Show signatures

ID	Sign
1	\s\{.?;\s\}\s;
2	\s\{.?$.?$.?=>.*?\'
3	\{\{.*?\}\}
4	\bfind_in_set\b.*?$.+?,.+?$
5	["'].*?>;
6	\bsqlite_master\b
7	\bmysql.?\..?user\b
8	#.+?\)[";\s]*>;
10	>;.?<;\s\/?[\w\s]+>;
11	\blocation\b.?\..?\bhash\b
12	\bwith\b\s*$.+?$[\s\w]+\(
13	(\b(do\|while\|for)\b.?$[^)]$.?\{)\|(\}.?\b(do\|while\|for)\b.?$[^)]$)
15	\.\.[\/\\]
16	%(c0\.\|af\.\|5c\.)
18	\.(ht(access\|passwd\|group))\|(apache\|httpd)\d?\.conf
19	\/etc\/[.\/].\/(passwd\|shadow\|master\.passwd)
23	php:\/\/filter
24	php:\/\/input
25	convert\.base64-(de\|en)code
26	php:\/\/output
27	zlib\.(de\|in)flate
29	@import\b
31	\)\s*\[
32	<\?(?!xml\s)
33	%(HOME(DRIVE\|PATH)\|SYSTEM(DRIVE\|ROOT)\|WINDIR\|USER(DOMAIN\|PROFILE\|NAME)\|((LOCAL)?APP\|PROGRAM)DATA)%
34	\bunion\b.+?\bselect\b
36	\bupdate\b.+?\bset\b
37	\bdrop\b.+?\b(database\|table)\b
38	\bdelete\b.+?\bfrom\b
39	--.+?
41	<!-.+?-->;
42	<base\b.+?\bhref\b.+?>;
43	<(applet\|object\|embed\|audio\|video\|img\|svg)
44	<!(element\|entity\|\[CDATA)
45	<a\b.+?\bhref\b
46	<(html\|body\|meta\|link\|i?frame\|script\|map)
47	<(form\|button\|input\|keygen\|textarea\|select\|option)
48	(?:<!\w)(boot\.ini\|global\.asa\|sam)\b
49	\bon\w+\s*=
50	\b(chrome\|file):\/\/
51	&;#?(\w+);
52	^(\s)\\|\|\\|(\s)$
53	<;!--\W?#\W?(cmd\|echo\|exec\|include\|printenv)\b
54	\{\s\w+\s:\s[+-]?\s\d+\s:.?\}
55	\bcall_user_func\b.*?$.+?$
56	\bcreate_function\b.*?$.+?$
57	\beval\b.*?($.+?$\|\{.+?\})
58	\bexec\b.*?$.+?$
59	\bf(get\|open\|read\|write)\b.*?$.+?$
60	\bfile_(get\|put)_contents\b.*?$.+?$
61	\bmove_uploaded_file\b.*?$.+?$
62	\bpassthru\b.*?$.+?$
63	\bp(roc_)?open\b.*?$.+?$
64	\breadfile\b.*?$.+?$
65	\bshell_exec\b.*?$.+?$
68	\binclude(_once)?\b.*?;
70	[\n\r]\s\b(?:to\|b?cc)\b\s:.*?\@
71	\brequire(_once)?\b.*?;
72	\bdocument\b.*?\.
73	\\|\(\w+=
74	\bload\b.?\bdata\b.?\binfile\b.?\binto\b.?\btable\b
75	\bwaitfor\b.*?\b(delay\|time(out)?)\b
76	\b(current_)?user\b.?$.?$
78	\bwhere\b.+?(\b(n?and\|x?or\|not)\b\|(\&;\&;\|\\|\\|))
79	\bselect\b.+?\bfrom\b
80	\+=\s\(\s['";]
81	\bbenchmark\b.*?$.+?,.+?$
82	\b(group_)?concat(_ws)?\b.*?$.+?$
83	\b(from\|to)_base64\b.*?$.+?$
87	\bpg_user\b
88	\{\s$\s\{.+?\}\s*\}
89	@(cc_on\|set)\b
90	\bwindow\b.*?\.
