nuclei-templates/http/exposures/files/generic-db.yaml

id: generic-db

info:
  name: Generic DB file exposure
  author: Michal Mikolas (nanuqcz)
  severity: high
  description: This is collection of some web frameworks recommendation or default configuration for SQLite database file location. If this file is publicly accessible due to server misconfiguration, it could result in application data leak including users sensitive data, password hashes etc.
  reference:
    - https://laravel.com/docs/11.x/database#sqlite-configuration  # database/database.sqlite
    - https://laravel.com/docs/5.2/database  # database/database.sqlite
    - https://github.com/laracasts/larabook/blob/master/app/config/database.php#L51  # app/database/production.sqlite
    - https://forum.codeigniter.com/post-389846.html  # writable/db.sqlite3
    - https://github.com/codeigniter4projects/playground/blob/develop/.env.example#L33  # writable/database.db
    - https://symfony.com/doc/current/doctrine.html#configuring-the-database  # var/app.db
    - https://symfony.com/doc/4.x/doctrine.html#configuring-the-database  # var/app.db
    - https://symfony.com/doc/3.x/doctrine.html  # app/sqlite.db
    - https://symfony.com/doc/2.x/doctrine.html  # sqlite.db
    - https://openclassrooms.com/forum/sujet/symfony3-sqlite-could-not-create-database  # var/data/db.sqlite
    - https://symfony.com/doc/current/reference/configuration/doctrine.html#doctrine-dbal-configuration  # var/data/data.sqlite
    - https://stackoverflow.com/questions/31762878/sqlite-3-database-with-django  # db.sqlite3
    - https://medium.com/@codewithbushra/using-sqlite-as-a-database-backend-in-django-projects-code-with-bushra-d23e3100686e  # db.sqlite3
    - https://gist.github.com/jwo/4512764?permalink_comment_id=2235763#gistcomment-2235763  # db/production.sqlite3
    - https://stackoverflow.com/a/30345819/1632572  # db/production.sqlite3
    - https://developerhowto.com/2018/12/29/build-a-rest-api-with-node-js-and-express-js/  # db.sqlite
    - https://sqldocs.org/sqlite/sqlite-nodejs/  # mydb.sqlite
    - https://stackoverflow.com/questions/41620788/error-database-connection-sqlite-is-missing-or-could-not-be-created-cakephp  # app/data/app_db.sqlite
    - https://stackoverflow.com/questions/2722383/using-sqlite3-with-cakephp  # app/webroot/database.sqlite, app/database.sqlite
    - https://levelup.gitconnected.com/how-to-connect-and-use-the-sqlite-database-in-codeigniter-3-48cd50d3e78d  # application/databases/db.sqlite
    - https://turmanauli.medium.com/how-to-connect-codeigniter-to-sqlite3-database-like-a-pro-2177497a6d30  # application/db/database.sqlite
    - https://forum.codeigniter.com/thread-74522.html  # application/Database/db1.db
    - https://stackoverflow.com/a/37088960/1632572  # application/database/data.db
    - https://docs.laminas.dev/tutorials/getting-started/database-and-models/  # data/*.db
    - https://phalcon-nucleon.github.io/#!database/getting-started.html  # storage/database/database.sqlite
    - https://www.yiiframework.com/doc/blog/1.1/en/prototype.database  # protected/data/*.db
    - https://pusher.com/tutorials/rest-api-slim-part-1/  # db/database.db
    - https://www.digitalocean.com/community/tutorials/how-to-use-the-fat-free-php-framework  # db/database.sqlite
    - https://doc.nette.org/en/database/configuration#toc-single-connection  # app/Model/*.db
    - https://www.sqlite.org/fileformat.html  # SQLite file always starts with "SQLite format {sqlite_version}"
    - https://en.wikipedia.org/wiki/List_of_file_signatures  # SQLite binary signature: 53 51 4C 69 74 65 20 66 6F 72 6D 61 74 20
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
  metadata:
    verified: true
  tags: database,exposure,sqlite,sqlite3

