Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-02 14:48:21 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

Merge branch 'sqli-spaces-encode-to-plus' of https://github.com/cooper-grill/zeek

Browse source 
* 'sqli-spaces-encode-to-plus' of https://github.com/cooper-grill/zeek:
  account for spaces encoding to plus signs in sqli regex detection
This commit is contained in:
Arne Welzel 2024-10-29 14:05:54 +01:00
commit 5200b84fb3
8 changed files with 24 additions and 6 deletions
Download patch file Download diff file Expand all files Collapse all files

5
testing/btest/Baseline/scripts.policy.protocols.http.sql-injection-plus-dvwa/http.log.cut Normal file
View file

@ -0,0 +1,5 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
uid method host uri tags
ClEkJM2Vm5giqnMf4h GET 192.168.111.154 /dvwa/vulnerabilities/sqli/?id=1'+OR+'1'='1&Submit=Submit HTTP::URI_SQLI
C4J4Th3PJpwUYZZ6gc GET 192.168.111.154 /dvwa/vulnerabilities/sqli/?id=1'+UNION+SELECT+NULL,+version()+#&Submit=Submit HTTP::URI_SQLI
CtPZjS20MLrsMUOJi2 GET 192.168.111.154 /dvwa/vulnerabilities/sqli/?id=2'+OR+'2'='2&Submit=Submit HTTP::URI_SQLI

4
testing/btest/Baseline/scripts.policy.protocols.http.sql-injection-plus-dvwa/output Normal file
View file

@ -0,0 +1,4 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
ClEkJM2Vm5giqnMf4h, [orig_h=192.168.111.148, orig_p=53796/tcp, resp_h=192.168.111.154, resp_p=80/tcp], {\x0a\x09HTTP::URI_SQLI\x0a}
C4J4Th3PJpwUYZZ6gc, [orig_h=192.168.111.148, orig_p=57524/tcp, resp_h=192.168.111.154, resp_p=80/tcp], {\x0a\x09HTTP::URI_SQLI\x0a}
CtPZjS20MLrsMUOJi2, [orig_h=192.168.111.148, orig_p=40112/tcp, resp_h=192.168.111.154, resp_p=80/tcp], {\x0a\x09HTTP::URI_SQLI\x0a}

3
testing/btest/Traces/README
View file

@ -32,3 +32,6 @@ Trace Index/Sources:
- pop3/POP3.pcap: Picked up from POP tutorial on tranalyzer.com
https://tranalyzer.com/tutorial/pop
https://tranalyzer.com/download/data/pop3.pcap
- http/cooper-grill-dvwa.pcapng
Provided by cooper-grill on #3995
https://github.com/zeek/zeek/pull/3995

BIN
testing/btest/Traces/http/cooper-grill-dvwa.pcapng Normal file
View file

Binary file not shown.

2
testing/btest/scripts/policy/protocols/http/test-sql-injection-regex.zeek
View file

@ -37,6 +37,8 @@ event zeek_init()
add positive_matches["/index.php?id=22 /*!49999 and 1=2*/-- and 1=1"];
add positive_matches["/index.php?ID=59 and (select count(table_name) from user_tables)>0 and 1=1"];
add positive_matches["/index.php?ID=60 and exists (select * from [news])"];
add positive_matches["?id=1'+OR+'1'='1"];
add positive_matches["?id=1'+UNION+SELECT+NULL,+version()+#"];
# These are not detected currently.
#add positive_matches["/index.asp?ARF_ID=(1/(1-(asc(mid(now(),18,1))\(2^7) mod 2)))"];