From 746631b37ffba4c0a9f897567b7ff06d61f79a9e Mon Sep 17 00:00:00 2001
From: Michal Mikolas
Date: Wed, 13 Mar 2024 12:51:16 +0100
Subject: [PATCH] generic-db: Added checking of SQLite database files exposure.

---
 http/exposures/files/generic-db.yaml | 151 +++++++++++++++++++++++++++
 1 file changed, 151 insertions(+)
 create mode 100644 http/exposures/files/generic-db.yaml

diff --git a/http/exposures/files/generic-db.yaml b/http/exposures/files/generic-db.yaml
new file mode 100644
index 0000000000..a464ea071e
--- /dev/null
+++ b/http/exposures/files/generic-db.yaml
@@ -0,0 +1,151 @@
+id: generic-db
+
+info:
+ name: Generic DB file exposure
+ author: Michal Mikolas (nanuqcz)
+ severity: high
+ description: This is collection of some web frameworks recommendation or default configuration for SQLite database file location. If this file is publicly accessible due to server misconfiguration, it could result in application data leak including users sensitive data, password hashes etc.
+ reference:
+ - https://laravel.com/docs/11.x/database#sqlite-configuration # database/database.sqlite
+ - https://laravel.com/docs/5.2/database # database/database.sqlite
+ - https://github.com/laracasts/larabook/blob/master/app/config/database.php#L51 # app/database/production.sqlite
+ - https://forum.codeigniter.com/post-389846.html # writable/db.sqlite3
+ - https://github.com/codeigniter4projects/playground/blob/develop/.env.example#L33 # writable/database.db
+ - https://symfony.com/doc/current/doctrine.html#configuring-the-database # var/app.db
+ - https://symfony.com/doc/4.x/doctrine.html#configuring-the-database # var/app.db
+ - https://symfony.com/doc/3.x/doctrine.html # app/sqlite.db
+ - https://symfony.com/doc/2.x/doctrine.html # sqlite.db
+ - https://openclassrooms.com/forum/sujet/symfony3-sqlite-could-not-create-database # var/data/db.sqlite
+ - https://symfony.com/doc/current/reference/configuration/doctrine.html#doctrine-dbal-configuration # var/data/data.sqlite
+ - https://stackoverflow.com/questions/31762878/sqlite-3-database-with-django # db.sqlite3
+ - https://medium.com/@codewithbushra/using-sqlite-as-a-database-backend-in-django-projects-code-with-bushra-d23e3100686e # db.sqlite3
+ - https://gist.github.com/jwo/4512764?permalink_comment_id=2235763#gistcomment-2235763 # db/production.sqlite3
+ - https://stackoverflow.com/a/30345819/1632572 # db/production.sqlite3
+ - https://developerhowto.com/2018/12/29/build-a-rest-api-with-node-js-and-express-js/ # db.sqlite
+ - https://sqldocs.org/sqlite/sqlite-nodejs/ # mydb.sqlite
+ - https://stackoverflow.com/questions/41620788/error-database-connection-sqlite-is-missing-or-could-not-be-created-cakephp # app/data/app_db.sqlite
+ - https://stackoverflow.com/questions/2722383/using-sqlite3-with-cakephp # app/webroot/database.sqlite, app/database.sqlite
+ - https://levelup.gitconnected.com/how-to-connect-and-use-the-sqlite-database-in-codeigniter-3-48cd50d3e78d # application/databases/db.sqlite
+ - https://turmanauli.medium.com/how-to-connect-codeigniter-to-sqlite3-database-like-a-pro-2177497a6d30 # application/db/database.sqlite
+ - https://forum.codeigniter.com/thread-74522.html # application/Database/db1.db
+ - https://stackoverflow.com/a/37088960/1632572 # application/database/data.db
+ - https://docs.laminas.dev/tutorials/getting-started/database-and-models/ # data/*.db
+ - https://phalcon-nucleon.github.io/#!database/getting-started.html # storage/database/database.sqlite
+ - https://www.yiiframework.com/doc/blog/1.1/en/prototype.database # protected/data/*.db
+ - https://pusher.com/tutorials/rest-api-slim-part-1/ # db/database.db
+ - https://www.digitalocean.com/community/tutorials/how-to-use-the-fat-free-php-framework # db/database.sqlite
