sqlmapproject/sqlmap
1
1
Fork 0
mirror of https://github.com/sqlmapproject/sqlmap.git synced 2025-02-10 16:40:36 +03:00
Code Issues Packages Projects Releases Wiki Activity

refactoring regarding --check-payload

Browse Source
This commit is contained in:
Miroslav Stampar 2010-10-25 18:38:54 +00:00
parent 7c343c2d67
commit 228ac0cde5
5 changed files with 202 additions and 744 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
lib/core/common.py
View File

@ -642,8 +642,7 @@ def setPaths():
paths.COMMON_OUTPUTS = os.path.join(paths.SQLMAP_TXT_PATH, 'common-outputs.txt') paths.COMMON_OUTPUTS = os.path.join(paths.SQLMAP_TXT_PATH, 'common-outputs.txt')
paths.COMMON_TABLES = os.path.join(paths.SQLMAP_TXT_PATH, "common-tables.txt") paths.COMMON_TABLES = os.path.join(paths.SQLMAP_TXT_PATH, "common-tables.txt")
paths.SQL_KEYWORDS = os.path.join(paths.SQLMAP_TXT_PATH, "keywords.txt") paths.SQL_KEYWORDS = os.path.join(paths.SQLMAP_TXT_PATH, "keywords.txt")
paths.FUZZ_VECTORS = os.path.join(paths.SQLMAP_TXT_PATH, "fuzz_vectors.txt") paths.PHPIDS_RULES_XML = os.path.join(paths.SQLMAP_XML_PATH, "phpids_rules.xml")
paths.DETECTION_RULES_XML = os.path.join(paths.SQLMAP_XML_PATH, "detection.xml")
paths.ERRORS_XML = os.path.join(paths.SQLMAP_XML_PATH, "errors.xml") paths.ERRORS_XML = os.path.join(paths.SQLMAP_XML_PATH, "errors.xml")
paths.INJECTIONS_XML = os.path.join(paths.SQLMAP_XML_PATH, "injections.xml") paths.INJECTIONS_XML = os.path.join(paths.SQLMAP_XML_PATH, "injections.xml")
paths.LIVE_TESTS_XML = os.path.join(paths.SQLMAP_XML_PATH, "livetests.xml") paths.LIVE_TESTS_XML = os.path.join(paths.SQLMAP_XML_PATH, "livetests.xml")

2
lib/request/connect.py
View File

@ -30,7 +30,7 @@ from lib.request.basic import parseResponse
from lib.request.direct import direct from lib.request.direct import direct
from lib.request.comparison import comparison from lib.request.comparison import comparison
from lib.request.methodrequest import MethodRequest from lib.request.methodrequest import MethodRequest
from lib.utils.detection import checkPayload from lib.utils.checkpayload import checkPayload
class Connect: class Connect:

2
lib/utils/detection.py → lib/utils/checkpayload.py
View File

@ -40,7 +40,7 @@ def checkPayload(payload):
payload = urldecode(payload) payload = urldecode(payload)
if not rules: if not rules:
xmlrules = readXmlFile(paths.DETECTION_RULES_XML) xmlrules = readXmlFile(paths.PHPIDS_RULES_XML)
rules = [] rules = []
for xmlrule in xmlrules.getElementsByTagName("filter"): for xmlrule in xmlrules.getElementsByTagName("filter"):

740
xml/detection.xml
View File

@ -1,740 +0,0 @@
<filters>
<filter>
<id>1</id>
<rule><![CDATA[(?:"[^"]*[^-]?>)|(?:[^\w\s]\s*\/>)|(?:>")]]></rule>
<description>finds html breaking injections including whitespace attacks</description>
<tags>
<tag>xss</tag>
<tag>csrf</tag>
</tags>
<impact>4</impact>
</filter>
<filter>
<id>2</id>
<rule><![CDATA[(?:"+.*[<=]\s*"[^"]+")|(?:"\w+\s*=)|(?:>\w=\/)|(?:#.+\)["\s]*>)|(?:"\s*(?:src|style|on\w+)\s*=\s*")|(?:[^"]?"[,;\s]+\w*[\[\(])]]></rule>
<description>finds attribute breaking injections including whitespace attacks</description>
<tags>
<tag>xss</tag>
<tag>csrf</tag>
</tags>
<impact>4</impact>
</filter>
<filter>
<id>69</id>
<rule><![CDATA[(?:[\s\d\/"]+(?:on\w+|style|poster|background)=[$"\w])]]></rule>
<description>finds malicious attribute injection attempts</description>
<tags>
<tag>xss</tag>
<tag>csrf</tag>
</tags>
<impact>6</impact>
</filter>
<filter>
<id>3</id>
<rule><![CDATA[(?:^>[\w\s]*<\/?\w{2,}>)]]></rule>
<description>finds unquoted attribute breaking injections</description>
<tags>
<tag>xss</tag>
<tag>csrf</tag>
</tags>
<impact>2</impact>
</filter>
<filter>
<id>4</id>
<rule><![CDATA[(?:[+\/]\s*name[\W\d]*[)+])|(?:;\W*url\s*=)|(?:[^\w\s\/?:>]\s*(?:location|referrer|name)\s*[^\/\w\s-])]]></rule>
<description>Detects url-, name-, JSON, and referrer-contained payload attacks</description>
<tags>
<tag>xss</tag>
<tag>csrf</tag>
</tags>
<impact>5</impact>
</filter>
<filter>
<id>5</id>
<rule><![CDATA[(?:\W\s*hash\s*[^\w\s-])|(?:\w+=\W*[^,]*,[^\s(]\s*\()|(?:\?"[^\s"]":)|(?:(?<!\/)__[a-z]+__)|(?:(?:^|[\s)\]\}])(?:s|g)etter\s*=)]]></rule>
<description>Detects hash-contained xss payload attacks, setter usage and property overloading</description>
<tags>
<tag>xss</tag>
<tag>csrf</tag>
</tags>
<impact>5</impact>
</filter>
<filter>
<id>6</id>
