Error based SQL Injection
ID: sqli-error-based
Severity: critical
Author: geeknik,pdteam
Tags: sqli,error,dast
Description
Section titled “Description”Direct SQL Command Injection is a technique where an attacker creates or alters existing SQL commands to expose hidden data,or to override valuable ones, or even to execute dangerous system level commands on the database host.This is accomplished by the application taking user input and combining it with static parameters to build an SQL query .
YAML Source
Section titled “YAML Source”id: sqli-error-based
info: name: Error based SQL Injection author: geeknik,pdteam severity: critical description: | Direct SQL Command Injection is a technique where an attacker creates or alters existing SQL commands to expose hidden data, or to override valuable ones, or even to execute dangerous system level commands on the database host. This is accomplished by the application taking user input and combining it with static parameters to build an SQL query . metadata: max-request: 3 tags: sqli,error,dast
http: - pre-condition: - type: dsl dsl: - 'method != "OPTIONS"'
payloads: injection: - "'" - "\"" - ";"
fuzzing: - part: request type: postfix mode: single fuzz: - "{{injection}}"
stop-at-first-match: true matchers-condition: and matchers: - type: word part: body words: - "Adminer" negative: true # False Positive
- type: regex regex: # MySQL - "SQL syntax.*?MySQL" - "Warning.*?\\Wmysqli?_" - "MySQLSyntaxErrorException" - "valid MySQL result" - "check the manual that (corresponds to|fits) your MySQL server version" - "Unknown column '[^ ]+' in 'field list'" - "MySqlClient\\." - "com\\.mysql\\.jdbc" - "Zend_Db_(Adapter|Statement)_Mysqli_Exception" - "Pdo[./_\\\\]Mysql" - "MySqlException" - "SQLSTATE\\[\\d+\\]: Syntax error or access violation" # MariaDB - "check the manual that (corresponds to|fits) your MariaDB server version" # Drizzle - "check the manual that (corresponds to|fits) your Drizzle server version" # MemSQL - "MemSQL does not support this type of query" - "is not supported by MemSQL" - "unsupported nested scalar subselect" # PostgreSQL - "PostgreSQL.*?ERROR" - "Warning.*?\\Wpg_" - "valid PostgreSQL result" - "Npgsql\\." - "PG::SyntaxError:" - "org\\.postgresql\\.util\\.PSQLException" - "ERROR:\\s\\ssyntax error at or near" - "ERROR: parser: parse error at or near" - "PostgreSQL query failed" - "org\\.postgresql\\.jdbc" - "Pdo[./_\\\\]Pgsql" - "PSQLException" # Microsoft SQL Server - "Driver.*? SQL[\\-\\_\\ ]*Server" - "OLE DB.*? SQL Server" - "\\bSQL Server[^<"]+Driver" - "Warning.*?\\W(mssql|sqlsrv)_" - "\\bSQL Server[^<"]+[0-9a-fA-F]{8}" - "System\\.Data\\.SqlClient\\.SqlException\\.(SqlException|SqlConnection\\.OnError)" - "(?s)Exception.*?\\bRoadhouse\\.Cms\\." - "Microsoft SQL Native Client error '[0-9a-fA-F]{8}" - "\\[SQL Server\\]" - "ODBC SQL Server Driver" - "ODBC Driver \\d+ for SQL Server" - "SQLServer JDBC Driver" - "com\\.jnetdirect\\.jsql" - "macromedia\\.jdbc\\.sqlserver" - "Zend_Db_(Adapter|Statement)_Sqlsrv_Exception" - "com\\.microsoft\\.sqlserver\\.jdbc" - "Pdo[./_\\\\](Mssql|SqlSrv)" - "SQL(Srv|Server)Exception" - "Unclosed quotation mark after the character string" # Microsoft Access - "Microsoft Access (\\d+ )?Driver" - "JET Database Engine" - "Access Database Engine" - "ODBC Microsoft Access" - "Syntax error \\(missing operator\\) in query expression" # Oracle - "\\bORA-\\d{5}" - "Oracle error" - "Oracle.*?Driver" - "Warning.*?\\W(oci|ora)_" - "quoted string not properly terminated" - "SQL command not properly ended" - "macromedia\\.jdbc\\.oracle" - "oracle\\.jdbc" - "Zend_Db_(Adapter|Statement)_Oracle_Exception" - "Pdo[./_\\\\](Oracle|OCI)" - "OracleException" # IBM DB2 - "CLI Driver.*?DB2" - "DB2 SQL error" - "\\bdb2_\\w+\\(" - "SQLCODE[=:\\d, -]+SQLSTATE" - "com\\.ibm\\.db2\\.jcc" - "Zend_Db_(Adapter|Statement)_Db2_Exception" - "Pdo[./_\\\\]Ibm" - "DB2Exception" - "ibm_db_dbi\\.ProgrammingError" # Informix - "Warning.*?\\Wifx_" - "Exception.*?Informix" - "Informix ODBC Driver" - "ODBC Informix driver" - "com\\.informix\\.jdbc" - "weblogic\\.jdbc\\.informix" - "Pdo[./_\\\\]Informix" - "IfxException" # Firebird - "Dynamic SQL Error" - "Warning.*?\\Wibase_" - "org\\.firebirdsql\\.jdbc" - "Pdo[./_\\\\]Firebird" # SQLite - "SQLite/JDBCDriver" - "SQLite\\.Exception" - "(Microsoft|System)\\.Data\\.SQLite\\.SQLiteException" - "Warning.*?\\W(sqlite_|SQLite3::)" - "SQLITE_ERROR" - "SQLite error \\d+:" - "sqlite3.OperationalError:" - "SQLite3::SQLException" - "org\\.sqlite\\.JDBC" - "Pdo[./_\\\\]Sqlite" - "SQLiteException" # SAP MaxDB - "SQL error.*?POS([0-9]+)" - "Warning.*?\\Wmaxdb_" - "DriverSapDB" - "-3014.*?Invalid end of SQL statement" - "com\\.sap\\.dbtech\\.jdbc" - "\\[-3008\\].*?: Invalid keyword or missing delimiter" # Sybase - "Warning.*?\\Wsybase_" - "Sybase message" - "Sybase.*?Server message" - "SybSQLException" - "Sybase\\.Data\\.AseClient" - "com\\.sybase\\.jdbc" # Ingres - "Warning.*?\\Wingres_" - "Ingres SQLSTATE" - "Ingres\\W.*?Driver" - "com\\.ingres\\.gcf\\.jdbc" # FrontBase - "Exception (condition )?\\d+\\. Transaction rollback" - "com\\.frontbase\\.jdbc" - "Syntax error 1. Missing" - "(Semantic|Syntax) error [1-4]\\d{2}\\." # HSQLDB - "Unexpected end of command in statement \\[" - "Unexpected token.*?in statement \\[" - "org\\.hsqldb\\.jdbc" # H2 - "org\\.h2\\.jdbc" - "\\[42000-192\\]" # MonetDB - "![0-9]{5}![^\\n]+(failed|unexpected|error|syntax|expected|violation|exception)" - "\\[MonetDB\\]\\[ODBC Driver" - "nl\\.cwi\\.monetdb\\.jdbc" # Apache Derby - "Syntax error: Encountered" - "org\\.apache\\.derby" - "ERROR 42X01" # Vertica - ", Sqlstate: (3F|42).{3}, (Routine|Hint|Position):" - "/vertica/Parser/scan" - "com\\.vertica\\.jdbc" - "org\\.jkiss\\.dbeaver\\.ext\\.vertica" - "com\\.vertica\\.dsi\\.dataengine" # Mckoi - "com\\.mckoi\\.JDBCDriver" - "com\\.mckoi\\.database\\.jdbc" - "<REGEX_LITERAL>" # Presto - "com\\.facebook\\.presto\\.jdbc" - "io\\.prestosql\\.jdbc" - "com\\.simba\\.presto\\.jdbc" - "UNION query has different number of fields: \\d+, \\d+" # Altibase - "Altibase\\.jdbc\\.driver" # MimerSQL - "com\\.mimer\\.jdbc" - "Syntax error,[^\\n]+assumed to mean" # CrateDB - "io\\.crate\\.client\\.jdbc" # Cache - "encountered after end of query" - "A comparison operator is required here" # Raima Database Manager - "-10048: Syntax error" - "rdmStmtPrepare\\(.+?\\) returned" # Virtuoso - "SQ074: Line \\d+:" - "SR185: Undefined procedure" - "SQ200: No table " - "Virtuoso S0002 Error" - "\\[(Virtuoso Driver|Virtuoso iODBC Driver)\\]\\[Virtuoso Server\\]" condition: or
