
PROXY_CONNECTION = "Proxy-Connection"
|
||||
RANGE = "Range"
|
||||
REFERER = "Referer"
|
||||
SERVER = "Server"
|
||||
USER_AGENT = "User-Agent"
|
||||
|
||||
class WAF_REQUEST:
|
||||
GET = 1
|
||||
POST = 2
|
||||
HEADERS = 3
|
||||
|
||||
class EXPECTED:
|
||||
BOOL = "bool"
|
||||
INT = "int"
|
||||
|
|
|
@ -905,6 +905,9 @@ def _setWafFunctions():
|
|||
dirname, filename = os.path.split(found)
|
||||
dirname = os.path.abspath(dirname)
|
||||
|
||||
if filename == "__init__.py":
|
||||
continue
|
||||
|
||||
debugMsg = "loading WAF script '%s'" % filename[:-3]
|
||||
logger.debug(debugMsg)
|
||||
|
||||
|
|
|
@ -380,7 +380,15 @@ BRUTE_TABLE_EXISTS_TEMPLATE = "EXISTS(SELECT %d FROM %s)"
|
|||
BRUTE_COLUMN_EXISTS_TEMPLATE = "EXISTS(SELECT %s FROM %s)"
|
||||
|
||||
# Payload used for checking of existence of IDS/WAF (dummier the better)
|
||||
IDS_WAF_CHECK_PAYLOAD = "AND 1=1 UNION ALL SELECT 1,2,3,table_name FROM information_schema.tables"
|
||||
IDS_WAF_CHECK_PAYLOAD = "AND 1=1 UNION ALL SELECT 1,2,3,table_name FROM information_schema.tables WHERE 2>1"
|
||||
|
||||
# Vectors used for provoking specific WAF/IDS/IPS behavior(s)
|
||||
WAF_ATTACK_VECTORS = (
|
||||
"search=<script>alert(1)</script>",
|
||||
"file=../../../../etc/passwd",
|
||||
"q=<invalid>foobar",
|
||||
"id=1 %s" % IDS_WAF_CHECK_PAYLOAD
|
||||
)
|
||||
|
||||
# Used for status representation in dictionary attack phase
|
||||
ROTATING_CHARS = ('\\', '|', '|', '/', '-')
|
||||
|
|
8
waf/__init__.py
Normal file
8
waf/__init__.py
Normal file
|
@ -0,0 +1,8 @@
|
|||
#!/usr/bin/env python
|
||||
|
||||
"""
|
||||
Copyright (c) 2006-2013 sqlmap developers (http://sqlmap.org/)
|
||||
See the file 'doc/COPYING' for copying permission
|
||||
"""
|
||||
|
||||
pass
|
16
waf/airlock.py
Normal file
16
waf/airlock.py
Normal file
|
@ -0,0 +1,16 @@
|
|||
#!/usr/bin/env python
|
||||
|
||||
"""
|
||||
Copyright (c) 2006-2013 sqlmap developers (http://sqlmap.org/)
|
||||
See the file 'doc/COPYING' for copying permission
|
||||
"""
|
||||
|
||||
import re
|
||||
|
||||
from lib.core.enums import HTTPHEADER
|
||||
|
||||
__product__ = "Airlock (Phion/Ergon)"
|
||||
|
||||
def detect(get_page):
|
||||
page, headers, code = get_page()
|
||||
return re.search(r"\AAL[_-]?(SESS|LB)=", headers.get(HTTPHEADER.SET_COOKIE, ""), re.I) is not None
|
16
waf/barracuda.py
Normal file
16
waf/barracuda.py
Normal file
|
@ -0,0 +1,16 @@
|
|||
#!/usr/bin/env python
|
||||
|
||||
"""
|
||||
Copyright (c) 2006-2013 sqlmap developers (http://sqlmap.org/)
|
||||
See the file 'doc/COPYING' for copying permission
|
||||
"""
|
||||
|
||||
import re
|
||||
|
||||
from lib.core.enums import HTTPHEADER
|
||||
|
||||
__product__ = "Barracuda Web Application Firewall (Barracuda Networks)"
|
||||
|
||||
def detect(get_page):
|
||||
page, headers, code = get_page()
|
||||
return re.search(r"\Abarra_counter_session=", headers.get(HTTPHEADER.SET_COOKIE, ""), re.I) is not None
|
26
waf/bigip.py
Normal file
26
waf/bigip.py
Normal file
|
@ -0,0 +1,26 @@
|
|||
#!/usr/bin/env python
|
||||
|
||||
"""
|
||||
Copyright (c) 2006-2013 sqlmap developers (http://sqlmap.org/)
|
||||
See the file 'doc/COPYING' for copying permission
|
||||
"""
|
||||
|
||||
import re
|
||||
|
||||
from lib.core.enums import HTTPHEADER
|
||||
from lib.core.settings import WAF_ATTACK_VECTORS