http:
  - method: GET
    path:
      # Recommended paths found in framework official docs or unofficial tutorials
      - "{{BaseURL}}/database/database.sqlite"
      - "{{BaseURL}}/database/production.sqlite"
      - "{{BaseURL}}/app/database/production.sqlite"
      - "{{BaseURL}}/writable/db.sqlite3"
      - "{{BaseURL}}/writable/database.db"
      - "{{BaseURL}}/var/app.db"
      - "{{BaseURL}}/var/data/db.sqlite"
      - "{{BaseURL}}/var/data/data.sqlite"
      - "{{BaseURL}}/app/sqlite.db"
      - "{{BaseURL}}/sqlite.db"
      - "{{BaseURL}}/db.sqlite3"
      - "{{BaseURL}}/db/production.sqlite3"
      - "{{BaseURL}}/db.sqlite"
      - "{{BaseURL}}/mydb.sqlite"
      - "{{BaseURL}}/app/data/app_db.sqlite"
      - "{{BaseURL}}/app/webroot/database.sqlite"
      - "{{BaseURL}}/app/database.sqlite"
      - "{{BaseURL}}/application/databases/db.sqlite"
      - "{{BaseURL}}/application/db/database.sqlite"
      - "{{BaseURL}}/application/Database/db1.db"
      - "{{BaseURL}}/application/database/data.db"
      - "{{BaseURL}}/data/app.db"
      - "{{BaseURL}}/data/sqlite.db"
      - "{{BaseURL}}/data/sqlite3.db"
      - "{{BaseURL}}/data/database.db"
      - "{{BaseURL}}/data/production.db"
      - "{{BaseURL}}/storage/database/database.sqlite"
      - "{{BaseURL}}/protected/data/app.db"
      - "{{BaseURL}}/protected/data/sqlite.db"
      - "{{BaseURL}}/protected/data/sqlite3.db"
      - "{{BaseURL}}/protected/data/database.db"
      - "{{BaseURL}}/protected/data/production.db"
      - "{{BaseURL}}/db/database.db"
      - "{{BaseURL}}/db/database.sqlite"
      - "{{BaseURL}}/app/Model/app.db"
      - "{{BaseURL}}/app/Model/sqlite.db"
      - "{{BaseURL}}/app/Model/sqlite3.db"
      - "{{BaseURL}}/app/Model/database.db"
      - "{{BaseURL}}/app/Model/production.db"

      # General paths
      - "{{BaseURL}}/app.db"
      - "{{BaseURL}}/sqlite3.db"
      - "{{BaseURL}}/app.sqlite"
      - "{{BaseURL}}/app.sqlite3"
      - "{{BaseURL}}/database.db"
      - "{{BaseURL}}/database.sqlite"
      - "{{BaseURL}}/database.sqlite3"
      - "{{BaseURL}}/production.db"
      - "{{BaseURL}}/production.sqlite"
      - "{{BaseURL}}/production.sqlite3"
      - "{{BaseURL}}/db/db.sqlite"
      - "{{BaseURL}}/db/db.sqlite3"
      - "{{BaseURL}}/db/sqlite.db"
      - "{{BaseURL}}/db/sqlite3.db"
      - "{{BaseURL}}/db/app.db"
      - "{{BaseURL}}/db/app.sqlite"
      - "{{BaseURL}}/db/app.sqlite3"
      - "{{BaseURL}}/db/database.sqlite3"
      - "{{BaseURL}}/db/production.db"
      - "{{BaseURL}}/db/production.sqlite"
      - "{{BaseURL}}/app/db.sqlite"
      - "{{BaseURL}}/app/db.sqlite3"
      - "{{BaseURL}}/app/sqlite3.db"
      - "{{BaseURL}}/app/app.db"
      - "{{BaseURL}}/app/app.sqlite"
      - "{{BaseURL}}/app/app.sqlite3"
      - "{{BaseURL}}/app/database.db"
      - "{{BaseURL}}/app/database.sqlite3"
      - "{{BaseURL}}/app/production.db"
      - "{{BaseURL}}/app/production.sqlite"
      - "{{BaseURL}}/app/production.sqlite3"
      - "{{BaseURL}}/data/db.sqlite"
      - "{{BaseURL}}/data/db.sqlite3"
      - "{{BaseURL}}/data/app.sqlite"
      - "{{BaseURL}}/data/app.sqlite3"
      - "{{BaseURL}}/data/database.sqlite"
      - "{{BaseURL}}/data/database.sqlite3"
      - "{{BaseURL}}/data/production.sqlite"
      - "{{BaseURL}}/data/production.sqlite3"
      - "{{BaseURL}}/database/db.sqlite"
      - "{{BaseURL}}/database/db.sqlite3"
      - "{{BaseURL}}/database/sqlite.db"
      - "{{BaseURL}}/database/sqlite3.db"
      - "{{BaseURL}}/database/app.db"
      - "{{BaseURL}}/database/app.sqlite"
      - "{{BaseURL}}/database/app.sqlite3"
      - "{{BaseURL}}/database/database.db"
      - "{{BaseURL}}/database/database.sqlite3"
      - "{{BaseURL}}/database/production.db"
      - "{{BaseURL}}/database/production.sqlite3"

