Phoenix
Sigma IntelligenceBeta
Phoenix Studio

Convert indexed Sigma rules into analyst-ready detections.

This studio is built around Phoenix's own rule corpus, not a blank editor. Search by title or rule id, choose a live sigma-cli backend, then reveal pipelines only when you actually need them.

Browse RulesExplore Ecosystem

Indexed Rules

3,707

Ready to search

Backends

17

Live from sigconverter.io

CLI Versions

10

Newest: 2.0.2

Translation Workspace

Shape the rule before it leaves Phoenix

Tune Translation

Active Rule

SQL Injection Strings In URI

Target Profile

Splunk

Splunk SPL & tstats data model queries

Format Mode

Default

Plain SPL queries

Conversion Output

SQL Injection Strings In URI

Using Splunk · Default · sigma-cli 2.0.2

Translation controls

Adjust the rule on the left, then regenerate when you want a fresh backend-native query.

BackendSplunkFormatDefaultVersion2.0.2
title: SQL Injection Strings In URI
id: 5513deaf-f49a-46c2-a6c8-3f111b5cb453
status: test
description: Detects potential SQL injection attempts via GET requests in access logs.
references:
    - https://www.acunetix.com/blog/articles/exploiting-sql-injection-example/
    - https://www.acunetix.com/blog/articles/using-logs-to-investigate-a-web-application-attack/
    - https://brightsec.com/blog/sql-injection-payloads/
    - https://github.com/payloadbox/sql-injection-payload-list
    - https://book.hacktricks.xyz/pentesting-web/sql-injection/mysql-injection
author: Saw Win Naung, Nasreddine Bencherchali (Nextron Systems), Thurein Oo (Yoma Bank)
date: 2020-02-22
modified: 2023-09-04
tags:
    - attack.initial-access
    - attack.t1190
logsource:
    category: webserver
detection:
    selection:
        cs-method: 'GET'
    keywords:
        - '@@version'
        - '%271%27%3D%271'
        - '=select '
        - '=select('
        - '=select%20'
        - 'concat_ws('
        - 'CONCAT(0x'
        - 'from mysql.innodb_table_stats'
        - 'from%20mysql.innodb_table_stats'
        - 'group_concat('
        - 'information_schema.tables'
        - 'json_arrayagg('
        - 'or 1=1#'
        - 'or%201=1#'
        - 'order by '
        - 'order%20by%20'
        - 'select * '
        - 'select database()'
        - 'select version()'
        - 'select%20*%20'
        - 'select%20database()'
        - 'select%20version()'
        - 'select%28sleep%2810%29'
        - 'SELECTCHAR('
        - 'table_schema'
        - 'UNION ALL SELECT'
        - 'UNION SELECT'
        - 'UNION%20ALL%20SELECT'
        - 'UNION%20SELECT'
        - "'1'='1"
    filter_main_status:
        sc-status: 404
    condition: selection and keywords and not 1 of filter_main_*
falsepositives:
    - Java scripts and CSS Files
    - User searches in search boxes of the respective website
    - Internal vulnerability scanners can cause some serious FPs when used, if you experience a lot of FPs due to this think of adding more filters such as "User Agent" strings and more response codes
level: high

CLI command

Copy the exact command to reproduce this translation locally.

sigma convert --without-pipeline -t splunk -f default rules/web/webserver_generic/web_sql_injection_in_access_logs.yml