github_mirrors/ModSecurity
3
0
Fork 1
mirror of https://github.com/owasp-modsecurity/ModSecurity.git synced 2025-08-17 06:36:13 +03:00
Code Issues Packages Projects Releases Wiki Activity

Updates the libinjection

Browse Source
This commit is contained in:
Felipe Zimmerle 2017-04-27 18:40:50 -03:00
parent 2c07a17fa3
commit a4724dfdab
No known key found for this signature in database
GPG Key ID: E6DFB08CE8B11277
7 changed files with 1155 additions and 699 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
CHANGES
View File

@ -1,6 +1,8 @@
DD MMM YYYY - 2.9.2 - To be released DD MMM YYYY - 2.9.2 - To be released
------------------------------------ ------------------------------------
* Updates libinjection to: da027ab52f9cf14401dd92e34e6683d183bdb3b4
[ModSecurity team]
* {dis|en}able-handler-logging: Option to disable logging of Apache handler * {dis|en}able-handler-logging: Option to disable logging of Apache handler
in audit log in audit log
[Issue #1070, #1381 - Marc Stern] [Issue #1070, #1381 - Marc Stern]

8
apache2/libinjection/libinjection.h
View File

@ -1,5 +1,5 @@
/** /**
* Copyright 2012, 2013 Nick Galbreath * Copyright 2012-2016 Nick Galbreath
* nickg@client9.com * nickg@client9.com
* BSD License -- see COPYING.txt for details * BSD License -- see COPYING.txt for details
* *
@ -7,8 +7,8 @@
* *
*/ */
#ifndef _LIBINJECTION_H #ifndef LIBINJECTION_H
#define _LIBINJECTION_H #define LIBINJECTION_H
#ifdef __cplusplus #ifdef __cplusplus
# define LIBINJECTION_BEGIN_DECLS extern "C" { # define LIBINJECTION_BEGIN_DECLS extern "C" {
@ -62,4 +62,4 @@ int libinjection_xss(const char* s, size_t slen);
LIBINJECTION_END_DECLS LIBINJECTION_END_DECLS
#endif /* _LIBINJECTION_H */ #endif /* LIBINJECTION_H */

