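def doline(logline):
    """Scan one access-log line and print each query value libinjection flags.

    Expected input looks like ``...GET /diagnostics?id=%22union+select HTTP/1.1``;
    the module-level ``logre`` must capture the query string as group 1.
    Lines that do not match are ignored.  Flagged values are printed
    url-quoted so each lands on one line as a single token.

    Returns nothing; output goes to stdout.
    """
    mo = logre.search(logline)
    if not mo:
        return
    for _key, val in urlparse.parse_qsl(mo.group(1)):
        # parse_qsl has already url-decoded the value once; this is a second
        # decoding pass -- presumably for log entries whose value was encoded
        # twice (TODO confirm against the log producer).  Be aware that a
        # single-encoded value containing a literal "%xx" sequence is altered
        # by the second pass, so the string tested here can differ from what
        # the application actually received.
        val = urllib.unquote(val)
        if libinjection.detectsqli(val):
            print(urllib.quote(val))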
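def get(self):
    """Diagnostic endpoint: run libinjection over every ``id`` query value.

    This is driven by an external scanner rather than a browser; the
    response title and status code are the signal:

      * no ``id``, or a single value that ``boring()`` deems uninteresting
        -> 200, title "safe", nothing logged;
      * at least one value flagged as SQLi -> 200, title "sqli";
      * values present but none flagged -> increment the module-level
        ``count``, log each stripped value with its result and fingerprint,
        and answer 500 with title "safe" so the scanner can record the miss.
    """
    global count
    params = self.request.arguments.get('id', [])
    if not params or (len(params) == 1 and boring(params[0])):
        self.write("<html><head><title>safe</title></head><body></body></html>")
        return

    # any() stops at the first hit, like the original break-on-first loop.
    if any(libinjection.detectsqli(arg) for arg in params):
        self.write("<html><head><title>sqli</title></head><body></body></html>")
        return

    # Nothing detected: this is a miss worth recording.
    count += 1
    for arg in (p.strip() for p in params):
        extra = {}
        sqli = libinjection.detectsqli(arg, extra)
        # NOTE(review): ``arg`` is request-controlled and logged verbatim.
        # Embedded tabs/newlines break this tab-separated record and permit
        # log forging; if the log is machine-parsed, quote it first
        # (e.g. urllib.quote_plus(arg)).
        logging.error("\t%s\t%s\t%s\n", arg, sqli, extra['fingerprint'])
    self.set_status(500)
    self.write("<html><head><title>safe</title></head><body></body></html>")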
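def doline(logline):
    """Print every libinjection-flagged query value found in one log line.

    ``logline`` is an access-log entry such as
    ``...GET /diagnostics?id=%22union+select HTTP/1.1``; group 1 of the
    module-level ``logre`` must be the query string.  Non-matching lines
    produce no output.  Each flagged value is printed url-quoted so it
    occupies exactly one line.

    Returns nothing.
    """
    match = logre.search(logline)
    if match is None:
        return
    for _name, value in urlparse.parse_qsl(match.group(1)):
        # Second url-decode on top of parse_qsl's own decoding -- presumably
        # to handle values that were encoded twice in the log (TODO confirm).
        # A value that was encoded only once and contains a literal "%xx" is
        # changed by this extra pass, so what libinjection sees here may not
        # be what the application saw.
        value = urllib.unquote(value)
        if libinjection.detectsqli(value):
            print(urllib.quote(value))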
def get(self):
    """Render the interactive libinjection diagnostic form.

    Every query argument (not only ``id``) is url-decoded once more, run
    through ``libinjection.detectsqli`` and listed with its result and
    fingerprint.  ``is_sqli`` is true if any value was flagged.  The
    ``id`` value is echoed back into the form only when exactly one was
    supplied.
    """
    ids = self.request.arguments.get('id', [])
    formvalue = ids[0] if len(ids) == 1 else ''

    rows = []
    any_sqli = False
    scratch = {}
    for name, values in self.request.arguments.iteritems():
        for raw in values:
            # Decode one more time: a user may paste a payload that is
            # already url-encoded into the form.
            decoded = urllib.unquote(raw)
            hit = libinjection.detectsqli(decoded, scratch)
            any_sqli = any_sqli or hit
            # Space after commas -- presumably so long values can wrap in
            # the rendered table.
            shown = decoded.replace(',', ', ')
            rows.append([name, shown, hit, scratch['fingerprint']])

    # ``rows`` carries user-controlled strings straight into the template;
    # HTML escaping is left to the template engine's autoescape (confirm
    # form.html does not disable it).
    self.render("form.html",
                title='libjection sqli diagnositc',
                version=libinjection.__version__,
                is_sqli=any_sqli,
                args=rows,
                formvalue=formvalue)
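def get(self):
    """Scanner-facing diagnostic handler: test each ``id`` value for SQLi.

    Response protocol:
      * no ``id`` values, or exactly one that ``boring()`` rejects
        -> 200, title "safe", no logging;
      * any value flagged by libinjection -> 200, title "sqli";
      * values present but none flagged -> bump the module-level ``count``,
        log each stripped value with its result and fingerprint, and
        respond 500 with title "safe" so the caller can record the miss.
    """
    global count
    params = self.request.arguments.get('id', [])
    if not params or (len(params) == 1 and boring(params[0])):
        self.write(
            "<html><head><title>safe</title></head><body></body></html>")
        return

    # Stop at the first flagged value, as the original loop did.
    if any(libinjection.detectsqli(arg) for arg in params):
        self.write(
            "<html><head><title>sqli</title></head><body></body></html>")
        return

    # Missed detection: record each value for later analysis.
    count += 1
    for arg in (p.strip() for p in params):
        extra = {}
        sqli = libinjection.detectsqli(arg, extra)
        # NOTE(review): ``arg`` comes from the request and is logged as-is;
        # tabs or newlines in it corrupt this tab-separated line and allow
        # log forging.  Quote it (e.g. urllib.quote_plus) if the log is
        # parsed by tooling.
        logging.error("\t%s\t%s\t%s\n", arg, sqli, extra['fingerprint'])
    self.set_status(500)
    self.write(
        "<html><head><title>safe</title></head><body></body></html>")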