← Back to Explore
sigmahighHunting
SQL Injection Strings In URI
Detects potential SQL injection attempts via GET requests in access logs.
Detection Query
selection:
cs-method: GET
keywords:
- "@@version"
- "%271%27%3D%271"
- "=select "
- =select(
- =select%20
- concat_ws(
- CONCAT(0x
- from mysql.innodb_table_stats
- from%20mysql.innodb_table_stats
- group_concat(
- information_schema.tables
- json_arrayagg(
- or 1=1#
- or%201=1#
- "order by "
- order%20by%20
- "select * "
- select database()
- select version()
- select%20*%20
- select%20database()
- select%20version()
- select%28sleep%2810%29
- SELECTCHAR(
- table_schema
- UNION ALL SELECT
- UNION SELECT
- UNION%20ALL%20SELECT
- UNION%20SELECT
- "'1'='1"
filter_main_status:
sc-status: 404
condition: selection and keywords and not 1 of filter_main_*
Author
Saw Win Naung, Nasreddine Bencherchali (Nextron Systems), Thurein Oo (Yoma Bank)
Created
2020-02-22
Data Sources
webserver
References
- https://www.acunetix.com/blog/articles/exploiting-sql-injection-example/
- https://www.acunetix.com/blog/articles/using-logs-to-investigate-a-web-application-attack/
- https://brightsec.com/blog/sql-injection-payloads/
- https://github.com/payloadbox/sql-injection-payload-list
- https://book.hacktricks.xyz/pentesting-web/sql-injection/mysql-injection
Tags
attack.initial-accessattack.t1190
Raw Content
title: SQL Injection Strings In URI
id: 5513deaf-f49a-46c2-a6c8-3f111b5cb453
status: test
description: Detects potential SQL injection attempts via GET requests in access logs.
references:
- https://www.acunetix.com/blog/articles/exploiting-sql-injection-example/
- https://www.acunetix.com/blog/articles/using-logs-to-investigate-a-web-application-attack/
- https://brightsec.com/blog/sql-injection-payloads/
- https://github.com/payloadbox/sql-injection-payload-list
- https://book.hacktricks.xyz/pentesting-web/sql-injection/mysql-injection
author: Saw Win Naung, Nasreddine Bencherchali (Nextron Systems), Thurein Oo (Yoma Bank)
date: 2020-02-22
modified: 2023-09-04
tags:
- attack.initial-access
- attack.t1190
logsource:
category: webserver
detection:
selection:
cs-method: 'GET'
keywords:
- '@@version'
- '%271%27%3D%271'
- '=select '
- '=select('
- '=select%20'
- 'concat_ws('
- 'CONCAT(0x'
- 'from mysql.innodb_table_stats'
- 'from%20mysql.innodb_table_stats'
- 'group_concat('
- 'information_schema.tables'
- 'json_arrayagg('
- 'or 1=1#'
- 'or%201=1#'
- 'order by '
- 'order%20by%20'
- 'select * '
- 'select database()'
- 'select version()'
- 'select%20*%20'
- 'select%20database()'
- 'select%20version()'
- 'select%28sleep%2810%29'
- 'SELECTCHAR('
- 'table_schema'
- 'UNION ALL SELECT'
- 'UNION SELECT'
- 'UNION%20ALL%20SELECT'
- 'UNION%20SELECT'
- "'1'='1"
filter_main_status:
sc-status: 404
condition: selection and keywords and not 1 of filter_main_*
falsepositives:
- Java scripts and CSS Files
- User searches in search boxes of the respective website
- Internal vulnerability scanners can cause some serious FPs when used, if you experience a lot of FPs due to this think of adding more filters such as "User Agent" strings and more response codes
level: high