mirror of
https://github.com/sqlmapproject/sqlmap.git
synced 2024-11-29 04:53:48 +03:00
added IDS payload testing
This commit is contained in:
parent
bdb9c37a7e
commit
378653a1ec
|
@ -488,6 +488,10 @@ def cmdLineParser():
|
||||||
action="store_true", default=False,
|
action="store_true", default=False,
|
||||||
help="Replicate dumped data into a sqlite3 database")
|
help="Replicate dumped data into a sqlite3 database")
|
||||||
|
|
||||||
|
miscellaneous.add_option("--check-payload", dest="checkPayload",
|
||||||
|
action="store_true", default=False,
|
||||||
|
help="IDS detection testing of injection payload")
|
||||||
|
|
||||||
miscellaneous.add_option("--beep", dest="beep",
|
miscellaneous.add_option("--beep", dest="beep",
|
||||||
action="store_true", default=False,
|
action="store_true", default=False,
|
||||||
help="Alert with audio beep when sql injection found")
|
help="Alert with audio beep when sql injection found")
|
||||||
|
|
|
@ -30,6 +30,7 @@ from lib.request.basic import parseResponse
|
||||||
from lib.request.direct import direct
|
from lib.request.direct import direct
|
||||||
from lib.request.comparison import comparison
|
from lib.request.comparison import comparison
|
||||||
from lib.request.methodrequest import MethodRequest
|
from lib.request.methodrequest import MethodRequest
|
||||||
|
from lib.utils.detection import checkPayload
|
||||||
|
|
||||||
|
|
||||||
class Connect:
|
class Connect:
|
||||||
|
@ -309,6 +310,9 @@ class Connect:
|
||||||
for function in kb.tamperFunctions:
|
for function in kb.tamperFunctions:
|
||||||
value = function(place, value)
|
value = function(place, value)
|
||||||
|
|
||||||
|
if conf.checkPayload:
|
||||||
|
checkPayload(value)
|
||||||
|
|
||||||
if "GET" in conf.parameters:
|
if "GET" in conf.parameters:
|
||||||
get = conf.parameters["GET"] if place != "GET" or not value else value
|
get = conf.parameters["GET"] if place != "GET" or not value else value
|
||||||
|
|
||||||
|
|
|
@ -12,10 +12,12 @@ import sre_constants
|
||||||
|
|
||||||
from lib.core.common import getCompiledRegex
|
from lib.core.common import getCompiledRegex
|
||||||
from lib.core.common import readXmlFile
|
from lib.core.common import readXmlFile
|
||||||
|
from lib.core.convert import urldecode
|
||||||
from lib.core.data import conf
|
from lib.core.data import conf
|
||||||
from lib.core.data import paths
|
from lib.core.data import paths
|
||||||
from lib.core.data import logger
|
from lib.core.data import logger
|
||||||
|
|
||||||
|
|
||||||
rules = None
|
rules = None
|
||||||
|
|
||||||
def __adjustGrammar(string):
|
def __adjustGrammar(string):
|
||||||
|
@ -27,7 +29,7 @@ def __adjustGrammar(string):