    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200

      # SQLite file always starts with "SQLite format {sqlite_version}"
      - type: dsl
        dsl:
          - 'startswith(body, "SQLite format ")'

      # SQLite file usually contains "CREATE TABLE", meaning there is at least one table
      - type: word
        part: body
        words:
          - "CREATE TABLE "
generic-db: Added checking of SQLite database files exposure. 2024-03-13 11:51:16 +00:00			`id: generic-db`

			`info:`
			`name: Generic DB file exposure`
			`author: Michal Mikolas (nanuqcz)`
			`severity: high`
			`description: This is collection of some web frameworks recommendation or default configuration for SQLite database file location. If this file is publicly accessible due to server misconfiguration, it could result in application data leak including users sensitive data, password hashes etc.`
			`reference:`
			`- https://laravel.com/docs/11.x/database#sqlite-configuration # database/database.sqlite`
			`- https://laravel.com/docs/5.2/database # database/database.sqlite`
			`- https://github.com/laracasts/larabook/blob/master/app/config/database.php#L51 # app/database/production.sqlite`
			`- https://forum.codeigniter.com/post-389846.html # writable/db.sqlite3`
			`- https://github.com/codeigniter4projects/playground/blob/develop/.env.example#L33 # writable/database.db`
			`- https://symfony.com/doc/current/doctrine.html#configuring-the-database # var/app.db`
			`- https://symfony.com/doc/4.x/doctrine.html#configuring-the-database # var/app.db`
			`- https://symfony.com/doc/3.x/doctrine.html # app/sqlite.db`
			`- https://symfony.com/doc/2.x/doctrine.html # sqlite.db`
			`- https://openclassrooms.com/forum/sujet/symfony3-sqlite-could-not-create-database # var/data/db.sqlite`
			`- https://symfony.com/doc/current/reference/configuration/doctrine.html#doctrine-dbal-configuration # var/data/data.sqlite`
			`- https://stackoverflow.com/questions/31762878/sqlite-3-database-with-django # db.sqlite3`
			`- https://medium.com/@codewithbushra/using-sqlite-as-a-database-backend-in-django-projects-code-with-bushra-d23e3100686e # db.sqlite3`
			`- https://gist.github.com/jwo/4512764?permalink_comment_id=2235763#gistcomment-2235763 # db/production.sqlite3`
			`- https://stackoverflow.com/a/30345819/1632572 # db/production.sqlite3`
			`- https://developerhowto.com/2018/12/29/build-a-rest-api-with-node-js-and-express-js/ # db.sqlite`
			`- https://sqldocs.org/sqlite/sqlite-nodejs/ # mydb.sqlite`
			`- https://stackoverflow.com/questions/41620788/error-database-connection-sqlite-is-missing-or-could-not-be-created-cakephp # app/data/app_db.sqlite`
			`- https://stackoverflow.com/questions/2722383/using-sqlite3-with-cakephp # app/webroot/database.sqlite, app/database.sqlite`
			`- https://levelup.gitconnected.com/how-to-connect-and-use-the-sqlite-database-in-codeigniter-3-48cd50d3e78d # application/databases/db.sqlite`
			`- https://turmanauli.medium.com/how-to-connect-codeigniter-to-sqlite3-database-like-a-pro-2177497a6d30 # application/db/database.sqlite`
			`- https://forum.codeigniter.com/thread-74522.html # application/Database/db1.db`
			`- https://stackoverflow.com/a/37088960/1632572 # application/database/data.db`
			`- https://docs.laminas.dev/tutorials/getting-started/database-and-models/ # data/*.db`
			`- https://phalcon-nucleon.github.io/#!database/getting-started.html # storage/database/database.sqlite`
			`- https://www.yiiframework.com/doc/blog/1.1/en/prototype.database # protected/data/*.db`
			`- https://pusher.com/tutorials/rest-api-slim-part-1/ # db/database.db`
			`- https://www.digitalocean.com/community/tutorials/how-to-use-the-fat-free-php-framework # db/database.sqlite`
			`- https://doc.nette.org/en/database/configuration#toc-single-connection # app/Model/*.db`
generic-db: Added more exact matchers to make sure the exposured file is really SQLite file. 2024-03-18 20:37:49 +00:00			`- https://www.sqlite.org/fileformat.html # SQLite file always starts with "SQLite format {sqlite_version}"`
			`- https://en.wikipedia.org/wiki/List_of_file_signatures # SQLite binary signature: 53 51 4C 69 74 65 20 66 6F 72 6D 61 74 20`
generic-db: Added checking of SQLite database files exposure. 2024-03-13 11:51:16 +00:00			`classification:`
			`cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N`
			`cvss-score: 7.5`
			`metadata:`
			`verified: true`
			`tags: database,exposure,sqlite,sqlite3`

