README
¶
____ ___ _ ____
__ _ _ __ __ _ _ __ ___/ ___| / _ \| | / ___| ___
/ _` | '__/ _` | '_ \ / _ \___ \| | | | | | | _ / _ \
| (_| | | | (_| | |_) | __/___) | |_| | |__| |_| | (_) |
\__, |_| \__,_| .__/ \___|____/ \__\_\_____\____|\___/
|___/ |_| grapeSQLI is easy to use Sql Inject & XSS Parser
grapeSQLI
grapeSQLI是一种简单易用的Sql inject & XSS分析程序。
兼容且使用libinjection指纹数据以及搜索模式。
libinjection已经拥有非常完美的思维模式,没必要颠覆它,所以我的大部分代码来自于libinjection,并针对GOLANG做出优化。
经过针对GO语言的优化,目前的性能在可以接受的范围内,具体请参考Benchmark节。
用法
go get github.com/lixiangzhong/golibinjection
xss例子
package main
import (
"github.com/lixiangzhong/golibinjection"
)
func main() {
if golibinjection.XSSParser("<a href=\" javascript:alert(1);\" >") {
// todo something
}
}
xss benchmark
Benchmark_XSSParser-8 3000000 458 ns/op 80 B/op 1 allocs/op
Benchmark_XSSParserParallel-8 10000000 150 ns/op 80 B/op 1 allocs/op
SQLI例子
package main
import (
"github.com/lixiangzhong/golibinjection"
)
func main() {
if err:= golibinjection.SQLInject("asdf asd ; -1' and 1=1 union/* foo */select load_file('/etc/passwd')--");err != nil {
// todo something
}
}
SQLI Benchmark
BenchmarkSQLInject-8 300000 5019 ns/op 1376 B/op 61 allocs/op
BenchmarkSQLInjectParallel-8 1000000 2873 ns/op 1376 B/op 61 allocs/op
Thanks
Use Jetbrains Ide for project
Documentation
¶
Index ¶
Constants ¶
View Source
const ( DATA_TEXT = iota TAG_NAME_OPEN TAG_NAME_CLOSE TAG_NAME_SELFCLOSE TAG_DATA TAG_CLOSE ATTR_NAME ATTR_VALUE TAG_COMMENT DOCTYPE )
View Source
const ( CHAR_EOF = -1 CHAR_NULL = 0 CHAR_BANG = 33 CHAR_DOUBLE = 34 CHAR_PERCENT = 37 CHAR_SINGLE = 39 CHAR_DASH = 45 CHAR_SLASH = 47 CHAR_LT = 60 CHAR_EQUALS = 61 CHAR_GT = 62 CHAR_QUESTION = 63 CHAR_RIGHTB = 93 CHAR_TICK = 96 )
View Source
const ( DATA_STATE = iota VALUE_NO_QUOTE VALUE_SINGLE_QUOTE VALUE_DOUBLE_QUOTE VALUE_BACK_QUOTE )
View Source
const ( TYPE_TK_NONE = 0 TYPE_KEYWORD = 'k' TYPE_UNION = 'U' TYPE_GROUP = 'B' TYPE_EXPRESSION = 'E' TYPE_SQLTYPE = 't' TYPE_FUNCTION = 'f' TYPE_BAREWORD = 'n' TYPE_NUMBER = '1' TYPE_VARIABLE = 'v' TYPE_STRING = 's' TYPE_OPERATOR = 'o' TYPE_LOGIC_OPERATOR = '&' TYPE_COMMENT = 'c' TYPE_COLLATE = 'A' TYPE_LEFTPARENS = '(' TYPE_RIGHTPARENS = ')' /* not used? */ TYPE_LEFTBRACE = '{' TYPE_RIGHTBRACE = '}' TYPE_DOT = '.' TYPE_COMMA = ',' TYPE_COLON = ':' TYPE_SEMICOLON = ';' TYPE_TSQL = 'T' /* TSQL start */ TYPE_UNKNOWN = '?' TYPE_EVIL = 'X' /* unparsable, abort */ TYPE_FINGERPRINT = 'F' /* not really a token */ TYPE_BACKSLASH = '\\' )
View Source
const ( FLAG_NONE = 0 FLAG_QUOTE_NONE = 1 /* 1 << 0 */ FLAG_QUOTE_SINGLE = 2 /* 1 << 1 */ FLAG_QUOTE_DOUBLE = 4 /* 1 << 2 */ FLAG_SQL_ANSI = 8 /* 1 << 3 */ FLAG_SQL_MYSQL = 16 /* 1 << 4 */ )
View Source
const ( LOOKUP_WORD = 1 LOOKUP_TYPE = 2 LOOKUP_OPERATOR = 3 LOOKUP_FINGERPRINT = 4 )
View Source
const ( TYPE_NONE = iota TYPE_BLACK /* ban always */ TYPE_ATTR_URL /* attribute value takes a URL-like object */ TYPE_STYLE TYPE_ATTR_INDIRECT /* attribute *name* is given in *value* */ )
View Source
const (
LIBINJECTION_SQLI_MAX_TOKENS = 5
)
View Source
const (
LIBINJECTION_SQLI_TOKEN_SIZE = 32
)
Variables ¶
View Source
var BLACKATTR = []stringtype_t{ {"ACTION", TYPE_ATTR_URL}, {"ATTRIBUTENAME", TYPE_ATTR_INDIRECT}, {"BY", TYPE_ATTR_URL}, {"BACKGROUND", TYPE_ATTR_URL}, {"DATAFORMATAS", TYPE_BLACK}, {"DATASRC", TYPE_BLACK}, {"DYNSRC", TYPE_ATTR_URL}, {"FILTER", TYPE_STYLE}, {"FORMACTION", TYPE_ATTR_URL}, {"FOLDER", TYPE_ATTR_URL}, {"FROM", TYPE_ATTR_URL}, {"HANDLER", TYPE_ATTR_URL}, {"HREF", TYPE_ATTR_URL}, {"LOWSRC", TYPE_ATTR_URL}, {"POSTER", TYPE_ATTR_URL}, {"SRC", TYPE_ATTR_URL}, {"STYLE", TYPE_STYLE}, {"TO", TYPE_ATTR_URL}, {"VALUES", TYPE_ATTR_URL}, {"XLINK:HREF", TYPE_ATTR_URL}, }
* view-source: * data: * javascript:
View Source
var BLACKTAG = []string{
"APPLET",
"BASE",
"COMMENT",
"EMBED",
"FRAME",
"FRAMESET",
"HANDLER",
"IFRAME",
"IMPORT",
"ISINDEX",
"LINK",
"LISTENER",
"META",
"NOSCRIPT",
"OBJECT",
"SCRIPT",
"STYLE",
"VMLFRAME",
"XML",
"XSS",
}
Functions ¶
Types ¶
type Sqlifingerprint ¶
type Sqlifingerprint struct {
Charmap []string `json:"charmap"`
Fingerprints []string `json:"fingerprints"`
Keywords map[string]Keyword `json:"keywords"`
}
func UnmarshalSqlifingerprint ¶
func UnmarshalSqlifingerprint(data []byte) (Sqlifingerprint, error)
func (*Sqlifingerprint) Marshal ¶
func (r *Sqlifingerprint) Marshal() ([]byte, error)
Source Files
¶
Directories
Click to show internal directories.
Click to hide internal directories.