|
||||||
|
|
||||||
return string
|
return string
|
||||||
|
|
||||||
def checkPayload(string):
|
def checkPayload(payload):
|
||||||
"""
|
"""
|
||||||
This method checks if the generated payload is detectable by the
|
This method checks if the generated payload is detectable by the
|
||||||
PHPIDS filter rules
|
PHPIDS filter rules
|
||||||
|
@ -35,20 +37,22 @@ def checkPayload(string):
|
||||||
|
|
||||||
global rules
|
global rules
|
||||||
|
|
||||||
|
payload = urldecode(payload)
|
||||||
|
|
||||||
if not rules:
|
if not rules:
|
||||||
xmlrules = readXmlFile(paths.DETECTION_RULES_XML)
|
xmlrules = readXmlFile(paths.DETECTION_RULES_XML)
|
||||||
rules = []
|
rules = []
|
||||||
|
|
||||||
for xmlrule in xmlrules.getElementsByTagName("filter"):
|
for xmlrule in xmlrules.getElementsByTagName("filter"):
|
||||||
try:
|
|
||||||
rule = "(?i)%s" % xmlrule.getElementsByTagName('rule')[0].childNodes[0].nodeValue
|
rule = "(?i)%s" % xmlrule.getElementsByTagName('rule')[0].childNodes[0].nodeValue
|
||||||
desc = __adjustGrammar(xmlrule.getElementsByTagName('description')[0].childNodes[0].nodeValue)
|
desc = __adjustGrammar(xmlrule.getElementsByTagName('description')[0].childNodes[0].nodeValue)
|
||||||
rules.append((rule, desc))
|
rules.append((rule, desc))
|
||||||
except sre_constants.error: # Some issues with some regex expressions in Python 2.5
|
|
||||||
pass
|
|
||||||
|
|
||||||
|
if payload:
|
||||||
for rule, desc in rules:
|
for rule, desc in rules:
|
||||||
|
try:
|
||||||
regObj = getCompiledRegex(rule)
|
regObj = getCompiledRegex(rule)
|
||||||
|
if regObj.search(payload):
|
||||||
if regObj.search(string):
|
logger.warn("highly probable IDS/IPS detection: '%s: %s'" % (desc, payload))
|
||||||
logger.warn("highly probable IDS/IPS detection: '%s'" % desc)
|
except: # Some issues with some regex expressions in Python 2.5
|
||||||
|
pass
|
||||||
|
|
|
@ -21,7 +21,7 @@
|
||||||
</filter>
|
</filter>
|
||||||
<filter>
|
<filter>
|
||||||
<id>69</id>
|
<id>69</id>
|
||||||
<rule><![CDATA[(?:[\s\d\/"]+(?:on\w+|style)=[$"\w])]]></rule>
|
<rule><![CDATA[(?:[\s\d\/"]+(?:on\w+|style|poster|background)=[$"\w])]]></rule>
|
||||||
<description>finds malicious attribute injection attempts</description>
|
<description>finds malicious attribute injection attempts</description>
|
||||||
<tags>
|
<tags>
|
||||||
<tag>xss</tag>
|
<tag>xss</tag>
|
||||||
|
@ -71,7 +71,7 @@
|
||||||
</filter>
|
</filter>
|
||||||
<filter>
|
<filter>
|
||||||
<id>7</id>
|
<id>7</id>
|
||||||
<rule><![CDATA[(?:\d\s*[|&]{2}\s*\w)|(?:[=(].+\?.+:)|(?:with\([^)]*\)\))|(?:\.\s*source\W)|(?:\?[^:=]+:[^;]+(;|$))]]></rule>
|
<rule><![CDATA[(?:[=(].+\?.+:)|(?:with\([^)]*\)\))|(?:\.\s*source\W)]]></rule>
|
||||||
<description>Detects JavaScript with(), ternary operators and XML predicate attacks</description>
|
<description>Detects JavaScript with(), ternary operators and XML predicate attacks</description>
|
||||||
<tags>
|
<tags>
|
||||||
<tag>xss</tag>
|
<tag>xss</tag>
|
||||||
|
@ -81,7 +81,7 @@
|
||||||
</filter>
|
</filter>
|
||||||
<filter>
|
<filter>
|
||||||
<id>8</id>
|
<id>8</id>
|
||||||
<rule><![CDATA[(?:\([\w\s]+\([\w\s]+\)[\w\s]+\))|(?:(?<!(?:mozilla\/\d\.\d\s))\([^)[]+\[[^\]]+\][^)]*\))|(?:[^\s!][{([][^({[]+[{([][^}\])]+[}\])][\s+",\d]*[}\])])|(?:"\)?\]\W*\[)|(?:=\s*[^\s:;]+\s*[{([][^}\])]+[}\])];)]]></rule>
|
<rule><![CDATA[(?:\/\w*\s*\)\s*\()|(?:\(.*\/.+\/\w*\s*\))|(?:\([\w\s]+\([\w\s]+\)[\w\s]+\))|(?:(?<!(?:mozilla\/\d\.\d\s))\([^)[]+\[[^\]]+\][^)]*\))|(?:[^\s!][{([][^({[]+[{([][^}\])]+[}\])][\s+",\d]*[}\])])|(?:"\)?\]\W*\[)|(?:=\s*[^\s:;]+\s*[{([][^}\])]+[}\])];)]]></rule>
|
||||||
<description>Detects self-executing JavaScript functions</description>
|
<description>Detects self-executing JavaScript functions</description>
|
||||||
<tags>
|
<tags>
|
||||||
<tag>xss</tag>
|
<tag>xss</tag>
|
||||||
|
@ -168,7 +168,7 @@
|
||||||
</filter>
|
</filter>
|
||||||
<filter>
|
<filter>
|
||||||
<id>16</id>
|
<id>16</id>
|
||||||
<rule><![CDATA[([^*\s\w,.\/?+-]\s*)?(?<![a-mo-z]\s)(?<![a-z\/_@>\|])(\s*return\s*)?(?:alert|inputbox|showmodaldialog|infinity|isnan|isnull|msgbox|expression|prompt|write(?:ln)?|confirm|dialog|urn|(?:un)?eval|exec|execscript|tostring|status|execute|window|unescape|navigate|jquery|getscript|extend|prototype)(?(1)[^\w%"]|(?:\s*[^@\s\w%",.:\/+\-]))]]></rule>
|
<rule><![CDATA[([^*\s\w,.\/?+-]\s*)?(?<![a-mo-z]\s)(?<![a-z\/_@>])(\s*return\s*)?(?:alert|inputbox|showmodaldialog|infinity|isnan|isnull|iterator|msgbox|expression|prompt|write(?:ln)?|confirm|dialog|urn|(?:un)?eval|exec|execscript|tostring|status|execute|window|unescape|navigate|jquery|getscript|extend|prototype)(?(1)[^\w%"]|(?:\s*[^@\s\w%",.:\/+\-]))]]></rule>
|
||||||
<description>Detects possible includes and typical script methods</description>
|
<description>Detects possible includes and typical script methods</description>
|
||||||
<tags>
|
<tags>
|
||||||
<tag>xss</tag>
|
<tag>xss</tag>
|
||||||
|
@ -180,7 +180,7 @@
|
||||||
</filter>
|
</filter>
|
||||||
<filter>
|
<filter>
|
||||||
<id>17</id>
|
<id>17</id>
|
||||||
<rule><![CDATA[([^*:\s\w,.\/?+-]\s*)?(?<![a-z]\s)(?<![a-z\/_@>\|])(\s*return\s*)?(?:hash|name|href|navigateandfind|source|pathname|close|constructor|port|protocol|assign|replace|back|forward|document|ownerdocument|window|self|parent|frames|_?content|date|cookie|innerhtml|innertext|csstext+?|outerhtml|print|moveby|resizeto|createstylesheet|stylesheets)(?(1)[^\w%"]|(?:\s*[^@\/\s\w%,.+\-]))]]></rule>