extractors: - type: regex name: mysql regex: - "SQL syntax.*?MySQL" - "Warning.*?\\Wmysqli?_" - "MySQLSyntaxErrorException" - "valid MySQL result" - "check the manual that (corresponds to|fits) your MySQL server version" - "Unknown column '[^ ]+' in 'field list'" - "MySqlClient\\." - "com\\.mysql\\.jdbc" - "Zend_Db_(Adapter|Statement)_Mysqli_Exception" - "Pdo[./_\\\\]Mysql" - "MySqlException" - "SQLSTATE[\\d+]: Syntax error or access violation"
- type: regex name: mariadb regex: - "check the manual that (corresponds to|fits) your MariaDB server version"
- type: regex name: drizzel regex: - "check the manual that (corresponds to|fits) your Drizzle server version"
- type: regex name: memsql regex: - "MemSQL does not support this type of query" - "is not supported by MemSQL" - "unsupported nested scalar subselect"
- type: regex name: postgresql regex: - "PostgreSQL.*?ERROR" - "Warning.*?\\Wpg_" - "valid PostgreSQL result" - "Npgsql\\." - "PG::SyntaxError:" - "org\\.postgresql\\.util\\.PSQLException" - "ERROR:\\s\\ssyntax error at or near" - "ERROR: parser: parse error at or near" - "PostgreSQL query failed" - "org\\.postgresql\\.jdbc" - "Pdo[./_\\\\]Pgsql" - "PSQLException"
- type: regex name: microsoftsqlserver regex: - "Driver.*? SQL[\\-\\_\\ ]*Server" - "OLE DB.*? SQL Server" - "\\bSQL Server[^<"]+Driver" - "Warning.*?\\W(mssql|sqlsrv)_" - "\\bSQL Server[^<"]+[0-9a-fA-F]{8}" - "System\\.Data\\.SqlClient\\.SqlException\\.(SqlException|SqlConnection\\.OnError)" - "(?s)Exception.*?\\bRoadhouse\\.Cms\\." - "Microsoft SQL Native Client error '[0-9a-fA-F]{8}" - "\\[SQL Server\\]" - "ODBC SQL Server Driver" - "ODBC Driver \\d+ for SQL Server" - "SQLServer JDBC Driver" - "com\\.jnetdirect\\.jsql" - "macromedia\\.jdbc\\.sqlserver" - "Zend_Db_(Adapter|Statement)_Sqlsrv_Exception" - "com\\.microsoft\\.sqlserver\\.jdbc" - "Pdo[./_\\\\](Mssql|SqlSrv)" - "SQL(Srv|Server)Exception" - "Unclosed quotation mark after the character string"
- type: regex name: microsoftaccess regex: - "Microsoft Access (\\d+ )?Driver" - "JET Database Engine" - "Access Database Engine" - "ODBC Microsoft Access" - "Syntax error \\(missing operator\\) in query expression"
- type: regex name: oracle regex: - "\\bORA-\\d{5}" - "Oracle error" - "Oracle.*?Driver" - "Warning.*?\\W(oci|ora)_" - "quoted string not properly terminated" - "SQL command not properly ended" - "macromedia\\.jdbc\\.oracle" - "oracle\\.jdbc" - "Zend_Db_(Adapter|Statement)_Oracle_Exception" - "Pdo[./_\\\\](Oracle|OCI)" - "OracleException"
- type: regex name: ibmdb2 regex: - "CLI Driver.*?DB2" - "DB2 SQL error" - "\\bdb2_\\w+\\(" - "SQLCODE[=:\\d, -]+SQLSTATE" - "com\\.ibm\\.db2\\.jcc" - "Zend_Db_(Adapter|Statement)_Db2_Exception" - "Pdo[./_\\\\]Ibm" - "DB2Exception" - "ibm_db_dbi\\.ProgrammingError"
- type: regex name: informix regex: - "Warning.*?\\Wifx_" - "Exception.*?Informix" - "Informix ODBC Driver" - "ODBC Informix driver" - "com\\.informix\\.jdbc" - "weblogic\\.jdbc\\.informix" - "Pdo[./_\\\\]Informix" - "IfxException"
- type: regex name: firebird regex: - "Dynamic SQL Error" - "Warning.*?\\Wibase_" - "org\\.firebirdsql\\.jdbc" - "Pdo[./_\\\\]Firebird"
- type: regex name: sqlite regex: - "SQLite/JDBCDriver" - "SQLite\\.Exception" - "(Microsoft|System)\\.Data\\.SQLite\\.SQLiteException" - "Warning.*?\\W(sqlite_|SQLite3::)" - "SQLITE_ERROR" - "SQLite error \\d+:" - "sqlite3.OperationalError:" - "SQLite3::SQLException" - "org\\.sqlite\\.JDBC" - "Pdo[./_\\\\]Sqlite" - "SQLiteException"
- type: regex name: sapmaxdb regex: - "SQL error.*?POS([0-9]+)" - "Warning.*?\\Wmaxdb_" - "DriverSapDB" - "-3014.*?Invalid end of SQL statement" - "com\\.sap\\.dbtech\\.jdbc" - "\\[-3008\\].*?: Invalid keyword or missing delimiter"
- type: regex name: sybase regex: - "Warning.*?\\Wsybase_" - "Sybase message" - "Sybase.*?Server message" - "SybSQLException" - "Sybase\\.Data\\.AseClient" - "com\\.sybase\\.jdbc"
- type: regex name: ingres regex: - "Warning.*?\\Wingres_" - "Ingres SQLSTATE" - "Ingres\\W.*?Driver" - "com\\.ingres\\.gcf\\.jdbc"
- type: regex name: frontbase regex: - "Exception (condition )?\\d+\\. Transaction rollback" - "com\\.frontbase\\.jdbc" - "Syntax error 1. Missing" - "(Semantic|Syntax) error \\[1-4\\]\\d{2}\\."
- type: regex name: hsqldb regex: - "Unexpected end of command in statement \\[" - "Unexpected token.*?in statement \\[" - "org\\.hsqldb\\.jdbc"
- type: regex name: h2 regex: - "org\\.h2\\.jdbc" - "\\[42000-192\\]"
- type: regex name: monetdb regex: - "![0-9]{5}![^\\n]+(failed|unexpected|error|syntax|expected|violation|exception)" - "\\[MonetDB\\]\\[ODBC Driver" - "nl\\.cwi\\.monetdb\\.jdbc"
- type: regex name: apachederby regex: - "Syntax error: Encountered" - "org\\.apache\\.derby" - "ERROR 42X01"
- type: regex name: vertica regex: - ", Sqlstate: (3F|42).{3}, (Routine|Hint|Position):" - "/vertica/Parser/scan" - "com\\.vertica\\.jdbc" - "org\\.jkiss\\.dbeaver\\.ext\\.vertica" - "com\\.vertica\\.dsi\\.dataengine"
- type: regex name: mckoi regex: - "com\\.mckoi\\.JDBCDriver" - "com\\.mckoi\\.database\\.jdbc" - "<REGEX_LITERAL>"
- type: regex name: presto regex: - "com\\.facebook\\.presto\\.jdbc" - "io\\.prestosql\\.jdbc" - "com\\.simba\\.presto\\.jdbc" - "UNION query has different number of fields: \\d+, \\d+"
- type: regex name: altibase regex: - "Altibase\\.jdbc\\.driver"
- type: regex name: mimersql regex: - "com\\.mimer\\.jdbc" - "Syntax error,[^\\n]+assumed to mean"
- type: regex name: cratedb regex: - "io\\.crate\\.client\\.jdbc"
- type: regex name: cache regex: - "encountered after end of query" - "A comparison operator is required here"
- type: regex name: raimadatabasemanager regex: - "-10048: Syntax error" - "rdmStmtPrepare\\(.+?\\) returned"
- type: regex name: virtuoso regex: - "SQ074: Line \\d+:" - "SR185: Undefined procedure" - "SQ200: No table " - "Virtuoso S0002 Error" - "\\[(Virtuoso Driver|Virtuoso iODBC Driver)\\]\\[Virtuoso Server\\]"# digest: 4b0a00483046022100aa148dd908d30fe373522fd4b169a8c92376ca39b7eb6c41dbbfde1f0be384cf022100810e9ae8300cec98d33500199a98614dffe88f94777533129e5a3a8542084f5a:922c64590222798bb761d5b6d8e72950Guide to check the vulnerabilities
Section titled “Guide to check the vulnerabilities”This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.
$ nuclei -u "URL" -t "dast/vulnerabilities/sqli/sqli-error-based.yaml"