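```
#include <boost/regex.hpp>

#include <cctype>
#include <cstring>
#include <exception>
#include <fstream>
#include <iostream>
#include <string>
#include <vector>

// Decode one hexadecimal digit character.
// Returns 0-15 for [0-9a-fA-F] and -1 for anything else.
int to_int(int c) {
    // Normalise to unsigned char first: the <cctype> classifiers are
    // undefined for negative values other than EOF, and a plain char holding
    // a byte >= 0x80 is negative on most targets.
    const unsigned char uc = static_cast<unsigned char>(c);
    if (!std::isxdigit(uc)) return -1;  // error: non-hexadecimal digit found
    if (std::isdigit(uc)) return uc - '0';
    return std::tolower(uc) - 'a' + 10;
}

// Decode the hex digit pairs in [first, last) into bytes written through
// `ascii`. Returns 0 on success, -1 if a non-hex character is met or the
// input has an odd number of digits. On failure `ascii` may already have
// received a partial result. Never reads past `last`.
template<class InputIterator, class OutputIterator>
int unhexlify(InputIterator first, InputIterator last, OutputIterator ascii) {
    while (first != last) {
        const int top = to_int(*first++);
        if (first == last) return -1;  // error: dangling single digit
        const int bot = to_int(*first++);
        if (top == -1 || bot == -1) return -1;  // error
        *ascii++ = (top << 4) + bot;
    }
    return 0;
}

// Usage: regex_validator 1C<hex>
//   <hex> is the hex encoding of the regex under test; the two-byte "1C"
//   prefix is skipped. The decoded regex is run with boost::regex_match over
//   the payload file. Any exception - including boost's own complexity/space
//   guard firing on an over-expensive pattern - is reported as a crash and
//   exits non-zero, so such a pattern is never reported as a match.
// Exit status: 0 when the test ran (matched or not); 1 on usage, payload I/O,
// hex-decode or regex error.
int main(int argc, char* argv[]) {
    if (argc < 2) {
        std::cerr << "usage: regex_validator 1C<hex-encoded regex>" << std::endl;
        return 1;
    }
    const char* arg = argv[1];
    const std::size_t arg_len = std::strlen(arg);
    // Need the 2-byte prefix plus an even number of hex digits; without this
    // check (arg_len - 2) / 2 would wrap for a short argument.
    if (arg_len < 2 || (arg_len - 2) % 2 != 0) {
        std::cerr << "usage: regex_validator 1C<hex-encoded regex>" << std::endl;
        return 1;
    }

    // Payload to match against. Read at most kMaxPayload bytes and keep only
    // the count actually read, so a short file does not leave uninitialised
    // bytes inside the matched range.
    constexpr std::size_t kMaxPayload = 4096 * 400;
    std::vector<char> data(kMaxPayload);
    std::ifstream payload("/home/nik/data", std::ios::in | std::ios::binary);
    if (!payload) {
        return 1;
    }
    payload.read(data.data(), static_cast<std::streamsize>(data.size()));
    const std::size_t size = static_cast<std::size_t>(payload.gcount());

    // Decode the pattern into a std::string: embedded NUL bytes survive, and
    // printing it cannot run past the end of the buffer.
    std::string expr((arg_len - 2) / 2, '\0');
    if (unhexlify(arg + 2, arg + arg_len, expr.begin()) != 0) {
        std::cerr << "bad hex in argument" << std::endl;
        return 1;
    }

    try {
        // Iterator-range constructor so a NUL inside the pattern is kept.
        const boost::regex regex(expr.data(), expr.data() + expr.size());
        std::cout << "Going to test: " << expr << std::endl;
        boost::cmatch what;
        if (boost::regex_match(data.data(), data.data() + size, what, regex)) {
            std::cout << "WTF IT MATCHED" << std::endl;
        } else {
            std::cout << "DID NOT MATCH" << std::endl;
        }
    } catch (const std::exception& e) {
        // boost::regex_error derives from std::runtime_error; what() names the
        // reason (bad pattern, or the complexity/space limit being hit).
        std::cerr << "Crashed :(" << std::endl;
        std::cerr << e.what() << std::endl;
        return 1;
    } catch (...) {
        std::cerr << "Crashed :(" << std::endl;
        return 1;
    }
    return 0;
}
``` Payload data: ``` GET /post?id=-1%20UNION%20SELECT%201%2C%22Benvenuto%20Hacker!%22%2C1%2C%22Hai%20scoperto%20una%20sql-injection%22%2C%22Qui%20sotto%20trovi%20la%20tua%20password%22%2C%20password%20FROM%20users%20WHERE%20username%20%3D%20%27admin%27 HTTP/1.1 Host: localhost:4600 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:101.0) Gecko/20100101 Firefox/101.0 Accept: 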
text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Connection: keep-alive Referer: http://localhost:4500/post?id=1 Upgrade-Insecure-Requests: 1 Sec-Fetch-Dest: document Sec-Fetch-Mode: navigate Sec-Fetch-Site: same-origin Sec-Fetch-User: ?1 ``` Output: ``` ./regex_validator 1C2e2a474554205c2f706f73742e2a5c3f2e2a5b265d3f69643d2e2a285b5e302d395d2b292e2a5b26205d2e2a5b205d3f485454502e2a5b5c6e5d3f2e2a Going to test: .*GET \/post.*\?.*[&]?id=.*([^0-9]+).*[& ].*[ ]?HTTP.*[\n]?.*V Crashed :( ```