WAF Blacklist Rule Examples: Shadow Daemon
1
Regular Expression: \(\)\s*\{.*?;\s*\}\s*;
Description: Shellshock (CVE-2014-6271)
Tags:
- rce
- bash
Impact: 9
- Command execution [8]
- Low risk of false-positives [1]
Resources:
Examples:
- env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
2
Regular Expression: \(\)\s*\{.*?\(.*?\).*?=>.*?\\'
Description: Shellshock (CVE-2014-7169)
Tags:
- rce
- bash
Impact: 9
- Command execution [8]
- Low risk of false-positives [1]
Resources:
Examples:
- env X='() { (a)=>\' bash -c "echo date"; cat echo
3
Regular Expression: \{\{.*?\}\}
Description: Flask (Jinja2) template syntax
Tags:
- rce
- id
Impact: 4
- Command execution [6]
- Mediocre risk of false-positives [-2]
Resources:
Examples:
- {{foo.bar}}
4
Regular Expression: \bfind_in_set\b.*?\(.+?,.+?\)
Description: Common MySQL function “find_in_set”
Tags:
- sqli
- mysql
Impact: 6
- SQL injection [6]
- Low risk of false-positives [0]
Resources:
Examples:
- SELECT FIND_IN_SET('b','a,b,c,d')
5
Regular Expression: ["'].*?>
Description: HTML breaking
Tags:
- xss
Impact: 3
- Cross-site scripting [6]
- Mediocre risk of false-positives [-3]
Examples:
- ">
6
Regular Expression: \bsqlite_master\b
Description: SQLite information disclosure “sqlite_master”
Tags:
- sqli
- sqlite
Impact: 7
- SQL injection [6]
- Low risk of false-positives [1]
Examples:
- SELECT name FROM sqlite_master
7
Regular Expression: \bmysql.*?\..*?user\b
Description: MySQL information disclosure “mysql.user”
Tags:
- sqli
- mysql
Impact: 3
- SQL injection [6]
- Mediocre risk of false-positives [-3]
Examples:
- SELECT user FROM mysql.user
8
Regular Expression: #.+?\)["\s]*>
Description: HTML breaking
Tags:
- xss
Impact: 5
- Cross-site scripting [6]
- Low risk of false-positives [-1]
Examples:
- #foo)">
9
Regular Expression: ['"][,;\s]+\w*[\[\(]
Description: HTML breaking
Tags:
- xss
Impact: 3
- Cross-site scripting [6]
- Mediocre risk of false-positives [-3]
Examples:
- "; foo(
10
Regular Expression: >.*?<\s*\/?[\w\s]+>
Description: Unquoted HTML breaking with closing tag
Tags:
- xss
Impact: 3
- Cross-site scripting [6]
- Mediocre risk of false-positives [-3]
Examples:
- ></foo>
11
Regular Expression: \blocation\b.*?\..*?\bhash\b
Description: JavaScript “location.hash”
Tags:
- xss
Impact: 2
- Cross-site scripting [6]
- High risk of false-positives [-4]
Examples:
- location.hash.slice(1)
12
Regular Expression: \bwith\b\s*\(.+?\)[\s\w]+\(
Description: Self-contained payload
Tags:
- xss
Impact: 6
- Cross-site scripting [6]
- Low risk of false-positives [0]
Resources:
- https://security.stackexchange.com/questions/10006/how-bad-is-a-self-contained-xss-attack#10009
- https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Statements/With
Examples:
- with(location)with(hash)eval(substring(1))
13
Regular Expression: (\b(do|while|for)\b.*?\([^)]*\).*?\{)|(\}.*?\b(do|while|for)\b.*?\([^)]*\))
Description: C-style loops
Tags:
- rce
- xss
- dos
Impact: 4
- Common code pattern [6]
- Mediocre risk of false-positives [-2]
Examples:
- while (true) {fork();}
- {fork();} while (true);
14
Regular Expression: [=(].+?\?.+?:
Description: C-style ternary operator
Tags:
- rce
- xss
Impact: 2
- Common code pattern [6]
- High risk of false-positives [-4]
Examples:
- 1=1 ? true : false
15
Regular Expression: \\u00[a-f0-9]{2}
Description: Unicode entity
Tags:
- rce
- xss
Impact: 1
- Common code pattern [5]
- High risk of false-positives [-4]
Examples:
- \u00ff
16
Regular Expression: \\x0*[a-f0-9]{2}
Description: Hex entity
Tags:
- rce
- xss
Impact: 1
- Common code pattern [5]
- High risk of false-positives [-4]
Examples:
- \x0ff
17
Regular Expression: \\\d{2,3}
Description: Octal entity
Tags:
- rce
- xss
Impact: 1
- Common code pattern [5]
- High risk of false-positives [-4]
Examples:
- \01
18
Regular Expression: \.\.[\/\\]
Description: Directory traversal
Tags:
- lfi
Impact: 4
- Information disclosure / command execution [8]
- High risk of false-positives [-4]
Examples:
- ../../etc/passwd
19
Regular Expression: %(c0\.|af\.|5c\.)
Description: Directory traversal unicode + urlencoding
Tags:
- lfi
Impact: 4
- Information disclosure / command execution [8]
- High risk of false-positives [-4]
Resources:
Examples:
- %c0.
- %af.
- %5c.
20
Regular Expression: %2e%2e[\/\\]
Description: Directory traversal urlencoding
Tags:
- lfi
Impact: 4
- Information disclosure / command execution [8]
- High risk of false-positives [-4]
Examples:
- %2e%2e/%2e%2e/etc/passwd
21
Regular Expression: %c0%ae[\/\\]
Description: Directory traversal unicode + urlencoding
Tags:
- lfi
Impact: 4
- Information disclosure / command execution [8]
- High risk of false-positives [-4]
Resources:
Examples:
- %c0%ae/%c0%ae/etc/passwd
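Filters 18 to 21 each match one spelling of `../`: the literal form, percent-encoded byte forms, and the overlong UTF-8 `%c0%ae`. As an added example (not part of the Shadow Daemon rule set, and using Python's `re` rather than the daemon's own engine), the script below runs the four filters over a few constructed parameter values, first on the raw value and then after a normalisation step that percent-decodes until the value stops changing and folds the overlong UTF-8 forms of `.`, `/` and `\` to their ASCII bytes. Whether a deployment matches against raw or decoded input depends on the connector and is an assumption here; the check shows that the fully encoded `%2e%2e%2f` and the double-encoded `%252e%252e%252f` fire none of the four raw patterns but fire filter 18 once decoded.

```python
import re
from urllib.parse import unquote_to_bytes

# Filters 18-21 from the list above, compiled with Python's re.
# Assumption: case-insensitive matching, so %2E and %2e are treated alike.
TRAVERSAL_FILTERS = {
    18: re.compile(r"\.\.[\/\\]", re.I),
    19: re.compile(r"%(c0\.|af\.|5c\.)", re.I),
    20: re.compile(r"%2e%2e[\/\\]", re.I),
    21: re.compile(r"%c0%ae[\/\\]", re.I),
}

# Overlong UTF-8 sequences that lenient decoders accept for '.', '/' and '\'
# (constructed, deliberately short list; a production normaliser needs the full set).
OVERLONG_UTF8 = {
    b"\xc0\xae": b".",
    b"\xc0\xaf": b"/",
    b"\xc1\x9c": b"\\",
}


def normalize(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until the value stops changing, then fold overlong UTF-8 forms.

    Decoding to a fixpoint is what defeats double encoding; the round limit bounds
    the work an attacker can force. The bytes are decoded as latin-1 so every byte
    survives as one character and the regexes see what the file system would see.
    """
    data = value.encode("utf-8")
    for _ in range(max_rounds):
        decoded = unquote_to_bytes(data)
        if decoded == data:
            break
        data = decoded
    for overlong, plain in OVERLONG_UTF8.items():
        data = data.replace(overlong, plain)
    return data.decode("latin-1")


def matching_filters(value: str) -> list[int]:
    """Numbers of the traversal filters that fire on `value` exactly as given."""
    return [number for number, rx in TRAVERSAL_FILTERS.items() if rx.search(value)]


def check(value: str) -> dict:
    """Filters hit before and after normalisation, for one parameter value."""
    return {"raw": matching_filters(value), "normalized": matching_filters(normalize(value))}


if __name__ == "__main__":
    # Constructed sample values, one per encoding trick.
    for sample in [
        "../../etc/passwd",                # plain
        "%2e%2e/%2e%2e/etc/passwd",        # dots encoded, slash literal (filter 20's own example)
        "%2e%2e%2f%2e%2e%2fetc%2fpasswd",  # everything encoded: no raw filter fires
        "%252e%252e%252fetc%252fpasswd",   # double encoded: no raw filter fires
        "%c0%ae%c0%ae/etc/passwd",         # overlong UTF-8 (filter 21's own example)
    ]:
        print(f"{sample:36} {check(sample)}")
```

Decode-to-fixpoint is the right model of what the application and the file system will eventually see, but it over-decodes a legitimate value that contains a literal `%25`; apply it to a copy used only for matching, keep the round limit, and treat the overlong table as a minimum rather than a complete list.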
22
Regular Expression: \.(ht(access|passwd|group))|(apache|httpd)\d?\.conf
Description: Common Apache files
Tags:
- lfi
Impact: 4
- Information disclosure [6]
- Mediocre risk of false-positives [-2]
Examples:
- ../.htaccess
- /etc/apache/httpd.conf
- /etc/apache2/apache2.conf
23
Regular Expression: \/etc\/[.\/]*(passwd|shadow|master\.passwd)
Description: Common Unix files
Tags:
- lfi
- unix
Impact: 4
- Information disclosure [6]
- Mediocre risk of false-positives [-2]
Examples:
- /etc/shadow
- /etc/./passwd
24
Regular Expression: \bdata:.*?,
Description: Data URI scheme
Tags:
- xss
Impact: 2
- Cross-site scripting [6]
- High risk of false-positives [-4]
Resources:
Examples:
- 
25
Regular Expression: ;base64|base64,
Description: Data URI scheme “base64”
Tags:
- xss
Impact: 2
- Cross-site scripting [6]
- High risk of false-positives [-4]
Resources:
Examples:
- 
26
Regular Expression: php:\/\/filter
Description: PHP input/output stream filter
Tags:
- lfi
- rce
- php
Impact: 6
- Obfuscation / file disclosure [6]
- Low risk of false-positives [0]
Resources:
Examples:
- php://filter/convert.base64-encode/resource=config.php
27
Regular Expression: php:\/\/input
Description: PHP input stream
Tags:
- rce
- php
Impact: 6
- Obfuscation [6]
- Low risk of false-positives [0]
Resources:
Examples:
- include('php://input');
28
Regular Expression: php:\/\/output
Description: PHP output stream
Tags:
- xss
- php
Impact: 6
- Cross-site scripting [6]
- Low risk of false-positives [0]
Resources:
Examples:
- file_put_contents('php://output', 'foo');
29
Regular Expression: convert\.base64-(de|en)code
Description: PHP input/output stream filter “base64”
Tags:
- lfi
- rce
- php
Impact: 6
- Obfuscation / file disclosure [6]
- Low risk of false-positives [0]
Resources:
Examples:
- php://filter/convert.base64-encode/resource=config.php
30
Regular Expression: zlib\.(de|in)flate
Description: PHP input/output stream filter “zlib”
Tags:
- lfi
- rce
- php
Impact: 6
- Obfuscation / file disclosure [6]
- Low risk of false-positives [0]
Resources:
Examples:
- php://filter/zlib.deflate/resource=config.php
31
Regular Expression: @import\b
Description: CSS “import”
Tags:
- xss
- css
Impact: 3
- Obfuscation [6]
- Mediocre risk of false-positives [-3]
Resources:
Examples:
- @import url(http://foo/bar);
32
Regular Expression: \burl\s*\(.+?\)
Description: CSS pointer to resource
Tags:
- xss
- rfi
- css
Impact: 2
- Obfuscation [6]
- High risk of false-positives [-4]
Resources:
Examples:
- @import url(http://foo/bar);
33
Regular Expression: \/\/.+?\/
Description: URL
Tags:
- rfi
Impact: 1
- Obfuscation [6]
- Very high risk of false-positives [-5]
Examples:
- http://foobar.org/
34
Regular Expression: \)\s*\[
Description: JavaScript language construct
Tags:
- xss
Impact: 2
- Cross-site scripting [6]
- High risk of false-positives [-4]
Examples:
- ) [
35
Regular Expression: <\?(?!xml\s)
Description: PHP opening tag
Tags:
- rce
- php
Impact: 3
- Command execution [8]
- High risk of false-positives [-5]
Examples:
- <?php
- <?
36
Regular Expression: %(HOME(DRIVE|PATH)|SYSTEM(DRIVE|ROOT)|WINDIR|USER(DOMAIN|PROFILE|NAME)|((LOCAL)?APP|PROGRAM)DATA)%
Description: Common Windows environment variable
Tags:
- lfi
- win
Impact: 2
- File disclosure [5]
- Mediocre risk of false-positives [-3]
Resources:
Examples:
- %WINDIR%\\cmd.exe
37
Regular Expression: %\w+%
Description: Windows environment variable pattern
Tags:
- lfi
- win
Impact: 1
- File disclosure [5]
- High risk of false-positives [-3]
- Overlaps with 36 [-1]
Examples:
- %FOO%
38
Regular Expression: \bunion\b.+?\bselect\b
Description: Common SQL command “union select”
Tags:
- sqli
Impact: 3
- SQL injection [7]
- High risk of false-positives [-4]
Examples:
- ' UNION SELECT user()-- --
39
Regular Expression: \bupdate\b.+?\bset\b
Description: Common SQL command “update”
Tags:
- sqli
Impact: 3
- SQL injection [7]
- High risk of false-positives [-4]
Examples:
- UPDATE users SET permissions='admin'
40
Regular Expression: \bdrop\b.+?\b(database|table)\b
Description: Common SQL command “drop”
Tags:
- sqli
Impact: 3
- SQL injection [7]
- High risk of false-positives [-4]
Examples:
- DROP TABLE users
- DROP DATABASE blog
41
Regular Expression: \bdelete\b.+?\bfrom\b
Description: Common SQL command “delete”
Tags:
- sqli
Impact: 3
- SQL injection [7]
- High risk of false-positives [-4]
Examples:
- DELETE FROM users
42
Regular Expression: --.+?
Description: Common SQL comment syntax
Tags:
- sqli
Impact: 1
- SQL injection [6]
- Very high risk of false-positives [-5]
Examples:
- ' OR 1-- --
43
Regular Expression: \[\$(ne|eq|lte?|gte?|n?in|mod|all|size|exists|type|slice|or)\]
Description: MongoDB SQL commands
Tags:
- sqli
- mongo
Impact: 5
- SQL injection [6]
- Low risk of false-positives [-1]
Examples:
- [$ne]
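Filter 43 only sees the bracketed form `field[$op]=...`, which PHP's `$_GET`/`$_POST` (and Express with its `qs` parser) turn into a nested array or object that is then handed to MongoDB as a query operator. As an added example that is not part of the Shadow Daemon rule set, the Python below models that parsing, runs filter 43 against constructed request data, and contrasts it with the application-side check that rejects any key beginning with `$`. Whether the WAF matches the raw query string or the already-decoded parameters depends on the connector and is an assumption here; the `login_filter` functions are constructed stand-ins for a real MongoDB query.

```python
import json
import re
from urllib.parse import parse_qsl

# Filter 43 from the list above, compiled with Python's re.
# Assumption: case-insensitive matching, as the upper-case SQL examples elsewhere imply.
RULE_43 = re.compile(r"\[\$(ne|eq|lte?|gte?|n?in|mod|all|size|exists|type|slice|or)\]", re.I)


def php_style_parse(query: str) -> dict:
    """Turn 'user[$ne]=1&pw=x' into {'user': {'$ne': '1'}, 'pw': 'x'}.

    Simplified model of how PHP ($_GET/$_POST) and Express (qs) build nested
    values from bracketed keys: one bracket level, no '[]' appends.
    parse_qsl percent-decodes the keys too, so 'user%5B%24ne%5D' ends up
    as the same nested dict.
    """
    result: dict = {}
    for key, value in parse_qsl(query, keep_blank_values=True):
        m = re.fullmatch(r"(\w+)\[([^\]]*)\]", key)
        if m:
            result.setdefault(m.group(1), {})[m.group(2)] = value
        else:
            result[key] = value
    return result


def has_operator(value) -> bool:
    """Application-side check: does any dict key, at any depth, start with '$'?"""
    if isinstance(value, dict):
        return any(k.startswith("$") or has_operator(v) for k, v in value.items())
    if isinstance(value, list):
        return any(has_operator(v) for v in value)
    return False


def login_filter(params: dict) -> dict:
    """Vulnerable pattern (constructed): parsed input goes straight into the MongoDB query document."""
    return {"username": params.get("username"), "password": params.get("password")}


def login_filter_safe(params: dict) -> dict:
    """Hardened: only plain strings may reach the query, so no operator object can be smuggled in."""
    username, password = params.get("username"), params.get("password")
    if not isinstance(username, str) or not isinstance(password, str):
        raise ValueError("credentials must be plain strings")
    return {"username": username, "password": password}


def rejected_by_safe_filter(params: dict) -> bool:
    """True if the hardened query builder refuses these parameters."""
    try:
        login_filter_safe(params)
    except ValueError:
        return True
    return False


def check_request(raw: str, json_body: bool = False) -> dict:
    """What the regex filter sees on the raw request versus what the type check sees after parsing."""
    parsed = json.loads(raw) if json_body else php_style_parse(raw)
    return {"waf": RULE_43.search(raw) is not None, "app": has_operator(parsed)}


if __name__ == "__main__":
    # Constructed requests: plain query string, percent-encoded query string, JSON body, honest login.
    for raw, is_json in [
        ("username[$ne]=1&password[$ne]=1", False),
        ("username%5B%24ne%5D=1&password%5B%24ne%5D=1", False),
        ('{"username": {"$ne": 1}, "password": {"$ne": 1}}', True),
        ("username=alice&password=s3cret", False),
    ]:
        parsed = json.loads(raw) if is_json else php_style_parse(raw)
        print(raw, check_request(raw, is_json), login_filter(parsed))
```

The regex fires on the plain query-string form but not on the same request with `[$ne]` percent-encoded, nor on a JSON body, while the type check catches all three: the blacklist buys detection, the type check is the fix.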
44
Regular Expression: \$\(.+?\)
Description: jQuery selector
Tags:
- xss
Impact: 2
- Cross-site scripting [6]
- High risk of false-positives [-4]
Examples:
- $('#login')
45
Regular Expression: \/\*.*?\*\/
Description: C-style comment syntax
Tags:
- sqli
Impact: 3
- SQL injection [6]
- Mediocre risk of false-positives [-3]
Examples:
- /**/
46
Regular Expression: <!-.+?-->
Description: XML comment syntax
Tags:
- xss
- xxe
Impact: 3
- Cross-site scripting [6]
- Mediocre risk of false-positives [-3]
Examples:
- <!- -->
47
Regular Expression: <base\b.+?\bhref\b.+?>
Description: Base URL
Tags:
- xss
Impact: 6
- Cross-site scripting [6]
- Low risk of false-positives [0]
Resources:
Examples:
- <base href="http://foo/">
48
Regular Expression: <!(element|entity|\[CDATA)
Description: XML entity injections
Tags:
- xss
- xxe
Impact: 6
- File disclosure [6]
- Low risk of false-positives [0]
Examples:
- <![CDATA[<]]>script<![CDATA[>]]>
- <!ENTITY xxe SYSTEM "file:///dev/random" >]>
49
Regular Expression: <(applet|object|embed|audio|video|img|svg)
Description: Common JavaScript injection points (media)
Tags:
- xss
Impact: 2
- Cross-site scripting [6]
- High risk of false-positives [-4]
Examples:
- <img onerror="" />
50
Regular Expression: <a\b.+?\bhref\b
Description: Common JavaScript injection points (links)
Tags:
- xss
Impact: 2
- Cross-site scripting [6]
- High risk of false-positives [-4]
Examples:
- <a href=""></a>
51
Regular Expression: <(form|button|input|keygen|textarea|select|option)
Description: Common JavaScript injection points (forms)
Tags:
- xss
Impact: 4
- Cross-site scripting [6]
- Mediocre risk of false-positives [-2]
Examples:
- <form></form>
52
Regular Expression: <(html|body|meta|link|i?frame|script|map)
Description: Common JavaScript injection points
Tags:
- xss
Impact: 4
- Cross-site scripting [6]
- Mediocre risk of false-positives [-2]
Examples:
- <script></script>
53
Regular Expression: (?<!\w)(boot\.ini|global\.asa|sam)\b
Description: Common Windows files
Tags:
- lfi
- win
Impact: 4
- Information disclosure [6]
- Mediocre risk of false-positives [-2]
Examples:
- C:\boot.ini
54
Regular Expression: \bon\w+\s*=
Description: HTML event handler
Tags:
- xss
Impact: 3
- Cross-site scripting [6]
- Mediocre risk of false-positives [-3]
Examples:
- <img onerror="" />
55
Regular Expression: \b(chrome|file):\/\/
Description: Local file inclusion
Tags:
- xss
- lfi
Impact: 3
- Information disclosure [6]
- Mediocre risk of false-positives [-3]
Examples:
- file:///etc/passwd
56
Regular Expression: &#?(\w+);
Description: HTML escaped character
Tags:
- xss
Impact: 2
- Cross-site scripting [6]
- High risk of false-positives [-4]
Examples:
- &amp;
57
Regular Expression: ^(\s*)\||\|(\s*)$
Description: Perl command injection
Tags:
- rce
- perl
Impact: 5
- Command injection [8]
- Mediocre risk of false-positives [-3]
Examples:
- |id
- id|
58
Regular Expression: <!--\W*?#\W*?(cmd|echo|exec|include|printenv)\b
Description: Apache server-side include
Tags:
- rce
- xss
- lfi
Impact: 6
- Command injection / file disclosure [8]
- Low risk of false-positives [-2]
Examples:
- <!--#include
59
Regular Expression: \{\s*\w+\s*:\s*[+-]?\s*\d+\s*:.*?\}
Description: Serialized PHP objects
Tags:
- php
Impact: 5
- Everything is possible [8]
- Mediocre risk of false-positives [-3]
Examples:
- O:3:"foo":1:{s:6:"foobar";s:3:"quz";}
60
Regular Expression: [\n\r]\s*\b(?:to|b?cc)\b\s*:.*?\@
Description: Email injection
Tags:
- spam
Impact: 5
- Spam [4]
- Low risk of false-positives [1]
Examples:
- \nto: foo@bar.de
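Filter 60 targets CRLF injection into mail headers built from form fields. As an added example that is not part of the Shadow Daemon rule set, the Python below shows a naive message builder that interpolates a subject field into a header line, a hardened builder that refuses CR, LF and NUL in header values, and a small header parser so the effect of the injection is visible. It also shows the filter's blind spot: it only names `To`, `Cc` and `Bcc`, so an injected `Reply-To:` passes the regex while still ending up as a header. The addresses and the message layout are constructed.

```python
import re

# Filter 60 from the list above, compiled with Python's re.
# Assumption: case-insensitive matching, so "bcc:" and "BCC:" are treated alike.
RULE_60 = re.compile(r"[\n\r]\s*\b(?:to|b?cc)\b\s*:.*?\@", re.I)

SENDER = "form@example.org"  # constructed


def build_message(sender: str, subject: str, body: str) -> str:
    """Vulnerable pattern: form fields interpolated into header lines unchanged,
    so a CR/LF inside `subject` starts a new header that the MTA will honour."""
    return f"From: {sender}\r\nSubject: {subject}\r\n\r\n{body}"


def header_value(value: str) -> str:
    """Hardened: a header value may never contain CR, LF or NUL. Reject rather than
    strip, so the caller learns that the input was hostile."""
    if re.search(r"[\r\n\x00]", value):
        raise ValueError("line break in header value")
    return value


def build_message_safe(sender: str, subject: str, body: str) -> str:
    return f"From: {header_value(sender)}\r\nSubject: {header_value(subject)}\r\n\r\n{body}"


def header_names(raw_message: str) -> list[str]:
    """Lower-cased names of the header lines a mail server would see (simplified: no folding)."""
    head = raw_message.split("\r\n\r\n", 1)[0]
    return [line.split(":", 1)[0].strip().lower()
            for line in re.split(r"\r\n|\n|\r", head) if ":" in line]


def assess(subject: str) -> dict:
    """For one subject value: does filter 60 fire, and which headers does the naive builder emit?"""
    return {"waf": RULE_60.search(subject) is not None,
            "headers": header_names(build_message(SENDER, subject, "hello"))}


def rejected(subject: str) -> bool:
    """True if the hardened builder refuses this subject."""
    try:
        build_message_safe(SENDER, subject, "hello")
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed subject values: one the filter catches, one it misses, one harmless.
    for subject in ["Hello\nBcc: victim@example.org",
                    "Hello\r\nReply-To: attacker@example.org",
                    "Re: your order"]:
        print(repr(subject), assess(subject), "rejected:", rejected(subject))
```

The regex is a useful tripwire for the classic `Bcc:` spam relay, but any header can be injected this way, so the application-side rule has to be the general one: no line breaks in anything that becomes a header.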
61
Regular Expression: \bcall_user_func\b.*?\(.+?\)
Description: Critical PHP function “call_user_func”
Tags:
- rce
- php
Impact: 7
- Command execution [8]
- Low risk of false-positives [-1]
Resources:
Examples:
- call_user_func('foo', $a);
62
Regular Expression: \bcreate_function\b.*?\(.+?\)
Description: Critical PHP function “create_function”
Tags:
- rce
- php
Impact: 7
- Command execution [8]
- Low risk of false-positives [-1]
Resources:
Examples:
- create_function('$a', 'return $a;');
63
Regular Expression: \beval\b.*?(\(.+?\)|\{.+?\})
Description: Critical function “eval”
Tags:
- rce
- php
- perl
Impact: 4
- Command execution [8]
- High risk of false-positives [-4]
Resources:
Examples:
- eval('foo');
- eval { foo(); }
64
Regular Expression: \bexec\b.*?\(.+?\)
Description: Critical PHP function “exec”
Tags:
- rce
- php
Impact: 4
- Command execution [8]
- High risk of false-positives [-4]
Resources:
Examples:
- exec('cat /etc/passwd');
65
Regular Expression: \bf(get|open|read|write)\b.*?\(.+?\)
Description: Critical PHP function “fopen/fget/fread/fwrite”
Tags:
- rce
- lfi
- php
Impact: 5
- Command execution / file disclosure [8]
- Mediocre risk of false-positives [-3]
Resources:
Examples:
- fopen('/etc/passwd', 'r');
66
Regular Expression: \bfile_(get|put)_contents\b.*?\(.+?\)
Description: Critical PHP function “file_get_contents/file_put_contents”
Tags:
- rce
- lfi
- php
Impact: 7
- Command execution / file disclosure [8]
- Low risk of false-positives [-1]
Resources:
- https://secure.php.net/manual/function.file-get-contents.php
- https://secure.php.net/manual/function.file-put-contents.php
Examples:
- file_get_contents('/etc/passwd');
- file_put_contents('/etc/passwd', 'foo');
67
Regular Expression: \bmove_uploaded_file\b.*?\(.+?\)
Description: Critical PHP function “move_uploaded_file”
Tags:
- rce
- php
Impact: 7
- Command execution [8]
- Low risk of false-positives [-1]
Resources:
Examples:
- move_uploaded_file($tmp_name, $name);
68
Regular Expression: \bpassthru\b.*?\(.+?\)
Description: Critical PHP function “passthru”
Tags:
- rce
- php
Impact: 7
- Command execution [8]
- Low risk of false-positives [-1]
Resources:
Examples:
- passthru('cat /etc/passwd');
69
Regular Expression: \bp(roc_)?open\b.*?\(.+?\)
Description: Critical PHP function “popen/proc_open”
Tags:
- rce
- php
Impact: 6
- Command execution [8]
- Mediocre risk of false-positives [-2]
Resources:
Examples:
- proc_open('cat', $descriptorspec, $pipes, $cwd, $env);
70
Regular Expression: \breadfile\b.*?\(.+?\)
Description: Critical PHP function “readfile”
Tags:
- lfi
- php
Impact: 5
- File disclosure [7]
- Mediocre risk of false-positives [-2]
Resources:
Examples:
- readfile('/etc/passwd');
71
Regular Expression: \bshell_exec\b.*?\(.+?\)
Description: Critical PHP function “shell_exec”
Tags:
- rce
- php
Impact: 7
- Command execution [8]
- Low risk of false-positives [-1]
Resources:
Examples:
- shell_exec('cat /etc/passwd');
72
Regular Expression: \bsystem\b.*?\(.+?\)
Description: Critical PHP function “system”
Tags:
- rce
- php
Impact: 5
- Command execution [8]
- Mediocre risk of false-positives [-3]
Resources:
Examples:
- system('cat /etc/passwd');
73
Regular Expression: \bpreg_(replace|match)\b.*?\(.+?\)
Description: Critical PHP function “preg_match/preg_replace”
Tags:
- rce
- php
Impact: 7
- Command execution [8]
- Low risk of false-positives [-1]
Resources:
- https://secure.php.net/manual/function.preg-replace.php
- https://secure.php.net/manual/function.preg-match.php
Examples:
- preg_replace('//e', 'phpinfo()', $x);
74
Regular Expression: \binclude(_once)?\b.*?;
Description: Critical PHP function “include”
Tags:
- rce
- lfi
- php
Impact: 4
- Command execution [8]
- High risk of false-positives [-4]
Examples:
- include('/etc/passwd');
- include_once '/etc/passwd';
75
Regular Expression: \brequire(_once)?\b.*?;
Description: Critical PHP function “require”
Tags:
- rce
- lfi
- php
Impact: 4
- Command execution [8]
- High risk of false-positives [-4]
Examples:
- require('/etc/passwd');
- require_once '/etc/passwd';
76
Regular Expression: \{\s*\$\s*\{.+?\}\s*\}
Description: PHP complex curly syntax
Tags:
- rce
- php
Impact: 8
- Command execution / information disclosure [8]
- Low risk of false-positives [0]
Resources:
Examples:
- {${phpinfo()}}
77
Regular Expression: @(cc_on|set)\b
Description: JScript conditional compilation token (Internet Explorer)
Tags:
- xss
Impact: 3
- Command execution [6]
- Mediocre risk of false-positives [-3]
Resources:
Examples:
- @cc_on
78
Regular Expression: \bfirefoxurl\s*:
Description: Firefox “firefoxurl” URI handler
Tags:
- xss
Impact: 3
- Cache poisoning [6]
- Mediocre risk of false-positives [-3]
Resources:
Examples:
- firefoxurl://
79
Regular Expression: \bwyciwyg\s*:
Description: Firefox “wyciwyg” URI handler
Tags:
- xss
Impact: 3
- Cache poisoning [6]
- Mediocre risk of false-positives [-3]
Resources:
Examples:
- wyciwyg://
80
Regular Expression: \bdocument\b.*?\.
Description: JavaScript attribute “document”
Tags:
- xss
Impact: 2
- Cross-site scripting [6]
- High risk of false-positives [-4]
Resources:
Examples:
- document.cookie
81
Regular Expression: \bwindow\b.*?\.
Description: JavaScript attribute “window”
Tags:
- xss
Impact: 2
- Cross-site scripting [6]
- High risk of false-positives [-4]
Resources:
Examples:
- window.content
82
Regular Expression: =\s*\w+\s*\+\s*['"]
Description: Common concatenation pattern
Tags:
- xss
Impact: 1
- Cross-site scripting [6]
- High risk of false-positives [-5]
Examples:
- = foo + '
83
Regular Expression: \+=\s*\(\s*['"]
Description: Common concatenation pattern
Tags:
- xss
Impact: 1
- Cross-site scripting [6]
- High risk of false-positives [-5]
Examples:
- += ('
84
Regular Expression: ['"]\s*\+\s*['"]
Description: Common concatenation pattern
Tags:
- xss
Impact: 1
- Cross-site scripting [6]
- High risk of false-positives [-5]
Examples:
- ' + '
85
Regular Expression: \|\(\w+=
Description: LDAP
Tags:
- ldap
Impact: 3
- Information disclosure [6]
- Mediocre risk of false-positives [-3]
Resources:
Examples:
- |(foo=
86
Regular Expression: \bfunction\b[^(]*\([^)]*\)
Description: Common function declaration
Tags:
- xss
- rce
Impact: 3
- Common code pattern [6]
- Mediocre risk of false-positives [-3]
Examples:
- function foo() {}
87
Regular Expression: \bbenchmark\b.*?\(.+?,.+?\)
Description: Blind MySQL “benchmark”
Tags:
- sqli
- mysql
Impact: 6
- SQL injection [6]
- Low risk of false-positives [0]
Resources:
Examples:
- SELECT BENCHMARK(1000000,ENCODE('hello','goodbye'))
88
Regular Expression: \bsleep\b.*?\(.+?\)
Description: Blind SQL “sleep”
Tags:
- sqli
- dos
Impact: 2
- SQL injection [6]
- High risk of false-positives [-4]
Resources:
Examples:
- SELECT SLEEP(1000)
89
Regular Expression: \bload_file\b.*?\(.+?\)
Description: MySQL file disclosure “load_file”
Tags:
- sqli
- mysql
Impact: 7
- SQL injection / file disclosure [7]
- Low risk of false-positives [0]
Resources:
Examples:
- SELECT LOAD_FILE('/etc/passwd')
90
Regular Expression: \bload\b.*?\bdata\b.*?\binfile\b.*?\binto\b.*?\btable\b
Description: MySQL file disclosure “load data”
Tags:
- sqli
- mysql
Impact: 7
- SQL injection / file disclosure [7]
- Low risk of false-positives [0]
Resources:
Examples:
- LOAD DATA INFILE 'foo' INTO TABLE bar
91
Regular Expression: \bselect\b.*?\binto\b.*?\b(out|dump)file\b
Description: MySQL file write “into outfile”
Tags:
- sqli
- mysql
Impact: 8
- SQL injection / file write [8]
- Low risk of false-positives [0]
Resources:
Examples:
- SELECT 'foo' INTO OUTFILE 'bar'
- SELECT 'foo' INTO DUMPFILE 'bar'
92
Regular Expression: \b(group_)?concat(_ws)?\b.*?\(.+?\)
Description: MySQL function “concat”
Tags:
- sqli
- mysql
Impact: 3
- SQL injection [6]
- Mediocre risk of false-positives [-3]
Resources:
Examples:
- SELECT CONCAT(foo, ':', bar)
- SELECT GROUP_CONCAT(foo)
93
Regular Expression: \binformation_schema\b
Description: MySQL information disclosure
Tags:
- sqli
- mysql
Impact: 7
- SQL injection [6]
- Low risk of false-positives [1]
Resources:
Examples:
- SELECT schema_name FROM information_schema.schemata
94
Regular Expression: \bpg_sleep\b.*?\(.+?\)
Description: Blind PgSQL “pg_sleep”
Tags:
- sqli
- dos
- pgsql
Impact: 6
- SQL injection [6]
- Low risk of false-positives [0]
Resources:
Examples:
- SELECT pg_sleep(1.5)
95
Regular Expression: \bwaitfor\b.*?\b(delay|time(out)?)\b
Description: Blind TSQL “waitfor”
Tags:
- sqli
- dos
- tsql
Impact: 4
- SQL injection [6]
- Mediocre risk of false-positives [-2]
Resources:
Examples:
- WAITFOR DELAY '00:00:10'
- WAITFOR TIME '22:20'
96
Regular Expression: \b(char_|bit_)?length\b.*?\(.+?\)
Description: Common SQL function “length”
Tags:
- sqli
Impact: 2
- SQL injection [6]
- High risk of false-positives [-4]
Resources:
- https://dev.mysql.com/doc/refman/5.7/en/string-functions.html#function_length
- https://dev.mysql.com/doc/refman/5.7/en/string-functions.html#function_bit-length
Examples:
- SELECT LENGTH('foo')
- SELECT CHAR_LENGTH('foo')
- SELECT BIT_LENGTH('foo')
97
Regular Expression: \b(un)?hex\b.*?\(.+?\)
Description: Common SQL function “hex/unhex”
Tags:
- sqli
Impact: 2
- SQL injection [6]
- High risk of false-positives [-4]
Resources:
- https://dev.mysql.com/doc/refman/5.7/en/string-functions.html#function_hex
- https://dev.mysql.com/doc/refman/5.7/en/string-functions.html#function_unhex
Examples:
- SELECT HEX('foo')
- SELECT UNHEX('00')
98
Regular Expression: \b(from|to)_base64\b.*?\(.+?\)
Description: Common MySQL function “from_base64/to_base64”
Tags:
- sqli
Impact: 4
- SQL injection [6]
- Low risk of false-positives [-2]
Resources:
- https://dev.mysql.com/doc/refman/5.7/en/string-functions.html#function_from-base64
- https://dev.mysql.com/doc/refman/5.7/en/string-functions.html#function_to-base64
Examples:
- SELECT TO_BASE64('foo')
- SELECT FROM_BASE64('foo')
99
Regular Expression: \bsubstr(ing(_index)?)?\b.*?\(.+?,.+?\)
Description: Common SQL function “substr”
Tags:
- sqli
Impact: 3
- SQL injection [6]
- Mediocre risk of false-positives [-3]
Resources:
Examples:
- SELECT SUBSTR('foo',1)
- SELECT SUBSTRING('foo',1)
- SELECT SUBSTRING_INDEX('www.example.com','.',2)
100
Regular Expression: \b(current_)?user\b.*?\(.*?\)
Description: Common SQL function “user”
Tags:
- sqli
Impact: 2
- SQL injection / information disclosure [6]
- High risk of false-positives [-4]
Examples:
- SELECT user()
- SELECT current_user()
101
Regular Expression: \bversion\b.*?\(.*?\)
Description: Common SQL function “version”
Tags:
- sqli
Impact: 2
- SQL injection / information disclosure [6]
- High risk of false-positives [-4]
Examples:
- SELECT version()
102
Regular Expression: @@.+?
Description: SQL system variable
Tags:
- sqli
Impact: 1
- SQL injection / information disclosure [6]
- High risk of false-positives [-5]
Examples:
- SELECT @@version
103
Regular Expression: \boct\b.*?\(.+?\)
Description: Common SQL function “oct”
Tags:
- sqli
Impact: 2
- SQL injection [6]
- High risk of false-positives [-4]
Resources:
Examples:
- SELECT OCT(12)
104
Regular Expression: \bord\b.*?\(.+?\)
Description: Common SQL function “ord”
Tags:
- sqli
Impact: 2
- SQL injection [6]
- High risk of false-positives [-4]
Resources:
Examples:
- SELECT ORD('2')
105
Regular Expression: \bascii\b.*?\(.+?\)
Description: Common SQL function “ascii”
Tags:
- sqli
Impact: 2
- SQL injection [6]
- High risk of false-positives [-4]
Resources:
Examples:
- SELECT ASCII('2')
106
Regular Expression: \bbin\b.*?\(.+?\)
Description: Common SQL function “bin”
Tags:
- sqli
Impact: 2
- SQL injection [6]
- High risk of false-positives [-4]
Resources:
Examples:
- SELECT BIN(12)
107
Regular Expression: \bcha?r\b.*?\(.+?\)
Description: Common SQL function “char”
Tags:
- sqli
Impact: 2
- SQL injection [6]
- High risk of false-positives [-4]
Resources:
Examples:
- SELECT CHAR(77,121,83,81,76)
108
Regular Expression: \bwhere\b.+?(\b(not_)?(like|regexp)\b|[=<>])
Description: Common SQL comparison “where”
Tags:
- sqli
Impact: 2
- SQL injection [6]
- High risk of false-positives [-4]
Resources:
- https://dev.mysql.com/doc/refman/5.7/en/string-comparison-functions.html#operator_like
- https://dev.mysql.com/doc/refman/5.7/en/regexp.html#operator_regexp
Examples:
- SELECT foo FROM bar WHERE name LIKE '%admin%'
109
Regular Expression: \bif\b.*?\(.+?,.+?,.+?\)
Description: Common SQL comparison “if”
Tags:
- sqli
Impact: 2
- SQL injection [6]
- High risk of false-positives [-4]
Resources:
Examples:
- SELECT IF(1>2,2,3)
110
Regular Expression: \b(ifnull|nullif)\b.*?\(.+?,.+?\)
Description: Common SQL comparison “ifnull”
Tags:
- sqli
Impact: 3
- SQL injection [6]
- Mediocre risk of false-positives [-3]
Resources:
- https://dev.mysql.com/doc/refman/5.7/en/control-flow-functions.html#function_ifnull
- https://dev.mysql.com/doc/refman/5.7/en/control-flow-functions.html#function_nullif
Examples:
- SELECT IFNULL(1,0)
- SELECT NULLIF(1,1)
111
Regular Expression: \bwhere\b.+?(\b(n?and|x?or|not)\b|(\&\&|\|\|))
Description: Common SQL comparison “where”
Tags:
- sqli
Impact: 3
- SQL injection [7]
- High risk of false-positives [-4]
Examples:
- SELECT foo FROM bar WHERE id = 1 OR id = 2
112
Regular Expression: \bcase\b.+?\bwhen\b.+?\bend\b
Description: Common SQL comparison “case”
Tags:
- sqli
Impact: 4
- SQL injection [6]
- Low risk of false-positives [-2]
Resources:
Examples:
- CASE case_value WHEN when_value THEN statement_list END CASE
113
Regular Expression: \bexec\b.+?\bxp_cmdshell\b
Description: MSSQL code execution “xp_cmdshell”
Tags:
- sqli
- rce
- mssql
Impact: 9
- SQL injection / code execution [8]
- Low risk of false-positives [1]
Examples:
- exec master..xp_cmdshell 'echo foo'
114
Regular Expression: \bcreate\b.+?\b(procedure|function)\b.*?\(.*?\)
Description: Common SQL command “create”
Tags:
- sqli
Impact: 4
- SQL injection [7]
- Mediocre risk of false-positives [-3]
Examples:
- CREATE PROCEDURE foo()
115
Regular Expression: \binsert\b.+?\binto\b.*?\bvalues\b.*?\(.+?\)
Description: Common SQL command “insert”
Tags:
- sqli
Impact: 5
- SQL injection [7]
- Mediocre risk of false-positives [-2]
Examples:
- INSERT INTO table (col1,col2) VALUES('foo','bar')
116
Regular Expression: \bselect\b.+?\bfrom\b
Description: Common SQL command “select”
Tags:
- sqli
Impact: 3
- SQL injection [7]
- High risk of false-positives [-4]
Examples:
- SELECT foo FROM bar
117
Regular Expression: \bpg_user\b
Description: PgSQL information disclosure “pg_user”
Tags:
- sqli
- pgsql
Impact: 7
- SQL injection [6]
- Low risk of false-positives [1]
Examples:
- SELECT * FROM pg_user
118
Regular Expression: \bpg_database\b
Description: PgSQL information disclosure “pg_database”
Tags:
- sqli
- pgsql
Impact: 7
- SQL injection [6]
- Low risk of false-positives [1]
Examples:
- SELECT * FROM pg_database
119
Regular Expression: \bpg_shadow\b
Description: PgSQL information disclosure “pg_shadow”
Tags:
- sqli
- pgsql
Impact: 7
- SQL injection [6]
- Low risk of false-positives [1]
Examples:
- SELECT * FROM pg_shadow
120
Regular Expression: \b(current_)?database\b.*?\(.*?\)
Description: Common SQL function “database”
Tags:
- sqli
Impact: 2
- SQL injection / information disclosure [6]
- High risk of false-positives [-4]
Examples:
- SELECT database()
- SELECT current_database()
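The `Impact` column above is what makes a blacklist of deliberately noisy regexes usable: Shadow Daemon sums the impact of every filter that matches and flags the input when the sum reaches a threshold configured for the profile, so a single low-impact hit on ordinary text does nothing while a real payload trips several filters at once. As an added example that is not part of the Shadow Daemon code, the Python below reimplements that scoring over nine of the filters listed above with their stated impacts, using Python's `re` and a constructed threshold of 8; case-insensitive matching and the threshold value are assumptions, and the four sample inputs are constructed.

```python
import re

# Nine of the filters listed above as (number, impact, pattern), impacts as stated in the list.
# Assumption: Shadow Daemon matches case-insensitively (its own examples use upper-case SQL
# keywords); Python's re is used here, not the daemon's engine.
FILTERS = [
    (1,   9, r"\(\)\s*\{.*?;\s*\}\s*;"),                      # Shellshock
    (38,  3, r"\bunion\b.+?\bselect\b"),                      # union select
    (42,  1, r"--.+?"),                                       # SQL comment
    (45,  3, r"\/\*.*?\*\/"),                                 # C-style comment
    (52,  4, r"<(html|body|meta|link|i?frame|script|map)"),   # HTML injection point
    (54,  3, r"\bon\w+\s*="),                                 # HTML event handler
    (80,  2, r"\bdocument\b.*?\."),                           # JavaScript "document"
    (100, 2, r"\b(current_)?user\b.*?\(.*?\)"),               # SQL user()
    (116, 3, r"\bselect\b.+?\bfrom\b"),                       # select ... from
]
COMPILED = [(number, impact, re.compile(pattern, re.I)) for number, impact, pattern in FILTERS]

# Constructed threshold; the real one is a per-profile setting in Shadow Daemon.
THRESHOLD = 8


def score(value: str) -> tuple[int, list[int]]:
    """Sum the impact of every filter that fires on `value`; return (total, filter numbers hit)."""
    hits = [number for number, _, rx in COMPILED if rx.search(value)]
    total = sum(impact for number, impact, _ in COMPILED if number in hits)
    return total, hits


def is_threat(value: str, threshold: int = THRESHOLD) -> bool:
    """Blacklist decision: flag when the summed impact reaches the threshold."""
    return score(value)[0] >= threshold


# Constructed inputs: three payloads and one harmless sentence that still trips two filters.
SAMPLES = {
    "sqli": "' UNION/**/SELECT user() FROM mysql.user-- -",
    "xss": '<iframe src="javascript:alert(1)" onload="alert(document.cookie)">',
    "shellshock": '() { :;}; /bin/bash -c "id"',  # as it would arrive in a User-Agent header
    "benign": "Please select your seat from the chart -- thanks, Jon",
}

if __name__ == "__main__":
    for name, value in SAMPLES.items():
        total, hits = score(value)
        print(f"{name:10} impact={total:2} hits={hits} threat={is_threat(value)}")
```

The benign sentence fires filter 116 (`select ... from`) and filter 42 (`--`) for a total of 4 and stays under the threshold, while the SQL injection trips five filters for 12 and the Shellshock User-Agent reaches 9 on filter 1 alone; that separation between ordinary text and payloads, not any single regex, is the property to measure when tuning the threshold or adding filters.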
https://shadowd.zecure.org/documentation/blacklist/
https://github.com/zecure/shadowd