Description

The blacklist algorithm is one of the three methods of Shadow Daemon to identify malicious requests. It searches for known attack patterns in the user input.

Layout

Flowchart blacklist

The blacklist algorithm uses regular expressions to identify known attack patterns. Every filter has a numerical impact that tries to specify the dangerousness and its unambiguity. The impacts of all matching filters are aggregated and compared to a threshold. If the total impact is greater than the threshold the input is classified as a threat.

Security

Be aware that a blacklist does not guarantee perfect security. It is good at detecting a majority of common attack patterns, but there will be always techniques it does not know and therefore does not detect. Once attackers are able to execute own code they have many ways to obfuscate their payloads and thus decrease the impact value even further. To compensate for this make sure to use a very low global impact threshold and only increase it via rules for specific user input if necessary.

Filters

The base impact of a filter is determined by the dangerousness of successful exploitation. A low risk of false-positives is rewarded, whereas a high risk of false-positives is penalized. If multiple filters are overlapping this is also penalized, depending on how big the chances are that the same pattern is detected more than once.

If you have suggestions for existing or new filters feel free to open an issue.

1

Regular Expression: \(\)\s*\{.*?;\s*\}\s*;

Description: Shellshock (CVE-2014-6271)

Tags:

  • rce
  • bash

Impact: 9

  • Command execution [8]
  • Low risk of false-positives [1]

Resources:

Examples:

  • env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

2

Regular Expression: \(\)\s*\{.*?\(.*?\).*?=>.*?\\'

Description: Shellshock (CVE-2014-7169)

Tags:

  • rce
  • bash

Impact: 9

  • Command execution [8]
  • Low risk of false-positives [1]

Resources:

Examples:

  • env X='() { (a)=>\' bash -c "echo date"; cat echo

3

Regular Expression: \{\{.*?\}\}

Description: Flask curly syntax

Tags:

  • rce
  • id

Impact: 4

  • Command execution [6]
  • Mediocre risk of false-positives [-2]

Resources:

Examples:

  • {{foo.bar}}

4

Regular Expression: \bfind_in_set\b.*?\(.+?,.+?\)

Description: Common MySQL function “find_in_set”

Tags:

  • sqli
  • mysql

Impact: 6

  • SQL injection [6]
  • Low risk of false-positives [0]

Resources:

Examples:

  • SELECT FIND_IN_SET('b','a,b,c,d')

5

Regular Expression: ["'].*?>

Description: HTML breaking

Tags:

  • xss

Impact: 3

  • Cross-site scripting [6]
  • Mediocre risk of false-positives [-3]

Examples:

  • ">

6

Regular Expression: \bsqlite_master\b

Description: SQLite information disclosure “sqlite_master”

Tags:

  • sqli
  • sqlite

Impact: 7

  • SQL injection [6]
  • Low risk of false-positives [1]

Examples:

  • SELECT name FROM sqlite_master

7

Regular Expression: \bmysql.*?\..*?user\b

Description: MySQL information disclosure “mysql.user”

Tags:

  • sqli
  • mysql

Impact: 3

  • SQL injection [6]
  • Mediocre risk of false-positives [-3]

Examples:

  • SELECT user FROM mysql.user

8

Regular Expression: #.+?\)["\s]*>

Description: HTML breaking

Tags:

  • xss

Impact: 5

  • Cross-site scripting [6]
  • Low risk of false-positives [-1]

Examples:

  • #foo)">

9

Regular Expression: ['"][,;\s]+\w*[\[\(]

Description: HTML breaking

Tags:

  • xss

Impact: 3

  • Cross-site scripting [6]
  • Mediocre risk of false-positives [-3]

Examples:

  • "; foo(

10

Regular Expression: >.*?<\s*\/?[\w\s]+>

Description: Unquoted HTML breaking with closing tag

Tags:

  • xss

Impact: 3

  • Cross-site scripting [6]
  • Mediocre risk of false-positives [-3]

Examples:

  • ></foo>

11

Regular Expression: \blocation\b.*?\..*?\bhash\b

Description: JavaScript “location.hash”

Tags:

  • xss

Impact: 2

  • Cross-site scripting [6]
  • High risk of false-positives [-4]

Examples:

  • location.hash.slice(1)

12

Regular Expression: \bwith\b\s*\(.+?\)[\s\w]+\(

Description: Self-contained payload

Tags:

  • xss

Impact: 6

  • Cross-site scripting [6]
  • Low risk of false-positives [0]

Resources:

Examples:

  • with(location)with(hash)eval(substring(1))

