Linux-Server-Management-Toolkit/lib/attack-patterns.sh

#!/bin/bash

################################################################################
# Attack Pattern Detection Library
################################################################################
# Purpose: Shared attack vector detection for bot-analyzer and live-monitor
# Features: SQL injection, XSS, Path traversal, RCE, Info disclosure, Bruteforce
################################################################################

# SQL Injection Detection
# Returns: 0 (true) if SQL injection detected, 1 (false) if not
detect_sql_injection() {
    local url="$1"
    local url_lower=$(echo "$url" | tr '[:upper:]' '[:lower:]')

    # Enhanced SQL injection patterns
    if [[ "$url_lower" =~ (union.*select|concat\(|benchmark\(|sleep\(|waitfor|cast\(|exec\() ]] ||
       [[ "$url_lower" =~ (information_schema|drop table|insert into|update.*set|delete from) ]] ||
       [[ "$url_lower" =~ (%27|0x[0-9a-f]+|hex\(|unhex\(|load_file\() ]]; then
        return 0
    fi

    return 1
}

# XSS (Cross-Site Scripting) Detection
detect_xss() {
    local url="$1"
    local url_lower=$(echo "$url" | tr '[:upper:]' '[:lower:]')

    if [[ "$url_lower" =~ (<script|javascript:|onerror=|onload=|<iframe|eval\(|alert\() ]] ||
       [[ "$url_lower" =~ (document\.cookie|document\.write|\.innerhtml) ]]; then
        return 0
    fi

    return 1
}

# Path Traversal / LFI Detection
detect_path_traversal() {
    local url="$1"
    local url_lower=$(echo "$url" | tr '[:upper:]' '[:lower:]')

    if [[ "$url_lower" =~ (\.\.\/|\.\.\\|etc\/passwd|etc\/shadow|boot\.ini|win\.ini) ]] ||
       [[ "$url_lower" =~ (proc\/self|\/etc\/|c:\\|windows\/system32) ]]; then
        return 0
    fi

    return 1
}

# RCE (Remote Code Execution) / Shell Upload Detection
detect_rce() {
    local url="$1"
    local method="${2:-GET}"
    local url_lower=$(echo "$url" | tr '[:upper:]' '[:lower:]')

    # Command execution patterns
    if [[ "$url_lower" =~ (cmd\.exe|\/bin\/bash|\/bin\/sh|phpinfo\(|system\(|exec\(|passthru\(|shell_exec\(|popen\() ]] ||
       [[ "$url_lower" =~ (proc_open|pcntl_exec|eval\(|assert\(|base64_decode\(|gzinflate\() ]]; then
        return 0
    fi

    # Shell/backdoor files (common webshell names)
    if [[ "$url_lower" =~ (shell\.php|c99\.php|r57\.php|backdoor|webshell|wso\.php|b374k) ]] ||
       [[ "$url_lower" =~ (shell_exec|1337|defac|index\.php\?|cmd|evil) ]]; then
        return 0
    fi

    # Suspicious POST to script files
    if [[ "$url_lower" =~ \.(php|jsp|asp|aspx)$ ]] && [[ "$method" == "POST" ]]; then
        return 0
    fi

    # PHP shell probing - random .php files (common scanner behavior)
    # Detect short/random PHP filenames that are typical webshell probes
    if [[ "$url_lower" =~ ^/[a-z0-9]{1,15}\.php$ ]] && [[ "$method" == "GET" ]]; then
        # Whitelist common legitimate PHP files
        if [[ ! "$url_lower" =~ (index\.php|wp-login\.php|xmlrpc\.php|admin\.php|contact\.php|search\.php) ]]; then
            return 0
        fi
    fi

    return 1
}

# Info Disclosure Detection
detect_info_disclosure() {
    local url="$1"
    local url_lower=$(echo "$url" | tr '[:upper:]' '[:lower:]')

    if [[ "$url_lower" =~ (phpinfo|server-status|server-info|\.git\/|\.env|\.htaccess) ]] ||
       [[ "$url_lower" =~ (\.sql|\.dump|backup\.zip|database\.sql|wp-config\.php\.bak) ]] ||
       [[ "$url_lower" =~ (\.log$|error_log|debug\.log|access\.log) ]]; then
        return 0
    fi

    return 1
}

# Login Bruteforce Detection (URL-based)
detect_login_bruteforce_url() {
    local url="$1"
    local url_lower=$(echo "$url" | tr '[:upper:]' '[:lower:]')