<rule><![CDATA[(?:with\s*\(\s*.+\s*\)\s*\w+\s*\()|(?:(?:do|while|for)\s*\([^)]*\)\s*\{)|(?:\/[\w\s]*\[\W*\w)]]></rule>
<description>Detects self contained xss via with(), common loops and regex to string conversion</description>
<tags>
<tag>xss</tag>
<tag>csrf</tag>
</tags>
<impact>5</impact>
</filter>
<filter>
<id>7</id>
<rule><![CDATA[(?:[=(].+\?.+:)|(?:with\([^)]*\)\))|(?:\.\s*source\W)]]></rule>
<description>Detects JavaScript with(), ternary operators and XML predicate attacks</description>
<tags>
<tag>xss</tag>
<tag>csrf</tag>
</tags>
<impact>5</impact>
</filter>
<filter>
<id>8</id>
<rule><![CDATA[(?:\/\w*\s*\)\s*\()|(?:\(.*\/.+\/\w*\s*\))|(?:\([\w\s]+\([\w\s]+\)[\w\s]+\))|(?:(?<!(?:mozilla\/\d\.\d\s))\([^)[]+\[[^\]]+\][^)]*\))|(?:[^\s!][{([][^({[]+[{([][^}\])]+[}\])][\s+",\d]*[}\])])|(?:"\)?\]\W*\[)|(?:=\s*[^\s:;]+\s*[{([][^}\])]+[}\])];)]]></rule>
<description>Detects self-executing JavaScript functions</description>
<tags>
<tag>xss</tag>
<tag>csrf</tag>
</tags>
<impact>5</impact>
</filter>
<filter>
<id>9</id>
<rule><![CDATA[(?:\\u00[a-f0-9]{2})|(?:\\x0*[a-f0-9]{2})|(?:\\\d{2,3})]]></rule>
<description>Detects the IE octal, hex and unicode entities</description>
<tags>
<tag>xss</tag>
<tag>csrf</tag>
</tags>
<impact>2</impact>
</filter>
<filter>
<id>10</id>
<rule><![CDATA[(?:(?:\/|\\)?\.+(\/|\\)(?:\.+)?)|(?:\w+\.exe\??\s)|(?:;\s*\w+\s*\/[\w*-]+\/)|(?:\d\.\dx\|)|(?:%(?:c0\.|af\.|5c\.))|(?:\/(?:%2e){2})]]></rule>
<description>Detects basic directory traversal</description>
<tags>
<tag>dt</tag>
<tag>id</tag>
<tag>lfi</tag>
</tags>
<impact>5</impact>
</filter>
<filter>
<id>11</id>
<rule><![CDATA[(?:%c0%ae\/)|(?:(?:\/|\\)(home|conf|usr|etc|proc|opt|s?bin|local|dev|tmp|kern|[br]oot|sys|system|windows|winnt|program|%[a-z_-]{3,}%)(?:\/|\\))|(?:(?:\/|\\)inetpub|localstart\.asp|boot\.ini)]]></rule>
<description>Detects specific directory and path traversal</description>
<tags>
<tag>dt</tag>
<tag>id</tag>
<tag>lfi</tag>
</tags>
<impact>5</impact>
</filter>
<filter>
<id>12</id>
<rule><![CDATA[(?:etc\/\W*passwd)]]></rule>
<description>Detects etc/passwd inclusion attempts</description>
<tags>
<tag>dt</tag>
<tag>id</tag>
<tag>lfi</tag>
</tags>
<impact>5</impact>
</filter>
<filter>
<id>13</id>
<rule><![CDATA[(?:%u(?:ff|00|e\d)\w\w)|(?:(?:%(?:e\w|c[^3\W]|))(?:%\w\w)(?:%\w\w)?)]]></rule>
<description>Detects halfwidth/fullwidth encoded unicode HTML breaking attempts</description>
<tags>
<tag>xss</tag>
<tag>csrf</tag>
</tags>
<impact>3</impact>
</filter>
<filter>
<id>14</id>
<rule><![CDATA[(?:#@~\^\w+)|(?:\w+script:|@import[^\w]|;base64|base64,)|(?:\w+\s*\([\w\s]+,[\w\s]+,[\w\s]+,[\w\s]+,[\w\s]+,[\w\s]+\))]]></rule>
<description>Detects possible includes, VBSCript/JScript encodeed and packed functions</description>
<tags>
<tag>xss</tag>
<tag>csrf</tag>
<tag>id</tag>
<tag>rfe</tag>
</tags>
<impact>5</impact>
</filter>
<filter>
<id>15</id>
<rule><![CDATA[([^*:\s\w,.\/?+-]\s*)?(?<![a-z]\s)(?<![a-z\/_@>\-\|])(\s*return\s*)?(?:create(?:element|attribute|textnode)|[a-z]+events?|setattribute|getelement\w+|appendchild|createrange|createcontextualfragment|removenode|parentnode|decodeuricomponent|\wettimeout|option|useragent)(?(1)[^\w%"]|(?:\s*[^@\s\w%",.+\-]))]]></rule>
<description>Detects JavaScript DOM/miscellaneous properties and methods</description>
<tags>
<tag>xss</tag>
<tag>csrf</tag>
<tag>id</tag>
<tag>rfe</tag>
</tags>
<impact>6</impact>
</filter>
<filter>
<id>16</id>
<rule><![CDATA[([^*\s\w,.\/?+-]\s*)?(?<![a-mo-z]\s)(?<![a-z\/_@>])(\s*return\s*)?(?:alert|inputbox|showmodaldialog|infinity|isnan|isnull|iterator|msgbox|expression|prompt|write(?:ln)?|confirm|dialog|urn|(?:un)?eval|exec|execscript|tostring|status|execute|window|unescape|navigate|jquery|getscript|extend|prototype)(?(1)[^\w%"]|(?:\s*[^@\s\w%",.:\/+\-]))]]></rule>
<description>Detects possible includes and typical script methods</description>
<tags>
<tag>xss</tag>
<tag>csrf</tag>
<tag>id</tag>
<tag>rfe</tag>
</tags>
<impact>5</impact>
</filter>
<filter>
<id>17</id>
<rule><![CDATA[([^*:\s\w,.\/?+-]\s*)?(?<![a-z]\s)(?<![a-z\/_@>])(\s*return\s*)?(?:hash|name|href|navigateandfind|source|pathname|close|constructor|port|protocol|assign|replace|back|forward|document|ownerdocument|window|top|this|self|parent|frames|_?content|date|cookie|innerhtml|innertext|csstext+?|outerhtml|print|moveby|resizeto|createstylesheet|stylesheets)(?(1)[^\w%"]|(?:\s*[^@\/\s\w%.+\-]))]]></rule>
<description>Detects JavaScript object properties and methods</description>