13

Regular Expression: (\b(do|while|for)\b.*?\([^)]*\).*?\{)|(\}.*?\b(do|while|for)\b.*?\([^)]*\))

Description: C-style loops

Tags:

  • rce
  • xss
  • dos

Impact: 4

  • Common code pattern [6]
  • Mediocre risk of false-positives [-2]

Examples:

  • while (true) {fork();}
  • {fork();} while (true);

14

Regular Expression: [=(].+?\?.+?:

Description: C-style ternary operator

Tags:

  • rce
  • xss

Impact: 2

  • Common code pattern [6]
  • High risk of false-positives [-4]

Examples:

  • 1=1 ? true : false

15

Regular Expression: \\u00[a-f0-9]{2}

Description: Octal entity

Tags:

  • rce
  • xss

Impact: 1

  • Common code pattern [5]
  • High risk of false-positives [-4]

Examples:

  • \u00ff

16

Regular Expression: \\x0*[a-f0-9]{2}

Description: Hex entity

Tags:

  • rce
  • xss

Impact: 1

  • Common code pattern [5]
  • High risk of false-positives [-4]

Examples:

  • \x0ff

17

Regular Expression: \\\d{2,3}

Description: Unicode entity

Tags:

  • rce
  • xss

Impact: 1

  • Common code pattern [5]
  • High risk of false-positives [-4]

Examples:

  • \01

18

Regular Expression: \.\.[\/\\]

Description: Directory traversal

Tags:

  • lfi

Impact: 4

  • Information disclosure / command execution [8]
  • High risk of false-positives [-4]

Examples:

  • ../../etc/passwd

19

Regular Expression: %(c0\.|af\.|5c\.)

Description: Directory traversal unicode + urlencoding

Tags:

  • lfi

Impact: 4

  • Information disclosure / command execution [8]
  • High risk of false-positives [-4]

Resources:

Examples:

  • %c0.
  • %af.
  • %5c.

20

Regular Expression: %2e%2e[\/\\]

Description: Directory traversal urlencoding

Tags:

  • lfi

Impact: 4

  • Information disclosure / command execution [8]
  • High risk of false-positives [-4]

Examples:

  • %2e%2e/%2e%2e/etc/passwd

21

Regular Expression: %c0%ae[\/\\]

Description: Directory traversal unicode + urlencoding

Tags:

  • lfi

Impact: 4

  • Information disclosure / command execution [8]
  • High risk of false-positives [-4]

Resources:

Examples:

  • %c0%ae/%c0%ae/etc/passwd

22

Regular Expression: \.(ht(access|passwd|group))|(apache|httpd)\d?\.conf

Description: Common Apache files

Tags:

  • lfi

Impact: 4

  • Information disclosure [6]
  • Mediocre risk of false-positives [-2]

Examples:

  • ../.htaccess
  • /etc/apache/httpd.conf
  • /etc/apache2/apache2.conf

23

Regular Expression: \/etc\/[.\/]*(passwd|shadow|master\.passwd)

Description: Common Unix files

Tags:

  • lfi
  • unix

Impact: 4

  • Information disclosure [6]
  • Mediocre risk of false-positives [-2]

Examples:

  • /etc/shadow
  • /etc/./passwd

24

Regular Expression: \bdata:.*?,

Description: Data URI scheme

Tags:

  • xss

Impact: 2

  • Cross-site scripting [6]
  • High risk of false-positives [-4]

Resources:

Examples:

  • data:image/png;base64,foo

25

Regular Expression: ;base64|base64,

Description: Data URI scheme “base64”

Tags:

  • xss

Impact: 2

  • Cross-site scripting [6]
  • High risk of false-positives [-4]

Resources:

Examples:

  • data:image/png;base64,foo

26

Regular Expression: php:\/\/filter

Description: PHP input/output stream filter

Tags:

  • lfi
  • rce
  • php

Impact: 6

  • Obfuscation / file disclosure [6]
  • Low risk of false-positives [0]

Resources:

Examples:

  • php://filter/convert.base64-encode/resource=config.php

27

Regular Expression: php:\/\/input

Description: PHP input stream

Tags:

  • rce
  • php

Impact: 6

  • Obfuscation [6]
  • Low risk of false-positives [0]

Resources:

Examples:

  • include('php://input');

28

Regular Expression: php:\/\/output

Description: PHP output stream

Tags:

  • xss
  • php

Impact: 6

  • Cross-site scripting [6]
  • Low risk of false-positives [0]

Resources:

Examples:

  • file_put_contents('php://output', 'foo');

29

Regular Expression: convert\.base64-(de|en)code

Description: PHP input/output stream filter “base64”

Tags:

  • lfi
  • rce
  • php

Impact: 6

  • Obfuscation / file disclosure [6]
  • Low risk of false-positives [0]

Resources:

Examples:

  • php://filter/convert.base64-encode/resource=config.php

30

Regular Expression: zlib\.(de|in)flate

Description: PHP input/output stream filter “zlib”

Tags:

  • lfi
  • rce
  • php

Impact: 6

  • Obfuscation / file disclosure [6]
  • Low risk of false-positives [0]

Resources:

Examples:

  • php://filter/zlib.deflate/resource=config.php

31

Regular Expression: @import\b

Description: CSS “import”

Tags:

  • xss
  • css

Impact: 3

  • Obfuscation [6]
  • Mediocre risk of false-positives [-3]

Resources:

Examples:

  • @import url(http://foo/bar);

32

Regular Expression: \burl\s*\(.+?\)

Description: CSS pointer to resource

Tags:

  • xss
  • rfi
  • css

Impact: 2

  • Obfuscation [6]
  • High risk of false-positives [-4]

Resources:

Examples:

  • @import url(http://foo/bar);

33

Regular Expression: \/\/.+?\/

Description: URL

Tags:

  • rfi

Impact: 1

  • Obfuscation [6]
  • Very high risk of false-positives [-5]

Examples:

  • http://foobar.org/

34

Regular Expression: \)\s*\[

Description: JavaScript language construct

Tags:

  • xss

Impact: 2

  • Cross-site scripting [6]
  • High risk of false-positives [-4]

Examples:

  • ) [

35

Regular Expression: <\?(?!xml\s)

Description: PHP opening tag

Tags:

  • rce
  • php

Impact: 3

  • Command execution [8]
  • High risk of false-positives [-5]

Examples:

  • <?php
  • <?

36

Regular Expression: %(HOME(DRIVE|PATH)|SYSTEM(DRIVE|ROOT)|WINDIR|USER(DOMAIN|PROFILE|NAME)|((LOCAL)?APP|PROGRAM)DATA)%

Description: Common Windows environment variable

Tags:

  • lfi
  • win

Impact: 2

  • File disclosure [5]
  • Mediocre risk of false-positives [-3]

Resources:

Examples:

  • %WINDIR%\\cmd.exe

37

Regular Expression: %\w+%

Description: Windows environment variable pattern

Tags:

  • lfi
  • win

Impact: 1

  • File disclosure [5]
  • High risk of false-positives [-3]
  • Overlaps with 36 [-1]

Examples:

  • %FOO%

38

Regular Expression: \bunion\b.+?\bselect\b

Description: Common SQL command “union select”

Tags:

  • sqli

Impact: 3

  • SQL injection [7]
  • High risk of false-positives [-4]

Examples:

  • ' UNION SELECT user()-- -

39

Regular Expression: \bupdate\b.+?\bset\b

Description: Common SQL command “update”

Tags:

  • sqli

Impact: 3

  • SQL injection [7]
  • High risk of false-positives [-4]

Examples:

  • UPDATE users SET permissions='admin'

40

Regular Expression: \bdrop\b.+?\b(database|table)\b

Description: Common SQL command “drop”

Tags:

  • sqli

Impact: 3

  • SQL injection [7]
  • High risk of false-positives [-4]

Examples:

  • DROP TABLE users
  • DROP DATABASE blog

41

Regular Expression: \bdelete\b.+?\bfrom\b

Description: Common SQL command “delete”

Tags:

  • sqli

Impact: 3

  • SQL injection [7]
  • High risk of false-positives [-4]

Examples:

  • DELETE FROM users

42

Regular Expression: --.+?

Description: Common SQL comment syntax

Tags:

  • sqli

Impact: 1

  • SQL injection [6]
  • Very high risk of false-positives [-5]

Examples:

  • ' OR 1-- -

43

Regular Expression: \[\$(ne|eq|lte?|gte?|n?in|mod|all|size|exists|type|slice|or)\]

Description: MongoDB SQL commands

Tags:

  • sqli
  • mongo

Impact: 5

  • SQL injection [6]
  • Low risk of false-positives [-1]

Examples:

  • [$ne]

44

Regular Expression: \$\(.+?\)

Description: jQuery selector

Tags:

  • xss

Impact: 2

  • Cross-site scripting [6]
  • High risk of false-positives [-4]

Examples:

  • $('#login')

45

Regular Expression: \/\*.*?\*\/

Description: C-style comment syntax

Tags:

  • sqli

Impact: 3

  • SQL injection [6]
  • Mediocre risk of false-positives [-3]

Examples:

  • /**/

46

Regular Expression: <!-.+?-->

Description: XML comment syntax

Tags:

  • xss
  • xxe

Impact: 3

  • Cross-site scripting [6]
  • Mediocre risk of false-positives [-3]

Examples:

  • <!- -->

47

Regular Expression: <base\b.+?\bhref\b.+?>

Description: Base URL

Tags:

  • xss

Impact: 6

  • Cross-site scripting [6]
  • Low risk of false-positives [0]

Resources:

Examples:

  • <base href="http://foo/">

48

Regular Expression: <!(element|entity|\[CDATA)

Description: XML entity injections

Tags:

  • xss
  • xxe

Impact: 6

  • File disclosure [6]
  • Low risk of false-positives [0]

Examples:

  • <![CDATA[<]]>script<![CDATA[>]]>
  • <!ENTITY xxe SYSTEM "file:///dev/random" >]>

49

Regular Expression: <(applet|object|embed|audio|video|img|svg)

Description: Common JavaScript injection points (media)

Tags:

  • xss

Impact: 2

  • Cross-site scripting [6]
  • High risk of false-positives [-4]

Examples:

  • <img onerror="" />

50

Regular Expression: <a\b.+?\bhref\b

Description: Common JavaScript injection points (links)

Tags:

  • xss

Impact: 2

  • Cross-site scripting [6]
  • High risk of false-positives [-4]

Examples:

  • <a href=""></a>

51

Regular Expression: <(form|button|input|keygen|textarea|select|option)

Description: Common JavaScript injection points (forms)

Tags:

  • xss

Impact: 4

  • Cross-site scripting [6]
  • Mediocre risk of false-positives [-2]

Examples:

  • <form></form>

52

Regular Expression: <(html|body|meta|link|i?frame|script|map)

Description: Common JavaScript injection points

Tags:

  • xss

Impact: 4

  • Cross-site scripting [6]
  • Mediocre risk of false-positives [-2]

Examples:

  • <script></script>

53

Regular Expression: (?<!\w)(boot\.ini|global\.asa|sam)\b

Description: Common Windows files

Tags:

  • lfi
  • win

Impact: 4

  • Information disclosure [6]
  • Mediocre risk of false-positives [-2]

Examples:

  • C:\boot.ini

54

Regular Expression: \bon\w+\s*=

Description: HTML event handler

Tags:

  • xss

Impact: 3

  • Cross-site scripting [6]
  • Mediocre risk of false-positives [-3]

Examples:

  • <img onerror="" />

55

Regular Expression: \b(chrome|file):\/\/

Description: Local file inclusion

Tags:

  • xss
  • lfi

Impact: 3

  • Information disclosure [6]
  • Mediocre risk of false-positives [-3]

Examples:

  • file:///etc/passwd

56

Regular Expression: &#?(\w+);

Description: HTML escaped character

Tags:

  • xss

Impact: 2

  • Cross-site scripting [6]
  • High risk of false-positives [-4]

Examples:

  • &amp;

57

Regular Expression: ^(\s*)\||\|(\s*)$

Description: Perl command injection

Tags:

  • rce
  • perl

Impact: 5

  • Command injection [8]
  • Mediocre risk of false-positives [-3]

Examples:

  • |id
  • id|

58

Regular Expression: <!--\W*?#\W*?(cmd|echo|exec|include|printenv)\b

Description: Apache server-side include

Tags:

  • rce
  • xss
  • lfi

Impact: 6

  • Command injection / file disclosure [8]
  • Low risk of false-positives [-2]

Examples:

  • <!--#include

59

Regular Expression: \{\s*\w+\s*:\s*[+-]?\s*\d+\s*:.*?\}

Description: Serialized PHP objects

Tags:

  • php

Impact: 5

  • Everything is possible [8]
  • Mediocre risk of false-positives [-3]

Examples:

  • O:3:"foo":1:{s:8:"foobar";s:3:"quz";}

60

Regular Expression: [\n\r]\s*\b(?:to|b?cc)\b\s*:.*?\@

Description: Email injection

Tags:

  • spam

Impact: 5

  • Spam [4]
  • Low risk of false-positives [1]

Examples:

  • \nto: foo@bar.de

61

Regular Expression: \bcall_user_func\b.*?\(.+?\)

Description: Critical PHP function “call_user_func”

Tags:

  • rce
  • php

Impact: 7

  • Command execution [8]
  • Low risk of false-positives [-1]

Resources:

Examples:

  • call_user_func('foo', $a);

62

Regular Expression: \bcreate_function\b.*?\(.+?\)

Description: Critical PHP function “create_function”

