Adversaries may attempt SQL injection by embedding malicious strings in URI parameters to exploit vulnerabilities in web applications. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential database breaches early.
Detection Rule
title: SQL Injection Strings In URI
id: 5513deaf-f49a-46c2-a6c8-3f111b5cb453
status: test
description: Detects potential SQL injection attempts via GET requests in access logs.
references:
    - https://www.acunetix.com/blog/articles/exploiting-sql-injection-example/
    - https://www.acunetix.com/blog/articles/using-logs-to-investigate-a-web-application-attack/
    - https://brightsec.com/blog/sql-injection-payloads/
    - https://github.com/payloadbox/sql-injection-payload-list
    - https://book.hacktricks.xyz/pentesting-web/sql-injection/mysql-injection
author: Saw Win Naung, Nasreddine Bencherchali (Nextron Systems), Thurein Oo (Yoma Bank)
date: 2020-02-22
modified: 2023-09-04
tags:
    - attack.initial-access
    - attack.t1190
logsource:
    category: webserver
detection:
    selection:
        cs-method: 'GET'
    keywords:
        - '@@version'
        - '%271%27%3D%271'
        - '=select '
        - '=select('
        - '=select%20'
        - 'concat_ws('
        - 'CONCAT(0x'
        - 'from mysql.innodb_table_stats'
        - 'from%20mysql.innodb_table_stats'
        - 'group_concat('
        - 'information_schema.tables'
        - 'json_arrayagg('
        - 'or 1=1#'
        - 'or%201=1#'
        - 'order by '
        - 'order%20by%20'
        - 'select * '
        - 'select database()'
        - 'select version()'
        - 'select%20*%20'
        - 'select%20database()'
        - 'select%20version()'
        - 'select%28sleep%2810%29'
        - 'SELECTCHAR('
        - 'table_schema'
        - 'UNION ALL SELECT'
        - 'UNION SELECT'
        - 'UNION%20ALL%20SELECT'
        - 'UNION%20SELECT'
        - "'1'='1"
    filter_main_status:
        sc-status: 404
    condition: selection and keywords and not 1 of filter_main_*
falsepositives:
    - JavaScript and CSS files
    - User searches in search boxes of the respective website
    - Internal vulnerability scanners can cause some serious FPs when used. If you experience a lot of FPs due to this, consider adding more filters such as "User Agent" strings and more response codes
level: high
imWebSession
// Sigma keywords are unbound, so each term is searched across every column (* contains is
// case-insensitive, matching Sigma semantics); restrict to Url if the full-row search is too costly.
| where HttpRequestMethod =~ "GET"
    and (* contains "@@version" or * contains "%271%27%3D%271" or * contains "=select " or * contains "=select(" or * contains "=select%20"
         or * contains "concat_ws(" or * contains "CONCAT(0x" or * contains "from mysql.innodb_table_stats" or * contains "from%20mysql.innodb_table_stats"
         or * contains "group_concat(" or * contains "information_schema.tables" or * contains "json_arrayagg(" or * contains "or 1=1#" or * contains "or%201=1#"
         or * contains "order by " or * contains "order%20by%20" or * contains "select * " or * contains "select database()" or * contains "select version()"
         or * contains "select%20*%20" or * contains "select%20database()" or * contains "select%20version()" or * contains "select%28sleep%2810%29"
         or * contains "SELECTCHAR(" or * contains "table_schema" or * contains "UNION ALL SELECT" or * contains "UNION SELECT"
         or * contains "UNION%20ALL%20SELECT" or * contains "UNION%20SELECT" or * contains "'1'='1")
    // tostring() keeps the 404 exclusion working whether the parser yields the status as a string or a number
    and tostring(HttpStatusCode) != "404"
Scenario: A legitimate scheduled job uses a SQL query in a URI to generate reports.
Filter/Exclusion: Exclude URIs containing report_generator.php or scheduled_job.php using a regex pattern like report_generator|scheduled_job.
Scenario: An admin is using a web-based SQL tool (e.g., phpMyAdmin) to query a database directly.
Filter/Exclusion: Exclude requests to /phpmyadmin/ or /admin/ using a path-based filter.
Scenario: A developer is testing a web application using a local tool like Postman or curl, and the URI includes SQL-like strings for debugging.
Filter/Exclusion: Exclude requests originating from local IP ranges (e.g., 192.168.0.0/16) or user agents like PostmanRuntime/....
Scenario: A system uses a URI to pass SQL-like parameters for filtering data in a legitimate API endpoint.
Filter/Exclusion: Exclude URIs containing filter=, search=, or query= with a regex like filter|search|query, scoped to that endpoint's path; applied globally, a parameter-name exclusion of this kind would also suppress injection attempts delivered through ordinary search parameters.
Scenario: A log management tool (e.g., ELK Stack, Splunk) is configured to send SQL-like strings in URIs for log parsing or indexing.
Filter/Exclusion: Exclude requests to /logstash/, /splunk/, or /elk/ using a path-based filter.
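A reference implementation of the rule and of the exclusions from the scenarios above, added here as an example and not part of the Sigma rule or its Sentinel translation: it parses Combined Log Format lines (constructed samples), applies the GET / keyword / not-404 logic, then drops the hypothetical admin paths, local range and Postman user agent, and reports which keyword fired. The sample set includes a search-box request that trips the rule, illustrating the false positive the rule itself lists.

```python
import ipaddress
import re

# Keyword list copied from the Sigma rule above; Sigma keywords are case-insensitive
# substring matches, so both sides are lower-cased before comparing.
KEYWORDS = [
    "@@version", "%271%27%3D%271", "=select ", "=select(", "=select%20", "concat_ws(", "CONCAT(0x",
    "from mysql.innodb_table_stats", "from%20mysql.innodb_table_stats", "group_concat(",
    "information_schema.tables", "json_arrayagg(", "or 1=1#", "or%201=1#", "order by ", "order%20by%20",
    "select * ", "select database()", "select version()", "select%20*%20", "select%20database()",
    "select%20version()", "select%28sleep%2810%29", "SELECTCHAR(", "table_schema", "UNION ALL SELECT",
    "UNION SELECT", "UNION%20ALL%20SELECT", "UNION%20SELECT", "'1'='1",
]
# Exclusions from the tuning scenarios above (paths, address range and UA prefix are hypothetical)
EXCLUDED_PATHS = re.compile(r"^/(phpmyadmin|admin|logstash|splunk|elk)/", re.I)
EXCLUDED_NETS = [ipaddress.ip_network("192.168.0.0/16")]
EXCLUDED_UA_PREFIXES = ("PostmanRuntime/",)
# Combined Log Format: ip ident user [time] "method uri proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" '
                    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')
def parse(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None
def matched_keyword(uri):
    low = uri.lower()
    return next((kw for kw in KEYWORDS if kw.lower() in low), None)
def is_excluded(ev):
    try:
        in_local = any(ipaddress.ip_address(ev["ip"]) in n for n in EXCLUDED_NETS)
    except ValueError:  # client field holds a hostname rather than an address
        in_local = False
    return (in_local or EXCLUDED_PATHS.search(ev["uri"]) is not None
            or ev["ua"].startswith(EXCLUDED_UA_PREFIXES))
def evaluate(line):
    """Matched keyword when the line fires the rule (GET, keyword hit, status != 404, not excluded)."""
    ev = parse(line)
    if ev is None or ev["method"] != "GET" or ev["status"] == "404" or is_excluded(ev):
        return None
    return matched_keyword(ev["uri"])
SAMPLE_LOGS = [  # constructed lines; 203.0.113.0/24 is a documentation range
    '203.0.113.7 - - [22/Feb/2020:10:00:01 +0000] "GET /products.php?id=1%20UNION%20SELECT%201,2,3 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [22/Feb/2020:10:00:02 +0000] "GET /old.php?id=1%20UNION%20SELECT%201 HTTP/1.1" 404 162 "-" "Mozilla/5.0"',
    '192.168.1.20 - - [22/Feb/2020:10:00:03 +0000] "GET /api/items?q=select%20*%20from%20t HTTP/1.1" 200 88 "-" "PostmanRuntime/7.32.3"',
    '203.0.113.9 - - [22/Feb/2020:10:00:04 +0000] "GET /search?q=sort%20order%20by%20date HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '203.0.113.11 - - [22/Feb/2020:10:00:05 +0000] "GET /phpmyadmin/sql.php?sql=select%20version() HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
]
def alerts(lines=SAMPLE_LOGS):
    # (client ip, keyword) per firing line; the /search hit is the search-box FP the rule warns about
    return [(parse(l)["ip"], kw) for l in lines for kw in [evaluate(l)] if kw]
```

Running `alerts()` on the samples yields the UNION hit from 203.0.113.7 and the search-box false positive from 203.0.113.9, while the 404, the Postman request from the local range and the phpMyAdmin path are suppressed.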