<tags>
<tag>xss</tag>
<tag>csrf</tag>
<tag>id</tag>
<tag>rfe</tag>
</tags>
<impact>4</impact>
</filter>
<filter>
<id>18</id>
<rule><![CDATA[([^*:\s\w,.\/?+-]\s*)?(?<![a-z]\s)(?<![a-z\/_@>\-\|])(\s*return\s*)?(?:join|pop|push|reverse|reduce|concat|map|shift|sp?lice|sort|unshift)(?(1)[^\w%"]|(?:\s*[^@\s\w%,.+\-]))]]></rule>
<description>Detects JavaScript array properties and methods</description>
<tags>
<tag>xss</tag>
<tag>csrf</tag>
<tag>id</tag>
<tag>rfe</tag>
</tags>
<impact>4</impact>
</filter>
<filter>
<id>19</id>
<rule><![CDATA[([^*:\s\w,.\/?+-]\s*)?(?<![a-z]\s)(?<![a-z\/_@>\-\|])(\s*return\s*)?(?:set|atob|btoa|charat|charcodeat|charset|concat|crypto|frames|fromcharcode|indexof|lastindexof|match|navigator|toolbar|menubar|replace|regexp|slice|split|substr|substring|escape|\w+codeuri\w*)(?(1)[^\w%"]|(?:\s*[^@\s\w%,.+\-]))]]></rule>
<description>Detects JavaScript string properties and methods</description>
<tags>
<tag>xss</tag>
<tag>csrf</tag>
<tag>id</tag>
<tag>rfe</tag>
</tags>
<impact>4</impact>
</filter>
<filter>
<id>20</id>
<rule><![CDATA[(?:\)\s*\[)|(?:\/\w*\s*\)\s*\W)|([^*:\s\w,.\/?+-]\s*)?(?<![a-z]\s)(?<![a-z_@>\|])(\s*return\s*)?(?:globalstorage|sessionstorage|postmessage|callee|constructor|content|domain|prototype|try|catch|top|call|apply|url|function|object|array|string|math|if|for\s*(?:each)?|elseif|case|switch|regex|boolean|location|settimeout|setinterval|void|setexpression|namespace|while)(?(1)[^\w%"]|(?:\s*[^@\s\w%".+\-]))]]></rule>
<description>Detects JavaScript language constructs</description>
<tags>
<tag>xss</tag>
<tag>csrf</tag>
<tag>id</tag>
<tag>rfe</tag>
</tags>
<impact>4</impact>
</filter>
<filter>
<id>21</id>
<rule><![CDATA[(?:,\s*(?:alert|showmodaldialog|eval)\s*,)|(?::\s*eval\s*[^\s])|([^:\s\w,.\/?+-]\s*)?(?<![a-z\/_@])(\s*return\s*)?(?:(?:document\s*\.)?(?:.+\/)?(?:alert|eval|msgbox|showmodaldialog|prompt|write(?:ln)?|confirm|dialog|open))\s*(?:[^a-z\s]|(?:\s*[^\s\w,.@\/+-]))|(?:java[\s\/]*\.[\s\/]*lang)|(?:\w\s*=\s*new\s+\w+)|(?:&\s*\w+\s*\)[^,])|(?:\+[\W\d]*new\s+\w+[\W\d]*\+)|(?:document\.\w)]]></rule>
<description>Detects very basic XSS probings</description>
<tags>
<tag>xss</tag>
<tag>csrf</tag>
<tag>id</tag>
<tag>rfe</tag>
</tags>
<impact>3</impact>
</filter>
<filter>
<id>22</id>
<rule><![CDATA[(?:=\s*(?:top|this|window|content|self|frames|_content))|(?:\/\s*\w*\s*[)}])|(?:[^\s]\s*=\s*script)|(?:\.\s*constructor)|(?:default\s+xml\s+namespace\s*=)|(?:\/\s*\+[^+]+\s*\+\s*\/)]]></rule>
<description>Detects advanced XSS probings via Script(), RexExp, constructors and XML namespaces</description>
<tags>
<tag>xss</tag>
<tag>csrf</tag>
<tag>id</tag>
<tag>rfe</tag>
</tags>
<impact>5</impact>
</filter>
<filter>
<id>23</id>
<rule><![CDATA[(?:\.\s*\w+\W*=)|(?:\W\s*(?:location|document)\s*\W[^({[;]+[({[;])|(?:\(\w+\?[:\w]+\))|(?:\w{2,}\s*=\s*\d+[^&\w]\w+)|(?:\]\s*\(\s*\w+)]]></rule>
<description>Detects JavaScript location/document property access and window access obfuscation</description>
<tags>
<tag>xss</tag>
<tag>csrf</tag>
</tags>
<impact>5</impact>
</filter>
<filter>
<id>24</id>
<rule><![CDATA[(?:[".]script\s*\()|(?:\$\$?\s*\(\s*[\w"])|(?:\/[\w\s]+\/\.)|(?:=\s*\/\w+\/\s*\.)|(?:(?:this|window|top|parent|frames|self|content)\[\s*[(,"]*\s*[\w\$])|(?:,\s*new\s+\w+\s*[,;)])]]></rule>
<description>Detects basic obfuscated JavaScript script injections</description>
<tags>
<tag>xss</tag>
<tag>csrf</tag>
</tags>
<impact>5</impact>
</filter>
<filter>
<id>25</id>
<rule><![CDATA[(?:=\s*[$\w]\s*[\(\[])|(?:\(\s*(?:this|top|window|self|parent|_?content)\s*\))|(?:src\s*=s*(?:\w+:|\/\/))|(?:\w+\[("\w+"|\w+\|\|))|(?:[\d\W]\|\|[\d\W]|\W=\w+,)|(?:\/\s*\+\s*[a-z"])|(?:=\s*\$[^([]*\()|(?:=\s*\(\s*")]]></rule>
<description>Detects obfuscated JavaScript script injections</description>
<tags>
<tag>xss</tag>
<tag>csrf</tag>
</tags>
<impact>5</impact>
</filter>
<filter>
<id>26</id>
<rule><![CDATA[(?:[^:\s\w]+\s*[^\w\/](href|protocol|host|hostname|pathname|hash|port|cookie)[^\w])]]></rule>
<description>Detects JavaScript cookie stealing and redirection attempts</description>
<tags>
<tag>xss</tag>
<tag>csrf</tag>
</tags>
<impact>4</impact>
</filter>
<filter>
<id>27</id>
<rule><![CDATA[(?:data:.*,)|(?:\w+\s*=\W*(?!https?)\w+:)|(jar:\w+:)|(=\s*"?\s*vbs(?:ript)?:)|(language\s*=\s?"?\s*vbs(?:ript)?)|on\w+\s*=\*\w+\-"?]]></rule>
<description>Detects data: URL injections, VBS injections and common URI schemes</description>
