mirror of
				https://github.com/sqlmapproject/sqlmap.git
				synced 2025-10-26 05:31:04 +03:00 
			
		
		
		
	refactoring regarding --check-payload
This commit is contained in:
		
							parent
							
								
									7c343c2d67
								
							
						
					
					
						commit
						228ac0cde5
					
				|  | @ -642,8 +642,7 @@ def setPaths(): | |||
|     paths.COMMON_OUTPUTS         = os.path.join(paths.SQLMAP_TXT_PATH, 'common-outputs.txt') | ||||
|     paths.COMMON_TABLES          = os.path.join(paths.SQLMAP_TXT_PATH, "common-tables.txt") | ||||
|     paths.SQL_KEYWORDS            = os.path.join(paths.SQLMAP_TXT_PATH, "keywords.txt") | ||||
|     paths.FUZZ_VECTORS           = os.path.join(paths.SQLMAP_TXT_PATH, "fuzz_vectors.txt") | ||||
|     paths.DETECTION_RULES_XML    = os.path.join(paths.SQLMAP_XML_PATH, "detection.xml") | ||||
|     paths.PHPIDS_RULES_XML    = os.path.join(paths.SQLMAP_XML_PATH, "phpids_rules.xml") | ||||
|     paths.ERRORS_XML             = os.path.join(paths.SQLMAP_XML_PATH, "errors.xml") | ||||
|     paths.INJECTIONS_XML         = os.path.join(paths.SQLMAP_XML_PATH, "injections.xml") | ||||
|     paths.LIVE_TESTS_XML         = os.path.join(paths.SQLMAP_XML_PATH, "livetests.xml") | ||||
|  |  | |||
|  | @ -30,7 +30,7 @@ from lib.request.basic import parseResponse | |||
| from lib.request.direct import direct | ||||
| from lib.request.comparison import comparison | ||||
| from lib.request.methodrequest import MethodRequest | ||||
| from lib.utils.detection import checkPayload | ||||
| from lib.utils.checkpayload import checkPayload | ||||
| 
 | ||||
| 
 | ||||
| class Connect: | ||||
|  |  | |||
|  | @ -40,7 +40,7 @@ def checkPayload(payload): | |||
|     payload = urldecode(payload) | ||||
| 
 | ||||
|     if not rules: | ||||
|         xmlrules = readXmlFile(paths.DETECTION_RULES_XML) | ||||
|         xmlrules = readXmlFile(paths.PHPIDS_RULES_XML) | ||||
|         rules = [] | ||||
| 
 | ||||
|         for xmlrule in xmlrules.getElementsByTagName("filter"): | ||||
|  | @ -1,740 +0,0 @@ | |||
| <filters> | ||||
|     <filter> | ||||
|         <id>1</id> | ||||
|         <rule><![CDATA[(?:"[^"]*[^-]?>)|(?:[^\w\s]\s*\/>)|(?:>")]]></rule> | ||||
|         <description>finds html breaking injections including whitespace attacks</description> | ||||
|         <tags> | ||||
|             <tag>xss</tag> | ||||
|             <tag>csrf</tag> | ||||
|         </tags> | ||||
|         <impact>4</impact> | ||||
|     </filter> | ||||
|     <filter> | ||||
|         <id>2</id> | ||||
|         <rule><![CDATA[(?:"+.*[<=]\s*"[^"]+")|(?:"\w+\s*=)|(?:>\w=\/)|(?:#.+\)["\s]*>)|(?:"\s*(?:src|style|on\w+)\s*=\s*")|(?:[^"]?"[,;\s]+\w*[\[\(])]]></rule> | ||||
|         <description>finds attribute breaking injections including whitespace attacks</description> | ||||
|         <tags> | ||||
|             <tag>xss</tag> | ||||
|             <tag>csrf</tag> | ||||
|         </tags> | ||||
|         <impact>4</impact> | ||||
|     </filter> | ||||
|     <filter> | ||||
|         <id>69</id> | ||||
|         <rule><![CDATA[(?:[\s\d\/"]+(?:on\w+|style|poster|background)=[$"\w])]]></rule> | ||||
|         <description>finds malicious attribute injection attempts</description> | ||||
|         <tags> | ||||
|             <tag>xss</tag> | ||||
|             <tag>csrf</tag> | ||||
|         </tags> | ||||
|         <impact>6</impact> | ||||
|     </filter>	 | ||||
|     <filter> | ||||
|         <id>3</id> | ||||
|         <rule><![CDATA[(?:^>[\w\s]*<\/?\w{2,}>)]]></rule> | ||||
|         <description>finds unquoted attribute breaking injections</description> | ||||
|         <tags> | ||||
|             <tag>xss</tag> | ||||
|             <tag>csrf</tag> | ||||
|         </tags> | ||||
|         <impact>2</impact> | ||||
|     </filter> | ||||
|     <filter> | ||||
|         <id>4</id> | ||||
|         <rule><![CDATA[(?:[+\/]\s*name[\W\d]*[)+])|(?:;\W*url\s*=)|(?:[^\w\s\/?:>]\s*(?:location|referrer|name)\s*[^\/\w\s-])]]></rule> | ||||
|         <description>Detects url-, name-, JSON, and referrer-contained payload attacks</description> | ||||
|         <tags> | ||||
|             <tag>xss</tag> | ||||
|             <tag>csrf</tag> | ||||
|         </tags> | ||||
|         <impact>5</impact> | ||||
|     </filter> | ||||
|     <filter> | ||||
|         <id>5</id> | ||||
|         <rule><![CDATA[(?:\W\s*hash\s*[^\w\s-])|(?:\w+=\W*[^,]*,[^\s(]\s*\()|(?:\?"[^\s"]":)|(?:(?<!\/)__[a-z]+__)|(?:(?:^|[\s)\]\}])(?:s|g)etter\s*=)]]></rule> | ||||
|         <description>Detects hash-contained xss payload attacks, setter usage and property overloading</description> | ||||
|         <tags> | ||||
|             <tag>xss</tag> | ||||
|             <tag>csrf</tag> | ||||
|         </tags> | ||||
|         <impact>5</impact> | ||||
|     </filter> | ||||
|     <filter> | ||||
|         <id>6</id> | ||||
|         <rule><![CDATA[(?:with\s*\(\s*.+\s*\)\s*\w+\s*\()|(?:(?:do|while|for)\s*\([^)]*\)\s*\{)|(?:\/[\w\s]*\[\W*\w)]]></rule> | ||||
|         <description>Detects self contained xss via with(), common loops and regex to string conversion</description> | ||||
|         <tags> | ||||
|             <tag>xss</tag> | ||||
|             <tag>csrf</tag> | ||||
|         </tags> | ||||
|         <impact>5</impact> | ||||
|     </filter> | ||||
|     <filter> | ||||
|         <id>7</id> | ||||
|         <rule><![CDATA[(?:[=(].+\?.+:)|(?:with\([^)]*\)\))|(?:\.\s*source\W)]]></rule> | ||||
|         <description>Detects JavaScript with(), ternary operators and XML predicate attacks</description> | ||||
|         <tags> | ||||
|             <tag>xss</tag> | ||||
|             <tag>csrf</tag> | ||||
|         </tags> | ||||
|         <impact>5</impact> | ||||
|     </filter> | ||||
|     <filter> | ||||
|         <id>8</id> | ||||
|         <rule><![CDATA[(?:\/\w*\s*\)\s*\()|(?:\(.*\/.+\/\w*\s*\))|(?:\([\w\s]+\([\w\s]+\)[\w\s]+\))|(?:(?<!(?:mozilla\/\d\.\d\s))\([^)[]+\[[^\]]+\][^)]*\))|(?:[^\s!][{([][^({[]+[{([][^}\])]+[}\])][\s+",\d]*[}\])])|(?:"\)?\]\W*\[)|(?:=\s*[^\s:;]+\s*[{([][^}\])]+[}\])];)]]></rule> | ||||
|         <description>Detects self-executing JavaScript functions</description> | ||||
|         <tags> | ||||
|             <tag>xss</tag> | ||||
|             <tag>csrf</tag> | ||||
|         </tags> | ||||
|         <impact>5</impact> | ||||
|     </filter> | ||||
|     <filter> | ||||
|         <id>9</id> | ||||
|         <rule><![CDATA[(?:\\u00[a-f0-9]{2})|(?:\\x0*[a-f0-9]{2})|(?:\\\d{2,3})]]></rule> | ||||
|         <description>Detects the IE octal, hex and unicode entities</description> | ||||
|         <tags> | ||||
|             <tag>xss</tag> | ||||
|             <tag>csrf</tag> | ||||
|         </tags> | ||||
|         <impact>2</impact> | ||||
|     </filter> | ||||
|     <filter> | ||||
|         <id>10</id> | ||||
|         <rule><![CDATA[(?:(?:\/|\\)?\.+(\/|\\)(?:\.+)?)|(?:\w+\.exe\??\s)|(?:;\s*\w+\s*\/[\w*-]+\/)|(?:\d\.\dx\|)|(?:%(?:c0\.|af\.|5c\.))|(?:\/(?:%2e){2})]]></rule> | ||||
|         <description>Detects basic directory traversal</description> | ||||
|         <tags> | ||||
|             <tag>dt</tag> | ||||
|             <tag>id</tag> | ||||
|             <tag>lfi</tag> | ||||
|         </tags> | ||||
|         <impact>5</impact> | ||||
|     </filter> | ||||
|     <filter> | ||||
|         <id>11</id> | ||||
|         <rule><![CDATA[(?:%c0%ae\/)|(?:(?:\/|\\)(home|conf|usr|etc|proc|opt|s?bin|local|dev|tmp|kern|[br]oot|sys|system|windows|winnt|program|%[a-z_-]{3,}%)(?:\/|\\))|(?:(?:\/|\\)inetpub|localstart\.asp|boot\.ini)]]></rule> | ||||
|         <description>Detects specific directory and path traversal</description> | ||||
|         <tags> | ||||
|             <tag>dt</tag> | ||||
|             <tag>id</tag> | ||||
|             <tag>lfi</tag> | ||||
|         </tags> | ||||
|         <impact>5</impact> | ||||
|     </filter> | ||||
|     <filter> | ||||
|         <id>12</id> | ||||
|         <rule><![CDATA[(?:etc\/\W*passwd)]]></rule> | ||||
|         <description>Detects etc/passwd inclusion attempts</description> | ||||
|         <tags> | ||||
|             <tag>dt</tag> | ||||
|             <tag>id</tag> | ||||
|             <tag>lfi</tag> | ||||
|         </tags> | ||||
|         <impact>5</impact> | ||||
|     </filter> | ||||
|     <filter> | ||||
|         <id>13</id> | ||||
|         <rule><![CDATA[(?:%u(?:ff|00|e\d)\w\w)|(?:(?:%(?:e\w|c[^3\W]|))(?:%\w\w)(?:%\w\w)?)]]></rule> | ||||
|         <description>Detects halfwidth/fullwidth encoded unicode HTML breaking attempts</description> | ||||
|         <tags> | ||||
|             <tag>xss</tag> | ||||
|             <tag>csrf</tag> | ||||
|         </tags> | ||||
|         <impact>3</impact> | ||||
|     </filter> | ||||
|     <filter> | ||||
|         <id>14</id> | ||||
|         <rule><![CDATA[(?:#@~\^\w+)|(?:\w+script:|@import[^\w]|;base64|base64,)|(?:\w+\s*\([\w\s]+,[\w\s]+,[\w\s]+,[\w\s]+,[\w\s]+,[\w\s]+\))]]></rule> | ||||
|         <description>Detects possible includes, VBSCript/JScript encodeed and packed functions</description> | ||||
|         <tags> | ||||
|             <tag>xss</tag> | ||||
|             <tag>csrf</tag> | ||||
|             <tag>id</tag> | ||||
|             <tag>rfe</tag> | ||||
|         </tags> | ||||
|         <impact>5</impact> | ||||
|     </filter> | ||||
|     <filter> | ||||
|         <id>15</id> | ||||
|         <rule><![CDATA[([^*:\s\w,.\/?+-]\s*)?(?<![a-z]\s)(?<![a-z\/_@>\-\|])(\s*return\s*)?(?:create(?:element|attribute|textnode)|[a-z]+events?|setattribute|getelement\w+|appendchild|createrange|createcontextualfragment|removenode|parentnode|decodeuricomponent|\wettimeout|option|useragent)(?(1)[^\w%"]|(?:\s*[^@\s\w%",.+\-]))]]></rule> | ||||
|         <description>Detects JavaScript DOM/miscellaneous properties and methods</description> | ||||
|         <tags> | ||||
|             <tag>xss</tag> | ||||
|             <tag>csrf</tag> | ||||
|             <tag>id</tag> | ||||
|             <tag>rfe</tag> | ||||
|         </tags> | ||||
|         <impact>6</impact> | ||||
|     </filter> | ||||
|     <filter> | ||||
|         <id>16</id> | ||||
|         <rule><![CDATA[([^*\s\w,.\/?+-]\s*)?(?<![a-mo-z]\s)(?<![a-z\/_@>])(\s*return\s*)?(?:alert|inputbox|showmodaldialog|infinity|isnan|isnull|iterator|msgbox|expression|prompt|write(?:ln)?|confirm|dialog|urn|(?:un)?eval|exec|execscript|tostring|status|execute|window|unescape|navigate|jquery|getscript|extend|prototype)(?(1)[^\w%"]|(?:\s*[^@\s\w%",.:\/+\-]))]]></rule> | ||||
|         <description>Detects possible includes and typical script methods</description> | ||||
|         <tags> | ||||
|             <tag>xss</tag> | ||||
|             <tag>csrf</tag> | ||||
|             <tag>id</tag> | ||||
|             <tag>rfe</tag> | ||||
|         </tags> | ||||
|         <impact>5</impact> | ||||
|     </filter> | ||||
|     <filter> | ||||
|         <id>17</id> | ||||
|         <rule><![CDATA[([^*:\s\w,.\/?+-]\s*)?(?<![a-z]\s)(?<![a-z\/_@>])(\s*return\s*)?(?:hash|name|href|navigateandfind|source|pathname|close|constructor|port|protocol|assign|replace|back|forward|document|ownerdocument|window|top|this|self|parent|frames|_?content|date|cookie|innerhtml|innertext|csstext+?|outerhtml|print|moveby|resizeto|createstylesheet|stylesheets)(?(1)[^\w%"]|(?:\s*[^@\/\s\w%.+\-]))]]></rule> | ||||
|         <description>Detects JavaScript object properties and methods</description> | ||||
|         <tags> | ||||
|             <tag>xss</tag> | ||||
|             <tag>csrf</tag> | ||||
|             <tag>id</tag> | ||||
|             <tag>rfe</tag> | ||||
|         </tags> | ||||
|         <impact>4</impact> | ||||
|     </filter> | ||||
|     <filter> | ||||
|         <id>18</id> | ||||
|         <rule><![CDATA[([^*:\s\w,.\/?+-]\s*)?(?<![a-z]\s)(?<![a-z\/_@>\-\|])(\s*return\s*)?(?:join|pop|push|reverse|reduce|concat|map|shift|sp?lice|sort|unshift)(?(1)[^\w%"]|(?:\s*[^@\s\w%,.+\-]))]]></rule> | ||||
|         <description>Detects JavaScript array properties and methods</description> | ||||
|         <tags> | ||||
|             <tag>xss</tag> | ||||
|             <tag>csrf</tag> | ||||
|             <tag>id</tag> | ||||
|             <tag>rfe</tag> | ||||
|         </tags> | ||||
|         <impact>4</impact> | ||||
|     </filter> | ||||
|     <filter> | ||||
|         <id>19</id> | ||||
|         <rule><![CDATA[([^*:\s\w,.\/?+-]\s*)?(?<![a-z]\s)(?<![a-z\/_@>\-\|])(\s*return\s*)?(?:set|atob|btoa|charat|charcodeat|charset|concat|crypto|frames|fromcharcode|indexof|lastindexof|match|navigator|toolbar|menubar|replace|regexp|slice|split|substr|substring|escape|\w+codeuri\w*)(?(1)[^\w%"]|(?:\s*[^@\s\w%,.+\-]))]]></rule> | ||||
|         <description>Detects JavaScript string properties and methods</description> | ||||
|         <tags> | ||||
|             <tag>xss</tag> | ||||
|             <tag>csrf</tag> | ||||
|             <tag>id</tag> | ||||
|             <tag>rfe</tag> | ||||
|         </tags> | ||||
|         <impact>4</impact> | ||||
|     </filter> | ||||
|     <filter> | ||||
|         <id>20</id> | ||||
