Description
The blacklist algorithm is one of the three methods Shadow Daemon uses to identify malicious requests. It searches the user input for known attack patterns.
Layout
The blacklist algorithm uses regular expressions to identify known attack patterns. Every filter has a numerical impact that expresses how dangerous the matched pattern is and how unambiguous the match is. The impacts of all matching filters are aggregated and compared to a threshold. If the total impact is greater than the threshold, the input is classified as a threat.
Security
Be aware that a blacklist does not guarantee perfect security. It is good at detecting the majority of common attack patterns, but there will always be techniques it does not know and therefore does not detect. Once attackers are able to execute their own code they have many ways to obfuscate their payloads and thus decrease the impact value even further. To compensate for this, use a very low global impact threshold and only increase it via rules for specific user inputs where necessary.
Filters
The base impact of a filter is determined by the dangerousness of successful exploitation. A low risk of false-positives is rewarded, whereas a high risk of false-positives is penalized. Overlapping filters are also penalized, in proportion to the likelihood that the same pattern is detected more than once.
If you have suggestions for existing or new filters feel free to open an issue.
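The following is an added example, not Shadow Daemon's own code: a minimal re-implementation of the scoring described in the Layout and Filters sections using a handful of the page's filters and impact values, plus the per-input threshold rule recommended under Security. Case-insensitive matching, the threshold values and the request paths and parameter names are assumptions made here.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Filter:
    """One blacklist filter: a regex plus the impact it contributes when it matches."""
    id: int
    pattern: str
    description: str
    impact: int


# A handful of the page's filters, copied verbatim with their impact values.
FILTERS = [
    Filter(1, r"\(\)\s*\{.*?;\s*\}\s*;", "Shellshock (CVE-2014-6271)", 9),
    Filter(18, r"\.\.[\/\\]", "Directory traversal", 4),
    Filter(23, r"\/etc\/[.\/]*(passwd|shadow|master\.passwd)", "Common Unix files", 4),
    Filter(38, r"\bunion\b.+?\bselect\b", "Common SQL command union select", 3),
    Filter(42, r"--.+?", "Common SQL comment syntax", 1),
    Filter(100, r"\b(current_)?user\b.*?\(.*?\)", "Common SQL function user", 2),
    Filter(116, r"\bselect\b.+?\bfrom\b", "Common SQL command select", 3),
]

# Assumption: patterns are matched case-insensitively, as the upper-case SQL
# examples on the page imply. DOTALL lets ".*?" span newlines in multi-line input.
_COMPILED = [(f, re.compile(f.pattern, re.IGNORECASE | re.DOTALL)) for f in FILTERS]


def matching_filters(value: str) -> list:
    """Return every filter whose pattern occurs somewhere in the input."""
    return [f for f, rx in _COMPILED if rx.search(value)]


def total_impact(value: str) -> int:
    """Aggregate the impacts of all matching filters (the Layout section's sum)."""
    return sum(f.impact for f in matching_filters(value))


# Assumption: a low global threshold, raised only for named inputs via rules,
# as the Security section advises. Paths and parameter names are constructed.
GLOBAL_THRESHOLD = 2
INPUT_RULES = {
    # (request path, parameter name) -> threshold for this specific input
    ("/search", "q"): 5,  # a free-text field that legitimately contains prose
}


def classify(path: str, param: str, value: str) -> dict:
    """Score one input and flag it as a threat when the impact exceeds the threshold."""
    threshold = INPUT_RULES.get((path, param), GLOBAL_THRESHOLD)
    hits = matching_filters(value)
    impact = sum(f.impact for f in hits)
    return {
        "input": f"{path}:{param}",
        "impact": impact,
        "threshold": threshold,
        "threat": impact > threshold,
        "filters": [f.id for f in hits],
    }


if __name__ == "__main__":
    # Constructed sample inputs; the first two values are the page's own filter examples.
    # The last two show why a free-text field needs a higher per-input threshold:
    # plain English matches filter 116 ("select ... from") and scores 3.
    samples = [
        ("/login", "user", "' UNION SELECT user()-- -"),
        ("/download", "file", "../../etc/passwd"),
        ("/search", "q", "select an item from the menu"),
        ("/comment", "text", "select an item from the menu"),
    ]
    for path, param, value in samples:
        print(classify(path, param, value))
```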
1
Regular Expression: \(\)\s*\{.*?;\s*\}\s*;
Description: Shellshock (CVE-2014-6271)
Tags:
- rce
- bash
Impact: 9
- Command execution [8]
- Low risk of false-positives [1]
Resources:
Examples:
- env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
2
Regular Expression: \(\)\s*\{.*?\(.*?\).*?=>.*?\\'
Description: Shellshock (CVE-2014-7169)
Tags:
- rce
- bash
Impact: 9
- Command execution [8]
- Low risk of false-positives [1]
Resources:
Examples:
- env X='() { (a)=>\' bash -c "echo date"; cat echo
3
Regular Expression: \{\{.*?\}\}
Description: Flask curly syntax
Tags:
- rce
- id
Impact: 4
- Command execution [6]
- Mediocre risk of false-positives [-2]
Resources:
Examples:
- {{foo.bar}}
4
Regular Expression: \bfind_in_set\b.*?\(.+?,.+?\)
Description: Common MySQL function “find_in_set”
Tags:
- sqli
- mysql
Impact: 6
- SQL injection [6]
- Low risk of false-positives [0]
Resources:
Examples:
- SELECT FIND_IN_SET('b','a,b,c,d')
5
Regular Expression: ["'].*?>
Description: HTML breaking
Tags:
- xss
Impact: 3
- Cross-site scripting [6]
- Mediocre risk of false-positives [-3]
Examples:
- ">
6
Regular Expression: \bsqlite_master\b
Description: SQLite information disclosure “sqlite_master”
Tags:
- sqli
- sqlite
Impact: 7
- SQL injection [6]
- Low risk of false-positives [1]
Examples:
- SELECT name FROM sqlite_master
7
Regular Expression: \bmysql.*?\..*?user\b
Description: MySQL information disclosure “mysql.user”
Tags:
- sqli
- mysql
Impact: 3
- SQL injection [6]
- Mediocre risk of false-positives [-3]
Examples:
- SELECT user FROM mysql.user
8
Regular Expression: #.+?\)["\s]*>
Description: HTML breaking
Tags:
- xss
Impact: 5
- Cross-site scripting [6]
- Low risk of false-positives [-1]
Examples:
- #foo)">
9
Regular Expression: ['"][,;\s]+\w*[\[\(]
Description: HTML breaking
Tags:
- xss
Impact: 3
- Cross-site scripting [6]
- Mediocre risk of false-positives [-3]
Examples:
- "; foo(
10
Regular Expression: >.*?<\s*\/?[\w\s]+>
Description: Unquoted HTML breaking with closing tag
Tags:
- xss
Impact: 3
- Cross-site scripting [6]
- Mediocre risk of false-positives [-3]
Examples:
- ></foo>
11
Regular Expression: \blocation\b.*?\..*?\bhash\b
Description: JavaScript “location.hash”
Tags:
- xss
Impact: 2
- Cross-site scripting [6]
- High risk of false-positives [-4]
Examples:
- location.hash.slice(1)
12
Regular Expression: \bwith\b\s*\(.+?\)[\s\w]+\(
Description: Self-contained payload
Tags:
- xss
Impact: 6
- Cross-site scripting [6]
- Low risk of false-positives [0]
Resources:
- https://security.stackexchange.com/questions/10006/how-bad-is-a-self-contained-xss-attack#10009
- https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Statements/With
Examples:
- with(location)with(hash)eval(substring(1))
13
Regular Expression: (\b(do|while|for)\b.*?\([^)]*\).*?\{)|(\}.*?\b(do|while|for)\b.*?\([^)]*\))
Description: C-style loops
Tags:
- rce
- xss
- dos
Impact: 4
- Common code pattern [6]
- Mediocre risk of false-positives [-2]
Examples:
- while (true) {fork();}
- {fork();} while (true);
14
Regular Expression: [=(].+?\?.+?:
Description: C-style ternary operator
Tags:
- rce
- xss
Impact: 2
- Common code pattern [6]
- High risk of false-positives [-4]
Examples:
- 1=1 ? true : false
15
Regular Expression: \\u00[a-f0-9]{2}
Description: Octal entity
Tags:
- rce
- xss
Impact: 1
- Common code pattern [5]
- High risk of false-positives [-4]
Examples:
- \u00ff
16
Regular Expression: \\x0*[a-f0-9]{2}
Description: Hex entity
Tags:
- rce
- xss
Impact: 1
- Common code pattern [5]
- High risk of false-positives [-4]
Examples:
- \x0ff
17
Regular Expression: \\\d{2,3}
Description: Unicode entity
Tags:
- rce
- xss
Impact: 1
- Common code pattern [5]
- High risk of false-positives [-4]
Examples:
- \01
18
Regular Expression: \.\.[\/\\]
Description: Directory traversal
Tags:
- lfi
Impact: 4
- Information disclosure / command execution [8]
- High risk of false-positives [-4]
Examples:
- ../../etc/passwd
19
Regular Expression: %(c0\.|af\.|5c\.)
Description: Directory traversal unicode + urlencoding
Tags:
- lfi
Impact: 4
- Information disclosure / command execution [8]
- High risk of false-positives [-4]
Resources:
Examples:
- %c0.
- %af.
- %5c.
20
Regular Expression: %2e%2e[\/\\]
Description: Directory traversal urlencoding
Tags:
- lfi
Impact: 4
- Information disclosure / command execution [8]
- High risk of false-positives [-4]
Examples:
- %2e%2e/%2e%2e/etc/passwd
21
Regular Expression: %c0%ae[\/\\]
Description: Directory traversal unicode + urlencoding
Tags:
- lfi
Impact: 4
- Information disclosure / command execution [8]
- High risk of false-positives [-4]
Resources:
Examples:
- %c0%ae/%c0%ae/etc/passwd
22
Regular Expression: \.(ht(access|passwd|group))|(apache|httpd)\d?\.conf
Description: Common Apache files
Tags:
- lfi
Impact: 4
- Information disclosure [6]
- Mediocre risk of false-positives [-2]
Examples:
- ../.htaccess
- /etc/apache/httpd.conf
- /etc/apache2/apache2.conf
23
Regular Expression: \/etc\/[.\/]*(passwd|shadow|master\.passwd)
Description: Common Unix files
Tags:
- lfi
- unix
Impact: 4
- Information disclosure [6]
- Mediocre risk of false-positives [-2]
Examples:
- /etc/shadow
- /etc/./passwd
24
Regular Expression: \bdata:.*?,
Description: Data URI scheme
Tags:
- xss
Impact: 2
- Cross-site scripting [6]
- High risk of false-positives [-4]
Resources:
Examples:
- data:image/png;base64,foo
25
Regular Expression: ;base64|base64,
Description: Data URI scheme “base64”
Tags:
- xss
Impact: 2
- Cross-site scripting [6]
- High risk of false-positives [-4]
Resources:
Examples:
- data:image/png;base64,foo
26
Regular Expression: php:\/\/filter
Description: PHP input/output stream filter
Tags:
- lfi
- rce
- php
Impact: 6
- Obfuscation / file disclosure [6]
- Low risk of false-positives [0]
Resources:
Examples:
- php://filter/convert.base64-encode/resource=config.php
27
Regular Expression: php:\/\/input
Description: PHP input stream
Tags:
- rce
- php
Impact: 6
- Obfuscation [6]
- Low risk of false-positives [0]
Resources:
Examples:
- include('php://input');
28
Regular Expression: php:\/\/output
Description: PHP output stream
Tags:
- xss
- php
Impact: 6
- Cross-site scripting [6]
- Low risk of false-positives [0]
Resources:
Examples:
- file_put_contents('php://output', 'foo');
29
Regular Expression: convert\.base64-(de|en)code
Description: PHP input/output stream filter “base64”
Tags:
- lfi
- rce
- php
Impact: 6
- Obfuscation / file disclosure [6]
- Low risk of false-positives [0]
Resources:
Examples:
- php://filter/convert.base64-encode/resource=config.php
30
Regular Expression: zlib\.(de|in)flate
Description: PHP input/output stream filter “zlib”
Tags:
- lfi
- rce
- php
Impact: 6
- Obfuscation / file disclosure [6]
- Low risk of false-positives [0]
Resources:
Examples:
- php://filter/zlib.deflate/resource=config.php
31
Regular Expression: @import\b
Description: CSS “import”
Tags:
- xss
- css
Impact: 3
- Obfuscation [6]
- Mediocre risk of false-positives [-3]
Resources:
Examples:
- @import url(http://foo/bar);
32
Regular Expression: \burl\s*\(.+?\)
Description: CSS pointer to resource
Tags:
- xss
- rfi
- css
Impact: 2
- Obfuscation [6]
- High risk of false-positives [-4]
Resources:
Examples:
- @import url(http://foo/bar);
33
Regular Expression: \/\/.+?\/
Description: URL
Tags:
- rfi
Impact: 1
- Obfuscation [6]
- Very high risk of false-positives [-5]
Examples:
- http://foobar.org/
34
Regular Expression: \)\s*\[
Description: JavaScript language construct
Tags:
- xss
Impact: 2
- Cross-site scripting [6]
- High risk of false-positives [-4]
Examples:
- ) [
35
Regular Expression: <\?(?!xml\s)
Description: PHP opening tag
Tags:
- rce
- php
Impact: 3
- Command execution [8]
- High risk of false-positives [-5]
Examples:
- <?php
- <?
36
Regular Expression: %(HOME(DRIVE|PATH)|SYSTEM(DRIVE|ROOT)|WINDIR|USER(DOMAIN|PROFILE|NAME)|((LOCAL)?APP|PROGRAM)DATA)%
Description: Common Windows environment variable
Tags:
- lfi
- win
Impact: 2
- File disclosure [5]
- Mediocre risk of false-positives [-3]
Resources:
Examples:
- %WINDIR%\\cmd.exe
37
Regular Expression: %\w+%
Description: Windows environment variable pattern
Tags:
- lfi
- win
Impact: 1
- File disclosure [5]
- High risk of false-positives [-3]
- Overlaps with 36 [-1]
Examples:
- %FOO%
38
Regular Expression: \bunion\b.+?\bselect\b
Description: Common SQL command “union select”
Tags:
- sqli
Impact: 3
- SQL injection [7]
- High risk of false-positives [-4]
Examples:
- ' UNION SELECT user()-- -
39
Regular Expression: \bupdate\b.+?\bset\b
Description: Common SQL command “update”
Tags:
- sqli
Impact: 3
- SQL injection [7]
- High risk of false-positives [-4]
Examples:
- UPDATE users SET permissions='admin'
40
Regular Expression: \bdrop\b.+?\b(database|table)\b
Description: Common SQL command “drop”
Tags:
- sqli
Impact: 3
- SQL injection [7]
- High risk of false-positives [-4]
Examples:
- DROP TABLE users
- DROP DATABASE blog
41
Regular Expression: \bdelete\b.+?\bfrom\b
Description: Common SQL command “delete”
Tags:
- sqli
Impact: 3
- SQL injection [7]
- High risk of false-positives [-4]
Examples:
- DELETE FROM users
42
Regular Expression: --.+?
Description: Common SQL comment syntax
Tags:
- sqli
Impact: 1
- SQL injection [6]
- Very high risk of false-positives [-5]
Examples:
- ' OR 1-- -
43
Regular Expression: \[\$(ne|eq|lte?|gte?|n?in|mod|all|size|exists|type|slice|or)\]
Description: MongoDB SQL commands
Tags:
- sqli
- mongo
Impact: 5
- SQL injection [6]
- Low risk of false-positives [-1]
Examples:
- [$ne]
44
Regular Expression: \$\(.+?\)
Description: jQuery selector
Tags:
- xss
Impact: 2
- Cross-site scripting [6]
- High risk of false-positives [-4]
Examples:
- $('#login')
45
Regular Expression: \/\*.*?\*\/
Description: C-style comment syntax
Tags:
- sqli
Impact: 3
- SQL injection [6]
- Mediocre risk of false-positives [-3]
Examples:
- /**/
46
Regular Expression: <!-.+?-->
Description: XML comment syntax
Tags:
- xss
- xxe
Impact: 3
- Cross-site scripting [6]
- Mediocre risk of false-positives [-3]
Examples:
- <!- -->
47
Regular Expression: <base\b.+?\bhref\b.+?>
Description: Base URL
Tags:
- xss
Impact: 6
- Cross-site scripting [6]
- Low risk of false-positives [0]
Resources:
Examples:
- <base href="http://foo/">
48
Regular Expression: <!(element|entity|\[CDATA)
Description: XML entity injections
Tags:
- xss
- xxe
Impact: 6
- File disclosure [6]
- Low risk of false-positives [0]
Examples:
- <![CDATA[<]]>script<![CDATA[>]]>
- <!ENTITY xxe SYSTEM "file:///dev/random" >]>
49
Regular Expression: <(applet|object|embed|audio|video|img|svg)
Description: Common JavaScript injection points (media)
Tags:
- xss
Impact: 2
- Cross-site scripting [6]
- High risk of false-positives [-4]
Examples:
- <img onerror="" />
50
Regular Expression: <a\b.+?\bhref\b
Description: Common JavaScript injection points (links)
Tags:
- xss
Impact: 2
- Cross-site scripting [6]
- High risk of false-positives [-4]
Examples:
- <a href=""></a>
51
Regular Expression: <(form|button|input|keygen|textarea|select|option)
Description: Common JavaScript injection points (forms)
Tags:
- xss
Impact: 4
- Cross-site scripting [6]
- Mediocre risk of false-positives [-2]
Examples:
- <form></form>
52
Regular Expression: <(html|body|meta|link|i?frame|script|map)
Description: Common JavaScript injection points
Tags:
- xss
Impact: 4
- Cross-site scripting [6]
- Mediocre risk of false-positives [-2]
Examples:
- <script></script>
53
Regular Expression: (?<!\w)(boot\.ini|global\.asa|sam)\b
Description: Common Windows files
Tags:
- lfi
- win
Impact: 4
- Information disclosure [6]
- Mediocre risk of false-positives [-2]
Examples:
- C:\boot.ini
54
Regular Expression: \bon\w+\s*=
Description: HTML event handler
Tags:
- xss
Impact: 3
- Cross-site scripting [6]
- Mediocre risk of false-positives [-3]
Examples:
- <img onerror="" />
55
Regular Expression: \b(chrome|file):\/\/
Description: Local file inclusion
Tags:
- xss
- lfi
Impact: 3
- Information disclosure [6]
- Mediocre risk of false-positives [-3]
Examples:
- file:///etc/passwd
56
Regular Expression: &#?(\w+);
Description: HTML escaped character
Tags:
- xss
Impact: 2
- Cross-site scripting [6]
- High risk of false-positives [-4]
Examples:
- &
57
Regular Expression: ^(\s*)\||\|(\s*)$
Description: Perl command injection
Tags:
- rce
- perl
Impact: 5
- Command injection [8]
- Mediocre risk of false-positives [-3]
Examples:
- |id
- id|
58
Regular Expression: <!--\W*?#\W*?(cmd|echo|exec|include|printenv)\b
Description: Apache server-side include
Tags:
- rce
- xss
- lfi
Impact: 6
- Command injection / file disclosure [8]
- Low risk of false-positives [-2]
Examples:
- <!--#include
59
Regular Expression: \{\s*\w+\s*:\s*[+-]?\s*\d+\s*:.*?\}
Description: Serialized PHP objects
Tags:
- php
Impact: 5
- Everything is possible [8]
- Mediocre risk of false-positives [-3]
Examples:
- O:3:"foo":1:{s:8:"foobar";s:3:"quz";}
60
Regular Expression: [\n\r]\s*\b(?:to|b?cc)\b\s*:.*?\@
Description: Email injection
Tags:
- spam
Impact: 5
- Spam [4]
- Low risk of false-positives [1]
Examples:
- \nto: foo@bar.de
61
Regular Expression: \bcall_user_func\b.*?\(.+?\)
Description: Critical PHP function “call_user_func”
Tags:
- rce
- php
Impact: 7
- Command execution [8]
- Low risk of false-positives [-1]
Resources:
Examples:
- call_user_func('foo', $a);
62
Regular Expression: \bcreate_function\b.*?\(.+?\)
Description: Critical PHP function “create_function”
Tags:
- rce
- php
Impact: 7
- Command execution [8]
- Low risk of false-positives [-1]
Resources:
Examples:
- create_function('$a', 'return $a;');
63
Regular Expression: \beval\b.*?(\(.+?\)|\{.+?\})
Description: Critical function “eval”
Tags:
- rce
- php
- perl
Impact: 4
- Command execution [8]
- High risk of false-positives [-4]
Resources:
Examples:
- eval('foo');
- eval { foo(); }
64
Regular Expression: \bexec\b.*?\(.+?\)
Description: Critical PHP function “exec”
Tags:
- rce
- php
Impact: 4
- Command execution [8]
- High risk of false-positives [-4]
Resources:
Examples:
- exec('cat /etc/passwd');
65
Regular Expression: \bf(get|open|read|write)\b.*?\(.+?\)
Description: Critical PHP function “fopen/fget/fread/fwrite”
Tags:
- rce
- lfi
- php
Impact: 5
- Command execution / file disclosure [8]
- Mediocre risk of false-positives [-3]
Resources:
Examples:
- fopen('/etc/passwd', 'r');
66
Regular Expression: \bfile_(get|put)_contents\b.*?\(.+?\)
Description: Critical PHP function “file_get_contents/file_put_contents”
Tags:
- rce
- lfi
- php
Impact: 7
- Command execution / file disclosure [8]
- Low risk of false-positives [-1]
Resources:
- https://secure.php.net/manual/function.file-get-contents.php
- https://secure.php.net/manual/function.file-put-contents.php
Examples:
- file_get_contents('/etc/passwd');
- file_put_contents('/etc/passwd', 'foo');
67
Regular Expression: \bmove_uploaded_file\b.*?\(.+?\)
Description: Critical PHP function “move_uploaded_file”
Tags:
- rce
- php
Impact: 7
- Command execution [8]
- Low risk of false-positives [-1]
Resources:
Examples:
- move_uploaded_file($tmp_name, $name);
68
Regular Expression: \bpassthru\b.*?\(.+?\)
Description: Critical PHP function “passthru”
Tags:
- rce
- php
Impact: 7
- Command execution [8]
- Low risk of false-positives [-1]
Resources:
Examples:
- passthru('cat /etc/passwd');
69
Regular Expression: \bp(roc_)?open\b.*?\(.+?\)
Description: Critical PHP function “popen/proc_open”
Tags:
- rce
- php
Impact: 6
- Command execution [8]
- Mediocre risk of false-positives [-2]
Resources:
Examples:
- proc_open('cat', $descriptorspec, $pipes, $cwd, $env);
70
Regular Expression: \breadfile\b.*?\(.+?\)
Description: Critical PHP function “readfile”
Tags:
- lfi
- php
Impact: 5
- File disclosure [7]
- Mediocre risk of false-positives [-2]
Resources:
Examples:
- readfile('/etc/passwd');
71
Regular Expression: \bshell_exec\b.*?\(.+?\)
Description: Critical PHP function “shell_exec”
Tags:
- rce
- php
Impact: 7
- Command execution [8]
- Low risk of false-positives [-1]
Resources:
Examples:
- shell_exec('cat /etc/passwd');
72
Regular Expression: \bsystem\b.*?\(.+?\)
Description: Critical PHP function “system”
Tags:
- rce
- php
Impact: 5
- Command execution [8]
- Mediocre risk of false-positives [-3]
Resources:
Examples:
- system('cat /etc/passwd');
73
Regular Expression: \bpreg_(replace|match)\b.*?\(.+?\)
Description: Critical PHP function “preg_match/preg_replace”
Tags:
- rce
- php
Impact: 7
- Command execution [8]
- Low risk of false-positives [-1]
Resources:
- https://secure.php.net/manual/function.preg-replace.php
- https://secure.php.net/manual/function.preg-match.php
Examples:
- preg_replace('//e', 'phpinfo()', $x);
74
Regular Expression: \binclude(_once)?\b.*?;
Description: Critical PHP function “include”
Tags:
- rce
- lfi
- php
Impact: 4
- Command execution [8]
- High risk of false-positives [-4]
Examples:
- include('/etc/passwd');
- include_once '/etc/passwd';
75
Regular Expression: \brequire(_once)?\b.*?;
Description: Critical PHP function “require”
Tags:
- rce
- lfi
- php
Impact: 4
- Command execution [8]
- High risk of false-positives [-4]
Examples:
- require('/etc/passwd');
- require_once '/etc/passwd';
76
Regular Expression: \{\s*\$\s*\{.+?\}\s*\}
Description: PHP complex curly syntax
Tags:
- rce
- php
Impact: 8
- Command execution / information disclosure [8]
- Low risk of false-positives [0]
Resources:
Examples:
- {${phpinfo()}}
77
Regular Expression: @(cc_on|set)\b
Description: Conditional compilation token
Tags:
- xss
Impact: 3
- Command execution [6]
- Mediocre risk of false-positives [-3]
Resources:
Examples:
- @cc_on
78
Regular Expression: \bfirefoxurl\s*:
Description: Firefox “firefoxurl” URI handler
Tags:
- xss
Impact: 3
- Cache poisoning [6]
- Mediocre risk of false-positives [-3]
Resources:
Examples:
- firefoxurl://
79
Regular Expression: \bwyciwyg\s*:
Description: Firefox “wyciwyg” URI handler
Tags:
- xss
Impact: 3
- Cache poisoning [6]
- Mediocre risk of false-positives [-3]
Resources:
Examples:
- wyciwyg://
80
Regular Expression: \bdocument\b.*?\.
Description: JavaScript attribute “document”
Tags:
- xss
Impact: 2
- Cross-site scripting [6]
- High risk of false-positives [-4]
Resources:
Examples:
- document.cookie
81
Regular Expression: \bwindow\b.*?\.
Description: JavaScript attribute “window”
Tags:
- xss
Impact: 2
- Cross-site scripting [6]
- High risk of false-positives [-4]
Resources:
Examples:
- window.content
82
Regular Expression: =\s*\w+\s*\+\s*['"]
Description: Common concatenation pattern
Tags:
- xss
Impact: 1
- Cross-site scripting [6]
- High risk of false-positives [-5]
Examples:
- = foo + '
83
Regular Expression: \+=\s*\(\s*['"]
Description: Common concatenation pattern
Tags:
- xss
Impact: 1
- Cross-site scripting [6]
- High risk of false-positives [-5]
Examples:
- += ('
84
Regular Expression: ['"]\s*\+\s*['"]
Description: Common concatenation pattern
Tags:
- xss
Impact: 1
- Cross-site scripting [6]
- High risk of false-positives [-5]
Examples:
- ' + '
85
Regular Expression: \|\(\w+=
Description: LDAP
Tags:
- ldap
Impact: 3
- Information disclosure [6]
- Mediocre risk of false-positives [-3]
Resources:
Examples:
- |(foo=
86
Regular Expression: \bfunction\b[^(]*\([^)]*\)
Description: Common function declaration
Tags:
- xss
- rce
Impact: 3
- Common code pattern [6]
- Mediocre risk of false-positives [-3]
Examples:
- function foo() {}
87
Regular Expression: \bbenchmark\b.*?\(.+?,.+?\)
Description: Blind MySQL “benchmark”
Tags:
- sqli
- mysql
Impact: 6
- SQL injection [6]
- Low risk of false-positives [0]
Resources:
Examples:
- SELECT BENCHMARK(1000000,ENCODE('hello','goodbye'))
88
Regular Expression: \bsleep\b.*?\(.+?\)
Description: Blind SQL “sleep”
Tags:
- sqli
- dos
Impact: 2
- SQL injection [6]
- High risk of false-positives [-4]
Resources:
Examples:
- SELECT SLEEP(1000)
89
Regular Expression: \bload_file\b.*?\(.+?\)
Description: MySQL file disclosure “load_file”
Tags:
- sqli
- mysql
Impact: 7
- SQL injection / file disclosure [7]
- Low risk of false-positives [0]
Resources:
Examples:
- SELECT LOAD_FILE('/etc/passwd')
90
Regular Expression: \bload\b.*?\bdata\b.*?\binfile\b.*?\binto\b.*?\btable\b
Description: MySQL file disclosure “load data”
Tags:
- sqli
- mysql
Impact: 7
- SQL injection / file disclosure [7]
- Low risk of false-positives [0]
Resources:
Examples:
- LOAD DATA INFILE 'foo' INTO TABLE bar
91
Regular Expression: \bselect\b.*?\binto\b.*?\b(out|dump)file\b
Description: MySQL file write “into outfile”
Tags:
- sqli
- mysql
Impact: 8
- SQL injection / file write [8]
- Low risk of false-positives [0]
Resources:
Examples:
- SELECT 'foo' INTO OUTFILE 'bar'
- SELECT 'foo' INTO DUMPFILE 'bar'
92
Regular Expression: \b(group_)?concat(_ws)?\b.*?\(.+?\)
Description: MySQL function “concat”
Tags:
- sqli
- mysql
Impact: 3
- SQL injection [6]
- Mediocre risk of false-positives [-3]
Resources:
Examples:
- SELECT CONCAT(foo, ':', bar)
- SELECT GROUP_CONCAT(foo)
93
Regular Expression: \binformation_schema\b
Description: MySQL information disclosure
Tags:
- sqli
- mysql
Impact: 7
- SQL injection [6]
- Low risk of false-positives [1]
Resources:
Examples:
- SELECT schema_name FROM information_schema.schemata
94
Regular Expression: \bpg_sleep\b.*?\(.+?\)
Description: Blind PgSQL “pg_sleep”
Tags:
- sqli
- dos
- pgsql
Impact: 6
- SQL injection [6]
- Low risk of false-positives [0]
Resources:
Examples:
- SELECT pg_sleep(1.5)
95
Regular Expression: \bwaitfor\b.*?\b(delay|time(out)?)\b
Description: Blind TSQL “waitfor”
Tags:
- sqli
- dos
- tsql
Impact: 4
- SQL injection [6]
- Mediocre risk of false-positives [-2]
Resources:
Examples:
- WAITFOR { DELAY '1000' }
- WAITFOR { TIME '1000' }
96
Regular Expression: \b(char_|bit_)?length\b.*?\(.+?\)
Description: Common SQL function “length”
Tags:
- sqli
Impact: 2
- SQL injection [6]
- High risk of false-positives [-4]
Resources:
- https://dev.mysql.com/doc/refman/5.7/en/string-functions.html#function_length
- https://dev.mysql.com/doc/refman/5.7/en/string-functions.html#function_bit-length
Examples:
- SELECT LENGTH('foo')
- SELECT CHAR_LENGTH('foo')
- SELECT BIT_LENGTH('foo')
97
Regular Expression: \b(un)?hex\b.*?\(.+?\)
Description: Common SQL function “hex/unhex”
Tags:
- sqli
Impact: 2
- SQL injection [6]
- High risk of false-positives [-4]
Resources:
- https://dev.mysql.com/doc/refman/5.7/en/string-functions.html#function_hex
- https://dev.mysql.com/doc/refman/5.7/en/string-functions.html#function_unhex
Examples:
- SELECT HEX('foo')
- SELECT UNHEX('00')
98
Regular Expression: \b(from|to)_base64\b.*?\(.+?\)
Description: Common MySQL function “from_base64/to_base64”
Tags:
- sqli
Impact: 4
- SQL injection [6]
- Low risk of false-positives [-2]
Resources:
- https://dev.mysql.com/doc/refman/5.7/en/string-functions.html#function_from-base64
- https://dev.mysql.com/doc/refman/5.7/en/string-functions.html#function_to-base64
Examples:
- SELECT TO_BASE64('foo')
- SELECT FROM_BASE64('foo')
99
Regular Expression: \bsubstr(ing(_index)?)?\b.*?\(.+?,.+?\)
Description: Common SQL function “substr”
Tags:
- sqli
Impact: 3
- SQL injection [6]
- Mediocre risk of false-positives [-3]
Resources:
Examples:
- SELECT SUBSTR('foo',1)
- SELECT SUBSTRING('foo',1)
- SELECT SUBSTRING_INDEX('foo',1)
100
Regular Expression: \b(current_)?user\b.*?\(.*?\)
Description: Common SQL function “user”
Tags:
- sqli
Impact: 2
- SQL injection / information disclosure [6]
- High risk of false-positives [-4]
Examples:
- SELECT user()
- SELECT current_user()
101
Regular Expression: \bversion\b.*?\(.*?\)
Description: Common SQL function “version”
Tags:
- sqli
Impact: 2
- SQL injection / information disclosure [6]
- High risk of false-positives [-4]
Examples:
- SELECT version()
102
Regular Expression: @@.+?
Description: SQL system variable
Tags:
- sqli
Impact: 1
- SQL injection / information disclosure [6]
- High risk of false-positives [-5]
Examples:
- SELECT @@user
103
Regular Expression: \boct\b.*?\(.+?\)
Description: Common SQL function “oct”
Tags:
- sqli
Impact: 2
- SQL injection [6]
- High risk of false-positives [-4]
Resources:
Examples:
- SELECT OCT(12)
104
Regular Expression: \bord\b.*?\(.+?\)
Description: Common SQL function “ord”
Tags:
- sqli
Impact: 2
- SQL injection [6]
- High risk of false-positives [-4]
Resources:
Examples:
- SELECT ORD('2')
105
Regular Expression: \bascii\b.*?\(.+?\)
Description: Common SQL function “ascii”
Tags:
- sqli
Impact: 2
- SQL injection [6]
- High risk of false-positives [-4]
Resources:
Examples:
- SELECT ASCII('2')
106
Regular Expression: \bbin\b.*?\(.+?\)
Description: Common SQL function “bin”
Tags:
- sqli
Impact: 2
- SQL injection [6]
- High risk of false-positives [-4]
Resources:
Examples:
- SELECT BIN(12)
107
Regular Expression: \bcha?r\b.*?\(.+?\)
Description: Common SQL function “char”
Tags:
- sqli
Impact: 2
- SQL injection [6]
- High risk of false-positives [-4]
Resources:
Examples:
- SELECT CHAR(77,121,83,81,76)
108
Regular Expression: \bwhere\b.+?(\b(not_)?(like|regexp)\b|[=<>])
Description: Common SQL comparison “where”
Tags:
- sqli
Impact: 2
- SQL injection [6]
- High risk of false-positives [-4]
Resources:
- https://dev.mysql.com/doc/refman/5.7/en/string-comparison-functions.html#operator_like
- https://dev.mysql.com/doc/refman/5.7/en/regexp.html#operator_regexp
Examples:
- SELECT foo FROM bar WHERE name LIKE '%admin%'
109
Regular Expression: \bif\b.*?\(.+?,.+?,.+?\)
Description: Common SQL comparison “if”
Tags:
- sqli
Impact: 2
- SQL injection [6]
- High risk of false-positives [-4]
Resources:
Examples:
- SELECT IF(1>2,2,3)
110
Regular Expression: \b(ifnull|nullif)\b.*?\(.+?,.+?\)
Description: Common SQL comparison “ifnull”
Tags:
- sqli
Impact: 3
- SQL injection [6]
- Mediocre risk of false-positives [-3]
Resources:
- https://dev.mysql.com/doc/refman/5.7/en/control-flow-functions.html#function_ifnull
- https://dev.mysql.com/doc/refman/5.7/en/control-flow-functions.html#function_nullif
Examples:
- SELECT IFNULL(1,0)
- SELECT NULLIF(1,1)
111
Regular Expression: \bwhere\b.+?(\b(n?and|x?or|not)\b|(\&\&|\|\|))
Description: Common SQL comparison “where”
Tags:
- sqli
Impact: 3
- SQL injection [7]
- High risk of false-positives [-4]
Examples:
- SELECT foo FROM bar WHERE id = 1 OR id = 2
112
Regular Expression: \bcase\b.+?\bwhen\b.+?\bend\b
Description: Common SQL comparison “case”
Tags:
- sqli
Impact: 4
- SQL injection [6]
- Low risk of false-positives [-2]
Resources:
Examples:
- CASE case_value WHEN when_value THEN statement_list END CASE
113
Regular Expression: \bexec\b.+?\bxp_cmdshell\b
Description: MSSQL code execution “xp_cmdshell”
Tags:
- sqli
- rce
- mssql
Impact: 9
- SQL injection / code execution [8]
- Low risk of false-positives [1]
Examples:
- exec master..xp_cmdshell 'echo foo'
114
Regular Expression: \bcreate\b.+?\b(procedure|function)\b.*?\(.*?\)
Description: Common SQL command “create”
Tags:
- sqli
Impact: 4
- SQL injection [7]
- Mediocre risk of false-positives [-3]
Examples:
- CREATE PROCEDURE foo()
115
Regular Expression: \binsert\b.+?\binto\b.*?\bvalues\b.*?\(.+?\)
Description: Common SQL command “insert”
Tags:
- sqli
Impact: 5
- SQL injection [7]
- Mediocre risk of false-positives [-2]
Examples:
- INSERT INTO table (col1,col2) VALUES('foo','bar')
116
Regular Expression: \bselect\b.+?\bfrom\b
Description: Common SQL command “select”
Tags:
- sqli
Impact: 3
- SQL injection [7]
- High risk of false-positives [-4]
Examples:
- SELECT foo FROM bar
117
Regular Expression: \bpg_user\b
Description: PgSQL information disclosure “pg_user”
Tags:
- sqli
- pgsql
Impact: 7
- SQL injection [6]
- Low risk of false-positives [1]
Examples:
- SELECT * FROM pg_user
118
Regular Expression: \bpg_database\b
Description: PgSQL information disclosure “pg_database”
Tags:
- sqli
- pgsql
Impact: 7
- SQL injection [6]
- Low risk of false-positives [1]
Examples:
- SELECT * FROM pg_database
119
Regular Expression: \bpg_shadow\b
Description: PgSQL information disclosure “pg_shadow”
Tags:
- sqli
- pgsql
Impact: 7
- SQL injection [6]
- Low risk of false-positives [1]
Examples:
- SELECT * FROM pg_shadow
120
Regular Expression: \b(current_)?database\b.*?\(.*?\)
Description: Common SQL function “database”
Tags:
- sqli
Impact: 2
- SQL injection / information disclosure [6]
- High risk of false-positives [-4]
Examples:
- SELECT database()
- SELECT current_database()
Tags
Each filter has associated tags, which are typically abbreviations of attack classes. They stand for:
- bash: Bash-related attacks
- css: Cascading Style Sheets
- dos: Denial of Service
- id: Information Disclosure
- ldap: LDAP protocol
- lfi: Local File Inclusions
- mongo: MongoDB injections
- mssql: MSSQL injections
- mysql: MySQL injections
- perl: Perl-related attacks
- pgsql: PostgreSQL injections
- php: PHP-related attacks
- rce: Remote Code Execution
- rfi: Remote File Inclusion
- spam: Attempts to send spam
- sqli: SQL injections
- sqlite: SQLite injections
- tsql: Transact-SQL injections
- unix: *nix-related attacks (Linux, Unix, etc.)
- win: Windows-related attacks
- xss: Cross-Site Scripting
- xxe: XML External Entity attacks