288 lines
12 KiB
Markdown
Vendored
288 lines
12 KiB
Markdown
Vendored
# NEXT
|
|
|
|
* [#126](/client9/libinjection/issues/126) oracle false negative
|
|
* [#117](/client9/libinjection/issues/117) [#116](/client9/libinjection/issues/116) - overread in XSS
|
|
* [#112](/client9/libinjection/issues/112) fix shared library on macOS
|
|
* [#122](/client9/libinjection/issues/122) [#115](/client9/libinjection/issues/115) - false positive issue for XSS
|
|
* [#113](/client9/libinjection/issues/113) save space in struct
|
|
* [#126](/client9/libinjection/issues/126) add usage to sqli cli tool
|
|
* [#125](/client9/libinjection/issues/125) many false positives
|
|
* [#114](/client9/libinjection/issues/114) false negative with TSQL and "IF NOT" operation
|
|
|
|
# v3.9.2 - 2016-05-21
|
|
|
|
* Release of whatever changes have been made over the last 2.5 years.
|
|
|
|
# v3.9.1 - 2013-12-26
|
|
|
|
Day-After-Christmas Edition
|
|
|
|
* No functional changes
|
|
* Code reverted to strict C90 style to allow builds on embedded systems, Windows and FreeBSD
|
|
* For gcc this means `-std=c90 -pedantic`, which seems to simulate Windows behavior on Linux
|
|
* Other minor style changes to header files.
|
|
|
|
|
|
# v3.9.0 - 2013-11-29
|
|
|
|
Black Friday Edition
|
|
|
|
* Big API Change!! everything in `libinjection.h` is now `libinjection_sqli.h`. And a new super simple API is in `libinjection.h`
|
|
* Improvements to folder to prevent bypasses using SQL types (casts). This eliminated about 400 fingerprints as well.
|
|
* Blacklisted a very degenerate MySQL ODBC case, that is highly unlike to be used in 'real inputs'. thanks to @LightOS foreporting.. not clear who found it originally.
|
|
* Over 400 unit tests now!
|
|
* Compiles clean under clang with `-Weverything -Wno-padded` `-Wno-padded` is excluded since it's architecture dependant. See `clang.sh` to see how to invoke.
|
|
* PHP documentation fixes, thanks @LightOS
|
|
|
|
# v3.8.0 - 2013-10-18
|
|
|
|
LAMP Special Edition: MySQL and PHP improvements
|
|
|
|
* [Issue #33](https://github.com/client9/libinjection/issues/54) Fixes MySQL in latin1-mode use of `%A0` as whitespace. This was tricky since `%A0` might be part of larger UTF-8 encoding as well. Or perhaps `%C2%A0` (utf-8 encoding) might be treated as whitespace. Fortunately, MySQL only seems to treat `%A0` as whitespace in latin1 mode. HT [@ru_raz0r](https://twitter.com/ru_raz0r)
|
|
* Fixes to Lua testdriver and portability fixes
|
|
* Much improved PHP build and test. It now uses `phpize` and builds and tests like a real module.
|
|
* API CHANGE: the macro `LIBINJECTION_VERSION` has been replaced by `const char* libinjection_version()`. This allows us to increment the version number without having to regenerate SWIG (or other) bindings for minor releases.
|
|
|
|
NOTE:
|
|
Pregenerated [SWIG](http://www.swig.org/) bindings are removed. You'll need to install SWIG before running `make`. SWIG is packaged on virtually every OS so this should not be a problem.
|
|
|
|
Here's why:
|
|
|
|
* Latest versions of swig appear to generate poor quality bindings for LUA and Python. Bugs are filed upstream [1341](https://sourceforge.net/p/swig/bugs/1341/), [1343](https://sourceforge.net/p/swig/bugs/1343/), [1345](https://sourceforge.net/p/swig/bugs/1345/). These are fixed or will be fixed in swig 3.0.0.
|
|
* In addition, I've received a number of reports of generated code failing various static analysis
|
|
* I can't triangulate which SWIG for which language for which OS will work for you
|
|
* I may be switching to [libffi](http://cffi.readthedocs.org/) for python, and [luajit.ffi](http://luajit.org/ext_ffi.html) for lua(jit) in the future, anyways.