<tags>
<tag>xss</tag>
<tag>rfe</tag>
</tags>
<impact>5</impact>
</filter>
<filter>
<id>28</id>
<rule><![CDATA[(?:firefoxurl:\w+\|)|(?:(?:file|res|telnet|nntp|news|mailto|chrome)\s*:\s*[%&#xu\/]+)|(wyciwyg|firefoxurl\s*:\s*\/\s*\/)]]></rule>
<description>Detects IE firefoxurl injections, cache poisoning attempts and local file inclusion/execution</description>
<tags>
<tag>xss</tag>
<tag>rfe</tag>
<tag>lfi</tag>
<tag>csrf</tag>
</tags>
<impact>5</impact>
</filter>
<filter>
<id>29</id>
<rule><![CDATA[(?:binding\s?=|moz-binding|behavior\s?=)|(?:[\s\/]style\s*=\s*[-\\])]]></rule>
<description>Detects bindings and behavior injections</description>
<tags>
<tag>xss</tag>
<tag>csrf</tag>
<tag>rfe</tag>
</tags>
<impact>4</impact>
</filter>
<filter>
<id>30</id>
<rule><![CDATA[(?:=\s*\w+\s*\+\s*")|(?:\+=\s*\(\s")|(?:!+\s*[\d.,]+\w?\d*\s*\?)|(?:=\s*\[s*\])|(?:"\s*\+\s*")|(?:[^\s]\[\s*\d+\s*\]\s*[;+])|(?:"\s*[&|]+\s*")|(?:\/\s*\?\s*")|(?:\/\s*\)\s*\[)|(?:\d\?.+:\d)|(?:]\s*\[\W*\w)|(?:[^\s]\s*=\s*\/)]]></rule>
<description>Detects common XSS concatenation patterns 1/2</description>
<tags>
<tag>xss</tag>
<tag>csrf</tag>
<tag>id</tag>
<tag>rfe</tag>
</tags>
<impact>4</impact>
</filter>
<filter>
<id>31</id>
<rule><![CDATA[(?:=\s*\d*\.\d*\?\d*\.\d*)|(?:[|&]{2,}\s*")|(?:!\d+\.\d*\?")|(?:\/:[\w.]+,)|(?:=[\d\W\s]*\[[^]]+\])|(?:\?\w+:\w+)]]></rule>
<description>Detects common XSS concatenation patterns 2/2</description>
<tags>
<tag>xss</tag>
<tag>csrf</tag>
<tag>id</tag>
<tag>rfe</tag>
</tags>
<impact>4</impact>
</filter>
<filter>
<id>32</id>
<rule><![CDATA[(?:[^\w\s=]on(?!g\&gt;)\w+[^=_+-]*=[^$]+(?:\W|\&gt;)?)]]></rule>
<description>Detects possible event handlers</description>
<tags>
<tag>xss</tag>
<tag>csrf</tag>
</tags>
<impact>4</impact>
</filter>
<filter>
<id>33</id>
<rule><![CDATA[(?:\<\w*:?\s(?:[^\>]*)t(?!rong))|(?:\<scri)|(<\w+:\w+)]]></rule>
<description>Detects obfuscated script tags and XML wrapped HTML</description>
<tags>
<tag>xss</tag>
</tags>
<impact>4</impact>
</filter>
<filter>
<id>34</id>
<rule><![CDATA[(?:\<\/\w+\s\w+)|(?:@(?:cc_on|set)[\s@,"=])]]></rule>
<description>Detects attributes in closing tags and conditional compilation tokens</description>
<tags>
<tag>xss</tag>
<tag>csrf</tag>
</tags>
<impact>4</impact>
</filter>
<filter>
<id>35</id>
<rule><![CDATA[(?:--[^\n]*$)|(?:\<!-|-->)|(?:[^*]\/\*|\*\/[^*])|(?:(?:[\W\d]#|--|{)$)|(?:\/{3,}.*$)|(?:<!\[\W)|(?:\]!>)]]></rule>
<description>Detects common comment types</description>
<tags>
<tag>xss</tag>
<tag>csrf</tag>
<tag>id</tag>
</tags>
<impact>3</impact>
</filter>
<filter>
<id>37</id>
<rule><![CDATA[(?:\<base\s+)|(?:<!(?:element|entity|\[CDATA))]]></rule>
<description>Detects base href injections and XML entity injections</description>
<tags>
<tag>xss</tag>
<tag>csrf</tag>
<tag>id</tag>
</tags>
<impact>5</impact>
</filter>
<filter>
<id>38</id>
<rule><![CDATA[(?:\<[\/]?(?:[i]?frame|applet|isindex|marquee|keygen|script|audio|video|input|button|textarea|style|base|body|meta|link|object|embed|param|plaintext|xm\w+|image|im(?:g|port)))]]></rule>
<description>Detects possibly malicious html elements including some attributes</description>
<tags>
<tag>xss</tag>
<tag>csrf</tag>
<tag>id</tag>
<tag>rfe</tag>
<tag>lfi</tag>
</tags>
<impact>4</impact>
</filter>
<filter>
<id>39</id>
<rule><![CDATA[(?:\\x[01fe][\db-ce-f])|(?:%[01fe][\db-ce-f])|(?:&#[01fe][\db-ce-f])|(?:\\[01fe][\db-ce-f])|(?:&#x[01fe][\db-ce-f])]]></rule>
<description>Detects nullbytes and other dangerous characters</description>
<tags>
<tag>id</tag>
<tag>rfe</tag>
<tag>xss</tag>
</tags>
<impact>5</impact>
</filter>
<filter>
<id>40</id>
<rule><![CDATA[(?:\)\s*when\s*\d+\s*then)|(?:"\s*(?:#|--|{))|(?:\/\*!\s?\d+)|(?:ch(?:a)?r\s*\(\s*\d)|(?:(?:(n?and|x?or|not)\s+|\|\||\&\&)\s*\w+\()]]></rule>
<description>Detects MySQL comments, conditions and ch(a)r injections</description>
<tags>
<tag>sqli</tag>
<tag>id</tag>
<tag>lfi</tag>
</tags>
<impact>6</impact>
</filter>
<filter>
<id>41</id>
<rule><![CDATA[(?:[\s()]case\s*\()|(?:\)\s*like\s*\()|(?:having\s*[^\s]+\s*[^\w\s])|(?:if\s?\([\d\w]\s*[=<>~])]]></rule>
<description>Detects conditional SQL injection attempts</description>
<tags>
<tag>sqli</tag>
<tag>id</tag>
<tag>lfi</tag>
</tags>
<impact>6</impact>
</filter>
<filter>
<id>42</id>