|
||||
|
||||
__product__ = "BIG-IP Application Security Manager (F5 Networks)"
|
||||
|
||||
def detect(get_page):
|
||||
page, headers, code = get_page()
|
||||
retval = re.search(r"\ATS[a-zA-Z0-9]{3,6}=", headers.get(HTTPHEADER.SET_COOKIE, ""), re.I) is not None
|
||||
|
||||
if not retval:
|
||||
for vector in WAF_ATTACK_VECTORS:
|
||||
page, headers, code = get_page(get=vector)
|
||||
retval = headers.get("X-Cnection", "").lower() == "close"
|
||||
if retval:
|
||||
break
|
||||
|
||||
return retval
|
16
waf/binarysec.py
Normal file
16
waf/binarysec.py
Normal file
|
@ -0,0 +1,16 @@
|
|||
#!/usr/bin/env python
|
||||
|
||||
"""
|
||||
Copyright (c) 2006-2013 sqlmap developers (http://sqlmap.org/)
|
||||
See the file 'doc/COPYING' for copying permission
|
||||
"""
|
||||
|
||||
import re
|
||||
|
||||
from lib.core.enums import HTTPHEADER
|
||||
|
||||
__product__ = "BinarySEC Web Application Firewall (BinarySEC)"
|
||||
|
||||
def detect(get_page):
|
||||
page, headers, code = get_page()
|
||||
return re.search(r"BinarySec", headers.get(HTTPHEADER.SERVER, ""), re.I) is not None
|
14
waf/datapower.py
Normal file
14
waf/datapower.py
Normal file
|
@ -0,0 +1,14 @@
|
|||
#!/usr/bin/env python
|
||||
|
||||
"""
|
||||
Copyright (c) 2006-2013 sqlmap developers (http://sqlmap.org/)
|
||||
See the file 'doc/COPYING' for copying permission
|
||||
"""
|
||||
|
||||
import re
|
||||
|
||||
__product__ = "IBM WebSphere DataPower (IBM)"
|
||||
|
||||
def detect(get_page):
|
||||
page, headers, code = get_page()
|
||||
return re.search(r"\A(OK|FAIL)", headers.get("X-Backside-Transport", ""), re.I) is not None
|
26
waf/denyall.py
Normal file
26
waf/denyall.py
Normal file
|
@ -0,0 +1,26 @@
|
|||
#!/usr/bin/env python
|
||||
|
||||
"""
|
||||
Copyright (c) 2006-2013 sqlmap developers (http://sqlmap.org/)
|
||||
See the file 'doc/COPYING' for copying permission
|
||||
"""
|
||||
|
||||
import re
|
||||
|
||||
from lib.core.enums import HTTPHEADER
|
||||
from lib.core.settings import WAF_ATTACK_VECTORS
|
||||
|
||||
__product__ = "Deny All Web Application Firewall (DenyAll)"
|
||||
|
||||
def detect(get_page):
|
||||
page, headers, code = get_page()
|
||||
retval = re.search(r"\Asessioncookie=", headers.get(HTTPHEADER.SET_COOKIE, ""), re.I) is not None
|
||||
|
||||
if not retval:
|
||||
for vector in WAF_ATTACK_VECTORS:
|
||||
page, headers, code = get_page(get=vector)
|
||||
retval = code == 200 and re.search(r"\ACondition Intercepted", page, re.I) is not None
|
||||
if retval:
|
||||
break
|
||||
|
||||
return retval
|
21
waf/dotdefender.py
Normal file
21
waf/dotdefender.py
Normal file
|
@ -0,0 +1,21 @@
|
|||
#!/usr/bin/env python
|
||||
|
||||
"""
|
||||
Copyright (c) 2006-2013 sqlmap developers (http://sqlmap.org/)
|
||||
See the file 'doc/COPYING' for copying permission
|
||||
"""
|
||||
|
||||
from lib.core.settings import WAF_ATTACK_VECTORS
|
||||
|
||||
__product__ = "dotDefender (Applicure Technologies)"
|
||||
|
||||
def detect(get_page):
|
||||
retval = False
|
||||
|
||||
for vector in WAF_ATTACK_VECTORS:
|
||||
page, headers, code = get_page(get=vector)
|
||||
retVal = headers.get("X-dotDefender-denied", "") == 1
|
||||
if retVal:
|
||||
break
|
||||
|
||||
return retval
|
16
waf/f5asm.py
16
waf/f5asm.py
|
@ -1,16 +0,0 @@
|
|||
#!/usr/bin/env python
|
||||
|
||||
"""
|
||||