|         <rule><![CDATA[(?:\)\s*\[)|(?:\/\w*\s*\)\s*\W)|([^*:\s\w,.\/?+-]\s*)?(?<![a-z]\s)(?<![a-z_@>\|])(\s*return\s*)?(?:globalstorage|sessionstorage|postmessage|callee|constructor|content|domain|prototype|try|catch|top|call|apply|url|function|object|array|string|math|if|for\s*(?:each)?|elseif|case|switch|regex|boolean|location|settimeout|setinterval|void|setexpression|namespace|while)(?(1)[^\w%"]|(?:\s*[^@\s\w%".+\-]))]]></rule> | ||||
|         <description>Detects JavaScript language constructs</description> | ||||
|         <tags> | ||||
|             <tag>xss</tag> | ||||
|             <tag>csrf</tag> | ||||
|             <tag>id</tag> | ||||
|             <tag>rfe</tag> | ||||
|         </tags> | ||||
|         <impact>4</impact> | ||||
|     </filter> | ||||
|     <filter> | ||||
|         <id>21</id> | ||||
|         <rule><![CDATA[(?:,\s*(?:alert|showmodaldialog|eval)\s*,)|(?::\s*eval\s*[^\s])|([^:\s\w,.\/?+-]\s*)?(?<![a-z\/_@])(\s*return\s*)?(?:(?:document\s*\.)?(?:.+\/)?(?:alert|eval|msgbox|showmodaldialog|prompt|write(?:ln)?|confirm|dialog|open))\s*(?:[^a-z\s]|(?:\s*[^\s\w,.@\/+-]))|(?:java[\s\/]*\.[\s\/]*lang)|(?:\w\s*=\s*new\s+\w+)|(?:&\s*\w+\s*\)[^,])|(?:\+[\W\d]*new\s+\w+[\W\d]*\+)|(?:document\.\w)]]></rule> | ||||
|         <description>Detects very basic XSS probings</description> | ||||
|         <tags> | ||||
|             <tag>xss</tag> | ||||
|             <tag>csrf</tag> | ||||
|             <tag>id</tag> | ||||
|             <tag>rfe</tag> | ||||
|         </tags> | ||||
|         <impact>3</impact> | ||||
|     </filter> | ||||
|     <filter> | ||||
|         <id>22</id> | ||||
|         <rule><![CDATA[(?:=\s*(?:top|this|window|content|self|frames|_content))|(?:\/\s*\w*\s*[)}])|(?:[^\s]\s*=\s*script)|(?:\.\s*constructor)|(?:default\s+xml\s+namespace\s*=)|(?:\/\s*\+[^+]+\s*\+\s*\/)]]></rule> | ||||
|         <description>Detects advanced XSS probings via Script(), RexExp, constructors and XML namespaces</description> | ||||
|         <tags> | ||||
|             <tag>xss</tag> | ||||
|             <tag>csrf</tag> | ||||
|             <tag>id</tag> | ||||
|             <tag>rfe</tag> | ||||
|         </tags> | ||||
|         <impact>5</impact> | ||||
|     </filter>	 | ||||
|     <filter> | ||||
|         <id>23</id> | ||||
|         <rule><![CDATA[(?:\.\s*\w+\W*=)|(?:\W\s*(?:location|document)\s*\W[^({[;]+[({[;])|(?:\(\w+\?[:\w]+\))|(?:\w{2,}\s*=\s*\d+[^&\w]\w+)|(?:\]\s*\(\s*\w+)]]></rule> | ||||
|         <description>Detects JavaScript location/document property access and window access obfuscation</description> | ||||
|         <tags> | ||||
|             <tag>xss</tag> | ||||
|             <tag>csrf</tag> | ||||
|         </tags> | ||||
|         <impact>5</impact> | ||||
|     </filter>     | ||||
|     <filter> | ||||
|         <id>24</id> | ||||
|         <rule><![CDATA[(?:[".]script\s*\()|(?:\$\$?\s*\(\s*[\w"])|(?:\/[\w\s]+\/\.)|(?:=\s*\/\w+\/\s*\.)|(?:(?:this|window|top|parent|frames|self|content)\[\s*[(,"]*\s*[\w\$])|(?:,\s*new\s+\w+\s*[,;)])]]></rule> | ||||
|         <description>Detects basic obfuscated JavaScript script injections</description> | ||||
|         <tags> | ||||
|             <tag>xss</tag> | ||||
|             <tag>csrf</tag> | ||||
|         </tags> | ||||
|         <impact>5</impact> | ||||
|     </filter> | ||||
|     <filter> | ||||
|         <id>25</id> | ||||
|         <rule><![CDATA[(?:=\s*[$\w]\s*[\(\[])|(?:\(\s*(?:this|top|window|self|parent|_?content)\s*\))|(?:src\s*=s*(?:\w+:|\/\/))|(?:\w+\[("\w+"|\w+\|\|))|(?:[\d\W]\|\|[\d\W]|\W=\w+,)|(?:\/\s*\+\s*[a-z"])|(?:=\s*\$[^([]*\()|(?:=\s*\(\s*")]]></rule> | ||||
|         <description>Detects obfuscated JavaScript script injections</description> | ||||
|         <tags> | ||||
|             <tag>xss</tag> | ||||
|             <tag>csrf</tag> | ||||
|         </tags> | ||||
|         <impact>5</impact> | ||||
|     </filter> | ||||
|     <filter> | ||||
|         <id>26</id> | ||||
|         <rule><![CDATA[(?:[^:\s\w]+\s*[^\w\/](href|protocol|host|hostname|pathname|hash|port|cookie)[^\w])]]></rule> | ||||
|         <description>Detects JavaScript cookie stealing and redirection attempts</description> | ||||
|         <tags> | ||||
|             <tag>xss</tag> | ||||
|             <tag>csrf</tag> | ||||
|         </tags> | ||||
|         <impact>4</impact> | ||||
|     </filter> | ||||
|     <filter> | ||||
|         <id>27</id> | ||||
|         <rule><![CDATA[(?:data:.*,)|(?:\w+\s*=\W*(?!https?)\w+:)|(jar:\w+:)|(=\s*"?\s*vbs(?:ript)?:)|(language\s*=\s?"?\s*vbs(?:ript)?)|on\w+\s*=\*\w+\-"?]]></rule> | ||||
|         <description>Detects data: URL injections, VBS injections and common URI schemes</description> | ||||
|         <tags> | ||||
|             <tag>xss</tag> | ||||
|             <tag>rfe</tag> | ||||
|         </tags> | ||||
|         <impact>5</impact> | ||||
|     </filter> | ||||
|     <filter> | ||||
|         <id>28</id> | ||||
|         <rule><![CDATA[(?:firefoxurl:\w+\|)|(?:(?:file|res|telnet|nntp|news|mailto|chrome)\s*:\s*[%&#xu\/]+)|(wyciwyg|firefoxurl\s*:\s*\/\s*\/)]]></rule> | ||||
|         <description>Detects IE firefoxurl injections, cache poisoning attempts and local file inclusion/execution</description> | ||||
|         <tags> | ||||
|             <tag>xss</tag> | ||||
|             <tag>rfe</tag> | ||||
|             <tag>lfi</tag> | ||||
|             <tag>csrf</tag> | ||||
|         </tags> | ||||
|         <impact>5</impact> | ||||
|     </filter> | ||||
|     <filter> | ||||
|         <id>29</id>     | ||||
|         <rule><![CDATA[(?:binding\s?=|moz-binding|behavior\s?=)|(?:[\s\/]style\s*=\s*[-\\])]]></rule> | ||||
|         <description>Detects bindings and behavior injections</description> | ||||
|         <tags> | ||||
|             <tag>xss</tag> | ||||
|             <tag>csrf</tag> | ||||
|             <tag>rfe</tag> | ||||
|         </tags> | ||||
|         <impact>4</impact> | ||||
|     </filter> | ||||
|     <filter> | ||||
|         <id>30</id> | ||||
|         <rule><![CDATA[(?:=\s*\w+\s*\+\s*")|(?:\+=\s*\(\s")|(?:!+\s*[\d.,]+\w?\d*\s*\?)|(?:=\s*\[s*\])|(?:"\s*\+\s*")|(?:[^\s]\[\s*\d+\s*\]\s*[;+])|(?:"\s*[&|]+\s*")|(?:\/\s*\?\s*")|(?:\/\s*\)\s*\[)|(?:\d\?.+:\d)|(?:]\s*\[\W*\w)|(?:[^\s]\s*=\s*\/)]]></rule> | ||||
|         <description>Detects common XSS concatenation patterns 1/2</description> | ||||
|         <tags> | ||||
|             <tag>xss</tag> | ||||
|             <tag>csrf</tag> | ||||
|             <tag>id</tag> | ||||
|             <tag>rfe</tag> | ||||
|         </tags> | ||||
|         <impact>4</impact> | ||||
|     </filter> | ||||
|     <filter> | ||||
|         <id>31</id> | ||||
|         <rule><![CDATA[(?:=\s*\d*\.\d*\?\d*\.\d*)|(?:[|&]{2,}\s*")|(?:!\d+\.\d*\?")|(?:\/:[\w.]+,)|(?:=[\d\W\s]*\[[^]]+\])|(?:\?\w+:\w+)]]></rule> | ||||