<rule><![CDATA[(?:"\s*or\s*\d)|(?:\\x(?:23|27|3d))|(?:^.?"$)|(?:^.*\\".+(?<!\\)")|(?:(?:^["\\]*(?:[\d"]+|[^"]+"))+\s*(?:n?and|x?or|not|\|\||\&\&)\s*[\w"[+&!@(),.-])|(?:[^\w\s]\w+\s*[|-]\s*"\s*\w)|(?:@\w+\s+(and|or)\s*["\d]+)|(?:@[\w-]+\s(and|or)\s*[^\w\s])|(?:[^\w\s:]\s*\d\W+[^\w\s]\s*".)]]></rule>
<description>Detects classic SQL injection probings 1/2</description>
<tags>
<tag>sqli</tag>
<tag>id</tag>
<tag>lfi</tag>
</tags>
<impact>6</impact>
</filter>
<filter>
<id>43</id>
<rule><![CDATA[(?:"\s*\*.+(?:or|id)\W*"\d)|(?:\^")|(?:^[\w\s"-]+(?<=and\s)(?<=or\s)(?<=xor\s)(?<=nand\s)(?<=not\s)(?<=\|\|)(?<=\&\&)\w+\()|(?:"[\s\d]*[^\w\s]+\W*\d\W*.*["\d])|(?:"\s*[^\w\s?]+\s*[^\w\s]+\s*")|(?:"\s*[^\w\s]+\s*[\W\d].*(?:#|--))|(?:".*\*\s*\d)|(?:"\s*or\s[\w-]+.*\d)|(?:[()*<>%+-][\w-]+[^\w\s]+"[^,])]]></rule>
<description>Detects classic SQL injection probings 2/2</description>
<tags>
<tag>sqli</tag>
<tag>id</tag>
<tag>lfi</tag>
</tags>
<impact>6</impact>
</filter>
<filter>
<id>44</id>
<rule><![CDATA[(?:\d"\s+"\s+\d)|(?:^admin\s*"|(\/\*)+"+\s?(?:--|#|\/\*|{)?)|(?:"\s*or[\w\s-]+\s*[+<>=(),-]\s*[\d"])|(?:"\s*[^\w\s]?=\s*")|(?:"\W*[+=]+\W*")|(?:"\s*[!=|][\d\s!=+-]+.*["(].*$)|(?:"\s*[!=|][\d\s!=]+.*\d+$)|(?:"\s*like\W+[\w"(])|(?:\sis\s*0\W)|(?:where\s[\s\w\.,-]+\s=)|(?:"[<>~]+")]]></rule>
<description>Detects basic SQL authentication bypass attempts 1/3</description>
<tags>
<tag>sqli</tag>
<tag>id</tag>
<tag>lfi</tag>
</tags>
<impact>7</impact>
</filter>
<filter>
<id>45</id>
<rule><![CDATA[(?:union\s*(?:all|distinct|[(!@]*)?\s*[([]*\s*select)|(?:\w+\s+like\s+\")|(?:like\s*"\%)|(?:"\s*like\W*["\d])|(?:"\s*(?:n?and|x?or|not |\|\||\&\&)\s+[\s\w]+=\s*\w+\s*having)|(?:"\s*\*\s*\w+\W+")|(?:"\s*[^?\w\s=.,;)(]+\s*[(@"]*\s*\w+\W+\w)|(?:select\s*[\[\]()\s\w\.,-]+from)]]></rule>
<description>Detects basic SQL authentication bypass attempts 2/3</description>
<tags>
<tag>sqli</tag>
<tag>id</tag>
<tag>lfi</tag>
</tags>
<impact>7</impact>
</filter>
<filter>
<id>46</id>
<rule><![CDATA[(?:in\s*\(+\s*select)|(?:(?:n?and|x?or|not |\|\||\&\&)\s+[\s\w+]+(?:regexp\s*\(|sounds\s+like\s*"|[=\d]+x))|("\s*\d\s*(?:--|#))|(?:"[%&<>^=]+\d\s*(=|or))|(?:"\W+[\w+-]+\s*=\s*\d\W+")|(?:"\s*is\s*\d.+"?\w)|(?:"\|?[\w-]{3,}[^\w\s.,]+")|(?:"\s*is\s*[\d.]+\s*\W.*")]]></rule>
<description>Detects basic SQL authentication bypass attempts 3/3</description>
<tags>
<tag>sqli</tag>
<tag>id</tag>
<tag>lfi</tag>
</tags>
<impact>7</impact>
</filter>
<filter>
<id>47</id>
<rule><![CDATA[(?:^[\W\d]+\s*(?:union|select|create|rename|truncate|load|alter|delete|update|insert|desc))|(?:(?:select|create|rename|truncate|load|alter|delete|update|insert|desc)\s+(?:concat|char|load_file)\s?\(?)|(?:end\s*\);)|("\s+regexp\W)|(?:[\s(]load_file\s*\()]]></rule>
<description>Detects concatenated basic SQL injection and SQLLFI attempts</description>
<tags>
<tag>sqli</tag>
<tag>id</tag>
<tag>lfi</tag>
</tags>
<impact>5</impact>
</filter>
<filter>
<id>48</id>
<rule><![CDATA[(?:\d+\s*or\s*\d+\s*[\-+])|(?:\/\w+;?\s+(?:having|and|or|select))|(?:\d\s+group\s+by.+\()|(?:(?:;|#|--)\s*(?:drop|alter))|(?:(?:;|#|--)\s*(?:update|insert)\s*\w{2,})|(?:[^\w]SET\s*@\w+)|(?:(?:n?and|x?or|not |\|\||\&\&)[\s(]+\w+[\s)]*[!=+]+[\s\d]*["=()])]]></rule>
<description>Detects chained SQL injection attempts 1/2</description>
<tags>
<tag>sqli</tag>
<tag>id</tag>
</tags>
<impact>6</impact>
</filter>
<filter>
<id>49</id>
<rule><![CDATA[(?:\(\s*select\s*\w+\s*\()|(?:\*\/from)|(?:\+\s*\d+\s*\+\s*@)|(?:\w"\s*(?:[-+=|@]+\s*)+[\d(])|(?:coalesce\s*\(|@@\w+\s*[^\w\s])|(?:\W!+"\w)|(?:";\s*(?:if|while|begin))|(?:"[\s\d]+=\s*\d)|(?:order\s+by\s+if\w*\s*\()|(?:[\s(]+case\d*\W.+[tw]hen[\s(])]]></rule>
<description>Detects chained SQL injection attempts 2/2</description>
<tags>
<tag>sqli</tag>
<tag>id</tag>
</tags>
<impact>6</impact>
</filter>
<filter>
<id>50</id>
<rule><![CDATA[(?:(select|;)\s+(?:benchmark|if|sleep)\s*?\(\s*\(?\s*\w+)]]></rule>
<description>Detects SQL benchmark and sleep injection attempts including conditional queries</description>
<tags>
<tag>sqli</tag>
<tag>id</tag>
</tags>
<impact>4</impact>
</filter>
<filter>
<id>51</id>
<rule><![CDATA[(?:create\s+function\s+\w+\s+returns)|(?:;\s*(?:select|create|rename|truncate|load|alter|delete|update|insert|desc)\s*[\[(]?\w{2,})]]></rule>
<description>Detects MySQL UDF injection and other data/structure manipulation attempts</description>
<tags>
<tag>sqli</tag>
<tag>id</tag>
</tags>
<impact>6</impact>
</filter>
<filter>
<id>52</id>
<rule><![CDATA[(?:alter\s*\w+.*character\s+set\s+\w+)|(";\s*waitfor\s+time\s+")|(?:";.*:\s*goto)]]></rule>
<description>Detects MySQL charset switch and MSSQL DoS attempts</description>
<tags>
<tag>sqli</tag>
<tag>id</tag>
</tags>
<impact>6</impact>
</filter>
<filter>
<id>53</id>
<rule><![CDATA[(?:procedure\s+analyse\s*\()|(?:;\s*(declare|open)\s+[\w-]+)|(?:create\s+(procedure|function)\s*\w+\s*\(\s*\)\s*-)|(?:declare[^\w]+[@#]\s*\w+)|(exec\s*\(\s*@)]]></rule>
<description>Detects MySQL and PostgreSQL stored procedure/function injections</description>
<tags>
<tag>sqli</tag>
<tag>id</tag>
</tags>
<impact>7</impact>
</filter>
<filter>
<id>54</id>
<rule><![CDATA[(?:select\s*pg_sleep)|(?:waitfor\s*delay\s?"+\s?\d)|(?:;\s*shutdown\s*(?:;|--|#|\/\*|{))]]></rule>
<description>Detects Postgres pg_sleep injection, waitfor delay attacks and database shutdown attempts</description>
<tags>
<tag>sqli</tag>
<tag>id</tag>
</tags>
<impact>5</impact>
</filter>
<filter>
<id>55</id>
<rule><![CDATA[(?:"\s*!\s*["\w])|(?:from\s+information_schema\W)|(?:(?:(?:current_)?user|database|schema|connection_id)\s*\([^\)]*)|(?:";?\s*(?:select|union|having)\s*[^\s])|(?:\wiif\s*\()|(?:exec\s+master\.)|(?:union select @)|(?:union[\w(\s]*select)|(?:select.*\w?user\()|(?:into[\s+]+(?:dump|out)file\s*")]]></rule>
<description>Detects MSSQL code execution and information gathering attempts</description>
<tags>
<tag>sqli</tag>
<tag>id</tag>
</tags>
<impact>5</impact>
</filter>
<filter>
<id>56</id>
<rule><![CDATA[(?:merge.*using\s*\()|(execute\s*immediate\s*")|(?:\W+\d*\s*having\s*[^\s])|(?:match\s*[\w(),+-]+\s*against\s*\()]]></rule>
<description>Detects MATCH AGAINST, MERGE, EXECUTE IMMEDIATE and HAVING injections</description>
<tags>
<tag>sqli</tag>
<tag>id</tag>
</tags>
<impact>5</impact>
</filter>
<filter>
<id>57</id>
<rule><![CDATA[(?:select\s*\*\s*from)|((?:select|create|rename|truncate|load|alter|delete|update|insert|desc)\s*\(\s*space\s*\()]]></rule>
<description>Detects MySQL comment-/space-obfuscated injections</description>
<tags>
<tag>sqli</tag>
<tag>id</tag>
</tags>
<impact>5</impact>
</filter>
<filter>
<id>58</id>
<rule><![CDATA[(?:@[\w-]+\s*\()|(?:]\s*\(\s*["!]\s*\w)|(?:<[?%](?:php)?.*(?:[?%]>)?)|(?:;[\s\w|]*\$\w+\s*=)|(?:\$\w+\s*=(?:(?:\s*\$?\w+\s*[(;])|\s*".*"))|(?:;\s*\{\W*\w+\s*\()]]></rule>
<description>Detects code injection attempts 1/3</description>
<tags>
<tag>id</tag>
<tag>rfe</tag>
<tag>lfi</tag>
</tags>
<impact>7</impact>
</filter>
<filter>
<id>59</id>
<rule><![CDATA[(?:(?:[;]+|(<[?%](?:php)?)).*(?:define|eval|file_get_contents|include|require|require_once|set|shell_exec|phpinfo|system|passthru|preg_\w+|execute)\s*["(@])]]></rule>
<description>Detects code injection attempts 2/3</description>
<tags>
<tag>id</tag>
<tag>rfe</tag>
<tag>lfi</tag>
</tags>
<impact>7</impact>
</filter>
<filter>
<id>60</id>
<rule><![CDATA[(?:(?:[;]+|(<[?%](?:php)?)).*[^\w](?:echo|print|print_r|var_dump|[fp]open))|(?:;\s*rm\s+-\w+\s+)|(?:;.*{.*\$\w+\s*=)|(?:\$\w+\s*\[\]\s*=\s*)]]></rule>
<description>Detects code injection attempts 3/3</description>
<tags>
<tag>id</tag>
<tag>rfe</tag>
<tag>lfi</tag>
</tags>
<impact>7</impact>
</filter>
<filter>
<id>61</id>
<rule><![CDATA[(?:\w+]?(?<!href)(?<!src)(?<!longdesc)(?<!returnurl)=(?:https?|ftp):)|(?:\{\s*\$\s*\{)]]></rule>
<description>Detects url injections and RFE attempts</description>
<tags>
<tag>id</tag>
<tag>rfe</tag>
<tag>lfi</tag>
</tags>
<impact>5</impact>
</filter>
<filter>
<id>62</id>
<rule><![CDATA[(?:function[^(]*\([^)]*\))|(?:(?:delete|void|throw|instanceof|new|typeof)\W+\w+\s*[([])|([)\]]\s*\.\s*\w+\s*=)|(?:\(\s*new\s+\w+\s*\)\.)]]></rule>
<description>Detects common function declarations and special JS operators</description>
<tags>
<tag>id</tag>
<tag>rfe</tag>
<tag>lfi</tag>
</tags>
<impact>5</impact>
</filter>
<filter>
<id>63</id>
<rule><![CDATA[(?:[\w.-]+@[\w.-]+%(?:[01][\db-ce-f])+\w+:)]]></rule>
<description>Detects common mail header injections</description>
<tags>
<tag>id</tag>
<tag>spam</tag>
</tags>
<impact>5</impact>
</filter>
<filter>
<id>64</id>
<rule><![CDATA[(?:\.pl\?\w+=\w?\|\w+;)|(?:\|\(\w+=\*)|(?:\*\s*\)+\s*;)]]></rule>
<description>Detects perl echo shellcode injection and LDAP vectors</description>
<tags>
<tag>lfi</tag>
<tag>rfe</tag>
</tags>
<impact>5</impact>
</filter>
<filter>
<id>65</id>
<rule><![CDATA[(?:(^|\W)const\s+[\w\-]+\s*=)|(?:(?:do|for|while)\s*\([^;]+;+\))|(?:(?:^|\W)on\w+\s*=[\w\W]*(?:on\w+|alert|eval|print|confirm|prompt))|(?:groups=\d+\(\w+\))|(?:(.)\1{128,})]]></rule>
