Updated exec, default, fruit, sql and xss rules

wireghoul · Apr 9, 2024 · 772ec16 · 772ec16
1 parent 4d70b7e
commit 772ec16
Show file tree

Hide file tree

Showing 5 changed files with 35 additions and 20 deletions.
diff --git a/signatures/default.db b/signatures/default.db
@@ -1,6 +1,7 @@
 asm[[:space:]]+['"]['"]['"]
 unsafeAddr([[:space:]]+|[[:space:]]*\()
 addr[[:space:]]*\(
+fmt[[:space:]]*\([[:space:]]*['"][Ss][Ee][Ll][Ee][Cc][Tt][[:space:]]+.*\{[a-zA-Z0-9]+\]
 # Execution
 exec[[:space:]]*\([^;]*\$[\(\{]?[_a-zA-Z0-9][^\)]*\)[[:space:]]*[\);]
 passthru[[:space:]]*\(.*\)
@@ -20,6 +21,7 @@ eval[[:space:]]*\(.*\$.*\)
 (include|include_once|require|require_once)[[:space:]]*\([^\;\}\{]*\$.*\)
 print.*param[[:space:]]*\(.*\);
 extract[[:space:]]*\(\$_(GET|POST|REQUEST|COOKIE|SERVER)
+new[[:space:]]+\$_(GET|REQUEST|POST|COOKIE).*\(
 \.cookie[[:space:]]*\(.*\.(query|param)
 \.location\.hash\.slice[[:space:]]*\(
 .innerHTML[[:space:]]*=.*\.(location\.hash|query|param)

diff --git a/signatures/exec.db b/signatures/exec.db
@@ -5,6 +5,10 @@ new[[:space:]]+(System\.Diagnostic\.)?Process(StartInfo)?[[:space:]]*\(.*
 new[[:space:]]+Cli[[:space:]]*\(.*
 # via Microsoft.VisualBasic
 \.Shell[[:space:]]*\(.*
+exec\.Command[[:space:]]*\(
+syscall\.Exec[[:space:]]*\(
+os\.StartProcess[[:space:]]*\(
+session\.Run[[:space:]]*\(
 # Perl exec signatures
 exec(\s*\(|\s+).*\$.*\)?
 fork(\s*\(|\s+).*\)?
@@ -14,7 +18,7 @@ open(\s*\(?|\s+)*\$.*\)?
 # PHP - Execution
 assert([[:space:]]*\(|[[:space:]]+[\"\'])[^\)]+\)?
 exec([[:space:]]*\(|[[:space:]]+[\"\'])[^\)]+\)?
-`[^`]+\$[^`]+`
+`[^`]*\$[^`]+`
 passthru([[:space:]]*\(|[[:space:]]+[\"\'])[^\)]+\)?
 popen([[:space:]]*\(|[[:space:]]+[\"\'])[^\)]+\)?
 proc_close([[:space:]]*\(|[[:space:]]+[\"\'])[^\)]+\)?
@@ -24,6 +28,14 @@ proc_nice([[:space:]]*\(|[[:space:]]+).*\)?
 proc_terminate([[:space:]]*\(|[[:space:]]+).*\)?
 shell_exec([[:space:]]*\(|[[:space:]]+).*\)?
 system([[:space:]]*\(|[[:space:]]+[\"\']).*\)?
+\.instance_eval.*
+eval([[:space:]]*\(|[[:space:]]+[^\(])
+spawn([[:space:]]*\(|[[:space:]]+[^\(])
+system[[:space:]]*\(
+\.open[[:space:]]*\(
+\.(public_)?send[[:space:]]*\(
+`.*#\{[^`]+`
+File\.(read|new|open|delete)[[:space:]]*\(
 .*\=.*\!\!
 [a-z0-9A-Z]\.\!
 \.execSync[[:space:]]*\(

