			
		
		
		
	added IDS payload testing
		
							parent
							
								
									bdb9c37a7e
								
							
						
					
					
						commit
						378653a1ec
					
				|  | @ -488,6 +488,10 @@ def cmdLineParser(): | ||||||
|                                  action="store_true", default=False, |                                  action="store_true", default=False, | ||||||
|                                  help="Replicate dumped data into a sqlite3 database") |                                  help="Replicate dumped data into a sqlite3 database") | ||||||
| 
 | 
 | ||||||
|  |         miscellaneous.add_option("--check-payload", dest="checkPayload", | ||||||
|  |                                  action="store_true", default=False, | ||||||
|  |                                  help="IDS detection testing of injection payload") | ||||||
|  | 
 | ||||||
|         miscellaneous.add_option("--beep", dest="beep", |         miscellaneous.add_option("--beep", dest="beep", | ||||||
|                                  action="store_true", default=False, |                                  action="store_true", default=False, | ||||||
|                                  help="Alert with audio beep when sql injection found") |                                  help="Alert with audio beep when sql injection found") | ||||||
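Review bot: The help text for `--check-payload` does not say what is being tested. Judging by the checkPayload docstring elsewhere in this commit, the check is a local regex match of each payload against the PHPIDS filter rules, not a probe of a deployed IDS/IPS. Wording such as `help="Check injection payloads against the PHPIDS filter rules (local check)"` would keep a run with no warnings from being read as evidence about a real device. cmdLineParser's body continues outside the hunk.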
|  |  | ||||||
|  | @ -30,6 +30,7 @@ from lib.request.basic import parseResponse | ||||||
| from lib.request.direct import direct | from lib.request.direct import direct | ||||||
| from lib.request.comparison import comparison | from lib.request.comparison import comparison | ||||||
| from lib.request.methodrequest import MethodRequest | from lib.request.methodrequest import MethodRequest | ||||||
|  | from lib.utils.detection import checkPayload | ||||||
| 
 | 
 | ||||||
| 
 | 
 | ||||||
| class Connect: | class Connect: | ||||||
|  | @ -309,6 +310,9 @@ class Connect: | ||||||
|             for function in kb.tamperFunctions: |             for function in kb.tamperFunctions: | ||||||
|                 value = function(place, value) |                 value = function(place, value) | ||||||
| 
 | 
 | ||||||
|  |         if conf.checkPayload: | ||||||
|  |             checkPayload(value) | ||||||
|  | 
 | ||||||
|         if "GET" in conf.parameters: |         if "GET" in conf.parameters: | ||||||
|             get = conf.parameters["GET"] if place != "GET" or not value else value |             get = conf.parameters["GET"] if place != "GET" or not value else value | ||||||
| 
 | 
 | ||||||
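Review bot: `checkPayload(value)` runs whenever the option is set, even when `value` is empty or None, a state the next statement (`... or not value else value`) explicitly allows for. checkPayload applies its `if payload:` guard only after it has passed the argument to `urldecode`, and whether `urldecode` tolerates None is not visible on this page. Guarding at the call site with `if conf.checkPayload and value:` removes that dependency. The enclosing method starts and ends outside the hunk.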
|  |  | ||||||
|  | @ -12,10 +12,12 @@ import sre_constants | ||||||
| 
 | 
 | ||||||
| from lib.core.common import getCompiledRegex | from lib.core.common import getCompiledRegex | ||||||
| from lib.core.common import readXmlFile | from lib.core.common import readXmlFile | ||||||
|  | from lib.core.convert import urldecode | ||||||
| from lib.core.data import conf | from lib.core.data import conf | ||||||
| from lib.core.data import paths | from lib.core.data import paths | ||||||
| from lib.core.data import logger | from lib.core.data import logger | ||||||
| 
 | 
 | ||||||
|  | 
 | ||||||
| rules = None | rules = None | ||||||
| 
 | 
 | ||||||
| def __adjustGrammar(string): | def __adjustGrammar(string): | ||||||
|  | @ -27,7 +29,7 @@ def __adjustGrammar(string): | ||||||
| 
 | 
 | ||||||
|     return string |     return string | ||||||
| 
 | 
 | ||||||
| def checkPayload(string): | def checkPayload(payload): | ||||||
|     """ |     """ | ||||||
|     This method checks if the generated payload is detectable by the |     This method checks if the generated payload is detectable by the | ||||||
|     PHPIDS filter rules |     PHPIDS filter rules | ||||||
|  | @ -35,20 +37,22 @@ def checkPayload(string): | ||||||
| 
 | 
 | ||||||
|     global rules |     global rules | ||||||
| 
 | 
 | ||||||
|  |     payload = urldecode(payload) | ||||||
|  | 
 | ||||||
|     if not rules: |     if not rules: | ||||||
|         xmlrules = readXmlFile(paths.DETECTION_RULES_XML) |         xmlrules = readXmlFile(paths.DETECTION_RULES_XML) | ||||||
|         rules = [] |         rules = [] | ||||||
| 
 | 
 | ||||||
|         for xmlrule in xmlrules.getElementsByTagName("filter"): |         for xmlrule in xmlrules.getElementsByTagName("filter"): | ||||||
|             try: |  | ||||||
|             rule = "(?i)%s" % xmlrule.getElementsByTagName('rule')[0].childNodes[0].nodeValue |             rule = "(?i)%s" % xmlrule.getElementsByTagName('rule')[0].childNodes[0].nodeValue | ||||||
|             desc = __adjustGrammar(xmlrule.getElementsByTagName('description')[0].childNodes[0].nodeValue) |             desc = __adjustGrammar(xmlrule.getElementsByTagName('description')[0].childNodes[0].nodeValue) | ||||||
|             rules.append((rule, desc)) |             rules.append((rule, desc)) | ||||||
|             except sre_constants.error: # Some issues with some regex expressions in Python 2.5 |  | ||||||
|                 pass |  | ||||||
| 
 | 
 | ||||||
|  |     if payload: | ||||||
|         for rule, desc in rules: |         for rule, desc in rules: | ||||||
|  |             try: | ||||||
|                 regObj = getCompiledRegex(rule) |                 regObj = getCompiledRegex(rule) | ||||||
| 
 |                 if regObj.search(payload): | ||||||
|         if regObj.search(string): |                     logger.warn("highly probable IDS/IPS detection: '%s: %s'" % (desc, payload)) | ||||||
|             logger.warn("highly probable IDS/IPS detection: '%s'" % desc) |             except: # Some issues with some regex expressions in Python 2.5 | ||||||
|  |                 pass | ||||||
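Review bot: The new bare `except:` around `getCompiledRegex(rule)` and `regObj.search(payload)` swallows every exception, including KeyboardInterrupt and genuine bugs, where the old code caught only `sre_constants.error`. Narrow it to `except sre_constants.error:` (the module is already imported) and add a `logger.debug` line naming the skipped rule's description. A rule that Python's `re` cannot compile is then reported as a coverage gap rather than silently counting as "not detected". Separately, `if not rules:` re-reads the XML on every call when the file yields no filters; `if rules is None:` states the cache check directly.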
|  |  | ||||||
|  | @ -21,7 +21,7 @@ | ||||||
|     </filter> |     </filter> | ||||||
|     <filter> |     <filter> | ||||||
|         <id>69</id> |         <id>69</id> | ||||||
|         <rule><![CDATA[(?:[\s\d\/"]+(?:on\w+|style)=[$"\w])]]></rule> |         <rule><![CDATA[(?:[\s\d\/"]+(?:on\w+|style|poster|background)=[$"\w])]]></rule> | ||||||
|         <description>finds malicious attribute injection attempts</description> |         <description>finds malicious attribute injection attempts</description> | ||||||
|         <tags> |         <tags> | ||||||
|             <tag>xss</tag> |             <tag>xss</tag> | ||||||
|  | @ -71,7 +71,7 @@ | ||||||
|     </filter> |     </filter> | ||||||
|     <filter> |     <filter> | ||||||
|         <id>7</id> |         <id>7</id> | ||||||
|         <rule><![CDATA[(?:\d\s*[|&]{2}\s*\w)|(?:[=(].+\?.+:)|(?:with\([^)]*\)\))|(?:\.\s*source\W)|(?:\?[^:=]+:[^;]+(;|$))]]></rule> |         <rule><![CDATA[(?:[=(].+\?.+:)|(?:with\([^)]*\)\))|(?:\.\s*source\W)]]></rule> | ||||||
|         <description>Detects JavaScript with(), ternary operators and XML predicate attacks</description> |         <description>Detects JavaScript with(), ternary operators and XML predicate attacks</description> | ||||||
|         <tags> |         <tags> | ||||||
|             <tag>xss</tag> |             <tag>xss</tag> | ||||||
|  | @ -81,7 +81,7 @@ | ||||||
|     </filter> |     </filter> | ||||||
|     <filter> |     <filter> | ||||||
|         <id>8</id> |         <id>8</id> | ||||||
|         <rule><![CDATA[(?:\([\w\s]+\([\w\s]+\)[\w\s]+\))|(?:(?<!(?:mozilla\/\d\.\d\s))\([^)[]+\[[^\]]+\][^)]*\))|(?:[^\s!][{([][^({[]+[{([][^}\])]+[}\])][\s+",\d]*[}\])])|(?:"\)?\]\W*\[)|(?:=\s*[^\s:;]+\s*[{([][^}\])]+[}\])];)]]></rule> |         <rule><![CDATA[(?:\/\w*\s*\)\s*\()|(?:\(.*\/.+\/\w*\s*\))|(?:\([\w\s]+\([\w\s]+\)[\w\s]+\))|(?:(?<!(?:mozilla\/\d\.\d\s))\([^)[]+\[[^\]]+\][^)]*\))|(?:[^\s!][{([][^({[]+[{([][^}\])]+[}\])][\s+",\d]*[}\])])|(?:"\)?\]\W*\[)|(?:=\s*[^\s:;]+\s*[{([][^}\])]+[}\])];)]]></rule> | ||||||
|         <description>Detects self-executing JavaScript functions</description> |         <description>Detects self-executing JavaScript functions</description> | ||||||
|         <tags> |         <tags> | ||||||
|             <tag>xss</tag> |             <tag>xss</tag> | ||||||
|  | @ -168,7 +168,7 @@ | ||||||
|     </filter> |     </filter> | ||||||
|     <filter> |     <filter> | ||||||
|         <id>16</id> |         <id>16</id> | ||||||
|         <rule><![CDATA[([^*\s\w,.\/?+-]\s*)?(?<![a-mo-z]\s)(?<![a-z\/_@>\|])(\s*return\s*)?(?:alert|inputbox|showmodaldialog|infinity|isnan|isnull|msgbox|expression|prompt|write(?:ln)?|confirm|dialog|urn|(?:un)?eval|exec|execscript|tostring|status|execute|window|unescape|navigate|jquery|getscript|extend|prototype)(?(1)[^\w%"]|(?:\s*[^@\s\w%",.:\/+\-]))]]></rule> |         <rule><![CDATA[([^*\s\w,.\/?+-]\s*)?(?<![a-mo-z]\s)(?<![a-z\/_@>])(\s*return\s*)?(?:alert|inputbox|showmodaldialog|infinity|isnan|isnull|iterator|msgbox|expression|prompt|write(?:ln)?|confirm|dialog|urn|(?:un)?eval|exec|execscript|tostring|status|execute|window|unescape|navigate|jquery|getscript|extend|prototype)(?(1)[^\w%"]|(?:\s*[^@\s\w%",.:\/+\-]))]]></rule> | ||||||
|         <description>Detects possible includes and typical script methods</description> |         <description>Detects possible includes and typical script methods</description> | ||||||
|         <tags> |         <tags> | ||||||
|             <tag>xss</tag> |             <tag>xss</tag> | ||||||
|  | @ -180,7 +180,7 @@ | ||||||
|     </filter> |     </filter> | ||||||
|     <filter> |     <filter> | ||||||
|         <id>17</id> |         <id>17</id> | ||||||
|         <rule><![CDATA[([^*:\s\w,.\/?+-]\s*)?(?<![a-z]\s)(?<![a-z\/_@>\|])(\s*return\s*)?(?:hash|name|href|navigateandfind|source|pathname|close|constructor|port|protocol|assign|replace|back|forward|document|ownerdocument|window|self|parent|frames|_?content|date|cookie|innerhtml|innertext|csstext+?|outerhtml|print|moveby|resizeto|createstylesheet|stylesheets)(?(1)[^\w%"]|(?:\s*[^@\/\s\w%,.+\-]))]]></rule> |         <rule><![CDATA[([^*:\s\w,.\/?+-]\s*)?(?<![a-z]\s)(?<![a-z\/_@>])(\s*return\s*)?(?:hash|name|href|navigateandfind|source|pathname|close|constructor|port|protocol|assign|replace|back|forward|document|ownerdocument|window|top|this|self|parent|frames|_?content|date|cookie|innerhtml|innertext|csstext+?|outerhtml|print|moveby|resizeto|createstylesheet|stylesheets)(?(1)[^\w%"]|(?:\s*[^@\/\s\w%.+\-]))]]></rule> | ||||||
|         <description>Detects JavaScript object properties and methods</description> |         <description>Detects JavaScript object properties and methods</description> | ||||||
|         <tags> |         <tags> | ||||||
|             <tag>xss</tag> |             <tag>xss</tag> | ||||||
|  | @ -216,7 +216,7 @@ | ||||||
|     </filter> |     </filter> | ||||||
|     <filter> |     <filter> | ||||||
|         <id>20</id> |         <id>20</id> | ||||||
|         <rule><![CDATA[([^*:\s\w,.\/?+-]\s*)?(?<![a-z]\s)(?<![a-z_@>\|])(\s*return\s*)?(?:globalstorage|sessionstorage|postmessage|callee|constructor|content|domain|prototype|try|catch|top|call|apply|url|function|object|array|string|math|if|elseif|case|switch|regex|boolean|location|settimeout|setinterval|void|setexpression|namespace|while)(?(1)[^\w%"]|(?:\s*[^@\s\w%",.+\-]))]]></rule> |         <rule><![CDATA[(?:\)\s*\[)|(?:\/\w*\s*\)\s*\W)|([^*:\s\w,.\/?+-]\s*)?(?<![a-z]\s)(?<![a-z_@>\|])(\s*return\s*)?(?:globalstorage|sessionstorage|postmessage|callee|constructor|content|domain|prototype|try|catch|top|call|apply|url|function|object|array|string|math|if|for\s*(?:each)?|elseif|case|switch|regex|boolean|location|settimeout|setinterval|void|setexpression|namespace|while)(?(1)[^\w%"]|(?:\s*[^@\s\w%".+\-]))]]></rule> | ||||||
|         <description>Detects JavaScript language constructs</description> |         <description>Detects JavaScript language constructs</description> | ||||||
|         <tags> |         <tags> | ||||||
|             <tag>xss</tag> |             <tag>xss</tag> | ||||||
|  | @ -240,7 +240,7 @@ | ||||||
|     </filter> |     </filter> | ||||||
|     <filter> |     <filter> | ||||||
|         <id>22</id> |         <id>22</id> | ||||||
|         <rule><![CDATA[(?:[^\s]\s*=\s*script)|(?:\.\s*constructor)|(?:default\s+xml\s+namespace\s*=)|(?:\/\s*\+[^+]+\s*\+\s*\/)]]></rule> |         <rule><![CDATA[(?:=\s*(?:top|this|window|content|self|frames|_content))|(?:\/\s*\w*\s*[)}])|(?:[^\s]\s*=\s*script)|(?:\.\s*constructor)|(?:default\s+xml\s+namespace\s*=)|(?:\/\s*\+[^+]+\s*\+\s*\/)]]></rule> | ||||||
|         <description>Detects advanced XSS probings via Script(), RexExp, constructors and XML namespaces</description> |         <description>Detects advanced XSS probings via Script(), RexExp, constructors and XML namespaces</description> | ||||||
|         <tags> |         <tags> | ||||||
|             <tag>xss</tag> |             <tag>xss</tag> | ||||||
|  | @ -424,7 +424,7 @@ | ||||||
|     </filter>    |     </filter>    | ||||||
|     <filter> |     <filter> | ||||||
|         <id>40</id> |         <id>40</id> | ||||||
|         <rule><![CDATA[(?:"\s*(?:#|--|{))|(?:\/\*!\s?\d+)|(?:ch(?:a)?r\s*\(\s*\d)|(?:(?:(n?and|x?or|not)\s+|\|\||\&\&)\s*\w+\()]]></rule> |         <rule><![CDATA[(?:\)\s*when\s*\d+\s*then)|(?:"\s*(?:#|--|{))|(?:\/\*!\s?\d+)|(?:ch(?:a)?r\s*\(\s*\d)|(?:(?:(n?and|x?or|not)\s+|\|\||\&\&)\s*\w+\()]]></rule> | ||||||
|         <description>Detects MySQL comments, conditions and ch(a)r injections</description> |         <description>Detects MySQL comments, conditions and ch(a)r injections</description> | ||||||
|         <tags> |         <tags> | ||||||
|             <tag>sqli</tag> |             <tag>sqli</tag> | ||||||
|  | @ -435,18 +435,18 @@ | ||||||
|     </filter>    |     </filter>    | ||||||
|     <filter> |     <filter> | ||||||
|         <id>41</id> |         <id>41</id> | ||||||
|         <rule><![CDATA[(?:\)\s*like\s*\()|(?:having\s*[^\s]+\s*[^\w\s])|(?:if\s?\([\d\w]\s*[=<>~])]]></rule> |         <rule><![CDATA[(?:[\s()]case\s*\()|(?:\)\s*like\s*\()|(?:having\s*[^\s]+\s*[^\w\s])|(?:if\s?\([\d\w]\s*[=<>~])]]></rule> | ||||||
|         <description>Detects conditional SQL injection attempts</description> |         <description>Detects conditional SQL injection attempts</description> | ||||||
|         <tags> |         <tags> | ||||||
|             <tag>sqli</tag> |             <tag>sqli</tag> | ||||||
|             <tag>id</tag> |             <tag>id</tag> | ||||||
|             <tag>lfi</tag> |             <tag>lfi</tag> | ||||||
|         </tags> |         </tags> | ||||||
|         <impact>4</impact> |         <impact>6</impact> | ||||||
|     </filter>    |     </filter>    | ||||||
|     <filter> |     <filter> | ||||||
|         <id>42</id> |         <id>42</id> | ||||||
|         <rule><![CDATA[(?:\\x(?:23|27|3d))|(?:^.?"$)|(?:^.*\\".+(?<!\\)")|(?:(?:^["\\]*(?:[\d"]+|[^"]+"))+\s*(?:n?and|x?or|not|\|\||\&\&)\s*[\w"[+&!@(),.-])|(?:[^\w\s]\w+\s*[|-]\s*"\s*\w)|(?:@\w+\s+(and|or)\s*["\d]+)|(?:@[\w-]+\s(and|or)\s*[^\w\s])|(?:[^\w\s:]\s*\d\W+[^\w\s]\s*".)]]></rule> |         <rule><![CDATA[(?:"\s*or\s*\d)|(?:\\x(?:23|27|3d))|(?:^.?"$)|(?:^.*\\".+(?<!\\)")|(?:(?:^["\\]*(?:[\d"]+|[^"]+"))+\s*(?:n?and|x?or|not|\|\||\&\&)\s*[\w"[+&!@(),.-])|(?:[^\w\s]\w+\s*[|-]\s*"\s*\w)|(?:@\w+\s+(and|or)\s*["\d]+)|(?:@[\w-]+\s(and|or)\s*[^\w\s])|(?:[^\w\s:]\s*\d\W+[^\w\s]\s*".)]]></rule> | ||||||
|         <description>Detects classic SQL injection probings 1/2</description> |         <description>Detects classic SQL injection probings 1/2</description> | ||||||
|         <tags> |         <tags> | ||||||
|             <tag>sqli</tag> |             <tag>sqli</tag> | ||||||
|  | @ -490,7 +490,7 @@ | ||||||
|     </filter> |     </filter> | ||||||
|      <filter> |      <filter> | ||||||
|         <id>46</id> |         <id>46</id> | ||||||
|         <rule><![CDATA[(?:(?:n?and|x?or|not |\|\||\&\&)\s+[\s\w+]+(?:regexp\s*\(|sounds\s+like\s*"|[=\d]+x))|("\s*\d\s*(?:--|#))|(?:"[%&<>^=]+\d\s*(=|or))|(?:"\W+[\w+-]+\s*=\s*\d\W+")|(?:"\s*is\s*\d.+"?\w)|(?:"\|?[\w-]{3,}[^\w\s.,]+")|(?:"\s*is\s*[\d.]+\s*\W.*")]]></rule> |         <rule><![CDATA[(?:in\s*\(+\s*select)|(?:(?:n?and|x?or|not |\|\||\&\&)\s+[\s\w+]+(?:regexp\s*\(|sounds\s+like\s*"|[=\d]+x))|("\s*\d\s*(?:--|#))|(?:"[%&<>^=]+\d\s*(=|or))|(?:"\W+[\w+-]+\s*=\s*\d\W+")|(?:"\s*is\s*\d.+"?\w)|(?:"\|?[\w-]{3,}[^\w\s.,]+")|(?:"\s*is\s*[\d.]+\s*\W.*")]]></rule> | ||||||
|         <description>Detects basic SQL authentication bypass attempts 3/3</description> |         <description>Detects basic SQL authentication bypass attempts 3/3</description> | ||||||
|         <tags> |         <tags> | ||||||
|             <tag>sqli</tag> |             <tag>sqli</tag> | ||||||
|  | @ -501,7 +501,7 @@ | ||||||
|     </filter>  |     </filter>  | ||||||
|     <filter> |     <filter> | ||||||
|         <id>47</id> |         <id>47</id> | ||||||
|         <rule><![CDATA[(?:^[\W\d]+\s*(?:union|select|create|rename|truncate|load|alter|delete|update|insert|desc))|(?:(?:select|create|rename|truncate|load|alter|delete|update|insert|desc)\s+(?:concat|char|load_file)\s?\(?)|(?:end\s*\);)|("\s+regexp\W)]]></rule> |         <rule><![CDATA[(?:^[\W\d]+\s*(?:union|select|create|rename|truncate|load|alter|delete|update|insert|desc))|(?:(?:select|create|rename|truncate|load|alter|delete|update|insert|desc)\s+(?:concat|char|load_file)\s?\(?)|(?:end\s*\);)|("\s+regexp\W)|(?:[\s(]load_file\s*\()]]></rule> | ||||||
|         <description>Detects concatenated basic SQL injection and SQLLFI attempts</description> |         <description>Detects concatenated basic SQL injection and SQLLFI attempts</description> | ||||||
|         <tags> |         <tags> | ||||||
|             <tag>sqli</tag> |             <tag>sqli</tag> | ||||||
|  | @ -512,7 +512,7 @@ | ||||||
|     </filter> |     </filter> | ||||||
|     <filter> |     <filter> | ||||||
|         <id>48</id> |         <id>48</id> | ||||||
|         <rule><![CDATA[(?:\/\w+;?\s+(?:having|and|or|select))|(?:\d\s+group\s+by.+\()|(?:(?:;|#|--)\s*(?:drop|alter))|(?:(?:;|#|--)\s*(?:update|insert)\s*\w{2,})|(?:[^\w]SET\s*@\w+)|(?:(?:n?and|x?or|not |\|\||\&\&)\s+\w+[!=+]+[\s\d]*["=(])]]></rule> |         <rule><![CDATA[(?:\d+\s*or\s*\d+\s*[\-+])|(?:\/\w+;?\s+(?:having|and|or|select))|(?:\d\s+group\s+by.+\()|(?:(?:;|#|--)\s*(?:drop|alter))|(?:(?:;|#|--)\s*(?:update|insert)\s*\w{2,})|(?:[^\w]SET\s*@\w+)|(?:(?:n?and|x?or|not |\|\||\&\&)[\s(]+\w+[\s)]*[!=+]+[\s\d]*["=()])]]></rule> | ||||||
|         <description>Detects chained SQL injection attempts 1/2</description> |         <description>Detects chained SQL injection attempts 1/2</description> | ||||||
|         <tags> |         <tags> | ||||||
|             <tag>sqli</tag> |             <tag>sqli</tag> | ||||||
|  | @ -522,7 +522,7 @@ | ||||||
|     </filter> |     </filter> | ||||||
|     <filter> |     <filter> | ||||||
|         <id>49</id> |         <id>49</id> | ||||||
|         <rule><![CDATA[(?:\*\/from)|(?:\+\s*\d+\s*\+\s*@)|(?:\w"\s*(?:[-+=|@]+\s*)+[\d(])|(?:coalesce\s*\(|@@\w+\s*[^\w\s])|(?:\W!+"\w)|(?:";\s*(?:if|while|begin))|(?:"[\s\d]+=\s*\d)|(?:order\s+by\s+if\w*\s*\()]]></rule> |         <rule><![CDATA[(?:\(\s*select\s*\w+\s*\()|(?:\*\/from)|(?:\+\s*\d+\s*\+\s*@)|(?:\w"\s*(?:[-+=|@]+\s*)+[\d(])|(?:coalesce\s*\(|@@\w+\s*[^\w\s])|(?:\W!+"\w)|(?:";\s*(?:if|while|begin))|(?:"[\s\d]+=\s*\d)|(?:order\s+by\s+if\w*\s*\()|(?:[\s(]+case\d*\W.+[tw]hen[\s(])]]></rule> | ||||||
|         <description>Detects chained SQL injection attempts 2/2</description> |         <description>Detects chained SQL injection attempts 2/2</description> | ||||||
|         <tags> |         <tags> | ||||||
|             <tag>sqli</tag> |             <tag>sqli</tag> | ||||||
|  | @ -532,7 +532,7 @@ | ||||||
|     </filter> |     </filter> | ||||||
|     <filter> |     <filter> | ||||||
|         <id>50</id> |         <id>50</id> | ||||||
|         <rule><![CDATA[(?:(select|;)\s+(?:benchmark|if|sleep)\s?\(\s?\(?\s?\w+)]]></rule> |         <rule><![CDATA[(?:(select|;)\s+(?:benchmark|if|sleep)\s*?\(\s*\(?\s*\w+)]]></rule> | ||||||
|         <description>Detects SQL benchmark and sleep injection attempts including conditional queries</description> |         <description>Detects SQL benchmark and sleep injection attempts including conditional queries</description> | ||||||
|         <tags> |         <tags> | ||||||
|             <tag>sqli</tag> |             <tag>sqli</tag> | ||||||
|  | @ -582,7 +582,7 @@ | ||||||
|     </filter> |     </filter> | ||||||
|     <filter> |     <filter> | ||||||
|         <id>55</id> |         <id>55</id> | ||||||
|         <rule><![CDATA[(?:"\s*!\s*["\w])|(?:from\s+information_schema\W)|(?:(?:(?:current_)?user|database|schema|connection_id)\s*\([^\)]*)|(?:";?\s*(?:select|union|having)\s*[^\s)|(?:\wiif\s*\()|(?:exec\s+master\.)|(?:union select @)|(?:union[\w(\s]*select)|(?:select.*\w?user\()|(?:into[\s+]+(?:dump|out)file\s*")]]></rule> |         <rule><![CDATA[(?:"\s*!\s*["\w])|(?:from\s+information_schema\W)|(?:(?:(?:current_)?user|database|schema|connection_id)\s*\([^\)]*)|(?:";?\s*(?:select|union|having)\s*[^\s])|(?:\wiif\s*\()|(?:exec\s+master\.)|(?:union select @)|(?:union[\w(\s]*select)|(?:select.*\w?user\()|(?:into[\s+]+(?:dump|out)file\s*")]]></rule> | ||||||
|         <description>Detects MSSQL code execution and information gathering attempts</description> |         <description>Detects MSSQL code execution and information gathering attempts</description> | ||||||
|         <tags> |         <tags> | ||||||
|             <tag>sqli</tag> |             <tag>sqli</tag> | ||||||
|  | @ -728,4 +728,13 @@ | ||||||
|         </tags> |         </tags> | ||||||
|         <impact>4</impact> |         <impact>4</impact> | ||||||
|     </filter> |     </filter> | ||||||
|  |     <filter> | ||||||
|  |         <id>70</id> | ||||||
|  |         <rule><![CDATA[(?:\[\$(?:ne|eq|lte?|gte?|n?in|mod|all|size|exists|type|slice|or)\])]]></rule> | ||||||
|  |         <description>finds basic MongoDB SQL injection attempts</description> | ||||||
|  |         <tags> | ||||||
|  |             <tag>sqli</tag> | ||||||
|  |         </tags> | ||||||
|  |         <impact>4</impact> | ||||||
|  |     </filter> | ||||||
| </filters> | </filters> | ||||||