Copyright (c) 2006-2013 sqlmap developers (http://sqlmap.org/)
|
||||
See the file 'doc/COPYING' for copying permission
|
||||
"""
|
||||
|
||||
import re
|
||||
|
||||
from lib.core.enums import HTTPHEADER
|
||||
|
||||
__product__ = "F5 Networks BIG-IP Application Security Manager (ASM)"
|
||||
__request__ = ()
|
||||
|
||||
def detect(page, headers, code):
|
||||
return re.search(r"^TS[a-zA-Z0-9]{3,6}=", headers.get(HTTPHEADER.SET_COOKIE, "")) is not None
|
16
waf/hyperguard.py
Normal file
16
waf/hyperguard.py
Normal file
|
@ -0,0 +1,16 @@
|
|||
#!/usr/bin/env python
|
||||
|
||||
"""
|
||||
Copyright (c) 2006-2013 sqlmap developers (http://sqlmap.org/)
|
||||
See the file 'doc/COPYING' for copying permission
|
||||
"""
|
||||
|
||||
import re
|
||||
|
||||
from lib.core.enums import HTTPHEADER
|
||||
|
||||
__product__ = "Hyperguard Web Application Firewall (art of defence Inc.)"
|
||||
|
||||
def detect(get_page):
|
||||
page, headers, code = get_page()
|
||||
return re.search(r"\AODSESSION=", headers.get(HTTPHEADER.SET_COOKIE, ""), re.I) is not None
|
24
waf/modsecurity.py
Normal file
24
waf/modsecurity.py
Normal file
|
@ -0,0 +1,24 @@
|
|||
#!/usr/bin/env python
|
||||
|
||||
"""
|
||||
Copyright (c) 2006-2013 sqlmap developers (http://sqlmap.org/)
|
||||
See the file 'doc/COPYING' for copying permission
|
||||
"""
|
||||
|
||||
import re
|
||||
|
||||
from lib.core.enums import HTTPHEADER
|
||||
from lib.core.settings import WAF_ATTACK_VECTORS
|
||||
|
||||
__product__ = "ModSecurity: Open Source Web Application Firewall (Trustwave)"
|
||||
|
||||
def detect(get_page):
|
||||
retval = False
|
||||
|
||||
for vector in WAF_ATTACK_VECTORS:
|
||||
page, headers, code = get_page(get=vector)
|
||||
if code == 501:
|
||||
retVal = True
|
||||
break
|
||||
|
||||
return retval
|
16
waf/netcontinuum.py
Normal file
16
waf/netcontinuum.py
Normal file
|
@ -0,0 +1,16 @@
|
|||
#!/usr/bin/env python
|
||||
|
||||
"""
|
||||
Copyright (c) 2006-2013 sqlmap developers (http://sqlmap.org/)
|
||||
See the file 'doc/COPYING' for copying permission
|
||||
"""
|
||||
|
||||
import re
|
||||
|
||||
from lib.core.enums import HTTPHEADER
|
||||
|
||||
__product__ = "NetContinuum Web Application Firewall (NetContinuum/Barracuda Networks)"
|
||||
|
||||
def detect(get_page):
|
||||
page, headers, code = get_page()
|
||||
return re.search(r"\ANCI__SessionId=", headers.get(HTTPHEADER.SET_COOKIE, ""), re.I) is not None
|
26
waf/netscaler.py
Normal file
26
waf/netscaler.py
Normal file
|
@ -0,0 +1,26 @@
|
|||
#!/usr/bin/env python
|
||||
|
||||
"""
|
||||
Copyright (c) 2006-2013 sqlmap developers (http://sqlmap.org/)
|
||||
See the file 'doc/COPYING' for copying permission
|
||||
"""
|
||||
|
||||
import re
|
||||
|
||||
from lib.core.enums import HTTPHEADER
|
||||
from lib.core.settings import WAF_ATTACK_VECTORS
|
||||
|
||||
__product__ = "NetScaler (Citrix Systems)"
|
||||
|
||||
def detect(get_page):
|
||||
page, headers, code = get_page()
|
||||
retval = re.search(r"\A(ns_af=|citrix_ns_id|NSC_)", headers.get(HTTPHEADER.SET_COOKIE, ""), re.I) is not None
|
||||
|
||||
if not retval:
|
||||
for vector in WAF_ATTACK_VECTORS:
|
||||
page, headers, code = get_page(get=vector)
|
||||
retval = re.search(r"\Aclose", headers.get("Cneonction", "") or headers.get("nnCoection", ""), re.I) is not None
|
||||
