From ba942746000bf95f3b7dd8b2d98b126a1a4fa393 Mon Sep 17 00:00:00 2001
From: abdurahman-ctis
Date: Sat, 30 Nov 2019 16:37:19 +0300
Subject: [PATCH] Basic query checker

---
 .gitignore | 3 +-
 app.py | 83 +++++++++++++++++++++++++++++
 ids-hackathor-636a3e9f4e4c.json | 12 +++++
 payloads.json | 93 +++++++++++++++++++++++++++++++++
 4 files changed, 190 insertions(+), 1 deletion(-)
 create mode 100644 app.py
 create mode 100644 ids-hackathor-636a3e9f4e4c.json
 create mode 100644 payloads.json

diff --git a/.gitignore b/.gitignore
index 1810cfd..bc82ae3 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,3 @@
 env/
-.idea/
\ No newline at end of file
+.idea/
+__pycache__/
\ No newline at end of file
diff --git a/app.py b/app.py
new file mode 100644
index 0000000..ad1b53c
--- /dev/null
+++ b/app.py
@@ -0,0 +1,83 @@
+import json
+from time import time
+from urllib.parse import urlparse
+
+import firebase_admin
+from firebase_admin import credentials
+from firebase_admin import db
+from flask import Flask, request
+from flask_restful import Resource, Api
+from flask_socketio import SocketIO
+
+cred = credentials.Certificate('ids-hackathor-636a3e9f4e4c.json')
+firebase_admin.initialize_app(cred, {
+    'databaseURL': 'https://ids-hackathor.firebaseio.com/'
+})
+ref = db.reference('')
+
+with open('payloads.json', encoding="utf8") as f:
+    loaded = json.load(f)
+    XSS = loaded['XSS']
+    TRAVERS = loaded['TRAVERS']
+
+app = Flask(__name__)
+api = Api(app)
+app.config['SECRET_KEY'] = 'secret!'
+socketio = SocketIO(app)
+DOMAIN = "bilkent.com"
+
+
+def send_ref(ip, param, val, type):
+    ref.push({
+        "ip": ip,
+        "type": type,
+        "query_key": param,
+        "query_val": val,
+        "timestamp": time()
+    })
+
+
+def not_same_domain(url):
+    url = urlparse(url).netloc
+    index = url.find("@")
+    if index != -1:
+        url = url[index + 1:]
+    return url != DOMAIN
+
+
+class AnalyzeQuery(Resource):
+    def get(self):
+        return db.reference('').get()
+
+    def post(self):
+        params = request.get_json(force=True)
+        ip = request.remote_addr
+        for param, val in params.items():
+            # XSS
+            for pload in XSS:
+                if pload in val:
+                    send_ref(ip, param, val, 'xss')
+                    break
+            # SQLi
+            if "'" in val and ('and' in val.lower() or 'or' in val.lower()) or '--' in val:
+                send_ref(ip, param, val, 'sqli')
+            # CRLF
+            if '%0d' in val.lower() or '%0a' in val.lower():
+                send_ref(ip, param, val, 'csrf')
+            # OPEN Redirect
+            if len([i for i in ['url', 'redirect', 'next'] if i in param.lower()]) > 0 \
+                    and not_same_domain(val):
+                send_ref(ip, param, val, 'open_redirect')
+            # Path Traversal
+            for pload in TRAVERS:
+                if pload in val:
+                    send_ref(ip, param, val, 'path_traversal')
+                    break
+
+        return params
+
+
+api.add_resource(AnalyzeQuery, '/api/query')
+
+if __name__ == '__main__':
+    socketio.run(app)
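Review bot: The CRLF branch in `post()` records its event with the type string `'csrf'`, which contradicts the `# CRLF` comment and the other labels; it should read `send_ref(ip, param, val, 'crlf')` so the stored type matches what was detected. The loop also assumes every JSON value is a string: `pload in val` and `val.lower()` raise for numbers, lists or null, so one odd field aborts the whole request; a guard such as `if not isinstance(val, str): continue` at the top of the loop would keep analysis of the remaining fields alive. The `'and'`/`'or'` substring test in the SQLi branch matches ordinary words (`brand`, `color`), so expect many false positives; a word-boundary match would tighten it. Separately, `get()` returns the entire database root to any unauthenticated caller and `SECRET_KEY` is the literal `'secret!'`; both should sit behind authentication and come from configuration before this service is exposed.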
diff --git a/ids-hackathor-636a3e9f4e4c.json b/ids-hackathor-636a3e9f4e4c.json
new file mode 100644
index 0000000..3ef0290
--- /dev/null
+++ b/ids-hackathor-636a3e9f4e4c.json
@@ -0,0 +1,12 @@ +{ + "type": "service_account", + "project_id": "ids-hackathor", + "private_key_id": "636a3e9f4e4c784b20b6386626af59e828ffbd1b", + "private_key": "-----BEGIN PRIVATE KEY-----\nMIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCguN9j9FBhhif6\n/JUNN/idi3dC35jQiTt/4uU7S1fDm1IwbuKGgDlDeoPAS0ayN4JBHmflxgBJbMg0\neSsZJURRoRVNZM8E2wpiMsvfItBTEoYX7eAHMvG6qR6XXKWhV8tUi5VB/6fBUZPd\nPMOQMWTj00CZD7XNKzFcx+syYbDyO2QnsHgmKh32kq1Cl2zZGtQOpuxRLKLmYaXv\n2mKuzMz3bcVyCWnElUsrlpI8tgNd7UcGMV2ciwC7tQ76EyiHpIicjuWPpctjNpGV\nijcm0o5IqCTV1J1AUU4NKn3p8tpkp6ucHxEU6wY+qIKgEYArPbOc0L4qV/2dx/Oh\ndyg5II3xAgMBAAECggEABnxXXwfGC51xW3tAXFnYt92fwl+jOzBI6dXJftPndrUI\nnMkIup+ngx3WF1cvHLRJPRP7SNlgrxXYJ85UJMEtSXPMGB6vWcIpRqh6miZ9piO+\nX6GH7Uc+XBQ38A87MgoIyKb5iIHtOz7UJ8G5OZMiTJN8jQCsvmeip9x7oc5ktW2l\nCaoULYwNRGU+nTlE+cWJ23KCKIQcpLvHABHrJUDHE4XWotA02F9iniNiELQNVdrR\n+sVnot5/rk3FLvEApU6VIrDGXzT15AOswg6nIiWCeEVqhUBIbVNLFHLti8xlVtXa\nZPQLSpxev1QZgFs0z67VDZwhGKetswLSzfzpGU7RHQKBgQDTVSn7TJNCF4Zoa7g/\ni8XcfRw+4thr591ZkV2MhZZb95OwqyD0qGAG9jbcJDWw6EQ+ZKQ5uMw/xN823EbW\nCLxrzX7EMujdzoTTuLdMZxUMocm/+RH5zgnlHlNtPkhCePmWvocako2HKsvn1Ohp\nvDc7KIFQ1vfVDY3Rc3fEyexO/QKBgQDCsUN29QxgZjoUBFNP1gfFkXourgLeYnl2\nlV73uVlpgJVuKUQ1L59/6Xa/yp1tBoZLQ3z707O+K9ol7qEWj8Qw6qjR9ugtnHEL\nMnw79W95nBO0+zt8FQt55dUJo/FNNnt6EskvkmdaxyxAw9KHMPfK0lBMMptP4R/z\n4SgtELn/BQKBgDadltjsJE57V/AajqZVkA/4gVk7NOVGKe1g5QVQ7Nfdttx8jWrN\nLOv/q5PfA8UxcZmSVuLYAGkmju1VpjTgUxmlJPK9mXLhUXCKF0z2gvkdws8LJnsh\npWsCGFtuMiyDqTUtDitu3oalJ8dFPb89tiRixnDG7YuxEgqkRbqk2J5dAoGAY3jG\nC2UwKaCRU+DR4BxuZBbr4iWt+Yk+ncO7fb4JXMoBjwMugi4Ow/+4WE1hGW8X9iRJ\nGzESyLsG/hJp42kYyBVco8oO3h7r8ticeNXxWqTPvMwPnFn0PxeaPQ6yHs0TUU9/\n0vpuLAdPKNfkHIZ8U/gYZpYEnE9dT/Fd4YiGPzECgYEAukgf0UxBKpswolBeLJtv\nfnTziH+z/08+GXWLW6ICGCvgos7ITkuK+Mdb6c8cdP+2ce4DWUDfGW5ZDQoueoxF\n0OZ6agC51nVItSZ7aKKx59Fc/M9gtux9+CNpeA9ICcG9LYL0V33L0IMQWgX9hKGd\nrxmwR+X1+0hCrbBaKJ7f2Rs=\n-----END PRIVATE KEY-----\n", + "client_email": "firebase-adminsdk-hvuk3@ids-hackathor.iam.gserviceaccount.com", + "client_id": 
"112181956225570280698",
+ "auth_uri": "https://accounts.google.com/o/oauth2/auth",
+ "token_uri": "https://oauth2.googleapis.com/token",
+ "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
+ "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/firebase-adminsdk-hvuk3%40ids-hackathor.iam.gserviceaccount.com"
+}
diff --git a/payloads.json b/payloads.json
new file mode 100644
index 0000000..6507093
--- /dev/null
+++ b/payloads.json
@@ -0,0 +1,93 @@
+{
+ "XSS": [
+ "<",
+ "%3C",
+ "<",
+ "<",
+ "<",
+ "<",
+ "<",
+ "<",
+ "<",
+ "<",
+ "<",
+ "<",
+ "<",
+ "<",
+ "<",
+ "<",
+ "<",
+ "<",
+ "<",
+ "<",
+ "<",
+ "<",
+ "<",
+ "<",
+ "<",
+ "<",
+ "<",
+ "<",
+ "<",
+ "<",
+ "<",
+ "<",
+ "<",
+ "<",
+ "<",
+ "<",
+ "<",
+ "<",
+ "<",
+ "<",
+ "<",
+ "<",
+ "<",
+ "<",
+ "<",
+ "<",
+ "<",
+ "<",
+ "<",
+ "<",
+ "<",
+ "<",
+ "<",
+ "<",
+ "<",
+ "<",
+ "<",
+ "<",
+ "<",
+ "<",
+ "<",
+ "<",
+ "<",
+ "<",
+ "<",
+ "<",
+ "\\x3c",
+ "\\x3C",
+ "\u003c",
+ "\u003C",
+ "(alert)(1)",
+ "a=alert,a(1)",
+ "[1].find(alert)",
+ "top[“al”+”ert”](1)",
+ "top[/al/.source+/ert/.source](1)",
+ "al\\u0065rt(1)",
+ "top[‘al\\145rt’](1)",
+ "top[‘al\\x65rt’](1)",
+ "top[8680439..toString(30)](1)"
+ ],
+ "TRAVERS": [
+ "../",
+ "..\\",
+ "..\\/",
+ "%2e%2e%2f",
+ "%252e%252e%252f",
+ "%c0%ae%c0%ae%c0%af",
+ "%uff0e%uff0e%u2215",
+ "%uff0e%uff0e%u2216"
+ ]
+}
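Review bot: A Google service-account credential, including its `private_key`, is checked in with this file, so it is now part of every clone and of git history. The key should be treated as exposed and rotated in the Cloud console, the file purged from history rather than merely deleted in a later commit, and `ids-hackathor-636a3e9f4e4c.json` added to `.gitignore` alongside the `__pycache__/` entry this patch introduces. `app.py` can then load the credential from outside the tree, e.g. `cred = credentials.ApplicationDefault()` with `GOOGLE_APPLICATION_CREDENTIALS` pointing at a file kept out of version control. Note that this hunk's `client_id` line is split across the chunk boundary above, so the header and first lines of the hunk are on the previous line of the page.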
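Review bot: The `XSS` list carries dozens of consecutive copies of the single entry `"<"` after `"%3C"`; unless these were distinct encodings flattened on export, they are redundant, because the matcher in `app.py` tests `pload in val` and breaks on the first hit, so the first `"<"` already covers all of them. Deduplicating the list (or loading it into a `set`) would make the intent clear and avoid repeated scans per field. Note also that a bare `"<"` entry flags any value containing a literal `<` as XSS, which is presumably the intended sensitivity; confirm that is acceptable for fields that legitimately carry markup.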