diff --git a/signatures/fruit.db b/signatures/fruit.db
@@ -1,5 +1,6 @@
 intent\.setData[[:space:]]*\([[:space:]]*Uri\.parse[[:space:]]*\([^\]*\)
-setIntent[[:space:]]*\([^\,]+\,[ _a-zA-Z0-9\.\(\)]+\.getIntent[[:space:]]*\(\)
+set(Intent|Result)[[:space:]]*\([^\,]+\,[[:space:]]*([_a-zA-Z0-9\.\(\)]+\.)?getIntent[[:space:]]*\(\)
+loadUrl[[:space:]]*\(.*getIntent\(\)\.getStringExtra
 \.rawQuery[[:space:]]*\([^\"\']+\)
 \.rawQuery[[:space:]]*\(.*[\"\'][[:space:]]*\+[[:space:]]*[^\"\']+
 printf[[:space:]]*\([[:space:]]*[^\,\'\"]+[[:space:]]*\)[[:space:]]*\;
@@ -26,17 +27,14 @@ Process.Start[[:space:]]*\(.*\+
 \.Arguments[[:space:]]*=(.*[\'\"][[:space:]]*\+[[:space:]]*[^\'\"]+|.*[^\'\"]+[[:space:]]*\+[[:space:]]*[\'\"])
 \.SelectNodes[[:space:]]*\(.*[\'\"][[:space:]]*\+[[:space:]]*[^\'\"]+
 ReadAllBytes[[:space:]]*\(.*[Rr]equest
-\.WriteString\(.*URL\.Query\(\).*\)
-\.Write\(.*URL.Query\(\).*\)
-\.Println\(.*URL.Query\(\).*\)
-\.Raw\(.*URL.Query\(\).*\)
-\.Query\(.*URL.Query\(\).*\)
-\.QueryContext\(.*URL.Query\(\).*\)
-\.QueryRow\(.*URL.Query\(\).*\)
-\.QueryRowContext\(.*URL.Query\(\).*\)
-\.Exec\(.*URL.Query\(\).*\)
-\.ExecContext\(.*URL.Query\(\).*\)
-\.Open\(.*URL.Query\(\).*\)
+\.Write(String)?[[:space:]]*\(.*URL\.Query[[:space:]]*\(.*\)
+\.Println[[:space:]]*\(.*URL.Query[[:space:]]*\(.*\)
+\.Raw[[:space:]]*\(.*URL.Query[[:space:]]*\(.*\)
+\.Query(Row)?(Context)?[[:space:]]*\(.*URL.Query[[:space:]]*\(.*\)
+\.Exec(Context)?[[:space:]]*\(.*URL.Query[[:space:]]*\(.*\)
+\.Open[[:space:]]*\(.*URL.Query[[:space:]]*\(.*\)
+SELECT[[:space:]]+.*%s
+\.Where[[:space:]]*\(.*%s
 response.sendRedirect[[:space:]]*\(.*([Rr]eq(uest)?|\.[Gg]et[Pp]aram).*\)
 out\.print(ln)?.*([Rr]eq(uest)?|\.[Gg]et[Pp]aram)
 <%=([Rr]equest|\.[Gg]et[Pp]aram)

diff --git a/signatures/sql.db b/signatures/sql.db
@@ -11,6 +11,7 @@ exec[[:space:]]*@
 execute[[:space:]]*@
 executestatement[[:space:]]*\(
 executeSQL[[:space:]]*\(
+\.ExecuteSqlRaw[[:space:]]*\(
 #setfilter
 executeQuery[[:space:]]*\(
 GetQueryResultInXML[[:space:]]*\(
@@ -42,13 +43,10 @@ StoredProcedure[[:space:]]*\(
 (LIKE|like)[[:space:]]+[^\(\)\;]+(\{[0-9]+\}|[\'\"][[:space:]]+\+)
 (ORDER[[:space:]]+BY|order[[:space:]]+by)[[:space:]]+.*(\{[0-9]+\}|[\'\"][[:space:]]+\+)
 (LIMIT|limit)[[:space:]]+.*(\{[0-9]+\}|[\'\"][[:space:]]+\+)
-\.Raw\(.*\)
-\.Query\(.*\)
-\.QueryContext\(.*\)
-\.QueryRow\(.*\)
-\.QueryRowContext\(.*\)
-\.Exec\(.*\)
-\.ExecContext\(.*\)
+\.Raw[[:space:]]*\(.*\)
+\.Exec[[:space:]]*\(.*\)
+\.ExecContext[[:space:]]*\(.*\)
+\.Query(Row(Context)?)?[[:space:]]*\(
 #MongoDB rules
 \.connect\(
 \.createCollection\(
@@ -103,6 +101,8 @@ px_.*[[:space:]]*\(.*\$.*\)
 ovrimos_.*[[:space:]]*\(.*\$.*\)
 maxdb_.*[[:space:]]*\(.*\$.*\)
 db2_.*[[:space:]]*\(.*\$.*\)
+[Ww][Hh][Ee][Rr][Ee][[:space:]]+.*=[[:space:]]*\{\}
+[Aa][Nn][Dd][[:space:]]+.*=[[:space:]]*\{\}
 (WHERE|where)[[:space:]]+.*=.*[\'\"][[:space:]]*\+.*
 [\'\" ]+AND[[:space:]]+.*=.*\+.*
 (LIKE|like)[[:space:]]+[^\;]+\+.*

diff --git a/signatures/xss.db b/signatures/xss.db
@@ -10,6 +10,9 @@ QueryUnescape\(.*
 <%=.*[Rr]equest\.
 response.sendRedirect[[:space:]]*\(.*[Rr]equest.*\)
 <c:out.*\$\{param
+renderToString[[:space:]]*\(
+to_html[[:space:]]*\(
+\.render[[:space:]]*\(
 # Perl xss signatures
 print[[:space:]]*.*\$.*->param\(?.*\)?
 # PHP xss signatures