Regex to match json operator for SQLi

I need to convert these into CF regex and need some guidance on how to do it. Does anyone have any pointers to share?

['"`]\sor[\s\S]{1,50}({['"][\s\S]{1,50}['"]:[\s\S]{1,50}})[\s\S]{1,20}(?||?&)\sarray([(?:'?[\s\S]{1,50}'?)]\s?)(?:;|--|#|$)

May I ask if you're using a plan type which supports Regex, and are you trying to use it on Firewall Rules or somewhere else? :thinking:

In short, may I ask what it should match? Could you share an example (change the domain name, etc.), bracketed or as preformatted text in case you cannot post links here?

Hello Fritex,

I do have a Pro plan and above to perform regex. This is to capture using custom firewall rules.

Here is a sample of the payloads I am trying to capture:

[07:23:05] [PAYLOAD] ' and '["YjkeMhHf", "zu", "k"]'::jsonb->>1 = 'zu' union select null-- tfdj
[07:23:35] [PAYLOAD] ' and ('{"gZpjqdTXmOMB" : 3921, "IQItwTLQKNFhfu" : 4045, "gR" : 3736}'::jsonb%23>>'{gR}')::int8 = 3736 union select null,null-- nato
[07:24:05] [PAYLOAD] ' and ('{"VL" : 9888, "CbjKDRRrx" : 8105, "VAiTrLybnEYPErv" : 842}'::jsonb%23>>'{CbjKDRRrx}')::int8 = 8105 union select null,null,null-- oloa
[07:24:35] [PAYLOAD] ' and '["QNshScXhL", "UV", "oQkG"]'::jsonb->>1 = 'UV' union select null,null,null,null-- fwyz
[07:25:05] [PAYLOAD] ' and '["IfLdu", "MmZbdbjeXQXoI", "jjfcmvsCqHgSJMy"]'::jsonb->>0 = 'IfLdu' union select null,null,null,null,null-- wtjs
[07:25:35] [PAYLOAD] ' and ('{"nWI" : 3352, "YKO" : 8059, "dSsAOfxGC" : 6895}'::jsonb%23>>'{YKO}')::int8 = 8059 union select null,null,null,null,null,null-- flnf
[07:26:06] [PAYLOAD] ' and ('{"jpVtlBBUPFodP" : 6286, "znpvYVOwxi" : 3580, "z" : 9186}'::jsonb%23>>'{jpVtlBBUPFodP}')::int8 = 6286 union select null,null,null,null,null,null,null-- eucp
[07:26:36] [PAYLOAD] ' and '{"GWC" : "WleQ", "tsVi" : "o", "wZpUIt" : "bxssWVRfINlz"}'::jsonb%23>>'{tsVi}' = 'o' union select null,null,null,null,null,null,null,null-- afsz
[07:27:06] [PAYLOAD] ' and '["urtVCPlwQf", "QjCwQYS", "FCXW"]'::jsonb->>1 = 'QjCwQYS' union select null,null,null,null,null,null,null,null,null-- cmob
[07:27:36] [PAYLOAD] ' and '{"wDjc" : "wnWYwHwr", "Jm" : "rev", "FEUxnj" : "NBLELFL"}'::jsonb->>'Jm' = 'rev' union select null,null,null,null,null,null,null,null,null,null-- ojnt

Hello Fritex,

Here is another syntax I want to convert:
['"`]\sor[\s\S]{1,50}'([(?:'?[\s\S]{1,50}'?)]\s?)'::jsonb?[\s\S]{0,50}(?:->>)[\s\S]{1,50}(?:;|--|#|$)

This will match the payloads I have posted.
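An added example, not part of the thread and not Cloudflare's own rule: a Python harness for checking a candidate detection pattern against payloads of the shape posted above before deploying it. It assumes the target engine is the Rust regex crate (no lookaround, no backreferences), so the pattern uses only syntax both engines share; the pattern itself, the function names and the benign strings are constructed here, and it accepts both `and` and `or` after the quote.

```python
import re
from urllib.parse import unquote

# Restricted to syntax that Python's re and the Rust regex crate share:
# no lookaround, no backreferences, bounded repetition only.
JSON_OP_SQLI = re.compile(
    r"""(?i)['"`]\s*(?:and|or)\b"""                 # quote break-out + boolean keyword
    r"""[\s\S]{0,20}?'[\[{][\s\S]{1,200}?[\]}]'"""  # quoted JSON array/object literal
    r"""\s*::\s*jsonb?\b"""                         # PostgreSQL cast to json/jsonb
    r"""[\s\S]{0,20}?(?:#>>?|->>?)"""               # JSON extraction operator
)

# Pasted payloads often carry typographic quotes; map them back to ASCII.
QUOTES = str.maketrans({"\u2018": "'", "\u2019": "'", "\u201c": '"', "\u201d": '"'})

def normalise(value: str) -> str:
    """URL-decode (so %23 becomes #) and straighten quotes before matching."""
    return unquote(value).translate(QUOTES)

def is_json_operator_sqli(value: str) -> bool:
    return JSON_OP_SQLI.search(normalise(value)) is not None

SAMPLES = [
    # Two payloads copied from the thread, quotes straightened.
    ("""' and '["YjkeMhHf", "zu", "k"]'::jsonb->>1 = 'zu' union select null-- tfdj""", True),
    ("""' and ('{"gZpjqdTXmOMB" : 3921, "IQItwTLQKNFhfu" : 4045, "gR" : 3736}'"""
     """::jsonb%23>>'{gR}')::int8 = 3736 union select null,null-- nato""", True),
    # Constructed benign inputs that must not be flagged.
    ("""{"name": "O'Brien", "tags": ["a", "b"]}""", False),
    ("Tom' or Jerry", False),
    ("how do I use data->>'name' in postgres", False),
]

def misclassified(samples=SAMPLES):
    """Return every sample whose verdict differs from the expected one."""
    return [v for v, expected in samples if is_json_operator_sqli(v) != expected]

if __name__ == "__main__":
    for value, _ in SAMPLES:
        print(is_json_operator_sqli(value), value[:60])
```

The URL-decoding step happens in `normalise` here; in a firewall rule the field has to be decoded before matching as well, otherwise `%23>>` never matches `#>>`.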

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.