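/**
 * Copyright 2012, 2013 Nick Galbreath
 * nickg@client9.com
 * BSD License -- see COPYING.txt for details
 *
 * This is for testing against files in ../data/ *.txt
 * Reads from stdin or a list of files, and emits if a line
 * is a SQLi attack or not, and does basic statistics
 *
 */
#include <string.h>
#include <stdlib.h>
#include <stdio.h>

#include "libinjection.h"
#include "libinjection_sqli.h"

void print_string(stoken_t* t);
void print_var(stoken_t* t);
void print_token(stoken_t *t);
void usage(void);

/**
 * Print a string token to stdout, wrapped in the quote characters the
 * tokenizer recorded for it.
 *
 * A str_open / str_close of '\0' means no quote was recorded on that side,
 * so nothing is printed for it.
 *
 * NOTE(review): t->val is printed with "%s", so it is assumed to be
 * NUL-terminated by the tokenizer -- confirm against libinjection_sqli.h.
 */
void print_string(stoken_t* t)
{
    /* opening quote, if any */
    if (t->str_open != '\0') {
        printf("%c", t->str_open);
    }

    /* token text */
    printf("%s", t->val);

    /* closing quote, if any */
    if (t->str_close != '\0') {
        printf("%c", t->str_close);
    }
}

/**
 * Print a variable token: one '@' when t->count >= 1, a second '@' when
 * t->count == 2, then the token body via print_string().
 */
void print_var(stoken_t* t)
{
    if (t->count >= 1) {
        printf("%c", '@');
    }
    if (t->count == 2) {
        printf("%c", '@');
    }
    print_string(t);
}

/**
 * Print one token as "<type char> <value>" followed by a newline.
 *
 * Type 's' is rendered by print_string() and type 'v' by print_var();
 * every other type prints t->val unchanged.
 */
void print_token(stoken_t *t) {
    printf("%c ", t->type);
    switch (t->type) {
    case 's':
        print_string(t);
        break;
    case 'v':
        print_var(t);
        break;
    default:
        printf("%s", t->val);
        break;
    }
    printf("%s", "\n");
}

/**
 * Print the command-line help text to stdout.
 */
void usage(void) {
    printf("\n");
    printf("libinjection sqli tester\n");
    printf("\n");
    printf(" -ca parse as ANSI SQL\n");
    printf(" -cm parse as MySQL SQL\n");
    printf(" -q0 parse as is\n");
    printf(" -q1 parse in single-quote mode\n");
    printf(" -q2 parse in doiuble-quote mode\n");
    printf("\n");
    printf(" -f --fold fold results\n");
    printf("\n");
    printf(" -d --detect detect SQLI. empty reply = not detected\n");
    printf("\n");
}

/**
 * Entry point: parse the leading option flags, then run libinjection over
 * the first non-option argument.
 *
 * Modes (checked in this order):
 *   - detect: print the fingerprint when libinjection_is_sqli() reports
 *             SQLi; print nothing otherwise.
 *   - fold:   print every token left after libinjection_sqli_fold().
 *   - default: print every token produced by libinjection_sqli_tokenize().
 *
 * Only argv[offset] is analysed; any arguments after it are ignored.
 *
 * @return 0 after a run (whether or not SQLi was detected); 1 when the help
 *         text was printed, no input argument was given, or the input copy
 *         could not be allocated.
 */
int main(int argc, const char* argv[])
{
    size_t slen;
    char* copy;

    int flags = 0;
    int fold = 0;
    int detect = 0;

    int i;
    int count;
    int offset = 1;
    int issqli;

    sfilter sf;

    if (argc < 2) {
        usage();
        return 1;
    }

    /*
     * Consume option flags. The loop is bounded by argc: argv[argc] is
     * NULL, and passing it to strcmp() is undefined behaviour, which is
     * what an options-only command line would otherwise reach.
     */
    while (offset < argc) {
        const char *arg = argv[offset];

        if (strcmp(arg, "-h") == 0 || strcmp(arg, "-?") == 0 || strcmp(arg, "--help") == 0) {
            usage();
            return 1;
        }

        /* "-m" is accepted as an alias of "-cm"; usage() does not list it */
        if (strcmp(arg, "-m") == 0 || strcmp(arg, "-cm") == 0) {
            flags |= FLAG_SQL_MYSQL;
        } else if (strcmp(arg, "-f") == 0 || strcmp(arg, "--fold") == 0) {
            fold = 1;
        } else if (strcmp(arg, "-d") == 0 || strcmp(arg, "--detect") == 0) {
            detect = 1;
        } else if (strcmp(arg, "-ca") == 0) {
            flags |= FLAG_SQL_ANSI;
        } else if (strcmp(arg, "-q0") == 0) {
            flags |= FLAG_QUOTE_NONE;
        } else if (strcmp(arg, "-q1") == 0) {
            flags |= FLAG_QUOTE_SINGLE;
        } else if (strcmp(arg, "-q2") == 0) {
            flags |= FLAG_QUOTE_DOUBLE;
        } else {
            /* first non-option argument: the string to analyse */
            break;
        }
        offset += 1;
    }

    /* every argument was an option, so there is nothing to analyse */
    if (offset >= argc) {
        usage();
        return 1;
    }

    /* ATTENTION: argv is a C-string, null terminated. We copy this
     * to its own location, WITHOUT null byte. This way, valgrind
     * can see if we run past the buffer.
     *
     * The allocation is therefore exactly slen bytes: any slack would
     * hide an over-read in the parser from the memory checker.
     */
    slen = strlen(argv[offset]);
    copy = malloc(slen);
    if (copy == NULL && slen > 0) {
        fprintf(stderr, "out of memory\n");
        return 1;
    }
    if (slen > 0) {
        /* malloc(0) may return NULL; memcpy must not be handed NULL */
        memcpy(copy, argv[offset], slen);
    }
    libinjection_sqli_init(&sf, copy, slen, flags);

    if (detect == 1) {
        issqli = libinjection_is_sqli(&sf);
        if (issqli) {
            printf("%s\n", sf.fingerprint);
        }
    } else if (fold == 1) {
        count = libinjection_sqli_fold(&sf);
        for (i = 0; i < count; ++i) {
            print_token(&(sf.tokenvec[i]));
        }
    } else {
        while (libinjection_sqli_tokenize(&sf)) {
            print_token(sf.current);
        }
    }

    free(copy);

    return 0;
}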