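// Honeypot response logic for a fake SQL-injection target. Every closure below
// pattern-matches an attacker-controlled string and fabricates the reply a
// vulnerable MySQL/PostgreSQL-backed page would give; nothing touches a real
// database and every "credential", hash and flag is a decoy.
//
// Review notes on the script as a whole:
//  * All input is attacker-controlled. An uncaught exception (substring on a
//    -1 index, parseInt on junk, division by zero) presumably surfaces as a
//    stack trace or a 500 and fingerprints the honeypot, so the guards added
//    below degrade to the generic "error" reply instead of throwing.
//  * The replies mix dialects (MySQL updatexml()/"ERROR 1064" next to
//    PostgreSQL chr()/"ERROR: syntax error at or near"); no single engine
//    behaves like this, which a careful attacker can notice.
//  * Lines tagged "//hw" are a second set of canned answers kept commented
//    out. They look like a deployment variant and belong in configuration.
//  * String.md5() is Groovy's extension method (hex digest of the UTF-8 bytes).
ctx.responseHeaders['Cache-Control'] = ['no-store']   // decoy pages must never be served from a cache

// Counts non-overlapping occurrences of substr in tmpStr (0 for an empty
// substr, which would otherwise never advance the search).
def getMatchNumber = { tmpStr, substr ->
    if (substr.length() == 0) {
        return 0
    }
    int count = 0
    int from = 0
    while (true) {
        int at = tmpStr.indexOf(substr, from)
        if (at == -1) {
            break
        }
        count++
        from = at + substr.length()
    }
    return count
}

// Returns the text between the first startStr and the first endStr after it,
// or "" when either delimiter is missing. Unused by the closures visible here.
def getStrInBetween = { startStr, endStr, originStr ->
    def startIndex = originStr.indexOf(startStr)
    if (startIndex == -1) {
        return ""
    }
    def afterStart = startIndex + startStr.length()
    def endIndex = originStr.indexOf(endStr, afterStart)
    if (endIndex == -1) {
        return ""
    }
    return originStr.substring(afterStart, endIndex)
}

// Decodes a hex string such as "414243" into "ABC". Each byte is mapped
// one-to-one to a char (Latin-1 style, not UTF-8 decoded). A trailing odd
// nibble is ignored and decoding stops at the first non-hex pair; previously
// both cases threw and the exception reached the attacker.
def decodeAsciiHex = { String hexString ->
    def decoded = new StringBuilder()
    for (int i = 0; i + 1 < hexString.length(); i += 2) {
        int value
        try {
            value = Integer.parseInt(hexString.substring(i, i + 2), 16)
        } catch (NumberFormatException ignored) {
            break
        }
        decoded.append(value as char)
    }
    return decoded.toString()
}

// Normalises one concat() argument to the literal it denotes:
// 'abc' -> abc, 0x616263 -> abc, anything else unchanged.
// The length check keeps a lone "'" from producing an invalid substring.
def transformString = { String s ->
    if (s.length() >= 2 && s.startsWith("'") && s.endsWith("'")) {
        return s.substring(1, s.length() - 1)
    }
    if (s.startsWith("0x")) {
        return decodeAsciiHex(s.substring(2))
    }
    return s
}

// Replaces the concat(...) call spanning [leftIndex, rightIndex) in originStr
// by the literal it builds. Several arguments are joined and re-quoted
// ('ab'); a single argument is inserted bare. Returns [rewrittenString,
// resumeIndex] where resumeIndex is the last character of the replacement, so
// the caller's i++ continues right after it. The previous value
// (originStr.length() - replacement.length()) was an unrelated offset that
// usually ended the scan after the first concat(), which is why callers
// ran FindAndReplaceConcat twice.
// NOTE(review): the split on "," is naive — a comma inside a quoted argument
// ('a,b') is split too. The i parameter is unused but kept for callers.
def replaceConcat = { originStr, leftIndex, rightIndex, i ->
    String inner = originStr.substring(leftIndex, rightIndex)
    inner = inner.substring(7, inner.length() - 1)   // strip "concat(" and ")"
    String replacement
    if (inner.contains(",")) {
        replacement = "'" + inner.split(',').collect { part -> transformString(part) }.join() + "'"
    } else {
        replacement = transformString(inner)
    }
    String rewritten = originStr.substring(0, leftIndex) + replacement + originStr.substring(rightIndex)
    int resumeAt = leftIndex + replacement.length() - 1
    return [rewritten, resumeAt]
}

// Lower-cases str and folds every concat(...) call, innermost first, into the
// literal it builds. A ")" with no open concat( is ignored.
// NOTE(review): any ")" closes the innermost concat(, so a nested call such as
// concat(md5('x'),'y') is cut at md5's ")" — the decoys only need the simple
// sqlmap/manual forms.
def FindAndReplaceConcat = { String str ->
    str = str.toLowerCase()
    def stack = []
    def leftBracket = "concat("
    def rightBracket = ")"
    for (int i = 0; i < str.size(); i++) {
        if (str.startsWith(leftBracket, i)) {
            stack.add(i)
            i += leftBracket.size() - 1
        } else if (str.startsWith(rightBracket, i)) {
            if (!stack.isEmpty()) {
                def rightIndex = i + rightBracket.size()
                def leftIndex = stack.remove(stack.size() - 1)
                def result = replaceConcat(str, leftIndex, rightIndex, i)
                str = result[0]
                i = result[1]
            }
        }
    }
    return str
}

// Applies one binary operator. b is the right-hand operand because the caller
// pops it first. Groovy's "/" on two ints yields a BigDecimal (1/2 == 0.5);
// an unknown operator yields null.
def calculate2 = { char op, int b, int a ->
    switch (op) {
        case '+': return a + b
        case '-': return a - b
        case '*': return a * b
        case '/': return a / b
    }
    return null
}

// True when the operator already on the stack (op1) must be applied before the
// incoming one (op2): op1 is * or /, or op2 is + or -.
def compare = { char op1, char op2 ->
    return op1 == ('*' as char) || op1 == ('/' as char) || op2 == ('+' as char) || op2 == ('-' as char)
}

// Evaluates a flat "+ - * /" expression over non-negative integers with the
// usual precedence (no parentheses; every other character is skipped).
// Returns null for an empty or malformed expression (missing operand) and for
// a division by zero, which SQL would evaluate to NULL rather than a number.
// Digit runs are accumulated in an int and wrap beyond Integer.MAX_VALUE, as
// before; the caller caps the expression at 512 characters.
def calculate = { s ->
    def nums = new ArrayDeque<>()
    def ops = new ArrayDeque<>()
    // Pops one operator and its two operands and pushes the result.
    // False means the expression cannot be evaluated.
    def reduceTop = {
        if (nums.size() < 2) {
            return false
        }
        char op = ops.pop()
        def b = nums.pop()
        def a = nums.pop()
        if (op == ('/' as char) && b == 0) {
            return false
        }
        nums.push(calculate2(op, b, a))
        return true
    }
    def isAsciiDigit = { ch -> ch >= ('0' as Character) && ch <= ('9' as Character) }
    for (int i = 0; i < s.length(); ++i) {
        def c = s.charAt(i)
        if (isAsciiDigit(c)) {
            def num = c - ('0' as Character)
            while (i + 1 < s.length() && isAsciiDigit(s.charAt(i + 1))) {
                num = num * 10 + (s.charAt(i + 1) - ('0' as Character))
                ++i
            }
            nums.push(num)
        } else if (c == ('+' as Character) || c == ('-' as Character) || c == ('*' as Character) || c == ('/' as Character)) {
            while (!ops.isEmpty() && compare(ops.peek(), c)) {
                if (!reduceTop()) {
                    return null
                }
            }
            ops.push(c)
        }
    }
    while (!ops.isEmpty()) {
        if (!reduceTop()) {
            return null
        }
    }
    return nums.peek()
}

// Answers " or <lhs>=<rhs>" tautology probes: when both sides evaluate to the
// same value the decoy user table is returned, otherwise "error".
// NOTE(review): the loop that copies the expression after " or " into
// calcPattern was mangled when this page was captured ("while(start 512)")
// and cannot be restored from what is visible; only its 512-character cap
// survived. Restore it from the original script before deploying.
def tautologyDeception = { inputString ->
    def start = inputString.indexOf(" or ") + 4
    def calcPattern = ""
    while(start 512){ return "error" } }
    // Exactly one "=" with both sides present. split() drops a trailing empty
    // side, so "12=" used to throw ArrayIndexOutOfBoundsException on sides[1].
    def sides = calcPattern.split("=")
    if (getMatchNumber(calcPattern, "=") == 1 && sides.length == 2) {
        // println calcPattern
        // A side that is not a numeric expression evaluates to null, so two
        // non-numeric sides (as in 'a'='a') also compare equal here and are
        // answered with the decoy rows. The rows carry fake MD5 "password
        // hashes" and a masked phone number on purpose.
        def result1 = calculate(sides[0])
        def result2 = calculate(sides[1])
        if (result1 == result2) {
            return "[{\"id\":89012,\"us\":\"alk0099912\",\"pw\":\"f19b8dc2029cf707939e886e4b164681\",\"ph\":\"199****9970\",\"ve\":true,\"ca\":\"ltaccess\"},{\"id\":89017,\"us\":\"xu98592319\",\"pass\":\"6e77f86b426b17b88287251e12b4daa0\",\"ve\":true,\"ca\":\"ltaccess\"},{\"id\":19312,\"us\":\"88349910\",\"pass\":\"f07f6c983d715f4155ab0e9ce5cc4805\",\"ve\":true,\"ca\":\"ltaccess\"}]"
            //hw
            // return "[{\"id\":89012,\"usrk\":\"f19b8dc2029cf707939e886e4b164680_rsc\",\"rk\":\"f19b8dc2029cf707939e886e4b164680_rsc\",\"ve\":true,\"ca\":\"ltaccess\"},{\"id\":89017,\"usvb\":\"xu9psmadk1\",\"rk\":\"6e77f86b426b17b88287251e12b4daa1_rk\",\"ve\":true,\"ca\":\"ltaccess\"},{\"id\":19312,\"uszx_ss\":\"f07f6c983d715f4155ab0e9ce5cc480c_m\",\"rk\":\"f07f6c983d715f4155ab0e9ce5cc480c_m\",\"ve\":true,\"ca\":\"ltaccess\"}]H0NEY_P0T"
        } else {
            return "error"
        }
    }
    // Previously fell off the end and returned null to the caller.
    return "error"
}

// Locates the first complete md5(...) call in s and returns
// [hexDigest, callStart, closeParen], or null when there is none.
// One pair of surrounding quotes is stripped before hashing, so md5('abc') and
// md5(abc) both hash "abc" — the value a real md5() returns and the value
// sqlmap compares with when it verifies an error-based injection point. The
// updatexml branch used to hash the quotes as well, which gave the probe away.
def md5OfFirstCall = { String s ->
    int callStart = s.indexOf("md5(")
    if (callStart == -1) {
        return null
    }
    int closeParen = s.indexOf(")", callStart + 4)
    if (closeParen == -1) {
        return null
    }
    String arg = s.substring(callStart + 4, closeParen)
    boolean quoted = arg.length() >= 2 && (arg.startsWith("'") || arg.startsWith("\"")) && arg.endsWith(arg.substring(0, 1))
    if (quoted) {
        arg = arg.substring(1, arg.length() - 1)
    }
    return [arg.md5(), callStart, closeParen]
}

// Renders every chr(N) call in s as the character it denotes and joins them
// in order (PostgreSQL-style payloads spell strings this way). A call without
// a closing ")" ends the scan; a non-numeric argument is skipped. Replaces the
// three copies of this loop the script used to carry, one of which did not
// catch NumberFormatException.
def decodeChrCalls = { String s ->
    def decoded = new StringBuilder()
    int from = 0
    while (true) {
        int callStart = s.indexOf("chr(", from)
        if (callStart == -1) {
            break
        }
        int closeParen = s.indexOf(")", callStart)
        if (closeParen == -1) {
            break
        }
        try {
            int codePoint = Integer.parseInt(s.substring(callStart + 4, closeParen))
            decoded.append((char) codePoint)
        } catch (NumberFormatException ignored) {
            // e.g. chr(1+2): nothing the decoys need to render
        }
        from = closeParen
    }
    return decoded.toString()
}

// Main SQL-injection decoy. Takes the raw (attacker-controlled) parameter
// value and returns the canned text a vulnerable page would have produced for
// the common manual and sqlmap probes, or "error" when nothing matches.
// Matching is purely lexical on the lower-cased input; branch order matters
// because the first hit wins.
def shabbyDeception = { inputString ->
    inputString = inputString.toLowerCase()

    // --- error-based: ...concat(0x7e, md5(x))... -> echo the digest between ~ ---
    if (inputString.indexOf("char(126),md5(") != -1 || inputString.indexOf("0x7e,md5(") != -1 || inputString.indexOf(",(select md5(") != -1) {
        def probe = md5OfFirstCall(inputString)
        if (probe != null) {
            return "PATH syntax error: '~" + probe[0] + "~'"
        }
        // no complete md5(...) call: fall through (previously threw)
    }

    // --- updatexml()/extractvalue() XPath-error probes ---
    if (inputString.indexOf("updatexml") != -1 || inputString.indexOf("extractvalue") != -1) {
        if (inputString.indexOf("md5") != -1) {
            def probe = md5OfFirstCall(inputString)
            if (probe != null) {
                return "PATH syntax error: '" + probe[0] + "'"
            }
        }
        if (inputString.indexOf("database(") != -1) {
            return "PATH syntax error: '~Intelligence_LC_CMPG~'"
            //hw
            // return "PATH syntax error: '~H0NEY_P0T~'"
        }
        if (inputString.indexOf("user(") != -1) {
            return "PATH syntax error: '~root@localhost~'"
        }
        if (inputString.indexOf("@@version") != -1) {
            return "PATH syntax error: '~8.0.24~'"
        }
        if (inputString.indexOf("version(") != -1) {
            return "PATH syntax error: '~8.0.24~'"
        }
        //hw
        // if (inputString.indexOf("@@version")!=-1){
        //     return "PATH syntax error: '~H0NEY_P0T~'"
        // }
        // if (inputString.indexOf("version(")!=-1){
        //     return "PATH syntax error: '~H0NEY_P0T~'"
        // }
    }

    // --- PostgreSQL probes spelled with chr(): render the THEN side ---
    if (inputString.contains("convert_to(") || inputString.contains("||(select (case when (coalesce")) {
        // Removing the 10 characters at "else (" presumably drops "else (chr("
        // so the ELSE branch's chr() is not rendered. A missing "else (" used
        // to throw on substring(0, -1).
        def elseAt = inputString.indexOf("else (")
        if (elseAt != -1 && elseAt + 10 <= inputString.length()) {
            inputString = inputString.substring(0, elseAt) + inputString.substring(elseAt + 10)
        }
        return decodeChrCalls(inputString)
    }

    // --- (CASE WHEN (<a>=<b>) THEN ... ELSE ... END): replace the whole CASE
    //     by the literal its condition selects ('1'/'0', or chr(49)/chr(48)
    //     when the payload is written with chr()). Missing delimiters skip the
    //     rewrite instead of throwing.
    if (inputString.contains("case when") && inputString.contains("else")) {
        int caseStart = inputString.indexOf("(case when")
        int endAt = inputString.indexOf("end)")
        int whenStart = inputString.indexOf("when (")
        int thenAt = inputString.indexOf(") then")
        if (caseStart != -1 && endAt != -1 && whenStart != -1 && thenAt != -1 && whenStart + 6 <= thenAt && caseStart <= endAt) {
            int caseEnd = endAt + 4
            def inner = inputString.substring(whenStart + 6, thenAt)
            if (inner.contains("=")) {
                def sides = inner.split("=")
                // "1=" (trailing "=" dropped by split) counts as not holding
                boolean holds = sides.length >= 2 && sides[0] == sides[1]
                boolean useChr = getMatchNumber(inputString, "chr(") > 3
                def literal
                if (holds) {
                    literal = useChr ? "chr(49)" : "'1'"
                } else {
                    literal = useChr ? "chr(48)" : "'0'"
                }
                inputString = inputString.substring(0, caseStart) + literal + inputString.substring(caseEnd)
            }
        }
    }

    // --- concat('a',0x62,...) is folded to the literal it builds. The second
    //     pass is kept for safety; with the resume-index fix in replaceConcat a
    //     single pass already handles several concat() calls.
    if (inputString.contains("concat('")) {
        inputString = FindAndReplaceConcat(inputString)
        inputString = FindAndReplaceConcat(inputString)
    }

    // --- ORDER BY n column-count probe: the decoy table has 4 columns ---
    // NOTE(review): the two "unknown column" replies differ by a leading
    // space; reproduced as found in case something upstream matches on it.
    if (inputString.contains("order by") && inputString.contains("'") && !inputString.contains("order by 1 ") && !inputString.contains("')")) {
        String col = inputString.substring(inputString.indexOf("order by") + "order by".length()).trim()
        int space = col.indexOf(' ')
        if (space != -1) {
            col = col.substring(0, space)
        }
        col = col.replace("--", "")
        try {
            int numS = Integer.parseInt(col)
            if (numS > 4) {
                return " unknown column " + col
            } else {
                return "error"
            }
        } catch (NumberFormatException e) {
            return "unknown column " + col
        }
    }

    // --- UNION SELECT ... --/# : echo the selected column list with md5() and
    //     concat() evaluated, so the attacker "sees" the injected values.
    // NOTE(review): as in the original, an md5() substitution alone produces
    // no reply — the list is only returned when a concat() was rewritten too.
    // Presumably intentional (md5-only probes are answered further down);
    // verify against the intended decoy behaviour.
    if (inputString.contains("union") && (inputString.contains("--") || inputString.contains("#"))) {
        int selectAt = inputString.indexOf("select ")
        int commentAt = inputString.indexOf("--")
        if (commentAt == -1) {
            commentAt = inputString.indexOf("#")
        }
        // a comment marker before "select " used to throw on substring()
        if (selectAt != -1 && commentAt >= selectAt + 7) {
            def unionColumn = inputString.substring(selectAt + 7, commentAt)
            def probe = md5OfFirstCall(unionColumn)
            if (probe != null) {
                unionColumn = unionColumn.substring(0, probe[1]) + probe[0] + unionColumn.substring(probe[2] + 1)
            }
            def newunionColumn = FindAndReplaceConcat(unionColumn)
            if (newunionColumn != unionColumn) {
                return newunionColumn
            }
        }
    }

    //sqlmap
    // --- UNION probes containing a quote: mimic a PostgreSQL backend whose
    //     decoy table has 4 columns (3 or 4 commas in the column list) ---
    if (inputString.contains("union") && inputString.contains("'")) {
        //something broken ----
        // sqlmap's "exists(select data from "".""4"")" probe: collapse the CASE
        // to chr(49) ("1") and render the remaining chr() calls.
        if (inputString.contains("(exists(select data from \"\".\"4\"))")) {
            inputString = inputString.replace("coalesce((case when (exists(select data from \"\".\"4\")) then (chr(49)) else (chr(48)) end)::text,(chr(32)))", "chr(49)").replace("::text", "").replace("array_agg(", "")
            return decodeChrCalls(inputString)
            //something broken ----
        }
        int commaCount = getMatchNumber(inputString, ",")
        if (commaCount != 3 && commaCount != 4) {
            //union default
            // Wrong column count: echo the query back inside a syntax error,
            // with the usual fingerprint functions replaced by decoy values.
            inputString = inputString.replace("@@version", "8.0.24").replace("version()", "8.0.24").replace("current_user", "root@localhost").replace("user()", "root@localhost").replace("database()", "Intelligence_LC_CMPG")
            //hw
            // inputString=inputString.replace("@@version","").replace("version()","").replace("current_user","").replace("user()","").replace("database()","H0NEY_P0T")
            return "ERROR: syntax error at or near \"" + inputString + "\""
        }
        if (!inputString.contains("schemaname") && commaCount == 4) {
            return inputString
        }
        if (inputString.contains("union select 14")) {
            // 15-fold echo of the request. NOTE(review): this amplifies whatever
            // request size the host allows — confirm an upstream limit exists.
            return inputString * 15
        }
        if (!inputString.contains("chr(")) {
            return inputString
        }
        // Render the chr()-encoded column list; the first blank becomes the
        // column count or the decoy database name.
        String unionStr = decodeChrCalls(inputString)
        int index = unionStr.indexOf(" ")
        if (index >= 0) {
            if (!inputString.contains("schemaname::text") && commaCount == 4) {
                unionStr = unionStr.substring(0, index) + "4" + unionStr.substring(index + 1)
            } else {
                unionStr = unionStr.substring(0, index) + "Intelligence_LC_CMPG" + unionStr.substring(index + 1)
                // unionStr = unionStr.substring(0, index) + "H0NEY_P0T" + unionStr.substring(index + 1)
            }
        }
        return unionStr
    }

    // 1=1 (1)
    if (inputString.contains("' or ") || inputString.contains("\" or ")) {
        return tautologyDeception(inputString)
    }
    //1=1 (2)
    else if (inputString.contains(" or ")) {
        // Only when the character before " or " is a digit ("1 or 1=1").
        // Groovy's negative index means an input starting with " or "
        // checks its last character instead — kept as found.
        def preCharIndex = inputString.indexOf(" or ") - 1
        if (inputString[preCharIndex].isInteger()) {
            return tautologyDeception(inputString)
        }
    }

    if (inputString.contains("'") && inputString.contains("database()") && inputString.contains("updatexml")) {
        return "~Intelligence_LC_CMPG~"
    }

    // --- schema enumeration of the decoy database: steer the attacker to a
    //     table that does not exist and finally to a decoy flag ---
    if (inputString.contains("Intelligence_LC_CMPG".toLowerCase()) && inputString.contains("select") && inputString.contains("table_name") && inputString.contains("information_schema") && inputString.contains("table_schema")) {
        inputString = inputString.replaceAll(",.*?intelligence_lc_cmpg.*?,", "flag_not_here_0.0")
        return "ERROR 1064 (42000): You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '" + inputString + "' at line 1"
    }
    if (inputString.contains("flag_not_here_0.0") && inputString.contains("select") && inputString.contains("information_schema") && inputString.contains("column")) {
        return "ERROR 1064 (42000): You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'id,flag_col' at line 1"
    }
    if (inputString.contains("from flag_not_here_0.0") && inputString.contains("select") && inputString.contains("union") && inputString.contains("flag_col")) {
        // The decoy flag's suffix rotates with the server-local hour.
        // java.util.Random seeded with the hour is fine for a decoy but has
        // only 24 possible outputs — do not treat the suffix as a per-attacker
        // identifier or as anything secret.
        def hour = new Date().format('HH') as Integer // 0-23
        def seed = hour
        def rnd = new Random(seed)
        def randomString = (1..10).collect { rnd.nextInt(26) + 'a'.code }.collect { it as char }.join()
        return "ERROR 1064 (42000): You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '[1,flag{something_is__WR0NG__fuid__" + randomString + "}]'"
    }
    return "error"
}

// Decrypts an AES-CBC/PKCS5 blob whose first 16 bytes are the IV and returns
// the plaintext as UTF-8. Throws IllegalArgumentException for a malformed
// length or key size. Not called anywhere in this copy of the script.
//
// Review: CBC without a MAC gives no integrity. If ciphertexts can be
// attacker-supplied and the caller lets a BadPaddingException be told apart
// from any other failure (message, timing, status code), this is a padding
// oracle. Prefer AES/GCM/NoPadding or encrypt-then-MAC for anything that
// crosses a trust boundary.
def decryptAES = { byte[] encryptedText, byte[] key ->
    // Validate up front so malformed input fails with one generic exception
    // instead of assorted JCE errors (short IV, bad key size, partial block).
    if (encryptedText == null || encryptedText.length < 32 || (encryptedText.length % 16) != 0) {
        throw new IllegalArgumentException("ciphertext must be a 16-byte IV followed by at least one 16-byte block")
    }
    if (key == null || !(key.length in [16, 24, 32])) {
        throw new IllegalArgumentException("AES key must be 16, 24 or 32 bytes")
    }
    def cipher = javax.crypto.Cipher.getInstance("AES/CBC/PKCS5Padding")
    def secretKey = new javax.crypto.spec.SecretKeySpec(key, "AES")
    def ivSpec = new javax.crypto.spec.IvParameterSpec(Arrays.copyOfRange(encryptedText, 0, 16))
    def body = Arrays.copyOfRange(encryptedText, 16, encryptedText.length)
    cipher.init(javax.crypto.Cipher.DECRYPT_MODE, secretKey, ivSpec)
    return new String(cipher.doFinal(body), "UTF-8")
}

//no return value
// Writes a canned page straight into ctx.response for path/URI scanners and
// returns 1 when it did. NOTE(review): this closure continues past the end of
// the captured page, and the phpMyAdmin body below appears to have lost its
// HTML tags in capture — restore both from the original script.
def infoDisclosureDeception = { inputString ->
    //uri_scanner
    inputString = inputString.toLowerCase()
    if (inputString.contains("/etc/passwd")) {
        if (!inputString.contains("union all select")) {
            ctx.response = "root:x:0:0:root:/root:/bin/bash\n" +
                "mysql:x:1:1:mysql:/usr/sbin:/usr/sbin/nologin\n" +
                "www-data:x:1:1:www-data:/var/www:/usr/sbin/nologin"
            //hw
            // ctx.response =""
            return 1
        }
    }
    if (inputString.contains("/phpmyadmin")) {
        ctx.response = "\n" + "phpMyAdmin\n" + ""
        return 1
    }
    if (inputString.contains("login") ||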
inputString.contains("signin")){ ctx.response ="