|
<rule><![CDATA[([^*:\s\w,.\/?+-]\s*)?(?<![a-z]\s)(?<![a-z\/_@>])(\s*return\s*)?(?:hash|name|href|navigateandfind|source|pathname|close|constructor|port|protocol|assign|replace|back|forward|document|ownerdocument|window|top|this|self|parent|frames|_?content|date|cookie|innerhtml|innertext|csstext+?|outerhtml|print|moveby|resizeto|createstylesheet|stylesheets)(?(1)[^\w%"]|(?:\s*[^@\/\s\w%.+\-]))]]></rule>
|
||||||
<description>Detects JavaScript object properties and methods</description>
|
<description>Detects JavaScript object properties and methods</description>
|
||||||
<tags>
|
<tags>
|
||||||
<tag>xss</tag>
|
<tag>xss</tag>
|
||||||
|
@ -216,7 +216,7 @@
|
||||||
</filter>
|
</filter>
|
||||||
<filter>
|
<filter>
|
||||||
<id>20</id>
|
<id>20</id>
|
||||||
<rule><![CDATA[([^*:\s\w,.\/?+-]\s*)?(?<![a-z]\s)(?<![a-z_@>\|])(\s*return\s*)?(?:globalstorage|sessionstorage|postmessage|callee|constructor|content|domain|prototype|try|catch|top|call|apply|url|function|object|array|string|math|if|elseif|case|switch|regex|boolean|location|settimeout|setinterval|void|setexpression|namespace|while)(?(1)[^\w%"]|(?:\s*[^@\s\w%",.+\-]))]]></rule>
|
<rule><![CDATA[(?:\)\s*\[)|(?:\/\w*\s*\)\s*\W)|([^*:\s\w,.\/?+-]\s*)?(?<![a-z]\s)(?<![a-z_@>\|])(\s*return\s*)?(?:globalstorage|sessionstorage|postmessage|callee|constructor|content|domain|prototype|try|catch|top|call|apply|url|function|object|array|string|math|if|for\s*(?:each)?|elseif|case|switch|regex|boolean|location|settimeout|setinterval|void|setexpression|namespace|while)(?(1)[^\w%"]|(?:\s*[^@\s\w%".+\-]))]]></rule>
|
||||||
<description>Detects JavaScript language constructs</description>
|
<description>Detects JavaScript language constructs</description>
|
||||||
<tags>
|
<tags>
|
||||||
<tag>xss</tag>
|
<tag>xss</tag>
|
||||||
|
@ -240,7 +240,7 @@
|
||||||
</filter>
|
</filter>
|
||||||
<filter>
|
<filter>
|
||||||
<id>22</id>
|
<id>22</id>
|
||||||
<rule><![CDATA[(?:[^\s]\s*=\s*script)|(?:\.\s*constructor)|(?:default\s+xml\s+namespace\s*=)|(?:\/\s*\+[^+]+\s*\+\s*\/)]]></rule>
|
<rule><![CDATA[(?:=\s*(?:top|this|window|content|self|frames|_content))|(?:\/\s*\w*\s*[)}])|(?:[^\s]\s*=\s*script)|(?:\.\s*constructor)|(?:default\s+xml\s+namespace\s*=)|(?:\/\s*\+[^+]+\s*\+\s*\/)]]></rule>
|
||||||
<description>Detects advanced XSS probings via Script(), RexExp, constructors and XML namespaces</description>
|
<description>Detects advanced XSS probings via Script(), RexExp, constructors and XML namespaces</description>
|
||||||
<tags>
|
<tags>
|
||||||
<tag>xss</tag>
|
<tag>xss</tag>
|
||||||
|
