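# Alerts on an inbound HTTP GET to $HTTP_SERVERS whose URI contains option=, view= and
# list[select]= (case-insensitive) and whose headers contain no "Referer:" -- the request shape
# tied in msg to the Joomla SQL injection issues CVE-2015-7297, CVE-2015-7857 and CVE-2015-7858.
# Coverage limits: only the GET method is inspected and any request carrying a Referer header is
# skipped, so absence of alerts is weak evidence; confirm the Joomla patch level independently.
# NOTE(review): the pcre ends in ")?", which makes the whole SQL-keyword alternation optional, so
# the expression is already satisfied by "&list[select]=" alone. Confirm that breadth is intended
# before relying on the keyword list to limit false positives.
# Fix: the second cve reference read 2015-7587, a transposition of the CVE-2015-7857 named in msg.
# Bump rev when publishing this change so sensors pick up the corrected reference.
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible Joomla SQLi Attempt (CVE-2015-7297 CVE-2015-7857 CVE-2015-7858)"; flow:established,to_server; content:"GET"; http_method; content:"option="; http_uri; nocase; content:"view="; http_uri; nocase; content:"list[select]="; http_uri; nocase; fast_pattern; content:!"Referer|3a|"; http_header; pcre:"/&list\[select\]=[^\r\n&]*(?:(?:S(?:HOW (?:C(?:UR(?:DAT|TIM)E|HARACTER SET)|(?:VARI|T)ABLES)|ELECT (?:FROM|USER))|U(?:NION SELEC|PDATE SE)T|DELETE FROM|INSERT INTO)|S(?:HOW.+(?:C(?:HARACTER.+SET|UR(DATE|TIME))|(?:VARI|T)ABLES)|ELECT.+(?:FROM|USER))|U(?:NION.+SELEC|PDATE.+SE)T|DELETE.+FROM|INSERT.+INTO|\/\*.+\*\/)?/Ui"; reference:url,trustwave.com/Resources/SpiderLabs-Blog/Joomla-SQL-Injection-Vulnerability-Exploit-Results-in-Full-Administrative-Access; reference:cve,2015-7297; reference:cve,2015-7857; reference:cve,2015-7858; classtype:attempted-admin; sid:2021992; rev:2; metadata:created_at 2015_10_22, former_category WEB_SPECIFIC_APPS, updated_at 2020_06_04;)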

Added 2021-08-02 19:08:35 UTC


# Archived revision of sid 2021992 (metadata updated_at 2020_06_04): same content and pcre
# matches as the newest revision on this page, but with no cve references and
# classtype:trojan-activity.
# NOTE(review): trojan-activity describes malware traffic, not an inbound web-application attack;
# alert triage or priority mapping keyed on classtype will misfile hits from this revision.
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible Joomla SQLi Attempt"; flow:established,to_server; content:"GET"; http_method; content:"option="; http_uri; nocase; content:"view="; http_uri; nocase; content:"list[select]="; http_uri; nocase; fast_pattern; content:!"Referer|3a|"; http_header; pcre:"/&list\[select\]=[^\r\n&]*(?:(?:S(?:HOW (?:C(?:UR(?:DAT|TIM)E|HARACTER SET)|(?:VARI|T)ABLES)|ELECT (?:FROM|USER))|U(?:NION SELEC|PDATE SE)T|DELETE FROM|INSERT INTO)|S(?:HOW.+(?:C(?:HARACTER.+SET|UR(DATE|TIME))|(?:VARI|T)ABLES)|ELECT.+(?:FROM|USER))|U(?:NION.+SELEC|PDATE.+SE)T|DELETE.+FROM|INSERT.+INTO|\/\*.+\*\/)?/Ui"; reference:url,trustwave.com/Resources/SpiderLabs-Blog/Joomla-SQL-Injection-Vulnerability-Exploit-Results-in-Full-Administrative-Access; classtype:trojan-activity; sid:2021992; rev:2; metadata:created_at 2015_10_22, updated_at 2020_06_04;)

Added 2020-06-04 18:24:49 UTC


# Archived revision of sid 2021992 (metadata created_at and updated_at both 2015_10_22).
# Match: established client-to-server flow, method GET, URI containing option=, view= and
# list[select]= (nocase; list[select]= is the fast_pattern), and no "Referer:" in the headers.
# Detection gap: the negated Referer match means a request that carries a Referer header is
# never evaluated against the pcre, so this rule alone does not show the parameter went unused.
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible Joomla SQLi Attempt"; flow:established,to_server; content:"GET"; http_method; content:"option="; http_uri; nocase; content:"view="; http_uri; nocase; content:"list[select]="; http_uri; nocase; fast_pattern; content:!"Referer|3a|"; http_header; pcre:"/&list\[select\]=[^\r\n&]*(?:(?:S(?:HOW (?:C(?:UR(?:DAT|TIM)E|HARACTER SET)|(?:VARI|T)ABLES)|ELECT (?:FROM|USER))|U(?:NION SELEC|PDATE SE)T|DELETE FROM|INSERT INTO)|S(?:HOW.+(?:C(?:HARACTER.+SET|UR(DATE|TIME))|(?:VARI|T)ABLES)|ELECT.+(?:FROM|USER))|U(?:NION.+SELEC|PDATE.+SE)T|DELETE.+FROM|INSERT.+INTO|\/\*.+\*\/)?/Ui"; reference:url,trustwave.com/Resources/SpiderLabs-Blog/Joomla-SQL-Injection-Vulnerability-Exploit-Results-in-Full-Administrative-Access; classtype:trojan-activity; sid:2021992; rev:2; metadata:created_at 2015_10_22, updated_at 2015_10_22;)

Added 2018-09-13 19:51:51 UTC


Added 2018-09-13 18:00:28 UTC


# Archived revision of sid 2021992 (metadata created_at and updated_at both 2015_10_22).
# The pcre runs on the normalized URI (U), case-insensitively (i). After "&list[select]=" it
# lists SQL keyword pairs twice, once with a literal space and once separated by ".+", plus a
# "/* ... */" comment form.
# Coverage limit: content:"GET"; http_method restricts the rule to GET requests; other methods
# are not inspected.
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible Joomla SQLi Attempt"; flow:established,to_server; content:"GET"; http_method; content:"option="; http_uri; nocase; content:"view="; http_uri; nocase; content:"list[select]="; http_uri; nocase; fast_pattern; content:!"Referer|3a|"; http_header; pcre:"/&list\[select\]=[^\r\n&]*(?:(?:S(?:HOW (?:C(?:UR(?:DAT|TIM)E|HARACTER SET)|(?:VARI|T)ABLES)|ELECT (?:FROM|USER))|U(?:NION SELEC|PDATE SE)T|DELETE FROM|INSERT INTO)|S(?:HOW.+(?:C(?:HARACTER.+SET|UR(DATE|TIME))|(?:VARI|T)ABLES)|ELECT.+(?:FROM|USER))|U(?:NION.+SELEC|PDATE.+SE)T|DELETE.+FROM|INSERT.+INTO|\/\*.+\*\/)?/Ui"; reference:url,trustwave.com/Resources/SpiderLabs-Blog/Joomla-SQL-Injection-Vulnerability-Exploit-Results-in-Full-Administrative-Access; classtype:trojan-activity; sid:2021992; rev:2; metadata:created_at 2015_10_22, updated_at 2015_10_22;)

Added 2017-08-07 21:16:47 UTC


# Earliest revision of sid 2021992 shown on this page; it carries no metadata keyword.
# NOTE(review): the keyword alternation in the pcre is wrapped in "(?: ... )?", so it is optional
# and the expression matches any URI containing "&list[select]=". In effect the rule fires on the
# parameter's presence (GET, no Referer) rather than on SQL keywords; expect hits from any client
# that sends this parameter, and tune accordingly.
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible Joomla SQLi Attempt"; flow:established,to_server; content:"GET"; http_method; content:"option="; http_uri; nocase; content:"view="; http_uri; nocase; content:"list[select]="; http_uri; nocase; fast_pattern; content:!"Referer|3a|"; http_header; pcre:"/&list\[select\]=[^\r\n&]*(?:(?:S(?:HOW (?:C(?:UR(?:DAT|TIM)E|HARACTER SET)|(?:VARI|T)ABLES)|ELECT (?:FROM|USER))|U(?:NION SELEC|PDATE SE)T|DELETE FROM|INSERT INTO)|S(?:HOW.+(?:C(?:HARACTER.+SET|UR(DATE|TIME))|(?:VARI|T)ABLES)|ELECT.+(?:FROM|USER))|U(?:NION.+SELEC|PDATE.+SE)T|DELETE.+FROM|INSERT.+INTO|\/\*.+\*\/)?/Ui"; reference:url,trustwave.com/Resources/SpiderLabs-Blog/Joomla-SQL-Injection-Vulnerability-Exploit-Results-in-Full-Administrative-Access; classtype:trojan-activity; sid:2021992; rev:2;)

Added 2015-10-22 17:42:56 UTC