			`http:`
			`- method: GET`
			`path:`
			`# Recommended paths found in framework official docs or unofficial tutorials`
			`- "{{BaseURL}}/database/database.sqlite"`
			`- "{{BaseURL}}/database/production.sqlite"`
			`- "{{BaseURL}}/app/database/production.sqlite"`
			`- "{{BaseURL}}/writable/db.sqlite3"`
			`- "{{BaseURL}}/writable/database.db"`
			`- "{{BaseURL}}/var/app.db"`
			`- "{{BaseURL}}/var/data/db.sqlite"`
			`- "{{BaseURL}}/var/data/data.sqlite"`
			`- "{{BaseURL}}/app/sqlite.db"`
			`- "{{BaseURL}}/sqlite.db"`
			`- "{{BaseURL}}/db.sqlite3"`
			`- "{{BaseURL}}/db/production.sqlite3"`
			`- "{{BaseURL}}/db.sqlite"`
			`- "{{BaseURL}}/mydb.sqlite"`
			`- "{{BaseURL}}/app/data/app_db.sqlite"`
			`- "{{BaseURL}}/app/webroot/database.sqlite"`
			`- "{{BaseURL}}/app/database.sqlite"`
			`- "{{BaseURL}}/application/databases/db.sqlite"`
			`- "{{BaseURL}}/application/db/database.sqlite"`
			`- "{{BaseURL}}/application/Database/db1.db"`
			`- "{{BaseURL}}/application/database/data.db"`
			`- "{{BaseURL}}/data/app.db"`
			`- "{{BaseURL}}/data/sqlite.db"`
			`- "{{BaseURL}}/data/sqlite3.db"`
			`- "{{BaseURL}}/data/database.db"`
			`- "{{BaseURL}}/data/production.db"`
			`- "{{BaseURL}}/storage/database/database.sqlite"`
			`- "{{BaseURL}}/protected/data/app.db"`
			`- "{{BaseURL}}/protected/data/sqlite.db"`
			`- "{{BaseURL}}/protected/data/sqlite3.db"`
			`- "{{BaseURL}}/protected/data/database.db"`
			`- "{{BaseURL}}/protected/data/production.db"`
			`- "{{BaseURL}}/db/database.db"`
			`- "{{BaseURL}}/db/database.sqlite"`
			`- "{{BaseURL}}/app/Model/app.db"`
			`- "{{BaseURL}}/app/Model/sqlite.db"`
			`- "{{BaseURL}}/app/Model/sqlite3.db"`
			`- "{{BaseURL}}/app/Model/database.db"`
			`- "{{BaseURL}}/app/Model/production.db"`

