modules/recon/sql-dump-exposure.yaml flags an exposed SQL dump on its mysqldump and pg_dump idioms paired against a guard that drops SQL shown inside an html page, then extracts the dumped table name. modules/recon/sqlite-database-exposure.yaml flags an exposed SQLite file on the 16 byte format magic anchored to the start of the body, then extracts a schema table name. anchoring the magic keeps a page that merely embeds the header from being reported. modules/recon/redis-dump-exposure.yaml flags an exposed Redis RDB snapshot on the RDB magic anchored to the start of the body, then extracts the format version. internal/modules/database_file_exposure_test.go drives the three modules end to end through ExecuteHTTPModule and asserts the leak alongside the near misses a strict review wants pinned: a SQL tutorial page, a bare select, prose that names the sqlite or redis format, a header embedded mid body, a plain 200 body and a 404, none of which may match. verify: go test ./internal/modules, each matcher, magic anchor, guard and extractor proven to bite (break -> red, restore -> green).
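---
# SQL Dump Exposure Detection Module
#
# Probes a handful of conventional dump filenames and reports a hit only when
# the body carries mysqldump / pg_dump idioms and does not look like an HTML
# page (a tutorial or docs page that merely shows SQL must not be reported).
id: sql-dump-exposure

info:
  name: SQL Dump Exposure
  author: sif
  severity: high
  description: Detects an exposed SQL database dump that leaks schema and row data
  tags: [database, sql, mysql, postgres, dump, exposure, recon]

type: http

http:
  method: GET
  # Conventional dump locations; "{{BaseURL}}" is substituted by the engine.
  paths:
    - "{{BaseURL}}/dump.sql"
    - "{{BaseURL}}/backup.sql"
    - "{{BaseURL}}/database.sql"
    - "{{BaseURL}}/db.sql"
    - "{{BaseURL}}/mysql.sql"

  # NOTE(review): no explicit matcher-combination condition is set here, so the
  # hit/no-hit outcome depends on the engine's default. The end-to-end test
  # (internal/modules/database_file_exposure_test.go) pins that a plain 200 body
  # does not match, which implies every matcher must pass — confirm that
  # ExecuteHTTPModule ANDs matchers by default rather than ORing them, since an
  # OR default would let the status matcher alone report every 200 response.
  matchers:
    - type: status
      status:
        - 200

    # Dump-tool banner comments plus DDL/DML idioms. The generic idioms
    # (DROP TABLE IF EXISTS, INSERT INTO) also occur in hand-written schema
    # files; the guard below only rules out HTML, not plain-text SQL that is
    # not a dump, so treat such hits as candidates to confirm rather than proof.
    - type: word
      part: body
      condition: or
      words:
        # mysqldump / pg_dump header lines
        - "-- MySQL dump"
        - "-- PostgreSQL database dump"
        - "-- Dumping data for table"
        - "-- Server version"
        # schema and row-data statements
        - "DROP TABLE IF EXISTS"
        - "CREATE TABLE IF NOT EXISTS"
        - "ENGINE=InnoDB"
        - "ENGINE=MyISAM"
        - "COPY public."
        - "INSERT INTO "

    # Guard: drop responses that are HTML pages (docs, tutorials, error pages)
    # even when they contain SQL text.
    - type: word
      part: body
      negative: true
      condition: or
      words:
        - "<!DOCTYPE"
        - "<!doctype"
        - "<html"
        - "<HTML"
        - "<head>"
        - "<title>"

  extractors:
    # Pulls the table name from the first CREATE TABLE, INSERT INTO or COPY
    # statement. Quoting (" or `) and a schema prefix are both optional; the
    # prefix may itself be quoted, so "public"."users" yields users, not public
    # (the earlier pattern captured the schema in that case). COPY is included
    # so pg_dump bodies that match on "COPY public." also get a table name.
    - type: regex
      name: dump_table
      part: body
      regex:
        - '(?:CREATE TABLE|INSERT INTO|COPY)\s+(?:IF NOT EXISTS\s+)?["`]?(?:[A-Za-z0-9_]+["`]?\.["`]?)?([A-Za-z0-9_]+)'
      group: 1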