91	\bload_file\b.*?$.+?$
92	\bselect\b.?\binto\b.?\b(out\|dump)file\b
93	\b(char_\|bit_)?length\b.*?$.+?$
94	\boct\b.*?$.+?$
95	\bwhere\b.+?(\b(not_)?(like\|regexp)\b\|[=<;>;])
97	\bpg_database\b
98	\bfirefoxurl\s*:
100	\bfunction\b[^(]$[^)]$
102	\b(un)?hex\b.*?$.+?$
103	\bord\b.*?$.+?$
106	\b(current_)?database\b.?$.?$
107	\bwyciwyg\s*:
108	=\s\w+\s\+\s*['";]
109	\bsleep\b.*?$.+?$
110	\binformation_schema\b
111	\bsubstr(ing(_index)?)?\b.*?$.+?,.+?$
112	\bascii\b.*?$.+?$
113	\bcha?r\b.*?$.+?$
119	[\"'`];?\s?union\b\s?[^\s]
122	phpinfo(\s*)\(
123	(?:\\\/\\w\\s\\)\\s\$)\|(?:\\([\\w\\s]+\\([\\w\\s]+\$[\\w\\s]+\\))\|(?:(?<!(?:mozilla\\\/\\d\\.\\d\\s))\$[^)[]+\\[[^\\]]+\\][^)]\$)\|(?:[^\\s!][{([][^({[]+[{([][^}\\])]+[}\\])][\\s+\",\\d][}\\])])\|(?:\"\\)?\\]\\W\\[)\|(?:=\\s[^\\s:;]+\\s[{([][^}\\])]+[}\\])];)
127	%c0%ae[\/\\\]
172	(?!.methodcall.)((?:\"[^\"][^-]?>)\|(?:[^\\w\\s]\\s\\\/>)\|(?:>\"))
173	\b(?:(?:[;]+\|(<[?%](?:php)?)).[^\\w](?:echo\|print\|print_r\|var_dump\|[fp]open))\|(?:;\\srm\\s+-\\w+\\s+)\|(?:;.{.\\$\\w+\\s=)\|(?:\\$\\w+\\s\\[\\]\\s=\\s)\b
175	(?:(\\%SYSTEMROOT\\%))
176	(?:(union(.)select(.)from))
177	(?:procedure\\s+analyse\\s\$)\|(?:;\\s(declare\|open)\\s+[\\w-]+)\|(?:create\\s+(procedure\|function)\\s\\w+\\s\\(\\s\$\\s-)\|(?:declare[^\\w]+[@#]\\s\\w+)\|(exec\\s\\(\\s*@)
178	(?:(?:\\&&+)(?:(?:\\s+)?ls\|cat\|(?:\\?\\?)+\|ls\|type\|whoami\|dir\|cat\|curl\|wget\|id\|bin\|bash\|ifconfig))
179	(?:create\\s+function\\s+\\w+\\s+returns)\|(?:;\\s(?:select\|create\|rename\|truncate\|load\|alter\|delete\|update\|insert\|desc)\\s[\\[(]?\\w{2,})
180	(?i:(?:'\|%27)(?:.\|%20)(?i:OR\|AND\|UNION))
181	(?:[\\w.-]+@[\\w.-]+%(?:[01][\\db-ce-f])+\\w+:)
182	(?:function[^(]$[^)]$)\|(?:(?:delete\|void\|throw\|instanceof\|new\|typeof)[^\w.]+\w+\s[([])\|([)\]]\s\.\s\w+\s=)\|(?:$\snew\s+\w+\s$\.)
183	([^\\s\\w,.\\\/?+-]\\s)?(?<![a-mo-z]\\s)(?<![a-z\\\/_@])(\\sreturn\\s)?(?:alert\|inputbox\|showmod(?:al\|eless)dialog\|showhelp\|infinity\|isnan\|isnull\|iterator\|msgbox\|executeglobal\|expression\|prompt\|write(?:ln)?\|confirm\|dialog\|urn\|(?:un)?eval\|exec\|execscript\|tostring\|status\|execute\|window\|unescape\|navigate\|jquery\|getscript\|extend\|prototype)(?(1)[^\\w%\"]\|(?:\\s*[^@\\s\\w%\",.:\\\/+\\-]))
184	(?:(?:msgbox\|eval)\\s\\+\|(?:language\\s=\\*vbscript))
185	(?:(select\|.)\\s+(?i:benchmark\|if\|sleep)\\s?\\(\\s\\(?\\s*\\w+)
186	(?:#@~\\^\\w+)\|(?:\\w+script:\|@import[^\\w]\|;base64\|base64,)\|(?:\\w\\s*\$[\\w\\s]+,[\\w\\s]+,[\\w\\s]+,[\\w\\s]+,[\\w\\s]+,[\\w\\s]+\$)
187	([^:\\s\\w,.\\\/?+-]\\s)?(?<![a-z]\\s)(?<![a-z\\\/_@\\-\\\|])(\\sreturn\\s)?(?:create(?:element\|attribute\|textnode)\|[a-z]+events?\|setattribute\|getelement\\w+\|appendchild\|createrange\|createcontextualfragment\|removenode\|parentnode\|decodeuricomponent\|\\wettimeout\|(?:ms)?setimmediate\|option\|useragent)(?(1)[^\\w%\"]\|(?:\\s*[^@\\s\\w%\",.+\\-]))
188	%2e%2e%2f
189	%252e%252e%252f
190	%c0%ae%c0%ae%c0%af
191	%uff0e%uff0e%u2215
192	%uff0e%uff0e%u2216
193	php://filter/read=string\.rot13/resource=
194	php://filter/convert\.iconv\.utf-8\.utf-16/resource=
195	php://filter/convert\.base64-encode/resource=
196	zip://
197	data://text/plain
198	php://input
199	phar://
200	/proc/self/
201	/var/lib/./sess_.
202	\.git
203	\.svn
204	\.htaccess
205	web\.config
206	\.htpasswd
207	httpd\.conf
208	\*\)\)%00
209	\)$cn=$\)\x00
210	\*\\|%26'
211	\*\\|&'
212	\$\\|\(mail=\$\)
213	\$\\|\(objectclass=\$\)
214	\)(uid=\\)\)\(\\|\(uid=\*
215	app\.request\.server\.all
216	file_excerpt
217	_self\.env\.registerUndefinedFilterCallback
218	_self\.env\.loadTemplate
219	_self\.env\.getFilter
220	\{\$smarty.version\}
221	Smarty_Internal_Write_File:
222	ENTITY .* SYSTEM
223	xmlns:xi="http://www.w3.org/2001/XInclude"
224	<img src=.* onerror
225	<svg.*onload
226	<div onpointerover=
227	<div onpointerdown=
228	<div onpointerenter=
229	<div onpointerleave=
230	<div onpointermove=
231	<div onpointerout=
232	<div onpointerup=
233	php:function
234	0e462097431906509019562988736854
235	0e830400451993494058024219903391
236	0e291659922323405260514745084877
237	0e291242476940776845150308577824
238	06da5430449f8f6f23dfc1276f722738
239	0e07766915004133176347055865026311692244
240	0e281250946775200129471613219196999537878926740638594636
241	0e46289032038065916139621039085883773413820991920706299695051332
242	0e66298694359207596086558843543959518835691168370379069085300385
243	/cast/i
244	/query_to_xml/i
245	/PG_SLEEP\|GENERATE_SERIES/i
246	/pg_read_file\|pg_ls_dir/i
247	/lo_from_bytea\|lo_put\|lo_export/i
248	/CHR\(/i
249	\$\$([a-zA-Z0-9])\$\$
250	\$ne\|\$gt\|\$lt\|\$nin\|\$regex\|\$eq\|\$in\|\$where\|\$or
251	/\$where:\|\$comment/i
252	this\.[a-zA-Z]
253	/python -c\| py -c/i
254	os\.\|subprocess\.\|lambda [_a-zA-Z]
255	__main__\|import [a-zA-Z0-9_]\|from [a-zA-Z0-9_]
256	\${[a-zA-Z0-9_]}\|{{[a-zA-Z0-9_]}}\|<#[ a-zA-Z0-9_]>
257	\b(ALTER\|CREATE\|DELETE\|DROP\|EXEC(UTE){0,1}\|INSERT( +INTO){0,1}\|MERGE\|SELECT\|UPDATE\|UNION( +ALL){0,1})\b
258	\/var\/spool\/cron\..*
259	^.\bUNION SELECT.
