From 13f7ac794a260da1259729d202878405f569ab13 Mon Sep 17 00:00:00 2001
From: Riccardo Tempesta
Date: Sat, 9 Sep 2017 17:05:13 +0200
Subject: [PATCH] Bugfix for false positives
---
 Api/ProcessorInterface.php | 6 +-
 Model/Detector/Language.php | 5 +
 Model/Detector/SqlInjection.php | 6 +-
 Model/Detector/Xss.php | 6 +-
 Model/Ips.php | 41 +--
 Model/Processor/Basic.php | 9 +-
 Model/Processor/Charset.php | 22 +-
 Model/Processor/Unpack.php | 27 +-
 Test/Integration/Model/IpsTest.php | 407 ++++++++++++++++++++++-------
 etc/di.xml | 2 +-
 etc/module.xml | 2 +-
 11 files changed, 387 insertions(+), 146 deletions(-)
diff --git a/Api/ProcessorInterface.php b/Api/ProcessorInterface.php
index 6cc5d77..001821d 100644
--- a/Api/ProcessorInterface.php
+++ b/Api/ProcessorInterface.php
@@ -22,11 +22,15 @@ interface ProcessorInterface {
+ const RES_NO_MATCH = 'no-match';
+ const RES_REPLACE = 'replace';
+ const RES_SPAWN = 'spawn';
+
 /**
 * Dig field and return true if matched
 * @param string $fieldName
 * @param string &$fieldValue
- * @return boolean
+ * @return string
 */
 public function processValue($fieldName, &$fieldValue);
 }
diff --git a/Model/Detector/Language.php b/Model/Detector/Language.php
index 47f4918..bcb8cd2 100644
--- a/Model/Detector/Language.php
+++ b/Model/Detector/Language.php
@@ -78,6 +78,11 @@ public function encodeQuery($fieldName, $fieldValue, &$threats)
 'id' => static::RESCODE_SCRIPT_INJECTION,
 'reason' => __('Code execution attempt'),
 'regex' => [
+ '\\`.+?\\`' => DetectorInterface::SCORE_CRITICAL_MATCH,
+ 'exec\\s*\\(' => DetectorInterface::SCORE_CRITICAL_MATCH,
+ 'system\\s*\\(' => DetectorInterface::SCORE_CRITICAL_MATCH,
+ 'passthru\\s*\\(' => DetectorInterface::SCORE_CRITICAL_MATCH,
+ 'popen\\s*\\(' => DetectorInterface::SCORE_CRITICAL_MATCH,
 'eval\\s*\\(' => DetectorInterface::SCORE_CRITICAL_MATCH,
 '(?:preg|ereg|eregi)_(?:replace|match|split|filter)' .
 '(?:[\\w\\_]+)*\\s*\\(' => DetectorInterface::SCORE_CRITICAL_MATCH,
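Review bot: The docblock on processValue still reads "Dig field and return true if matched" although the hunk changes `@return` to string, so nothing documents what the three new RES_* constants mean or which one an implementation must return; Basic.php in this same patch copies the stale summary. I would replace it with `Normalise or decode the field value in place and return RES_NO_MATCH (value untouched), RES_REPLACE (the new value supersedes the old one) or RES_SPAWN (the new value is scanned in addition to the old one)`, which matches how Ips::runProcessors treats them further down in this patch. It is also worth stating next to the constants that implementations must return one of them and never a bare bool, because runProcessors treats any value other than RES_NO_MATCH as a match.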
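Review bot: The new `'\\`.+?\\`'` and `'system\\s*\\('` rules are scored SCORE_CRITICAL_MATCH yet both match ordinary text — any field with two backticks (markdown inline code in a review or comment) and prose such as "operating system (Windows)" — which is the kind of false positive this patch is meant to remove. I would score those two at DetectorInterface::SCORE_LOW_PROBABILITY_MATCH (the level this patch already uses in SqlInjection.php) and keep the critical score for `exec`, `passthru` and `popen`, whose names are unambiguous as call tokens. Whether the patterns are applied case-insensitively is not visible in this hunk; a negative fixture with a harmless backtick-quoted string next to the attack fixtures in IpsTest would make the intended behaviour explicit. The enclosing encodeQuery method starts and ends outside the hunk.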
diff --git a/Model/Detector/SqlInjection.php b/Model/Detector/SqlInjection.php
index f1f4c81..e92eeeb 100644
--- a/Model/Detector/SqlInjection.php
+++ b/Model/Detector/SqlInjection.php
@@ -265,7 +265,7 @@ protected function encodeQuery($query, array &$threats)
 $tokens = preg_split('/(\b)/', $query, -1, PREG_SPLIT_DELIM_CAPTURE | PREG_SPLIT_NO_EMPTY);
 foreach ($tokens as $token) {
 $token = mb_strtolower(trim($token));
- if (!$token || in_array($token, ['.'])) {
+ if (!strlen($token) || in_array($token, ['.'])) {
 continue;
 }
@@ -466,7 +466,7 @@ protected function evaluateEncodedQuery($encodedQuery, array &$threats)
 'id' => static::RESCODE_SQLI_INJECTION,
 'reason' => __('SQL operations injection'),
 'regex' => [
- 'f' => DetectorInterface::SCORE_SUSPICIOUS_MATCH, // MySQL functions without opening parenthesis
+// 'f' => DetectorInterface::SCORE_LOW_PROBABILITY_MATCH, // MySQL functions without opening parenthesis
 'f\\(' => DetectorInterface::SCORE_CRITICAL_MATCH, // MySQL functions with opening parenthesis
 's(?:o|k){0,8}y' => DetectorInterface::SCORE_CRITICAL_MATCH, // insert into tablename
@@ -500,7 +500,7 @@ protected function evaluateEncodedQuery($encodedQuery, array &$threats)
 'id' => static::RESCODE_SQLI_INJECTION,
 'reason' => __('Arguments injection'),
 'regex' => [
- 'x\,' => DetectorInterface::SCORE_SUSPICIOUS_MATCH,
+ 'x\,' => DetectorInterface::SCORE_LOW_PROBABILITY_MATCH,
 ]
 ]
 ];
diff --git a/Model/Detector/Xss.php b/Model/Detector/Xss.php
index 93fe466..7dc30be 100644
--- a/Model/Detector/Xss.php
+++ b/Model/Detector/Xss.php
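Review bot: The fix on the changed line is right in substance — `!$token` treated the token `"0"` as empty and dropped it from the token stream — but `in_array($token, ['.'])` is a loose comparison and `strlen()` is an indirect way to test for an empty string; `if ($token === '' || $token === '.') {` says the same thing directly. The `0 or 1=1` fixture added to IpsTest pins this behaviour, so a comment such as `// keep "0": falsy but a real token` would tell the next reader why truthiness is not used here. encodeQuery starts and ends outside the hunk.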
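Review bot: The `'f'` rule is commented out inside the array literal instead of deleted, and the commented text also changes its score to SCORE_LOW_PROBABILITY_MATCH, so it is unclear whether the rule is gone or meant to come back at a lower weight. Either delete the line (version control keeps it) or keep it live at the lower score, as the third hunk does for `'x\,'`. If it stays removed, a one-line comment such as `// bare function names without a parenthesis are not scored: too many hits on plain words` records the decision. evaluateEncodedQuery starts and ends outside the hunk.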
@@ -260,9 +260,11 @@ protected function evaluateQuery($value, array &$threats)
 'id' => static::RESCODE_SCRIPT_INJECTION,
 'reason' => __('JS injection'),
 'regex' => [
- 'location\\.href' => DetectorInterface::SCORE_CRITICAL_MATCH,
+ 'location\\s*\\.\\s*href' => DetectorInterface::SCORE_CRITICAL_MATCH,
 '\\.to(\\w{3,5})string\\s*\\(' => DetectorInterface::SCORE_CRITICAL_MATCH,
- '(?:this|window|top|parent|frames|self|content)\\.(?:location|document)' => DetectorInterface::SCORE_CRITICAL_MATCH,
+ 'alert\\s*\\(' => DetectorInterface::SCORE_CRITICAL_MATCH,
+ '(?:this|window|top|parent|frames|self|content)\\s*\\.\\s*(?:location|document)' => DetectorInterface::SCORE_CRITICAL_MATCH,
+ 'document\\s*\\.\\s*\\w+' => DetectorInterface::SCORE_CRITICAL_MATCH,
 'getelementby(?:names|id|classname|tag|tagname)\\s*\\(' => DetectorInterface::SCORE_CRITICAL_MATCH,
 'queryselector(?:all)?\\s*\\(' => DetectorInterface::SCORE_CRITICAL_MATCH,
 ]
diff --git a/Model/Ips.php b/Model/Ips.php
index 9496e0b..cebc098 100644
--- a/Model/Ips.php
+++ b/Model/Ips.php
@@ -1,4 +1,5 @@ detectors = $detectors; $this->filters = $filters; $this->processors = $processors;
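Review bot: `'document\\s*\\.\\s*\\w+'` at SCORE_CRITICAL_MATCH matches any file-name-like text, e.g. "document.pdf" or "see the attached document. Thanks", so a harmless customer message now scores as a critical JS injection — the opposite of what this patch sets out to fix. The other new rules are tied to a call (`alert\\s*\\(`) or to a host-object prefix and are far less likely to hit prose; I would narrow this one to the DOM members the detector cares about, e.g. `'document\\s*\\.\\s*(?:cookie|location|write|domain)'`, and add a negative fixture with a value like "document.docx". Whether the patterns run case-insensitively is not visible here (the lowercase `getelementby` rule suggests they do), which would widen the match further. evaluateQuery starts and ends outside the hunk.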
@@ -53,17 +52,30 @@ protected function runProcessors($fieldName, $fieldValue, array &$values = []) {
 if ($fieldValue) {
 if (is_string($fieldValue)) {
- $preFieldValue = $fieldValue;
-
 foreach ($this->processors as $processor) {
- if ($processor->processValue($fieldName, $fieldValue)) {
- $this->runProcessors($fieldName, $fieldValue, $values);
+ $preFieldValue = $fieldValue;
+ $values[] = $preFieldValue;
+ $res = $processor->processValue($fieldName, $fieldValue);
+
+ // Remove old value, so the new one can replace it
+ if ($res === ProcessorInterface::RES_REPLACE) {
+ while (($n = array_search($preFieldValue, $values)) !== false) {
+ unset($values[$n]);
+ }
+ }
+
+ if (is_array($fieldValue)) {
 break;
 }
- }
- if (!is_array($fieldValue)) {
- $values[] = $preFieldValue;
+ if ($res === ProcessorInterface::RES_SPAWN) {
+ $values[] = $fieldValue;
+ }
+
+ if ($res !== ProcessorInterface::RES_NO_MATCH) {
+ $this->runProcessors($fieldName, $fieldValue, $values);
+ break;
+ }
 }
 }
@@ -102,7 +114,6 @@ protected function runDetectors($fieldName, $fieldValue, &$threats)
 ];
 $scanThreat->setAdditional($additional);
 }
-
 $threats = array_merge($threats, $scanThreats);
 }
 }
@@ -123,12 +134,10 @@ protected function shouldScan($fieldName, $fieldValue)
 if ($res == FilterInterface::MUST_SCAN) {
 return true;
 }
-
 if ($res == FilterInterface::NO_SCAN) {
 return false;
 }
 }
-
 return true;
 }
@@ -143,7 +152,6 @@ public function scanRequest(array $request)
 foreach ($request as $area => $params) {
 foreach ($params as $k => $v) {
 $fieldKey = $area . '.' . $k;
-
 $possibleValues = [];
 $this->runProcessors($fieldKey, $v, $possibleValues);
 $possibleValues = array_unique($possibleValues);
@@ -159,7 +167,6 @@ public function scanRequest(array $request)
 $scanResult = $this->scanResultInterfaceFactory->create([
 'threats' => $threats,
 ]);
-
 return $scanResult;
 }
-}
+}
\ No newline at end of file
diff --git a/Model/Processor/Basic.php b/Model/Processor/Basic.php
index e874b16..7e8cb2a 100644
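Review bot: `array_search($preFieldValue, $values)` in the new RES_REPLACE branch is a loose search, so for numeric-looking candidates PHP's `==` can remove a different value than the one the processor replaced (`'1e3' == '1000'` is true), silently dropping it from the scan set; use `while (($n = array_search($preFieldValue, $values, true)) !== false) {`. The final `$res !== ProcessorInterface::RES_NO_MATCH` test also treats anything that is not exactly that string — including the bare `false` Charset.php still returns in this patch — as a match and recurses, so an allow-list (`$res === RES_REPLACE || $res === RES_SPAWN`) would be the safer guard. runProcessors starts before this hunk; the `if ($fieldValue)` guard it keeps also skips the string `"0"`, the same value the SqlInjection.php change in this patch stops dropping.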
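Review bot: The `-}`/`+}` pair at the end of Ips.php exists only because the file lost its trailing newline (`\ No newline at end of file`), and Unpack.php loses it the same way in its last hunk; PSR-2/PSR-12 require a single LF at end of file and php-cs-fixer/phpcs will flag both. Restoring the newline removes the spurious diff in each file. The remaining hunks in Ips.php (`@@ -102`, `@@ -123`, `@@ -143`) only drop blank lines.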
--- a/Model/Processor/Basic.php
+++ b/Model/Processor/Basic.php
@@ -25,16 +25,17 @@ class Basic implements ProcessorInterface {
 /**
- * Return scanning results
+ * Dig field and return true if matched
 * @param string $fieldName
 * @param string &$fieldValue
- * @return boolean
+ * @return string
 */
 public function processValue($fieldName, &$fieldValue)
 {
 $originalValue = $fieldValue;
- $fieldValue = preg_replace("/[\r\n\s]+/", ' ', trim($originalValue));
+ $res = preg_replace("/[\r\n\s]+/", ' ', trim($fieldValue));
+ $fieldValue = $res;
- return ($originalValue !== $fieldValue);
+ return ($originalValue !== $fieldValue) ? ProcessorInterface::RES_REPLACE : ProcessorInterface::RES_NO_MATCH;
 }
 }
diff --git a/Model/Processor/Charset.php b/Model/Processor/Charset.php
index 67c82fb..1c58c35 100644
--- a/Model/Processor/Charset.php
+++ b/Model/Processor/Charset.php
@@ -32,17 +32,17 @@ class Charset implements ProcessorInterface
 */
 public function processValue($fieldName, &$fieldValue)
 {
- $utf8 = utf8_decode($fieldValue);
- if ($utf8 !== $fieldValue) {
- $fieldValue = $utf8;
- return true;
- }
-
- $utf7 = mb_convert_encoding($fieldValue, 'UTF-8', 'UTF-7');
- if ($utf7 !== $fieldValue) {
- $fieldValue = $utf7;
- return true;
- }
+// $utf8 = utf8_decode($fieldValue);
+// if ($utf8 !== $fieldValue) {
+// $fieldValue = $utf8;
+// return true;
+// }
+//
+// $utf7 = mb_convert_encoding($fieldValue, 'UTF-8', 'UTF-7');
+// if ($utf7 !== $fieldValue) {
+// $fieldValue = $utf7;
+// return true;
+// }
 return false;
 }
diff --git a/Model/Processor/Unpack.php b/Model/Processor/Unpack.php
index af1a044..bb37e2d 100644
--- a/Model/Processor/Unpack.php
+++ b/Model/Processor/Unpack.php
@@ -29,7 +29,6 @@ class Unpack implements ProcessorInterface
 * @var DecoderInterface
 */
 private $decoder;
-
 /**
 * @var array
 */
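Review bot: `preg_replace()` returns null when PCRE fails (for instance on the backtrack limit for a very long input), and the rewritten lines then store null in `$fieldValue` and report RES_REPLACE; Ips::runProcessors in this same patch deletes the original value from the candidate list on RES_REPLACE and never scans a null replacement, so a regex failure removes the field from detection altogether. Fail closed with `if ($res === null) { return ProcessorInterface::RES_NO_MATCH; }` before the assignment. The `$res` temporary otherwise adds nothing over assigning `$fieldValue` directly, and the summary copied from the interface ("return true if matched") no longer describes a string return; `Collapse runs of whitespace to a single space; RES_REPLACE when the value changed, RES_NO_MATCH otherwise` would.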
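Review bot: processValue still returns a bare `false` although the interface in this patch now documents a string return, and Ips::runProcessors (same patch) stops recursing only on `ProcessorInterface::RES_NO_MATCH` — `false !== 'no-match'` holds, so each pass through Charset re-enters runProcessors with an unchanged value and does not appear to terminate unless Charset is no longer wired as a processor (the two-line etc/di.xml change is not shown, so I cannot confirm that). Return `ProcessorInterface::RES_NO_MATCH;` regardless. Commenting the body out keeps dead code in the method; if charset normalisation is being retired, remove the class or leave a one-line comment giving the reason (`utf8_decode` turns anything outside Latin-1 into `?`, a plausible source of the false positives) rather than the old implementation.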
@@ -38,7 +37,8 @@ class Unpack implements ProcessorInterface
 public function __construct(
 DecoderInterface $decoder,
 array $skip = []
- ) {
+ )
+ {
 $this->decoder = $decoder;
 $this->skip = $skip;
 }
@@ -47,12 +47,19 @@ public function __construct(
 * Return scanning results
 * @param string $fieldName
 * @param string &$fieldValue
- * @return boolean
+ * @return string
 */
 public function processValue($fieldName, &$fieldValue)
 {
 if (in_array($fieldName, $this->skip)) {
- return false;
+ return ProcessorInterface::RES_NO_MATCH;
+ }
+
+ // Check if it is an html encoded string
+ $res = html_entity_decode($fieldValue, ENT_QUOTES | ENT_HTML5, 'UTF-8');
+ if ($res !== $fieldValue) {
+ $fieldValue = $res;
+ return ProcessorInterface::RES_REPLACE;
 }
 // Check if it is a base64 string
@@ -61,7 +68,7 @@ public function processValue($fieldName, &$fieldValue)
 ) {
 if ($res = base64_decode($fieldValue)) {
 $fieldValue = $res;
- return true;
+ return ProcessorInterface::RES_SPAWN;
 }
 }
@@ -74,7 +81,7 @@ public function processValue($fieldName, &$fieldValue)
 ) {
 try {
 $fieldValue = $this->decoder->decode($fieldValue);
- return true;
+ return ProcessorInterface::RES_REPLACE;
 } catch (\Exception $e) {
 }
 }
@@ -83,7 +90,7 @@ public function processValue($fieldName, &$fieldValue)
 $urlDecoded = urldecode($fieldValue);
 if ($urlDecoded !== $fieldValue) {
 $fieldValue = $urlDecoded;
- return true;
+ return ProcessorInterface::RES_SPAWN;
 }
 // Check PHP serialized variable
@@ -91,12 +98,12 @@ public function processValue($fieldName, &$fieldValue)
 try {
 if ($res = unserialize($fieldValue)) {
 $fieldValue = $res;
- return true;
+ return ProcessorInterface::RES_REPLACE;
 }
 } catch (\Exception $e) {
 }
 }
- return false;
+ return ProcessorInterface::RES_NO_MATCH;
 }
-}
+}
\ No newline at end of file
diff --git a/Test/Integration/Model/IpsTest.php b/Test/Integration/Model/IpsTest.php
index b784f95..ab2ff1b 100644
--- a/Test/Integration/Model/IpsTest.php
+++ b/Test/Integration/Model/IpsTest.php
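Review bot: Moving `{` onto its own line after a multi-line parameter list goes against PSR-12, which puts `) {` together on one line when the closing parenthesis is on its own line; the removed `- ) {` form was the conforming one, and phpcs with the PSR12 standard will report the new layout. The change is unrelated to the false-positive fix and could be dropped from this patch.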
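Review bot: The docblock above the changed `@return` still reads "Return scanning results", which this method never does; I would make it `Undo one layer of encoding in place (HTML entities, base64, the injected decoder, URL encoding, PHP serialization) and return RES_REPLACE, RES_SPAWN or RES_NO_MATCH`. `in_array($fieldName, $this->skip)` compares request field names loosely — pass `true` as the third argument. The new html_entity_decode step returns RES_REPLACE, so Ips::runProcessors drops the entity-encoded original and scans only the decoded form, while the base64 and URL steps below return RES_SPAWN and keep both; if that asymmetry is deliberate, a comment on the new block saying so would stop it being "fixed" later.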
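Review bot: The new `return ProcessorInterface::RES_REPLACE;` keeps `unserialize($fieldValue)` running on the raw request value inside a component whose entire input is untrusted: a serialized object string is instantiated, with its `__wakeup` and `__destruct` hooks, before any detector has scored it. Since PHP 7.0 the call can be confined to scalars and arrays with `unserialize($fieldValue, ['allowed_classes' => false])`, which still recognises the serialized format (objects come back as `__PHP_Incomplete_Class`) and is all this processor needs. The surrounding `try { } catch (\Exception $e) { }` silently swallows every failure, and the truthiness test on `$res` ignores serialized `false`, `0` and empty values, which is harmless here but worth a comment.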
@@ -12,100 +12,320 @@ public function testMySQLInjectionAttackPatterns() ->create('MSP\Shield\Model\Ips'); $fieldName = 'somefield'; - $tests = [ // A set of attack patterns found in fuzzdb, OWASP db and surfing the web - "' or 1=1 --", - "' or 1 or '", - "' or 1 or 1 or 1 or 1 or '", - " or 1 or 1 or 1 or 1", - "1 and 1=1", - "1' and 1=(select count(*) from admin_user); --", - "1 or 1=1", - "1' or '1'='1", - "1'or'1'='1", - "fake@ema'or'il.nl'='il.nl", - "'; desc admin_user; --", - "1' and 1 = '1", - "' or username is not NULL or username = '", - "1 and ascii(lower(substring((select top 1 name from admin_user where xtype='u'), 1, 1))) > 116", - "1 union all select 1,2,3,4,5,6,name from admin_user where xtype = 'u' --", - "1 uni/**/on select all from admin_user where", - "username' OR 1=1 --", - "'OR '' = ' Allows authentication without a valid username.", - "username' --", - "' union select 1, 'somefield', 'someother' 1 --", - "'OR 1=1--", - "create table myfile (input TEXT);", - "load data infile 'filepath' into table admin_user; select * from admin_user;", - "' or 1 --", - "' or 1 -- adasd ", - "' or 1=1 --", - "or 1=1 --", - "' OR ''='", - "' or 'a'='a", - '" or "a"="a', - "') or ('a'='a", - "' OR EXISTS(SELECT * FROM users WHERE name='jake' AND password LIKE '%w%') AND ''='", - "' OR EXISTS(SELECT * FROM users WHERE name='jake' AND password LIKE '__w%') AND ''='", - "'OR''='", - "' OR EXISTS(SELECT 1 FROM dual WHERE database() LIKE '%j%') AND ''='", - "' OR EXISTS(SELECT * FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_SCHEMA='test' AND TABLE_NAME='one') AND ''='", - "' OR (SELECT COUNT(*) FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_SCHEMA LIKE '%j%')>1 AND ''='", - "' OR (SELECT COUNT(*) FROM users)>10 AND ''='", - "' OR EXISTS(SELECT * FROM users WHERE name LIKE '%r%') AND ''='", - "' OR EXISTS(SELECT * FROM users WHERE name!='jake' AND name LIKE '%a%') AND ''='", - "' or '1'='1' -- '", - "' or '1'='1' ({ '", - "' or '1'='1' /* '", + $tests = explode("\n", <<< 
__EOF__ +sleep(__TIME__)# +1 or sleep(__TIME__)# +" or sleep(__TIME__)# +' or sleep(__TIME__)# +" or sleep(__TIME__)=" +' or sleep(__TIME__)=' +1) or sleep(__TIME__)# +") or sleep(__TIME__)=" +') or sleep(__TIME__)=' +1)) or sleep(__TIME__)# +")) or sleep(__TIME__)=" +')) or sleep(__TIME__)=' +;waitfor delay '0:0:__TIME__'-- +);waitfor delay '0:0:__TIME__'-- +';waitfor delay '0:0:__TIME__'-- +";waitfor delay '0:0:__TIME__'-- +');waitfor delay '0:0:__TIME__'-- +");waitfor delay '0:0:__TIME__'-- +));waitfor delay '0:0:__TIME__'-- +'));waitfor delay '0:0:__TIME__'-- +"));waitfor delay '0:0:__TIME__'-- +benchmark(10000000,MD5(1))# +1 or benchmark(10000000,MD5(1))# +" or benchmark(10000000,MD5(1))# +' or benchmark(10000000,MD5(1))# +1) or benchmark(10000000,MD5(1))# +") or benchmark(10000000,MD5(1))# +') or benchmark(10000000,MD5(1))# +1)) or benchmark(10000000,MD5(1))# +")) or benchmark(10000000,MD5(1))# +')) or benchmark(10000000,MD5(1))# +1 and 1=1 +1' and 1=(select count(*) from admin_user); -- +1 or 1=1 +1' or '1'='1 +1'or'1'='1 +fake@ema'or'il.nl'='il.nl +1 and user_name() = 'dbo' +'; desc admin_user; -- +1' and entity_id = '1 +' or username is not NULL or username = ' +1 and ascii(lower(substring((select top 1 name from admin_user where entity_id='u'), 1, 1))) > 116 +1 union all select 1,2,3,4,5,6,name from admin_user where entity_id=id = 'u' -- +1 uni/**/on select all from admin_user where +0 or 1=1 +1;(load_file(char(47,101,116,99,47,112,97,115,115,119,100))),1,1,1; +1 or 1=1 +1;SELECT%20* +1 waitfor delay '0:0:10'-- +'%20or%20''=' +'%20or%201=1 +')%20or%20('x'='x +'%20or%20'x'='x +%20or%20x=x +23 OR 1=1 +%27%20or%201=1 +%2A%28%7C%28mail%3D%2A%29%29 +%2A%28%7C%28objectclass%3D%2A%29%29 +'||'6 +admin' or ' +' and 1=( if((load_file(char(110,46,101,120,116))<>char(39,39)),1,0)); +' and 1 in (select entity_id from admin_user)-- +anything' OR 'x'='x +"a"" or 1=1--" +a' or 1=1-- +"a"" or 3=3--" +a' or 3=3-- +a' or 'a' = 'a +'%20OR%20' +a' waitfor delay '0:0:10'-- +'; 
begin declare @var varchar(8000) set @var=':' select @var=@var+'+login+'/'+password+' ' from users where login > +'||(elt(-3+5,bin(15),ord(10),hex(char(45)))) +' group by userid having 1=1-- +' having 1=1-- +hi or 1=1 --" +hi' or 1=1 -- +"hi"") or (""a""=""a" +hi or a=a +hi' or 'a'='a +hi') or ('a'='a +'hi' or 'x'='x'; +' or ''=' +1 or 0=0 # +' or 0=0 -- +' or 0=0 # +" or 0=0 -- +or 0=0 -- +' or 1 --' +' or 1/* +; or '1'='1' +' or '1'='1 +' or '1'='1'-- +' or 1=1 +' or 1=1 /* +' or 1=1-- +' or 1=1-- +'/**/or/**/1/**/=/**/1 +‘ or 1=1 -- +" or 1=1-- +or 1=1 +or 1=1-- + or 1=1 or ""= +' or 1=1 or ''=' +' or 1 in (select @@version)-- +or%201=1 +or%201=1 -- +' or 2 > 1 +' or 2 between 1 and 3 +' or 3=3 +‘ or 3=3 -- +' or '7659'='7659 +' or 'a'='a +') or ('a'='a +" or "a"="a + or isNULL(1/0) /* +" or isNULL(1/0) /* +' or 'something' like 'some%' +' or 'something' = 'some'+'thing' +' or 'text' = n'text' +' or 'text' > 't' +' or entity_id like '% +' or 'unusual' = 'unusual' +' or entity_id like char(37); +' or 'whatever' in ('whatever') +' select * from admin_user-- +' select entity_id from admin_user where id = (select id from admin_user where entity_id = 'some')-- +' union select 1,load_file('/etc/passwd'),1,1,1; +) union select * from information_schema.tables; +' union select * from users where login = char(114,111,111,116); +x' AND 1=(SELECT COUNT(*) FROM admin_user); -- +x' AND entity_id IS NULL; -- +x' AND admin_user.entity_id IS NULL; -- +x' AND entity_id IS NULL; -- +x' or 1=1 or 'x'='y +x' OR entity_id LIKE '%Bob% +ý or 1=1 -- +__EOF__ +); - "1;DROP TABLE `admin_user`", - "10;DROP table admin_user --", - "x' AND email IS NULL; --", - "x' AND 1=(SELECT COUNT(*) FROM admin_user); --", - "x' AND members.email IS NULL; --", - "x'; INSERT INTO admin_user ('email','passwd','login_id','full_name')VALUES ('steve@unixwiz.net','hello','steve','Steve Friedl');--", - "x'; UPDATE admin_user SET email = 'me@somewhere.com' WHERE email = 'bob@example.com", - "23 OR 1=1", - "'; 
DROP TABLE admin_user; --", - "111 /*This is my comment...*/UN/*Can You*/IO/*Find It*/N/**/ S/**/E/**/LE/*Another comment to*/CT/*Find. Can you dig*//*it*/*", - "71985 OR 1 = 1", - "71985 OR 1 =1", - "71985 OR 1=1", - "71985 OR 1= 1", - "71985 OR '1'= 1", - "71985 OR 1= '1'", - "71985 OR user_id=123", - "71985 OR user_id =123", - "71985 OR 'asd' = user_id", - "71985 OR user_id = user_id", - "71985 OR 'a' = 'a'; --", - "71985 OR 'a' = 'a';", + foreach ($tests as $test) { + /** @var ScanResultInterface $scanResult */ + $scanResult = $detector->scanRequest(['POST' => [$fieldName => $test]]); + $this->assertGreaterThanOrEqual(DetectorInterface::SCORE_CRITICAL_MATCH, $scanResult->getScore(), "Failed to detect attack: " . $test); + } + } - '1 AND ISNULL(ASCII(SUBSTRING((SELECT TOP 1 name FROM sysObjects WHERE xtYpe=0x55 AND name NOT IN(SELECT TOP 0 name FROM sysObjects WHERE xtYpe=0x55)),1,1)),0)>78-- ', - '; SELECT(xxxx) ', - ";DECLARE @S CHAR(4000);SET @S=CAST(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 AS CHAR(4000));EXEC(@S);", - '; SELECT LOAD_FILE(0x633A5C626F6F742E696E69)', - 'SELECT CONCAT(CHAR(75),CHAR(76),CHAR(77))', - 'SELECT CHAR(75)+CHAR(76)+CHAR(77)', - 'SELECT login || \'-\' || password FROM members', - 'DROP/*comment*/sampletable', - ';DR/**/OP/*bypass blacklisting*/sampletable', - ';DR/**/OP/*bypass blacklisting*/ sampletable', + public function testXssInjections() + { + $detector = \Magento\TestFramework\Helper\Bootstrap::getObjectManager() + ->create('MSP\Shield\Model\Ips'); - '1;SELECT/*avoid-spaces*/password/**/FROM/**/Members ', - 'SELECT /*!32302 1/0, */ 1 FROM admin_user', - "' UNION SELECT 1, 'anotheruser', 'doesnt matter', 1--", - "1234 ' AND 1=0 UNION ALL SELECT 'admin', '81dc9bdb52d04dc20036dbd8313ed055", - "-1 UNION ALL SELECT null, null, NULL, NULL, convert(image,1), null, null,NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULl, NULL-- ", - "11223344) UNION SELECT NULL,NULL,NULL,NULL WHERE 1=2 –- ", - "11223344) UNION SELECT 
1,’2’,NULL,NULL WHERE 1=2 –- ", - ",0 UNION ALL SELECT 1,'x'/*,10 ;", - "';shutdown --", - "(SELECT id FROM admin_user WHERE name = 'tablenameforcolumnnames')", - "BENCHMARK(howmanytimes, do this)", - "BENCHMARK (howmanytimes, do this)", - "1 union select benchmark(500000,sha1 (0x414141)),1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1", - "my@email.com' ORDER BY 19-- mmbG" - ]; + $fieldName = 'somefield'; + $tests = explode("\n", <<< __EOF__ + +' onmouseover=alert(/Black.Spook/) +";eval(unescape(location))//# %0Aalert(0) +"> +"> +"> +'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Eshadowlabs(0x000045)%3C/script%3E +%27%22--%3E%3C%2Fstyle%3E%3C%2Fscript%3E%3Cscript%3ERWAR%280x00010E%29%3C%2Fscript%3E +%3Cscript%3Exhr=new%20ActiveXObject%28%22Msxml2.XMLHTTP%22%29;xhr.open%28%22GET%22,%22/xssme2%22,true%29;xhr.onreadystatechange=function%28%29{if%28xhr.readyState==4%26%26xhr.status==200%29{alert%28xhr.responseText.match%28/%27%28[^%27]%2b%29/%29[1]%29}};xhr.send%28%29;%3C/script%3E +alert(1) +&alert&A7&(1)&R&UA;&&<&A9&11/script&X&> +<IMG """>"> +<img src=x:x onerror=alert(1)> +<IMG SRC=&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40; +<SCRIPT SRC=//xss.rocks/.j> +'); alert('XSS +\";alert('XSS');// +<% +<%73%63%72%69%70%74> %64 = %64%6f%63%75%6d%65%6e%74%2e%63%72%65%61%74%65%45%6c%65%6d%65%6e%74(%22%64%69%76%22); %64%2e%61%70%70%65%6e%64%43%68%69%6c%64(%64%6f%63%75%6d%65%6e%74%2e%68%65%61%64%2e%63%6c%6f%6e%65%4e%6f%64%65(%74%72%75%65)); %61%6c%65%72%74(%64%2e%69%6e%6e%65%72%48%54%4d%4c%2e%6d%61%74%63%68(%22%63%6f%6f%6b%69%65 = '(%2e%2a%3f)'%22)[%31]); +<--` --!> +<~/XSS/*-*/STYLE=xss:e/**/xpression(alert('XSS'))> +<alert("XSS");//< +Click Me +ClickMe +X? +
DIV
+
style="x:"> +? + ? +