|         <description>Detects common XSS concatenation patterns 2/2</description> | ||||
|         <tags> | ||||
|             <tag>xss</tag> | ||||
|             <tag>csrf</tag> | ||||
|             <tag>id</tag> | ||||
|             <tag>rfe</tag> | ||||
|         </tags> | ||||
|         <impact>4</impact> | ||||
|     </filter> | ||||
|     <filter> | ||||
|         <id>32</id> | ||||
|         <rule><![CDATA[(?:[^\w\s=]on(?!g\>)\w+[^=_+-]*=[^$]+(?:\W|\>)?)]]></rule> | ||||
|         <description>Detects possible event handlers</description> | ||||
|         <tags> | ||||
|             <tag>xss</tag> | ||||
|             <tag>csrf</tag> | ||||
|         </tags> | ||||
|         <impact>4</impact> | ||||
|     </filter> | ||||
|     <filter> | ||||
|         <id>33</id> | ||||
|         <rule><![CDATA[(?:\<\w*:?\s(?:[^\>]*)t(?!rong))|(?:\<scri)|(<\w+:\w+)]]></rule> | ||||
|         <description>Detects obfuscated script tags and XML wrapped HTML</description> | ||||
|         <tags> | ||||
|             <tag>xss</tag> | ||||
|         </tags> | ||||
|         <impact>4</impact> | ||||
|     </filter> | ||||
|     <filter> | ||||
|         <id>34</id> | ||||
|         <rule><![CDATA[(?:\<\/\w+\s\w+)|(?:@(?:cc_on|set)[\s@,"=])]]></rule> | ||||
|         <description>Detects attributes in closing tags and conditional compilation tokens</description> | ||||
|         <tags> | ||||
|             <tag>xss</tag> | ||||
|             <tag>csrf</tag> | ||||
|         </tags> | ||||
|         <impact>4</impact> | ||||
|     </filter> | ||||
|     <filter> | ||||
|         <id>35</id> | ||||
|         <rule><![CDATA[(?:--[^\n]*$)|(?:\<!-|-->)|(?:[^*]\/\*|\*\/[^*])|(?:(?:[\W\d]#|--|{)$)|(?:\/{3,}.*$)|(?:<!\[\W)|(?:\]!>)]]></rule> | ||||
|         <description>Detects common comment types</description> | ||||
|         <tags> | ||||
|             <tag>xss</tag> | ||||
|             <tag>csrf</tag> | ||||
|             <tag>id</tag> | ||||
|         </tags> | ||||
|         <impact>3</impact> | ||||
|     </filter> | ||||
|     <filter> | ||||
|         <id>37</id> | ||||
|         <rule><![CDATA[(?:\<base\s+)|(?:<!(?:element|entity|\[CDATA))]]></rule> | ||||
|         <description>Detects base href injections and XML entity injections</description> | ||||
|         <tags> | ||||
|             <tag>xss</tag> | ||||
|             <tag>csrf</tag> | ||||
|             <tag>id</tag> | ||||
|         </tags> | ||||
|         <impact>5</impact> | ||||
|     </filter> | ||||
|     <filter> | ||||
|         <id>38</id> | ||||
|         <rule><![CDATA[(?:\<[\/]?(?:[i]?frame|applet|isindex|marquee|keygen|script|audio|video|input|button|textarea|style|base|body|meta|link|object|embed|param|plaintext|xm\w+|image|im(?:g|port)))]]></rule> | ||||
|         <description>Detects possibly malicious html elements including some attributes</description> | ||||
|         <tags> | ||||
|             <tag>xss</tag> | ||||
|             <tag>csrf</tag> | ||||
|             <tag>id</tag> | ||||
|             <tag>rfe</tag> | ||||
|             <tag>lfi</tag> | ||||
|         </tags> | ||||
|         <impact>4</impact> | ||||
|     </filter>    | ||||
|     <filter> | ||||
|         <id>39</id> | ||||
|         <rule><![CDATA[(?:\\x[01fe][\db-ce-f])|(?:%[01fe][\db-ce-f])|(?:&#[01fe][\db-ce-f])|(?:\\[01fe][\db-ce-f])|(?:&#x[01fe][\db-ce-f])]]></rule> | ||||
|         <description>Detects nullbytes and other dangerous characters</description> | ||||
|         <tags> | ||||
|             <tag>id</tag> | ||||
|             <tag>rfe</tag> | ||||
|             <tag>xss</tag> | ||||
|         </tags> | ||||
|         <impact>5</impact> | ||||
|     </filter>    | ||||
|     <filter> | ||||
|         <id>40</id> | ||||
|         <rule><![CDATA[(?:\)\s*when\s*\d+\s*then)|(?:"\s*(?:#|--|{))|(?:\/\*!\s?\d+)|(?:ch(?:a)?r\s*\(\s*\d)|(?:(?:(n?and|x?or|not)\s+|\|\||\&\&)\s*\w+\()]]></rule> | ||||
|         <description>Detects MySQL comments, conditions and ch(a)r injections</description> | ||||
|         <tags> | ||||
|             <tag>sqli</tag> | ||||
|             <tag>id</tag> | ||||
|             <tag>lfi</tag> | ||||
|         </tags> | ||||
|         <impact>6</impact> | ||||
|     </filter>    | ||||
|     <filter> | ||||
|         <id>41</id> | ||||
|         <rule><![CDATA[(?:[\s()]case\s*\()|(?:\)\s*like\s*\()|(?:having\s*[^\s]+\s*[^\w\s])|(?:if\s?\([\d\w]\s*[=<>~])]]></rule> | ||||
|         <description>Detects conditional SQL injection attempts</description> | ||||
|         <tags> | ||||
|             <tag>sqli</tag> | ||||
|             <tag>id</tag> | ||||
|             <tag>lfi</tag> | ||||
|         </tags> | ||||
|         <impact>6</impact> | ||||
|     </filter>    | ||||
|     <filter> | ||||
|         <id>42</id> | ||||
|         <rule><![CDATA[(?:"\s*or\s*\d)|(?:\\x(?:23|27|3d))|(?:^.?"$)|(?:^.*\\".+(?<!\\)")|(?:(?:^["\\]*(?:[\d"]+|[^"]+"))+\s*(?:n?and|x?or|not|\|\||\&\&)\s*[\w"[+&!@(),.-])|(?:[^\w\s]\w+\s*[|-]\s*"\s*\w)|(?:@\w+\s+(and|or)\s*["\d]+)|(?:@[\w-]+\s(and|or)\s*[^\w\s])|(?:[^\w\s:]\s*\d\W+[^\w\s]\s*".)]]></rule> | ||||
|         <description>Detects classic SQL injection probings 1/2</description> | ||||
|         <tags> | ||||
|             <tag>sqli</tag> | ||||
|             <tag>id</tag> | ||||
|             <tag>lfi</tag> | ||||
|         </tags> | ||||
|         <impact>6</impact> | ||||
|     </filter>   | ||||
|     <filter> | ||||
|         <id>43</id> | ||||
|         <rule><![CDATA[(?:"\s*\*.+(?:or|id)\W*"\d)|(?:\^")|(?:^[\w\s"-]+(?<=and\s)(?<=or\s)(?<=xor\s)(?<=nand\s)(?<=not\s)(?<=\|\|)(?<=\&\&)\w+\()|(?:"[\s\d]*[^\w\s]+\W*\d\W*.*["\d])|(?:"\s*[^\w\s?]+\s*[^\w\s]+\s*")|(?:"\s*[^\w\s]+\s*[\W\d].*(?:#|--))|(?:".*\*\s*\d)|(?:"\s*or\s[\w-]+.*\d)|(?:[()*<>%+-][\w-]+[^\w\s]+"[^,])]]></rule> | ||||
|         <description>Detects classic SQL injection probings 2/2</description> | ||||
|         <tags> | ||||
|             <tag>sqli</tag> | ||||
|             <tag>id</tag> | ||||
|             <tag>lfi</tag> | ||||
|         </tags> | ||||
|         <impact>6</impact> | ||||
|     </filter>  | ||||
|     <filter> | ||||
|         <id>44</id> | ||||
|         <rule><![CDATA[(?:\d"\s+"\s+\d)|(?:^admin\s*"|(\/\*)+"+\s?(?:--|#|\/\*|{)?)|(?:"\s*or[\w\s-]+\s*[+<>=(),-]\s*[\d"])|(?:"\s*[^\w\s]?=\s*")|(?:"\W*[+=]+\W*")|(?:"\s*[!=|][\d\s!=+-]+.*["(].*$)|(?:"\s*[!=|][\d\s!=]+.*\d+$)|(?:"\s*like\W+[\w"(])|(?:\sis\s*0\W)|(?:where\s[\s\w\.,-]+\s=)|(?:"[<>~]+")]]></rule> | ||||
|         <description>Detects basic SQL authentication bypass attempts 1/3</description> | ||||
|         <tags> | ||||
|             <tag>sqli</tag> | ||||
|             <tag>id</tag> | ||||
|             <tag>lfi</tag> | ||||
