Added strip comments;Fix regex to match everything;Rework exploit sta…

…tement composition
doyensec · bandronic · May 17, 2023 · May 22, 2023 · May 24, 2023 · Jul 25, 2023
commit f2aba622b3296d72ed3b3317659ec874732cb702
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -1,7 +1,7 @@
 # See https://pre-commit.com for more information
 # See https://pre-commit.com/hooks.html for more hooks
 default_language_version:
- python: python3.10
+ python: python3
 repos:
 - repo: https://github.com/pre-commit/pre-commit-hooks
  rev: v3.2.0

diff --git a/python/inql/attacker/request.py b/python/inql/attacker/request.py
@@ -30,6 +30,10 @@ class InitiateAttack(ActionListener):
  def __init__(self, editor):
  self.editor = editor
 
+ def stripComments(self, code):
+ code = str(code)
+ return re.sub(r'(?m)^ *#.*\n?', '', code)
+
  def generate_attack_request(self):
  info = helpers.analyzeRequest(self.editor.request)
  headers = info.getHeaders()
@@ -40,22 +44,25 @@ def generate_attack_request(self):
  parsed = parsed[0]
  query = parsed['query']
 
- prefix, suffix = "", ""
+ actionMatch = re.search('([^{]*?){(.+)}([^}]*?)', query, re.DOTALL)
+ action, query, tmp = actionMatch.groups()
+ query = self.stripComments(query)
+ prefix, suffix, exploit = "", "", ""
  while True:
  # FIXME: whitespace inbetween will break the regex!
 
  # look until first {
- match = re.match('([^{]*?){(.+)}([^}]*?)', query)
+ match = re.search('([^{]*?){(.+)}([^}]*?)', query, re.DOTALL)
  if not match:
  break
  pfx, query, sfx = match.groups()
 
  # look for a placeholder
  match = (
  # $[INT:first:last]
- re.match(r'(.*?)\$\[(INT):(\d+:\d+)\](.*)', pfx) or
+ re.search(r'(.*?)\$\[(INT):(\d+:\d+)\](.*)', pfx, re.DOTALL) or
  # $[FILE:path] and $[FILE:path:first:last]
- re.match(r'(.*?)\$\[(FILE):([^:]+(?::\d+:\d+)?)\](.*)', pfx)
+ re.search(r'(.*?)\$\[(FILE):([^:]+(?::\d+:\d+)?)\](.*)', pfx, re.DOTALL)
  )
  if not match:
  prefix = prefix + pfx + '{'
@@ -72,7 +79,7 @@ def generate_attack_request(self):
  # $[INT:first:last]
  start, end = args
  for n, item in enumerate(range(int(start), int(end)+1)):
- exploit += 'op%s: %s%s%s{%s}%s' % (n+1, lead, item, rest, query, sfx)
+ exploit +='op%s: %s%s%s%s{%s}%s\n' % (n+1, prefix, lead, item, rest, query, suffix)
  if verb == 'FILE':
  # $[FILE:path] and $[FILE:path:first:last]
  path = args[0]
@@ -84,10 +91,11 @@ def generate_attack_request(self):
  start, end = 1, len(items)
 
  for n, item in enumerate(items[start-1: end]):
- exploit += 'op%s: %s%s%s{%s}%s' % (n+1, lead, item, rest, query, sfx)
+ exploit +='op%s: %s%s%s%s{%s}%s\n' % (n+1, prefix, lead, item, rest, query, suffix)
 
  #build the query
- attack = prefix + exploit + suffix
+ # attack = prefix + exploit + suffix\
+ attack = action + "{\n" + exploit + "}"
 
  log.debug("attack query: %s" % attack)
  body = json.dumps({'query': attack})