From 16e7cd800c5933ae247d5dd8dd9c376b79f557fd Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E5=88=98=E7=A5=A5=E8=B6=85?=
Date: Sun, 10 Dec 2023 16:52:54 +0800
Subject: [PATCH] =?UTF-8?q?WAF=20SQL=E6=B3=A8=E5=85=A5=E6=A3=80=E6=B5=8B?= =?UTF-8?q?=E5=92=8CXSS=E6=B3=A8=E5=85=A5=E6=A3=80=E6=B5=8B=E8=87=AA?= =?UTF-8?q?=E5=8A=A8=E8=BF=9B=E8=A1=8CURL=E8=A7=A3=E7=A0=81?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 internal/waf/injectionutils/utils_sqli.go | 5 +++++
 internal/waf/injectionutils/utils_sqli_test.go | 4 +++-
 internal/waf/injectionutils/utils_xss.go | 5 +++++
 internal/waf/injectionutils/utils_xss_test.go | 1 +
 4 files changed, 14 insertions(+), 1 deletion(-)

diff --git a/internal/waf/injectionutils/utils_sqli.go b/internal/waf/injectionutils/utils_sqli.go
index 7a44a5d..3b97797 100644
--- a/internal/waf/injectionutils/utils_sqli.go
+++ b/internal/waf/injectionutils/utils_sqli.go
@@ -69,6 +69,11 @@ func DetectSQLInjection(input string) bool {
 return detectSQLInjectionOne(args)
 }
 }
+ } else {
+ unescapedInput, err := url.QueryUnescape(input)
+ if err == nil && input != unescapedInput {
+ return detectSQLInjectionOne(unescapedInput)
+ }
 }
 
 return false
diff --git a/internal/waf/injectionutils/utils_sqli_test.go b/internal/waf/injectionutils/utils_sqli_test.go
index 6e22b20..08bab8c 100644
--- a/internal/waf/injectionutils/utils_sqli_test.go
+++ b/internal/waf/injectionutils/utils_sqli_test.go
@@ -16,6 +16,7 @@ import (
 func TestDetectSQLInjection(t *testing.T) {
 var a = assert.NewAssertion(t)
 a.IsTrue(injectionutils.DetectSQLInjection("' UNION SELECT * FROM myTable"))
+ a.IsTrue(injectionutils.DetectSQLInjection("id=1 ' UNION select * from a"))
 a.IsTrue(injectionutils.DetectSQLInjection("asdf asd ; -1' and 1=1 union/* foo */select load_file('/etc/passwd')--"))
 a.IsFalse(injectionutils.DetectSQLInjection("' UNION SELECT1 * FROM myTable"))
 a.IsFalse(injectionutils.DetectSQLInjection("1234"))
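Review bot: The decoded check in the new `else` branch is skipped entirely when `url.QueryUnescape` returns an error, so one malformed escape sequence anywhere in `input` (a literal `%` in an otherwise ordinary value, say) switches off decoded inspection for the whole string; the identical branch added to DetectXSS in utils_xss.go has the same gap. A WAF normaliser is usually lenient here, decoding the well-formed `%XX` pairs and leaving anything else in place instead of giving up on the input. The branch also decodes exactly once and inspects only that result, so a bounded loop that re-decodes while the string keeps changing (two or three rounds is the usual cap, here as a new package constant `maxDecodeRounds`) and inspects each form is the more robust shape; a sketch follows, still on `url.QueryUnescape` so the lenient decoder can be swapped in separately. DetectSQLInjection's body begins outside the hunk, so I am assuming the raw `input` was already passed to detectSQLInjectionOne earlier; if not, an input with no escapes now falls straight through to `return false`.
```go
	} else {
		// Re-decode while the string keeps changing, up to a small cap, and
		// inspect every decoded form. Decoding failure ends the loop; a lenient
		// decoder that leaves bad escapes in place would keep inspecting instead.
		decoded := input
		for round := 0; round < maxDecodeRounds; round++ {
			next, err := url.QueryUnescape(decoded)
			if err != nil || next == decoded {
				break
			}
			decoded = next
			if detectSQLInjectionOne(decoded) {
				return true
			}
		}
	}
	// … unchanged: return false …
```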
@@ -27,6 +28,7 @@ func TestDetectSQLInjection(t *testing.T) {
 a.IsTrue(injectionutils.DetectSQLInjection("/sql/injection?id=123 or 1=1"))
 a.IsTrue(injectionutils.DetectSQLInjection("/sql/injection?id=123%20or%201=1"))
 a.IsTrue(injectionutils.DetectSQLInjection("https://example.com/sql/injection?id=123%20or%201=1"))
+ a.IsTrue(injectionutils.DetectSQLInjection("id=123%20or%201=1"))
 a.IsTrue(injectionutils.DetectSQLInjection("https://example.com/' or 1=1"))
 }
 
@@ -98,7 +100,7 @@ func BenchmarkDetectSQLInjection_Normal_Large(b *testing.B) {
 
 b.RunParallel(func(pb *testing.PB) {
 for pb.Next() {
- _ = injectionutils.DetectSQLInjection("a/sql/injection?id=" + types.String(rands.Int64()%10000) + "&s=" + s)
+ _ = injectionutils.DetectSQLInjection("a/sql/injection?id=" + types.String(rands.Int64()%10000) + "&s=" + s + "&v=%20")
 }
 })
 }
diff --git a/internal/waf/injectionutils/utils_xss.go b/internal/waf/injectionutils/utils_xss.go
index 0808129..7a9c55c 100644
--- a/internal/waf/injectionutils/utils_xss.go
+++ b/internal/waf/injectionutils/utils_xss.go
@@ -68,6 +68,11 @@ func DetectXSS(input string) bool {
 return detectXSSOne(args)
 }
 }
+ } else {
+ unescapedInput, err := url.QueryUnescape(input)
+ if err == nil && input != unescapedInput {
+ return detectXSSOne(unescapedInput)
+ }
 }
 
 return false
diff --git a/internal/waf/injectionutils/utils_xss_test.go b/internal/waf/injectionutils/utils_xss_test.go
index 7abc1c7..4cab416 100644
--- a/internal/waf/injectionutils/utils_xss_test.go
+++ b/internal/waf/injectionutils/utils_xss_test.go
@@ -23,6 +23,7 @@ func TestDetectXSS(t *testing.T) {
 a.IsTrue(injectionutils.DetectXSS("onkeyup=a"))
 a.IsTrue(injectionutils.DetectXSS("
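Review bot: The new case `id=123%20or%201=1` pins only the clean single-decode path of the `else` branch added in utils_sqli.go; nothing here exercises the path where `url.QueryUnescape` fails or where decoding leaves the input unchanged, so a regression in either would go unnoticed. Add a case with an ordinary value that contains a literal `%` and one with an already-decoded `id=...` argument string, asserting the result the function is meant to return for each (what that is depends on the part of DetectSQLInjection outside the hunk, which I cannot see). TestDetectSQLInjection starts outside this hunk.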
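Review bot: The `else` branch added here is a verbatim copy of the one added to DetectSQLInjection in utils_sqli.go, differing only in the detector it calls, so the decode-and-compare step should live in one unexported helper in this package — for instance `func unescapedIfChanged(input string) (string, bool)` — with this call site reduced to `if s, ok := unescapedIfChanged(input); ok { return detectXSSOne(s) }`. That keeps the two detectors' normalisation from drifting apart, which matters because the error-path and single-pass weaknesses raised on the utils_sqli.go hunk apply equally here and would otherwise need fixing twice. DetectXSS's body begins outside the hunk.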