id: error-based-sql-injection info: name: Error based SQL injection author: geeknik severity: critical description: A SQL injection vulnerability was identified based on an error message returned by the server. classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 cwe-id: CWE-89 metadata: max-request: 1 tags: sqli,generic,error http: - method: GET path: - "{{BaseURL}}/'" matchers-condition: and matchers: - type: word words: - "Adminer" # False Positive part: body negative: true - type: regex regex: # MySQL - "SQL syntax.{0,200}?MySQL" - "Warning.{0,200}?\\Wmysqli?_" - "MySQLSyntaxErrorException" - "valid MySQL result" - "check the manual that (corresponds to|fits) your MySQL server version" - "Unknown column '[^ ]+' in 'field list'" - "MySqlClient\\." - "com\\.mysql\\.jdbc" - "Zend_Db_(Adapter|Statement)_Mysqli_Exception" - "Pdo[./_\\\\]Mysql" - "MySqlException" - "SQLSTATE\\[\\d+\\]: Syntax error or access violation" # MariaDB - "check the manual that (corresponds to|fits) your MariaDB server version" # Drizzle - "check the manual that (corresponds to|fits) your Drizzle server version" # MemSQL - "MemSQL does not support this type of query" - "is not supported by MemSQL" - "unsupported nested scalar subselect" # PostgreSQL - "PostgreSQL.{0,200}?ERROR" - "Warning.{0,200}?\\Wpg_" - "valid PostgreSQL result" - "Npgsql\\." - "PG::SyntaxError:" - "org\\.postgresql\\.util\\.PSQLException" - "ERROR:\\s\\ssyntax error at or near" - "ERROR: parser: parse error at or near" - "PostgreSQL query failed" - "org\\.postgresql\\.jdbc" - "Pdo[./_\\\\]Pgsql" - "PSQLException" # Microsoft SQL Server - "Driver.{0,200}? SQL[\\-\\_\\ ]*Server" - "OLE DB.{0,200}? SQL Server" - "\\bSQL Server[^<"]+Driver" - "Warning.{0,200}?\\W(mssql|sqlsrv)_" - "\\bSQL Server[^<"]+[0-9a-fA-F]{8}" - "System\\.Data\\.SqlClient\\.SqlException\\.(SqlException|SqlConnection\\.OnError)" - "(?s)Exception.{0,200}?\\bRoadhouse\\.Cms\\." - "Microsoft SQL Native Client error '[0-9a-fA-F]{8}" - "\\[SQL Server\\]" - "ODBC SQL Server Driver" - "ODBC Driver \\d+ for SQL Server" - "SQLServer JDBC Driver" - "com\\.jnetdirect\\.jsql" - "macromedia\\.jdbc\\.sqlserver" - "Zend_Db_(Adapter|Statement)_Sqlsrv_Exception" - "com\\.microsoft\\.sqlserver\\.jdbc" - "Pdo[./_\\\\](Mssql|SqlSrv)" - "SQL(Srv|Server)Exception" - "Unclosed quotation mark after the character string" # Microsoft Access - "Microsoft Access (\\d+ )?Driver" - "JET Database Engine" - "Access Database Engine" - "ODBC Microsoft Access" - "Syntax error \\(missing operator\\) in query expression" # Oracle - "\\bORA-\\d{5}" - "Oracle error" - "Oracle.{0,200}?Driver" - "Warning.{0,200}?\\W(oci|ora)_" - "quoted string not properly terminated" - "SQL command not properly ended" - "macromedia\\.jdbc\\.oracle" - "oracle\\.jdbc" - "Zend_Db_(Adapter|Statement)_Oracle_Exception" - "Pdo[./_\\\\](Oracle|OCI)" - "OracleException" # IBM DB2 - "CLI Driver.{0,200}?DB2" - "DB2 SQL error" - "\\bdb2_\\w+\\(" - "SQLCODE[=:\\d, -]+SQLSTATE" - "com\\.ibm\\.db2\\.jcc" - "Zend_Db_(Adapter|Statement)_Db2_Exception" - "Pdo[./_\\\\]Ibm" - "DB2Exception" - "ibm_db_dbi\\.ProgrammingError" # Informix - "Warning.