260	(?i)\.((((\w){1,5})\|application)\.(exe\|pif\|application\|gadget\|ms[ipc]\|com\|hta\|cpl\|jar\|bat\|cmd\|vb[se]?\|jse?\|ws[fch]?\|ps[12](xml)?\|psc[12]\|msh\d?(xml)?\|scf\|lnk\|inf\|reg\|do[ct](m)?\|xl[sta](m)?\|p[po][tas](m)?\|sldm))
261	(?i)onload=function{[a-zA-Z]+\.[a-zA-Z]+$[a-zA-Z]+\.[a-zA-Z]+$\};x\.open$"GET","file:\/\/\/\/wp-config"$;x\.send;<\/script>
262	(?i)onload=function{[a-zA-Z]+\.[a-zA-Z]+$[a-zA-Z]+\.[a-zA-Z]+$\};x\.open$"GET","file:\/\/\/\/wp-config.php_old"$;x\.send;<\/script>
263	(?i)(python\|os\|system\|bat\|exec).*(bin\/)?(:!\|:)?(sh\|bash\|shell\|cmd\|powershell)
264	^updatexml$\d,concat\(\d[a-zA-Z]+,[a-zA-Z]+\($\),\d\)$
265	"\/><img\/onerror=\\x0Ajavascript:alert$1$\\x0Asrc=xxx:x\s\/>
266	/\b.alert$document\.cookie$.\s/gm
267	SELECT
268	nwaftest
269	\{\{
270	\$\(
271	\$\{
272	\/\*
273	\*\/
274	;
275	'
276	\?
277	\['#
278	\\'%
279	%\\'
280	=\\"
281	=\\'
282	\*\\'
283	!=
284	\\\\
285	\.\.\/
286	\-\-
287	#
288	\.\.\\\.\.\\
289	\.\/\.\/
290	\/\.source
291	symbol\.replace
292	<\/noscript
293	<\/xmp
294	<\/style
295	<\/script
296	<\/title
297	svg>
298	<<
299	>>
300	crypto\.generateCRMFRequest
301	Range\.createContextualFragment
302	<svg\/on
303	extractvalue
304	updatexml
305	group_concat
306	system_user
307	version
308	table_name
309	table\.name
310	isnull
311	create_digest
312	to_base64
313	master_pos_wait
314	str_replace
315	user_meta
316	regexp
317	wp_comment
318	wp_usermeta
319	wp_post
320	wp_term
321	wp_user
322	wp_options
323	action=getTopic
324	found_rows
325	tceles
326	noinu
327	substring%
328	@@version
329	schema
330	datadir
331	hostname
332	rowcount
333	coercibility
334	COLLATION
335	CONNECTION_ID
336	current_user
337	last_insert_id
338	row_count
339	session_user
340	@user
341	validate_password_strength
342	libraryContent
343	base64_decode
344	globals\[
345	<\?
346	\?>
347	<\?php
348	get_defined_functions
349	_PHPLIB\[libdir\]
350	burpcollaborator\.net
351	constructor\.constructor
352	XAttacker\.php
353	svg>
354	\.vscode
355	\.ds_store
356	sftp\-config\.json
357	\.idea\/
358	composer\.json
359	db_details_importdocsql\.php
360	\/math_sum\.mscgi
361	\/admentor\/admin\/admin\.asp
362	\/timthumb\.php
363	\/timthumbdir\/cache
364	\/w3tc\/dbcache
365	php:\/\/
366	ftp:\/\/
367	zlib:\/\/
368	data:\/\/
369	glob:\/\/
370	phar:\/\/
371	file:\/\/
372	\/cfide\/componentutils
373	\/mysqldumper
374	\/bin\/sh
375	\.htpasswd
376	\.htaccess
377	whitelist\.pac
378	proxy\.pac
379	$\?p=b$$\(\?p=b$$\?j:\(\?p<b>c$$\?p<b>a\(\?p=b$\)\)>wgxcredits\)
380	0000::1
381	127\.0\.0
382	$\?j:\(\?\\|\(:\(\?\\|\(\?'r'$$\\k'r'$\\|$\(\?'r'$\)\)h'rk'rf\)\\|s$\?'r'$\)\)\)
383	\/var\/www\/
384	\/philboard_admin\.asp
385	\/cgi\-bin\/ls
386	\/wp\-includes\/rss\-functions\.php
387	\/wp\-content\/themes\/RightNow\/includes\/uploadify\/upload_settings_image\.php
388	X\-Pingback\-Forwarded\-For:
389	\/sqlite\/main\.php
390	\/htmlscript
391	\/post\-query
392	javascript:
393	\/DatabaseFunctions\.php
394	\/GlobalFunctions\.php
395	\/UpdateClasses\.php
396	\/scripts\/setup\.php
397	\/server_sync\.php
398	PageServices
399	\/htgrep
400	\/WEB\-INF\/
401	\/proc\/self\/
402	phpb8b5f2a0\-3c92\-11d3\-a3a9\-4c7b08c10000
403	\/_vti_rpc
404	\/server\-status
405	\/balancer\-manager
406	\/host\-manager\/
407	fx29shcook
408	cmd_txt=1
409	c99\.php
410	webconfig\.txt\.php
411	wpad\.dat
412	composer\.phar
413	\/admin\/templates\/header\.php
414	\/soapcaller\.bs
415	\/plugin_googlemap2_proxy\.php
416	\/images\/stories\/story\.php
417	\/\.ssh\/
418	\/known_hosts
419	\/authorized_keys
420	proftpdpasswd
421	\+\+\+\+\+\+\+\+result
422	\/jmx\-console\/htmladaptor
423	internal dummy connection
424	base64
425	cghwaw5mbygpoyag
426	http:\/\/http:\/\/
427	mid%
428	dual
429	strcmp\(
430	data:image
431	\.exec\(
432	\/invoker\/ejbinvokerservlet
433	service:wanipconnection:
434	\/struts2\-blank\/
435	java\.beans\.eventhandler
436	java\.lang\.
437	typo3_conf
438	name\[0%20
439	java\.io\.
440	java\.util\.
441	fill 'url
442	\$mft
443	\.ph
444	swp_url=http
445	system\.listmethods
446	system\.getcapabilities
447	pingback\.ping
448	deployment\-config\.json
449	ftpsync\.settings
450	eval\-stdin\.php
451	@pdiscoveryio
452	sysdate\(
453	Fuzz Faster
454	\.start\(
455	X\-Scanner: Netsparker
456	codepoints\-to\-string\(
457	string\-length\(
458	db\.collection\.find\(
459	knoxss\.me
460	array_map\(
461	base_convert\(
462	scaninfo@expanseinc\.com
463	\.xss\.ht
464	load_file\(
465	scaninfo@paloaltonetworks\.com
466	charCodeAt\(
467	fromcharcode\(
468	\.newInstance\(
469	\.forName\(
470	config_db\.php
471	x\-wvs\-id
472	JSON\.stringify\(
473	set_time_limit\(
474	\/vendor\/phpunit\/phpunit\/src\/Util\/PHP\/eval\-stdin\.php
475	\.interact\.sh
476	reflect\.apply\(
477	promise\.all\(
478	\.then\(alert
479	\/backup\/
480	0x00
481	string\.fromcodepoint\(
482	\.tolowercase\(
483	netsystemsresearch\.com
484	internet\-structure\-research\-project\-bot
485	\/config\.bak\.php
486	anonymousfox\.co
487	system\.multicall
488	str_pad\(
489	mysqli::
490	\/\.aws\/credentials
491	BluechipBacklinks
492	rookee\.bot
493	\.httpservletresponse
494	wp_is_mobile
495	PHP\/\{5\\|6\\|7\}
496	class\.classloader\.resources\.dircontext\.docbase
497	github\.com\/gocolly
498	\.get_host_address\(
499	\.touppercase\(
500	0x\[\]
501	0x\[\]=androxgh0st
502	\.equals\(
503	class\.module\.classLoader
504	\.getInputStream\(
505	\.getRuntime\(
506	\.getParameter\(
507	springframework\.context\.support\.FileSystemXmlApplicationContext
508	sort\.call
509	eval\.apply
510	\.surf\.ias\-lab\.de
511	\.shift
512	\.with\(
513	__class__
514	\.getResource\(
515	freemarker\.template\.utility\.execute
516	MakeViewVariableOptionalSolution
517	@\(
518	\{\$
519	<%=
520	\.map\(
521	#\{
522	dict:\/\/
523	sftp:\/\/
524	tftp:\/\/
525	ldap:\/\/
526	gopher:\/\/
527	netdoc:\/\/
528	db\.injection\.insert\(
529	\*\{
530	BugBountyBot
531	console\.log\(
532	navigation\.onnavigate
533	document\.queryselector\(
534	\.setAttribute\(
535	json_depth\(
536	x\-web\-scanner\-info
537	(\d+\s,\s){4,}
538	\W&&\W
539	\W@@\w
540	\W\\|\\|\W
541	\{\{.+\}\}
542	(\.)+(\\\|\/)+(\.)+(\\\|\/)+
543	\\x[0-9a-z]{2,2}
544	(\\\|%)u[0-9a-f]{4,4}
545	[&=<]\.0
546	[\^<>]0\.