|
|
|
|
# v3.7.1 -- 2013-10-13
|
|
|
|
* Remove un-needed code
|
|
|
|
# v3.7.0 -- 2013-10-13
|
|
|
|
Major Release
|
|
|
|
* [Issue #54](https://github.com/client9/libinjection/issues/54): Add test vectors from [Arne Swinnen](http://www.arneswinnen.net/2013/09/automated-sql-injection-detection/). Thanks [qerub@github](https://github.com/qerub)
|
|
* Minor fingerprint update for [Issue #54](https://github.com/client9/libinjection/issues/54). I don't really think it's valid SQL but it's safe enough to detect without false positives.
|
|
* [Issue #55](https://github.com/client9/libinjection/issues/55): Parse MS SQLSERVER use of \[brackets\] for column and table names. This is a big one that closes a lot of holes. Thanks [nroggle@github](https://github.com/nroggel)
|
|
* [Issue #56](https://github.com/client9/libinjection/issues/56): fix buffer over-read. Thanks [safe3@github](https://github.com/Safe3) and [flily@github](https://github.com/flily)
|
|
* Remove use of `-fstack-protector` as it breaks valgrind detecting memory problems
|
|
Read more about it http://blog.client9.com/2013/10/12/gcc-valgrind-stackprotector.html
|
|
* Fixed folding issue where `1,-sin(1))` would be folded as `1 (1)`
|
|
* Add more test cases and improved test coverage to [98.8%](https://libinjection.client9.com/cicada/artifacts/libinjection-coverage-unittest/lcov-html/c/libinjection_sqli.c.gcov.html)
|
|
|
|
# v3.6.0 -- 2013-09-11
|
|
* New PHP API
|
|
* Big fingerprint update
|
|
** about 500 new fingerprints added based on fuzzing tests by Reto Ischi
|
|
** about 700 impossible, dead fingerprints removed
|
|
** adding folding rule for "sqltype sqltype -> sqltype" since
|
|
`select binary binary binary 1` is valid
|
|
* Other minor fingerprints added
|
|
* -maybe- API change as typedefs and structs were re-arranged for SWIG
|
|
|
|
# v3.5.3 -- 2013-08-25
|
|
* Fingerprint update -- `BETWEEN` operation bypasses
|
|
* Fingerprint update -- `ANY/SOME` quasi-function bypasses
|
|
* Fixed issue with folding where `1-(2-3)` would fold to "nothing" instead of `1`
|
|
* Improved test coverage to [98.0%](https://libinjection.client9.com/cicada/artifacts/libinjection-coverage-unittest/lcov-html/c/libinjection_sqli.c.gcov.html)
|
|
* More adjustments to the PHP/MYSQL backtick to reduce false positives
|
|
|
|
# v3.5.2 -- 2013-08-21
|
|
* Fingerprint update. Credit: Reto Ischi
|
|
|
|
# v3.5.1 -- 2013-08-21
|
|
* found regression in handling of PHP/MySQL backticks. Tests added
|
|
* Dead code removed.
|
|
* Improved test coverage to [97.7%](https://libinjection.client9.com/cicada/artifacts/libinjection-coverage-unittest/lcov-html/c/libinjection_sqli.c.gcov.html)
|
|
|
|
# v3.5.0 -- 2013-08-21
|
|
* Bug fix for libinjection_sqli_reset @brianrectanus
|
|
https://github.com/client9/libinjection/pull/50
|
|
* Non-critical parser fix for numbers with oracle's ending
|
|
suffix. "SELECT 1FROM .." -> (SELECT, 1, FROM) not
|
|
(SELECT, 1F, ROM)
|
|
* Yet another fix for disambiguating Oracle's "f" suffix for numbers HT @LightOS
|
|
* Better parsing of generated number forms of "10.e" and "10.10e"
|
|
(these are actually table specifiers!) HT @LightOS
|
|
* Change sizing of some static arrays to have a length >= 8
|
|
For GCC based applications, this allows -fstack-protector to work
|
|
and -Wstack-protector will now not emit errors.
