SQL Injection Strings In URI
Detects potential SQL injection attempts via GET requests in access logs.
Sigma rule:

```yaml
title: SQL Injection Strings In URI
id: 5513deaf-f49a-46c2-a6c8-3f111b5cb453
status: test
description: Detects potential SQL injection attempts via GET requests in access logs.
references:
    - https://www.acunetix.com/blog/articles/exploiting-sql-injection-example/
    - https://www.acunetix.com/blog/articles/using-logs-to-investigate-a-web-application-attack/
    - https://brightsec.com/blog/sql-injection-payloads/
    - https://github.com/payloadbox/sql-injection-payload-list
    - https://book.hacktricks.xyz/pentesting-web/sql-injection/mysql-injection
author: Saw Win Naung, Nasreddine Bencherchali (Nextron Systems), Thurein Oo (Yoma Bank)
date: 2020-02-22
modified: 2023-09-04
tags:
    - attack.initial-access
    - attack.t1190
logsource:
    category: webserver
detection:
    selection:
        cs-method: 'GET'
    keywords:
        - '@@version'
        - '%271%27%3D%271'
        - '=select '
        - '=select('
        - '=select%20'
        - 'concat_ws('
        - 'CONCAT(0x'
        - 'from mysql.innodb_table_stats'
        - 'from%20mysql.innodb_table_stats'
        - 'group_concat('
        - 'information_schema.tables'
        - 'json_arrayagg('
        - 'or 1=1#'
        - 'or%201=1#'
        - 'order by '
        - 'order%20by%20'
        - 'select * '
        - 'select database()'
        - 'select version()'
        - 'select%20*%20'
        - 'select%20database()'
        - 'select%20version()'
        - 'select%28sleep%2810%29'
        - 'SELECTCHAR('
        - 'table_schema'
        - 'UNION ALL SELECT'
        - 'UNION SELECT'
        - 'UNION%20ALL%20SELECT'
        - 'UNION%20SELECT'
        - "'1'='1"
    filter_main_status:
        sc-status: 404
    condition: selection and keywords and not 1 of filter_main_*
falsepositives:
    - Java scripts and CSS Files
    - User searches in search boxes of the respective website
    - Internal vulnerability scanners can cause some serious FPs when used, if you experience a lot of FPs due to this think of adding more filters such as "User Agent" strings and more response codes
level: high
```
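To make the detection logic concrete, here is an added Python example (not part of the SigmaHQ rule or its tooling) that applies the rule's three parts, the `GET` selection, the case-insensitive keyword match over the whole event and the `sc-status: 404` filter, to constructed combined-format access log lines; the keyword list is a subset of the rule's and the log format is an assumption.

```python
import re

# Subset of the rule's keywords (added example; the full list is in the rule above).
SQLI_KEYWORDS = [
    "@@version", "%271%27%3D%271", "=select ", "=select(", "=select%20",
    "concat_ws(", "CONCAT(0x", "group_concat(", "information_schema.tables",
    "or 1=1#", "or%201=1#", "order by ", "order%20by%20", "select * ",
    "select database()", "select version()", "select%28sleep%2810%29",
    "table_schema", "UNION ALL SELECT", "UNION SELECT",
    "UNION%20ALL%20SELECT", "UNION%20SELECT", "'1'='1",
]

# Combined log format as written by Apache/nginx (assumed for the constructed samples).
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]+" (?P<status>\d{3}) \S+'
)

def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def match_rule(line):
    """Return the first matching keyword when the line satisfies the rule, else None."""
    rec = parse_line(line)
    if rec is None or rec["method"] != "GET":      # selection: cs-method 'GET'
        return None
    if int(rec["status"]) == 404:                   # filter_main_status: sc-status 404
        return None
    lowered = line.lower()                          # Sigma string matching is case-insensitive
    for kw in SQLI_KEYWORDS:                        # keywords: match anywhere in the event
        if kw.lower() in lowered:
            return kw
    return None

# Constructed sample access log lines: three should alert, three should not.
SAMPLE_LOG = [
    '203.0.113.5 - - [22/Feb/2020:10:00:01 +0000] "GET /products?id=1%20UNION%20SELECT%201,2,3 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [22/Feb/2020:10:00:02 +0000] "GET /admin?user=admin%27%20or%20%271%27%3D%271 HTTP/1.1" 404 0 "-" "curl/7.68.0"',
    '198.51.100.7 - - [22/Feb/2020:10:00:03 +0000] "GET /search?q=best+order+for+reading HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [22/Feb/2020:10:00:04 +0000] "POST /api?x=UNION%20SELECT HTTP/1.1" 200 12 "-" "curl/7.68.0"',
    '203.0.113.5 - - [22/Feb/2020:10:00:05 +0000] "GET /news.php?id=1%27%20order%20by%2010-- HTTP/1.1" 500 301 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [22/Feb/2020:10:00:06 +0000] "GET /item?id=1%20AND%20(select%28sleep%2810%29) HTTP/1.1" 200 77 "-" "Mozilla/5.0"',
]

def scan(lines):
    """Return (uri, keyword) for every line the rule would alert on."""
    return [(parse_line(ln)["uri"], kw) for ln in lines if (kw := match_rule(ln))]
```

The second sample carries an injection string but is suppressed by the 404 filter, and the fourth is a POST, which is why the rule as written only covers payloads visible in a logged GET request line.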