if retval:
|
||||
break
|
||||
|
||||
return retval
|
16
waf/profense.py
Normal file
16
waf/profense.py
Normal file
|
@ -0,0 +1,16 @@
|
|||
#!/usr/bin/env python
|
||||
|
||||
"""
|
||||
Copyright (c) 2006-2013 sqlmap developers (http://sqlmap.org/)
|
||||
See the file 'doc/COPYING' for copying permission
|
||||
"""
|
||||
|
||||
import re
|
||||
|
||||
from lib.core.enums import HTTPHEADER
|
||||
|
||||
__product__ = "Profense Web Application Firewall (Armorlogic)"
|
||||
|
||||
def detect(get_page):
|
||||
page, headers, code = get_page()
|
||||
return re.search(r"Profense", headers.get(HTTPHEADER.SERVER, ""), re.I) is not None
|
21
waf/proventia.py
Normal file
21
waf/proventia.py
Normal file
|
@ -0,0 +1,21 @@
|
|||
#!/usr/bin/env python
|
||||
|
||||
"""
|
||||
Copyright (c) 2006-2013 sqlmap developers (http://sqlmap.org/)
|
||||
See the file 'doc/COPYING' for copying permission
|
||||
"""
|
||||
|
||||
import re
|
||||
|
||||
from lib.core.data import kb
|
||||
from lib.core.enums import HTTPHEADER
|
||||
from lib.core.settings import WAF_ATTACK_VECTORS
|
||||
|
||||
__product__ = "Proventia Web Application Security (IBM)"
|
||||
|
||||
def detect(get_page):
|
||||
page, headers, code = get_page()
|
||||
if page is None:
|
||||
return False
|
||||
page, headers, code = get_page(url="/Admin_Files/")
|
||||
return page is None
|
16
waf/teros.py
Normal file
16
waf/teros.py
Normal file
|
@ -0,0 +1,16 @@
|
|||
#!/usr/bin/env python
|
||||
|
||||
"""
|
||||
Copyright (c) 2006-2013 sqlmap developers (http://sqlmap.org/)
|
||||
See the file 'doc/COPYING' for copying permission
|
||||
"""
|
||||
|
||||
import re
|
||||
|
||||
from lib.core.enums import HTTPHEADER
|
||||
|
||||
__product__ = "ISV Teros Web Application Firewall (Teros/Citrix Systems)"
|
||||
|
||||
def detect(get_page):
|
||||
page, headers, code = get_page()
|
||||
return re.search(r"\Ast8id=", headers.get(HTTPHEADER.SET_COOKIE, ""), re.I) is not None
|
16
waf/trafficshield.py
Normal file
16
waf/trafficshield.py
Normal file
|
@ -0,0 +1,16 @@
|
|||
#!/usr/bin/env python
|
||||
|
||||
"""
|
||||
Copyright (c) 2006-2013 sqlmap developers (http://sqlmap.org/)
|
||||
See the file 'doc/COPYING' for copying permission
|
||||
"""
|
||||
|
||||
import re
|
||||
|
||||
from lib.core.enums import HTTPHEADER
|
||||
|
||||
__product__ = "TrafficShield (F5 Networks)"
|
||||
|
||||
def detect(get_page):
|
||||
page, headers, code = get_page()
|
||||
return (re.search(r"\AASINFO=", headers.get(HTTPHEADER.COOKIE, ""), re.I) or re.search(r"F5-TrafficShield", headers.get(HTTPHEADER.SERVER, ""), re.I)) is not None
|
21
waf/webappsecure.py
Normal file
21
waf/webappsecure.py
Normal file
|
@ -0,0 +1,21 @@
|
|||
#!/usr/bin/env python
|
||||
|
||||
"""
|
||||
Copyright (c) 2006-2013 sqlmap developers (http://sqlmap.org/)
|
||||
See the file 'doc/COPYING' for copying permission
|
||||
"""
|
||||
|
||||
import re
|
||||
|
||||
from lib.core.data import kb
|
||||
from lib.core.enums import HTTPHEADER
|
||||
from lib.core.settings import WAF_ATTACK_VECTORS
|
||||
|
||||
__product__ = "webApp.secure (webScurity)"
|
||||
|
||||
def detect(get_page):
|
||||
page, headers, code = get_page()
|
||||
if code == 403:
|
||||
return False
|
||||
page, headers, code = get_page(get="nx=@@")
|
||||
return code == 403
|
Loading…
Reference in New Issue
Block a user