|
|
* Added '-fstack-protector-all -D_FORTIFY_SOURCE=2' to default CFLAGS.
|
|
About 10% performance loss with -fstack-protector-all
|
|
* Improvements in reducing false positives, HT modsecurity team
|
|
* Add fingerprint, HT @FluxReiners
|
|
* Support for parsing of old ODBC-style typing, e.g. 'select {foo 1};' (valid in MySQL)
|
|
* Fix tokenization of "IF EXISTS(....", "IF NOT EXISTS(..."
|
|
* Fi possible stack over-read, and improve detection of "sp_password" flag
|
|
in short sqli HT modsecurity team
|
|
|
|
# v3.4.1 2013-07-18
|
|
* Fingerprint update only HT @LightOS
|
|
|
|
# v3.4.0 2013-07-18
|
|
|
|
* Fix regression with COLLATE
|
|
* Handle "procedure analyze" under MySQL
|
|
* Make API most robust when setting flags
|
|
* Add folding API
|
|
* Add new all-C test driver to improve testing speed
|
|
* Makefile cleanups
|
|
* Fired Jenkins! Using in-house system.
|
|
* Fixed bypass reported by @FluxReiners
|
|
|
|
# v3.3.0 2013-07-13
|
|
|
|
* change how backslash is handled to catch old MSSQL servers sqli
|
|
See http://websec.ca/kb/sql_injection#MSSQL_Allowed_Intermediary_Chars_AND-OR
|
|
for details
|
|
* Reworking of COLLATE to handle MySQL, TSQL types automatically
|
|
* Handle bizarro world TSQL '\%1' which is parsed as "0 % 1"
|
|
* Better stacked query detection, fixing some regressions
|
|
* Folding improvements
|
|
* False positive improvements
|
|
|
|
|
|
# v3.2.0 2013-07-12
|
|
|
|
* Parse binary litterals "0b010101" used by at least mysql and pgsql
|
|
* Add fingerprints '1&EUE', '1&EkU' to work around ambiguous parsing rules
|
|
"-1.for" == '-1.f OR' vs. '-1. FOR' CREDIT @LightOS
|
|
* Add parsing rules for COLLATION in MySQL, CREDIT @LightOS
|
|
* Reduce false positives by removing all fingerprints that contained "sn"
|
|
* Improvement in handling MySQL 'binary' quasi-operator/type
|
|
* Improvements in folding
|
|
* Removed dependency on SWIG for installing python module
|
|
|
|
# v3.1.0 2013-07-02
|
|
|
|
* Fix for parsing Oracle numeric literals
|
|
* Fix for oracle whitespace with null char.
|
|
* Add unusual SQL join types to keywords lists
|
|
* Minor fixes to python API examples
|
|
|
|
# v3.0.0 2013-06-23
|
|
|
|
Big Release and Big Engine change. Highly recommend
|
|
|
|
* Numerous evasions and false positives fixed!
|
|
* Tokenizer is now really dumb, and publically exposed. See `libinjection_sqli_tokenize`.
|
|
* Folding engine completely rewritten to be simpler and easier to extend, debug, port.
|
|
* MySQL `backticks` now handled correctly
|
|
* @"var" and @'var' parsed correctly (mysql)
|
|
* ":=" operator parsed correctly
|
|
* non-ascii SQL variables and barewords handled correctly
|
|
* less false positives and those that are false positives
|
|
are more "indeterminate cases" and are only in a few
|
|
fingerprints
|
|
* autogeneration of fingerprints with trivial SQL variations
|
|
* support for pgsql $ strings
|
|
* support for oracle's q and nq strings
|
|
* support for mysql's n strings
|
|
* parsing stats exposed
|
|
* new swig bindings for python and lua, with callbacks into original scripting
|
|
language for accept/reject of fingerprints (i.e. manage fingerprints in
|
|
script, not C code)
|
|
* Improved parsing of various special cases in MySQL
|
|
* Ban MySQL conditional comments. If we find them, it's marked as SQLi immediately.
|
|
* Probably a bunch of other stuff too
|
|
|
|
# v2.0.4 2013-05-21 IMPORTANT
|
|
|
|
All users are advised to upgrade due to risk of DOS
|
|
|
|
## security
|
|
* more fingerprints, more tests
|
|
* Issue 34: fix infinite loop
|
|
|
|
# v2.0.3 2013-05-21
|
|
|
|
## security
|
|
* Add variations on '1U(((', thanks @LightOS
|
|
* Add automatically all variations on other cases of
|
|
'parens padding'
|
|
|
|
# v2.0.2 2013-05-21
|
|
|
|
## security
|
|
* Added fingerprint 'nU(kn' and variations, thanks to
|
|
discussion with @ModSecurity .
|
|
|
|
# v2.0.1 2013-05-21
|
|
|
|
## security
|
|
* Added fingerprint knknk, thanks @d0znpp
|
|
|
|
# v2.0.0 2013-05-17
|
|
|
|
Version 2 is more a software engineering release than SQLi.
|
|
The API, the code, and filenames are improved for embedded
|
|
use. Please see the README.md file for details on use.
|
|
|
|
## security
|
|
|
|
* Fix Issue30: detection of more small sqli forms with fingerprint "1c".
|
|
* Fix Issue32: false positive of '*/*' of type 'oc' Thanks to @brianrectanus
|
|
|
|
## API Changes
|
|
|
|
BIG CHANGES
|
|
|
|
* File name changes. These are the only relevant files:
|
|
* `c/libinjection.h`
|
|
* `c/libinjection_sqli.c`
|
|
* `c/libinjection_sqli_data.h`
|
|
* `COPYING`
|
|
* Just need to include `libinjection.h` and link with `libinjection_sqli_.c`
|
|
* `sqlparse_private.h` and `sqli_fingerprints.h` are deprecated.
|
|
Only use `#include "libinjection.h"`
|
|
* API name changes `is_sqli` and `is_string_sqli` are now
|
|
`libinjection_is_sqli` and `libinjection_is_string_sqli`
|
|
* API change, `libinjection_is_sqli` now takes a 5th arg for callback data
|
|
* API change, `libinjection_is_sqli` accepts `NULL` for arg4 and arg5
|
|
in which case, a default lookup of fingerprints is used.
|
|
* `sqlmap_data.json` now includes fingerprint information, so people making
|
|
ports only need to parse one file.
|
|
|
|
## other
|
|
|
|
* Allow `clang` compiler (also in Jenkins, a build with clang and
|
|
make-scan is done)
|
|
* Optimizations should result in > 10% performance improvement
|
|
for normal workloads
|
|
* Add `sqlite3` special functions and keywords (since why not)
|
|
|
|
# v1.2.0 2013-05-06
|
|
|
|
## security
|
|
* fix regression in detecting SQLi of type '1c'
|
|
|
|
##
|
|
* improved documentation, comments, edits.
|
|
|
|
# v1.1.0 2013-05-04
|
|
|
|
## security
|
|
|
|
* Fix for nested c-style comments used by postgresql and transact-sql.
|
|
Thanks to @Kanatoko for the report.
|
|
* Numerous additions to SQL functions lists (in particular pgsql, transact-sql
|
|
and ms-access functions)
|
|
Thanks to Christoffer Sawicki (GitHub "qerub") for report on cut-n-paste error.
|
|
Thanks to @ryancbarnett for reminder that MS-ACCESS exists ;-)
|
|
* Adding of fingerprints to detect HPP attacks.
|
|
* Algorihmically added new fingerprints to detect new _future_ sqli attacks. All of these
|
|
new fingerprints have no been seen 'in the wild' yet.
|
|
|
|
## other
|
|
|
|
* Replaced BSD memmem with optimzed version. This eliminates all 3rd party code.
|
|
* Added alpha python module (python setup.py install)
|
|
* Added sqlparse_fingerprints.h and sqlparse_data.json to aid porting and embeddeding.
|
|
* Added version number in sqlparse.h, based on
|
|
http://www.python.org/dev/peps/pep-0386/#normalizedversion
|
|
|
|
# v1.0.0 2013-04-24
|
|
|
|
* retroactive initial release
|
|
* all memory issues fixed
|
|
|