{0,200}?\\Wifx_" - "Exception.{0,200}?Informix" - "Informix ODBC Driver" - "ODBC Informix driver" - "com\\.informix\\.jdbc" - "weblogic\\.jdbc\\.informix" - "Pdo[./_\\\\]Informix" - "IfxException" # Firebird - "Dynamic SQL Error" - "Warning.{0,200}?\\Wibase_" - "org\\.firebirdsql\\.jdbc" - "Pdo[./_\\\\]Firebird" # SQLite - "SQLite/JDBCDriver" - "SQLite\\.Exception" - "(Microsoft|System)\\.Data\\.SQLite\\.SQLiteException" - "Warning.{0,200}?\\W(sqlite_|SQLite3::)" - "\\[SQLITE_ERROR\\]" - "SQLite error \\d+:" - "sqlite3.OperationalError:" - "SQLite3::SQLException" - "org\\.sqlite\\.JDBC" - "Pdo[./_\\\\]Sqlite" - "SQLiteException" # SAP MaxDB - "SQL error.{0,200}?POS([0-9]+)" - "Warning.{0,200}?\\Wmaxdb_" - "DriverSapDB" - "-3014.{0,200}?Invalid end of SQL statement" - "com\\.sap\\.dbtech\\.jdbc" - "\\[-3008\\].{0,200}?: Invalid keyword or missing delimiter" # Sybase - "Warning.{0,200}?\\Wsybase_" - "Sybase message" - "Sybase.{0,200}?Server message" - "SybSQLException" - "Sybase\\.Data\\.AseClient" - "com\\.sybase\\.jdbc" # Ingres - "Warning.{0,200}?\\Wingres_" - "Ingres SQLSTATE" - "Ingres\\W.{0,200}?Driver" - "com\\.ingres\\.gcf\\.jdbc" # FrontBase - "Exception (condition )?\\d+\\. Transaction rollback" - "com\\.frontbase\\.jdbc" - "Syntax error 1. Missing" - "(Semantic|Syntax) error [1-4]\\d{2}\\." # HSQLDB - "Unexpected end of command in statement \\[" - "Unexpected token.{0,200}?in statement \\[" - "org\\.hsqldb\\.jdbc" # H2 - "org\\.h2\\.jdbc" - "\\[42000-192\\]" # MonetDB - "![0-9]{5}![^\\n]+(failed|unexpected|error|syntax|expected|violation|exception)" - "\\[MonetDB\\]\\[ODBC Driver" - "nl\\.cwi\\.monetdb\\.jdbc" # Apache Derby - "Syntax error: Encountered" - "org\\.apache\\.derby" - "ERROR 42X01" # Vertica - ", Sqlstate: (3F|42).{3}, (Routine|Hint|Position):" - "/vertica/Parser/scan" - "com\\.vertica\\.jdbc" - "org\\.jkiss\\.dbeaver\\.ext\\.vertica" - "com\\.vertica\\.dsi\\.dataengine" # Mckoi - "com\\.mckoi\\.JDBCDriver" - "com\\.mckoi\\.database\\.jdbc" - "<REGEX_LITERAL>" # Presto - "com\\.facebook\\.presto\\.jdbc" - "io\\.prestosql\\.jdbc" - "com\\.simba\\.presto\\.jdbc" - "UNION query has different number of fields: \\d+, \\d+" # Altibase - "Altibase\\.jdbc\\.driver" # MimerSQL - "com\\.mimer\\.jdbc" - "Syntax error,[^\\n]+assumed to mean" # CrateDB - "io\\.crate\\.client\\.jdbc" # Cache - "encountered after end of query" - "A comparison operator is required here" # Raima Database Manager - "-10048: Syntax error" - "rdmStmtPrepare\\(.+?\\) returned" # Virtuoso - "SQ074: Line \\d+:" - "SR185: Undefined procedure" - "SQ200: No table " - "Virtuoso S0002 Error" - "\\[(Virtuoso Driver|Virtuoso iODBC Driver)\\]\\[Virtuoso Server\\]" condition: or extractors: - type: regex name: MySQL regex: - "SQL syntax.{0,200}?MySQL" - "Warning.{0,200}?\\Wmysqli?_" - "MySQLSyntaxErrorException" - "valid MySQL result" - "check the manual that (corresponds to|fits) your MySQL server version" - "Unknown column '[^ ]+' in 'field list'" - "MySqlClient\\." - "com\\.mysql\\.jdbc" - "Zend_Db_(Adapter|Statement)_Mysqli_Exception" - "Pdo[./_\\\\]Mysql" - "MySqlException" - "SQLSTATE[\\d+]: Syntax error or access violation" - type: regex name: MariaDB regex: - "check the manual that (corresponds to|fits) your MariaDB server version" - type: regex name: Drizzel regex: - "check the manual that (corresponds to|fits) your Drizzle server version" - type: regex name: MemSQL regex: - "MemSQL does not support this type of query" - "is not supported by MemSQL" - "unsupported nested scalar subselect" - type: regex name: PostgreSQL regex: - "PostgreSQL.{0,200}?ERROR" - "Warning.{0,200}?\\Wpg_" - "valid PostgreSQL result" - "Npgsql\\." - "PG::SyntaxError:" - "org\\.postgresql\\.util\\.PSQLException" - "ERROR:\\s\\ssyntax error at or near" - "ERROR: parser: parse error at or near" - "PostgreSQL query failed" - "org\\.postgresql\\.jdbc" - "Pdo[./_\\\\]Pgsql" - "PSQLException" - type: regex name: MicrosoftSQLServer regex: - "Driver.{0,200}? SQL[\\-\\_\\ ]*Server" - "OLE DB.{0,200}? SQL Server" - "\\bSQL Server[^<"]+Driver" - "Warning.{0,200}?\\W(mssql|sqlsrv)_" - "\\bSQL Server[^<"]+[0-9a-fA-F]{8}" - "System\\.Data\\.SqlClient\\.SqlException\\.(SqlException|SqlConnection\\.OnError)" - "(?s)Exception.{0,200}?\\bRoadhouse\\.Cms\\." - "Microsoft SQL Native Client error '[0-9a-fA-F]{8}" - "\\[SQL Server\\]" - "ODBC SQL Server Driver" - "ODBC Driver \\d+ for SQL Server" - "SQLServer JDBC Driver" - "com\\.jnetdirect\\.jsql" - "macromedia\\.jdbc\\.sqlserver" - "Zend_Db_(Adapter|Statement)_Sqlsrv_Exception" - "com\\.microsoft\\.sqlserver\\.jdbc" - "Pdo[./_\\\\](Mssql|SqlSrv)" - "SQL(Srv|Server)Exception" - "Unclosed quotation mark after the character string" - type: regex name: MicrosoftAccess regex: - "Microsoft Access (\\d+ )?Driver" - "JET Database Engine" - "Access Database Engine" - "ODBC Microsoft Access" - "Syntax error \\(missing operator\\) in query expression" - type: regex name: Oracle regex: - "\\bORA-\\d{5}" - "Oracle error" - "Oracle.{0,200}?Driver" - "Warning.{0,200}?\\W(oci|ora)_" - "quoted string not properly terminated" - "SQL command not properly ended" - "macromedia\\.jdbc\\.oracle" - "oracle\\.jdbc" - "Zend_Db_(Adapter|Statement)_Oracle_Exception" - "Pdo[./_\\\\](Oracle|OCI)" - "OracleException" - type: regex name: IBMDB2 regex: - "CLI Driver.{0,200}?DB2" - "DB2 SQL error" - "\\bdb2_\\w+\\(" - "SQLCODE[=:\\d, -]+SQLSTATE" - "com\\.ibm\\.db2\\.jcc" - "Zend_Db_(Adapter|Statement)_Db2_Exception" - "Pdo[./_\\\\]Ibm" - "DB2Exception" - "ibm_db_dbi\\.ProgrammingError" - type: regex name: Informix regex: - "Warning.{0,200}?\\Wifx_" - "Exception.{0,200}?Informix" - "Informix ODBC Driver" - "ODBC Informix driver" - "com\\.informix\\.jdbc" - "weblogic\\.jdbc\\.informix" - "Pdo[./_\\\\]Informix" - "IfxException" - type: regex name: Firebird regex: - "Dynamic SQL Error" - "Warning.{0,200}?\\Wibase_" - "org\\.firebirdsql\\.jdbc" - "Pdo[./_\\\\]Firebird" - type: regex name: SQLite regex: - "SQLite/JDBCDriver" - "SQLite\\.Exception" - "(Microsoft|System)\\.Data\\.SQLite\\.SQLiteException" - "Warning.{0,200}?\\W(sqlite_|SQLite3::)" - "\\[SQLITE_ERROR\\]" - "SQLite error \\d+:" - "sqlite3.OperationalError:" - "SQLite3::SQLException" - "org\\.sqlite\\.JDBC" - "Pdo[./_\\\\]Sqlite" - "SQLiteException" - type: regex name: SAPMaxDB regex: - "SQL error.{0,200}?POS([0-9]+)" - "Warning.{0,200}?\\Wmaxdb_" - "DriverSapDB" - "-3014.{0,200}?Invalid end of SQL statement" - "com\\.sap\\.dbtech\\.jdbc" - "\\[-3008\\].{0,200}?: Invalid keyword or missing delimiter" - type: regex name: Sybase regex: - "Warning.{0,200}?\\Wsybase_" - "Sybase message" - "Sybase.{0,200}?Server message" - "SybSQLException" - "Sybase\\.Data\\.AseClient" - "com\\.sybase\\.jdbc" - type: regex name: Ingres regex: - "Warning.{0,200}?\\Wingres_" - "Ingres SQLSTATE" - "Ingres\\W.{0,200}?Driver" - "com\\.ingres\\.gcf\\.jdbc" - type: regex name: FrontBase regex: - "Exception (condition )?\\d+\\. Transaction rollback" - "com\\.frontbase\\.jdbc" - "Syntax error 1. Missing" - "(Semantic|Syntax) error \\[1-4\\]\\d{2}\\." - type: regex name: HSQLDB regex: - "Unexpected end of command in statement \\[" - "Unexpected token.{0,200}?in statement \\[" - "org\\.hsqldb\\.jdbc" - type: regex name: H2 regex: - "org\\.h2\\.jdbc" - "\\[42000-192\\]" - type: regex name: MonetDB regex: - "![0-9]{5}![^\\n]+(failed|unexpected|error|syntax|expected|violation|exception)" - "\\[MonetDB\\]\\[ODBC Driver" - "nl\\.cwi\\.monetdb\\.jdbc" - type: regex name: ApacheDerby regex: - "Syntax error: Encountered" - "org\\.apache\\.derby" - "ERROR 42X01" - type: regex name: Vertica regex: - ", Sqlstate: (3F|42).{3}, (Routine|Hint|Position):" - "/vertica/Parser/scan" - "com\\.vertica\\.jdbc" - "org\\.jkiss\\.dbeaver\\.ext\\.vertica" - "com\\.vertica\\.dsi\\.dataengine" - type: regex name: Mckoi regex: - "com\\.mckoi\\.JDBCDriver" - "com\\.mckoi\\.database\\.jdbc" - "<REGEX_LITERAL>" - type: regex name: Presto regex: - "com\\.facebook\\.presto\\.jdbc" - "io\\.prestosql\\.jdbc" - "com\\.simba\\.presto\\.jdbc" - "UNION query has different number of fields: \\d+, \\d+" - type: regex name: Altibase regex: - "Altibase\\.jdbc\\.driver" - type: regex name: MimerSQL regex: - "com\\.mimer\\.jdbc" - "Syntax error,[^\\n]+assumed to mean" - type: regex name: CrateDB regex: - "io\\.crate\\.client\\.jdbc" - type: regex name: Cache regex: - "encountered after end of query" - "A comparison operator is required here" - type: regex name: RaimaDatabaseManager regex: - "-10048: Syntax error" - "rdmStmtPrepare\\(.+?\\) returned" - type: regex name: Virtuoso regex: - "SQ074: Line \\d+:" - "SR185: Undefined procedure" - "SQ200: No table " - "Virtuoso S0002 Error" - "\\[(Virtuoso Driver|Virtuoso iODBC Driver)\\]\\[Virtuoso Server\\]" # digest: 4b0a00483046022100e504b0e3c6ec673ac12eb5792cb55d4177d83a3e9802e9e878422bdb026fe19902210080a1e1d97b9d885fcc6af795d65189caa539132ad85843699c4402ef42565208:922c64590222798bb761d5b6d8e72950