@ -424,7 +424,7 @@
|
||||||
</filter>
|
</filter>
|
||||||
<filter>
|
<filter>
|
||||||
<id>40</id>
|
<id>40</id>
|
||||||
<rule><![CDATA[(?:"\s*(?:#|--|{))|(?:\/\*!\s?\d+)|(?:ch(?:a)?r\s*\(\s*\d)|(?:(?:(n?and|x?or|not)\s+|\|\||\&\&)\s*\w+\()]]></rule>
|
<rule><![CDATA[(?:\)\s*when\s*\d+\s*then)|(?:"\s*(?:#|--|{))|(?:\/\*!\s?\d+)|(?:ch(?:a)?r\s*\(\s*\d)|(?:(?:(n?and|x?or|not)\s+|\|\||\&\&)\s*\w+\()]]></rule>
|
||||||
<description>Detects MySQL comments, conditions and ch(a)r injections</description>
|
<description>Detects MySQL comments, conditions and ch(a)r injections</description>
|
||||||
<tags>
|
<tags>
|
||||||
<tag>sqli</tag>
|
<tag>sqli</tag>
|
||||||
|
@ -435,18 +435,18 @@
|
||||||
</filter>
|
</filter>
|
||||||
<filter>
|
<filter>
|
||||||
<id>41</id>
|
<id>41</id>
|
||||||
<rule><![CDATA[(?:\)\s*like\s*\()|(?:having\s*[^\s]+\s*[^\w\s])|(?:if\s?\([\d\w]\s*[=<>~])]]></rule>
|
<rule><![CDATA[(?:[\s()]case\s*\()|(?:\)\s*like\s*\()|(?:having\s*[^\s]+\s*[^\w\s])|(?:if\s?\([\d\w]\s*[=<>~])]]></rule>
|
||||||
<description>Detects conditional SQL injection attempts</description>
|
<description>Detects conditional SQL injection attempts</description>
|
||||||
<tags>
|
<tags>
|
||||||
<tag>sqli</tag>
|
<tag>sqli</tag>
|
||||||
<tag>id</tag>
|
<tag>id</tag>
|
||||||
<tag>lfi</tag>
|
<tag>lfi</tag>
|
||||||
</tags>
|
</tags>
|
||||||
<impact>4</impact>
|
<impact>6</impact>
|
||||||
</filter>
|
</filter>
|
||||||
<filter>
|
<filter>
|
||||||
<id>42</id>
|
<id>42</id>
|
||||||
<rule><![CDATA[(?:\\x(?:23|27|3d))|(?:^.?"$)|(?:^.*\\".+(?<!\\)")|(?:(?:^["\\]*(?:[\d"]+|[^"]+"))+\s*(?:n?and|x?or|not|\|\||\&\&)\s*[\w"[+&!@(),.-])|(?:[^\w\s]\w+\s*[|-]\s*"\s*\w)|(?:@\w+\s+(and|or)\s*["\d]+)|(?:@[\w-]+\s(and|or)\s*[^\w\s])|(?:[^\w\s:]\s*\d\W+[^\w\s]\s*".)]]></rule>
|
<rule><![CDATA[(?:"\s*or\s*\d)|(?:\\x(?:23|27|3d))|(?:^.?"$)|(?:^.*\\".+(?<!\\)")|(?:(?:^["\\]*(?:[\d"]+|[^"]+"))+\s*(?:n?and|x?or|not|\|\||\&\&)\s*[\w"[+&!@(),.-])|(?:[^\w\s]\w+\s*[|-]\s*"\s*\w)|(?:@\w+\s+(and|or)\s*["\d]+)|(?:@[\w-]+\s(and|or)\s*[^\w\s])|(?:[^\w\s:]\s*\d\W+[^\w\s]\s*".)]]></rule>
|
||||||
<description>Detects classic SQL injection probings 1/2</description>
|
<description>Detects classic SQL injection probings 1/2</description>
|
||||||
<tags>
|
<tags>
|
||||||
<tag>sqli</tag>
|
<tag>sqli</tag>
|
||||||
|
@ -490,7 +490,7 @@
|
||||||
</filter>
|
</filter>
|
||||||
<filter>
|
<filter>
|
||||||
<id>46</id>
|
<id>46</id>
|
||||||
<rule><![CDATA[(?:(?:n?and|x?or|not |\|\||\&\&)\s+[\s\w+]+(?:regexp\s*\(|sounds\s+like\s*"|[=\d]+x))|("\s*\d\s*(?:--|#))|(?:"[%&<>^=]+\d\s*(=|or))|(?:"\W+[\w+-]+\s*=\s*\d\W+")|(?:"\s*is\s*\d.+"?\w)|(?:"\|?[\w-]{3,}[^\w\s.,]+")|(?:"\s*is\s*[\d.]+\s*\W.*")]]></rule>
|
<rule><![CDATA[(?:in\s*\(+\s*select)|(?:(?:n?and|x?or|not |\|\||\&\&)\s+[\s\w+]+(?:regexp\s*\(|sounds\s+like\s*"|[=\d]+x))|("\s*\d\s*(?:--|#))|(?:"[%&<>^=]+\d\s*(=|or))|(?:"\W+[\w+-]+\s*=\s*\d\W+")|(?:"\s*is\s*\d.+"?\w)|(?:"\|?[\w-]{3,}[^\w\s.,]+")|(?:"\s*is\s*[\d.]+\s*\W.*")]]></rule>
|
||||||
<description>Detects basic SQL authentication bypass attempts 3/3</description>
|
<description>Detects basic SQL authentication bypass attempts 3/3</description>
|
||||||
<tags>
|
<tags>
|
||||||
<tag>sqli</tag>
|
<tag>sqli</tag>
|
||||||
|
@ -501,7 +501,7 @@
|
||||||
</filter>
|
</filter>
|
||||||
<filter>
|
<filter>
|
||||||
<id>47</id>
|
<id>47</id>
|
||||||
<rule><![CDATA[(?:^[\W\d]+\s*(?:union|select|create|rename|truncate|load|alter|delete|update|insert|desc))|(?:(?:select|create|rename|truncate|load|alter|delete|update|insert|desc)\s+(?:concat|char|load_file)\s?\(?)|(?:end\s*\);)|("\s+regexp\W)]]></rule>
|
<rule><![CDATA[(?:^[\W\d]+\s*(?:union|select|create|rename|truncate|load|alter|delete|update|insert|desc))|(?:(?:select|create|rename|truncate|load|alter|delete|update|insert|desc)\s+(?:concat|char|load_file)\s?\(?)|(?:end\s*\);)|("\s+regexp\W)|(?:[\s(]load_file\s*\()]]></rule>
|
||||||
<description>Detects concatenated basic SQL injection and SQLLFI attempts</description>
|
<description>Detects concatenated basic SQL injection and SQLLFI attempts</description>
|
||||||
<tags>
|
<tags>
|
||||||
<tag>sqli</tag>
|
<tag>sqli</tag>
|
||||||
|
@ -512,7 +512,7 @@
|
||||||
</filter>
|
</filter>
|
||||||
<filter>
|
<filter>
|
||||||
<id>48</id>
|
<id>48</id>
|
||||||
<rule><![CDATA[(?:\/\w+;?\s+(?:having|and|or|select))|(?:\d\s+group\s+by.+\()|(?:(?:;|#|--)\s*(?:drop|alter))|(?:(?:;|#|--)\s*(?:update|insert)\s*\w{2,})|(?:[^\w]SET\s*@\w+)|(?:(?:n?and|x?or|not |\|\||\&\&)\s+\w+[!=+]+[\s\d]*["=(])]]></rule>
|
<rule><![CDATA[(?:\d+\s*or\s*\d+\s*[\-+])|(?:\/\w+;?\s+(?:having|and|or|select))|(?:\d\s+group\s+by.+\()|(?:(?:;|#|--)\s*(?:drop|alter))|(?:(?:;|#|--)\s*(?:update|insert)\s*\w{2,})|(?:[^\w]SET\s*@\w+)|(?:(?:n?and|x?or|not |\|\||\&\&)[\s(]+\w+[\s)]*[!=+]+[\s\d]*["=()])]]></rule>
|
||||||
<description>Detects chained SQL injection attempts 1/2</description>
|
<description>Detects chained SQL injection attempts 1/2</description>
|
||||||
<tags>
|
<tags>
|
||||||
<tag>sqli</tag>
|
<tag>sqli</tag>
|
||||||
|
@ -522,7 +522,7 @@
|
||||||
</filter>
|
</filter>
|
||||||
<filter>
|
<filter>
|
||||||
<id>49</id>
|
<id>49</id>
|
||||||
<rule><![CDATA[(?:\*\/from)|(?:\+\s*\d+\s*\+\s*@)|(?:\w"\s*(?:[-+=|@]+\s*)+[\d(])|(?:coalesce\s*\(|@@\w+\s*[^\w\s])|(?:\W!+"\w)|(?:";\s*(?:if|while|begin))|(?:"[\s\d]+=\s*\d)|(?:order\s+by\s+if\w*\s*\()]]></rule>
