def doline(logline):
"""
...GET /diagnostics?id=%22union+select HTTP/1.1
"""
mo = logre.search(logline)
if not mo:
return
sqli = False
fp = None
for key, val in urlparse.parse_qsl(mo.group(1)):
val = urllib.unquote(val)
extra = {}
argsqli = libinjection.detectsqli(val, extra)
if argsqli:
fp = extra['fingerprint']
print urllib.quote(val)
sqli = sqli or argsqli
if False: # and not sqli:
#print "\n---"
#print mo.group(1)
for key, val in urlparse.parse_qsl(mo.group(1)):
val = urllib.unquote(val)
extra = {}
argsqli = libinjection.detectsqli(val, extra)
if not argsqli and extra['fingerprint'] not in notsqli:
print "NO", extra['fingerprint'], mo.group(1)
print " ", val
def get(self):
global fd
global count
params = self.request.arguments.get('id', [])
sqli = False
if len(params) == 0 or (len(params) == 1 and boring(params[0])):
# if no args, or a single value with uninteresting input
# then just exit
self.write("<html><head><title>safe</title></head><body></body></html>")
return
for arg in params:
sqli = libinjection.detectsqli(arg)
if sqli:
break
# we didn't detect it :-(
if not sqli:
count += 1
args = [ arg.strip() for arg in params ]
#fd.write(' | '.join(args) + "\n")
for arg in args:
extra = {}
sqli = libinjection.detectsqli(arg, extra)
logging.error("\t" + arg + "\t" + str(sqli) + "\t" + extra['fingerprint'] + "\n")
#for arg in param:
# fd.write(arg + "\n")
# #fd.write(urllib.quote_plus(arg) + "\n")
self.set_status(500)
self.write("<html><head><title>safe</title></head><body></body></html>")
else:
self.write("<html><head><title>sqli</title></head><body></body></html>")
def doline(logline):
"""
...GET /diagnostics?id=%22union+select HTTP/1.1
"""
mo = logre.search(logline)
if not mo:
return
sqli= False
fp = None
for key, val in urlparse.parse_qsl(mo.group(1)):
val = urllib.unquote(val)
extra = {}
argsqli = libinjection.detectsqli(val, extra)
if argsqli:
fp = extra['fingerprint']
print urllib.quote(val)
sqli = sqli or argsqli
if False: # and not sqli:
#print "\n---"
#print mo.group(1)
for key, val in urlparse.parse_qsl(mo.group(1)):
val = urllib.unquote(val)
extra = {}
argsqli = libinjection.detectsqli(val, extra)
if not argsqli and extra['fingerprint'] not in notsqli:
print "NO", extra['fingerprint'], mo.group(1)
print " ", val
def get(self):
#unquote = urllib.unquote
#detectsqli = libinjection.detectsqli
ids = self.request.arguments.get('id', [])
if len(ids) == 1:
formvalue = ids[0]
else:
formvalue = ''
args = []
extra = {}
qssqli = False
for name,values in self.request.arguments.iteritems():
for val in values:
# do it one more time include cut-n-paste was already url-encoded
val = urllib.unquote(val)
issqli = libinjection.detectsqli(val, extra)
# True if any issqli values are true
qssqli = qssqli or issqli
val = val.replace(',', ', ')
args.append([name, val, issqli, extra['fingerprint']])
self.render("form.html",
title='libjection sqli diagnositc',
version = libinjection.__version__,
is_sqli=qssqli,
args=args,
formvalue=formvalue
)
def get(self):
global fd
global count
params = self.request.arguments.get('id', [])
sqli = False
if len(params) == 0 or (len(params) == 1 and boring(params[0])):
# if no args, or a single value with uninteresting input
# then just exit
self.write(
"<html><head><title>safe</title></head><body></body></html>")
return
for arg in params:
sqli = libinjection.detectsqli(arg)
if sqli:
break
# we didn't detect it :-(
if not sqli:
count += 1
args = [arg.strip() for arg in params]
#fd.write(' | '.join(args) + "\n")
for arg in args:
extra = {}
sqli = libinjection.detectsqli(arg, extra)
logging.error("\t" + arg + "\t" + str(sqli) + "\t" +
extra['fingerprint'] + "\n")
#for arg in param:
# fd.write(arg + "\n")
# #fd.write(urllib.quote_plus(arg) + "\n")
self.set_status(500)
self.write(
"<html><head><title>safe</title></head><body></body></html>")
else:
self.write(
"<html><head><title>sqli</title></head><body></body></html>")
