id: suspicious-sql-error-messages

info:
  name: SQL - Error Messages
  author: geeknik
  severity: critical
  description: SQL error messages that indicate probing for an injection attack were detected.
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cwe-id: CWE-89
  tags: file,logs,sql,error

file:
  - extensions:
      - all

    extractors:
      - type: regex
        name: oracle
        part: body
        regex:
          - 'quoted string not properly terminated'

      - type: regex
        name: mysql
        part: body
        regex:
          - 'You have an error in your SQL syntax'

      - type: regex
        name: sql_server
        part: body
        regex:
          - 'Unclosed quotation mark'

      - type: regex
        name: sqlite
        part: body
        regex:
          - 'near \"\*\"\: syntax error'
          - 'SELECTs to the left and right of UNION do not have the same number of result columns'

# Enhanced by mp on 2022/10/12