|         </tags> | ||||
|         <impact>7</impact> | ||||
|     </filter>  | ||||
|     <filter> | ||||
|         <id>45</id> | ||||
|         <rule><![CDATA[(?:union\s*(?:all|distinct|[(!@]*)?\s*[([]*\s*select)|(?:\w+\s+like\s+\")|(?:like\s*"\%)|(?:"\s*like\W*["\d])|(?:"\s*(?:n?and|x?or|not |\|\||\&\&)\s+[\s\w]+=\s*\w+\s*having)|(?:"\s*\*\s*\w+\W+")|(?:"\s*[^?\w\s=.,;)(]+\s*[(@"]*\s*\w+\W+\w)|(?:select\s*[\[\]()\s\w\.,-]+from)]]></rule> | ||||
|         <description>Detects basic SQL authentication bypass attempts 2/3</description> | ||||
|         <tags> | ||||
|             <tag>sqli</tag> | ||||
|             <tag>id</tag> | ||||
|             <tag>lfi</tag> | ||||
|         </tags> | ||||
|         <impact>7</impact> | ||||
|     </filter> | ||||
|      <filter> | ||||
|         <id>46</id> | ||||
|         <rule><![CDATA[(?:in\s*\(+\s*select)|(?:(?:n?and|x?or|not |\|\||\&\&)\s+[\s\w+]+(?:regexp\s*\(|sounds\s+like\s*"|[=\d]+x))|("\s*\d\s*(?:--|#))|(?:"[%&<>^=]+\d\s*(=|or))|(?:"\W+[\w+-]+\s*=\s*\d\W+")|(?:"\s*is\s*\d.+"?\w)|(?:"\|?[\w-]{3,}[^\w\s.,]+")|(?:"\s*is\s*[\d.]+\s*\W.*")]]></rule> | ||||
|         <description>Detects basic SQL authentication bypass attempts 3/3</description> | ||||
|         <tags> | ||||
|             <tag>sqli</tag> | ||||
|             <tag>id</tag> | ||||
|             <tag>lfi</tag> | ||||
|         </tags> | ||||
|         <impact>7</impact> | ||||
|     </filter>  | ||||
|     <filter> | ||||
|         <id>47</id> | ||||
|         <rule><![CDATA[(?:^[\W\d]+\s*(?:union|select|create|rename|truncate|load|alter|delete|update|insert|desc))|(?:(?:select|create|rename|truncate|load|alter|delete|update|insert|desc)\s+(?:concat|char|load_file)\s?\(?)|(?:end\s*\);)|("\s+regexp\W)|(?:[\s(]load_file\s*\()]]></rule> | ||||
|         <description>Detects concatenated basic SQL injection and SQLLFI attempts</description> | ||||
|         <tags> | ||||
|             <tag>sqli</tag> | ||||
|             <tag>id</tag> | ||||
|             <tag>lfi</tag> | ||||
|         </tags> | ||||
|         <impact>5</impact> | ||||
|     </filter> | ||||
|     <filter> | ||||
|         <id>48</id> | ||||
|         <rule><![CDATA[(?:\d+\s*or\s*\d+\s*[\-+])|(?:\/\w+;?\s+(?:having|and|or|select))|(?:\d\s+group\s+by.+\()|(?:(?:;|#|--)\s*(?:drop|alter))|(?:(?:;|#|--)\s*(?:update|insert)\s*\w{2,})|(?:[^\w]SET\s*@\w+)|(?:(?:n?and|x?or|not |\|\||\&\&)[\s(]+\w+[\s)]*[!=+]+[\s\d]*["=()])]]></rule> | ||||
|         <description>Detects chained SQL injection attempts 1/2</description> | ||||
|         <tags> | ||||
|             <tag>sqli</tag> | ||||
|             <tag>id</tag> | ||||
|         </tags> | ||||
|         <impact>6</impact> | ||||
|     </filter> | ||||
|     <filter> | ||||
|         <id>49</id> | ||||
|         <rule><![CDATA[(?:\(\s*select\s*\w+\s*\()|(?:\*\/from)|(?:\+\s*\d+\s*\+\s*@)|(?:\w"\s*(?:[-+=|@]+\s*)+[\d(])|(?:coalesce\s*\(|@@\w+\s*[^\w\s])|(?:\W!+"\w)|(?:";\s*(?:if|while|begin))|(?:"[\s\d]+=\s*\d)|(?:order\s+by\s+if\w*\s*\()|(?:[\s(]+case\d*\W.+[tw]hen[\s(])]]></rule> | ||||
|         <description>Detects chained SQL injection attempts 2/2</description> | ||||
|         <tags> | ||||
|             <tag>sqli</tag> | ||||
|             <tag>id</tag> | ||||
|         </tags> | ||||
|         <impact>6</impact> | ||||
|     </filter> | ||||
|     <filter> | ||||
|         <id>50</id> | ||||
|         <rule><![CDATA[(?:(select|;)\s+(?:benchmark|if|sleep)\s*?\(\s*\(?\s*\w+)]]></rule> | ||||
|         <description>Detects SQL benchmark and sleep injection attempts including conditional queries</description> | ||||
|         <tags> | ||||
|             <tag>sqli</tag> | ||||
|             <tag>id</tag> | ||||
|         </tags> | ||||
|         <impact>4</impact> | ||||
|     </filter> | ||||
|     <filter> | ||||
|         <id>51</id> | ||||
|         <rule><![CDATA[(?:create\s+function\s+\w+\s+returns)|(?:;\s*(?:select|create|rename|truncate|load|alter|delete|update|insert|desc)\s*[\[(]?\w{2,})]]></rule> | ||||
|         <description>Detects MySQL UDF injection and other data/structure manipulation attempts</description> | ||||
|         <tags> | ||||
|             <tag>sqli</tag> | ||||
|             <tag>id</tag> | ||||
|         </tags> | ||||
|         <impact>6</impact> | ||||
|     </filter> | ||||
|     <filter> | ||||
|         <id>52</id> | ||||
|         <rule><![CDATA[(?:alter\s*\w+.*character\s+set\s+\w+)|(";\s*waitfor\s+time\s+")|(?:";.*:\s*goto)]]></rule> | ||||
|         <description>Detects MySQL charset switch and MSSQL DoS attempts</description> | ||||
|         <tags> | ||||
|             <tag>sqli</tag> | ||||
|             <tag>id</tag> | ||||
|         </tags> | ||||
|         <impact>6</impact> | ||||
|     </filter> | ||||
|     <filter> | ||||
|         <id>53</id> | ||||
|         <rule><![CDATA[(?:procedure\s+analyse\s*\()|(?:;\s*(declare|open)\s+[\w-]+)|(?:create\s+(procedure|function)\s*\w+\s*\(\s*\)\s*-)|(?:declare[^\w]+[@#]\s*\w+)|(exec\s*\(\s*@)]]></rule> | ||||
|         <description>Detects MySQL and PostgreSQL stored procedure/function injections</description> | ||||
|         <tags> | ||||
|             <tag>sqli</tag> | ||||
|             <tag>id</tag> | ||||
|         </tags> | ||||
|         <impact>7</impact> | ||||
|     </filter> | ||||
|     <filter> | ||||
|         <id>54</id> | ||||
|         <rule><![CDATA[(?:select\s*pg_sleep)|(?:waitfor\s*delay\s?"+\s?\d)|(?:;\s*shutdown\s*(?:;|--|#|\/\*|{))]]></rule> | ||||
|         <description>Detects Postgres pg_sleep injection, waitfor delay attacks and database shutdown attempts</description> | ||||
|         <tags> | ||||
|             <tag>sqli</tag> | ||||
|             <tag>id</tag> | ||||
|         </tags> | ||||
|         <impact>5</impact> | ||||
|     </filter> | ||||
|     <filter> | ||||
|         <id>55</id> | ||||
|         <rule><![CDATA[(?:"\s*!\s*["\w])|(?:from\s+information_schema\W)|(?:(?:(?:current_)?user|database|schema|connection_id)\s*\([^\)]*)|(?:";?\s*(?:select|union|having)\s*[^\s])|(?:\wiif\s*\()|(?:exec\s+master\.)|(?:union select @)|(?:union[\w(\s]*select)|(?:select.*\w?user\()|(?:into[\s+]+(?:dump|out)file\s*")]]></rule> | ||||
|         <description>Detects MSSQL code execution and information gathering attempts</description> | ||||
|         <tags> | ||||
|             <tag>sqli</tag> | ||||
|             <tag>id</tag> | ||||
|         </tags> | ||||
|         <impact>5</impact> | ||||
|     </filter> | ||||
|     <filter> | ||||
|         <id>56</id> | ||||
|         <rule><![CDATA[(?:merge.*using\s*\()|(execute\s*immediate\s*")|(?:\W+\d*\s*having\s*[^\s])|(?:match\s*[\w(),+-]+\s*against\s*\()]]></rule> | ||||
|         <description>Detects MATCH AGAINST, MERGE, EXECUTE IMMEDIATE and HAVING injections</description> | ||||
|         <tags> | ||||
|             <tag>sqli</tag> | ||||
|             <tag>id</tag> | ||||
|         </tags> | ||||
|         <impact>5</impact> | ||||
|     </filter> | ||||
|     <filter> | ||||
|         <id>57</id> | ||||
|         <rule><![CDATA[(?:select\s*\*\s*from)|((?:select|create|rename|truncate|load|alter|delete|update|insert|desc)\s*\(\s*space\s*\()]]></rule> | ||||
|         <description>Detects MySQL comment-/space-obfuscated injections</description> | ||||
|         <tags> | ||||
|             <tag>sqli</tag> | ||||
|             <tag>id</tag> | ||||
|         </tags> | ||||
|         <impact>5</impact> | ||||
|     </filter>    | ||||
|     <filter> | ||||
|         <id>58</id> | ||||
|         <rule><![CDATA[(?:@[\w-]+\s*\()|(?:]\s*\(\s*["!]\s*\w)|(?:<[?%](?:php)?.*(?:[?%]>)?)|(?:;[\s\w|]*\$\w+\s*=)|(?:\$\w+\s*=(?:(?:\s*\$?\w+\s*[(;])|\s*".*"))|(?:;\s*\{\W*\w+\s*\()]]></rule> | ||||
|         <description>Detects code injection attempts 1/3</description> | ||||
|         <tags> | ||||
|             <tag>id</tag> | ||||
|             <tag>rfe</tag> | ||||
|             <tag>lfi</tag> | ||||
|         </tags> | ||||
|         <impact>7</impact> | ||||
|     </filter>    | ||||
|     <filter> | ||||
|         <id>59</id> | ||||
|         <rule><![CDATA[(?:(?:[;]+|(<[?%](?:php)?)).*(?:define|eval|file_get_contents|include|require|require_once|set|shell_exec|phpinfo|system|passthru|preg_\w+|execute)\s*["(@])]]></rule> | ||||
|         <description>Detects code injection attempts 2/3</description> | ||||
|         <tags> | ||||
|             <tag>id</tag> | ||||
|             <tag>rfe</tag> | ||||
|             <tag>lfi</tag> | ||||
|         </tags> | ||||
|         <impact>7</impact> | ||||
|     </filter> | ||||
|     <filter> | ||||
|         <id>60</id> | ||||
|         <rule><![CDATA[(?:(?:[;]+|(<[?%](?:php)?)).*[^\w](?:echo|print|print_r|var_dump|[fp]open))|(?:;\s*rm\s+-\w+\s+)|(?:;.*{.*\$\w+\s*=)|(?:\$\w+\s*\[\]\s*=\s*)]]></rule> | ||||
|         <description>Detects code injection attempts 3/3</description> | ||||
|         <tags> | ||||
|             <tag>id</tag> | ||||
|             <tag>rfe</tag> | ||||
|             <tag>lfi</tag> | ||||
|         </tags> | ||||
|         <impact>7</impact> | ||||
|     </filter> | ||||
|     <filter> | ||||
|         <id>61</id> | ||||
|         <rule><![CDATA[(?:\w+]?(?<!href)(?<!src)(?<!longdesc)(?<!returnurl)=(?:https?|ftp):)|(?:\{\s*\$\s*\{)]]></rule> | ||||
|         <description>Detects url injections and RFE attempts</description> | ||||
|         <tags> | ||||
|             <tag>id</tag> | ||||
|             <tag>rfe</tag> | ||||
|             <tag>lfi</tag> | ||||
|         </tags> | ||||
|         <impact>5</impact> | ||||
|     </filter>    | ||||
|     <filter> | ||||
|         <id>62</id> | ||||
|         <rule><![CDATA[(?:function[^(]*\([^)]*\))|(?:(?:delete|void|throw|instanceof|new|typeof)\W+\w+\s*[([])|([)\]]\s*\.\s*\w+\s*=)|(?:\(\s*new\s+\w+\s*\)\.)]]></rule> | ||||
|         <description>Detects common function declarations and special JS operators</description> | ||||
|         <tags> | ||||
|             <tag>id</tag> | ||||
|             <tag>rfe</tag> | ||||
|             <tag>lfi</tag> | ||||
|         </tags> | ||||
|         <impact>5</impact> | ||||
|     </filter>   | ||||
|     <filter> | ||||
|         <id>63</id> | ||||
|         <rule><![CDATA[(?:[\w.-]+@[\w.-]+%(?:[01][\db-ce-f])+\w+:)]]></rule> | ||||
|         <description>Detects common mail header injections</description> | ||||
|         <tags> | ||||
|             <tag>id</tag> | ||||
|             <tag>spam</tag> | ||||
|         </tags> | ||||
|         <impact>5</impact> | ||||
|     </filter> | ||||
|     <filter> | ||||
|         <id>64</id> | ||||
|         <rule><![CDATA[(?:\.pl\?\w+=\w?\|\w+;)|(?:\|\(\w+=\*)|(?:\*\s*\)+\s*;)]]></rule> | ||||
|         <description>Detects perl echo shellcode injection and LDAP vectors</description> | ||||
|         <tags> | ||||
|             <tag>lfi</tag> | ||||
|             <tag>rfe</tag> | ||||
|         </tags> | ||||
|         <impact>5</impact> | ||||
|     </filter> | ||||
|     <filter> | ||||
|         <id>65</id> | ||||
|         <rule><![CDATA[(?:(^|\W)const\s+[\w\-]+\s*=)|(?:(?:do|for|while)\s*\([^;]+;+\))|(?:(?:^|\W)on\w+\s*=[\w\W]*(?:on\w+|alert|eval|print|confirm|prompt))|(?:groups=\d+\(\w+\))|(?:(.)\1{128,})]]></rule> | ||||
|         <description>Detects basic XSS DoS attempts</description> | ||||
|         <tags> | ||||
|             <tag>rfe</tag> | ||||
|             <tag>dos</tag> | ||||
|         </tags> | ||||
|         <impact>5</impact> | ||||
|     </filter> | ||||
|     <filter> | ||||
|         <id>67</id> | ||||
|         <rule><![CDATA[(?:\({2,}\+{2,}:{2,})|(?:\({2,}\+{2,}:+)|(?:\({3,}\++:{2,})|(?:\$\[!!!\])]]></rule> | ||||
|         <description>Detects unknown attack vectors based on PHPIDS Centrifuge detection</description> | ||||
|         <tags> | ||||
|             <tag>xss</tag> | ||||
|             <tag>csrf</tag> | ||||
|             <tag>id</tag> | ||||
|             <tag>rfe</tag> | ||||
|             <tag>lfi</tag> | ||||
|         </tags> | ||||
|         <impact>7</impact> | ||||
|     </filter> | ||||
|     <filter> | ||||
|         <id>68</id> | ||||
|         <rule><![CDATA[(?:[\s\/"]+[-\w\/\\\*]+\s*=.+(?:\/\s*>))]]></rule> | ||||
|         <description>finds attribute breaking injections including obfuscated attributes</description> | ||||
|         <tags> | ||||
|             <tag>xss</tag> | ||||
|             <tag>csrf</tag> | ||||
|         </tags> | ||||
|         <impact>4</impact> | ||||
|     </filter>  | ||||
|     <filter> | ||||
|         <id>69</id> | ||||
|         <rule><![CDATA[(?:(?:msgbox|eval)\s*\+|(?:language\s*=\*vbscript))]]></rule> | ||||
|         <description>finds basic VBScript injection attempts</description> | ||||
|         <tags> | ||||
|             <tag>xss</tag> | ||||
|             <tag>csrf</tag> | ||||
|         </tags> | ||||
|         <impact>4</impact> | ||||
|     </filter> | ||||
|     <filter> | ||||
|         <id>70</id> | ||||
|         <rule><![CDATA[(?:\[\$(?:ne|eq|lte?|gte?|n?in|mod|all|size|exists|type|slice|or)\])]]></rule> | ||||
|         <description>finds basic MongoDB SQL injection attempts</description> | ||||
|         <tags> | ||||
|             <tag>sqli</tag> | ||||
|         </tags> | ||||
|         <impact>4</impact> | ||||
|     </filter> | ||||
| </filters> | ||||
							