|
<rule><![CDATA[(?:\(\s*select\s*\w+\s*\()|(?:\*\/from)|(?:\+\s*\d+\s*\+\s*@)|(?:\w"\s*(?:[-+=|@]+\s*)+[\d(])|(?:coalesce\s*\(|@@\w+\s*[^\w\s])|(?:\W!+"\w)|(?:";\s*(?:if|while|begin))|(?:"[\s\d]+=\s*\d)|(?:order\s+by\s+if\w*\s*\()|(?:[\s(]+case\d*\W.+[tw]hen[\s(])]]></rule>
|
||||||
<description>Detects chained SQL injection attempts 2/2</description>
|
<description>Detects chained SQL injection attempts 2/2</description>
|
||||||
<tags>
|
<tags>
|
||||||
<tag>sqli</tag>
|
<tag>sqli</tag>
|
||||||
|
@ -532,7 +532,7 @@
|
||||||
</filter>
|
</filter>
|
||||||
<filter>
|
<filter>
|
||||||
<id>50</id>
|
<id>50</id>
|
||||||
<rule><![CDATA[(?:(select|;)\s+(?:benchmark|if|sleep)\s?\(\s?\(?\s?\w+)]]></rule>
|
<rule><![CDATA[(?:(select|;)\s+(?:benchmark|if|sleep)\s*?\(\s*\(?\s*\w+)]]></rule>
|
||||||
<description>Detects SQL benchmark and sleep injection attempts including conditional queries</description>
|
<description>Detects SQL benchmark and sleep injection attempts including conditional queries</description>
|
||||||
<tags>
|
<tags>
|
||||||
<tag>sqli</tag>
|
<tag>sqli</tag>
|
||||||
|
@ -582,7 +582,7 @@
|
||||||
</filter>
|
</filter>
|
||||||
<filter>
|
<filter>
|
||||||
<id>55</id>
|
<id>55</id>
|
||||||
<rule><![CDATA[(?:"\s*!\s*["\w])|(?:from\s+information_schema\W)|(?:(?:(?:current_)?user|database|schema|connection_id)\s*\([^\)]*)|(?:";?\s*(?:select|union|having)\s*[^\s)|(?:\wiif\s*\()|(?:exec\s+master\.)|(?:union select @)|(?:union[\w(\s]*select)|(?:select.*\w?user\()|(?:into[\s+]+(?:dump|out)file\s*")]]></rule>
|
<rule><![CDATA[(?:"\s*!\s*["\w])|(?:from\s+information_schema\W)|(?:(?:(?:current_)?user|database|schema|connection_id)\s*\([^\)]*)|(?:";?\s*(?:select|union|having)\s*[^\s])|(?:\wiif\s*\()|(?:exec\s+master\.)|(?:union select @)|(?:union[\w(\s]*select)|(?:select.*\w?user\()|(?:into[\s+]+(?:dump|out)file\s*")]]></rule>
|
||||||
<description>Detects MSSQL code execution and information gathering attempts</description>
|
<description>Detects MSSQL code execution and information gathering attempts</description>
|
||||||
<tags>
|
<tags>
|
||||||
<tag>sqli</tag>
|
<tag>sqli</tag>
|
||||||
|
@ -728,4 +728,13 @@
|
||||||
</tags>
|
</tags>
|
||||||
<impact>4</impact>
|
<impact>4</impact>
|
||||||
</filter>
|
</filter>
|
||||||
|
<filter>
|
||||||
|
<id>70</id>
|
||||||
|
<rule><![CDATA[(?:\[\$(?:ne|eq|lte?|gte?|n?in|mod|all|size|exists|type|slice|or)\])]]></rule>
|
||||||
|
<description>finds basic MongoDB SQL injection attempts</description>
|
||||||
|
<tags>
|
||||||
|
<tag>sqli</tag>
|
||||||
|
</tags>
|
||||||
|
<impact>4</impact>
|
||||||
|
</filter>
|
||||||
</filters>
|
</filters>
|
Loading…
Reference in New Issue
Block a user