sqlmapproject / sqlmap

Automatic SQL injection and database takeover tool
http://sqlmap.org

waffit integration. #290

Closed unionor closed 11 years ago

unionor commented 11 years ago

Is it possible to integrate waffit into sqlmap? Or is it already done?

http://code.google.com/p/waffit/

stamparm commented 11 years ago

It's a cool tool, but looks unmaintained for some time. Now, personally, I believe that sqlmap would profit from using the same logic inside (detecting backend WAFs), but I am also scared that it would be too strenuous to maintain along with other stuff.

IMO, I am for a (new from glance) implementation into our code (code from there uses its custom connection wrappers) using "testing vectors" from there - slow implementation with LOW priority.

p.s. an idea of using a modular approach like in "tamper scripts" comes to my mind ;)

antisnatchor commented 11 years ago

It is unmaintained, Miro, you're right. Implementing new code, maybe partially based on waffit techniques, would be better IMHO.

stamparm commented 11 years ago

Added new switch --identify-waf. Principle is similar as with --tamper. All scripts from waf directory are run against the target to identify the WAF/IDS/IPS product. Currently there are 16 of those implemented. Big thanks goes to @whenov ;)

stamparm commented 11 years ago

p.s. all requests in this checking are cached so there are no unnecessary requests going on.
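The design described in the two comments above (one small detection script per product, all run against the same cached response), as an added sketch that is not part of the thread and is not sqlmap's code. The registry, the function names, the three simplified header and cookie signatures and the constructed sample responses are assumptions for illustration; it can be pointed at headers captured from your own edge to see which product fingerprints they expose.

```python
from functools import lru_cache

# Constructed sample responses (header lists), keyed by URL; no network access.
SAMPLE_RESPONSES = {
    "https://a.example/": [("Server", "cloudflare"), ("Set-Cookie", "sid=abc; Path=/")],
    "https://b.example/": [("Server", "Apache"),
                           ("Set-Cookie", "BIGipServerpool_web=167772.20480.0000; path=/")],
    "https://c.example/": [("Set-Cookie", "visid_incap_12345=xyz; HttpOnly"),
                           ("Set-Cookie", "incap_ses_1_12345=abc; path=/")],
    "https://d.example/": [("Server", "nginx")],
}
FETCH_COUNT = {"n": 0}  # counts simulated requests, to show the effect of caching

@lru_cache(maxsize=None)
def fetch_headers(url):
    """Stand-in for one HTTP request; cached so every detector shares it."""
    FETCH_COUNT["n"] += 1
    return tuple(SAMPLE_RESPONSES[url])

def cookie_names(headers):
    """Cookie names set by the response, one per Set-Cookie header."""
    return [v.split("=", 1)[0].strip() for k, v in headers if k.lower() == "set-cookie"]

DETECTORS = {}  # product name -> detection function (hypothetical registry)

def detector(product):
    def register(fn):
        DETECTORS[product] = fn
        return fn
    return register

@detector("CloudFlare")
def detect_cloudflare(headers):
    return any(k.lower() == "server" and "cloudflare" in v.lower() for k, v in headers)

@detector("F5 BIG-IP")
def detect_bigip(headers):
    return any(n.startswith("BIGipServer") for n in cookie_names(headers))

@detector("Incapsula")
def detect_incapsula(headers):
    return any(n.startswith(("visid_incap_", "incap_ses_")) for n in cookie_names(headers))

def identify_waf(url):
    """Run every registered detector; only the first fetch per URL does any work."""
    return sorted(p for p, fn in DETECTORS.items() if fn(fetch_headers(url)))

if __name__ == "__main__":
    for url in SAMPLE_RESPONSES:
        print(url, identify_waf(url) or "no match")
```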

antisnatchor commented 11 years ago

Nice one ;-) I will try it soon.



champ1 commented 11 years ago

fucking great..:)

I look forward to auto use tamper script based on waf output.. hehe

Thx guys..:)

stamparm commented 11 years ago

There was a "bug" involved prior to commit f6b43b4 in "Set-Cookie" based WAF scripts. Now fixed.

stamparm commented 11 years ago

$ ls -1 sqlmap/waf
airlock.py
barracuda.py
bigip.py
binarysec.py
ciscoacexml.py
cloudflare.py
datapower.py
denyall.py
dotdefender.py
hyperguard.py
incapsula.py
__init__.py
isaserver.py
modsecurity.py
netcontinuum.py
netscaler.py
profense.py
proventia.py
secureiis.py
teros.py
trafficshield.py
uspses.py
webappsecure.py
webknight.py

kirtixs commented 11 years ago

Wow, very nice :)