def get_tokens(self):
ids = self.request.arguments.get('id', [])
if len(ids) == 1:
formvalue = ids[0]
else:
formvalue = ''
val = urllib.unquote(formvalue)
parsed = []
parsed.append(alltokens(val, libinjection.FLAG_QUOTE_NONE | libinjection.FLAG_SQL_ANSI))
parsed.append(alltokens(val, libinjection.FLAG_QUOTE_NONE | libinjection.FLAG_SQL_MYSQL))
parsed.append(alltokens(val, libinjection.FLAG_QUOTE_SINGLE | libinjection.FLAG_SQL_ANSI))
parsed.append(alltokens(val, libinjection.FLAG_QUOTE_SINGLE | libinjection.FLAG_SQL_MYSQL))
parsed.append(alltokens(val, libinjection.FLAG_QUOTE_DOUBLE | libinjection.FLAG_SQL_MYSQL))
self.add_header('Cache-Control', 'no-cache, no-store, must-revalidate')
self.add_header('Pragma', 'no-cache')
self.add_header('Expires', '0')
self.add_header('X-Content-Type-Options', 'nosniff')
self.add_header('X-XSS-Protection', '0')
self.render("tokens.html",
title='libjection sqli token parsing diagnostics',
version = libinjection.version(),
parsed=parsed,
formvalue=val,
ssl_protocol=self.request.headers.get('X-SSL-Protocol', ''),
ssl_cipher=self.request.headers.get('X-SSL-Cipher', '')
)
def get_tokens(self):
ids = self.request.arguments.get('id', [])
if len(ids) == 1:
formvalue = ids[0]
else:
formvalue = ''
val = urllib.unquote(formvalue)
parsed = []
parsed.append(alltokens(val, libinjection.FLAG_QUOTE_NONE | libinjection.FLAG_SQL_ANSI))
parsed.append(alltokens(val, libinjection.FLAG_QUOTE_NONE | libinjection.FLAG_SQL_MYSQL))
parsed.append(alltokens(val, libinjection.FLAG_QUOTE_SINGLE | libinjection.FLAG_SQL_ANSI))
parsed.append(alltokens(val, libinjection.FLAG_QUOTE_SINGLE | libinjection.FLAG_SQL_MYSQL))
parsed.append(alltokens(val, libinjection.FLAG_QUOTE_DOUBLE | libinjection.FLAG_SQL_MYSQL))
self.add_header('Cache-Control', 'no-cache, no-store, must-revalidate')
self.add_header('Pragma', 'no-cache')
self.add_header('Expires', '0')
self.add_header('X-Content-Type-Options', 'nosniff')
self.add_header('X-XSS-Protection', '0')
self.render("tokens.html",
title='libjection sqli token parsing diagnostics',
version = libinjection.version(),
parsed=parsed,
formvalue=val,
ssl_protocol=self.request.headers.get('X-SSL-Protocol', ''),
ssl_cipher=self.request.headers.get('X-SSL-Cipher', '')
)
def get_fingerprints(self):
#unquote = urllib.unquote
#detectsqli = libinjection.detectsqli
ids = self.request.arguments.get('id', [])
if len(ids) == 1:
formvalue = ids[0]
else:
formvalue = ''
args = []
extra = {}
qssqli = False
sqlstate = libinjection.sqli_state()
allfp = {}
for name,values in self.request.arguments.iteritems():
if name == 'type':
continue
fps = []
val = values[0]
val = urllib.unquote(val)
if len(val) == 0:
continue
libinjection.sqli_init(sqlstate, val, 0)
pat = libinjection.sqli_fingerprint(sqlstate, libinjection.FLAG_QUOTE_NONE | libinjection.FLAG_SQL_ANSI)
issqli = bool(libinjection.sqli_blacklist(sqlstate) and libinjection.sqli_not_whitelist(sqlstate))
fps.append(['unquoted', 'ansi', issqli, pat])
pat = libinjection.sqli_fingerprint(sqlstate, libinjection.FLAG_QUOTE_NONE | libinjection.FLAG_SQL_MYSQL)
issqli = bool(libinjection.sqli_blacklist(sqlstate) and libinjection.sqli_not_whitelist(sqlstate))
fps.append(['unquoted', 'mysql', issqli, pat])
pat = libinjection.sqli_fingerprint(sqlstate, libinjection.FLAG_QUOTE_SINGLE | libinjection.FLAG_SQL_ANSI)
issqli = bool(libinjection.sqli_blacklist(sqlstate) and libinjection.sqli_not_whitelist(sqlstate))
fps.append(['single', 'ansi', issqli, pat])
pat = libinjection.sqli_fingerprint(sqlstate, libinjection.FLAG_QUOTE_SINGLE | libinjection.FLAG_SQL_MYSQL)
issqli = bool(libinjection.sqli_blacklist(sqlstate) and libinjection.sqli_not_whitelist(sqlstate))
fps.append(['single', 'mysql', issqli, pat])
pat = libinjection.sqli_fingerprint(sqlstate, libinjection.FLAG_QUOTE_DOUBLE | libinjection.FLAG_SQL_MYSQL)
issqli = bool(libinjection.sqli_blacklist(sqlstate) and libinjection.sqli_not_whitelist(sqlstate))
fps.append(['double', 'mysql', issqli, pat])
