sif/modules/recon/sql-dump-exposure.yaml
Tigah 761e570d59 feat(modules): add sql dump, sqlite and redis rdb exposure modules (#204)
modules/recon/sql-dump-exposure.yaml flags an exposed SQL dump on its
mysqldump and pg_dump idioms paired against a guard that drops SQL shown
inside an html page, then extracts the dumped table name.

modules/recon/sqlite-database-exposure.yaml flags an exposed SQLite file on
the 16 byte format magic anchored to the start of the body, then extracts a
schema table name. anchoring the magic keeps a page that merely embeds the
header from being reported.

modules/recon/redis-dump-exposure.yaml flags an exposed Redis RDB snapshot on
the RDB magic anchored to the start of the body, then extracts the format
version.

internal/modules/database_file_exposure_test.go drives the three modules end
to end through ExecuteHTTPModule and asserts the leak alongside the near
misses a strict review wants pinned: a SQL tutorial page, a bare select, prose
that names the sqlite or redis format, a header embedded mid body, a plain 200
body and a 404, none of which may match.

verify: go test ./internal/modules, each matcher, magic anchor, guard and
extractor proven to bite (break -> red, restore -> green).
2026-06-22 17:07:15 -07:00

61 lines
1.3 KiB
YAML

# SQL Dump Exposure Detection Module

id: sql-dump-exposure
info:
  name: SQL Dump Exposure
  author: sif
  severity: high
  description: Detects an exposed SQL database dump that leaks schema and row data
  tags: [database, sql, mysql, postgres, dump, exposure, recon]

type: http

http:
  method: GET
  paths:
    - "{{BaseURL}}/dump.sql"
    - "{{BaseURL}}/backup.sql"
    - "{{BaseURL}}/database.sql"
    - "{{BaseURL}}/db.sql"
    - "{{BaseURL}}/mysql.sql"

  matchers:
    - type: status
      status:
        - 200
    - type: word
      part: body
      condition: or
      words:
        - "-- MySQL dump"
        - "-- PostgreSQL database dump"
        - "-- Dumping data for table"
        - "-- Server version"
        - "DROP TABLE IF EXISTS"
        - "CREATE TABLE IF NOT EXISTS"
        - "ENGINE=InnoDB"
        - "ENGINE=MyISAM"
        - "COPY public."
        - "INSERT INTO "
    - type: word
      part: body
      negative: true
      condition: or
      words:
        - "<!DOCTYPE"
        - "<!doctype"
        - "<html"
        - "<HTML"
        - "<head>"
        - "<title>"

  extractors:
    - type: regex
      name: dump_table
      part: body
      regex:
        - '(?:CREATE TABLE|INSERT INTO)\s+(?:IF NOT EXISTS\s+)?["`]?(?:[A-Za-z0-9_]+\.)?["`]?([A-Za-z0-9_]+)'
      group: 1
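
An added sketch, not sif's own code or its ExecuteHTTPModule, of how the three matchers and the extractor above behave on constructed response bodies. The names `evalSQLDump` and `containsAny` are hypothetical, and it assumes the matchers are AND-combined and use case-sensitive substring matching.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Word lists and regex copied from sql-dump-exposure.yaml.
var dumpWords = []string{"-- MySQL dump", "-- PostgreSQL database dump",
	"-- Dumping data for table", "-- Server version", "DROP TABLE IF EXISTS",
	"CREATE TABLE IF NOT EXISTS", "ENGINE=InnoDB", "ENGINE=MyISAM",
	"COPY public.", "INSERT INTO "}
var htmlGuard = []string{"<!DOCTYPE", "<!doctype", "<html", "<HTML", "<head>", "<title>"}
var tableRe = regexp.MustCompile("(?:CREATE TABLE|INSERT INTO)\\s+(?:IF NOT EXISTS\\s+)?[\"`]?(?:[A-Za-z0-9_]+\\.)?[\"`]?([A-Za-z0-9_]+)")

func containsAny(body string, words []string) bool {
	for _, w := range words {
		if strings.Contains(body, w) {
			return true
		}
	}
	return false
}

// evalSQLDump is a hypothetical stand-in for the module engine. Assumption:
// all three matchers must hold (status AND dump idiom AND no HTML marker).
func evalSQLDump(status int, body string) (matched bool, table string) {
	if status != 200 || !containsAny(body, dumpWords) || containsAny(body, htmlGuard) {
		return false, ""
	}
	if m := tableRe.FindStringSubmatch(body); m != nil {
		table = m[1]
	}
	return true, table
}

func main() {
	// Constructed sample bodies, not captured from any real host.
	my := "-- MySQL dump 10.13\nCREATE TABLE `users` (\n  `id` int\n) ENGINE=InnoDB;\n"
	pg := "-- PostgreSQL database dump\nCREATE TABLE public.accounts (\n  id integer\n);\n"
	page := "<html><body><pre>INSERT INTO users VALUES (1);</pre></body></html>"
	for _, body := range []string{my, pg, page, "SELECT 1;"} {
		ok, tbl := evalSQLDump(200, body)
		fmt.Printf("matched=%-5v table=%q\n", ok, tbl)
	}
}
```

With a quoted, schema-qualified name such as `CREATE TABLE "public"."users"`, this regex captures the schema (`public`) rather than the table, because the optional schema group does not allow a closing quote before the dot.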