+ - https://doc.nette.org/en/database/configuration#toc-single-connection # app/Model/*.db
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
+ cvss-score: 7.5
+ metadata:
+ verified: true
+ tags: database,exposure,sqlite,sqlite3
+
+http:
+ - method: GET
+ path:
+ # Recommended paths found in framework official docs or unofficial tutorials
+ - "{{BaseURL}}/database/database.sqlite"
+ - "{{BaseURL}}/database/production.sqlite"
+ - "{{BaseURL}}/app/database/production.sqlite"
+ - "{{BaseURL}}/writable/db.sqlite3"
+ - "{{BaseURL}}/writable/database.db"
+ - "{{BaseURL}}/var/app.db"
+ - "{{BaseURL}}/var/data/db.sqlite"
+ - "{{BaseURL}}/var/data/data.sqlite"
+ - "{{BaseURL}}/app/sqlite.db"
+ - "{{BaseURL}}/sqlite.db"
+ - "{{BaseURL}}/db.sqlite3"
+ - "{{BaseURL}}/db/production.sqlite3"
+ - "{{BaseURL}}/db.sqlite"
+ - "{{BaseURL}}/mydb.sqlite"
+ - "{{BaseURL}}/app/data/app_db.sqlite"
+ - "{{BaseURL}}/app/webroot/database.sqlite"
+ - "{{BaseURL}}/app/database.sqlite"
+ - "{{BaseURL}}/application/databases/db.sqlite"
+ - "{{BaseURL}}/application/db/database.sqlite"
+ - "{{BaseURL}}/application/Database/db1.db"
+ - "{{BaseURL}}/application/database/data.db"
+ - "{{BaseURL}}/data/app.db"
+ - "{{BaseURL}}/data/sqlite.db"
+ - "{{BaseURL}}/data/sqlite3.db"
+ - "{{BaseURL}}/data/database.db"
+ - "{{BaseURL}}/data/production.db"
+ - "{{BaseURL}}/storage/database/database.sqlite"
+ - "{{BaseURL}}/protected/data/app.db"
+ - "{{BaseURL}}/protected/data/sqlite.db"
+ - "{{BaseURL}}/protected/data/sqlite3.db"
+ - "{{BaseURL}}/protected/data/database.db"
+ - "{{BaseURL}}/protected/data/production.db"
+ - "{{BaseURL}}/db/database.db"
+ - "{{BaseURL}}/db/database.sqlite"
+ - "{{BaseURL}}/app/Model/app.db"
+ - "{{BaseURL}}/app/Model/sqlite.db"
+ - "{{BaseURL}}/app/Model/sqlite3.db"
+ - "{{BaseURL}}/app/Model/database.db"
+ - "{{BaseURL}}/app/Model/production.db"
+
+ # General paths
+ - "{{BaseURL}}/app.db"
+ - "{{BaseURL}}/sqlite3.db"
+ - "{{BaseURL}}/app.sqlite"
+ - "{{BaseURL}}/app.sqlite3"
+ - "{{BaseURL}}/database.db"
+ - "{{BaseURL}}/database.sqlite"
+ - "{{BaseURL}}/database.sqlite3"
+ - "{{BaseURL}}/production.db"
+ - "{{BaseURL}}/production.sqlite"
+ - "{{BaseURL}}/production.sqlite3"
+ - "{{BaseURL}}/db/db.sqlite"
+ - "{{BaseURL}}/db/db.sqlite3"
+ - "{{BaseURL}}/db/sqlite.db"
+ - "{{BaseURL}}/db/sqlite3.db"
+ - "{{BaseURL}}/db/app.db"
+ - "{{BaseURL}}/db/app.sqlite"
+ - "{{BaseURL}}/db/app.sqlite3"
+ - "{{BaseURL}}/db/database.sqlite3"
+ - "{{BaseURL}}/db/production.db"
+ - "{{BaseURL}}/db/production.sqlite"
+ - "{{BaseURL}}/app/db.sqlite"
+ - "{{BaseURL}}/app/db.sqlite3"
+ - "{{BaseURL}}/app/sqlite3.db"
+ - "{{BaseURL}}/app/app.db"
+ - "{{BaseURL}}/app/app.sqlite"
+ - "{{BaseURL}}/app/app.sqlite3"
+ - "{{BaseURL}}/app/database.db"
+ - "{{BaseURL}}/app/database.sqlite3"
+ - "{{BaseURL}}/app/production.db"
+ - "{{BaseURL}}/app/production.sqlite"
+ - "{{BaseURL}}/app/production.sqlite3"
+ - "{{BaseURL}}/data/db.sqlite"
+ - "{{BaseURL}}/data/db.sqlite3"
+ - "{{BaseURL}}/data/app.sqlite"
+ - "{{BaseURL}}/data/app.sqlite3"
+ - "{{BaseURL}}/data/database.sqlite"
+ - "{{BaseURL}}/data/database.sqlite3"
+ - "{{BaseURL}}/data/production.sqlite"
+ - "{{BaseURL}}/data/production.sqlite3"
+ - "{{BaseURL}}/database/db.sqlite"
+ - "{{BaseURL}}/database/db.sqlite3"
+ - "{{BaseURL}}/database/sqlite.db"
+ - "{{BaseURL}}/database/sqlite3.db"
+ - "{{BaseURL}}/database/app.db"
+ - "{{BaseURL}}/database/app.sqlite"
+ - "{{BaseURL}}/database/app.sqlite3"
+ - "{{BaseURL}}/database/database.db"
+ - "{{BaseURL}}/database/database.sqlite3"
+ - "{{BaseURL}}/database/production.db"
+ - "{{BaseURL}}/database/production.sqlite3"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ part: body
+ negative: true
+ words:
+ - "