rules/web/web_sql_injection_in_access_logs.yml

title: SQL Injection Strings
id: 5513deaf-f49a-46c2-a6c8-3f111b5cb453
status: test
description: Detects SQL Injection attempts via GET requests in access logs
author: Saw Win Naung, Nasreddine Bencherchali
date: 2020/02/22
modified: 2022/06/27
references:
    - https://www.acunetix.com/blog/articles/exploiting-sql-injection-example/
    - https://www.acunetix.com/blog/articles/using-logs-to-investigate-a-web-application-attack/
    - https://brightsec.com/blog/sql-injection-payloads/
    - https://github.com/payloadbox/sql-injection-payload-list
logsource:
    category: webserver
detection:
    select_method:
        cs-method: 'GET'
    keywords:
        - '=select'
        - 'UNION SELECT'
        - 'UNION%20SELECT'
        - 'UNION ALL SELECT'
        - 'UNION%20ALL%20SELECT'
        - 'CONCAT(0x'
        - 'order by '
        - 'order%20by%20'
        - 'information_schema.tables'
        - 'group_concat('
        - 'table_schema'
        - 'select%28sleep%2810%29'
        - '@@version'
        - "'1'='1"
        - '%271%27%3D%271'
        - 'SELECTCHAR('
        - 'select * '
        - 'select%20*%20'
        - 'or 1=1#'
        - 'or%201=1#'
    filter:
        sc-status: 404
    filter_fps:
        - '=select2'
    condition: select_method and keywords and not 1 of filter*
fields:
    - client_ip
    - vhost
    - url
    - response
falsepositives:
    - Java scripts and CSS Files
    - User searches in search boxes of the respective website
    - Internal vulnerability scanners can cause some serious FPs when used, if you experience a lot of FPs due to this think of adding more filters such as "User Agent" strings and more response codes
level: high
Rename+Update 2022-06-14 21:58:34 +01:00			`title: SQL Injection Strings`
			`id: 5513deaf-f49a-46c2-a6c8-3f111b5cb453`
			`status: test`
			`description: Detects SQL Injection attempts via GET requests in access logs`
			`author: Saw Win Naung, Nasreddine Bencherchali`
			`date: 2020/02/22`
fix: FP found in webserver logs 2022-06-27 16:46:18 +02:00			`modified: 2022/06/27`
Rename+Update 2022-06-14 21:58:34 +01:00			`references:`
			`- https://www.acunetix.com/blog/articles/exploiting-sql-injection-example/`
			`- https://www.acunetix.com/blog/articles/using-logs-to-investigate-a-web-application-attack/`
			`- https://brightsec.com/blog/sql-injection-payloads/`
			`- https://github.com/payloadbox/sql-injection-payload-list`
			`logsource:`
			`category: webserver`
			`detection:`
Added "GET" method selection 2022-06-15 11:29:31 +01:00			`select_method:`
Quick typo fix 2022-06-15 11:38:34 +01:00			`cs-method: 'GET'`
Rename+Update 2022-06-14 21:58:34 +01:00			`keywords:`
			`- '=select'`
			`- 'UNION SELECT'`
			`- 'UNION%20SELECT'`
			`- 'UNION ALL SELECT'`
			`- 'UNION%20ALL%20SELECT'`
			`- 'CONCAT(0x'`
			`- 'order by '`
			`- 'order%20by%20'`
			`- 'information_schema.tables'`
			`- 'group_concat('`
			`- 'table_schema'`
			`- 'select%28sleep%2810%29'`
			`- '@@version'`
			`- "'1'='1"`
			`- '%271%27%3D%271'`
			`- 'SELECTCHAR('`
			`- 'select * '`
			`- 'select%20*%20'`
			`- 'or 1=1#'`
			`- 'or%201=1#'`
Add FP filter + FP remark 2022-06-15 11:48:15 +01:00			`filter:`
			`sc-status: 404`
fix: FP found in webserver logs 2022-06-27 16:46:18 +02:00			`filter_fps:`
			`- '=select2'`
			`condition: select_method and keywords and not 1 of filter*`
Rename+Update 2022-06-14 21:58:34 +01:00			`fields:`
			`- client_ip`
			`- vhost`
			`- url`
			`- response`
			`falsepositives:`
			`- Java scripts and CSS Files`
			`- User searches in search boxes of the respective website`
Add FP filter + FP remark 2022-06-15 11:48:15 +01:00			`- Internal vulnerability scanners can cause some serious FPs when used, if you experience a lot of FPs due to this think of adding more filters such as "User Agent" strings and more response codes`
Rename+Update 2022-06-14 21:58:34 +01:00			`level: high`