GROUP_NAME=SQL
GROUP_DESCRIPTION=These signatures are designed to catch various SQL injection attacks in HTTP GET requests or POST bodies. For each signature there is a "PLUS" version which expects tokens to be separated by plusses, a "PCT" version which expects tokens to be separated by %20, and a "SPC" version which expects tokens to be separated by spaces (which many webservers will accept in POST bodies).
# $Id: SQL.lib,v 1.6 2006/05/19 15:10:31 hlein Exp $

NAME=WEB:SQL-OR-NUM-PLUS
SIGNATURE=T D A S 40 0 W WEB:SQL-OR-NUM-PLUS #/2bor/2b#=#
DESCRIPTION=Detect constructs like "1 or 1=1", commonly used in SQL injection attacks to bypass the existing WHERE clause and dump all records.
MODIFIED=Y
DISABLED=N

NAME=WEB:SQL-OR-NUM-PCT
SIGNATURE=T D A S 40 0 W WEB:SQL-OR-NUM-PCT #/2520or/2520#=#
DESCRIPTION=Detect constructs like "1 or 1=1", commonly used in SQL injection attacks to bypass the existing WHERE clause and dump all records.
MODIFIED=Y
DISABLED=N

NAME=WEB:SQL-OR-NUM-SPC
SIGNATURE=T D A S 40 0 W WEB:SQL-OR-NUM-SPC #/20or/20#=#
DESCRIPTION=Detect constructs like "1 or 1=1", commonly used in SQL injection attacks to bypass the existing WHERE clause and dump all records.
MODIFIED=Y
DISABLED=N

NAME=WEB:SQL-OR-ALPHA-PLUS
SIGNATURE=T D A S 40 0 W WEB:SQL-OR-ALPHA-PLUS /27/2bor/2b/27*/27=/27*
DESCRIPTION=Detect constructs like "' or 'A'='A", commonly used in SQL injection attacks to bypass the existing WHERE clause and dump all records.
MODIFIED=Y
DISABLED=N

NAME=WEB:SQL-OR-ALPHA-PCT
SIGNATURE=T D A S 40 0 W WEB:SQL-OR-ALPHA-PCT /27/2520or/2520/27*/27=/27*
DESCRIPTION=Detect constructs like "' or 'A'='A", commonly used in SQL injection attacks to bypass the existing WHERE clause and dump all records.
MODIFIED=Y
DISABLED=N

NAME=WEB:SQL-OR-ALPHA-SPC
SIGNATURE=T D A S 40 0 W WEB:SQL-OR-ALPHA-SPC /27/20or/20/27*/27=/27*
DESCRIPTION=Detect constructs like "' or 'A'='A", commonly used in SQL injection attacks to bypass the existing WHERE clause and dump all records.
MODIFIED=Y
DISABLED=N

NAME=WEB:SQL-UNION-SELECT-PLUS
SIGNATURE=T D A S 40 0 W WEB:SQL-UNION-SELECT-PLUS /2bunion/2bselect/2b
DESCRIPTION=Detect constructs like "union select ", commonly used in SQL injection attacks to pull records from additional tables besides those intended to be accessed.
MODIFIED=Y
DISABLED=N

NAME=WEB:SQL-UNION-SELECT-PCT
SIGNATURE=T D A S 40 0 W WEB:SQL-UNION-SELECT-PCT /2520union/2520select/2520
DESCRIPTION=Detect constructs like "union select ", commonly used in SQL injection attacks to pull records from additional tables besides those intended to be accessed.
MODIFIED=Y
DISABLED=N

NAME=WEB:SQL-UNION-SELECT-SPC
SIGNATURE=T D A S 40 0 W WEB:SQL-UNION-SELECT-SPC /20union/20select/20
DESCRIPTION=Detect constructs like "union select ", commonly used in SQL injection attacks to pull records from additional tables besides those intended to be accessed.
MODIFIED=Y
DISABLED=N

NAME=WEB:SQL-VERSION
SIGNATURE=T D A S 40 0 W WEB:SQL-VERSION /40/40version
DESCRIPTION=Detect constructs like "@@version", which for some servers such as MSSQL will return the server version, telling the attacker that SQL injection attacks are possible.
MODIFIED=Y
DISABLED=N

NAME=WEB:SQL-MASTER-SYSLOGINS
SIGNATURE=T D A S 40 0 W WEB:SQL-MASTER-SYSLOGINS master/2e/2esyslogins
DESCRIPTION=Detect constructs like "master..syslogins", an attempt to access user account data on MSSQL.
MODIFIED=Y
DISABLED=N

NAME=WEB:SQL-FROM-ALLTABLES-PLUS
SIGNATURE=T D A S 40 0 W WEB:SQL-FROM-ALL-PLUS from/2ball_tables
DESCRIPTION=Detect constructs like "from all_tables", an attempt to enumerate data against an Oracle database.
MODIFIED=Y
DISABLED=N

NAME=WEB:SQL-FROM-ALLTABLES-PCT
SIGNATURE=T D A S 40 0 W WEB:SQL-FROM-ALL-PCT from/2520all_tables
DESCRIPTION=Detect constructs like "from all_tables", an attempt to enumerate data against an Oracle database.
MODIFIED=Y
DISABLED=N

NAME=WEB:SQL-FROM-ALLTABLES-SPC
SIGNATURE=T D A S 40 0 W WEB:SQL-FROM-ALL-SPC from/20all_tables
DESCRIPTION=Detect constructs like "from all_tables", an attempt to enumerate data against an Oracle database.
MODIFIED=Y
DISABLED=N

NAME=WEB:SQL-FROM-USERTABLE-PLUS
SIGNATURE=T D A S 40 0 W WEB:SQL-FROM-USERTABLE-PLUS from/2busertable
DESCRIPTION=Detect constructs like "from usertable", an attempt to enumerate database data.
MODIFIED=Y
DISABLED=N

NAME=WEB:SQL-FROM-USERTABLE-PCT
SIGNATURE=T D A S 40 0 W WEB:SQL-FROM-USERTABLE-PCT from/2520usertable
DESCRIPTION=Detect constructs like "from usertable", an attempt to enumerate database data.
MODIFIED=Y
DISABLED=N

NAME=WEB:SQL-FROM-USERTABLE-SPC
SIGNATURE=T D A S 40 0 W WEB:SQL-FROM-USERTABLE-SPC from/20usertable
DESCRIPTION=Detect constructs like "from usertable", an attempt to enumerate database data.
MODIFIED=Y
DISABLED=N

NAME=WEB:SQL-MASTER.XPCMDSHELL
SIGNATURE=T D A S 40 0 W WEB:SQL-MASTER.XPCMDSHELL master/2e/2exp/5fcmdshell
DESCRIPTION=Detect constructs like "master..xp_cmdshell", an attempt to execute arbitrary OS commands via SQL injection.
MODIFIED=Y
DISABLED=N

NAME=WEB:SQL-EXEC-XPCMDSHELL-PLUS
SIGNATURE=T D A S 40 0 W WEB:SQL-EXEC-XPCMDSHELL-PLUS exec/2bxp/5fcmdshell
DESCRIPTION=Detect constructs like "exec xp_cmdshell", an attempt to execute arbitrary OS commands via SQL injection.
MODIFIED=Y
DISABLED=N

NAME=WEB:SQL-EXEC-XPCMDSHELL-PCT
SIGNATURE=T D A S 40 0 W WEB:SQL-EXEC-XPCMDSHELL-PCT exec/2520xp/5fcmdshell
DESCRIPTION=Detect constructs like "exec xp_cmdshell", an attempt to execute arbitrary OS commands via SQL injection.
MODIFIED=Y
DISABLED=N

NAME=WEB:SQL-EXEC-XPCMDSHELL-SPC
SIGNATURE=T D A S 40 0 W WEB:SQL-EXEC-XPCMDSHELL-SPC exec/20xp/5fcmdshell
DESCRIPTION=Detect constructs like "exec xp_cmdshell", an attempt to execute arbitrary OS commands via SQL injection.
MODIFIED=Y
DISABLED=N

NAME=WEB:SQL-EXEC-PLUS
SIGNATURE=T D A S 40 0 W WEB:SQL-EXEC-PLUS /2bexec/28/27
DESCRIPTION=Detect constructs like " exec('", an attempt to execute arbitrary SQL commands via SQL injection using MS-SQL's builtin EXEC command.
MODIFIED=Y
DISABLED=N

NAME=WEB:SQL-EXEC-PCT
SIGNATURE=T D A S 40 0 W WEB:SQL-EXEC-PCT /2520exec/28/27
DESCRIPTION=Detect constructs like " exec('", an attempt to execute arbitrary SQL commands via SQL injection using MS-SQL's builtin EXEC command.
MODIFIED=Y
DISABLED=N

NAME=WEB:SQL-EXEC-SPC
SIGNATURE=T D A S 40 0 W WEB:SQL-EXEC-SPC /20exec/28/27
DESCRIPTION=Detect constructs like " exec('", an attempt to execute arbitrary SQL commands via SQL injection using MS-SQL's builtin EXEC command.
MODIFIED=Y
DISABLED=N

NAME=WEB:SQL-EXEC-SMC
SIGNATURE=T D A S 40 0 W WEB:SQL-EXEC-SMC /3bexec/28/27
DESCRIPTION=Detect constructs like ";exec('", an attempt to execute arbitrary SQL commands via SQL injection using MS-SQL's builtin EXEC command.
MODIFIED=Y
DISABLED=N

NAME=WEB:SQL-EXEC-IMMED-PLUS
SIGNATURE=T D A S 40 0 W WEB:SQL-EXEC-IMMED-PLUS execute/2bimmediate
DESCRIPTION=Detect constructs like "execute immediate", an attempt to execute arbitrary SQL commands via SQL injection using Oracle's builtin EXECUTE IMMEDIATE command.
MODIFIED=Y
DISABLED=N

NAME=WEB:SQL-EXEC-IMMED-PCT
SIGNATURE=T D A S 40 0 W WEB:SQL-EXEC-IMMED-PCT execute/2520immediate
DESCRIPTION=Detect constructs like "execute immediate", an attempt to execute arbitrary SQL commands via SQL injection using Oracle's builtin EXECUTE IMMEDIATE command.
MODIFIED=Y
DISABLED=N

NAME=WEB:SQL-EXEC-IMMED-SPC
SIGNATURE=T D A S 40 0 W WEB:SQL-EXEC-IMMED-SPC execute/20immediate
DESCRIPTION=Detect constructs like "execute immediate", an attempt to execute arbitrary SQL commands via SQL injection using Oracle's builtin EXECUTE IMMEDIATE command.
MODIFIED=Y
DISABLED=N

NAME=WEB:SQL-INSERT-PLUS-SPC
SIGNATURE=T D A S 40 0 W WEB:SQL-INSERT-PLUS-SPC /3b/2binsert/2binto/2b
DESCRIPTION=Detects constructs like "; insert into ", an attempt to add records to an existing table via SQL injection. Requiring the leading semicolon may cause some attacks to be missed, but it is necessary to avoid a fairly high false-positive rate.
MODIFIED=Y
DISABLED=N

NAME=WEB:SQL-INSERT-PCT-SPC
SIGNATURE=T D A S 40 0 W WEB:SQL-INSERT-PCT-SPC /3b/2520insert/2520into/2520
DESCRIPTION=Detects constructs like "; insert into ", an attempt to add records to an existing table via SQL injection. Requiring the leading semicolon may cause some attacks to be missed, but it is necessary to avoid a fairly high false-positive rate.
MODIFIED=Y
DISABLED=N

NAME=WEB:SQL-INSERT-SPC-SPC
SIGNATURE=T D A S 40 0 W WEB:SQL-INSERT-SPC-SPC /3b/20insert/20into/20
DESCRIPTION=Detects constructs like "; insert into ", an attempt to add records to an existing table via SQL injection. Requiring the leading semicolon may cause some attacks to be missed, but it is necessary to avoid a fairly high false-positive rate.
MODIFIED=Y
DISABLED=N

NAME=WEB:SQL-INSERT-PLUS-NOSPC
SIGNATURE=T D A S 40 0 W WEB:SQL-INSERT-PLUS-NOSPC /3binsert/2binto/2b
DESCRIPTION=Detects constructs like ";insert into ", an attempt to add records to an existing table via SQL injection. Requiring the leading semicolon may cause some attacks to be missed, but it is necessary to avoid a fairly high false-positive rate.
MODIFIED=Y
DISABLED=N

NAME=WEB:SQL-INSERT-PCT-NOSPC
SIGNATURE=T D A S 40 0 W WEB:SQL-INSERT-PCT-NOSPC /3binsert/2520into/2520
DESCRIPTION=Detects constructs like ";insert into ", an attempt to add records to an existing table via SQL injection. Requiring the leading semicolon may cause some attacks to be missed, but it is necessary to avoid a fairly high false-positive rate.
MODIFIED=Y
DISABLED=N

NAME=WEB:SQL-INSERT-SPC-NOSPC
SIGNATURE=T D A S 40 0 W WEB:SQL-INSERT-SPC-NOSPC /3binsert/20into/20
DESCRIPTION=Detects constructs like ";insert into ", an attempt to add records to an existing table via SQL injection. Requiring the leading semicolon may cause some attacks to be missed, but it is necessary to avoid a fairly high false-positive rate.
MODIFIED=Y
DISABLED=N

NAME=WEB:SQL-DROP-PLUS-SPC
SIGNATURE=T D A S 40 0 W WEB:SQL-DROP-PLUS-SPC /3b/2bdrop/2btable/2b
DESCRIPTION=Detects constructs like "; drop table ", an attempt to destroy data via SQL injection. Requiring the leading semicolon may cause some attacks to be missed, but it is necessary to avoid a fairly high false-positive rate.
MODIFIED=Y
DISABLED=N

NAME=WEB:SQL-DROP-PCT-SPC
SIGNATURE=T D A S 40 0 W WEB:SQL-DROP-PCT-SPC /3b/2520drop/2520table/2520
DESCRIPTION=Detects constructs like "; drop table ", an attempt to destroy data via SQL injection. Requiring the leading semicolon may cause some attacks to be missed, but it is necessary to avoid a fairly high false-positive rate.
MODIFIED=Y
DISABLED=N

NAME=WEB:SQL-DROP-SPC-SPC
SIGNATURE=T D A S 40 0 W WEB:SQL-DROP-SPC-SPC /3b/20drop/20table/20
DESCRIPTION=Detects constructs like "; drop table ", an attempt to destroy data via SQL injection. Requiring the leading semicolon may cause some attacks to be missed, but it is necessary to avoid a fairly high false-positive rate.
MODIFIED=Y
DISABLED=N

NAME=WEB:SQL-DROP-PLUS-NOSPC
SIGNATURE=T D A S 40 0 W WEB:SQL-DROP-PLUS-NOSPC /3bdrop/2btable/2b
DESCRIPTION=Detects constructs like ";drop table ", an attempt to destroy data via SQL injection. Requiring the leading semicolon may cause some attacks to be missed, but it is necessary to avoid a fairly high false-positive rate.
MODIFIED=Y
DISABLED=N

NAME=WEB:SQL-DROP-PCT-NOSPC
SIGNATURE=T D A S 40 0 W WEB:SQL-DROP-PCT-NOSPC /3bdrop/2520table/2520
DESCRIPTION=Detects constructs like ";drop table ", an attempt to destroy data via SQL injection. Requiring the leading semicolon may cause some attacks to be missed, but it is necessary to avoid a fairly high false-positive rate.
MODIFIED=Y
DISABLED=N

NAME=WEB:SQL-DROP-SPC-NOSPC
SIGNATURE=T D A S 40 0 W WEB:SQL-DROP-SPC-NOSPC /3bdrop/20table/20
DESCRIPTION=Detects constructs like ";drop table ", an attempt to destroy data via SQL injection. Requiring the leading semicolon may cause some attacks to be missed, but it is necessary to avoid a fairly high false-positive rate.
MODIFIED=Y
DISABLED=N

NAME=WEB:SQL-DELETE-PLUS-NOSPC
SIGNATURE=T D A S 40 0 W WEB:SQL-DELETE-PLUS-NOSPC /3bdelete/2bfrom/2b
DESCRIPTION=Detects constructs like ";delete from ", an attempt to destroy data via SQL injection. Requiring the leading semicolon may cause some attacks to be missed, but it is necessary to avoid a fairly high false-positive rate.
MODIFIED=Y
DISABLED=N

NAME=WEB:SQL-DELETE-PCT-NOSPC
SIGNATURE=T D A S 40 0 W WEB:SQL-DELETE-PCT-NOSPC /3bdelete/2520from/2520
DESCRIPTION=Detects constructs like ";delete from ", an attempt to destroy data via SQL injection. Requiring the leading semicolon may cause some attacks to be missed, but it is necessary to avoid a fairly high false-positive rate.
MODIFIED=Y
DISABLED=N

NAME=WEB:SQL-DELETE-SPC-NOSPC
SIGNATURE=T D A S 40 0 W WEB:SQL-DELETE-SPC-NOSPC /3bdelete/20from/20
DESCRIPTION=Detects constructs like ";delete from ", an attempt to destroy data via SQL injection. Requiring the leading semicolon may cause some attacks to be missed, but it is necessary to avoid a fairly high false-positive rate.
MODIFIED=Y
DISABLED=N

NAME=WEB:SQL-DELETE-PLUS-SPC
SIGNATURE=T D A S 40 0 W WEB:SQL-DELETE-PLUS-SPC /3b/2bdelete/2bfrom/2b
DESCRIPTION=Detects constructs like "; delete from ", an attempt to destroy data via SQL injection. Requiring the leading semicolon may cause some attacks to be missed, but it is necessary to avoid a fairly high false-positive rate.
MODIFIED=Y
DISABLED=N

NAME=WEB:SQL-DELETE-PCT-SPC
SIGNATURE=T D A S 40 0 W WEB:SQL-DELETE-PCT-SPC /3b/2520delete/2520from/2520
DESCRIPTION=Detects constructs like "; delete from ", an attempt to destroy data via SQL injection. Requiring the leading semicolon may cause some attacks to be missed, but it is necessary to avoid a fairly high false-positive rate.
MODIFIED=Y
DISABLED=N

NAME=WEB:SQL-DELETE-SPC-SPC
SIGNATURE=T D A S 40 0 W WEB:SQL-DELETE-SPC-SPC /3b/20delete/20from/20
DESCRIPTION=Detects constructs like "; delete from ", an attempt to destroy data via SQL injection. Requiring the leading semicolon may cause some attacks to be missed, but it is necessary to avoid a fairly high false-positive rate.
MODIFIED=Y
DISABLED=N
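The following is an added example, not part of SQL.lib or of the product that consumes it. It reads a constructed excerpt of the library in the same key=value record format, turns each SIGNATURE pattern into a regular expression, and runs the PLUS/PCT/SPC variants over a few constructed request lines so the difference between the three encodings described in GROUP_DESCRIPTION is visible, along with the semicolon requirement on the DROP rules. The pattern syntax is inferred from the library rather than documented on the page, so these are assumptions: `/hh` is the byte with hex value hh (so `/2b` is `+`, `/25` is `%`, and `/2520` is the literal string `%20`), `#` is one decimal digit, `*` is an arbitrary run of characters, the pattern is the last whitespace-separated field of SIGNATURE, the `T D A S 40 0 W` fields are not interpreted, and matching is case-insensitive. The function names and sample requests are mine.

```python
import re

# Constructed excerpt of SQL.lib in the page's own record format
# (DESCRIPTION and MODIFIED lines dropped to keep the excerpt short).
SQL_LIB_EXCERPT = """\
GROUP_NAME=SQL
# comment lines such as the $Id$ header are skipped by the parser
NAME=WEB:SQL-OR-NUM-PLUS
SIGNATURE=T D A S 40 0 W WEB:SQL-OR-NUM-PLUS #/2bor/2b#=#
DISABLED=N
NAME=WEB:SQL-OR-NUM-PCT
SIGNATURE=T D A S 40 0 W WEB:SQL-OR-NUM-PCT #/2520or/2520#=#
DISABLED=N
NAME=WEB:SQL-OR-NUM-SPC
SIGNATURE=T D A S 40 0 W WEB:SQL-OR-NUM-SPC #/20or/20#=#
DISABLED=N
NAME=WEB:SQL-OR-ALPHA-PLUS
SIGNATURE=T D A S 40 0 W WEB:SQL-OR-ALPHA-PLUS /27/2bor/2b/27*/27=/27*
DISABLED=N
NAME=WEB:SQL-UNION-SELECT-PLUS
SIGNATURE=T D A S 40 0 W WEB:SQL-UNION-SELECT-PLUS /2bunion/2bselect/2b
DISABLED=N
NAME=WEB:SQL-DROP-PLUS-SPC
SIGNATURE=T D A S 40 0 W WEB:SQL-DROP-PLUS-SPC /3b/2bdrop/2btable/2b
DISABLED=N
NAME=WEB:SQL-DROP-PLUS-NOSPC
SIGNATURE=T D A S 40 0 W WEB:SQL-DROP-PLUS-NOSPC /3bdrop/2btable/2b
DISABLED=N
"""


def parse_lib(text):
    """Split key=value lines into records; each NAME line starts a new record.
    Blank lines and '#' comments are ignored; GROUP_* lines before the first
    NAME form a header record that is dropped from the result."""
    records, cur = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue
        if key == "NAME":
            if cur:
                records.append(cur)
            cur = {}
        cur[key] = value
    if cur:
        records.append(cur)
    return [r for r in records if "NAME" in r]


_HEX = re.compile(r"[0-9A-Fa-f]{2}")


def pattern_to_regex(pattern):
    """Translate the assumed signature syntax (/hh, #, *) into a regex."""
    parts, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == "/" and _HEX.fullmatch(pattern[i + 1:i + 3]):
            parts.append(re.escape(chr(int(pattern[i + 1:i + 3], 16))))
            i += 3          # /2520 = '%' followed by the literal digits 2 and 0
        elif c == "#":
            parts.append(r"[0-9]")
            i += 1
        elif c == "*":
            parts.append(".*")
            i += 1
        else:
            parts.append(re.escape(c))
            i += 1
    return re.compile("".join(parts), re.IGNORECASE | re.DOTALL)


def compile_signatures(records):
    """Compile every enabled record; the pattern is the last SIGNATURE field."""
    out = []
    for r in records:
        if r.get("DISABLED", "N").upper() == "Y":
            continue
        out.append((r["NAME"], pattern_to_regex(r["SIGNATURE"].split()[-1])))
    return out


def scan(request, compiled):
    """Return the names of all signatures that fire on one request string."""
    return [name for name, rx in compiled if rx.search(request)]


# Constructed request lines and POST body; none of this is captured traffic.
SAMPLE_REQUESTS = {
    "plus":   "GET /item.php?id=1+or+1=1 HTTP/1.1",
    "pct":    "GET /item.php?id=1%20or%201=1 HTTP/1.1",
    "body":   "id=1 or 1=1",
    "alpha":  "GET /login.php?user='+or+'a'='a HTTP/1.1",
    "union":  "GET /item.php?id=1+union+select+1,2 HTTP/1.1",
    "drop":   "GET /item.php?id=1;+drop+table+t HTTP/1.1",
    "search": "GET /search.php?q=kitchen+drop+table+leaf HTTP/1.1",
    "benign": "GET /item.php?id=42 HTTP/1.1",
}


def scan_samples():
    compiled = compile_signatures(parse_lib(SQL_LIB_EXCERPT))
    return {key: scan(req, compiled) for key, req in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for key, hits in scan_samples().items():
        print(f"{key:7s} -> {hits or 'no match'}")
```

The `search` sample is the false-positive case the library's DROP/INSERT/DELETE descriptions refer to: a product search containing the words "drop table" carries no semicolon, so neither DROP rule fires, while the `drop` sample with the `;+` prefix does.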