Tags:

  • rce
  • php

Impact: 7

  • Command execution [8]
  • Low risk of false-positives [-1]

Resources:

Examples:

  • create_function('$a', 'return $a;');

63

Regular Expression: \beval\b.*?(\(.+?\)|\{.+?\})

Description: Critical function “eval”

Tags:

  • rce
  • php
  • perl

Impact: 4

  • Command execution [8]
  • High risk of false-positives [-4]

Resources:

Examples:

  • eval('foo');
  • eval { foo(); }

64

Regular Expression: \bexec\b.*?\(.+?\)

Description: Critical PHP function “exec”

Tags:

  • rce
  • php

Impact: 4

  • Command execution [8]
  • High risk of false-positives [-4]

Resources:

Examples:

  • exec('cat /etc/passwd');

65

Regular Expression: \bf(get|open|read|write)\b.*?\(.+?\)

Description: Critical PHP function “fopen/fget/fread/fwrite”

Tags:

  • rce
  • lfi
  • php

Impact: 5

  • Command execution / file disclosure [8]
  • Mediocre risk of false-positives [-3]

Resources:

Examples:

  • fopen('/etc/passwd', 'r');

66

Regular Expression: \bfile_(get|put)_contents\b.*?\(.+?\)

Description: Critical PHP function “file_get_contents/file_put_contents”

Tags:

  • rce
  • lfi
  • php

Impact: 7

  • Command execution / file disclosure [8]
  • Low risk of false-positives [-1]

Resources:

Examples:

  • file_get_contents('/etc/passwd');
  • file_put_contents('/etc/passwd', 'foo');

67

Regular Expression: \bmove_uploaded_file\b.*?\(.+?\)

Description: Critical PHP function “move_uploaded_file”

Tags:

  • rce
  • php

Impact: 7

  • Command execution [8]
  • Low risk of false-positives [-1]

Resources:

Examples:

  • move_uploaded_file($tmp_name, $name);

68

Regular Expression: \bpassthru\b.*?\(.+?\)

Description: Critical PHP function “passthru”

Tags:

  • rce
  • php

Impact: 7

  • Command execution [8]
  • Low risk of false-positives [-1]

Resources:

Examples:

  • passthru('cat /etc/passwd');

69

Regular Expression: \bp(roc_)?open\b.*?\(.+?\)

Description: Critical PHP function “popen/proc_open”

Tags:

  • rce
  • php

Impact: 6

  • Command execution [8]
  • Mediocre risk of false-positives [-2]

Resources:

Examples:

  • proc_open('cat', $descriptorspec, $pipes, $cwd, $env);

70

Regular Expression: \breadfile\b.*?\(.+?\)

Description: Critical PHP function “readfile”

Tags:

  • lfi
  • php

Impact: 5

  • File disclosure [7]
  • Mediocre risk of false-positives [-2]

Resources:

Examples:

  • readfile('/etc/passwd');

71

Regular Expression: \bshell_exec\b.*?\(.+?\)

Description: Critical PHP function “shell_exec”

Tags:

  • rce
  • php

Impact: 7

  • Command execution [8]
  • Low risk of false-positives [-1]

Resources:

Examples:

  • shell_exec('cat /etc/passwd');

72

Regular Expression: \bsystem\b.*?\(.+?\)

Description: Critical PHP function “system”

Tags:

  • rce
  • php

Impact: 5

  • Command execution [8]
  • Mediocre risk of false-positives [-3]

Resources:

Examples:

  • system('cat /etc/passwd');

73

Regular Expression: \bpreg_(replace|match)\b.*?\(.+?\)

Description: Critical PHP function “preg_match/preg_replace”

Tags:

  • rce
  • php

Impact: 7

  • Command execution [8]
  • Low risk of false-positives [-1]

Resources:

Examples:

  • preg_replace('//e', 'phpinfo()', $x);

74

Regular Expression: \binclude(_once)?\b.*?;

Description: Critical PHP function “include”

Tags:

  • rce
  • lfi
  • php

Impact: 4

  • Command execution [8]
  • High risk of false-positives [-4]

Examples:

  • include('/etc/passwd');
  • include_once '/etc/passwd';

75

Regular Expression: \brequire(_once)?\b.*?;

Description: Critical PHP function “require”

Tags:

  • rce
  • lfi
  • php

Impact: 4

  • Command execution [8]
  • High risk of false-positives [-4]

Examples:

  • require('/etc/passwd');
  • require_once '/etc/passwd';

76

Regular Expression: \{\s*\$\s*\{.+?\}\s*\}

Description: PHP complex curly syntax

Tags:

  • rce
  • php

Impact: 8

  • Command execution / information disclosure [8]
  • Low risk of false-positives [0]

Resources:

Examples:

  • {${phpinfo()}}

77

Regular Expression: @(cc_on|set)\b

Description: Conditional compilation token

Tags:

  • xss

Impact: 3

  • Command execution [6]
  • Mediocre risk of false-positives [-3]

Resources:

Examples:

  • @cc_on

78

Regular Expression: \bfirefoxurl\s*:

Description: Firefox “firefoxurl” URI handler

Tags:

  • xss

Impact: 3

  • Cache poisoning [6]
  • Mediocre risk of false-positives [-3]

Resources:

Examples:

  • firefoxurl://

79

Regular Expression: \bwyciwyg\s*:

Description: Firefox “wyciwyg” URI handler

Tags:

  • xss

Impact: 3

  • Cache poisoning [6]
  • Mediocre risk of false-positives [-3]

Resources:

Examples:

  • wyciwyg://

80

Regular Expression: \bdocument\b.*?\.

Description: JavaScript attribute “document”

Tags:

  • xss

Impact: 2

  • Cross-site scripting [6]
  • High risk of false-positives [-4]

Resources:

Examples:

  • document.cookie

81

Regular Expression: \bwindow\b.*?\.

Description: JavaScript attribute “window”

Tags:

  • xss

Impact: 2

  • Cross-site scripting [6]
  • High risk of false-positives [-4]

Resources:

Examples:

  • window.content

82

Regular Expression: =\s*\w+\s*\+\s*['"]

Description: Common concatenation pattern

Tags:

  • xss

Impact: 1

  • Cross-site scripting [6]
  • High risk of false-positives [-5]

Examples:

  • = foo + '

83

Regular Expression: \+=\s*\(\s*['"]

Description: Common concatenation pattern

Tags:

  • xss

Impact: 1

  • Cross-site scripting [6]
  • High risk of false-positives [-5]

Examples:

  • += ('

84

Regular Expression: ['"]\s*\+\s*['"]

Description: Common concatenation pattern

Tags:

  • xss

Impact: 1

  • Cross-site scripting [6]
  • High risk of false-positives [-5]

Examples:

  • ' + '

85

Regular Expression: \|\(\w+=

Description: LDAP

Tags:

  • ldap

Impact: 3

  • Information disclosure [6]
  • Mediocre risk of false-positives [-3]

Resources:

Examples:

  • |(foo=

86

Regular Expression: \bfunction\b[^(]*\([^)]*\)

Description: Common function declaration

Tags:

  • xss
  • rce

Impact: 3

  • Common code pattern [6]
  • Mediocre risk of false-positives [-3]

Examples:

  • function foo() {}

87

Regular Expression: \bbenchmark\b.*?\(.+?,.+?\)

Description: Blind MySQL “benchmark”

Tags:

  • sqli
  • mysql

Impact: 6

  • SQL injection [6]
  • Low risk of false-positives [0]

Resources:

Examples:

  • SELECT BENCHMARK(1000000,ENCODE('hello','goodbye'))

88

Regular Expression: \bsleep\b.*?\(.+?\)

Description: Blind SQL “sleep”

Tags:

  • sqli
  • dos

Impact: 2

  • SQL injection [6]
  • High risk of false-positives [-4]

Resources:

Examples:

  • SELECT SLEEP(1000)

89

Regular Expression: \bload_file\b.*?\(.+?\)

Description: MySQL file disclosure “load_file”

Tags:

  • sqli
  • mysql

Impact: 7

  • SQL injection / file disclosure [7]
  • Low risk of false-positives [0]

Resources:

Examples:

  • SELECT LOAD_FILE('/etc/passwd')

90

Regular Expression: \bload\b.*?\bdata\b.*?\binfile\b.*?\binto\b.*?\btable\b

Description: MySQL file disclosure “load data”

Tags:

  • sqli
  • mysql

Impact: 7

  • SQL injection / file disclosure [7]
  • Low risk of false-positives [0]

Resources:

Examples:

  • LOAD DATA INFILE 'foo' INTO TABLE bar

91

Regular Expression: \bselect\b.*?\binto\b.*?\b(out|dump)file\b

Description: MySQL file write “into outfile”

Tags:

  • sqli
  • mysql

Impact: 8

  • SQL injection / file write [8]
  • Low risk of false-positives [0]

Resources:

Examples:

  • SELECT 'foo' INTO OUTFILE 'bar'
  • SELECT 'foo' INTO DUMPFILE 'bar'

