LoFP LoFP / user searches in search boxes of the respective website

Techniques

Sample rules

Windows Webshell Strings

Description

Detects common commands used in Windows webshells

Detection logic

condition: all of selection_*
selection_keywords:
- =whoami
- =net%20user
- =net+user
- =net%2Buser
- =cmd%20/c%
- =cmd+/c+
- =cmd%2B/c%
- =cmd%20/r%
- =cmd+/r+
- =cmd%2B/r%
- =cmd%20/k%
- =cmd+/k+
- =cmd%2B/k%
- =powershell%
- =powershell+
- =tasklist%
- =tasklist+
- =wmic%
- =wmic+
- =ssh%
- =ssh+
- =python%
- =python+
- =python3%
- =python3+
- =ipconfig
- =wget%
- =wget+
- =curl%
- =curl+
- =certutil
- =copy%20%5C%5C
- =dsquery%
- =dsquery+
- =nltest%
- =nltest+
selection_method:
  cs-method: GET

Cross Site Scripting Strings

Description

Detects XSS attempts injected via GET requests in access logs

Detection logic

condition: select_method and keywords and not filter
filter:
  sc-status: 404
keywords:
- =<script>
- =%3Cscript%3E
- =%253Cscript%253E
- '<iframe '
- '%3Ciframe '
- '<svg '
- '%3Csvg '
- document.cookie
- document.domain
- ' onerror='
- ' onresize='
- ' onload="'
- onmouseover=
- ${alert
- javascript:alert
- javascript%3Aalert
select_method:
  cs-method: GET

Server Side Template Injection Strings

Description

Detects SSTI attempts sent via GET requests in access logs

Detection logic

condition: select_method and keywords and not filter
filter:
  sc-status: 404
keywords:
- ={{
- =%7B%7B
- =${
- =$%7B
- =<%=
- =%3C%25=
- =@(
- freemarker.template.utility.Execute
- .getClass().forName('javax.script.ScriptEngineManager')
- T(org.apache.commons.io.IOUtils)
select_method:
  cs-method: GET

SQL Injection Strings In URI

Description

Detects potential SQL injection attempts via GET requests in access logs.

Detection logic

condition: selection and keywords and not 1 of filter_main_*
filter_main_status:
  sc-status: 404
keywords:
- '@@version'
- '%271%27%3D%271'
- '=select '
- =select(
- =select%20
- concat_ws(
- CONCAT(0x
- from mysql.innodb_table_stats
- from%20mysql.innodb_table_stats
- group_concat(
- information_schema.tables
- json_arrayagg(
- or 1=1#
- or%201=1#
- 'order by '
- order%20by%20
- 'select * '
- select database()
- select version()
- select%20*%20
- select%20database()
- select%20version()
- select%28sleep%2810%29
- SELECTCHAR(
- table_schema
- UNION ALL SELECT
- UNION SELECT
- UNION%20ALL%20SELECT
- UNION%20SELECT
- '''1''=''1'
selection:
  cs-method: GET