allfp[name] = {
'value': breakify(breakapart(val)),
'fingerprints': fps
}
for name,values in self.request.arguments.iteritems():
if name == 'type':
continue
for val in values:
# do it one more time include cut-n-paste was already url-encoded
val = urllib.unquote(val)
if len(val) == 0:
continue
# swig returns 1/0, convert to True False
libinjection.sqli_init(sqlstate, val, 0)
issqli = bool(libinjection.is_sqli(sqlstate))
# True if any issqli values are true
qssqli = qssqli or issqli
val = breakapart(val)
pat = sqlstate.fingerprint
if not issqli:
pat = 'see below'
args.append([name, val, issqli, pat])
self.add_header('Cache-Control', 'no-cache, no-store, must-revalidate')
self.add_header('Pragma', 'no-cache')
self.add_header('Expires', '0')
self.add_header('X-Content-Type-Options', 'nosniff')
self.add_header('X-XSS-Protection', '0')
self.render("form.html",
title='libjection sqli diagnostic',
version = libinjection.version(),
is_sqli=qssqli,
args=args,
allfp = allfp,
formvalue=formvalue,
ssl_protocol=self.request.headers.get('X-SSL-Protocol', ''),
ssl_cipher=self.request.headers.get('X-SSL-Cipher', '')
)
def get_fingerprints(self):
#unquote = urllib.unquote
#detectsqli = libinjection.detectsqli
ids = self.request.arguments.get('id', [])
if len(ids) == 1:
formvalue = ids[0]
else:
formvalue = ''
args = []
extra = {}
qssqli = False
sqlstate = libinjection.sqli_state()
allfp = {}
for name,values in self.request.arguments.iteritems():
if name == 'type':
continue
fps = []
val = values[0]
val = urllib.unquote(val)
if len(val) == 0:
continue
libinjection.sqli_init(sqlstate, val, 0)
pat = libinjection.sqli_fingerprint(sqlstate, libinjection.FLAG_QUOTE_NONE | libinjection.FLAG_SQL_ANSI)
issqli = bool(libinjection.sqli_blacklist(sqlstate) and libinjection.sqli_not_whitelist(sqlstate))
fps.append(['unquoted', 'ansi', issqli, pat])
pat = libinjection.sqli_fingerprint(sqlstate, libinjection.FLAG_QUOTE_NONE | libinjection.FLAG_SQL_MYSQL)
issqli = bool(libinjection.sqli_blacklist(sqlstate) and libinjection.sqli_not_whitelist(sqlstate))
fps.append(['unquoted', 'mysql', issqli, pat])
pat = libinjection.sqli_fingerprint(sqlstate, libinjection.FLAG_QUOTE_SINGLE | libinjection.FLAG_SQL_ANSI)
issqli = bool(libinjection.sqli_blacklist(sqlstate) and libinjection.sqli_not_whitelist(sqlstate))
fps.append(['single', 'ansi', issqli, pat])
pat = libinjection.sqli_fingerprint(sqlstate, libinjection.FLAG_QUOTE_SINGLE | libinjection.FLAG_SQL_MYSQL)
issqli = bool(libinjection.sqli_blacklist(sqlstate) and libinjection.sqli_not_whitelist(sqlstate))
fps.append(['single', 'mysql', issqli, pat])
pat = libinjection.sqli_fingerprint(sqlstate, libinjection.FLAG_QUOTE_DOUBLE | libinjection.FLAG_SQL_MYSQL)
issqli = bool(libinjection.sqli_blacklist(sqlstate) and libinjection.sqli_not_whitelist(sqlstate))
fps.append(['double', 'mysql', issqli, pat])
allfp[name] = {
'value': breakify(breakapart(val)),
'fingerprints': fps
}
for name,values in self.request.arguments.iteritems():
if name == 'type':
continue
for val in values:
# do it one more time include cut-n-paste was already url-encoded
val = urllib.unquote(val)
if len(val) == 0:
continue
# swig returns 1/0, convert to True False
libinjection.sqli_init(sqlstate, val, 0)
issqli = bool(libinjection.is_sqli(sqlstate))
# True if any issqli values are true
qssqli = qssqli or issqli
val = breakapart(val)
pat = sqlstate.fingerprint
if not issqli:
pat = 'see below'
args.append([name, val, issqli, pat])
self.add_header('Cache-Control', 'no-cache, no-store, must-revalidate')
self.add_header('Pragma', 'no-cache')
self.add_header('Expires', '0')
self.add_header('X-Content-Type-Options', 'nosniff')
self.add_header('X-XSS-Protection', '0')
self.render("form.html",
title='libjection sqli diagnostic',
version = libinjection.version(),
is_sqli=qssqli,
args=args,
allfp = allfp,
formvalue=formvalue,
ssl_protocol=self.request.headers.get('X-SSL-Protocol', ''),
ssl_cipher=self.request.headers.get('X-SSL-Cipher', '')
)