60
apache2/libinjection/libinjection_html5.c
View File

@ -102,8 +102,16 @@ int libinjection_h5_next(h5_state_t* hs)
* *
*/ */
static int h5_is_white(char ch) static int h5_is_white(char ch)
{ {
/*
* \t = horizontal tab = 0x09
* \n = newline = 0x0A
* \v = vertical tab = 0x0B
* \f = form feed = 0x0C
* \r = cr = 0x0D
*/
return strchr(" \t\n\v\f\r", ch) != NULL; return strchr(" \t\n\v\f\r", ch) != NULL;
} }
@ -450,7 +458,7 @@ static int h5_state_attribute_value_quote(h5_state_t* hs, char qchar)
TRACE(); TRACE();
/* skip initial quote in normal case. /* skip initial quote in normal case.
* dont do this is pos == 0 since it means we have started * don't do this "if (pos == 0)" since it means we have started
* in a non-data state. given an input of '><foo * in a non-data state. given an input of '><foo
* we want to make 0-length attribute name * we want to make 0-length attribute name
*/ */
@ -705,10 +713,13 @@ static int h5_state_comment(h5_state_t* hs)
char ch; char ch;
const char* idx; const char* idx;
size_t pos; size_t pos;
size_t offset;
const char* end = hs->s + hs->len;
TRACE(); TRACE();
pos = hs->pos; pos = hs->pos;
while (1) { while (1) {
idx = (const char*) memchr(hs->s + pos, CHAR_DASH, hs->len - pos); idx = (const char*) memchr(hs->s + pos, CHAR_DASH, hs->len - pos);
/* did not find anything or has less than 3 chars left */ /* did not find anything or has less than 3 chars left */
@ -719,21 +730,62 @@ static int h5_state_comment(h5_state_t* hs)
hs->token_type = TAG_COMMENT; hs->token_type = TAG_COMMENT;
return 1; return 1;
} }
ch = *(idx + 1); offset = 1;
/* skip all nulls */
while (idx + offset < end && *(idx + offset) == 0) {
offset += 1;
}
if (idx + offset == end) {
hs->state = h5_state_eof;
hs->token_start = hs->s + hs->pos;
hs->token_len = hs->len - hs->pos;
hs->token_type = TAG_COMMENT;
return 1;
}
ch = *(idx + offset);
if (ch != CHAR_DASH && ch != CHAR_BANG) { if (ch != CHAR_DASH && ch != CHAR_BANG) {
pos = (size_t)(idx - hs->s) + 1; pos = (size_t)(idx - hs->s) + 1;
continue; continue;
} }
ch = *(idx + 2);
/* need to test */
#if 0
/* skip all nulls */
while (idx + offset < end && *(idx + offset) == 0) {
offset += 1;
}
if (idx + offset == end) {
hs->state = h5_state_eof;
hs->token_start = hs->s + hs->pos;
hs->token_len = hs->len - hs->pos;
hs->token_type = TAG_COMMENT;
return 1;
}
#endif
offset += 1;
if (idx + offset == end) {
hs->state = h5_state_eof;
hs->token_start = hs->s + hs->pos;
hs->token_len = hs->len - hs->pos;
hs->token_type = TAG_COMMENT;
return 1;
}
ch = *(idx + offset);
if (ch != CHAR_GT) { if (ch != CHAR_GT) {
pos = (size_t)(idx - hs->s) + 1; pos = (size_t)(idx - hs->s) + 1;
continue; continue;
} }
offset += 1;
/* ends in --> or -!> */ /* ends in --> or -!> */
hs->token_start = hs->s + hs->pos; hs->token_start = hs->s + hs->pos;
hs->token_len = (size_t)(idx - hs->s) - hs->pos; hs->token_len = (size_t)(idx - hs->s) - hs->pos;
hs->pos = (size_t)(idx - hs->s) + 3; hs->pos = (size_t)(idx + offset - hs->s);
hs->state = h5_state_data; hs->state = h5_state_data;
hs->token_type = TAG_COMMENT; hs->token_type = TAG_COMMENT;
return 1; return 1;

