Merge pull request #215 from buixor/master

[WIP] LibInjection Module
add: LibInjection Module

bin/LibInjection.py

@@ -0,0 +1,88 @@
+#!/usr/bin/env python3
+# -*-coding:UTF-8 -*
+
+"""
+The LibInjection Module
+================================
+
+This module is consuming the Redis-list created by the Web module.
+
+It tries to identify SQL Injections with libinjection.
+
+"""
+
+import time
+import string
+import urllib.request
+import re
+import pylibinjection
+import pprint
+
+from pubsublogger import publisher
+from Helper import Process
+from packages import Paste
+from pyfaup.faup import Faup
+
+def analyse(url, path):
+    faup.decode(url)
+    url_parsed = faup.get()
+    pprint.pprint(url_parsed)
+    resource_path = url_parsed['resource_path']
+    query_string = url_parsed['query_string']
+
+    result_path = {'sqli' : False}
+    result_query = {'sqli' : False}
+
+    if resource_path is not None:
+        result_path = pylibinjection.detect_sqli(resource_path)
+        print("path is sqli : {0}".format(result_path))
+
+    if query_string is not None:
+        result_query = pylibinjection.detect_sqli(query_string)
+        print("query is sqli : {0}".format(result_query))
+
+    if result_path['sqli'] is True or result_query['sqli'] is True:
+        paste = Paste.Paste(path)
+        print("Detected (libinjection) SQL in URL: ")
+        print(urllib.request.unquote(url))
+        to_print = 'LibInjection;{};{};{};{};{}'.format(paste.p_source, paste.p_date, paste.p_name, "Detected SQL in URL", paste.p_path)
+        publisher.warning(to_print)
+        #Send to duplicate
+        p.populate_set_out(path, 'Duplicate')
+        #send to Browse_warning_paste
+        p.populate_set_out('sqlinjection;{}'.format(path), 'alertHandler')
+        msg = 'infoleak:automatic-detection="sql-injection";{}'.format(path)
+        p.populate_set_out(msg, 'Tags')
+
+if __name__ == '__main__':
+    # If you wish to use an other port of channel, do not forget to run a subscriber accordingly (see launch_logs.sh)
+    # Port of the redis instance used by pubsublogger
+    publisher.port = 6380
+    # Script is the default channel used for the modules.
+    publisher.channel = 'Script'
+
+    # Section name in bin/packages/modules.cfg
+    config_section = 'LibInjection'
+
+    # Setup the I/O queues
+    p = Process(config_section)
+
+    # Sent to the logging a description of the module
+    publisher.info("Try to detect SQL injection with LibInjection")
+
+    faup = Faup()
+
+    # Endless loop getting messages from the input queue
+    while True:
+        # Get one message from the input queue
+        message = p.get_from_set()
+
+        if message is None:
+            publisher.debug("{} queue is empty, waiting".format(config_section))
+            time.sleep(10)
+            continue
+
+        else:
+            # Do something with the message from the queue
+            url, date, path = message.split()
+            analyse(url, path)

bin/packages/modules.cfg

@@ -70,6 +70,10 @@ publish = Redis_Url,ZMQ_Url
 [WebStats]
 subscribe = Redis_Url
 
+[LibInjection]
+subscribe = Redis_Url
+publish = Redis_alertHandler,Redis_Duplicate,Redis_Tags
+
 [SQLInjectionDetection]
 subscribe = Redis_Url
 publish = Redis_alertHandler,Redis_Duplicate,Redis_Tags

pip3_packages_requirement.txt

@@ -67,3 +67,6 @@ https://github.com/trolldbois/python3-adns/archive/master.zip
 https://github.com/trolldbois/python-cymru-services/archive/master.zip
 
 https://github.com/saffsd/langid.py/archive/master.zip
+
+#LibInjection bindings
+pylibinjection