#!/usr/bin/env python3
# -*-coding:UTF-8 -*
"""
The SQLInjectionDetection Module
== == == == == == == == == == == == == == == ==
This module is consuming the Redis - list created by the Urls module .
It test different possibility to makes some sqlInjection .
"""
import os
import sys
import re
import urllib . request
from datetime import datetime
from pyfaup . faup import Faup
from urllib . parse import unquote
# AIL_BIN must point at the AIL "bin" directory: the project packages imported
# below (modules.*, lib.*) are resolved relative to it. Missing variable -> KeyError.
ail_bin = os.environ['AIL_BIN']
sys.path.append(ail_bin)
##################################
# Import Project packages
##################################
from modules . abstract_module import AbstractModule
from lib . ConfigLoader import ConfigLoader
from lib . objects . Items import Item
# from lib import Statistics
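class SQLInjectionDetection(AbstractModule):
    """Flag URLs whose percent-decoded form looks like an SQL injection attempt.

    Each message is a URL (produced by the Urls module). The URL is decoded
    once, matched against ``SQLI_REGEX`` case-insensitively and, on a hit,
    a warning is written to ``redis_logger`` and an
    ``infoleak:automatic-detection="sql-injection"`` tag is queued for the
    current item.
    """

    # TODO: IMPROVE ME
    # Reference: https://github.com/stamparm/maltrail/blob/master/core/settings.py
    SQLI_REGEX = r"information_schema|sysdatabases|sysusers|floor\(rand\(|ORDER BY \d+|\bUNION\s+(ALL\s+)?SELECT\b|\b(UPDATEXML|EXTRACTVALUE)\(|\bCASE[^\w]+WHEN.*THEN\b|\bWAITFOR[^\w]+DELAY\b|\bCONVERT\(|VARCHAR\(|\bCOUNT\(\*\)|\b(pg_)?sleep\(|\bSELECT\b.*\bFROM\b.*\b(WHERE|GROUP|ORDER)\b|\bSELECT \w+ FROM \w+|\b(AND|OR|SELECT)\b.*/\*.*\*/|/\*.*\*/.*\b(AND|OR|SELECT)\b|\b(AND|OR)[^\w]+\d+['\") ]?[=><]['\"( ]?\d+|ODBC;DRIVER|\bINTO\s+(OUT|DUMP)FILE"

    # Compiled once at class creation instead of on every compute() call.
    # NOTE(review): several alternatives contain unanchored ".*" runs
    # (SELECT.*FROM.*(WHERE|...), (AND|OR|SELECT).*/*.*/), so a long
    # non-matching URL can cost super-linear scan time with Python's
    # backtracking engine; bound URL length upstream if this becomes measurable.
    SQLI_PATTERN = re.compile(SQLI_REGEX, re.I)

    def __init__(self):
        super().__init__()
        # Kept for URL parsing (TLD statistics); currently unused while the
        # statistics code path is disabled.
        self.faup = Faup()

        self.logger.info(f"Module: {self.module_name} Launched")

    def compute(self, message):
        """Inspect one URL message and tag the current item on a SQLi match.

        Args:
            message: the URL string to inspect (the item itself comes from
                ``self.get_obj()``).

        Side effects on a hit: two ``print`` lines to stdout, one
        ``redis_logger.warning`` and one message on the ``Tags`` queue.
        """
        url = message
        item = self.get_obj()

        if not self.is_sql_injection(url):
            return

        # NOTE(review): the previous revision referenced an undefined ``item_id``
        # here, which raised NameError on every detection. This assumes the item
        # object exposes ``get_id()`` like its other ``get_*`` accessors — confirm
        # against lib.objects.Items.
        item_id = item.get_id()

        print(f"Detected SQL in URL: {item_id}")
        # The decoded URL is attacker-controlled: it may contain newlines or
        # control characters, so treat stdout output as untrusted log content.
        print(unquote(url))
        to_print = f'SQLInjection;{item.get_source()};{item.get_date()};{item.get_basename()};Detected SQL in URL;{item_id}'
        self.redis_logger.warning(to_print)

        # Tag
        tag = f'infoleak:automatic-detection="sql-injection";{item_id}'
        self.add_message_to_queue(message=tag, queue='Tags')

        # statistics: the per-TLD counters (Statistics.add_module_tld_stats_by_date
        # keyed on the faup-parsed 'tld' and a "%Y%m" date) are disabled until the
        # Statistics import is restored; the faup.decode()/get() calls that only
        # fed them were removed with it.

    def is_sql_injection(self, url_parsed):
        """Return True when the percent-decoded URL matches ``SQLI_REGEX``.

        Args:
            url_parsed: the raw URL string (despite the name, it is decoded
                here, not parsed).

        Only a single round of ``urllib.parse.unquote`` is applied, so
        double-encoded payloads (e.g. ``%2527`` for ``'``) are not caught, and
        ``+`` is not turned into a space (``unquote`` is not ``unquote_plus``),
        so ``UNION+SELECT`` will not satisfy the ``UNION\\s+SELECT`` alternative.
        """
        line = unquote(url_parsed)
        return SQLInjectionDetection.SQLI_PATTERN.search(line) is not None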
if __name__ == " __main__ " :
module = SQLInjectionDetection ( )
module . run ( )