ail-framework/bin/modules/SQLInjectionDetection.py

#!/usr/bin/env python3
# -*-coding:UTF-8 -*

"""
The SQLInjectionDetection Module
================================

This module is consuming the Redis-list created by the Urls module.

It test different possibility to makes some sqlInjection.

"""

import os
import sys
import re
import urllib.request

from datetime import datetime
from pyfaup.faup import Faup
from urllib.parse import unquote

sys.path.append(os.environ['AIL_BIN'])
##################################
# Import Project packages
##################################
from modules.abstract_module import AbstractModule
from lib.ConfigLoader import ConfigLoader
from lib.objects.Items import Item
# from lib import Statistics

class SQLInjectionDetection(AbstractModule):
    """docstring for SQLInjectionDetection module."""

    # # TODO: IMPROVE ME
    # Reference: https://github.com/stamparm/maltrail/blob/master/core/settings.py
    SQLI_REGEX = r"information_schema|sysdatabases|sysusers|floor\(rand\(|ORDER BY \d+|\bUNION\s+(ALL\s+)?SELECT\b|\b(UPDATEXML|EXTRACTVALUE)\(|\bCASE[^\w]+WHEN.*THEN\b|\bWAITFOR[^\w]+DELAY\b|\bCONVERT\(|VARCHAR\(|\bCOUNT\(\*\)|\b(pg_)?sleep\(|\bSELECT\b.*\bFROM\b.*\b(WHERE|GROUP|ORDER)\b|\bSELECT \w+ FROM \w+|\b(AND|OR|SELECT)\b.*/\*.*\*/|/\*.*\*/.*\b(AND|OR|SELECT)\b|\b(AND|OR)[^\w]+\d+['\") ]?[=><]['\"( ]?\d+|ODBC;DRIVER|\bINTO\s+(OUT|DUMP)FILE"

    def __init__(self):
        super(SQLInjectionDetection, self).__init__()

        self.faup = Faup()

        self.logger.info(f"Module: {self.module_name} Launched")

    def compute(self, message):
        url = message
        item = self.get_obj()

        if self.is_sql_injection(url):
            self.faup.decode(url)
            url_parsed = self.faup.get()

            print(f"Detected SQL in URL: {item.id}")
            print(urllib.request.unquote(url))
            to_print = f'SQLInjection;{item.get_source()};{item.get_date()};{item.get_basename()};Detected SQL in URL;{self.obj.get_global_id()}'
            self.redis_logger.warning(to_print)

            # Tag
            tag = f'infoleak:automatic-detection="sql-injection"'
            self.add_message_to_queue(message=tag, queue='Tags')

            # statistics
            # tld = url_parsed['tld']
            # if tld is not None:
            #     # # TODO: # FIXME: remove me
            #     try:
            #         tld = tld.decode()
            #     except:
            #         pass
            #     date = datetime.now().strftime("%Y%m")
            #     Statistics.add_module_tld_stats_by_date(self.module_name, date, tld, 1)

    # Try to detect if the url passed might be an sql injection by applying the regex
    # defined above on it.
    def is_sql_injection(self, url_parsed):
        line = unquote(url_parsed)
        return re.search(SQLInjectionDetection.SQLI_REGEX, line, re.I) is not None


if __name__ == "__main__":
    module = SQLInjectionDetection()
    module.run()
chg: [SQLInjectionDetection LibInjection modules] add module class 2021-06-07 14:07:08 +00:00			`#!/usr/bin/env python3`
			`# --coding:UTF-8 -`

			`"""`
			`The SQLInjectionDetection Module`
			`================================`

			`This module is consuming the Redis-list created by the Urls module.`

			`It test different possibility to makes some sqlInjection.`

			`"""`

			`import os`
			`import sys`
			`import re`
			`import urllib.request`

			`from datetime import datetime`
			`from pyfaup.faup import Faup`
chg: [crawler + core + cve] migrate crawler to lacus + add new CVE object and correlation + migrate core 2022-10-25 14:25:19 +00:00			`from urllib.parse import unquote`
chg: [SQLInjectionDetection LibInjection modules] add module class 2021-06-07 14:07:08 +00:00
			`sys.path.append(os.environ['AIL_BIN'])`
			`##################################`
			`# Import Project packages`
			`##################################`
			`from modules.abstract_module import AbstractModule`
			`from lib.ConfigLoader import ConfigLoader`
chg: [crawler + core + cve] migrate crawler to lacus + add new CVE object and correlation + migrate core 2022-10-25 14:25:19 +00:00			`from lib.objects.Items import Item`
chg: [stats] disable statistics 2023-03-30 13:23:41 +00:00			`# from lib import Statistics`
chg: [SQLInjectionDetection LibInjection modules] add module class 2021-06-07 14:07:08 +00:00
			`class SQLInjectionDetection(AbstractModule):`
			`"""docstring for SQLInjectionDetection module."""`

