sif/modules/recon/sqlite-database-exposure.yaml
Tigah 761e570d59 feat(modules): add sql dump, sqlite and redis rdb exposure modules (#204)
modules/recon/sql-dump-exposure.yaml flags an exposed SQL dump on its
mysqldump and pg_dump idioms paired against a guard that drops SQL shown
inside an html page, then extracts the dumped table name.

modules/recon/sqlite-database-exposure.yaml flags an exposed SQLite file on
the 16 byte format magic anchored to the start of the body, then extracts a
schema table name. Anchoring the magic keeps a page that merely embeds the
header from being reported.

modules/recon/redis-dump-exposure.yaml flags an exposed Redis RDB snapshot on
the RDB magic anchored to the start of the body, then extracts the format
version.

internal/modules/database_file_exposure_test.go drives the three modules end
to end through ExecuteHTTPModule and asserts the leak alongside the near
misses a strict review wants pinned: a SQL tutorial page, a bare select, prose
that names the sqlite or redis format, a header embedded mid body, a plain 200
body and a 404, none of which may match.

verify: go test ./internal/modules, each matcher, magic anchor, guard and
extractor proven to bite (break -> red, restore -> green).
2026-06-22 17:07:15 -07:00


# SQLite Database Exposure Detection Module
id: sqlite-database-exposure

info:
  name: SQLite Database Exposure
  author: sif
  severity: high
  description: Detects an exposed SQLite database file that leaks the full application data
  tags: [database, sqlite, laravel, dump, exposure, recon]

type: http

http:
  method: GET
  paths:
    - "{{BaseURL}}/database.sqlite"
    - "{{BaseURL}}/database.sqlite3"
    - "{{BaseURL}}/db.sqlite3"
    - "{{BaseURL}}/data.db"
    - "{{BaseURL}}/database/database.sqlite"
    - "{{BaseURL}}/storage/database.sqlite"

  matchers:
    - type: status
      status:
        - 200

    - type: regex
      part: body
      regex:
        - '^SQLite format 3\x00'

  extractors:
    - type: regex
      name: table_name
      part: body
      regex:
        - 'CREATE TABLE ["`]?([A-Za-z0-9_]+)'
      group: 1
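The module's two decisions, the 16-byte magic anchored to offset 0 of the body and the schema table-name extractor, written out as plain Go so the near misses the commit message lists can be run by hand. This is an added example, not sif's code: it does not use ExecuteHTTPModule or the real test in internal/modules/database_file_exposure_test.go. The function name DetectSQLiteExposure, the Finding type and the fake database body are assumptions constructed for illustration; the magic string and the extractor regex are the ones in the module above.

```go
package main

import (
	"bytes"
	"fmt"
	"regexp"
)

// sqliteMagic is the 16-byte header every SQLite 3 database file starts
// with: the text "SQLite format 3" followed by a NUL byte. It matches the
// module's '^SQLite format 3\x00' regex.
var sqliteMagic = []byte("SQLite format 3\x00")

// tableNameRe is the module's extractor: the first CREATE TABLE statement
// in the schema text that a database file carries in its sqlite_master page.
var tableNameRe = regexp.MustCompile("CREATE TABLE [\"`]?([A-Za-z0-9_]+)")

// Finding is what the detector reports for one HTTP response (assumed type).
type Finding struct {
	Exposed   bool
	TableName string
}

// DetectSQLiteExposure applies the module's logic to one response: a 200
// whose body begins with the SQLite magic is an exposed database. The
// prefix check is the code equivalent of the regex '^' anchor, so a page
// that merely embeds the header somewhere in its body is not reported.
// When the file is exposed, the first schema table name is extracted.
func DetectSQLiteExposure(status int, body []byte) Finding {
	if status != 200 {
		return Finding{}
	}
	if !bytes.HasPrefix(body, sqliteMagic) {
		return Finding{}
	}
	f := Finding{Exposed: true}
	if m := tableNameRe.FindSubmatch(body); m != nil {
		f.TableName = string(m[1])
	}
	return f
}

// fakeSQLiteBody is a constructed stand-in for a leaked database file: the
// real magic, zero padding for the rest of the 100-byte file header, then
// schema text as it appears inside the file. It is not a valid database,
// only enough of one to exercise the matcher and the extractor.
func fakeSQLiteBody() []byte {
	var b bytes.Buffer
	b.Write(sqliteMagic)
	b.Write(make([]byte, 84))
	b.WriteString(`CREATE TABLE "users"(id INTEGER PRIMARY KEY, email TEXT)`)
	return b.Bytes()
}

func main() {
	// The leak plus the near misses the commit message says must not match.
	cases := []struct {
		name   string
		status int
		body   []byte
	}{
		{"leaked database", 200, fakeSQLiteBody()},
		{"html page embedding the header", 200, []byte("<html><pre>SQLite format 3\x00</pre>CREATE TABLE t(x)</html>")},
		{"prose naming the format", 200, []byte("Our app stores data in SQLite format 3 files.")},
		{"plain 200 body", 200, []byte("hello")},
		{"database behind a 404", 404, fakeSQLiteBody()},
	}
	for _, c := range cases {
		fmt.Printf("%-32s %+v\n", c.name, DetectSQLiteExposure(c.status, c.body))
	}
}
```

Only the first case reports Exposed with TableName "users"; dropping the HasPrefix check in favour of bytes.Contains is exactly the unanchored behaviour the commit message warns about, and the second case then starts matching.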