120
apache2/libinjection/libinjection_sqli.c
View File

@ -1,5 +1,5 @@
/** /**
* Copyright 2012,2013 Nick Galbreath * Copyright 2012,2016 Nick Galbreath
* nickg@client9.com * nickg@client9.com
* BSD License -- see COPYING.txt for details * BSD License -- see COPYING.txt for details
* *
@ -112,16 +112,12 @@ memchr2(const char *haystack, size_t haystack_len, char c0, char c1)
} }
while (cur < last) { while (cur < last) {
if (cur[0] == c0) { /* safe since cur < len - 1 always */
if (cur[1] == c1) { if (cur[0] == c0 && cur[1] == c1) {
return cur; return cur;
} else {
cur += 2; /* (c0 == c1) ? 1 : 2; */
} }
} else {
cur += 1; cur += 1;
} }
}
return NULL; return NULL;
} }
@ -191,11 +187,11 @@ static int char_is_white(char ch) {
/* ' ' space is 0x32 /* ' ' space is 0x32
'\t 0x09 \011 horizontal tab '\t 0x09 \011 horizontal tab
'\n' 0x0a \012 new line '\n' 0x0a \012 new line
'\v' 0x0b \013 verical tab '\v' 0x0b \013 vertical tab
'\f' 0x0c \014 new page '\f' 0x0c \014 new page
'\r' 0x0d \015 carriage return '\r' 0x0d \015 carriage return
0x00 \000 null (oracle) 0x00 \000 null (oracle)
0xa0 \240 is latin1 0xa0 \240 is Latin-1
*/ */
return strchr(" \t\n\v\f\r\240\000", ch) != NULL; return strchr(" \t\n\v\f\r\240\000", ch) != NULL;
} }
@ -294,7 +290,7 @@ static void st_clear(stoken_t * st)
static void st_assign_char(stoken_t * st, const char stype, size_t pos, size_t len, static void st_assign_char(stoken_t * st, const char stype, size_t pos, size_t len,
const char value) const char value)
{ {
/* done to elimiate unused warning */ /* done to eliminate unused warning */
(void)len; (void)len;
st->type = (char) stype; st->type = (char) stype;
st->pos = pos; st->pos = pos;
@ -402,7 +398,7 @@ static size_t parse_eol_comment(struct libinjection_sqli_state * sf)
} }
} }
/** In Ansi mode, hash is an operator /** In ANSI mode, hash is an operator
* In MYSQL mode, it's a EOL comment like '--' * In MYSQL mode, it's a EOL comment like '--'
*/ */
static size_t parse_hash(struct libinjection_sqli_state * sf) static size_t parse_hash(struct libinjection_sqli_state * sf)
@ -842,7 +838,7 @@ static size_t parse_bstring(struct libinjection_sqli_state *sf)
/* /*
* hex literal string * hex literal string
* re: [XX]'[0123456789abcdefABCDEF]*' * re: [xX]'[0123456789abcdefABCDEF]*'
* mysql has requirement of having EVEN number of chars, * mysql has requirement of having EVEN number of chars,
* but pgsql does not * but pgsql does not
*/ */
@ -1072,7 +1068,7 @@ static size_t parse_money(struct libinjection_sqli_state *sf)
/* we have $foobar$ ... find it again */ /* we have $foobar$ ... find it again */
strend = my_memmem(cs+xlen+2, slen - (pos+xlen+2), cs + pos, xlen+2); strend = my_memmem(cs+xlen+2, slen - (pos+xlen+2), cs + pos, xlen+2);
if (strend == NULL) { if (strend == NULL || ((size_t)(strend - cs) < (pos+xlen+2))) {
/* fell off edge */ /* fell off edge */
st_assign(sf->current, TYPE_STRING, pos+xlen+2, slen - pos - xlen - 2, cs+pos+xlen+2); st_assign(sf->current, TYPE_STRING, pos+xlen+2, slen - pos - xlen - 2, cs+pos+xlen+2);
sf->current->str_open = '$'; sf->current->str_open = '$';
@ -1104,7 +1100,6 @@ static size_t parse_number(struct libinjection_sqli_state * sf)
const char *cs = sf->s; const char *cs = sf->s;
const size_t slen = sf->slen; const size_t slen = sf->slen;
size_t pos = sf->pos; size_t pos = sf->pos;
int have_dot = 0;
int have_e = 0; int have_e = 0;
int have_exp = 0; int have_exp = 0;
@ -1136,7 +1131,6 @@ static size_t parse_number(struct libinjection_sqli_state * sf)
} }
if (pos < slen && cs[pos] == '.') { if (pos < slen && cs[pos] == '.') {
