LoFP / user searches in search boxes of the respective website

Techniques

Sample rules

Server Side Template Injection Strings

Description

Detects SSTI attempts sent via GET requests in access logs

Detection logic

condition: select_method and keywords and not filter
filter:
  sc-status: 404
keywords:
- ={{
- =%7B%7B
- =${
- =$%7B
- =<%=
- =%3C%25=
- =@(
- freemarker.template.utility.Execute
- .getClass().forName('javax.script.ScriptEngineManager')
- T(org.apache.commons.io.IOUtils)
select_method:
  cs-method: GET

Cross Site Scripting Strings

Description

Detects XSS attempts injected via GET requests in access logs

Detection logic

condition: select_method and keywords and not filter
filter:
  sc-status: 404
keywords:
- =<script>
- =%3Cscript%3E
- =%253Cscript%253E
- '<iframe '
- '%3Ciframe '
- '<svg '
- '%3Csvg '
- document.cookie
- document.domain
- ' onerror='
- ' onresize='
- ' onload="'
- onmouseover=
- ${alert
- javascript:alert
- javascript%3Aalert
select_method:
  cs-method: GET

Windows Webshell Strings

Description

Detects common commands used in Windows webshells

Detection logic

condition: all of selection_*
selection_keywords:
- =whoami
- =net%20user
- =net+user
- =net%2Buser
- =cmd%20/c%
- =cmd+/c+
- =cmd%2B/c%
- =cmd%20/r%
- =cmd+/r+
- =cmd%2B/r%
- =cmd%20/k%
- =cmd+/k+
- =cmd%2B/k%
- =powershell%
- =powershell+
- =tasklist%
- =tasklist+
- =wmic%
- =wmic+
- =ssh%
- =ssh+
- =python%
- =python+
- =python3%
- =python3+
- =ipconfig
- =wget%
- =wget+
- =curl%
- =curl+
- =certutil
- =copy%20%5C%5C
- =dsquery%
- =dsquery+
- =nltest%
- =nltest+
selection_method:
  cs-method: GET

SQL Injection Strings In URI

Description

Detects potential SQL injection attempts via GET requests in access logs.

Detection logic

condition: selection and keywords and not 1 of filter_main_*
filter_main_status:
  sc-status: 404
keywords:
- '@@version'
- '%271%27%3D%271'
- '=select '
- =select(
- =select%20
- concat_ws(
- CONCAT(0x
- from mysql.innodb_table_stats
- from%20mysql.innodb_table_stats
- group_concat(
- information_schema.tables
- json_arrayagg(
- or 1=1#
- or%201=1#
- 'order by '
- order%20by%20
- 'select * '
- select database()
- select version()
- select%20*%20
- select%20database()
- select%20version()
- select%28sleep%2810%29
- SELECTCHAR(
- table_schema
- UNION ALL SELECT
- UNION SELECT
- UNION%20ALL%20SELECT
- UNION%20SELECT
- '''1''=''1'
selection:
  cs-method: GET
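To show why a site search box produces the false positive this page lists, the following added example (not code from the LoFP page or the Sigma project) evaluates the rule shape used above (selection on cs-method, any keyword, not sc-status 404) over constructed W3C/IIS-style access log records, using a subset of the "SQL Injection Strings In URI" keywords. It assumes Sigma's default keyword semantics (case-insensitive substring over the whole log line), approximated here by concatenating the record's fields.

```python
from dataclasses import dataclass
from typing import List

# Subset of the "SQL Injection Strings In URI" keywords above, as literal strings
SQLI_KEYWORDS = ["@@version", "=select ", "=select(", "=select%20", "order by ", "order%20by%20",
                 "or 1=1#", "information_schema.tables", "UNION SELECT", "UNION%20SELECT"]

@dataclass
class AccessLogRecord:
    """One W3C/IIS-style access log line (constructed; field names follow the rule's columns)."""
    cs_method: str
    cs_uri_stem: str
    cs_uri_query: str
    sc_status: int

def rule_hits(rec: AccessLogRecord, keywords: List[str],
              method: str = "GET", filtered_status: int = 404) -> List[str]:
    """Mirror the rule: selection (cs-method) AND keywords AND NOT filter (sc-status 404).
    Sigma keywords are not bound to one field and match as case-insensitive substrings,
    so the whole record is joined into one haystack (an approximation of a backend's
    full-message search). Returns the matching keywords in rule order, [] if no alert."""
    if rec.cs_method != method or rec.sc_status == filtered_status:
        return []
    haystack = f"{rec.cs_method} {rec.cs_uri_stem}?{rec.cs_uri_query} {rec.sc_status}".lower()
    return [kw for kw in keywords if kw.lower() in haystack]

# Constructed sample records
ATTACK = AccessLogRecord("GET", "/product.php", "id=1%20UNION%20SELECT%20@@version", 200)
SEARCH_BOX = AccessLogRecord("GET", "/search", "q=books%20order%20by%20date", 200)  # benign site search
PROBE_404 = AccessLogRecord("GET", "/old.php", "id=1%20UNION%20SELECT%201", 404)     # removed by filter

def triage(records: List[AccessLogRecord]) -> dict:
    """Map each alerting request (stem?query) to its matched keywords; non-alerting records are dropped."""
    results = {f"{r.cs_uri_stem}?{r.cs_uri_query}": rule_hits(r, SQLI_KEYWORDS) for r in records}
    return {req: hits for req, hits in results.items() if hits}

if __name__ == "__main__":
    # The search-box request alerts on "order%20by%20" exactly like the injection attempt does
    for request, hits in triage([ATTACK, SEARCH_BOX, PROBE_404]).items():
        print(request, "->", hits)
```

Tuning this false positive usually means excluding the site's own search endpoint (cs-uri-stem) rather than removing keywords such as `order%20by%20` from the rule.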