wafrift-grammar 0.2.2

Grammar-aware payload mutation engine — SQL, XSS, CMD, LDAP, SSRF, path traversal, SSTI.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78

//! String literal and whitespace mutation helpers.
use std::fmt::Write as _;
/// Split a string value into concatenated fragments.
pub(crate) fn split_string_concat(value: &str) -> Vec<String> {
    if value.len() < 2 {
        return vec![value.to_string()];
    }

    let mut results = Vec::new();
    for split_index in 1..value.len() {
        let left = &value[..split_index];
        let right = &value[split_index..];
        results.push(format!("'{left}'||'{right}'"));
        results.push(format!("CONCAT('{left}','{right}')"));
        results.push(format!("'{left}'+'{right}'"));
    }

    let limit = value.len().min(10);
    let my_sql_chars = value[..limit]
        .chars()
        .map(|character| format!("CHAR({})", character as u32))
        .collect::<Vec<_>>()
        .join("||");
    results.push(my_sql_chars);

    let pg_chars = value[..limit]
        .chars()
        .map(|character| format!("CHR({})", character as u32))
        .collect::<Vec<_>>()
        .join("||");
    results.push(pg_chars);

    let ms_sql_chars = value[..limit]
        .chars()
        .map(|character| format!("NCHAR({})", character as u32))
        .collect::<Vec<_>>()
        .join("+");
    results.push(ms_sql_chars);

    let mut hex = String::with_capacity(value.len() * 2);
    for byte in value.bytes() {
        let _ = write!(&mut hex, "{byte:02x}");
    }
    results.push(format!("0x{hex}"));
    results.push(format!("UNHEX('{hex}')"));

    if value.len() <= 8 {
        let decimal = value.bytes().fold(0_u64, |accumulator, byte| {
            accumulator.wrapping_mul(256).wrapping_add(u64::from(byte))
        });
        results.push(format!("CONV({decimal},10,36)"));
    }

    results
}

/// Encode a string as a `MySQL` hex literal.
pub(crate) fn hex_literal(value: &str) -> String {
    let mut hex = String::with_capacity(value.len() * 2);
    for byte in value.bytes() {
        let _ = write!(&mut hex, "{byte:02x}");
    }
    format!("0x{hex}")
}

/// Generate SQL without spaces by wrapping the `SELECT` clause.
pub(crate) fn no_space_wrap(payload: &str) -> Option<String> {
    let lower = payload.to_ascii_lowercase();
    if lower.contains(" select ") {
        return Some(
            payload
                .replace(" SELECT ", "(SELECT(")
                .replace(" select ", "(SELECT("),
        );
    }

    None
}