have_dot = 1;
pos += 1; pos += 1;
while (pos < slen && ISDIGIT(cs[pos])) { while (pos < slen && ISDIGIT(cs[pos])) {
pos += 1; pos += 1;
@ -1185,7 +1179,7 @@ static size_t parse_number(struct libinjection_sqli_state * sf)
} }
} }
if (have_dot == 1 && have_e == 1 && have_exp == 0) { if (have_e == 1 && have_exp == 0) {
/* very special form of /* very special form of
* "1234.e" * "1234.e"
* "10.10E" * "10.10E"
@ -1241,22 +1235,6 @@ int libinjection_sqli_tokenize(struct libinjection_sqli_state * sf)
*/ */
const unsigned char ch = (unsigned char) (s[*pos]); const unsigned char ch = (unsigned char) (s[*pos]);
/*
* if not ascii, then continue...
* actually probably need to just assuming
* it's a string
*/
if (ch > 127) {
/* 160 or 0xA0 or octal 240 is "latin1 non-breaking space"
* but is treated as a space in mysql.
*/
if (ch == 160) {
fnptr = parse_white;
} else {
fnptr = parse_word;
}
} else {
/* /*
* look up the parser, and call it * look up the parser, and call it
* *
@ -1264,7 +1242,7 @@ int libinjection_sqli_tokenize(struct libinjection_sqli_state * sf)
* charparsers[ch]() * charparsers[ch]()
*/ */
fnptr = char_parse_map[ch]; fnptr = char_parse_map[ch];
}
*pos = (*fnptr) (sf); *pos = (*fnptr) (sf);
/* /*
@ -1349,16 +1327,22 @@ static int syntax_merge_words(struct libinjection_sqli_state * sf,stoken_t * a,
a->type == TYPE_UNION || a->type == TYPE_UNION ||
a->type == TYPE_FUNCTION || a->type == TYPE_FUNCTION ||
a->type == TYPE_EXPRESSION || a->type == TYPE_EXPRESSION ||
a->type == TYPE_TSQL ||
a->type == TYPE_SQLTYPE)) { a->type == TYPE_SQLTYPE)) {
return CHAR_NULL; return FALSE;
} }
if (b->type != TYPE_KEYWORD && b->type != TYPE_BAREWORD && if (!
b->type != TYPE_OPERATOR && b->type != TYPE_SQLTYPE && (b->type == TYPE_KEYWORD ||
b->type != TYPE_LOGIC_OPERATOR && b->type == TYPE_BAREWORD ||
b->type != TYPE_FUNCTION && b->type == TYPE_OPERATOR ||
b->type != TYPE_UNION && b->type != TYPE_EXPRESSION) { b->type == TYPE_UNION ||
return CHAR_NULL; b->type == TYPE_FUNCTION ||
b->type == TYPE_EXPRESSION ||
b->type == TYPE_TSQL ||
b->type == TYPE_SQLTYPE ||
b->type == TYPE_LOGIC_OPERATOR)) {
return FALSE;
} }
sz1 = a->len; sz1 = a->len;
@ -1374,7 +1358,6 @@ static int syntax_merge_words(struct libinjection_sqli_state * sf,stoken_t * a,
tmp[sz1] = ' '; tmp[sz1] = ' ';
memcpy(tmp + sz1 + 1, b->val, sz2); memcpy(tmp + sz1 + 1, b->val, sz2);
tmp[sz3] = CHAR_NULL; tmp[sz3] = CHAR_NULL;
ch = sf->lookup(sf, LOOKUP_WORD, tmp, sz3); ch = sf->lookup(sf, LOOKUP_WORD, tmp, sz3);
if (ch != CHAR_NULL) { if (ch != CHAR_NULL) {
@ -1450,6 +1433,13 @@ int libinjection_sqli_fold(struct libinjection_sqli_state * sf)
sf->tokenvec[2].type == TYPE_COMMA && sf->tokenvec[2].type == TYPE_COMMA &&
sf->tokenvec[3].type == TYPE_LEFTPARENS && sf->tokenvec[3].type == TYPE_LEFTPARENS &&
sf->tokenvec[4].type == TYPE_NUMBER sf->tokenvec[4].type == TYPE_NUMBER
) ||
(
sf->tokenvec[0].type == TYPE_BAREWORD &&
sf->tokenvec[1].type == TYPE_RIGHTPARENS &&
sf->tokenvec[2].type == TYPE_OPERATOR &&
sf->tokenvec[3].type == TYPE_LEFTPARENS &&
sf->tokenvec[4].type == TYPE_BAREWORD
) )
) )
{ {
@ -1541,7 +1531,7 @@ int libinjection_sqli_fold(struct libinjection_sqli_state * sf)
continue; continue;
} else if ((sf->tokenvec[left].type == TYPE_BAREWORD || sf->tokenvec[left].type == TYPE_VARIABLE) && } else if ((sf->tokenvec[left].type == TYPE_BAREWORD || sf->tokenvec[left].type == TYPE_VARIABLE) &&
sf->tokenvec[left+1].type == TYPE_LEFTPARENS && ( sf->tokenvec[left+1].type == TYPE_LEFTPARENS && (
/* TSQL functions but common enough to be collumn names */ /* TSQL functions but common enough to be column names */
cstrcasecmp("USER_ID", sf->tokenvec[left].val, sf->tokenvec[left].len) == 0 || cstrcasecmp("USER_ID", sf->tokenvec[left].val, sf->tokenvec[left].len) == 0 ||
cstrcasecmp("USER_NAME", sf->tokenvec[left].val, sf->tokenvec[left].len) == 0 || cstrcasecmp("USER_NAME", sf->tokenvec[left].val, sf->tokenvec[left].len) == 0 ||
@ -1564,7 +1554,7 @@ int libinjection_sqli_fold(struct libinjection_sqli_state * sf)
/* pos is the same /* pos is the same
* other conversions need to go here... for instance * other conversions need to go here... for instance
* password CAN be a function, coalese CAN be a function * password CAN be a function, coalesce CAN be a function
*/ */
sf->tokenvec[left].type = TYPE_FUNCTION; sf->tokenvec[left].type = TYPE_FUNCTION;
continue; continue;
@ -1828,7 +1818,7 @@ int libinjection_sqli_fold(struct libinjection_sqli_state * sf)
* 1,-sin(1) --> 1 (1) * 1,-sin(1) --> 1 (1)
* Here, just do * Here, just do
* 1,-sin(1) --> 1,sin(1) * 1,-sin(1) --> 1,sin(1)
* just remove unary opartor * just remove unary operator
*/ */
st_copy(&sf->tokenvec[left+1], &sf->tokenvec[left+2]); st_copy(&sf->tokenvec[left+1], &sf->tokenvec[left+2]);
pos -= 1; pos -= 1;
@ -1852,8 +1842,20 @@ int libinjection_sqli_fold(struct libinjection_sqli_state * sf)
pos -= 1; pos -= 1;
left = 0; left = 0;
continue; continue;
} else if ((sf->tokenvec[left].type == TYPE_FUNCTION) &&
(sf->tokenvec[left+1].type == TYPE_LEFTPARENS) &&
(sf->tokenvec[left+2].type != TYPE_RIGHTPARENS)) {
/*
* whats going on here
* Some SQL functions like USER() have 0 args
* if we get User(foo), then User is not a function
* This should be expanded since it eliminated a lot of false
* positives.
*/
if (cstrcasecmp("USER", sf->tokenvec[left].val, sf->tokenvec[left].len) == 0) {
sf->tokenvec[left].type = TYPE_BAREWORD;
}
} }
/* no folding -- assume left-most token is /* no folding -- assume left-most token is
is good, now use the existing 2 tokens -- is good, now use the existing 2 tokens --
@ -2019,7 +2021,7 @@ int libinjection_sqli_blacklist(struct libinjection_sqli_state* sql_state)
} }
/* /*
* return TRUE if sqli, false is benign * return TRUE if SQLi, false is benign
*/ */
int libinjection_sqli_not_whitelist(struct libinjection_sqli_state* sql_state) int libinjection_sqli_not_whitelist(struct libinjection_sqli_state* sql_state)
{ {
@ -2033,10 +2035,10 @@ int libinjection_sqli_not_whitelist(struct libinjection_sqli_state* sql_state)
if (tlen > 1 && sql_state->fingerprint[tlen-1] == TYPE_COMMENT) { if (tlen > 1 && sql_state->fingerprint[tlen-1] == TYPE_COMMENT) {
/* /*
* if ending comment is contains 'sp_password' then it's sqli! * if ending comment is contains 'sp_password' then it's SQLi!
* MS Audit log apparently ignores anything with * MS Audit log apparently ignores anything with
* 'sp_password' in it. Unable to find primary refernece to * 'sp_password' in it. Unable to find primary reference to
* this "feature" of SQL Server but seems to be known sqli * this "feature" of SQL Server but seems to be known SQLi
* technique * technique
*/ */
if (my_memmem(sql_state->s, sql_state->slen, if (my_memmem(sql_state->s, sql_state->slen,
@ -2055,7 +2057,7 @@ int libinjection_sqli_not_whitelist(struct libinjection_sqli_state* sql_state)
if (sql_state->fingerprint[1] == TYPE_UNION) { if (sql_state->fingerprint[1] == TYPE_UNION) {
if (sql_state->stats_tokens == 2) { if (sql_state->stats_tokens == 2) {
/* not sure why but 1U comes up in Sqli attack /* not sure why but 1U comes up in SQLi attack
* likely part of parameter splitting/etc. * likely part of parameter splitting/etc.
* lots of reasons why "1 union" might be normal * lots of reasons why "1 union" might be normal
* input, so beep only if other SQLi things are present * input, so beep only if other SQLi things are present
@ -2080,7 +2082,7 @@ int libinjection_sqli_not_whitelist(struct libinjection_sqli_state* sql_state)
/* /*
* for fingerprint like 'nc', only comments of /x are treated * for fingerprint like 'nc', only comments of /x are treated
* as SQL... ending comments of "--" and "#" are not sqli * as SQL... ending comments of "--" and "#" are not SQLi
*/ */
if (sql_state->tokenvec[0].type == TYPE_BAREWORD && if (sql_state->tokenvec[0].type == TYPE_BAREWORD &&
sql_state->tokenvec[1].type == TYPE_COMMENT && sql_state->tokenvec[1].type == TYPE_COMMENT &&
@ -2090,7 +2092,7 @@ int libinjection_sqli_not_whitelist(struct libinjection_sqli_state* sql_state)
} }
/* /*
* if '1c' ends with '/x' then it's sqli * if '1c' ends with '/x' then it's SQLi
*/ */
if (sql_state->tokenvec[0].type == TYPE_NUMBER && if (sql_state->tokenvec[0].type == TYPE_NUMBER &&
sql_state->tokenvec[1].type == TYPE_COMMENT && sql_state->tokenvec[1].type == TYPE_COMMENT &&
@ -2113,13 +2115,13 @@ int libinjection_sqli_not_whitelist(struct libinjection_sqli_state* sql_state)
if (sql_state->tokenvec[0].type == TYPE_NUMBER && if (sql_state->tokenvec[0].type == TYPE_NUMBER &&
sql_state->tokenvec[1].type == TYPE_COMMENT) { sql_state->tokenvec[1].type == TYPE_COMMENT) {
if (sql_state->stats_tokens > 2) { if (sql_state->stats_tokens > 2) {
/* we have some folding going on, highly likely sqli */ /* we have some folding going on, highly likely SQLi */
sql_state->reason = __LINE__; sql_state->reason = __LINE__;
return TRUE; return TRUE;
} }
/* /*
* we check that next character after the number is either whitespace, * we check that next character after the number is either whitespace,
* or '/' or a '-' ==> sqli. * or '/' or a '-' ==> SQLi.
*/ */
ch = sql_state->s[sql_state->tokenvec[0].len]; ch = sql_state->s[sql_state->tokenvec[0].len];
if ( ch <= 32 ) { if ( ch <= 32 ) {
@ -2141,7 +2143,7 @@ int libinjection_sqli_not_whitelist(struct libinjection_sqli_state* sql_state)
} }
/* /*
* detect obvious sqli scans.. many people put '--' in plain text * detect obvious SQLi scans.. many people put '--' in plain text
* so only detect if input ends with '--', e.g. 1-- but not 1-- foo * so only detect if input ends with '--', e.g. 1-- but not 1-- foo
*/ */
if ((sql_state->tokenvec[1].len > 2) if ((sql_state->tokenvec[1].len > 2)
@ -2177,7 +2179,7 @@ int libinjection_sqli_not_whitelist(struct libinjection_sqli_state* sql_state)
} }
/* /*
* not sqli * not SQLi
*/ */
sql_state->reason = __LINE__; sql_state->reason = __LINE__;
return FALSE; return FALSE;
@ -2186,8 +2188,8 @@ int libinjection_sqli_not_whitelist(struct libinjection_sqli_state* sql_state)
streq(sql_state->fingerprint, "1&1") || streq(sql_state->fingerprint, "1&1") ||
streq(sql_state->fingerprint, "1&v") || streq(sql_state->fingerprint, "1&v") ||
streq(sql_state->fingerprint, "1&s")) { streq(sql_state->fingerprint, "1&s")) {
/* 'sexy and 17' not sqli /* 'sexy and 17' not SQLi
* 'sexy and 17<18' sqli * 'sexy and 17<18' SQLi
*/ */
if (sql_state->stats_tokens == 3) { if (sql_state->stats_tokens == 3) {
sql_state->reason = __LINE__; sql_state->reason = __LINE__;
@ -2243,7 +2245,7 @@ int libinjection_is_sqli(struct libinjection_sqli_state * sql_state)
size_t slen = sql_state->slen; size_t slen = sql_state->slen;
/* /*
* no input? not sqli * no input? not SQLi
*/ */
if (slen == 0) { if (slen == 0) {
return FALSE; return FALSE;