<description>Detects basic XSS DoS attempts</description>
<tags>
<tag>rfe</tag>
<tag>dos</tag>
</tags>
<impact>5</impact>
</filter>
<filter>
<id>67</id>
<rule><![CDATA[(?:\({2,}\+{2,}:{2,})|(?:\({2,}\+{2,}:+)|(?:\({3,}\++:{2,})|(?:\$\[!!!\])]]></rule>
<description>Detects unknown attack vectors based on PHPIDS Centrifuge detection</description>
<tags>
<tag>xss</tag>
<tag>csrf</tag>
<tag>id</tag>
<tag>rfe</tag>
<tag>lfi</tag>
</tags>
<impact>7</impact>
</filter>
<filter>
<id>68</id>
<rule><![CDATA[(?:[\s\/"]+[-\w\/\\\*]+\s*=.+(?:\/\s*>))]]></rule>
<description>finds attribute breaking injections including obfuscated attributes</description>
<tags>
<tag>xss</tag>
<tag>csrf</tag>
</tags>
<impact>4</impact>
</filter>
<filter>
<id>69</id>
<rule><![CDATA[(?:(?:msgbox|eval)\s*\+|(?:language\s*=\*vbscript))]]></rule>
<description>finds basic VBScript injection attempts</description>
<tags>
<tag>xss</tag>
<tag>csrf</tag>
</tags>
<impact>4</impact>
</filter>
<filter>
<id>70</id>
<rule><![CDATA[(?:\[\$(?:ne|eq|lte?|gte?|n?in|mod|all|size|exists|type|slice|or)\])]]></rule>
<description>finds basic MongoDB SQL injection attempts</description>
<tags>
<tag>sqli</tag>
</tags>
<impact>4</impact>
</filter>
</filters>

199
xml/phpids_rules.xml Normal file
View File

@ -0,0 +1,199 @@
<filters>
<filter>
<id>40</id>
<rule><![CDATA[(?:\)\s*when\s*\d+\s*then)|(?:"\s*(?:#|--|{))|(?:\/\*!\s?\d+)|(?:ch(?:a)?r\s*\(\s*\d)|(?:(?:(n?and|x?or|not)\s+|\|\||\&\&)\s*\w+\()]]></rule>
<description>Detects MySQL comments, conditions and ch(a)r injections</description>
<tags>
<tag>sqli</tag>
<tag>id</tag>
<tag>lfi</tag>
</tags>
<impact>6</impact>
</filter>
<filter>
<id>41</id>
<rule><![CDATA[(?:[\s()]case\s*\()|(?:\)\s*like\s*\()|(?:having\s*[^\s]+\s*[^\w\s])|(?:if\s?\([\d\w]\s*[=<>~])]]></rule>
<description>Detects conditional SQL injection attempts</description>
<tags>
<tag>sqli</tag>
<tag>id</tag>
<tag>lfi</tag>
</tags>
<impact>6</impact>
</filter>
<filter>
<id>42</id>
<rule><![CDATA[(?:"\s*or\s*\d)|(?:\\x(?:23|27|3d))|(?:^.?"$)|(?:^.*\\".+(?<!\\)")|(?:(?:^["\\]*(?:[\d"]+|[^"]+"))+\s*(?:n?and|x?or|not|\|\||\&\&)\s*[\w"[+&!@(),.-])|(?:[^\w\s]\w+\s*[|-]\s*"\s*\w)|(?:@\w+\s+(and|or)\s*["\d]+)|(?:@[\w-]+\s(and|or)\s*[^\w\s])|(?:[^\w\s:]\s*\d\W+[^\w\s]\s*".)]]></rule>
<description>Detects classic SQL injection probings 1/2</description>
<tags>
<tag>sqli</tag>
<tag>id</tag>
<tag>lfi</tag>
</tags>
<impact>6</impact>
</filter>
<filter>
<id>43</id>
<rule><![CDATA[(?:"\s*\*.+(?:or|id)\W*"\d)|(?:\^")|(?:^[\w\s"-]+(?<=and\s)(?<=or\s)(?<=xor\s)(?<=nand\s)(?<=not\s)(?<=\|\|)(?<=\&\&)\w+\()|(?:"[\s\d]*[^\w\s]+\W*\d\W*.*["\d])|(?:"\s*[^\w\s?]+\s*[^\w\s]+\s*")|(?:"\s*[^\w\s]+\s*[\W\d].*(?:#|--))|(?:".*\*\s*\d)|(?:"\s*or\s[\w-]+.*\d)|(?:[()*<>%+-][\w-]+[^\w\s]+"[^,])]]></rule>
<description>Detects classic SQL injection probings 2/2</description>
<tags>
<tag>sqli</tag>
<tag>id</tag>
<tag>lfi</tag>
</tags>
<impact>6</impact>
</filter>
<filter>
<id>44</id>
<rule><![CDATA[(?:\d"\s+"\s+\d)|(?:^admin\s*"|(\/\*)+"+\s?(?:--|#|\/\*|{)?)|(?:"\s*or[\w\s-]+\s*[+<>=(),-]\s*[\d"])|(?:"\s*[^\w\s]?=\s*")|(?:"\W*[+=]+\W*")|(?:"\s*[!=|][\d\s!=+-]+.*["(].*$)|(?:"\s*[!=|][\d\s!=]+.*\d+$)|(?:"\s*like\W+[\w"(])|(?:\sis\s*0\W)|(?:where\s[\s\w\.,-]+\s=)|(?:"[<>~]+")]]></rule>
<description>Detects basic SQL authentication bypass attempts 1/3</description>
<tags>
<tag>sqli</tag>
<tag>id</tag>
<tag>lfi</tag>
</tags>
<impact>7</impact>
</filter>
<filter>
<id>45</id>
<rule><![CDATA[(?:union\s*(?:all|distinct|[(!@]*)?\s*[([]*\s*select)|(?:\w+\s+like\s+\")|(?:like\s*"\%)|(?:"\s*like\W*["\d])|(?:"\s*(?:n?and|x?or|not |\|\||\&\&)\s+[\s\w]+=\s*\w+\s*having)|(?:"\s*\*\s*\w+\W+")|(?:"\s*[^?\w\s=.,;)(]+\s*[(@"]*\s*\w+\W+\w)|(?:select\s*[\[\]()\s\w\.,-]+from)]]></rule>
<description>Detects basic SQL authentication bypass attempts 2/3</description>
<tags>
<tag>sqli</tag>
<tag>id</tag>
<tag>lfi</tag>
</tags>
<impact>7</impact>
</filter>
<filter>
<id>46</id>
<rule><![CDATA[(?:in\s*\(+\s*select)|(?:(?:n?and|x?or|not |\|\||\&\&)\s+[\s\w+]+(?:regexp\s*\(|sounds\s+like\s*"|[=\d]+x))|("\s*\d\s*(?:--|#))|(?:"[%&<>^=]+\d\s*(=|or))|(?:"\W+[\w+-]+\s*=\s*\d\W+")|(?:"\s*is\s*\d.+"?\w)|(?:"\|?[\w-]{3,}[^\w\s.,]+")|(?:"\s*is\s*[\d.]+\s*\W.*")]]></rule>
<description>Detects basic SQL authentication bypass attempts 3/3</description>
<tags>
<tag>sqli</tag>
<tag>id</tag>
<tag>lfi</tag>
</tags>
