复制
id: generic-db
info:
name: Generic Database File - Exposure
author: Michal Mikolas (nanuqcz)
severity: high
description: |
This is collection of some web frameworks recommendation or default configuration for SQLite database file location. If this file is publicly accessible due to server misconfiguration, it could result in application data leak including users sensitive data, password hashes etc.
reference:
- https://laravel.com/docs/11.x/database#sqlite-configuration # database/database.sqlite
- https://laravel.com/docs/5.2/database # database/database.sqlite
- https://github.com/laracasts/larabook/blob/master/app/config/database.php#L51 # app/database/production.sqlite
- https://forum.codeigniter.com/post-389846.html # writable/db.sqlite3
- https://github.com/codeigniter4projects/playground/blob/develop/.env.example#L33 # writable/database.db
- https://symfony.com/doc/current/doctrine.html#configuring-the-database # var/app.db
- https://symfony.com/doc/4.x/doctrine.html#configuring-the-database # var/app.db
- https://symfony.com/doc/3.x/doctrine.html # app/sqlite.db
- https://symfony.com/doc/2.x/doctrine.html # sqlite.db
- https://openclassrooms.com/forum/sujet/symfony3-sqlite-could-not-create-database # var/data/db.sqlite
- https://symfony.com/doc/current/reference/configuration/doctrine.html#doctrine-dbal-configuration # var/data/data.sqlite
- https://stackoverflow.com/questions/31762878/sqlite-3-database-with-django # db.sqlite3
- https://medium.com/@codewithbushra/using-sqlite-as-a-database-backend-in-django-projects-code-with-bushra-d23e3100686e # db.sqlite3
- https://gist.github.com/jwo/4512764?permalink_comment_id=2235763#gistcomment-2235763 # db/production.sqlite3
- https://stackoverflow.com/a/30345819/1632572 # db/production.sqlite3
- https://developerhowto.com/2018/12/29/build-a-rest-api-with-node-js-and-express-js/ # db.sqlite
- https://sqldocs.org/sqlite/sqlite-nodejs/ # mydb.sqlite
- https://stackoverflow.com/questions/41620788/error-database-connection-sqlite-is-missing-or-could-not-be-created-cakephp # app/data/app_db.sqlite
- https://stackoverflow.com/questions/2722383/using-sqlite3-with-cakephp # app/webroot/database.sqlite, app/database.sqlite
- https://levelup.gitconnected.com/how-to-connect-and-use-the-sqlite-database-in-codeigniter-3-48cd50d3e78d # application/databases/db.sqlite
- https://turmanauli.medium.com/how-to-connect-codeigniter-to-sqlite3-database-like-a-pro-2177497a6d30 # application/db/database.sqlite
- https://forum.codeigniter.com/thread-74522.html # application/Database/db1.db
- https://stackoverflow.com/a/37088960/1632572 # application/database/data.db
- https://docs.laminas.dev/tutorials/getting-started/database-and-models/ # data/*.db
- https://phalcon-nucleon.github.io/#!database/getting-started.html # storage/database/database.sqlite
- https://www.yiiframework.com/doc/blog/1.1/en/prototype.database # protected/data/*.db
- https://pusher.com/tutorials/rest-api-slim-part-1/ # db/database.db
- https://www.digitalocean.com/community/tutorials/how-to-use-the-fat-free-php-framework # db/database.sqlite
- https://doc.nette.org/en/database/configuration#toc-single-connection # app/Model/*.db
- https://www.sqlite.org/fileformat.html # SQLite file always starts with "SQLite format {sqlite_version}"
- https://en.wikipedia.org/wiki/List_of_file_signatures # SQLite binary signature: 53 51 4C 69 74 65 20 66 6F 72 6D 61 74 20
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
metadata:
max-request: 89
tags: files,database,exposure,sqlite,sqlite3,fuzz,sqli,vuln
http:
- method: GET
path:
- "{{BaseURL}}/{{path}}"
payloads:
path:
- database/database.sqlite
- database/production.db
- database/production.sqlite
- database/production.sqlite3
- app/database/production.sqlite
- writable/db.sqlite3
- writable/database.db
- var/app.db
- var/data/db.sqlite
- var/data/data.sqlite
- app/sqlite.db
- sqlite.db
- db.sqlite3
- db/production.sqlite3
- db.sqlite
- mydb.sqlite
- app/data/app_db.sqlite
- app/webroot/database.sqlite
- app/database.sqlite
- application/databases/db.sqlite
- application/db/database.sqlite
- application/Database/db1.db
- application/database/data.db
- data/app.db
- data/sqlite.db
- data/sqlite3.db
- data/database.db
- data/production.db
- storage/database/database.sqlite
- protected/data/app.db
- protected/data/sqlite.db
- protected/data/sqlite3.db
- protected/data/database.db
- protected/data/production.db
- db/database.db
- db/database.sqlite
- app/Model/app.db
- app/Model/sqlite.db
- app/Model/sqlite3.db
- app/Model/database.db
- app/Model/production.db
- app.db
- sqlite3.db
- app.sqlite
- app.sqlite3
- database.db
- database.sqlite
- database.sqlite3
- production.db
- production.sqlite
- production.sqlite3
- db/db.sqlite
- db/db.sqlite3
- db/sqlite.db
- db/sqlite3.db
- db/app.db
- db/app.sqlite
- db/app.sqlite3
- db/database.sqlite3
- db/production.db
- db/production.sqlite
- app/db.sqlite
- app/db.sqlite3
- app/sqlite3.db
- app/app.db
- app/app.sqlite
- app/app.sqlite3
- app/database.db
- app/database.sqlite3
- app/production.db
- app/production.sqlite
- app/production.sqlite3
- data/db.sqlite
- data/db.sqlite3
- data/app.sqlite
- data/app.sqlite3
- data/database.sqlite
- data/database.sqlite3
- data/production.sqlite
- data/production.sqlite3
- database/db.sqlite
- database/db.sqlite3
- database/sqlite.db
- database/sqlite3.db
- database/app.db
- database/app.sqlite
- database/app.sqlite3
- database/database.db
- database/database.sqlite3
stop-at-first-match: true
matchers:
- type: dsl
dsl:
- 'startswith(body, "SQLite")' # SQLite file always starts with "SQLite format {sqlite_version}"
- 'contains(body, "CREATE TABLE")' # SQLite file usually contains "CREATE TABLE", meaning there is at least one table
- '!contains(body, "<html")'
- 'status_code == 200'
condition: and
# digest: 490a00463044022007c1d7dab7bd6a99d33fe666d1c87a12250f0a77e6aa36020b39d521be4028d602206a58aa2e41848e9c9c10197018d1a5fff92d7fd642dba77beacfef0a75f1fe46:922c64590222798bb761d5b6d8e72950