			`# # TODO: IMPROVE ME`
			`# Reference: https://github.com/stamparm/maltrail/blob/master/core/settings.py`
			`SQLI_REGEX = r"information_schema\|sysdatabases\|sysusers\|floor\(rand\(\|ORDER BY \d+\|\bUNION\s+(ALL\s+)?SELECT\b\|\b(UPDATEXML\|EXTRACTVALUE)\(\|\bCASE[^\w]+WHEN.THEN\b\|\bWAITFOR[^\w]+DELAY\b\|\bCONVERT\(\|VARCHAR\(\|\bCOUNT\(\\)\|\b(pg_)?sleep\(\|\bSELECT\b.\bFROM\b.\b(WHERE\|GROUP\|ORDER)\b\|\bSELECT \w+ FROM \w+\|\b(AND\|OR\|SELECT)\b./\.\/\|/\.\/.\b(AND\|OR\|SELECT)\b\|\b(AND\|OR)[^\w]+\d+['\") ]?[=><]['\"( ]?\d+\|ODBC;DRIVER\|\bINTO\s+(OUT\|DUMP)FILE"`

			`def __init__(self):`
			`super(SQLInjectionDetection, self).__init__()`

			`self.faup = Faup()`

chg: [logs] add new logger 2023-05-12 13:29:53 +00:00			`self.logger.info(f"Module: {self.module_name} Launched")`
chg: [SQLInjectionDetection LibInjection modules] add module class 2021-06-07 14:07:08 +00:00
			`def compute(self, message):`
chg: [queues] track object + check if object processed 2023-06-22 13:38:04 +00:00			`url = message`
			`item = self.get_obj()`
chg: [SQLInjectionDetection LibInjection modules] add module class 2021-06-07 14:07:08 +00:00
			`if self.is_sql_injection(url):`
			`self.faup.decode(url)`
			`url_parsed = self.faup.get()`

fix: [module] fix SQLInjectionDetection object ID 2024-03-08 12:54:14 +00:00			`print(f"Detected SQL in URL: {item.id}")`
chg: [SQLInjectionDetection LibInjection modules] add module class 2021-06-07 14:07:08 +00:00			`print(urllib.request.unquote(url))`
fix: [dashboard] fix objects links 2024-03-13 10:58:40 +00:00			`to_print = f'SQLInjection;{item.get_source()};{item.get_date()};{item.get_basename()};Detected SQL in URL;{self.obj.get_global_id()}'`
chg: [SQLInjectionDetection LibInjection modules] add module class 2021-06-07 14:07:08 +00:00			`self.redis_logger.warning(to_print)`

			`# Tag`
fix: [module] fix SQLInjectionDetection object ID 2024-03-08 12:54:14 +00:00			`tag = f'infoleak:automatic-detection="sql-injection"'`
chg: [queues] track object + check if object processed 2023-06-22 13:38:04 +00:00			`self.add_message_to_queue(message=tag, queue='Tags')`
chg: [SQLInjectionDetection LibInjection modules] add module class 2021-06-07 14:07:08 +00:00
			`# statistics`
chg: [stats] disable statistics 2023-03-30 13:23:41 +00:00			`# tld = url_parsed['tld']`
			`# if tld is not None:`
			`# # # TODO: # FIXME: remove me`
			`# try:`
			`# tld = tld.decode()`
			`# except:`
			`# pass`
			`# date = datetime.now().strftime("%Y%m")`
			`# Statistics.add_module_tld_stats_by_date(self.module_name, date, tld, 1)`
chg: [SQLInjectionDetection LibInjection modules] add module class 2021-06-07 14:07:08 +00:00
chg: [crawler + core + cve] migrate crawler to lacus + add new CVE object and correlation + migrate core 2022-10-25 14:25:19 +00:00			`# Try to detect if the url passed might be an sql injection by applying the regex`
chg: [SQLInjectionDetection LibInjection modules] add module class 2021-06-07 14:07:08 +00:00			`# defined above on it.`
			`def is_sql_injection(self, url_parsed):`
chg: [crawler + core + cve] migrate crawler to lacus + add new CVE object and correlation + migrate core 2022-10-25 14:25:19 +00:00			`line = unquote(url_parsed)`
chg: [SQLInjectionDetection LibInjection modules] add module class 2021-06-07 14:07:08 +00:00			`return re.search(SQLInjectionDetection.SQLI_REGEX, line, re.I) is not None`


			`if __name__ == "__main__":`
			`module = SQLInjectionDetection()`
			`module.run()`