SQL Injection Strings
Detects SQL Injection attempts via GET requests in access logs
Sigma rule
```yaml
title: SQL Injection Strings
id: 5513deaf-f49a-46c2-a6c8-3f111b5cb453
status: test
description: Detects SQL Injection attempts via GET requests in access logs
references:
    - https://www.acunetix.com/blog/articles/exploiting-sql-injection-example/
    - https://www.acunetix.com/blog/articles/using-logs-to-investigate-a-web-application-attack/
    - https://brightsec.com/blog/sql-injection-payloads/
    - https://github.com/payloadbox/sql-injection-payload-list
author: Saw Win Naung, Nasreddine Bencherchali (Nextron Systems)
date: 2020/02/22
modified: 2022/07/25
logsource:
    category: webserver
detection:
    select_method:
        cs-method: 'GET'
    keywords:
        - '=select '
        - '=select%20'
        - '=select('
        - 'UNION SELECT'
        - 'UNION%20SELECT'
        - 'UNION ALL SELECT'
        - 'UNION%20ALL%20SELECT'
        - 'CONCAT(0x'
        - 'order by '
        - 'order%20by%20'
        - 'information_schema.tables'
        - 'group_concat('
        - 'table_schema'
        - 'select%28sleep%2810%29'
        - '@@version'
        - "'1'='1"
        - '%271%27%3D%271'
        - 'SELECTCHAR('
        - 'select * '
        - 'select%20*%20'
        - 'or 1=1#'
        - 'or%201=1#'
    filter:
        sc-status: 404
    condition: select_method and keywords and not 1 of filter*
fields:
    - client_ip
    - vhost
    - url
    - response
falsepositives:
    - Java scripts and CSS Files
    - User searches in search boxes of the respective website
    - Internal vulnerability scanners can cause some serious FPs when used, if you experience a lot of FPs due to this think of adding more filters such as "User Agent" strings and more response codes
level: high
```
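To see what the condition `select_method and keywords and not 1 of filter*` actually selects, the following is an added example (not part of the rule or of the SigmaHQ project) that applies the rule's logic in Python to a handful of constructed access-log lines. It assumes the Apache/nginx "combined" log layout, maps `cs-method` and `sc-status` to the parsed request line and status code, and follows the Sigma convention that a keyword list matches case-insensitively anywhere in the event. The IP addresses and URLs are constructed sample data.

```python
import re
from typing import Dict, List, Optional

# Keywords copied verbatim from the rule's `keywords` list
SQLI_KEYWORDS: List[str] = [
    "=select ", "=select%20", "=select(",
    "UNION SELECT", "UNION%20SELECT", "UNION ALL SELECT", "UNION%20ALL%20SELECT",
    "CONCAT(0x", "order by ", "order%20by%20",
    "information_schema.tables", "group_concat(", "table_schema",
    "select%28sleep%2810%29", "@@version", "'1'='1", "%271%27%3D%271",
    "SELECTCHAR(", "select * ", "select%20*%20", "or 1=1#", "or%201=1#",
]

# Apache/nginx "combined" format (assumed log layout for this example):
# client ident user [time] "METHOD path proto" status bytes "referer" "user-agent"
COMBINED_RE = re.compile(
    r'^(?P<client_ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<user_agent>[^"]*)"$'
)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one combined-format line into named fields; None if it does not parse."""
    m = COMBINED_RE.match(line)
    return m.groupdict() if m else None


def matched_keywords(line: str) -> List[str]:
    """Sigma keyword lists match case-insensitively as substrings of the whole event."""
    lowered = line.lower()
    return [k for k in SQLI_KEYWORDS if k.lower() in lowered]


def evaluate(line: str) -> Optional[Dict[str, object]]:
    """Apply `select_method and keywords and not 1 of filter*` to one line.

    Returns the rule's `fields` (plus the keywords that fired) for a hit,
    or None when the line does not match or is suppressed by the filter.
    """
    ev = parse_line(line)
    if ev is None:
        return None
    if ev["method"] != "GET":          # select_method: cs-method: 'GET'
        return None
    hits = matched_keywords(line)      # keywords: any single keyword suffices
    if not hits:
        return None
    if ev["status"] == "404":          # filter: sc-status: 404 -> suppressed
        return None
    return {
        "client_ip": ev["client_ip"],
        "url": ev["url"],
        "response": ev["status"],
        "keywords": hits,
    }


def scan(lines: List[str]) -> List[Dict[str, object]]:
    """Run the rule over a batch of log lines and collect the alerts in order."""
    return [hit for hit in map(evaluate, lines) if hit is not None]


# Constructed sample log lines (documentation IP ranges, made-up paths)
SAMPLE_LOG = [
    # UNION-based probe answered with 200: should alert
    '203.0.113.5 - - [22/Feb/2020:10:15:01 +0000] "GET /product.php?id=1%20UNION%20SELECT%20username,password%20FROM%20users HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    # Same client, tautology payload, but the page is a 404: suppressed by the filter
    '203.0.113.5 - - [22/Feb/2020:10:15:02 +0000] "GET /old.php?id=1%27%20or%201=1# HTTP/1.1" 404 221 "-" "Mozilla/5.0"',
    # Keyword in a POST URL: the rule only selects GET requests
    '198.51.100.7 - - [22/Feb/2020:10:16:40 +0000] "POST /api/items?q=UNION%20SELECT HTTP/1.1" 200 88 "-" "curl/7.68.0"',
    # Ordinary search-box query containing "order by": the false positive the rule warns about
    '192.0.2.44 - - [22/Feb/2020:10:17:12 +0000] "GET /search?q=order%20by%20date HTTP/1.1" 200 3301 "https://example.test/" "Mozilla/5.0"',
    # Static asset, nothing suspicious
    '192.0.2.44 - - [22/Feb/2020:10:17:13 +0000] "GET /static/app.js HTTP/1.1" 200 14020 "https://example.test/" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

Running it yields two alerts: the UNION probe and the benign `order by date` search. The second one is exactly the search-box false positive listed under `falsepositives`; the 404 line shows why the `sc-status` filter exists, and it is also why the rule's note suggests extending the filter with User-Agent strings and further response codes when internal scanners make the rule noisy.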