92

Regular Expression: \b(group_)?concat(_ws)?\b.*?\(.+?\)

Description: MySQL function “concat”

Tags:

  • sqli
  • mysql

Impact: 3

  • SQL injection [6]
  • Mediocre risk of false-positives [-3]

Resources:

Examples:

  • SELECT CONCAT(foo, ':', bar)
  • SELECT GROUP_CONCAT(foo)

93

Regular Expression: \binformation_schema\b

Description: MySQL information disclosure

Tags:

  • sqli
  • mysql

Impact: 7

  • SQL injection [6]
  • Low risk of false-positives [1]

Resources:

Examples:

  • SELECT schema_name FROM information_schema.schemata

94

Regular Expression: \bpg_sleep\b.*?\(.+?\)

Description: Blind PgSQL “pg_sleep”

Tags:

  • sqli
  • dos
  • pgsql

Impact: 6

  • SQL injection [6]
  • Low risk of false-positives [0]

Resources:

Examples:

  • SELECT pg_sleep(1.5)

95

Regular Expression: \bwaitfor\b.*?\b(delay|time(out)?)\b

Description: Blind TSQL “waitfor”

Tags:

  • sqli
  • dos
  • tsql

Impact: 4

  • SQL injection [6]
  • Mediocre risk of false-positives [-2]

Resources:

Examples:

  • WAITFOR { DELAY '1000' }
  • WAITFOR { TIME '1000' }

96

Regular Expression: \b(char_|bit_)?length\b.*?\(.+?\)

Description: Common SQL function “length”

Tags:

  • sqli

Impact: 2

  • SQL injection [6]
  • High risk of false-positives [-4]

Resources:

Examples:

  • SELECT LENGTH('foo')
  • SELECT CHAR_LENGTH('foo')
  • SELECT BIT_LENGTH('foo')

97

Regular Expression: \b(un)?hex\b.*?\(.+?\)

Description: Common SQL function “hex/unhex”

Tags:

  • sqli

Impact: 2

  • SQL injection [6]
  • High risk of false-positives [-4]

Resources:

Examples:

  • SELECT HEX('foo')
  • SELECT UNHEX('00')

98

Regular Expression: \b(from|to)_base64\b.*?\(.+?\)

Description: Common MySQL function “from_base64/to_base64”

Tags:

  • sqli

Impact: 4

  • SQL injection [6]
  • Low risk of false-positives [-2]

Resources:

Examples:

  • SELECT TO_BASE64('foo')
  • SELECT FROM_BASE64('foo')

99

Regular Expression: \bsubstr(ing(_index)?)?\b.*?\(.+?,.+?\)

Description: Common SQL function “substr”

Tags:

  • sqli

Impact: 3

  • SQL injection [6]
  • Mediocre risk of false-positives [-3]

Resources:

Examples:

  • SELECT SUBSTR('foo',1)
  • SELECT SUBSTRING('foo',1)
  • SELECT SUBSTRING_INDEX('foo',1)

100

Regular Expression: \b(current_)?user\b.*?\(.*?\)

Description: Common SQL function “user”

Tags:

  • sqli

Impact: 2

  • SQL injection / information disclosure [6]
  • High risk of false-positives [-4]

Examples:

  • SELECT user()
  • SELECT current_user()

101

Regular Expression: \bversion\b.*?\(.*?\)

Description: Common SQL function “version”

Tags:

  • sqli

Impact: 2

  • SQL injection / information disclosure [6]
  • High risk of false-positives [-4]

Examples:

  • SELECT version()

102

Regular Expression: @@.+?

Description: SQL system variable

Tags:

  • sqli

Impact: 1

  • SQL injection / information disclosure [6]
  • High risk of false-positives [-5]

Examples:

  • SELECT @@user

103

Regular Expression: \boct\b.*?\(.+?\)

Description: Common SQL function “oct”

Tags:

  • sqli

Impact: 2

  • SQL injection [6]
  • High risk of false-positives [-4]

Resources:

Examples:

  • SELECT OCT(12)

104

Regular Expression: \bord\b.*?\(.+?\)

Description: Common SQL function “ord”

Tags:

  • sqli

Impact: 2

  • SQL injection [6]
  • High risk of false-positives [-4]

Resources:

Examples:

  • SELECT ORD('2')

105

Regular Expression: \bascii\b.*?\(.+?\)

Description: Common SQL function “ascii”

Tags:

  • sqli

Impact: 2

  • SQL injection [6]
  • High risk of false-positives [-4]

Resources:

Examples:

  • SELECT ASCII('2')

106

Regular Expression: \bbin\b.*?\(.+?\)

Description: Common SQL function “bin”

