    /**
     * Heuristic SQL-injection probe for a single request value.
     *
     * The value is substituted into a fixed table of SQL templates; each
     * template is paired with the number of tokens the lexer yields when
     * the placeholder is a single token (e.g. `SELECT * FROM t WHERE i = %s`
     * is 8 tokens). The substitution is done with sprintf, with the value as
     * the *argument* rather than the format string, so `%` sequences in the
     * payload are inert. Every template is tried once with no lexer flags
     * and once with MySQL portable-comment tokenisation enabled.
     *
     * A template counts as a hit when the payload pushes the token count
     * past the baseline AND the parser's evaluate() accepts the result, OR
     * when the lexer reports multiple portable-comment versions (presumably
     * MySQL `/*!NNNNN ... *\/` conditional comments — confirm in the lexer).
     *
     * Parser syntax errors are deliberately swallowed: a template the
     * payload cannot be parsed into is simply not a hit for that template,
     * and the next one is tried. Any other exception propagates.
     *
     * The lexer/parser instance and the template table live in
     * function-level statics and are reused across calls; flags and subject
     * are reset before each evaluation, so nothing carries over between
     * templates beyond whatever state the parser itself keeps (opaque here).
     *
     * This is a detector, not a sanitizer: a false result does not make the
     * value safe to interpolate into SQL. The PHPDoc type is string; a
     * non-string value would be coerced by sprintf — callers are assumed to
     * honour the contract.
     *
     * @param string $param Raw request value to examine.
     * @return bool True as soon as any template/flag combination looks like an injection, false otherwise.
     */
    public static function testForSQLi($param)
    {
        static $instance;
        static $tests;

        if (!$instance) {
            $instance = new self(new wfWAFSQLiLexer());
        }

        if (!$tests) {
            // Each entry: SQL template carrying a %s placeholder, and the
            // token count the lexer produces for that template when the
            // placeholder is a single token.
            $tests = array(
                array('%s', 1),
                array('SELECT * FROM t WHERE i = %s ', 8),
                array("SELECT * FROM t WHERE i = '%s' ", 8),
                array('SELECT * FROM t WHERE i = "%s" ', 8),
                array('SELECT * FROM t WHERE i = (%s) ', 10),
                array("SELECT * FROM t WHERE i = ('%s') ", 10),
                array('SELECT * FROM t WHERE i = ("%s") ', 10),
                array('SELECT * FROM t WHERE i = ((%s)) ', 12),
                array("SELECT * FROM t WHERE i = (('%s')) ", 12),
                array('SELECT * FROM t WHERE i = (("%s")) ', 12),
                array('SELECT * FROM t WHERE i = (((%s))) ', 14),
                array("SELECT * FROM t WHERE i = ((('%s'))) ", 14),
                array('SELECT * FROM t WHERE i = ((("%s"))) ', 14),
                // These three carry a literal newline so a payload that
                // relies on line-based comment termination is exercised.
                array("SELECT * FROM t WHERE i = %s and j = (1\n) ", 14),
                array("SELECT * FROM t WHERE i = '%s' and j = (1\n) ", 14),
                array("SELECT * FROM t WHERE i = \"%s\" and j = (1\n) ", 14),
                array('SELECT MATCH(t) AGAINST (%s) from t ', 11),
                array("SELECT MATCH(t) AGAINST ('%s') from t ", 11),
                array('SELECT MATCH(t) AGAINST ("%s") from t ', 11),
                array('SELECT * FROM (select %s) ', 7),
                array("SELECT * FROM (select '%s') ", 7),
                array('SELECT * FROM (select "%s") ', 7),
                array('SELECT * FROM (select (%s)) ', 9),
                array("SELECT * FROM (select ('%s')) ", 9),
                array('SELECT * FROM (select ("%s")) ', 9),
                array('SELECT * FROM (select ((%s))) ', 11),
                array("SELECT * FROM (select (('%s'))) ", 11),
                array('SELECT * FROM (select (("%s"))) ', 11),
                array('SELECT * FROM %s ', 4),
                array('INSERT INTO t (col) VALUES (%s) ', 10),
                array("INSERT INTO t (col) VALUES ('%s') ", 10),
                array('INSERT INTO t (col) VALUES ("%s") ', 10),
                array('UPDATE t1 SET col1 = %s ', 6),
                array("UPDATE t1 SET col1 = '%s' ", 6),
            );
        }

        // Plain tokenisation first, then with MySQL portable comments tokenised.
        $flagSets = array(0, wfWAFSQLiLexer::FLAG_TOKENIZE_MYSQL_PORTABLE_COMMENTS);

        foreach ($flagSets as $flagSet) {
            foreach ($tests as $entry) {
                $template = $entry[0];
                $baselineTokens = $entry[1];

                try {
                    $instance->setFlags($flagSet);
                    // $param is the sprintf argument, never the format, so a
                    // payload containing '%' cannot alter the template.
                    $instance->setSubject(sprintf($template, $param));

                    // Short-circuit order is the same as the original
                    // compound expression: token check, then evaluate(),
                    // then the portable-comment check only if those fail.
                    $extraTokensAccepted = $instance->hasMoreThanNumTokens($baselineTokens)
                        && $instance->evaluate();

                    if ($extraTokensAccepted || $instance->hasMultiplePortableCommentVersions()) {
                        return true;
                    }
                } catch (wfWAFParserSyntaxError $e) {
                    // Unparseable under this template: not a hit, keep probing.
                }
            }
        }

        return false;
    }