<impact>7</impact>
</filter>
<filter>
<id>47</id>
<rule><![CDATA[(?:^[\W\d]+\s*(?:union|select|create|rename|truncate|load|alter|delete|update|insert|desc))|(?:(?:select|create|rename|truncate|load|alter|delete|update|insert|desc)\s+(?:concat|char|load_file)\s?\(?)|(?:end\s*\);)|("\s+regexp\W)|(?:[\s(]load_file\s*\()]]></rule>
<description>Detects concatenated basic SQL injection and SQLLFI attempts</description>
<tags>
<tag>sqli</tag>
<tag>id</tag>
<tag>lfi</tag>
</tags>
<impact>5</impact>
</filter>
<filter>
<id>48</id>
<rule><![CDATA[(?:\d+\s*or\s*\d+\s*[\-+])|(?:\/\w+;?\s+(?:having|and|or|select))|(?:\d\s+group\s+by.+\()|(?:(?:;|#|--)\s*(?:drop|alter))|(?:(?:;|#|--)\s*(?:update|insert)\s*\w{2,})|(?:[^\w]SET\s*@\w+)|(?:(?:n?and|x?or|not |\|\||\&\&)[\s(]+\w+[\s)]*[!=+]+[\s\d]*["=()])]]></rule>
<description>Detects chained SQL injection attempts 1/2</description>
<tags>
<tag>sqli</tag>
<tag>id</tag>
</tags>
<impact>6</impact>
</filter>
<filter>
<id>49</id>
<rule><![CDATA[(?:\(\s*select\s*\w+\s*\()|(?:\*\/from)|(?:\+\s*\d+\s*\+\s*@)|(?:\w"\s*(?:[-+=|@]+\s*)+[\d(])|(?:coalesce\s*\(|@@\w+\s*[^\w\s])|(?:\W!+"\w)|(?:";\s*(?:if|while|begin))|(?:"[\s\d]+=\s*\d)|(?:order\s+by\s+if\w*\s*\()|(?:[\s(]+case\d*\W.+[tw]hen[\s(])]]></rule>
<description>Detects chained SQL injection attempts 2/2</description>
<tags>
<tag>sqli</tag>
<tag>id</tag>
</tags>
<impact>6</impact>
</filter>
<filter>
<id>50</id>
<rule><![CDATA[(?:(select|;)\s+(?:benchmark|if|sleep)\s*?\(\s*\(?\s*\w+)]]></rule>
<description>Detects SQL benchmark and sleep injection attempts including conditional queries</description>
<tags>
<tag>sqli</tag>
<tag>id</tag>
</tags>
<impact>4</impact>
</filter>
<filter>
<id>51</id>
<rule><![CDATA[(?:create\s+function\s+\w+\s+returns)|(?:;\s*(?:select|create|rename|truncate|load|alter|delete|update|insert|desc)\s*[\[(]?\w{2,})]]></rule>
<description>Detects MySQL UDF injection and other data/structure manipulation attempts</description>
<tags>
<tag>sqli</tag>
<tag>id</tag>
</tags>
<impact>6</impact>
</filter>
<filter>
<id>52</id>
<rule><![CDATA[(?:alter\s*\w+.*character\s+set\s+\w+)|(";\s*waitfor\s+time\s+")|(?:";.*:\s*goto)]]></rule>
<description>Detects MySQL charset switch and MSSQL DoS attempts</description>
<tags>
<tag>sqli</tag>
<tag>id</tag>
</tags>
<impact>6</impact>
</filter>
<filter>
<id>53</id>
<rule><![CDATA[(?:procedure\s+analyse\s*\()|(?:;\s*(declare|open)\s+[\w-]+)|(?:create\s+(procedure|function)\s*\w+\s*\(\s*\)\s*-)|(?:declare[^\w]+[@#]\s*\w+)|(exec\s*\(\s*@)]]></rule>
<description>Detects MySQL and PostgreSQL stored procedure/function injections</description>
<tags>
<tag>sqli</tag>
<tag>id</tag>
</tags>
<impact>7</impact>
</filter>
<filter>
<id>54</id>
<rule><![CDATA[(?:select\s*pg_sleep)|(?:waitfor\s*delay\s?"+\s?\d)|(?:;\s*shutdown\s*(?:;|--|#|\/\*|{))]]></rule>
<description>Detects Postgres pg_sleep injection, waitfor delay attacks and database shutdown attempts</description>
<tags>
<tag>sqli</tag>
<tag>id</tag>
</tags>
<impact>5</impact>
</filter>
<filter>
<id>55</id>
<rule><![CDATA[(?:"\s*!\s*["\w])|(?:from\s+information_schema\W)|(?:(?:(?:current_)?user|database|schema|connection_id)\s*\([^\)]*)|(?:";?\s*(?:select|union|having)\s*[^\s])|(?:\wiif\s*\()|(?:exec\s+master\.)|(?:union select @)|(?:union[\w(\s]*select)|(?:select.*\w?user\()|(?:into[\s+]+(?:dump|out)file\s*")]]></rule>
<description>Detects MSSQL code execution and information gathering attempts</description>
<tags>
<tag>sqli</tag>
<tag>id</tag>
</tags>
<impact>5</impact>
</filter>
<filter>
<id>56</id>
<rule><![CDATA[(?:merge.*using\s*\()|(execute\s*immediate\s*")|(?:\W+\d*\s*having\s*[^\s])|(?:match\s*[\w(),+-]+\s*against\s*\()]]></rule>
<description>Detects MATCH AGAINST, MERGE, EXECUTE IMMEDIATE and HAVING injections</description>
<tags>
<tag>sqli</tag>
<tag>id</tag>
</tags>
<impact>5</impact>
</filter>
<filter>
<id>57</id>
<rule><![CDATA[(?:select\s*\*\s*from)|((?:select|create|rename|truncate|load|alter|delete|update|insert|desc)\s*\(\s*space\s*\()]]></rule>
<description>Detects MySQL comment-/space-obfuscated injections</description>
<tags>
<tag>sqli</tag>
<tag>id</tag>
</tags>
<impact>5</impact>
</filter>
<filter>
<id>70</id>
<rule><![CDATA[(?:\[\$(?:ne|eq|lte?|gte?|n?in|mod|all|size|exists|type|slice|or)\])]]></rule>
<description>finds basic MongoDB SQL injection attempts</description>
<tags>
<tag>sqli</tag>
</tags>
<impact>4</impact>
</filter>
</filters>