Currently, the character * is treated as an operator. But if * follows the keyword 'select', it should be treated as a bareword.
For example, the SQLI "1 or select * from table" has the fingerprint '1&Eok', which is not in the SQLI blacklist. That is not good.
If '*' is treated as a bareword in this case, its fingerprint is '1&Enk', which is SQLI.
I made a temporary patch in parse_operator2 to return a bareword when the previous token is an Expression. Not sure if that would be the right fix, but it works pretty well for my problem. Please suggest.
static size_t parse_operator2(struct libinjection_sqli_state * sf)
{
    ...
    /*
     * Special processing for the case when '*' follows a 'select'
     * (TYPE_EXPRESSION) token: emit it as a bareword instead of an operator.
     */
#if 1
    if (cs[pos] == '*' && sf->stats_tokens >= 1) {
        /* assumes sf->current points one past the previously emitted token */
        struct libinjection_sqli_token *prevToken = sf->current - 1;
        if (prevToken->type == TYPE_EXPRESSION) {
            /* such as 'select *', then treat '*' as a word */
            ch = (char)TYPE_BAREWORD;
            st_assign(sf->current, ch, pos, 1, cs + pos);
            return pos + 1;
        }
    }
#endif
}
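A toy re-implementation of the tokenize-then-fingerprint step, added here as an example and not libinjection's code, to show the effect of the proposed rule. It reuses libinjection's fingerprint letters ('1' number, '&' logical operator, 'E' expression such as select, 'o' operator, 'k' keyword, 'n' bareword) and the five-token fingerprint cap, but its tokenizer, keyword table and blacklist are deliberately tiny and constructed for this example: the blacklist holds only the '1&Enk' fingerprint from the post, and the names toy_fingerprint, toy_is_sqli, toy_query_is_sqli, toy_fingerprint_is and the star_after_expr_is_word flag are all invented here. The flag switches the rule on and off; the multiplication case "1 or 2*3" checks that '*' stays an operator when it does not follow select.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define FP_MAX 5                 /* libinjection fingerprints hold at most 5 token chars */
#define OPERATOR_CHARS "*+-/=<>" /* single-character operators recognised by this toy */

/* Token type letters borrowed from libinjection's fingerprint alphabet. */
enum {
    T_NUMBER = '1', T_LOGIC = '&', T_EXPR = 'E',
    T_OPERATOR = 'o', T_KEYWORD = 'k', T_BAREWORD = 'n'
};

/* Case-insensitive compare of a non-terminated token against a lowercase word. */
static int word_eq(const char *s, size_t n, const char *w)
{
    size_t i;
    if (strlen(w) != n) return 0;
    for (i = 0; i < n; i++)
        if (tolower((unsigned char)s[i]) != w[i]) return 0;
    return 1;
}

/* Classify one token. prev is the previous token's type letter, or 0 at start. */
static char classify(const char *s, size_t n, char prev, int star_after_expr_is_word)
{
    size_t i;
    int all_digits = 1;
    for (i = 0; i < n; i++)
        if (!isdigit((unsigned char)s[i])) { all_digits = 0; break; }
    if (all_digits) return T_NUMBER;
    if (word_eq(s, n, "or") || word_eq(s, n, "and")) return T_LOGIC;
    if (word_eq(s, n, "select")) return T_EXPR;
    if (word_eq(s, n, "from") || word_eq(s, n, "where")) return T_KEYWORD;
    if (n == 1 && strchr(OPERATOR_CHARS, s[0])) {
        /* The proposed rule: '*' directly after an expression token is a word. */
        if (s[0] == '*' && star_after_expr_is_word && prev == T_EXPR)
            return T_BAREWORD;
        return T_OPERATOR;
    }
    return T_BAREWORD;
}

/* Tokenize input and write its fingerprint (<= FP_MAX chars) into out; returns out.
 * Tokens are runs of [A-Za-z0-9_], or one operator character, or one unknown byte. */
char *toy_fingerprint(const char *input, int star_after_expr_is_word, char *out)
{
    size_t len = 0, i = 0, n = strlen(input);
    char prev = 0;
    while (i < n && len < FP_MAX) {
        size_t start;
        if (isspace((unsigned char)input[i])) { i++; continue; }
        start = i;
        if (strchr(OPERATOR_CHARS, input[i])) {
            i++;                                  /* single-character operator */
        } else {
            while (i < n && (isalnum((unsigned char)input[i]) || input[i] == '_')) i++;
            if (i == start) i++;                  /* unknown byte: consume it so we progress */
        }
        prev = classify(input + start, i - start, prev, star_after_expr_is_word);
        out[len++] = prev;
    }
    out[len] = '\0';
    return out;
}

/* Constructed mini-blacklist for this example, not libinjection's fingerprints.txt. */
static const char *const TOY_BLACKLIST[] = { "1&Enk" };

int toy_is_sqli(const char *fp)
{
    size_t i;
    for (i = 0; i < sizeof TOY_BLACKLIST / sizeof TOY_BLACKLIST[0]; i++)
        if (strcmp(fp, TOY_BLACKLIST[i]) == 0) return 1;
    return 0;
}

/* Fingerprint then check, so callers do not have to manage the buffer. */
int toy_query_is_sqli(const char *input, int star_after_expr_is_word)
{
    char fp[FP_MAX + 1];
    return toy_is_sqli(toy_fingerprint(input, star_after_expr_is_word, fp));
}

/* True when the input's fingerprint equals expected under the given rule setting. */
int toy_fingerprint_is(const char *input, int star_after_expr_is_word, const char *expected)
{
    char fp[FP_MAX + 1];
    return strcmp(toy_fingerprint(input, star_after_expr_is_word, fp), expected) == 0;
}

int main(void)
{
    char fp[FP_MAX + 1];
    const char *q = "1 or select * from table";
    toy_fingerprint(q, 0, fp);
    printf("%-26s rule off -> %s  sqli=%d\n", q, fp, toy_is_sqli(fp));
    toy_fingerprint(q, 1, fp);
    printf("%-26s rule on  -> %s  sqli=%d\n", q, fp, toy_is_sqli(fp));
    q = "1 or 2*3";
    toy_fingerprint(q, 1, fp);
    printf("%-26s rule on  -> %s  ('*' still an operator)\n", q, fp);
    return 0;
}
```

With the rule off the query fingerprints as 1&Eok and misses the list; with it on, the same query fingerprints as 1&Enk and is caught, while "1 or 2*3" still yields 1&1o1 because the '*' follows a number, not an expression token. The same previous-token check is what the posted patch relies on, so whatever the final fix looks like, a test along these lines for both the select case and the arithmetic case is worth keeping.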