id: generic-db info: name: Generic Database File - Exposure author: Michal Mikolas (nanuqcz) severity: high description: | This is collection of some web frameworks recommendation or default configuration for SQLite database file location. If this file is publicly accessible due to server misconfiguration, it could result in application data leak including users sensitive data, password hashes etc. reference: - https://laravel.com/docs/11.x/database#sqlite-configuration # database/database.sqlite - https://laravel.com/docs/5.2/database # database/database.sqlite - https://github.com/laracasts/larabook/blob/master/app/config/database.php#L51 # app/database/production.sqlite - https://forum.codeigniter.com/post-389846.html # writable/db.sqlite3 - https://github.com/codeigniter4projects/playground/blob/develop/.env.example#L33 # writable/database.db - https://symfony.com/doc/current/doctrine.html#configuring-the-database # var/app.db - https://symfony.com/doc/4.x/doctrine.html#configuring-the-database # var/app.db - https://symfony.com/doc/3.x/doctrine.html # app/sqlite.db - https://symfony.com/doc/2.x/doctrine.html # sqlite.db - https://openclassrooms.com/forum/sujet/symfony3-sqlite-could-not-create-database # var/data/db.sqlite - https://symfony.com/doc/current/reference/configuration/doctrine.html#doctrine-dbal-configuration # var/data/data.sqlite - https://stackoverflow.com/questions/31762878/sqlite-3-database-with-django # db.sqlite3 - https://medium.com/@codewithbushra/using-sqlite-as-a-database-backend-in-django-projects-code-with-bushra-d23e3100686e # db.sqlite3 - https://gist.github.com/jwo/4512764?permalink_comment_id=2235763#gistcomment-2235763 # db/production.sqlite3 - https://stackoverflow.com/a/30345819/1632572 # db/production.sqlite3 - https://developerhowto.com/2018/12/29/build-a-rest-api-with-node-js-and-express-js/ # db.sqlite - https://sqldocs.org/sqlite/sqlite-nodejs/ # mydb.sqlite - https://stackoverflow.com/questions/41620788/error-database-connection-sqlite-is-missing-or-could-not-be-created-cakephp # app/data/app_db.sqlite - https://stackoverflow.com/questions/2722383/using-sqlite3-with-cakephp # app/webroot/database.sqlite, app/database.sqlite - https://levelup.gitconnected.com/how-to-connect-and-use-the-sqlite-database-in-codeigniter-3-48cd50d3e78d # application/databases/db.sqlite - https://turmanauli.medium.com/how-to-connect-codeigniter-to-sqlite3-database-like-a-pro-2177497a6d30 # application/db/database.sqlite - https://forum.codeigniter.com/thread-74522.html # application/Database/db1.db - https://stackoverflow.com/a/37088960/1632572 # application/database/data.db - https://docs.laminas.dev/tutorials/getting-started/database-and-models/ # data/*.db - https://phalcon-nucleon.github.io/#!database/getting-started.html # storage/database/database.sqlite - https://www.yiiframework.com/doc/blog/1.1/en/prototype.database # protected/data/*.db - https://pusher.com/tutorials/rest-api-slim-part-1/ # db/database.db - https://www.digitalocean.com/community/tutorials/how-to-use-the-fat-free-php-framework # db/database.sqlite - https://doc.nette.org/en/database/configuration#toc-single-connection # app/Model/*.db - https://www.sqlite.org/fileformat.html # SQLite file always starts with "SQLite format {sqlite_version}" - https://en.wikipedia.org/wiki/List_of_file_signatures # SQLite binary signature: 53 51 4C 69 74 65 20 66 6F 72 6D 61 74 20 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N cvss-score: 7.5 metadata: max-request: 89 tags: files,database,exposure,sqlite,sqlite3,fuzz,sqli http: - method: GET path: - "{{BaseURL}}/{{path}}" payloads: path: - database/database.sqlite - database/production.db - database/production.sqlite - database/production.sqlite3 - app/database/production.sqlite - writable/db.sqlite3 - writable/database.db - var/app.db - var/data/db.sqlite - var/data/data.sqlite - app/sqlite.db - sqlite.db - db.sqlite3 - db/production.sqlite3 - db.sqlite - mydb.sqlite - app/data/app_db.sqlite - app/webroot/database.sqlite - app/database.sqlite - application/databases/db.sqlite - application/db/database.sqlite - application/Database/db1.db - application/database/data.db - data/app.db - data/sqlite.db - data/sqlite3.db - data/database.db - data/production.db - storage/database/database.sqlite - protected/data/app.db - protected/data/sqlite.db - protected/data/sqlite3.db - protected/data/database.db - protected/data/production.db - db/database.db - db/database.sqlite - app/Model/app.db - app/Model/sqlite.db - app/Model/sqlite3.db - app/Model/database.db - app/Model/production.db - app.db - sqlite3.db - app.sqlite - app.sqlite3 - database.db - database.sqlite - database.sqlite3 - production.db - production.sqlite - production.sqlite3 - db/db.sqlite - db/db.sqlite3 - db/sqlite.db - db/sqlite3.db - db/app.db - db/app.sqlite - db/app.sqlite3 - db/database.sqlite3 - db/production.db - db/production.sqlite - app/db.sqlite - app/db.sqlite3 - app/sqlite3.db - app/app.db - app/app.sqlite - app/app.sqlite3 - app/database.db - app/database.sqlite3 - app/production.db - app/production.sqlite - app/production.sqlite3 - data/db.sqlite - data/db.sqlite3 - data/app.sqlite - data/app.sqlite3 - data/database.sqlite - data/database.sqlite3 - data/production.sqlite - data/production.sqlite3 - database/db.sqlite - database/db.sqlite3 - database/sqlite.db - database/sqlite3.db - database/app.db - database/app.sqlite - database/app.sqlite3 - database/database.db - database/database.sqlite3 stop-at-first-match: true matchers: - type: dsl dsl: - 'startswith(body, "SQLite")' # SQLite file always starts with "SQLite format {sqlite_version}" - 'contains(body, "CREATE TABLE")' # SQLite file usually contains "CREATE TABLE", meaning there is at least one table - '!contains(body, "