Detection: SQL Injection Common Patterns
Overview
Detect common SQL injection patterns in Apache access log request URIs by matching typical SQL keywords and syntax. This detection flags frequently used SQL injection techniques that may indicate an attempt to manipulate database queries, focusing on the most widespread syntax elements attackers use to compromise database security.
The detection matches common SQL command patterns (SELECT, INSERT, DELETE, UPDATE), basic SQL injection techniques (OR 1=1), and SQL comment markers used to bypass security controls.
References:
Usage
Run the detection in your terminal:
powerpipe detection run apache_access_log_detections.detection.sql_injection_common_patterns
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe detection run apache_access_log_detections.detection.sql_injection_common_patterns --share
SQL
This detection uses a named query:
select
  tp_timestamp as timestamp,
  request_method as operation,
  request_uri as resource,
  status,
  http_user_agent as actor,
  tp_source_ip as source_ip,
  tp_id as source_id,
  -- Create new aliases to preserve original row data
  status as status_src,
  timestamp as timestamp_src,
  * exclude (status, timestamp)
from
  apache_access_log
where
  request_uri is not null
  and (
    -- Basic SQL commands
    request_uri ilike '%select%from%'
    or request_uri ilike '%insert%into%'
    or request_uri ilike '%delete%from%'
    or request_uri ilike '%update%set%'
    or request_uri ilike '%drop%table%'
    or request_uri ilike '%truncate%table%'
    or request_uri ilike '%create%table%'
    or request_uri ilike '%alter%table%'
    or request_uri ilike '%exec%xp_%'
    or request_uri ilike '%information_schema%'
    -- Common SQL injection patterns
    or request_uri ilike '%or%1=1%'
    or request_uri ilike '%or%true%'
    or request_uri ilike '%/*_%*/%'
    or request_uri ilike '%--+%'
    or request_uri ilike '%-- %'
    or request_uri ilike '%;--%'
    -- URL encoded variants
    or request_uri ilike '%\x27%'
    or request_uri ilike '%\x22%'
    or request_uri ilike '%\x3D\x3D%'
  )
order by
  tp_timestamp desc;
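To show what the named query above does on concrete input, here is an added Python reimplementation of its pattern section (not the project's own code) that parses a few constructed Apache combined-format log lines, percent-decodes the request URI before matching (an addition; the SQL matches the raw URI text), and translates each `ilike` pattern into an equivalent case-insensitive regex:

```python
import re
from urllib.parse import unquote

# Constructed sample lines in Apache combined log format (not taken from the page).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2024:13:55:36 +0000] "GET /products?id=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2024:13:55:40 +0000] "GET /products?id=1%27%20OR%201=1-- HTTP/1.1" 200 9812 "-" "curl/8.0"
203.0.113.9 - - [10/Oct/2024:13:55:44 +0000] "GET /search?q=select+name+from+users HTTP/1.1" 403 0 "-" "sqlmap/1.7"
198.51.100.2 - - [10/Oct/2024:13:55:50 +0000] "GET /about HTTP/1.1" 200 204 "-" "Mozilla/5.0"
"""

# The same ILIKE patterns the detection's SQL uses (the \x escape variants are left out,
# since the URI is percent-decoded here before matching).
ILIKE_PATTERNS = [
    # Basic SQL commands
    "%select%from%", "%insert%into%", "%delete%from%", "%update%set%",
    "%drop%table%", "%truncate%table%", "%create%table%", "%alter%table%",
    "%exec%xp_%", "%information_schema%",
    # Common SQL injection patterns
    "%or%1=1%", "%or%true%", "%/*_%*/%", "%--+%", "%-- %", "%;--%",
]

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" '
                    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')

def ilike_to_regex(pattern):
    """Translate a SQL ILIKE pattern: % becomes .*, _ becomes ., everything else is literal."""
    body = "".join(".*" if c == "%" else "." if c == "_" else re.escape(c) for c in pattern)
    return re.compile("^" + body + "$", re.IGNORECASE | re.DOTALL)

COMPILED = [ilike_to_regex(p) for p in ILIKE_PATTERNS]

def match_patterns(uri):
    """Return the ILIKE patterns matched by the percent-decoded request URI."""
    decoded = unquote(uri)
    return [p for p, rx in zip(ILIKE_PATTERNS, COMPILED) if rx.match(decoded)]

def detect(log_text):
    """Return one finding per log line whose request URI matches any pattern (same columns as the SQL)."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        hits = match_patterns(m["uri"])
        if hits:
            findings.append({"timestamp": m["ts"], "operation": m["method"], "resource": m["uri"],
                             "status": int(m["status"]), "actor": m["ua"], "source_ip": m["ip"],
                             "patterns": hits})
    return findings

if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f["source_ip"], f["resource"], f["patterns"])
```

Patterns such as `%or%true%` and `%select%from%` are deliberately broad, so expect benign URIs containing those substrings to match as well; tune or suppress per application before alerting on them.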