    if [[ "$url_lower" =~ (wp-login\.php|wp-admin|xmlrpc\.php) ]] ||
       [[ "$url_lower" =~ (\/admin|\/login|\/signin|\/auth) ]]; then
        return 0
    fi

    return 1
}

# Admin Path Probing Detection
detect_admin_probe() {
    local url="$1"
    local url_lower=$(echo "$url" | tr '[:upper:]' '[:lower:]')

    if [[ "$url_lower" =~ (\/admin|\/administrator|\/wp-admin|\/phpmyadmin) ]] ||
       [[ "$url_lower" =~ (\/manager|\/controlpanel|\/cpanel|\/webmin) ]] ||
       [[ "$url_lower" =~ (wp-content\/uploads.*\.php|wp-includes.*\.php|wp-admin\/includes) ]]; then
        return 0
    fi

    return 1
}

# Detect all attack vectors for a URL
# Returns: attack_type1,attack_type2,... or empty if none
detect_all_attacks() {
    local url="$1"
    local method="${2:-GET}"
    local attacks=()

    detect_sql_injection "$url" && attacks+=("SQL_INJECTION")
    detect_xss "$url" && attacks+=("XSS")
    detect_path_traversal "$url" && attacks+=("PATH_TRAVERSAL")
    detect_rce "$url" "$method" && attacks+=("RCE")
    detect_info_disclosure "$url" && attacks+=("INFO_DISCLOSURE")
    detect_login_bruteforce_url "$url" && attacks+=("BRUTEFORCE")
    detect_admin_probe "$url" && attacks+=("ADMIN_PROBE")

    if [ ${#attacks[@]} -gt 0 ]; then
        IFS=','; echo "${attacks[*]}"
    else
        echo ""
    fi
}

# Calculate threat score based on attack types
# Returns: score (0-100)
calculate_attack_score() {
    local attacks="$1"

    local score=0

    # Use word boundaries to avoid false matches (e.g., RCE in BRUTEFORCE)
    [[ "$attacks" =~ (^|,)SQL_INJECTION(,|$) ]] && score=$((score + 15))
    [[ "$attacks" =~ (^|,)XSS(,|$) ]] && score=$((score + 12))
    [[ "$attacks" =~ (^|,)PATH_TRAVERSAL(,|$) ]] && score=$((score + 15))
    [[ "$attacks" =~ (^|,)RCE(,|$) ]] && score=$((score + 20))
    [[ "$attacks" =~ (^|,)INFO_DISCLOSURE(,|$) ]] && score=$((score + 8))
    [[ "$attacks" =~ (^|,)BRUTEFORCE(,|$) ]] && score=$((score + 10))
    [[ "$attacks" =~ (^|,)ADMIN_PROBE(,|$) ]] && score=$((score + 5))

    echo "$score"
}

# Get attack icon for display
get_attack_icon() {
    local attack_type="$1"

    case "$attack_type" in
        SQL_INJECTION) echo "💉" ;;
        XSS) echo "⚠️ " ;;
        PATH_TRAVERSAL) echo "📁" ;;
        RCE) echo "☠️ " ;;
        INFO_DISCLOSURE) echo "🔓" ;;
        BRUTEFORCE) echo "🔐" ;;
        ADMIN_PROBE) echo "🔍" ;;
        DDOS) echo "💥" ;;
        BOT) echo "🤖" ;;
        SCANNER) echo "🔎" ;;
        *) echo "❓" ;;
    esac
}

# Get attack color for display
get_attack_color() {
    local attack_type="$1"

    case "$attack_type" in
        SQL_INJECTION|RCE) echo '\033[1;41;97m' ;;  # White on Red (CRITICAL)
        XSS|PATH_TRAVERSAL|BRUTEFORCE) echo '\033[1;31m' ;;  # Bold Red (HIGH)
        INFO_DISCLOSURE|ADMIN_PROBE) echo '\033[1;33m' ;;  # Bold Yellow (MEDIUM)
        *) echo '\033[0;36m' ;;  # Cyan (LOW)
    esac
}

export -f detect_sql_injection
export -f detect_xss
export -f detect_path_traversal
export -f detect_rce
export -f detect_info_disclosure
export -f detect_login_bruteforce_url
export -f detect_admin_probe
export -f detect_all_attacks
export -f calculate_attack_score
export -f get_attack_icon
export -f get_attack_color