Old scripts

active/sqli_errs.lua

@@ -0,0 +1,59 @@
+SQLI_ERRORS = read(string.format("%s/txt/sqli_errs.txt",SCRIPT_PATH))
+
+PAYLOADS = {
+    "'123",
+    "''123",
+    "`123",
+    "\")123",
+    "\"))123",
+    "`)123",
+    "`))123",
+    "'))123",
+    "')123\"123",
+    "[]123",
+    "\"\"123",
+    "'\"123",
+    "\"'123",
+    "\123",
+}
+
+local function send_report(url,parameter,payload,matching_error)
+    NewReport:setName("SQL Injection")
+    NewReport:setDescription("https://owasp.org/www-community/attacks/SQL_Injection")
+    NewReport:setRisk("high")
+    NewReport:setUrl(url)
+    NewReport:setParam(parameter)
+    NewReport:setAttack(payload)
+    NewReport:setEvidence(matching_error)
+end
+
+function main(url) 
+    local resp = http:send("GET",HttpMessage:getUrl())
+    if resp.errors:GetErrorOrNil() then
+        local log_msg = string.format("[SQLI_ERRORS] Connection Error: %s",new_url)
+        log_error(log_msg)
+        return
+    end
+    for param_index, param_name in pairs(HttpMessage:getParams()) do
+        STOP_PARAM = false
+        for payload_index, payload in pairs(PAYLOADS) do 
+            local new_url = HttpMessage:setParam(param_name,payload)
+            local resp = http:send("GET",new_url)
+            local body = resp.body:GetStrOrNil()
+            if STOP_PARAM == true then
+                break
+            end
+            for sqlerror_match in SQLI_ERRORS:gmatch("[^\n]+") do
+                    local match = is_match(sqlerror_match,body)
+                    if ( match == false or match == nil) then
+                            -- NOTHING
+                    else
+                        send_report(resp.url:GetStrOrNil(),param_name,payload,sqlerror_match)
+                        Reports:addReport(NewReport)
+                        STOP_PARAM = true
+                        break
+                    end
+            end
+        end
+    end
+end

active/txt/sqli_errs.txt

@@ -0,0 +1,155 @@
+unsupported nested scalar subselect
+ibm_db_dbi\.ProgrammingError
+(?s)Exception.*?Roadhouse\.Cms\.
+Warning.*?\Wmaxdb_
+![0-9]{5}![^]
+nl\.cwi\.monetdb\.jdbc
+SQLServer JDBC Driver
+Pdo[./_\](Oracle|OCI)
+SQL Server[^<"]+[0-9a-fA-F]{8}
+DB-Error.*
+quoted string not properly terminated
+check the manual that (corresponds to|fits) your MySQL server version
+valid MySQL result
+org\.jkiss\.dbeaver\.ext\.vertica
+/vertica/Parser/scan
+Altibase\.jdbc\.driver
+ODBC SQL Server Driver
+ORA-\d{5}
+is not supported by MemSQL
+SQL Server[^<"]+Driver
+Warning.*?\Wsybase_
+Syntax error \(missing operator\) in query expression
+macromedia\.jdbc\.oracle
+\[-3008\].*?: Invalid keyword or missing delimiter
+org\.sqlite\.JDBC
+com\.mckoi\.database\.jdbc
+Sybase.*?Server message
+Unexpected end of command in statement \[
+macromedia\.jdbc\.sqlserver
+Oracle.*?Driver
+Warning.*?\W(oci|ora)_
+OLE DB.*? SQL Server
+Virtuoso S0002 Error
+Pdo[./_\]Mysql
+SybSQLException
+Oracle error
+Warning.*?\W(sqlite_|SQLite3::)
+SQLite/JDBCDriver
+Zend_Db_(Adapter|Statement)_Db2_Exception
+Pdo[./_\]Pgsql
+ERROR:\s\ssyntax error at or near
+Warning.*?\Wifx_
+SQ074: Line \d+:
+Syntax error 1. Missing
+<REGEX_LITERAL>
+MySQLSyntaxErrorException
+\[42000-192\]
+org\.h2\.jdbc
+Driver.*? SQL[\-\_\ ]*Server
+com\.mysql\.jdbc
+DriverSapDB
+com\.sap\.dbtech\.jdbc
+CLI Driver.*?DB2
+io\.prestosql\.jdbc
+com\.mckoi\.JDBCDriver
+org\.firebirdsql\.jdbc
+Sybase message
+Zend_Db_(Adapter|Statement)_Oracle_Exception
+-10048: Syntax error
+MemSQL does not support this type of query
+Warning.*?\Wibase_
+org\.hsqldb\.jdbc
+com\.sybase\.jdbc
+PSQLException
+com\.facebook\.presto\.jdbc
+Pdo[./_\]Firebird
+SQLCODE[=:\d, -]+SQLSTATE
+Dynamic SQL Error
+org\.postgresql\.util\.PSQLException
+ODBC Informix driver
+SQL syntax.*?MySQL
+check the manual that (corresponds to|fits) your MariaDB server version
+Unclosed quotation mark after the character string
+Pdo[./_\]Ibm
+-3014.*?Invalid end of SQL statement
+Microsoft SQL Native Client error '[0-9a-fA-F]{8}
+SQ200: No table
+com\.ibm\.db2\.jcc
+Microsoft Access (\d+ )?Driver
+PostgreSQL query failed
+Access Database Engine
+Pdo[./_\]Sqlite
+ODBC Driver \d+ for SQL Server
+SR185: Undefined procedure
+sqlite3.OperationalError:
+Syntax error,[^
+JET Database Engine
+Exception.*?Informix
+Warning.*?\Wmysqli?_
+Zend_Db_(Adapter|Statement)_Mysqli_Exception
+valid PostgreSQL result
+com\.jnetdirect\.jsql
+DB2Exception
+Informix ODBC Driver
+]+assumed to mean
+\[SQL Server\]
+oracle\.jdbc
+Warning.*?\Wpg_
+SQL error.*?POS([0-9]+)
+Syntax error: Encountered
+Npgsql\.
+SQLite error \d+:
+SQL(Srv|Server)Exception
+Ingres SQLSTATE
+com\.vertica\.dsi\.dataengine
+org\.apache\.derby
+UNION query has different number of fields: \d+, \d+
+IfxException
+weblogic\.jdbc\.informix
+Unknown column '[^ ]+' in 'field list'
+]+(failed|unexpected|error|syntax|expected|violation|exception)
+SQL command not properly ended
+com\.simba\.presto\.jdbc
+io\.crate\.client\.jdbc
+Sybase\.Data\.AseClient
+DB2 SQL error
+\[SQLITE_ERROR\]
+PostgreSQL.*?ERROR
+com\.informix\.jdbc
+Unexpected token.*?in statement \[
+Exception (condition )?\d+\. Transaction rollback
+A comparison operator is required here
+db2_\w+\(
+com\.ingres\.gcf\.jdbc
+ERROR 42X01
+OracleException
+(Semantic|Syntax) error [1-4]\d{2}\.
+Zend_Db_(Adapter|Statement)_Sqlsrv_Exception
+System\.Data\.SqlClient\.SqlException\.(SqlException|SqlConnection\.OnError)
+com\.mimer\.jdbc
+SQLiteException
+(Microsoft|System)\.Data\.SQLite\.SQLiteException
+check the manual that (corresponds to|fits) your Drizzle server version
+\[(Virtuoso Driver|Virtuoso iODBC Driver)\]\[Virtuoso Server\]
+Warning.*?\W(mssql|sqlsrv)_
+SQLSTATE\[\d+\]: Syntax error or access violation
+ODBC Microsoft Access
+MySqlException
+org\.postgresql\.jdbc
+Pdo[./_\]Informix
+Warning.*?\Wingres_
+com\.vertica\.jdbc
+encountered after end of query
+PG::SyntaxError:
+\[MonetDB\]\[ODBC Driver
+com\.microsoft\.sqlserver\.jdbc
+Ingres\W.*?Driver
+, Sqlstate: (3F|42).{3}, (Routine|Hint|Position):
+Pdo[./_\](Mssql|SqlSrv)
+ERROR: parser: parse error at or near
+MySqlClient\.
+com\.frontbase\.jdbc
+SQLite3::SQLException
+rdmStmtPrepare\(.+?\) returned
+SQLite\.Exception

active/txt/xss.txt

@@ -0,0 +1 @@
+"><img src=x onerror=alert()>