Tags:

  • sqli

Impact: 2

  • SQL injection [6]
  • High risk of false-positives [-4]

Resources:

Examples:

  • SELECT BIN(12)

107

Regular Expression: \bcha?r\b.*?\(.+?\)

Description: Common SQL function “char”

Tags:

  • sqli

Impact: 2

  • SQL injection [6]
  • High risk of false-positives [-4]

Resources:

Examples:

  • SELECT CHAR(77,121,83,81,76)

108

Regular Expression: \bwhere\b.+?(\b(not_)?(like|regexp)\b|[=<>])

Description: Common SQL comparison “where”

Tags:

  • sqli

Impact: 2

  • SQL injection [6]
  • High risk of false-positives [-4]

Resources:

Examples:

  • SELECT foo FROM bar WHERE name LIKE '%admin%'

109

Regular Expression: \bif\b.*?\(.+?,.+?,.+?\)

Description: Common SQL comparison “if”

Tags:

  • sqli

Impact: 2

  • SQL injection [6]
  • High risk of false-positives [-4]

Resources:

Examples:

  • SELECT IF(1>2,2,3)

110

Regular Expression: \b(ifnull|nullif)\b.*?\(.+?,.+?\)

Description: Common SQL comparison “ifnull”

Tags:

  • sqli

Impact: 3

  • SQL injection [6]
  • Mediocre risk of false-positives [-3]

Resources:

Examples:

  • SELECT IFNULL(1,0)
  • SELECT NULLIF(1,1)

111

Regular Expression: \bwhere\b.+?(\b(n?and|x?or|not)\b|(\&\&|\|\|))

Description: Common SQL comparison “where”

Tags:

  • sqli

Impact: 3

  • SQL injection [7]
  • High risk of false-positives [-4]

Examples:

  • SELECT foo FROM bar WHERE id = 1 OR id = 2

112

Regular Expression: \bcase\b.+?\bwhen\b.+?\bend\b

Description: Common SQL comparison “case”

Tags:

  • sqli

Impact: 4

  • SQL injection [6]
  • Low risk of false-positives [-2]

Resources:

Examples:

  • CASE case_value WHEN when_value THEN statement_list END CASE

113

Regular Expression: \bexec\b.+?\bxp_cmdshell\b

Description: MSSQL code execution “xp_cmdshell”

Tags:

  • sqli
  • rce
  • mssql

Impact: 9

  • SQL injection / code execution [8]
  • Low risk of false-positives [1]

Examples:

  • exec master..xp_cmdshell 'echo foo'

114

Regular Expression: \bcreate\b.+?\b(procedure|function)\b.*?\(.*?\)

Description: Common SQL command “create”

Tags:

  • sqli

Impact: 4

  • SQL injection [7]
  • Mediocre risk of false-positives [-3]

Examples:

  • CREATE PROCEDURE foo()

115

Regular Expression: \binsert\b.+?\binto\b.*?\bvalues\b.*?\(.+?\)

Description: Common SQL command “insert”

Tags:

  • sqli

Impact: 5

  • SQL injection [7]
  • Mediocre risk of false-positives [-2]

Examples:

  • INSERT INTO table (col1,col2) VALUES('foo','bar')

116

Regular Expression: \bselect\b.+?\bfrom\b

Description: Common SQL command “select”

Tags:

  • sqli

Impact: 3

  • SQL injection [7]
  • High risk of false-positives [-4]

Examples:

  • SELECT foo FROM bar

117

Regular Expression: \bpg_user\b

Description: PgSQL information disclosure “pg_user”

Tags:

  • sqli
  • pgsql

Impact: 7

  • SQL injection [6]
  • Low risk of false-positives [1]

Examples:

  • SELECT * FROM pg_user

118

Regular Expression: \bpg_database\b

Description: PgSQL information disclosure “pg_database”

Tags:

  • sqli
  • pgsql

Impact: 7

  • SQL injection [6]
  • Low risk of false-positives [1]

Examples:

  • SELECT * FROM pg_database

119

Regular Expression: \bpg_shadow\b

Description: PgSQL information disclosure “pg_shadow”

Tags:

  • sqli
  • pgsql

Impact: 7

  • SQL injection [6]
  • Low risk of false-positives [1]

Examples:

  • SELECT * FROM pg_shadow

120

Regular Expression: \b(current_)?database\b.*?\(.*?\)

Description: Common SQL function “database”

Tags:

  • sqli

Impact: 2

  • SQL injection / information disclosure [6]
  • High risk of false-positives [-4]

Examples:

  • SELECT database()
  • SELECT current_database()