turbot/tailpipe-mod-nginx-access-log-detections

Query: sql_injection_blind_based

Usage

powerpipe query nginx_access_log_detections.query.sql_injection_blind_based

Tailpipe Tables

nginx_access_log

SQL

select
  tp_timestamp as timestamp,
  request_method as operation,
  request_uri as resource,
  status,
  http_user_agent as actor,
  tp_source_ip as source_ip,
  tp_id as source_id,
  -- Create new aliases to preserve original row data
  status as status_src,
  * exclude (status)
from
  nginx_access_log
where
  request_uri is not null
  and (
    -- Blind condition checks. Note that '%' inside an ILIKE pattern is the
    -- wildcard, not a literal percent sign: '%and%1=1%' matches any URI that
    -- contains "and" somewhere before "1=1" (so "/search?brand=x&page1=1" also
    -- matches), which is why these patterns trade precision for recall.
    request_uri ilike '%and%1=1%'
    or request_uri ilike '%and%1=2%'
    or request_uri ilike '%case%when%'
    or request_uri ilike '%substr%(%'
    or request_uri ilike '%substring%(%'
    or request_uri ilike '%ascii%(%'
    or request_uri ilike '%length%(%'
    or request_uri ilike '%benchmark%(%'
    -- Blind patterns with comparison operators ('+' is the URL-encoded space)
    or request_uri ilike '%and+1>0%'
    or request_uri ilike '%and+1<2%'
    or request_uri ilike '%and+ascii(substring%'
    or request_uri ilike '%and+length(%)%'
    -- URL encoded variants common in blind injections: '%28' is the encoded
    -- '(' on the wire, but in the pattern the '%' is a wildcard and "28select"
    -- is the literal text, so this still matches "and%28select"
    or request_uri ilike '%and%28select%'
    or request_uri ilike '%and%28case%'
  )
order by
  tp_timestamp desc;
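To see what the predicate above actually flags, the following added example (not code from the tailpipe-mod-nginx-access-log-detections project) runs the same fourteen patterns over a handful of constructed nginx access-log lines. Tailpipe and Powerpipe execute the real query against DuckDB; this example substitutes Python's stdlib sqlite3, whose LIKE is case-insensitive for ASCII letters and so stands in for ILIKE, and it models the tp_* columns with plain names and drops the DuckDB-only `* exclude (...)` clause. The sample log lines, the column names and the parsing regex are all assumptions made for the example; one deliberately benign line (`/search?brand=acme&page1=1`) is included to show the false positive that `'%and%1=1%'` produces.

```python
"""Run the page's blind SQLi URI patterns over constructed nginx log lines.

Added example, not project code. Uses sqlite3 in place of DuckDB: SQLite's
LIKE is case-insensitive for ASCII, so it approximates DuckDB's ILIKE.
"""
import re
import sqlite3
from datetime import datetime

# Constructed sample lines in nginx's default "combined" format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:12:00:01 +0000] "GET /product?id=5 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:12:00:02 +0000] "GET /product?id=5+and+1=1 HTTP/1.1" 200 512 "-" "sqlmap/1.7"
203.0.113.7 - - [10/Mar/2024:12:00:03 +0000] "GET /product?id=5+and+1=2 HTTP/1.1" 200 18 "-" "sqlmap/1.7"
203.0.113.7 - - [10/Mar/2024:12:00:04 +0000] "GET /product?id=5+AND+ASCII(SUBSTRING((SELECT+user()),1,1))>64 HTTP/1.1" 500 0 "-" "sqlmap/1.7"
203.0.113.7 - - [10/Mar/2024:12:00:05 +0000] "GET /product?id=5+and%28select+1%29=1 HTTP/1.1" 200 512 "-" "curl/8.0"
198.51.100.9 - - [10/Mar/2024:12:00:06 +0000] "GET /search?brand=acme&page1=1 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2024:12:00:07 +0000] "GET /static/app.js HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

# Assumed parser for the combined log format (the real Tailpipe table is built by
# the nginx_access_log source, not by this regex).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# The page's ILIKE patterns, verbatim. '%' is the wildcard in every one of them:
# '%and%28select%' matches "and" followed later by the literal "28select", which
# is why it catches the URL-encoded "and%28select" form.
BLIND_PATTERNS = [
    '%and%1=1%', '%and%1=2%', '%case%when%', '%substr%(%', '%substring%(%',
    '%ascii%(%', '%length%(%', '%benchmark%(%',
    '%and+1>0%', '%and+1<2%', '%and+ascii(substring%', '%and+length(%)%',
    '%and%28select%', '%and%28case%',
]


def load_log(text):
    """Parse combined-format lines into an in-memory table shaped like the
    columns the page's query reads (column names simplified: no tp_ prefix)."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "create table nginx_access_log (timestamp text, request_method text, "
        "request_uri text, status integer, http_user_agent text, source_ip text)"
    )
    rows = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        ts = datetime.strptime(m['ts'], "%d/%b/%Y:%H:%M:%S %z").isoformat()
        rows.append((ts, m['method'], m['uri'], int(m['status']), m['ua'], m['ip']))
    con.executemany("insert into nginx_access_log values (?,?,?,?,?,?)", rows)
    return con


def detect_blind_sqli(con):
    """Apply the page's predicate; return (request_uri, status, user agent)
    for each hit, newest first, exactly as the original query orders them."""
    where = " or ".join("request_uri like ?" for _ in BLIND_PATTERNS)
    sql = (
        "select request_uri, status, http_user_agent from nginx_access_log "
        f"where request_uri is not null and ({where}) order by timestamp desc"
    )
    return con.execute(sql, BLIND_PATTERNS).fetchall()


if __name__ == "__main__":
    for uri, status, ua in detect_blind_sqli(load_log(SAMPLE_LOG)):
        print(f"{status} {ua!r} {uri}")
```

Five of the seven lines are returned: the two boolean probes (`and 1=1` / `and 1=2`), the `ASCII(SUBSTRING(...))` extraction probe (matched case-insensitively by `'%ascii%(%'` and `'%and+ascii(substring%'`), the URL-encoded `and%28select` variant, and the benign `/search?brand=acme&page1=1` request, which `'%and%1=1%'` picks up because "brand" contains "and" and "page1=1" contains "1=1". When tuning this detection, pairing the `1=1` / `1=2` probes from the same source_ip within a short window, or joining on a differing status or response size between the two, is a cheaper way to cut that noise than tightening the patterns.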

Detections

The query is being used by the following detections: