
YARA rules for sqlmap

4 rules, scoped to this tool.
YARA rules whose family, name, or description matches this tool or its tooling. Use them for binary-pattern hunts over files and memory.

SQLMap (direct match; family: SQLMap)
Description: This signature detects the SQLMap SQL injection tool.
Author: Florian Roth (Nextron Systems). License: see source repo.
rule SQLMap {
   meta:
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      description = "This signature detects the SQLMap SQL injection tool"
      date = "01.07.2014"
      score = 60
      id = "55a72fe6-f82d-5d55-842f-5d7e1cfcc9fa"
   strings:
      $s1 = "except SqlmapBaseException, ex:"
   condition:
      1 of them
}
HKTL_SqlMap (direct match; family: SqlMap)
Description: Detects sqlmap hacktool.
Author: Florian Roth (Nextron Systems). License: see source repo.
rule HKTL_SqlMap {
   meta:
      description = "Detects sqlmap hacktool"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://github.com/sqlmapproject/sqlmap"
      date = "2018-10-09"
      hash1 = "9444478b03caf7af853a64696dd70083bfe67f76aa08a16a151c00aadb540fa8"
      id = "da2029dd-c4ce-557f-a409-c468fa3deef3"
   strings:
      $x1 = "if cmdLineOptions.get(\"sqlmapShell\"):" fullword ascii
      $x2 = "if conf.get(\"dumper\"):" fullword ascii
   condition:
      filesize < 50KB and 1 of them
}
HKTL_SqlMap_backdoor (direct match; family: SqlMap)
Description: Detects SqlMap backdoors.
Author: Florian Roth (Nextron Systems). License: see source repo.
rule HKTL_SqlMap_backdoor {
   meta:
      description = "Detects SqlMap backdoors"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://github.com/sqlmapproject/sqlmap"
      date = "2018-10-09"
      id = "bf09caac-cf15-5936-b5b4-df4f28788961"
   condition:
      (uint32(0) == 0x8e859c07 or
         uint32(0) == 0x2d859c07 or
         uint32(0) == 0x92959c07 or
         uint32(0) == 0x929d9c07 or
         uint32(0) == 0x29959c07 or
         uint32(0) == 0x2b8d9c07 or
         uint32(0) == 0x2b859c07 or
         uint32(0) == 0x28b59c07) and filesize < 2KB
}
CN_Honker_SqlMap_Python_Run (direct match)
Description: Sample from CN Honker Pentest Toolset, file Run.exe.
Author: Florian Roth (Nextron Systems). License: see source repo.
rule CN_Honker_SqlMap_Python_Run {
	meta:
		description = "Sample from CN Honker Pentest Toolset - file Run.exe"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		hash = "a51479a1c589f17c77d22f6cf90b97011c33145f"
		id = "308d929a-0f38-5db4-92c2-2a7bf25bb64f"
	strings:
		$s1 = ".\\Run.log" fullword ascii
		$s2 = "[root@Hacker~]# Sqlmap " fullword ascii
		$s3 = "%sSqlmap %s" fullword ascii
	condition:
		uint16(0) == 0x5a4d and filesize < 30KB and all of them
}
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin