2021-06-07 14:07:08 +00:00
#!/usr/bin/env python3
# -*-coding:UTF-8 -*
"""
The SQLInjectionDetection Module
== == == == == == == == == == == == == == == ==
This module is consuming the Redis - list created by the Urls module .
It test different possibility to makes some sqlInjection .
"""
import os
import sys
import re
import urllib . request
from datetime import datetime
from pyfaup . faup import Faup
2022-10-25 14:25:19 +00:00
from urllib . parse import unquote
2021-06-07 14:07:08 +00:00
sys . path . append ( os . environ [ ' AIL_BIN ' ] )
##################################
# Import Project packages
##################################
from modules . abstract_module import AbstractModule
from lib . ConfigLoader import ConfigLoader
2022-10-25 14:25:19 +00:00
from lib . objects . Items import Item
2021-06-07 14:07:08 +00:00
class SQLInjectionDetection ( AbstractModule ) :
""" docstring for SQLInjectionDetection module. """
# # TODO: IMPROVE ME
# Reference: https://github.com/stamparm/maltrail/blob/master/core/settings.py
SQLI_REGEX = r " information_schema|sysdatabases|sysusers|floor \ (rand \ (|ORDER BY \ d+| \ bUNION \ s+(ALL \ s+)?SELECT \ b| \ b(UPDATEXML|EXTRACTVALUE) \ (| \ bCASE[^ \ w]+WHEN.*THEN \ b| \ bWAITFOR[^ \ w]+DELAY \ b| \ bCONVERT \ (|VARCHAR \ (| \ bCOUNT \ ( \ * \ )| \ b(pg_)?sleep \ (| \ bSELECT \ b.* \ bFROM \ b.* \ b(WHERE|GROUP|ORDER) \ b| \ bSELECT \ w+ FROM \ w+| \ b(AND|OR|SELECT) \ b.*/ \ *.* \ */|/ \ *.* \ */.* \ b(AND|OR|SELECT) \ b| \ b(AND|OR)[^ \ w]+ \ d+[ ' \" ) ]?[=><][ ' \" ( ]? \ d+|ODBC;DRIVER| \ bINTO \ s+(OUT|DUMP)FILE "
def __init__ ( self ) :
super ( SQLInjectionDetection , self ) . __init__ ( )
self . faup = Faup ( )
config_loader = ConfigLoader ( )
self . server_statistics = config_loader . get_redis_conn ( " ARDB_Statistics " )
self . redis_logger . info ( f " Module: { self . module_name } Launched " )
def compute ( self , message ) :
2022-10-25 14:25:19 +00:00
url , item_id = message . split ( )
2021-06-07 14:07:08 +00:00
if self . is_sql_injection ( url ) :
self . faup . decode ( url )
url_parsed = self . faup . get ( )
2022-10-25 14:25:19 +00:00
item = Item ( item_id )
2021-06-07 14:07:08 +00:00
item_id = item . get_id ( )
print ( f " Detected SQL in URL: { item_id } " )
print ( urllib . request . unquote ( url ) )
to_print = f ' SQLInjection; { item . get_source ( ) } ; { item . get_date ( ) } ; { item . get_basename ( ) } ;Detected SQL in URL; { item_id } '
self . redis_logger . warning ( to_print )
# Send to duplicate
self . send_message_to_queue ( item_id , ' Duplicate ' )
# Tag
msg = f ' infoleak:automatic-detection= " sql-injection " ; { item_id } '
self . send_message_to_queue ( msg , ' Tags ' )
# statistics
tld = url_parsed [ ' tld ' ]
if tld is not None :
2022-10-25 14:25:19 +00:00
# # TODO: # FIXME: remove me
2021-06-07 14:07:08 +00:00
try :
tld = tld . decode ( )
except :
pass
date = datetime . now ( ) . strftime ( " % Y % m " )
self . server_statistics . hincrby ( f ' SQLInjection_by_tld: { date } ' , tld , 1 )
2022-10-25 14:25:19 +00:00
# Try to detect if the url passed might be an sql injection by applying the regex
2021-06-07 14:07:08 +00:00
# defined above on it.
def is_sql_injection ( self , url_parsed ) :
2022-10-25 14:25:19 +00:00
line = unquote ( url_parsed )
2021-06-07 14:07:08 +00:00
return re . search ( SQLInjectionDetection . SQLI_REGEX , line , re . I ) is not None
if __name__ == " __main__ " :
module = SQLInjectionDetection ( )
module . run ( )