nuclei-templates/http/exposures/files/generic-db.yaml

id: generic-db

info:
  name: Generic Database File - Exposure
  author: Michal Mikolas (nanuqcz)
  severity: high
  description: |
    This is collection of some web frameworks recommendation or default configuration for SQLite database file location. If this file is publicly accessible due to server misconfiguration, it could result in application data leak including users sensitive data, password hashes etc.    
  reference:
    - https://laravel.com/docs/11.x/database#sqlite-configuration # database/database.sqlite
    - https://laravel.com/docs/5.2/database # database/database.sqlite
    - https://github.com/laracasts/larabook/blob/master/app/config/database.php#L51 # app/database/production.sqlite
    - https://forum.codeigniter.com/post-389846.html # writable/db.sqlite3
    - https://github.com/codeigniter4projects/playground/blob/develop/.env.example#L33 # writable/database.db
    - https://symfony.com/doc/current/doctrine.html#configuring-the-database # var/app.db
    - https://symfony.com/doc/4.x/doctrine.html#configuring-the-database # var/app.db
    - https://symfony.com/doc/3.x/doctrine.html # app/sqlite.db
    - https://symfony.com/doc/2.x/doctrine.html # sqlite.db
    - https://openclassrooms.com/forum/sujet/symfony3-sqlite-could-not-create-database # var/data/db.sqlite
    - https://symfony.com/doc/current/reference/configuration/doctrine.html#doctrine-dbal-configuration # var/data/data.sqlite
    - https://stackoverflow.com/questions/31762878/sqlite-3-database-with-django # db.sqlite3
    - https://medium.com/@codewithbushra/using-sqlite-as-a-database-backend-in-django-projects-code-with-bushra-d23e3100686e # db.sqlite3
    - https://gist.github.com/jwo/4512764?permalink_comment_id=2235763#gistcomment-2235763 # db/production.sqlite3
    - https://stackoverflow.com/a/30345819/1632572 # db/production.sqlite3
    - https://developerhowto.com/2018/12/29/build-a-rest-api-with-node-js-and-express-js/ # db.sqlite
    - https://sqldocs.org/sqlite/sqlite-nodejs/ # mydb.sqlite
    - https://stackoverflow.com/questions/41620788/error-database-connection-sqlite-is-missing-or-could-not-be-created-cakephp # app/data/app_db.sqlite
    - https://stackoverflow.com/questions/2722383/using-sqlite3-with-cakephp # app/webroot/database.sqlite, app/database.sqlite
    - https://levelup.gitconnected.com/how-to-connect-and-use-the-sqlite-database-in-codeigniter-3-48cd50d3e78d # application/databases/db.sqlite
    - https://turmanauli.medium.com/how-to-connect-codeigniter-to-sqlite3-database-like-a-pro-2177497a6d30 # application/db/database.sqlite
    - https://forum.codeigniter.com/thread-74522.html # application/Database/db1.db
    - https://stackoverflow.com/a/37088960/1632572 # application/database/data.db
    - https://docs.laminas.dev/tutorials/getting-started/database-and-models/ # data/*.db
    - https://phalcon-nucleon.github.io/#!database/getting-started.html # storage/database/database.sqlite
    - https://www.yiiframework.com/doc/blog/1.1/en/prototype.database # protected/data/*.db
    - https://pusher.com/tutorials/rest-api-slim-part-1/ # db/database.db
    - https://www.digitalocean.com/community/tutorials/how-to-use-the-fat-free-php-framework # db/database.sqlite
    - https://doc.nette.org/en/database/configuration#toc-single-connection # app/Model/*.db
    - https://www.sqlite.org/fileformat.html # SQLite file always starts with "SQLite format {sqlite_version}"
    - https://en.wikipedia.org/wiki/List_of_file_signatures # SQLite binary signature: 53 51 4C 69 74 65 20 66 6F 72 6D 61 74 20
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
  metadata:
    max-request: 89
  tags: files,database,exposure,sqlite,sqlite3,fuzz,sqli

http:
  - method: GET
    path:

      - "{{BaseURL}}/{{path}}"

    payloads:
      path:
        - database/database.sqlite
        - database/production.db
        - database/production.sqlite
        - database/production.sqlite3
        - app/database/production.sqlite
        - writable/db.sqlite3
        - writable/database.db
        - var/app.db
        - var/data/db.sqlite
        - var/data/data.sqlite
        - app/sqlite.db
        - sqlite.db
        - db.sqlite3
        - db/production.sqlite3
        - db.sqlite
        - mydb.sqlite
        - app/data/app_db.sqlite
        - app/webroot/database.sqlite
        - app/database.sqlite
        - application/databases/db.sqlite
        - application/db/database.sqlite
        - application/Database/db1.db
        - application/database/data.db
        - data/app.db
        - data/sqlite.db
        - data/sqlite3.db
        - data/database.db
        - data/production.db
        - storage/database/database.sqlite
        - protected/data/app.db
        - protected/data/sqlite.db
        - protected/data/sqlite3.db
        - protected/data/database.db
        - protected/data/production.db
        - db/database.db
        - db/database.sqlite
        - app/Model/app.db
        - app/Model/sqlite.db
        - app/Model/sqlite3.db
        - app/Model/database.db
        - app/Model/production.db
        - app.db
        - sqlite3.db
        - app.sqlite
        - app.sqlite3
        - database.db
        - database.sqlite
        - database.sqlite3
        - production.db
        - production.sqlite
        - production.sqlite3
        - db/db.sqlite
        - db/db.sqlite3
        - db/sqlite.db
        - db/sqlite3.db
        - db/app.db
        - db/app.sqlite
        - db/app.sqlite3
        - db/database.sqlite3
        - db/production.db
        - db/production.sqlite
        - app/db.sqlite
        - app/db.sqlite3
        - app/sqlite3.db
        - app/app.db
        - app/app.sqlite
        - app/app.sqlite3
        - app/database.db
        - app/database.sqlite3
        - app/production.db
        - app/production.sqlite
        - app/production.sqlite3
        - data/db.sqlite
        - data/db.sqlite3
        - data/app.sqlite
        - data/app.sqlite3
        - data/database.sqlite
        - data/database.sqlite3
        - data/production.sqlite
        - data/production.sqlite3
        - database/db.sqlite
        - database/db.sqlite3
        - database/sqlite.db
        - database/sqlite3.db
        - database/app.db
        - database/app.sqlite
        - database/app.sqlite3
        - database/database.db
        - database/database.sqlite3

    stop-at-first-match: true
    matchers:
      - type: dsl
        dsl:
          - 'startswith(body, "SQLite")' # SQLite file always starts with "SQLite format {sqlite_version}"
          - 'contains(body, "CREATE TABLE")' # SQLite file usually contains "CREATE TABLE", meaning there is at least one table
          - '!contains(body, "<html")'
          - 'status_code == 200'
        condition: and
# digest: 4a0a0047304502207cfed365679d0046c1fa9acc0d1b0524d0d4d14d7dba99822b8c625690e23e5a022100b8236f0a11da485566732ec6fd4eb5eac874ad4d01077d83966a22d46c078d38:922c64590222798bb761d5b6d8e72950