								
								
									
										199
									
								
								xml/phpids_rules.xml
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										199
									
								
								xml/phpids_rules.xml
									
									
									
									
									
										Normal file
									
								
							|  | @ -0,0 +1,199 @@ | |||
| <filters> | ||||
|     <filter> | ||||
|         <id>40</id> | ||||
|         <rule><![CDATA[(?:\)\s*when\s*\d+\s*then)|(?:"\s*(?:#|--|{))|(?:\/\*!\s?\d+)|(?:ch(?:a)?r\s*\(\s*\d)|(?:(?:(n?and|x?or|not)\s+|\|\||\&\&)\s*\w+\()]]></rule> | ||||
|         <description>Detects MySQL comments, conditions and ch(a)r injections</description> | ||||
|         <tags> | ||||
|             <tag>sqli</tag> | ||||
|             <tag>id</tag> | ||||
|             <tag>lfi</tag> | ||||
|         </tags> | ||||
|         <impact>6</impact> | ||||
|     </filter>    | ||||
|     <filter> | ||||
|         <id>41</id> | ||||
|         <rule><![CDATA[(?:[\s()]case\s*\()|(?:\)\s*like\s*\()|(?:having\s*[^\s]+\s*[^\w\s])|(?:if\s?\([\d\w]\s*[=<>~])]]></rule> | ||||
|         <description>Detects conditional SQL injection attempts</description> | ||||
|         <tags> | ||||
|             <tag>sqli</tag> | ||||
|             <tag>id</tag> | ||||
|             <tag>lfi</tag> | ||||
|         </tags> | ||||
|         <impact>6</impact> | ||||
|     </filter>    | ||||
|     <filter> | ||||
|         <id>42</id> | ||||
|         <rule><![CDATA[(?:"\s*or\s*\d)|(?:\\x(?:23|27|3d))|(?:^.?"$)|(?:^.*\\".+(?<!\\)")|(?:(?:^["\\]*(?:[\d"]+|[^"]+"))+\s*(?:n?and|x?or|not|\|\||\&\&)\s*[\w"[+&!@(),.-])|(?:[^\w\s]\w+\s*[|-]\s*"\s*\w)|(?:@\w+\s+(and|or)\s*["\d]+)|(?:@[\w-]+\s(and|or)\s*[^\w\s])|(?:[^\w\s:]\s*\d\W+[^\w\s]\s*".)]]></rule> | ||||
|         <description>Detects classic SQL injection probings 1/2</description> | ||||
|         <tags> | ||||
|             <tag>sqli</tag> | ||||
|             <tag>id</tag> | ||||
|             <tag>lfi</tag> | ||||
|         </tags> | ||||
|         <impact>6</impact> | ||||
|     </filter>   | ||||
|     <filter> | ||||
|         <id>43</id> | ||||
|         <rule><![CDATA[(?:"\s*\*.+(?:or|id)\W*"\d)|(?:\^")|(?:^[\w\s"-]+(?<=and\s)(?<=or\s)(?<=xor\s)(?<=nand\s)(?<=not\s)(?<=\|\|)(?<=\&\&)\w+\()|(?:"[\s\d]*[^\w\s]+\W*\d\W*.*["\d])|(?:"\s*[^\w\s?]+\s*[^\w\s]+\s*")|(?:"\s*[^\w\s]+\s*[\W\d].*(?:#|--))|(?:".*\*\s*\d)|(?:"\s*or\s[\w-]+.*\d)|(?:[()*<>%+-][\w-]+[^\w\s]+"[^,])]]></rule> | ||||
|         <description>Detects classic SQL injection probings 2/2</description> | ||||
|         <tags> | ||||
|             <tag>sqli</tag> | ||||
|             <tag>id</tag> | ||||
|             <tag>lfi</tag> | ||||
|         </tags> | ||||
|         <impact>6</impact> | ||||
|     </filter>  | ||||
|     <filter> | ||||
|         <id>44</id> | ||||
|         <rule><![CDATA[(?:\d"\s+"\s+\d)|(?:^admin\s*"|(\/\*)+"+\s?(?:--|#|\/\*|{)?)|(?:"\s*or[\w\s-]+\s*[+<>=(),-]\s*[\d"])|(?:"\s*[^\w\s]?=\s*")|(?:"\W*[+=]+\W*")|(?:"\s*[!=|][\d\s!=+-]+.*["(].*$)|(?:"\s*[!=|][\d\s!=]+.*\d+$)|(?:"\s*like\W+[\w"(])|(?:\sis\s*0\W)|(?:where\s[\s\w\.,-]+\s=)|(?:"[<>~]+")]]></rule> | ||||
|         <description>Detects basic SQL authentication bypass attempts 1/3</description> | ||||
|         <tags> | ||||
|             <tag>sqli</tag> | ||||
|             <tag>id</tag> | ||||
|             <tag>lfi</tag> | ||||
|         </tags> | ||||
|         <impact>7</impact> | ||||
|     </filter>  | ||||
|     <filter> | ||||
|         <id>45</id> | ||||
|         <rule><![CDATA[(?:union\s*(?:all|distinct|[(!@]*)?\s*[([]*\s*select)|(?:\w+\s+like\s+\")|(?:like\s*"\%)|(?:"\s*like\W*["\d])|(?:"\s*(?:n?and|x?or|not |\|\||\&\&)\s+[\s\w]+=\s*\w+\s*having)|(?:"\s*\*\s*\w+\W+")|(?:"\s*[^?\w\s=.,;)(]+\s*[(@"]*\s*\w+\W+\w)|(?:select\s*[\[\]()\s\w\.,-]+from)]]></rule> | ||||
|         <description>Detects basic SQL authentication bypass attempts 2/3</description> | ||||
|         <tags> | ||||
|             <tag>sqli</tag> | ||||
|             <tag>id</tag> | ||||
|             <tag>lfi</tag> | ||||
|         </tags> | ||||
|         <impact>7</impact> | ||||
|     </filter> | ||||
|      <filter> | ||||
|         <id>46</id> | ||||
|         <rule><![CDATA[(?:in\s*\(+\s*select)|(?:(?:n?and|x?or|not |\|\||\&\&)\s+[\s\w+]+(?:regexp\s*\(|sounds\s+like\s*"|[=\d]+x))|("\s*\d\s*(?:--|#))|(?:"[%&<>^=]+\d\s*(=|or))|(?:"\W+[\w+-]+\s*=\s*\d\W+")|(?:"\s*is\s*\d.+"?\w)|(?:"\|?[\w-]{3,}[^\w\s.,]+")|(?:"\s*is\s*[\d.]+\s*\W.*")]]></rule> | ||||
|         <description>Detects basic SQL authentication bypass attempts 3/3</description> | ||||
|         <tags> | ||||
|             <tag>sqli</tag> | ||||
|             <tag>id</tag> | ||||
|             <tag>lfi</tag> | ||||
|         </tags> | ||||
|         <impact>7</impact> | ||||
|     </filter>  | ||||
|     <filter> | ||||
|         <id>47</id> | ||||
|         <rule><![CDATA[(?:^[\W\d]+\s*(?:union|select|create|rename|truncate|load|alter|delete|update|insert|desc))|(?:(?:select|create|rename|truncate|load|alter|delete|update|insert|desc)\s+(?:concat|char|load_file)\s?\(?)|(?:end\s*\);)|("\s+regexp\W)|(?:[\s(]load_file\s*\()]]></rule> | ||||
|         <description>Detects concatenated basic SQL injection and SQLLFI attempts</description> | ||||
|         <tags> | ||||
|             <tag>sqli</tag> | ||||
|             <tag>id</tag> | ||||
|             <tag>lfi</tag> | ||||
|         </tags> | ||||
|         <impact>5</impact> | ||||
|     </filter> | ||||
|     <filter> | ||||
|         <id>48</id> | ||||
|         <rule><![CDATA[(?:\d+\s*or\s*\d+\s*[\-+])|(?:\/\w+;?\s+(?:having|and|or|select))|(?:\d\s+group\s+by.+\()|(?:(?:;|#|--)\s*(?:drop|alter))|(?:(?:;|#|--)\s*(?:update|insert)\s*\w{2,})|(?:[^\w]SET\s*@\w+)|(?:(?:n?and|x?or|not |\|\||\&\&)[\s(]+\w+[\s)]*[!=+]+[\s\d]*["=()])]]></rule> | ||||
|         <description>Detects chained SQL injection attempts 1/2</description> | ||||
|         <tags> | ||||
|             <tag>sqli</tag> | ||||
|             <tag>id</tag> | ||||
|         </tags> | ||||
|         <impact>6</impact> | ||||
|     </filter> | ||||
|     <filter> | ||||
|         <id>49</id> | ||||
|         <rule><![CDATA[(?:\(\s*select\s*\w+\s*\()|(?:\*\/from)|(?:\+\s*\d+\s*\+\s*@)|(?:\w"\s*(?:[-+=|@]+\s*)+[\d(])|(?:coalesce\s*\(|@@\w+\s*[^\w\s])|(?:\W!+"\w)|(?:";\s*(?:if|while|begin))|(?:"[\s\d]+=\s*\d)|(?:order\s+by\s+if\w*\s*\()|(?:[\s(]+case\d*\W.+[tw]hen[\s(])]]></rule> | ||||
|         <description>Detects chained SQL injection attempts 2/2</description> | ||||
|         <tags> | ||||
|             <tag>sqli</tag> | ||||
|             <tag>id</tag> | ||||
|         </tags> | ||||
|         <impact>6</impact> | ||||
|     </filter> | ||||
|     <filter> | ||||
|         <id>50</id> | ||||
|         <rule><![CDATA[(?:(select|;)\s+(?:benchmark|if|sleep)\s*?\(\s*\(?\s*\w+)]]></rule> | ||||
|         <description>Detects SQL benchmark and sleep injection attempts including conditional queries</description> | ||||
|         <tags> | ||||
|             <tag>sqli</tag> | ||||
|             <tag>id</tag> | ||||
|         </tags> | ||||
|         <impact>4</impact> | ||||
|     </filter> | ||||
|     <filter> | ||||
|         <id>51</id> | ||||
|         <rule><![CDATA[(?:create\s+function\s+\w+\s+returns)|(?:;\s*(?:select|create|rename|truncate|load|alter|delete|update|insert|desc)\s*[\[(]?\w{2,})]]></rule> | ||||
|         <description>Detects MySQL UDF injection and other data/structure manipulation attempts</description> | ||||
|         <tags> | ||||
|             <tag>sqli</tag> | ||||
|             <tag>id</tag> | ||||
|         </tags> | ||||
|         <impact>6</impact> | ||||
|     </filter> | ||||
|     <filter> | ||||
|         <id>52</id> | ||||
|         <rule><![CDATA[(?:alter\s*\w+.*character\s+set\s+\w+)|(";\s*waitfor\s+time\s+")|(?:";.*:\s*goto)]]></rule> | ||||
|         <description>Detects MySQL charset switch and MSSQL DoS attempts</description> | ||||
|         <tags> | ||||
|             <tag>sqli</tag> | ||||
|             <tag>id</tag> | ||||
|         </tags> | ||||
|         <impact>6</impact> | ||||
|     </filter> | ||||
|     <filter> | ||||
|         <id>53</id> | ||||
|         <rule><![CDATA[(?:procedure\s+analyse\s*\()|(?:;\s*(declare|open)\s+[\w-]+)|(?:create\s+(procedure|function)\s*\w+\s*\(\s*\)\s*-)|(?:declare[^\w]+[@#]\s*\w+)|(exec\s*\(\s*@)]]></rule> | ||||
|         <description>Detects MySQL and PostgreSQL stored procedure/function injections</description> | ||||
|         <tags> | ||||
|             <tag>sqli</tag> | ||||
|             <tag>id</tag> | ||||
|         </tags> | ||||
|         <impact>7</impact> | ||||
|     </filter> | ||||
|     <filter> | ||||
|         <id>54</id> | ||||
|         <rule><![CDATA[(?:select\s*pg_sleep)|(?:waitfor\s*delay\s?"+\s?\d)|(?:;\s*shutdown\s*(?:;|--|#|\/\*|{))]]></rule> | ||||
|         <description>Detects Postgres pg_sleep injection, waitfor delay attacks and database shutdown attempts</description> | ||||
|         <tags> | ||||
|             <tag>sqli</tag> | ||||
|             <tag>id</tag> | ||||
|         </tags> | ||||
|         <impact>5</impact> | ||||
|     </filter> | ||||
|     <filter> | ||||
|         <id>55</id> | ||||
|         <rule><![CDATA[(?:"\s*!\s*["\w])|(?:from\s+information_schema\W)|(?:(?:(?:current_)?user|database|schema|connection_id)\s*\([^\)]*)|(?:";?\s*(?:select|union|having)\s*[^\s])|(?:\wiif\s*\()|(?:exec\s+master\.)|(?:union select @)|(?:union[\w(\s]*select)|(?:select.*\w?user\()|(?:into[\s+]+(?:dump|out)file\s*")]]></rule> | ||||
|         <description>Detects MSSQL code execution and information gathering attempts</description> | ||||
|         <tags> | ||||
|             <tag>sqli</tag> | ||||
|             <tag>id</tag> | ||||
|         </tags> | ||||
|         <impact>5</impact> | ||||
|     </filter> | ||||
|     <filter> | ||||
|         <id>56</id> | ||||
|         <rule><![CDATA[(?:merge.*using\s*\()|(execute\s*immediate\s*")|(?:\W+\d*\s*having\s*[^\s])|(?:match\s*[\w(),+-]+\s*against\s*\()]]></rule> | ||||
|         <description>Detects MATCH AGAINST, MERGE, EXECUTE IMMEDIATE and HAVING injections</description> | ||||
|         <tags> | ||||
|             <tag>sqli</tag> | ||||
|             <tag>id</tag> | ||||
|         </tags> | ||||
|         <impact>5</impact> | ||||
|     </filter> | ||||
|     <filter> | ||||
|         <id>57</id> | ||||
|         <rule><![CDATA[(?:select\s*\*\s*from)|((?:select|create|rename|truncate|load|alter|delete|update|insert|desc)\s*\(\s*space\s*\()]]></rule> | ||||
|         <description>Detects MySQL comment-/space-obfuscated injections</description> | ||||
|         <tags> | ||||
|             <tag>sqli</tag> | ||||
|             <tag>id</tag> | ||||
|         </tags> | ||||
|         <impact>5</impact> | ||||
|     </filter>    | ||||
|     <filter> | ||||
|         <id>70</id> | ||||
|         <rule><![CDATA[(?:\[\$(?:ne|eq|lte?|gte?|n?in|mod|all|size|exists|type|slice|or)\])]]></rule> | ||||
|         <description>finds basic MongoDB SQL injection attempts</description> | ||||
|         <tags> | ||||
|             <tag>sqli</tag> | ||||
|         </tags> | ||||
|         <impact>4</impact> | ||||
|     </filter> | ||||
| </filters> | ||||
		Loading…
	
		Reference in New Issue
	
	Block a user