diff --git a/src/libinjection_sqli.c b/src/libinjection_sqli.c
index cecbbea3..8b4df139 100644
--- a/src/libinjection_sqli.c
+++ b/src/libinjection_sqli.c
@@ -244,18 +244,21 @@ static int streq(const char *a, const char *b)
* given a mapping/hash of string to char
* this is just
* typecode = mapping[key.upper()]
- */
+
+// key 代表 需要查询的值
+// len 代表这个查询的长度
+// keyword_t 代表sql_keywords 的指针
+// numb 代表 sql_keywords_sz 的size
+ */
static char bsearch_keyword_type(const char *key, size_t len, const keyword_t * keywords, size_t numb) {
size_t pos;
size_t left = 0;
size_t right = numb - 1;
-
while (left < right) {
pos = (left + right) >> 1;
-
/* arg0 = upper case only, arg1 = mixed case */
if (cstrcasecmp(keywords[pos].word, key, len) < 0) {
left = pos + 1;
@@ -428,23 +431,23 @@ static size_t parse_dash(struct libinjection_sqli_state * sf)
* 5) -[not dash] '-' is a unary operator
*/
- if (pos + 2 < slen && cs[pos + 1] == '-' && char_is_white(cs[pos+2]) ) {
+ if (pos + 2 == slen && cs[pos + 1] == '-' && char_is_white(cs[pos+2]) ) {
return parse_eol_comment(sf);
} else if (pos +2 == slen && cs[pos + 1] == '-') {
return parse_eol_comment(sf);
- } else if (pos + 1 < slen && cs[pos + 1] == '-' && (sf->flags & FLAG_SQL_ANSI)) {
+ } else if (pos + 1 == slen && cs[pos + 1] == '-' && (sf->flags & FLAG_SQL_ANSI)) {
/* --[not-white] not-white case:
*
*/
sf->stats_comment_ddx += 1;
return parse_eol_comment(sf);
+
} else {
- st_assign_char(sf->current, TYPE_OPERATOR, pos, 1, '-');
+ st_assign_char(sf->current, TYPE_OPERATOR, pos, 1, '-');
return pos + 1;
}
}
-
/** This detects MySQL comments, comments that
* start with /x! We just ban these now but
* previously we attempted to parse the inside
@@ -1235,6 +1238,9 @@ int libinjection_sqli_tokenize(struct libinjection_sqli_state * sf)
*/
const unsigned char ch = (unsigned char) (s[*pos]);
+
+
+
/*
* look up the parser, and call it
*
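Review bot: The four `//` lines added ahead of the closing `*/` land inside the existing block comment, so they compile only because of where they sit, and they are in Chinese while the rest of this file documents in English. I would fold them into the block comment in English, e.g. ` * key/len: the string to classify (not NUL-terminated, len is its length)` and ` * keywords/numb: the keyword_t table and its element count (sql_keywords / sql_keywords_sz for the built-in table); the table must be sorted, since this is a binary search`. The hunk also deletes the blank lines before `while` and before the `/* arg0 ... */` comment, which is unrelated noise in a change that is otherwise about documentation. bsearch_keyword_type's body continues past the end of the hunk.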
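Review bot: Changing `pos + 2 < slen` to `pos + 2 == slen` in the first condition, and `pos + 1 < slen` to `pos + 1 == slen` in the third, makes both branches read `cs[pos+2]` and `cs[pos+1]` at index slen, one byte past the input; slen appears to be an explicit length, so a terminator at that position is not guaranteed. It also means a `--` that is not the last two bytes of the input never reaches the comment branches and falls through to the `-` operator case, so something like `' OR 1=1 -- x` now tokenizes as two unary minus operators instead of an EOL comment, which changes the fingerprint and is a detection bypass for the most common SQLi comment terminator. The second branch already covers `--` at end of input, so after this change the first branch is fully redundant and the third can only fire by reading past the buffer. Unless a test shows otherwise, revert both comparisons: `if (pos + 2 < slen && cs[pos + 1] == '-' && char_is_white(cs[pos+2]) ) {` and `} else if (pos + 1 < slen && cs[pos + 1] == '-' && (sf->flags & FLAG_SQL_ANSI)) {`. parse_dash starts before the hunk, so the declarations of cs, pos and slen are not visible here.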
@@ -1248,11 +1254,15 @@ int libinjection_sqli_tokenize(struct libinjection_sqli_state * sf)
/*
*
*/
+
+
if (current->type != CHAR_NULL) {
sf->stats_tokens += 1;
+
return TRUE;
}
}
+
return FALSE;
}
@@ -1396,7 +1406,7 @@ int libinjection_sqli_fold(struct libinjection_sqli_state * sf)
break;
}
}
-
+
if (! more) {
/* If input was only comments, unary or (, then exit */
return 0;
@@ -1884,7 +1894,6 @@ int libinjection_sqli_fold(struct libinjection_sqli_state * sf)
if (left > LIBINJECTION_SQLI_MAX_TOKENS) {
left = LIBINJECTION_SQLI_MAX_TOKENS;
}
-
return (int)left;
}
@@ -1927,6 +1936,9 @@ const char* libinjection_sqli_fingerprint(struct libinjection_sqli_state * sql_s
sql_state->fingerprint[i] = sql_state->tokenvec[i].type;
}
+
+
+
/*
* make the fingerprint pattern a c-string (null delimited)
*/
@@ -1953,7 +1965,6 @@ const char* libinjection_sqli_fingerprint(struct libinjection_sqli_state * sql_s
sql_state->tokenvec[1].type = CHAR_NULL;
}
-
return sql_state->fingerprint;
}
@@ -2260,6 +2271,7 @@ int libinjection_is_sqli(struct libinjection_sqli_state * sql_state)
libinjection_sqli_fingerprint(sql_state, FLAG_QUOTE_NONE | FLAG_SQL_ANSI);
if (sql_state->lookup(sql_state, LOOKUP_FINGERPRINT, sql_state->fingerprint, strlen(sql_state->fingerprint))) {
+
return TRUE;
} else if (reparse_as_mysql(sql_state)) {
libinjection_sqli_fingerprint(sql_state, FLAG_QUOTE_NONE | FLAG_SQL_MYSQL);
@@ -2268,6 +2280,8 @@ int libinjection_is_sqli(struct libinjection_sqli_state * sql_state)
return TRUE;
}
}
+
+
/*
* if input has a single_quote, then
@@ -2302,6 +2316,8 @@ int libinjection_is_sqli(struct libinjection_sqli_state * sql_state)
return TRUE;
}
}
+
+
/*
* Hurray, input is not SQLi
diff --git a/src/libinjection_sqli_data.h b/src/libinjection_sqli_data.h
index f5e14541..08e858ee 100644
--- a/src/libinjection_sqli_data.h
+++ b/src/libinjection_sqli_data.h
@@ -1,4 +1,3 @@
-
#ifndef LIBINJECTION_SQLI_DATA_H
#define LIBINJECTION_SQLI_DATA_H
@@ -604,6 +603,7 @@ static const keyword_t sql_keywords[] = {
{"01&N&F", 'F'},
{"01&N&N", 'F'},
{"01&N&S", 'F'},
+ {"01&N(E", 'F'},
{"01&N&V", 'F'},
{"01&N)&", 'F'},
{"01&N)C", 'F'},
@@ -5147,6 +5147,7 @@ static const keyword_t sql_keywords[] = {
{"0S&1)C", 'F'},
{"0S&1)O", 'F'},
{"0S&1)U", 'F'},
+ {"0S&11S",'F'},
{"0S&1;", 'F'},
{"0S&1;C", 'F'},
{"0S&1;E", 'F'},
@@ -5168,9 +5169,12 @@ static const keyword_t sql_keywords[] = {
{"0S&1KS", 'F'},
{"0S&1KV", 'F'},
{"0S&1O(", 'F'},
+ {"0S&1OE", 'F'},
{"0S&1OF", 'F'},
{"0S&1OS", 'F'},
{"0S&1OV", 'F'},
+ {"0S&1O{", 'F'},
+ { "0S&1S", 'F' },
{"0S&1TN", 'F'},
{"0S&1U", 'F'},
{"0S&1U(", 'F'},
@@ -5248,6 +5252,8 @@ static const keyword_t sql_keywords[] = {
{"0S&N&N", 'F'},
{"0S&N&S", 'F'},
{"0S&N&V", 'F'},
+ { "0S&N()", 'F' },
+ {"0S&N(E", 'F'},
{"0S&N)&", 'F'},
{"0S&N)C", 'F'},
{"0S&N)O", 'F'},
@@ -5375,6 +5381,9 @@ static const keyword_t sql_keywords[] = {
{"0S&VU;", 'F'},
{"0S&VUC", 'F'},
{"0S&VUE", 'F'},
+ {"0S&{(F", 'F'},
+ {"0S&{F(", 'F'},
+ {"0S&{FF", 'F'},
{"0S(EF(", 'F'},
{"0S(EKF", 'F'},
{"0S(EKN", 'F'},
@@ -6302,7 +6311,9 @@ static const keyword_t sql_keywords[] = {
{"0SO1N&", 'F'},
{"0SO1N(", 'F'},
{"0SO1N,", 'F'},
+ {"0SO1N1", 'F'},
{"0SO1NE", 'F'},
+ {"0SO1NN", 'F'},
{"0SO1NU", 'F'},
{"0SO1SU", 'F'},
{"0SO1SV", 'F'},
@@ -6428,6 +6439,7 @@ static const keyword_t sql_keywords[] = {
{"0SONKS", 'F'},
{"0SONKU", 'F'},
{"0SONKV", 'F'},
+ {"0SONS", 'F'},
{"0SONSU", 'F'},
{"0SONT(", 'F'},
{"0SONT1", 'F'},
@@ -6636,6 +6648,7 @@ static const keyword_t sql_keywords[] = {
{"0SOVUS", 'F'},
{"0SOVUT", 'F'},
{"0SOVUV", 'F'},
+ {"0SO{F(", 'F'},
{"0ST(1)", 'F'},
{"0ST(1O", 'F'},
{"0ST(F(", 'F'},
@@ -9648,5 +9661,5 @@ static const keyword_t sql_keywords[] = {
{"||", '&'},
{"~*", 'o'},
};
-static const size_t sql_keywords_sz = 9352;
+static const size_t sql_keywords_sz = 9366;
#endif
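Review bot: `{"01&N(E", 'F'},` is inserted before `{"01&N&V", 'F'},`, but `(` (0x28) sorts after `&` (0x26), so the new entry is out of order and belongs after `01&N&V` and before `01&N)&`, assuming cstrcasecmp orders non-letters by byte value. This table is consumed by bsearch_keyword_type in libinjection_sqli.c (visible earlier in this diff, with numb documented as sql_keywords_sz), so an unsorted entry may never be found and can also misdirect lookups for its neighbours, which for a fingerprint blacklist means a silent false negative; the other thirteen additions appear to be in the right position, and the bump of sql_keywords_sz from 9352 to 9366 matches the fourteen entries added. The file reads as generated output (uniform table plus a computed size constant), so if a source data file and generator exist in this repository the fingerprints are better added there and the header regenerated, which would also keep the ordering correct by construction.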
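Review bot: The new entries are formatted three different ways, `{"0S&11S",'F'},` with no space after the comma here and `{ "0S&1S", 'F' },` and `{ "0S&N()", 'F' },` with padded braces in the next two hunks, while every surrounding line uses `{"...", 'F'},`. Matching the existing form, `{"0S&11S", 'F'},`, `{"0S&1S", 'F'},` and `{"0S&N()", 'F'},`, keeps the table greppable and avoids churn if it is ever regenerated.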