100+ WAF blacklist regular expression rule examples

WAF blacklist rule examples – Shadow Daemon

Figure: Flowchart blacklist

1

Regular Expression: \(\)\s*\{.*?;\s*\}\s*;

Description: Shellshock (CVE-2014-6271)

Tags:

  • rce
  • bash

Impact: 9

  • Command execution [8]
  • Low risk of false-positives [1]

Resources:

Examples:

  • env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

2

Regular Expression: \(\)\s*\{.*?\(.*?\).*?=>.*?\\'

Description: Shellshock (CVE-2014-7169)

Tags:

  • rce
  • bash

Impact: 9

  • Command execution [8]
  • Low risk of false-positives [1]

Resources:

Examples:

  • env X='() { (a)=>\' bash -c "echo date"; cat echo

3

Regular Expression: \{\{.*?\}\}

Description: Flask curly syntax

Tags:

  • rce
  • id

Impact: 4

  • Command execution [6]
  • Mediocre risk of false-positives [-2]

Resources:

Examples:

  • {{foo.bar}}

4

Regular Expression: \bfind_in_set\b.*?\(.+?,.+?\)

Description: Common MySQL function “find_in_set”

Tags:

  • sqli
  • mysql

Impact: 6

  • SQL injection [6]
  • Low risk of false-positives [0]

Resources:

Examples:

  • SELECT FIND_IN_SET('b','a,b,c,d')

5

Regular Expression: ["'].*?>

Description: HTML breaking

Tags:

  • xss

Impact: 3

  • Cross-site scripting [6]
  • Mediocre risk of false-positives [-3]

Examples:

  • ">

6

Regular Expression: \bsqlite_master\b

Description: SQLite information disclosure “sqlite_master”

Tags:

  • sqli
  • sqlite

Impact: 7

  • SQL injection [6]
  • Low risk of false-positives [1]

Examples:

  • SELECT name FROM sqlite_master

7

Regular Expression: \bmysql.*?\..*?user\b

Description: MySQL information disclosure “mysql.user”

Tags:

  • sqli
  • mysql

Impact: 3

  • SQL injection [6]
  • Mediocre risk of false-positives [-3]

Examples:

  • SELECT user FROM mysql.user

8

Regular Expression: #.+?\)["\s]*>

Description: HTML breaking

Tags:

  • xss

Impact: 5

  • Cross-site scripting [6]
  • Low risk of false-positives [-1]

Examples:

  • #foo)">

9

Regular Expression: ['"][,;\s]+\w*[\[\(]

Description: HTML breaking

Tags:

  • xss

Impact: 3

  • Cross-site scripting [6]
  • Mediocre risk of false-positives [-3]

Examples:

  • "; foo(

10

Regular Expression: >.*?<\s*\/?[\w\s]+>

Description: Unquoted HTML breaking with closing tag

Tags:

  • xss

Impact: 3

  • Cross-site scripting [6]
  • Mediocre risk of false-positives [-3]

Examples:

  • ></foo>

11

Regular Expression: \blocation\b.*?\..*?\bhash\b

Description: JavaScript “location.hash”

Tags:

  • xss

Impact: 2

  • Cross-site scripting [6]
  • High risk of false-positives [-4]

Examples:

  • location.hash.slice(1)

12

Regular Expression: \bwith\b\s*\(.+?\)[\s\w]+\(

Description: Self-contained payload

Tags:

  • xss

Impact: 6

  • Cross-site scripting [6]
  • Low risk of false-positives [0]

Resources:

Examples:

  • with(location)with(hash)eval(substring(1))

13

Regular Expression: (\b(do|while|for)\b.*?\([^)]*\).*?\{)|(\}.*?\b(do|while|for)\b.*?\([^)]*\))

Description: C-style loops

Tags:

  • rce
  • xss
  • dos

Impact: 4

  • Common code pattern [6]
  • Mediocre risk of false-positives [-2]

Examples:

  • while (true) {fork();}
  • {fork();} while (true);

14

Regular Expression: [=(].+?\?.+?:

Description: C-style ternary operator

Tags:

  • rce
  • xss

Impact: 2

  • Common code pattern [6]
  • High risk of false-positives [-4]

Examples:

  • 1=1 ? true : false

15

Regular Expression: \\u00[a-f0-9]{2}

Description: Octal entity

Tags:

  • rce
  • xss

Impact: 1

  • Common code pattern [5]
  • High risk of false-positives [-4]

Examples:

  • \u00ff

16

Regular Expression: \\x0*[a-f0-9]{2}

Description: Hex entity

Tags:

  • rce
  • xss

Impact: 1

  • Common code pattern [5]
  • High risk of false-positives [-4]

Examples:

  • \x0ff

17

Regular Expression: \\\d{2,3}

Description: Unicode entity

Tags:

  • rce
  • xss

Impact: 1

  • Common code pattern [5]
  • High risk of false-positives [-4]

Examples:

  • \01

18

Regular Expression: \.\.[\/\\]

Description: Directory traversal

Tags:

  • lfi

Impact: 4

  • Information disclosure / command execution [8]
  • High risk of false-positives [-4]

Examples:

  • ../../etc/passwd

19

Regular Expression: %(c0\.|af\.|5c\.)

Description: Directory traversal unicode + urlencoding

Tags:

  • lfi

Impact: 4

  • Information disclosure / command execution [8]
  • High risk of false-positives [-4]

Resources:

Examples:

  • %c0.
  • %af.
  • %5c.

20

Regular Expression: %2e%2e[\/\\]

Description: Directory traversal urlencoding

Tags:

  • lfi

Impact: 4

  • Information disclosure / command execution [8]
  • High risk of false-positives [-4]

Examples:

  • %2e%2e/%2e%2e/etc/passwd

21

Regular Expression: %c0%ae[\/\\]

Description: Directory traversal unicode + urlencoding

Tags:

  • lfi

Impact: 4

  • Information disclosure / command execution [8]
  • High risk of false-positives [-4]

Resources:

Examples:

  • %c0%ae/%c0%ae/etc/passwd

22

Regular Expression: \.(ht(access|passwd|group))|(apache|httpd)\d?\.conf

Description: Common Apache files

Tags:

  • lfi

Impact: 4

  • Information disclosure [6]
  • Mediocre risk of false-positives [-2]

Examples:

  • ../.htaccess
  • /etc/apache/httpd.conf
  • /etc/apache2/apache2.conf

23

Regular Expression: \/etc\/[.\/]*(passwd|shadow|master\.passwd)

Description: Common Unix files

Tags:

  • lfi
  • unix

Impact: 4

  • Information disclosure [6]
  • Mediocre risk of false-positives [-2]

Examples:

  • /etc/shadow
  • /etc/./passwd

24

Regular Expression: \bdata:.*?,

Description: Data URI scheme

Tags:

  • xss

Impact: 2

  • Cross-site scripting [6]
  • High risk of false-positives [-4]

Resources:

Examples:

  • 

25

Regular Expression: ;base64|base64,

Description: Data URI scheme “base64”

Tags:

  • xss

Impact: 2

  • Cross-site scripting [6]
  • High risk of false-positives [-4]

Resources:

Examples:

  • 

26

Regular Expression: php:\/\/filter

Description: PHP input/output stream filter

Tags:

  • lfi
  • rce
  • php

Impact: 6

  • Obfuscation / file disclosure [6]
  • Low risk of false-positives [0]

Resources:

Examples:

  • php://filter/convert.base64-encode/resource=config.php

27

Regular Expression: php:\/\/input

Description: PHP input stream

Tags:

  • rce
  • php

Impact: 6

  • Obfuscation [6]
  • Low risk of false-positives [0]

Resources:

Examples:

  • include('php://input');

28

Regular Expression: php:\/\/output

Description: PHP output stream

Tags:

  • xss
  • php

Impact: 6

  • Cross-site scripting [6]
  • Low risk of false-positives [0]

Resources:

Examples:

  • file_put_contents('php://output', 'foo');

29

Regular Expression: convert\.base64-(de|en)code

Description: PHP input/output stream filter “base64”

Tags:

  • lfi
  • rce
  • php

Impact: 6

  • Obfuscation / file disclosure [6]
  • Low risk of false-positives [0]

Resources:

Examples:

  • php://filter/convert.base64-encode/resource=config.php

30

Regular Expression: zlib\.(de|in)flate

Description: PHP input/output stream filter “zlib”

Tags:

  • lfi
  • rce
  • php

Impact: 6

  • Obfuscation / file disclosure [6]
  • Low risk of false-positives [0]

Resources:

Examples:

  • php://filter/zlib.deflate/resource=config.php

31

Regular Expression: @import\b

Description: CSS “import”

Tags:

  • xss
  • css

Impact: 3

  • Obfuscation [6]
  • Mediocre risk of false-positives [-3]

Resources:

Examples:

  • @import url(http://foo/bar);

32

Regular Expression: \burl\s*\(.+?\)

Description: CSS pointer to resource

Tags:

  • xss
  • rfi
  • css

Impact: 2

  • Obfuscation [6]
  • High risk of false-positives [-4]

Resources:

Examples:

  • @import url(http://foo/bar);

33

Regular Expression: \/\/.+?\/

Description: URL

Tags:

  • rfi

Impact: 1

  • Obfuscation [6]
  • Very high risk of false-positives [-5]

Examples:

  • http://foobar.org/

34

Regular Expression: \)\s*\[

Description: JavaScript language construct

Tags:

  • xss

Impact: 2

  • Cross-site scripting [6]
  • High risk of false-positives [-4]

Examples:

  • ) [

35

Regular Expression: <\?(?!xml\s)

Description: PHP opening tag

Tags:

  • rce
  • php

Impact: 3

  • Command execution [8]
  • High risk of false-positives [-5]

Examples:

  • <?php
  • <?

36

Regular Expression: %(HOME(DRIVE|PATH)|SYSTEM(DRIVE|ROOT)|WINDIR|USER(DOMAIN|PROFILE|NAME)|((LOCAL)?APP|PROGRAM)DATA)%

Description: Common Windows environment variable

Tags:

  • lfi
  • win

Impact: 2

  • File disclosure [5]
  • Mediocre risk of false-positives [-3]

Resources:

Examples:

  • %WINDIR%\\cmd.exe

37

Regular Expression: %\w+%

Description: Windows environment variable pattern

Tags:

  • lfi
  • win

Impact: 1

  • File disclosure [5]
  • High risk of false-positives [-3]
  • Overlaps with 36 [-1]

Examples:

  • %FOO%

38

Regular Expression: \bunion\b.+?\bselect\b

Description: Common SQL command “union select”

Tags:

  • sqli

Impact: 3

  • SQL injection [7]
  • High risk of false-positives [-4]

Examples:

  • ' UNION SELECT user()-- --

39

Regular Expression: \bupdate\b.+?\bset\b

Description: Common SQL command “update”

Tags:

  • sqli

Impact: 3

  • SQL injection [7]
  • High risk of false-positives [-4]

Examples:

  • UPDATE users SET permissions='admin'

40

Regular Expression: \bdrop\b.+?\b(database|table)\b

Description: Common SQL command “drop”

Tags:

  • sqli

Impact: 3

  • SQL injection [7]
  • High risk of false-positives [-4]

Examples:

  • DROP TABLE users
  • DROP DATABASE blog

41

Regular Expression: \bdelete\b.+?\bfrom\b

Description: Common SQL command “delete”

Tags:

  • sqli

Impact: 3

  • SQL injection [7]
  • High risk of false-positives [-4]

Examples:

  • DELETE FROM users

42

Regular Expression: --.+?

Description: Common SQL comment syntax

Tags:

  • sqli

Impact: 1

  • SQL injection [6]
  • Very high risk of false-positives [-5]

Examples:

  • ' OR 1-- --

43

Regular Expression: \[\$(ne|eq|lte?|gte?|n?in|mod|all|size|exists|type|slice|or)\]

Description: MongoDB SQL commands

Tags:

  • sqli
  • mongo

Impact: 5

  • SQL injection [6]
  • Low risk of false-positives [-1]

Examples:

  • [$ne]

44

Regular Expression: \$\(.+?\)

Description: jQuery selector

Tags:

  • xss

Impact: 2

  • Cross-site scripting [6]
  • High risk of false-positives [-4]

Examples:

  • $('#login')

45

Regular Expression: \/\*.*?\*\/

Description: C-style comment syntax

Tags:

  • sqli

Impact: 3

  • SQL injection [6]
  • Mediocre risk of false-positives [-3]

Examples:

  • /**/

46

Regular Expression: <!-.+?-->

Description: XML comment syntax

Tags:

  • xss
  • xxe

Impact: 3

  • Cross-site scripting [6]
  • Mediocre risk of false-positives [-3]

Examples:

  • <!- -->

47

Regular Expression: <base\b.+?\bhref\b.+?>

Description: Base URL

Tags:

  • xss

Impact: 6

  • Cross-site scripting [6]
  • Low risk of false-positives [0]

Resources:

Examples:

  • <base href="http://foo/">

48

Regular Expression: <!(element|entity|\[CDATA)

Description: XML entity injections

Tags:

  • xss
  • xxe

Impact: 6

  • File disclosure [6]
  • Low risk of false-positives [0]

Examples:

  • <![CDATA[<]]>script<![CDATA[>]]>
  • <!ENTITY xxe SYSTEM "file:///dev/random" >]>

49

Regular Expression: <(applet|object|embed|audio|video|img|svg)

Description: Common JavaScript injection points (media)

Tags:

  • xss

Impact: 2

  • Cross-site scripting [6]
  • High risk of false-positives [-4]

Examples:

  • <img onerror="" />

50

Regular Expression: <a\b.+?\bhref\b

Description: Common JavaScript injection points (links)

Tags:

  • xss

Impact: 2

  • Cross-site scripting [6]
  • High risk of false-positives [-4]

Examples:

  • <a href=""></a>

51

Regular Expression: <(form|button|input|keygen|textarea|select|option)

Description: Common JavaScript injection points (forms)

Tags:

  • xss

Impact: 4

  • Cross-site scripting [6]
  • Mediocre risk of false-positives [-2]

Examples:

  • <form></form>

52

Regular Expression: <(html|body|meta|link|i?frame|script|map)

Description: Common JavaScript injection points

Tags:

  • xss

Impact: 4

  • Cross-site scripting [6]
  • Mediocre risk of false-positives [-2]

Examples:

  • <script></script>

53

Regular Expression: (?<!\w)(boot\.ini|global\.asa|sam)\b

Description: Common Windows files

Tags:

  • lfi
  • win

Impact: 4

  • Information disclosure [6]
  • Mediocre risk of false-positives [-2]

Examples:

  • C:\boot.ini

54

Regular Expression: \bon\w+\s*=

Description: HTML event handler

Tags:

  • xss

Impact: 3

  • Cross-site scripting [6]
  • Mediocre risk of false-positives [-3]

Examples:

  • <img onerror="" />

55

Regular Expression: \b(chrome|file):\/\/

Description: Local file inclusion

Tags:

  • xss
  • lfi

Impact: 3

  • Information disclosure [6]
  • Mediocre risk of false-positives [-3]

Examples:

  • file:///etc/passwd

56

Regular Expression: &#?(\w+);

Description: HTML escaped character

Tags:

  • xss

Impact: 2

  • Cross-site scripting [6]
  • High risk of false-positives [-4]

Examples:

  • &amp;

57

Regular Expression: ^(\s*)\||\|(\s*)$

Description: Perl command injection

Tags:

  • rce
  • perl

Impact: 5

  • Command injection [8]
  • Mediocre risk of false-positives [-3]

Examples:

  • |id
  • id|

58

Regular Expression: <!--\W*?#\W*?(cmd|echo|exec|include|printenv)\b

Description: Apache server-side include

Tags:

  • rce
  • xss
  • lfi

Impact: 6

  • Command injection / file disclosure [8]
  • Low risk of false-positives [-2]

Examples:

  • <!--#include

59

Regular Expression: \{\s*\w+\s*:\s*[+-]?\s*\d+\s*:.*?\}

Description: Serialized PHP objects

Tags:

  • php

Impact: 5

  • Everything is possible [8]
  • Mediocre risk of false-positives [-3]

Examples:

  • O:3:"foo":1:{s:8:"foobar";s:3:"quz";}

60

Regular Expression: [\n\r]\s*\b(?:to|b?cc)\b\s*:.*?\@

Description: Email injection

Tags:

  • spam

Impact: 5

  • Spam [4]
  • Low risk of false-positives [1]

Examples:

  • \nto: foo@bar.de

61

Regular Expression: \bcall_user_func\b.*?\(.+?\)

Description: Critical PHP function “call_user_func”

Tags:

  • rce
  • php

Impact: 7

  • Command execution [8]
  • Low risk of false-positives [-1]

Resources:

Examples:

  • call_user_func('foo', $a);

62

Regular Expression: \bcreate_function\b.*?\(.+?\)

Description: Critical PHP function “create_function”

Tags:

  • rce
  • php

Impact: 7

  • Command execution [8]
  • Low risk of false-positives [-1]

Resources:

Examples:

  • create_function('$a', 'return $a;');

63

Regular Expression: \beval\b.*?(\(.+?\)|\{.+?\})

Description: Critical function “eval”

Tags:

  • rce
  • php
  • perl

Impact: 4

  • Command execution [8]
  • High risk of false-positives [-4]

Resources:

Examples:

  • eval('foo');
  • eval { foo(); }

64

Regular Expression: \bexec\b.*?\(.+?\)

Description: Critical PHP function “exec”

Tags:

  • rce
  • php

Impact: 4

  • Command execution [8]
  • High risk of false-positives [-4]

Resources:

Examples:

  • exec('cat /etc/passwd');

65

Regular Expression: \bf(get|open|read|write)\b.*?\(.+?\)

Description: Critical PHP function “fopen/fget/fread/fwrite”

Tags:

  • rce
  • lfi
  • php

Impact: 5

  • Command execution / file disclosure [8]
  • Mediocre risk of false-positives [-3]

Resources:

Examples:

  • fopen('/etc/passwd', 'r');

66

Regular Expression: \bfile_(get|put)_contents\b.*?\(.+?\)

Description: Critical PHP function “file_get_contents/file_put_contents”

Tags:

  • rce
  • lfi
  • php

Impact: 7

  • Command execution / file disclosure [8]
  • Low risk of false-positives [-1]

Resources:

Examples:

  • file_get_contents('/etc/passwd');
  • file_put_contents('/etc/passwd', 'foo');

67

Regular Expression: \bmove_uploaded_file\b.*?\(.+?\)

Description: Critical PHP function “move_uploaded_file”

Tags:

  • rce
  • php

Impact: 7

  • Command execution [8]
  • Low risk of false-positives [-1]

Resources:

Examples:

  • move_uploaded_file($tmp_name, $name);

68

Regular Expression: \bpassthru\b.*?\(.+?\)

Description: Critical PHP function “passthru”

Tags:

  • rce
  • php

Impact: 7

  • Command execution [8]
  • Low risk of false-positives [-1]

Resources:

Examples:

  • passthru('cat /etc/passwd');

69

Regular Expression: \bp(roc_)?open\b.*?\(.+?\)

Description: Critical PHP function “popen/proc_open”

Tags:

  • rce
  • php

Impact: 6

  • Command execution [8]
  • Mediocre risk of false-positives [-2]

Resources:

Examples:

  • proc_open('cat', $descriptorspec, $pipes, $cwd, $env);

70

Regular Expression: \breadfile\b.*?\(.+?\)

Description: Critical PHP function “readfile”

Tags:

  • lfi
  • php

Impact: 5

  • File disclosure [7]
  • Mediocre risk of false-positives [-2]

Resources:

Examples:

  • readfile('/etc/passwd');

71

Regular Expression: \bshell_exec\b.*?\(.+?\)

Description: Critical PHP function “shell_exec”

Tags:

  • rce
  • php

Impact: 7

  • Command execution [8]
  • Low risk of false-positives [-1]

Resources:

Examples:

  • shell_exec('cat /etc/passwd');

72

Regular Expression: \bsystem\b.*?\(.+?\)

Description: Critical PHP function “system”

Tags:

  • rce
  • php

Impact: 5

  • Command execution [8]
  • Mediocre risk of false-positives [-3]

Resources:

Examples:

  • system('cat /etc/passwd');

73

Regular Expression: \bpreg_(replace|match)\b.*?\(.+?\)

Description: Critical PHP function “preg_match/preg_replace”

Tags:

  • rce
  • php

Impact: 7

  • Command execution [8]
  • Low risk of false-positives [-1]

Resources:

Examples:

  • preg_replace('//e', 'phpinfo()', $x);

74

Regular Expression: \binclude(_once)?\b.*?;

Description: Critical PHP function “include”

Tags:

  • rce
  • lfi
  • php

Impact: 4

  • Command execution [8]
  • High risk of false-positives [-4]

Examples:

  • include('/etc/passwd');
  • include_once '/etc/passwd';

75

Regular Expression: \brequire(_once)?\b.*?;

Description: Critical PHP function “require”

Tags:

  • rce
  • lfi
  • php

Impact: 4

  • Command execution [8]
  • High risk of false-positives [-4]

Examples:

  • require('/etc/passwd');
  • require_once '/etc/passwd';

76

Regular Expression: \{\s*\$\s*\{.+?\}\s*\}

Description: PHP complex curly syntax

Tags:

  • rce
  • php

Impact: 8

  • Command execution / information disclosure [8]
  • Low risk of false-positives [0]

Resources:

Examples:

  • {${phpinfo()}}

77

Regular Expression: @(cc_on|set)\b

Description: Conditional compilation token

Tags:

  • xss

Impact: 3

  • Command execution [6]
  • Mediocre risk of false-positives [-3]

Resources:

Examples:

  • @cc_on

78

Regular Expression: \bfirefoxurl\s*:

Description: Firefox “firefoxurl” URI handler

Tags:

  • xss

Impact: 3

  • Cache poisoning [6]
  • Mediocre risk of false-positives [-3]

Resources:

Examples:

  • firefoxurl://

79

Regular Expression: \bwyciwyg\s*:

Description: Firefox “wyciwyg” URI handler

Tags:

  • xss

Impact: 3

  • Cache poisoning [6]
  • Mediocre risk of false-positives [-3]

Resources:

Examples:

  • wyciwyg://

80

Regular Expression: \bdocument\b.*?\.

Description: JavaScript attribute “document”

Tags:

  • xss

Impact: 2

  • Cross-site scripting [6]
  • High risk of false-positives [-4]

Resources:

Examples:

  • document.cookie

81

Regular Expression: \bwindow\b.*?\.

Description: JavaScript attribute “window”

Tags:

  • xss

Impact: 2

  • Cross-site scripting [6]
  • High risk of false-positives [-4]

Resources:

Examples:

  • window.content

82

Regular Expression: =\s*\w+\s*\+\s*['"]

Description: Common concatenation pattern

Tags:

  • xss

Impact: 1

  • Cross-site scripting [6]
  • High risk of false-positives [-5]

Examples:

  • = foo + '

83

Regular Expression: \+=\s*\(\s*['"]

Description: Common concatenation pattern

Tags:

  • xss

Impact: 1

  • Cross-site scripting [6]
  • High risk of false-positives [-5]

Examples:

  • += ('

84

Regular Expression: ['"]\s*\+\s*['"]

Description: Common concatenation pattern

Tags:

  • xss

Impact: 1

  • Cross-site scripting [6]
  • High risk of false-positives [-5]

Examples:

  • ' + '

85

Regular Expression: \|\(\w+=

Description: LDAP

Tags:

  • ldap

Impact: 3

  • Information disclosure [6]
  • Mediocre risk of false-positives [-3]

Resources:

Examples:

  • |(foo=

86

Regular Expression: \bfunction\b[^(]*\([^)]*\)

Description: Common function declaration

Tags:

  • xss
  • rce

Impact: 3

  • Common code pattern [6]
  • Mediocre risk of false-positives [-3]

Examples:

  • function foo() {}

87

Regular Expression: \bbenchmark\b.*?\(.+?,.+?\)

Description: Blind MySQL “benchmark”

Tags:

  • sqli
  • mysql

Impact: 6

  • SQL injection [6]
  • Low risk of false-positives [0]

Resources:

Examples:

  • SELECT BENCHMARK(1000000,ENCODE('hello','goodbye'))

88

Regular Expression: \bsleep\b.*?\(.+?\)

Description: Blind SQL “sleep”

Tags:

  • sqli
  • dos

Impact: 2

  • SQL injection [6]
  • High risk of false-positives [-4]

Resources:

Examples:

  • SELECT SLEEP(1000)

89

Regular Expression: \bload_file\b.*?\(.+?\)

Description: MySQL file disclosure “load_file”

Tags:

  • sqli
  • mysql

Impact: 7

  • SQL injection / file disclosure [7]
  • Low risk of false-positives [0]

Resources:

Examples:

  • SELECT LOAD_FILE('/etc/passwd')

90

Regular Expression: \bload\b.*?\bdata\b.*?\binfile\b.*?\binto\b.*?\btable\b

Description: MySQL file disclosure “load data”

Tags:

  • sqli
  • mysql

Impact: 7

  • SQL injection / file disclosure [7]
  • Low risk of false-positives [0]

Resources:

Examples:

  • LOAD DATA INFILE 'foo' INTO TABLE bar

91

Regular Expression: \bselect\b.*?\binto\b.*?\b(out|dump)file\b

Description: MySQL file write “into outfile”

Tags:

  • sqli
  • mysql

Impact: 8

  • SQL injection / file write [8]
  • Low risk of false-positives [0]

Resources:

Examples:

  • SELECT 'foo' INTO OUTFILE 'bar'
  • SELECT 'foo' INTO DUMPFILE 'bar'

92

Regular Expression: \b(group_)?concat(_ws)?\b.*?\(.+?\)

Description: MySQL function “concat”

Tags:

  • sqli
  • mysql

Impact: 3

  • SQL injection [6]
  • Mediocre risk of false-positives [-3]

Resources:

Examples:

  • SELECT CONCAT(foo, ':', bar)
  • SELECT GROUP_CONCAT(foo)

93

Regular Expression: \binformation_schema\b

Description: MySQL information disclosure

Tags:

  • sqli
  • mysql

Impact: 7

  • SQL injection [6]
  • Low risk of false-positives [1]

Resources:

Examples:

  • SELECT schema_name FROM information_schema.schemata

94

Regular Expression: \bpg_sleep\b.*?\(.+?\)

Description: Blind PgSQL “pg_sleep”

Tags:

  • sqli
  • dos
  • pgsql

Impact: 6

  • SQL injection [6]
  • Low risk of false-positives [0]

Resources:

Examples:

  • SELECT pg_sleep(1.5)

95

Regular Expression: \bwaitfor\b.*?\b(delay|time(out)?)\b

Description: Blind TSQL “waitfor”

Tags:

  • sqli
  • dos
  • tsql

Impact: 4

  • SQL injection [6]
  • Mediocre risk of false-positives [-2]

Resources:

Examples:

  • WAITFOR { DELAY '1000' }
  • WAITFOR { TIME '1000' }

96

Regular Expression: \b(char_|bit_)?length\b.*?\(.+?\)

Description: Common SQL function “length”

Tags:

  • sqli

Impact: 2

  • SQL injection [6]
  • High risk of false-positives [-4]

Resources:

Examples:

  • SELECT LENGTH('foo')
  • SELECT CHAR_LENGTH('foo')
  • SELECT BIT_LENGTH('foo')

97

Regular Expression: \b(un)?hex\b.*?\(.+?\)

Description: Common SQL function “hex/unhex”

Tags:

  • sqli

Impact: 2

  • SQL injection [6]
  • High risk of false-positives [-4]

Resources:

Examples:

  • SELECT HEX('foo')
  • SELECT UNHEX('00')

98

Regular Expression: \b(from|to)_base64\b.*?\(.+?\)

Description: Common MySQL function “from_base64/to_base64”

Tags:

  • sqli

Impact: 4

  • SQL injection [6]
  • Low risk of false-positives [-2]

Resources:

Examples:

  • SELECT TO_BASE64('foo')
  • SELECT FROM_BASE64('foo')

99

Regular Expression: \bsubstr(ing(_index)?)?\b.*?\(.+?,.+?\)

Description: Common SQL function “substr”

Tags:

  • sqli

Impact: 3

  • SQL injection [6]
  • Mediocre risk of false-positives [-3]

Resources:

Examples:

  • SELECT SUBSTR('foo',1)
  • SELECT SUBSTRING('foo',1)
  • SELECT SUBSTRING_INDEX('foo',1)

100

Regular Expression: \b(current_)?user\b.*?\(.*?\)

Description: Common SQL function “user”

Tags:

  • sqli

Impact: 2

  • SQL injection / information disclosure [6]
  • High risk of false-positives [-4]

Examples:

  • SELECT user()
  • SELECT current_user()

101

Regular Expression: \bversion\b.*?\(.*?\)

Description: Common SQL function “version”

Tags:

  • sqli

Impact: 2

  • SQL injection / information disclosure [6]
  • High risk of false-positives [-4]

Examples:

  • SELECT version()

102

Regular Expression: @@.+?

Description: SQL system variable

Tags:

  • sqli

Impact: 1

  • SQL injection / information disclosure [6]
  • High risk of false-positives [-5]

Examples:

  • SELECT @@user

103

Regular Expression: \boct\b.*?\(.+?\)

Description: Common SQL function “oct”

Tags:

  • sqli

Impact: 2

  • SQL injection [6]
  • High risk of false-positives [-4]

Resources:

Examples:

  • SELECT OCT(12)

104

Regular Expression: \bord\b.*?\(.+?\)

Description: Common SQL function “ord”

Tags:

  • sqli

Impact: 2

  • SQL injection [6]
  • High risk of false-positives [-4]

Resources:

Examples:

  • SELECT ORD('2')

105

Regular Expression: \bascii\b.*?\(.+?\)

Description: Common SQL function “ascii”

Tags:

  • sqli

Impact: 2

  • SQL injection [6]
  • High risk of false-positives [-4]

Resources:

Examples:

  • SELECT ASCII('2')

106

Regular Expression: \bbin\b.*?\(.+?\)

Description: Common SQL function “bin”

Tags:

  • sqli

Impact: 2

  • SQL injection [6]
  • High risk of false-positives [-4]

Resources:

Examples:

  • SELECT BIN(12)

107

Regular Expression: \bcha?r\b.*?\(.+?\)

Description: Common SQL function “char”

Tags:

  • sqli

Impact: 2

  • SQL injection [6]
  • High risk of false-positives [-4]

Resources:

Examples:

  • SELECT CHAR(77,121,83,81,76)

108

Regular Expression: \bwhere\b.+?(\b(not_)?(like|regexp)\b|[=<>])

Description: Common SQL comparison “where”

Tags:

  • sqli

Impact: 2

  • SQL injection [6]
  • High risk of false-positives [-4]

Resources:

Examples:

  • SELECT foo FROM bar WHERE name LIKE '%admin%'

109

Regular Expression: \bif\b.*?\(.+?,.+?,.+?\)

Description: Common SQL comparison “if”

Tags:

  • sqli

Impact: 2

  • SQL injection [6]
  • High risk of false-positives [-4]

Resources:

Examples:

  • SELECT IF(1>2,2,3)

110

Regular Expression: \b(ifnull|nullif)\b.*?\(.+?,.+?\)

Description: Common SQL comparison “ifnull”

Tags:

  • sqli

Impact: 3

  • SQL injection [6]
  • Mediocre risk of false-positives [-3]

Resources:

Examples:

  • SELECT IFNULL(1,0)
  • SELECT NULLIF(1,1)

111

Regular Expression: \bwhere\b.+?(\b(n?and|x?or|not)\b|(\&\&|\|\|))

Description: Common SQL comparison “where”

Tags:

  • sqli

Impact: 3

  • SQL injection [7]
  • High risk of false-positives [-4]

Examples:

  • SELECT foo FROM bar WHERE id = 1 OR id = 2

112

Regular Expression: \bcase\b.+?\bwhen\b.+?\bend\b

Description: Common SQL comparison “case”

Tags:

  • sqli

Impact: 4

  • SQL injection [6]
  • Low risk of false-positives [-2]

Resources:

Examples:

  • CASE case_value WHEN when_value THEN statement_list END CASE

113

Regular Expression: \bexec\b.+?\bxp_cmdshell\b

Description: MSSQL code execution “xp_cmdshell”

Tags:

  • sqli
  • rce
  • mssql

Impact: 9

  • SQL injection / code execution [8]
  • Low risk of false-positives [1]

Examples:

  • exec master..xp_cmdshell 'echo foo'

114

Regular Expression: \bcreate\b.+?\b(procedure|function)\b.*?\(.*?\)

Description: Common SQL command “create”

Tags:

  • sqli

Impact: 4

  • SQL injection [7]
  • Mediocre risk of false-positives [-3]

Examples:

  • CREATE PROCEDURE foo()

115

Regular Expression: \binsert\b.+?\binto\b.*?\bvalues\b.*?\(.+?\)

Description: Common SQL command “insert”

Tags:

  • sqli

Impact: 5

  • SQL injection [7]
  • Mediocre risk of false-positives [-2]

Examples:

  • INSERT INTO table (col1,col2) VALUES('foo','bar')

116

Regular Expression: \bselect\b.+?\bfrom\b

Description: Common SQL command “select”

Tags:

  • sqli

Impact: 3

  • SQL injection [7]
  • High risk of false-positives [-4]

Examples:

  • SELECT foo FROM bar

117

Regular Expression: \bpg_user\b

Description: PgSQL information disclosure “pg_user”

Tags:

  • sqli
  • pgsql

Impact: 7

  • SQL injection [6]
  • Low risk of false-positives [1]

Examples:

  • SELECT * FROM pg_user

118

Regular Expression: \bpg_database\b

Description: PgSQL information disclosure “pg_database”

Tags:

  • sqli
  • pgsql

Impact: 7

  • SQL injection [6]
  • Low risk of false-positives [1]

Examples:

  • SELECT * FROM pg_database

119

Regular Expression: \bpg_shadow\b

Description: PgSQL information disclosure “pg_shadow”

Tags:

  • sqli
  • pgsql

Impact: 7

  • SQL injection [6]
  • Low risk of false-positives [1]

Examples:

  • SELECT * FROM pg_shadow

120

Regular Expression: \b(current_)?database\b.*?\(.*?\)

Description: Common SQL function “database”

Tags:

  • sqli

Impact: 2

  • SQL injection / information disclosure [6]
  • High risk of false-positives [-4]

Examples:

  • SELECT database()
  • SELECT current_database()
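As an added example (not the page's or Shadow Daemon's own code), the script below applies a handful of the rules above, copied with their list numbers, patterns and Impact values, to their own listed example inputs and to one harmless sentence, sums the Impact of every matching rule and compares the total with a threshold. The additive scoring model, the threshold value of 5 and the single URL-decode step before matching are assumptions of this example, not taken from the page.

```python
import re
from urllib.parse import unquote

# Subset of the rules in the list above: (list number, regex, Impact, description).
# Patterns run case-insensitively so the upper-case SQL examples still match.
RULES = [
    (1,   r"\(\)\s*\{.*?;\s*\}\s*;",                      9, "Shellshock (CVE-2014-6271)"),
    (18,  r"\.\.[\/\\]",                                  4, "Directory traversal"),
    (20,  r"%2e%2e[\/\\]",                                4, "Directory traversal urlencoding"),
    (23,  r"\/etc\/[.\/]*(passwd|shadow|master\.passwd)", 4, "Common Unix files"),
    (38,  r"\bunion\b.+?\bselect\b",                      3, "Common SQL command union select"),
    (42,  r"--.+?",                                       1, "Common SQL comment syntax"),
    (54,  r"\bon\w+\s*=",                                 3, "HTML event handler"),
    (93,  r"\binformation_schema\b",                      7, "MySQL information disclosure"),
    (116, r"\bselect\b.+?\bfrom\b",                       3, "Common SQL command select"),
]
COMPILED = [(num, re.compile(pat, re.I | re.S), impact, desc)
            for num, pat, impact, desc in RULES]


def normalise(value: str) -> str:
    """Assumed normalisation step: URL-decode once so rule 18 sees what rule 20
    had to match in encoded form. A WAF that skips this relies on rules 19-21."""
    return unquote(value)


def matching_rules(value: str, decode: bool = True) -> list:
    """Numbers of every rule whose regex matches anywhere in the value."""
    text = normalise(value) if decode else value
    return [num for num, rx, _, _ in COMPILED if rx.search(text)]


def total_impact(value: str, decode: bool = True) -> int:
    """Assumed scoring model: the Impact values of all matching rules are added."""
    impact_of = {num: impact for num, _, impact, _ in COMPILED}
    return sum(impact_of[num] for num in matching_rules(value, decode))


def classify(value: str, threshold: int = 5, decode: bool = True) -> bool:
    """True when the summed impact reaches the (assumed) threshold."""
    return total_impact(value, decode) >= threshold


# Constructed inputs: the list's own examples plus one harmless sentence that
# trips rule 116, the one the list marks "High risk of false-positives".
SAMPLES = [
    "env x='() { :;}; echo vulnerable' bash -c \"echo this is a test\"",
    "../../etc/passwd",
    "%2e%2e/%2e%2e/etc/passwd",
    "' UNION SELECT user()-- --",
    "SELECT schema_name FROM information_schema.schemata",
    '<img onerror="" />',
    "Please select the item from the menu",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        raw, decoded = matching_rules(sample, decode=False), matching_rules(sample)
        print(f"{sample!r}\n  raw={raw} decoded={decoded} "
              f"impact={total_impact(sample)} block={classify(sample)}")
```

The harmless sentence scores 3 from rule 116 alone, below the threshold, while the stacked traversal rules 18 and 23 reach 8; tuning the threshold against a corpus of real traffic is what keeps the high-false-positive rules usable.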

https://shadowd.zecure.org/documentation/blacklist/

https://github.com/zecure/shadowd