activity_dashboard_bad_request_countactivity_dashboard_error_countactivity_dashboard_redirect_countactivity_dashboard_requests_by_dayactivity_dashboard_requests_by_errorsactivity_dashboard_requests_by_http_methodactivity_dashboard_requests_by_status_codeactivity_dashboard_requests_by_successful_requestsactivity_dashboard_requests_by_user_agentactivity_dashboard_success_countactivity_dashboard_top_10_clientsactivity_dashboard_top_10_urlsactivity_dashboard_total_logscross_site_scripting_angular_templatecross_site_scripting_attribute_injectioncross_site_scripting_common_patternscross_site_scripting_dom_basedcross_site_scripting_encodingcross_site_scripting_html_injectioncross_site_scripting_javascript_methodscross_site_scripting_javascript_uricross_site_scripting_script_tagencoded_path_traversalheader_based_local_file_inclusionhidden_file_accesslog4shell_vulnerabilityos_file_accesspath_traversalrestricted_file_accessspring4shell_vulnerabilitysql_injection_blind_basedsql_injection_common_patternssql_injection_error_basedsql_injection_time_basedsql_injection_union_basedsql_injection_user_agent_based
Query: sql_injection_blind_based
Usage
powerpipe query apache_access_log_detections.query.sql_injection_blind_basedTailpipe Tables
SQL
select tp_timestamp as timestamp, request_method as operation, request_uri as resource, status, http_user_agent as actor, tp_source_ip as source_ip, tp_id as source_id, -- Create new aliases to preserve original row data status as status_src, timestamp as timestamp_src, * exclude (status, timestamp)from apache_access_logwhere request_uri is not null and ( -- Blind condition checks request_uri ilike '%and%1=1%' or request_uri ilike '%and%1=2%' or request_uri ilike '%case%when%' or request_uri ilike '%substr%(%' or request_uri ilike '%substring%(%' or request_uri ilike '%ascii%(%' or request_uri ilike '%length%(%' or request_uri ilike '%benchmark%(%' -- Blind patterns with comparison operators or request_uri ilike '%and+1>0%' or request_uri ilike '%and+1<2%' or request_uri ilike '%and+ascii(substring%' or request_uri ilike '%and+length(%)%' -- URL encoded variants common in blind injections or request_uri ilike '%and%28select%' or request_uri ilike '%and%28case%' ) and request_uri not ilike '%rand%'order by tp_timestamp desc;Detections
The query is being used by the following detections: