Added Libjection

2025-09-30 11:44:32 +03:00 · 2013-04-18 22:51:07 -04:00
parent f10669b34b
commit 417d7daf20
9 changed files with 7365 additions and 4 deletions
--- a/apache2/re_operators.c
+++ b/apache2/re_operators.c
@@ -27,6 +27,9 @@
 #include <arpa/inet.h>
 #endif

+#include "libinjection/sqlparse.h"
+#include "libinjection/sqli_fingerprints.h"
+
 /**
 *
 */
@@ -2129,6 +2132,38 @@ static int msre_op_contains_execute(modsec_rec *msr, msre_rule *rule, msre_var *
    return 0;
 }

+/** libinjection detectSQLi
+*   links against files in libinjection directory
+ *  See www.client9.com/libinjection for details
+ * `is_sqli_pattern` right now is a hardwired set of sqli fingerprints.
+ * In future, change to read from file.
+*/
+static int msre_op_detectSQLi_execute(modsec_rec *msr, msre_rule *rule, msre_var *var,
+    char **error_msg) {
+    sfilter sf;
+    int issqli = is_sqli(&sf, var->value, var->value_len, is_sqli_pattern);
+    int capture = apr_table_get(rule->actionset->actions, "capture") ? 1 : 0;
+
+    if (issqli) {
+        set_match_to_tx(msr, capture, sf.pat, 0);
+
+        *error_msg = apr_psprintf(msr->mp, "detected SQLi using libinjection fingerprint '%s'",
+                sf.pat);
+        if (msr->txcfg->debuglog_level >= 9) {
+            msr_log(msr, 9, "ISSQL: libinjection fingerprint '%s' matched input '%s'",
+                    sf.pat,
+                    log_escape_ex(msr->mp, var->value, var->value_len));
+        }
+    } else {
+        if (msr->txcfg->debuglog_level >= 9) {
+            msr_log(msr, 9, "ISSQL: not sqli, no libinjection sqli fingerprint matched input '%s'",
+                    log_escape_ex(msr->mp, var->value, var->value_len));
+        }
+    }
+
+    return issqli;
+}
+
 /* containsWord */

 static int msre_op_containsWord_execute(modsec_rec *msr, msre_rule *rule, msre_var *var, char **error_msg) {
@@ -4502,7 +4537,14 @@ void msre_engine_register_default_operators(msre_engine *engine) {
        msre_op_containsWord_execute
    );

-    /* is */
+    /* detectSQLi */
+    msre_engine_op_register(engine,
+        "detectSQLi",
+         NULL,
+         msre_op_detectSQLi_execute
+    );
+
+    /* streq */
    msre_engine_op_register(engine,
        "streq",
        NULL, /* ENH init function to flag var substitution */