Detection: SQL Injection Error Based
Overview
Detect error-based SQL injection attacks that attempt to extract information from database error messages. Error-based SQL injection is a technique where attackers deliberately cause database errors that contain sensitive information. By manipulating SQL queries to generate specific errors, attackers can extract data from the database through the error messages themselves when those messages are displayed to users.
This detection identifies:
- Database functions commonly used in error-based techniques (CONVERT, CAST, EXTRACTVALUE)
- Database structure exposure functions (VERSION, @@version, DB_NAME)
- SQL syntax that often triggers informative errors (HAVING, GROUP BY, ORDER BY)
- Database system-specific functions used for error-based extraction
Error-based SQL injection can be particularly effective against applications that display detailed database error messages to users, as it turns error handling into an attack vector.
References:
Usage
Run the detection in your terminal:
powerpipe detection run apache_access_log_detections.detection.sql_injection_error_based
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe detection run apache_access_log_detections.detection.sql_injection_error_based --share
SQL
This detection uses a named query:
select
  tp_timestamp as timestamp,
  request_method as operation,
  request_uri as resource,
  status,
  http_user_agent as actor,
  tp_source_ip as source_ip,
  tp_id as source_id,
  -- Create new aliases to preserve original row data
  status as status_src,
  timestamp as timestamp_src,
  * exclude (status, timestamp)
from
  apache_access_log
where
  request_uri is not null
  and (
    -- Error-based extraction patterns
    request_uri ilike '%convert%(%'
    or request_uri ilike '%cast%(%'
    or request_uri ilike '%extractvalue%(%'
    or request_uri ilike '%updatexml%(%'
    or request_uri ilike '%floor%(%'
    or request_uri ilike '%exp%(%'
    or request_uri ilike '%concat%(%'
    or request_uri ilike '%concat_ws%(%'
    or request_uri ilike '%group_concat%(%'
    -- Known error-based functions with database fingerprinting
    or request_uri ilike '%db_name%(%'
    or request_uri ilike '%@@version%'
    or request_uri ilike '%version%(%'
    or request_uri ilike '%pg_sleep%(%'
    or request_uri ilike '%sys.%'
    -- Common error triggers
    or request_uri ilike '%having%1=1%'
    or request_uri ilike '%order%by%'
    or request_uri ilike '%group%by%'
  )
order by
  tp_timestamp desc;
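The following is an added example, not part of the detection mod itself: it re-implements the ILIKE pattern logic of the query above in Python and runs it over a handful of constructed Apache "combined" format log lines, so the indicators listed in the overview can be exercised offline before the detection is run against real data. Two practitioner caveats fall out of running it. First, the query matches the raw request_uri, so a payload whose parentheses and @ signs are percent-encoded (%28, %40) is not caught unless the URI is decoded first; the decode flag below is an extension of the original query, not something the detection does. Second, broad patterns such as %order%by% also match ordinary query strings (a benign /reports?order=desc&by=date is flagged), so findings from this detection need review rather than automatic blocking. The log format, field names and sample lines are assumptions made for this example.

```python
"""Re-implementation of the sql_injection_error_based pattern logic in Python.

Assumptions (not from the detection mod): log lines are Apache "combined"
format, and every sample line below is constructed for this example.
"""
import re
from urllib.parse import unquote

# ILIKE patterns copied from the detection's WHERE clause, in the same order.
ILIKE_PATTERNS = [
    # Error-based extraction patterns
    "%convert%(%", "%cast%(%", "%extractvalue%(%", "%updatexml%(%",
    "%floor%(%", "%exp%(%", "%concat%(%", "%concat_ws%(%", "%group_concat%(%",
    # Known error-based functions with database fingerprinting
    "%db_name%(%", "%@@version%", "%version%(%", "%pg_sleep%(%", "%sys.%",
    # Common error triggers
    "%having%1=1%", "%order%by%", "%group%by%",
]


def ilike_to_regex(pattern: str) -> re.Pattern:
    """Translate a SQL ILIKE pattern into an anchored, case-insensitive regex.

    '%' matches any run of characters and '_' matches exactly one character
    (so '%db_name%(%' also matches 'db-name('); everything else is literal.
    """
    parts = []
    for ch in pattern:
        if ch == "%":
            parts.append(".*")
        elif ch == "_":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE | re.DOTALL)


COMPILED = [(p, ilike_to_regex(p)) for p in ILIKE_PATTERNS]

# Apache combined log format: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'^(?P<source_ip>\S+) \S+ \S+ \[(?P<timestamp>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) \S+" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<user_agent>[^"]*)"$'
)


def matching_patterns(uri: str, decode: bool = False) -> list:
    """Return the ILIKE patterns a request URI satisfies.

    decode=True percent-decodes the URI first; this is an extension of the
    original query, which matches the raw request_uri only.
    """
    target = unquote(uri) if decode else uri
    return [p for p, rx in COMPILED if rx.match(target)]


def detect(lines: list, decode: bool = False) -> list:
    """Parse access-log lines and return one finding per matching request,
    shaped like the detection's output columns."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip unparseable lines instead of aborting the run
        hits = matching_patterns(m["uri"], decode)
        if hits:
            findings.append({
                "timestamp": m["timestamp"],
                "operation": m["method"],
                "resource": m["uri"],
                "status": int(m["status"]),
                "actor": m["user_agent"],
                "source_ip": m["source_ip"],
                "patterns": hits,
            })
    return findings


# Constructed sample traffic (RFC 5737 documentation addresses, made-up requests).
SAMPLE_LOG = [
    # 1. Error-based payload in the clear: matches extractvalue, concat, @@version
    '203.0.113.7 - - [10/Oct/2024:13:55:36 +0000] "GET /item.php?id=1\'+and+extractvalue(1,concat(0x7e,@@version))-- HTTP/1.1" 500 512 "-" "Mozilla/5.0 (constructed)"',
    # 2. Same payload percent-encoded: the raw query misses it, decoding catches it
    '203.0.113.7 - - [10/Oct/2024:13:55:37 +0000] "GET /item.php?id=1%27+and+extractvalue%281%2Cconcat%280x7e%2C%40%40version%29%29-- HTTP/1.1" 500 512 "-" "Mozilla/5.0 (constructed)"',
    # 3. Benign request that still trips the broad %order%by% pattern
    '198.51.100.23 - - [10/Oct/2024:13:56:01 +0000] "GET /reports?order=desc&by=date HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (constructed)"',
    # 4. Benign static asset, no match
    '198.51.100.23 - - [10/Oct/2024:13:56:02 +0000] "GET /static/css/main.css?v=20241010 HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (constructed)"',
    # 5. HAVING 1=1 error trigger
    '203.0.113.9 - - [10/Oct/2024:13:57:10 +0000] "GET /login.asp?user=admin\'+having+1=1-- HTTP/1.1" 500 300 "-" "Mozilla/5.0 (constructed)"',
]

if __name__ == "__main__":
    for decode in (False, True):
        print(f"decode={decode}:")
        for f in detect(SAMPLE_LOG, decode):
            print(f"  {f['source_ip']} {f['operation']} {f['resource']} -> {f['patterns']}")
```

Running the block prints three findings against the raw URIs (lines 1, 3 and 5) and four once the URIs are decoded, which is the concrete gap to keep in mind when reviewing this detection's output or tuning its patterns.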