28
apache2/libinjection/libinjection_sqli.h
View File

@ -1,14 +1,14 @@
/** /**
* Copyright 2012, 2013 Nick Galbreath * Copyright 2012-2016 Nick Galbreath
* nickg@client9.com * nickg@client9.com
* BSD License -- see COPYING.txt for details * BSD License -- see `COPYING.txt` for details
* *
* https://libinjection.client9.com/ * https://libinjection.client9.com/
* *
*/ */
#ifndef _LIBINJECTION_SQLI_H #ifndef LIBINJECTION_SQLI_H
#define _LIBINJECTION_SQLI_H #define LIBINJECTION_SQLI_H
#ifdef __cplusplus #ifdef __cplusplus
extern "C" { extern "C" {
@ -53,7 +53,7 @@ struct libinjection_sqli_token {
/* count: /* count:
* in type 'v', used for number of opening '@' * in type 'v', used for number of opening '@'
* but maybe unsed in other contexts * but maybe used in other contexts
*/ */
int count; int count;
@ -63,7 +63,7 @@ struct libinjection_sqli_token {
typedef struct libinjection_sqli_token stoken_t; typedef struct libinjection_sqli_token stoken_t;
/** /**
* Pointer to function, takes cstr input, * Pointer to function, takes c-string input,
* returns '\0' for no match, else a char * returns '\0' for no match, else a char
*/ */
struct libinjection_sqli_state; struct libinjection_sqli_state;
@ -97,7 +97,7 @@ struct libinjection_sqli_state {
int flags; int flags;
/* /*
* pos is index in string we are at when tokenizing * pos is the index in the string during tokenization
*/ */
size_t pos; size_t pos;
@ -118,7 +118,7 @@ struct libinjection_sqli_state {
/* /*
* fingerprint pattern c-string * fingerprint pattern c-string
* +1 for ending null * +1 for ending null
* Mimimum of 8 bytes to add gcc's -fstack-protector to work * Minimum of 8 bytes to add gcc's -fstack-protector to work
*/ */
char fingerprint[8]; char fingerprint[8];
@ -156,7 +156,7 @@ struct libinjection_sqli_state {
*/ */
int stats_comment_c; int stats_comment_c;
/* '#' operators or mysql EOL comments found /* '#' operators or MySQL EOL comments found
* *
*/ */
int stats_comment_hash; int stats_comment_hash;
@ -208,8 +208,8 @@ void libinjection_sqli_init(struct libinjection_sqli_state* sql_state,
*/ */
int libinjection_is_sqli(struct libinjection_sqli_state* sql_state); int libinjection_is_sqli(struct libinjection_sqli_state* sql_state);
/* FOR H@CKERS ONLY /* FOR HACKERS ONLY
* * provides deep hooks into the decision making process
*/ */
void libinjection_sqli_callback(struct libinjection_sqli_state* sql_state, void libinjection_sqli_callback(struct libinjection_sqli_state* sql_state,
ptr_lookup_fn fn, ptr_lookup_fn fn,
@ -269,7 +269,7 @@ int libinjection_sqli_fold(struct libinjection_sqli_state * sql_state);
* two functions. With this, you over-ride one part or the other. * two functions. With this, you over-ride one part or the other.
* *
* return libinjection_sqli_blacklist(sql_state) && * return libinjection_sqli_blacklist(sql_state) &&
* libinject_sqli_not_whitelist(sql_state); * libinjection_sqli_not_whitelist(sql_state);
* *
* \param sql_state should be filled out after libinjection_sqli_fingerprint is called * \param sql_state should be filled out after libinjection_sqli_fingerprint is called
*/ */
@ -284,7 +284,7 @@ int libinjection_sqli_blacklist(struct libinjection_sqli_state* sql_state);
/* Given a positive match for a pattern (i.e. pattern is SQLi), this function /* Given a positive match for a pattern (i.e. pattern is SQLi), this function
* does additional analysis to reduce false positives. * does additional analysis to reduce false positives.
* *
* \return TRUE if sqli, false otherwise * \return TRUE if SQLi, false otherwise
*/ */
int libinjection_sqli_not_whitelist(struct libinjection_sqli_state * sql_state); int libinjection_sqli_not_whitelist(struct libinjection_sqli_state * sql_state);
@ -292,4 +292,4 @@ int libinjection_sqli_not_whitelist(struct libinjection_sqli_state * sql_state);
} }
#endif #endif
#endif /* _LIBINJECTION_SQLI_H */ #endif /* LIBINJECTION_SQLI_H */

