few bug fixes (NTLM credential parsing was wrong), some switch reordering (few Misc to General), implemented --check-waf switch (irony is that this will also be called highly experimental/unstable while other things will be called "major/turbo/super bug fix/implementation")

2025-12-07 13:11:29 +00:00 · 2011-07-06 05:44:47 +00:00
parent b8ffcf9495
commit 93b296e02c
12 changed files with 146 additions and 61 deletions
--- a/lib/controller/checks.py
+++ b/lib/controller/checks.py
@@ -57,6 +57,7 @@ from lib.core.settings import CONSTANT_RATIO
 from lib.core.settings import UNKNOWN_DBMS_VERSION
 from lib.core.settings import LOWER_RATIO_BOUND
 from lib.core.settings import UPPER_RATIO_BOUND
+from lib.core.settings import IDS_WAF_CHECK_PAYLOAD
 from lib.core.threads import getCurrentThreadData
 from lib.request.connect import Connect as Request
 from lib.request.inject import checkBooleanExpression
@@ -832,6 +833,60 @@ def checkRegexp():

    return True

+def checkWaf():
+    """
+    Reference: http://seclists.org/nmap-dev/2011/q2/att-1005/http-waf-detect.nse
+    """
+
+    if not conf.checkWaf:
+        return False
+
+    infoMsg = "testing if the target is protected by "
+    infoMsg += "some kind of WAF/IPS/IDS"
+    logger.info(infoMsg)
+
+    retVal = False
+
+    backup = dict(conf.parameters)
+
+    conf.parameters = dict(backup)
+    conf.parameters[PLACE.GET] = "" if not conf.parameters.get(PLACE.GET) else conf.parameters[PLACE.GET] + "&"
+    conf.parameters[PLACE.GET] += "%s=%d %s" % (randomStr(), randomInt(), IDS_WAF_CHECK_PAYLOAD)
+
+    kb.matchRatio = None
+    _ = Request.queryPage()
+
+    if kb.errorIsNone and kb.matchRatio is None:
+        kb.matchRatio = LOWER_RATIO_BOUND
+
+    conf.parameters = dict(backup)
+    conf.parameters[PLACE.GET] = "" if not conf.parameters.get(PLACE.GET) else conf.parameters[PLACE.GET] + "&"
+    conf.parameters[PLACE.GET] += "%s=%d" % (randomStr(), randomInt())
+
+    trueResult = Request.queryPage()
+
+    if trueResult:
+        conf.parameters = dict(backup)
+        conf.parameters[PLACE.GET] = "" if not conf.parameters.get(PLACE.GET) else conf.parameters[PLACE.GET] + "&"
+        conf.parameters[PLACE.GET] += "%s=%d %s" % (randomStr(), randomInt(), IDS_WAF_CHECK_PAYLOAD)
+
+        falseResult = Request.queryPage()
+
+        if not falseResult:
+            retVal = True
+
+    conf.parameters = dict(backup)
+
+    if retVal:
+        warnMsg  = "it appears that the target is protected. "
+        warnMsg += "please consider usage of tampering scripts"
+        logger.warn(warnMsg)
+    else:
+        infoMsg = "it appears that the target is not protected"
+        logger.info(infoMsg)
+
+    return retVal
+
 def checkNullConnection():
    """
    Reference: http://www.wisec.it/sectou.php?id=472f952d79293
--- a/lib/controller/controller.py
+++ b/lib/controller/controller.py
@@ -18,6 +18,7 @@ from lib.controller.checks import checkString
 from lib.controller.checks import checkRegexp
 from lib.controller.checks import checkConnection
 from lib.controller.checks import checkNullConnection
+from lib.controller.checks import checkWaf
 from lib.controller.checks import heuristicCheckSqlInjection
 from lib.controller.checks import simpletonCheckSqlInjection
 from lib.core.agent import agent
@@ -320,6 +321,9 @@ def start():
            if not checkConnection(suppressOutput=conf.forms) or not checkString() or not checkRegexp():
                continue

+            if conf.checkWaf:
+                checkWaf()
+
            if conf.nullConnection:
                checkNullConnection()