			`# General paths`
			`- "{{BaseURL}}/app.db"`
			`- "{{BaseURL}}/sqlite3.db"`
			`- "{{BaseURL}}/app.sqlite"`
			`- "{{BaseURL}}/app.sqlite3"`
			`- "{{BaseURL}}/database.db"`
			`- "{{BaseURL}}/database.sqlite"`
			`- "{{BaseURL}}/database.sqlite3"`
			`- "{{BaseURL}}/production.db"`
			`- "{{BaseURL}}/production.sqlite"`
			`- "{{BaseURL}}/production.sqlite3"`
			`- "{{BaseURL}}/db/db.sqlite"`
			`- "{{BaseURL}}/db/db.sqlite3"`
			`- "{{BaseURL}}/db/sqlite.db"`
			`- "{{BaseURL}}/db/sqlite3.db"`
			`- "{{BaseURL}}/db/app.db"`
			`- "{{BaseURL}}/db/app.sqlite"`
			`- "{{BaseURL}}/db/app.sqlite3"`
			`- "{{BaseURL}}/db/database.sqlite3"`
			`- "{{BaseURL}}/db/production.db"`
			`- "{{BaseURL}}/db/production.sqlite"`
			`- "{{BaseURL}}/app/db.sqlite"`
			`- "{{BaseURL}}/app/db.sqlite3"`
			`- "{{BaseURL}}/app/sqlite3.db"`
			`- "{{BaseURL}}/app/app.db"`
			`- "{{BaseURL}}/app/app.sqlite"`
			`- "{{BaseURL}}/app/app.sqlite3"`
			`- "{{BaseURL}}/app/database.db"`
			`- "{{BaseURL}}/app/database.sqlite3"`
			`- "{{BaseURL}}/app/production.db"`
			`- "{{BaseURL}}/app/production.sqlite"`
			`- "{{BaseURL}}/app/production.sqlite3"`
			`- "{{BaseURL}}/data/db.sqlite"`
			`- "{{BaseURL}}/data/db.sqlite3"`
			`- "{{BaseURL}}/data/app.sqlite"`
			`- "{{BaseURL}}/data/app.sqlite3"`
			`- "{{BaseURL}}/data/database.sqlite"`
			`- "{{BaseURL}}/data/database.sqlite3"`
			`- "{{BaseURL}}/data/production.sqlite"`
			`- "{{BaseURL}}/data/production.sqlite3"`
			`- "{{BaseURL}}/database/db.sqlite"`
			`- "{{BaseURL}}/database/db.sqlite3"`
			`- "{{BaseURL}}/database/sqlite.db"`
			`- "{{BaseURL}}/database/sqlite3.db"`
			`- "{{BaseURL}}/database/app.db"`
			`- "{{BaseURL}}/database/app.sqlite"`
			`- "{{BaseURL}}/database/app.sqlite3"`
			`- "{{BaseURL}}/database/database.db"`
			`- "{{BaseURL}}/database/database.sqlite3"`
			`- "{{BaseURL}}/database/production.db"`
			`- "{{BaseURL}}/database/production.sqlite3"`

			`matchers-condition: and`
			`matchers:`
			`- type: status`
			`status:`
			`- 200`

generic-db: Added more exact matchers to make sure the exposured file is really SQLite file. 2024-03-18 20:37:49 +00:00			`# SQLite file always starts with "SQLite format {sqlite_version}"`
generic-db: Improved SQLite file signature matcher to match exactly beginning of the document. 2024-03-18 21:51:49 +00:00			`- type: dsl`
			`dsl:`
			`- 'startswith(body, "SQLite format ")'`
generic-db: Added more exact matchers to make sure the exposured file is really SQLite file. 2024-03-18 20:37:49 +00:00
			`# SQLite file usually contains "CREATE TABLE", meaning there is at least one table`
			`- type: word`
			`part: body`
			`words:`
			`- "CREATE TABLE "`