1157
apache2/libinjection/libinjection_sqli_data.h
View File

File diff suppressed because it is too large Load Diff

31
apache2/libinjection/libinjection_xss.c
View File

@ -6,13 +6,6 @@
#include <assert.h> #include <assert.h>
#include <stdio.h> #include <stdio.h>
#ifndef DEBUG
#include <stdio.h>
#define TRACE() printf("%s:%d\n", __FUNCTION__, __LINE__)
#else
#define TRACE()
#endif
typedef enum attribute { typedef enum attribute {
TYPE_NONE TYPE_NONE
, TYPE_BLACK /* ban always */ , TYPE_BLACK /* ban always */
@ -173,7 +166,7 @@ static stringtype_t BLACKATTR[] = {
}; };
/* xmlns */ /* xmlns */
/* xml-stylesheet > <eval>, <if expr=> */ /* `xml-stylesheet` > <eval>, <if expr=> */
/* /*
static const char* BLACKATTR[] = { static const char* BLACKATTR[] = {
@ -247,8 +240,8 @@ static int cstrcasecmp_with_null(const char *a, const char *b, size_t n)
} }
/* /*
* Does an HTML encoded binary string (const char*, lenght) start with * Does an HTML encoded binary string (const char*, length) start with
* a all uppercase c-string (null terminated), case insenstive! * a all uppercase c-string (null terminated), case insensitive!
* *
* also ignore any embedded nulls in the HTML string! * also ignore any embedded nulls in the HTML string!
* *
@ -282,7 +275,7 @@ static int htmlencode_startswith(const char *a, const char *b, size_t n)
} }
if (cb == 10) { if (cb == 10) {
/* always ignore vtab characters in user input */ /* always ignore vertical tab characters in user input */
/* who allows this?? */ /* who allows this?? */
continue; continue;
} }
@ -347,9 +340,9 @@ static attribute_t is_black_attr(const char* s, size_t len)
return TYPE_NONE; return TYPE_NONE;
} }
/* javascript on.* */ /* JavaScript on.* */
if ((s[0] == 'o' || s[0] == 'O') && (s[1] == 'n' || s[1] == 'N')) { if ((s[0] == 'o' || s[0] == 'O') && (s[1] == 'n' || s[1] == 'N')) {
/* printf("Got javascript on- attribute name\n"); */ /* printf("Got JavaScript on- attribute name\n"); */
return TYPE_BLACK; return TYPE_BLACK;
} }
@ -387,19 +380,17 @@ static int is_black_url(const char* s, size_t len)
static const char* javascript_url = "JAVA"; static const char* javascript_url = "JAVA";
/* skip whitespace */ /* skip whitespace */
while (len > 0) { while (len > 0 && (*s <= 32 || *s >= 127)) {
/* /*
* HEY: this is a signed character. * HEY: this is a signed character.
* We are intentionally skipping high-bit characters too * We are intentionally skipping high-bit characters too
* since they are not ascii, and Opera sometimes uses UTF8 whitespace * since they are not ASCII, and Opera sometimes uses UTF-8 whitespace.
*
* Also in EUC-JP some of the high bytes are just ignored.
*/ */
if (*s <= 32) {
++s; ++s;
--len; --len;
} }
break;
}
if (htmlencode_startswith(data_url, s, len)) { if (htmlencode_startswith(data_url, s, len)) {
return 1; return 1;
@ -491,7 +482,7 @@ int libinjection_is_xss(const char* s, size_t len, int flags)
(h5.token_start[2] == 'f' || h5.token_start[2] == 'F')) { (h5.token_start[2] == 'f' || h5.token_start[2] == 'F')) {
return 1; return 1;
} }
if ((h5.token_start[0] == 'x' || h5.token_start[1] == 'X') && if ((h5.token_start[0] == 'x' || h5.token_start[0] == 'X') &&
(h5.token_start[1] == 'm' || h5.token_start[1] == 'M') && (h5.token_start[1] == 'm' || h5.token_start[1] == 'M') &&
(h5.token_start[2] == 'l' || h5.token_start[2] == 'L')) { (h5.token_start[2] == 'l' || h5.token_start[2] == 'L')) {
return 1; return 1;