547	(\s\|\.)src(\s\|\+)*=
548	(^\|\W)eval\(\|@eval\W
549	<svg(\s\|\+)
550	(^\|\W)alert\/?(\.(source\|call\|apply\|bind\|valueof))?[\(\`\&\]]
551	array\.(map\|from\|prototype)
552	(^\|\W)document(\.[a-z]+)+\(
553	<img(\s\|\+)
554	<base(\s\|\+)
555	<i?frame\W
556	on(error\|cut\|begin\|wheel\|blur\|change\|input\|reset\|select\|down\|keypress\|keyup\|paste\|copy\|toggle)(\s\|\+)*\=
557	onmouse(down\|enter\|leave\|move\|out\|over\|up\|wheel)(\s\|\+)*\=
558	<script(\s\|\+\|\/\|\>)
559	on(aux\|dbl)?click(\s\|\+)*\=
560	ontouchcancel(\s\|\+)*\=
561	(^\|\W)set(Timeout\|Interval\|Immediate)\(
562	(^\|\W)execscript\(
563	window[?]?\.(location\|alert\|name)
564	document[.;](location\|domain\|cookie)
565	(^\|\W)location\.(assign\|reload\|replace\|tostring)\(
566	(^\|\W)history(\.[a-z]+)+\(
567	(^\|\W)(local\|session)Storage\(
568	(^\|\W)createElement\(
569	[^-:=\.\w\\|]where[^-:=\.\w\\|]
570	[^-:=\.\w\\|]update[^-:=\.\w\\|]
571	[^-:=\.\w\\|]table[^-:=\.\w\\|]
572	group[^-:=\.\w\\|/]+by
573	order[^-:=\.\w\\|]+by
574	[^-:=\.\w\\|]limit[^-:=\.\w\\|]
575	[^-:=\.\w\\|]select[^-:=\.\w\\|]
576	[^-:=\.\w\\|]insert[^-:=\.\w\\|]
577	[^-:=\.\w\\|]truncate[^-:=\.\w\\|]
578	(^\|\W)benchmark\(
579	(^\|\W)((var)?char\|chr)\W*[(@]+[\d\s]
580	[^-:=\.\w\\|]if[^-:=\.\w\\|]
581	select[^-:=\.\w\\|]{1,50}(.\|\s){0,50}from
582	(^\|\W)concat\(
583	(^\|\W)system\(
584	(^\|\W)extractvalue\(
585	(^\|\W)elt\(
586	(encode\|decode)\W*[]
587	\Wrlike\(
588	[^-:=\.\w\\|]database[^-:=\.\w\\|]
589	(^\|\W)not\W+in\(
590	json(_\w+){1,2}\(
591	[^-:=\.\w\\|]contains[^-:=\.\w\\|]
592	[^-:=\.\w\\|]sleep[^-:=\.\w\\|]
593	\`\`\s*\`\`
594	_(en\|de)crypt\(
595	log\d+\W*($\|$)
596	/(bin\|sbin)/
597	[^-:=\.\w\\|]replace[^-:=\.\w\\|]
598	\d+[\'\`]
599	(^\|\W)print(_r\|ln)?\(
600	\d\'\s*\w+=(\d+\|\')
601	=(\-\w+\|\w+[\'\)\"])(.\|\s){0,30}\s+where\s+(.\|\s){0,30}\s+(OR\|AND)
602	ctx=web\&cache_filename=.+\.php.+IMresizedData=\<\?php
603	\w+=\d+\'($\|\s)
604	\d+[\'\`]
605	(\b(m(s(ysaccessobjects\|ysaces\|ysobjects\|ysqueries\|ysrelationships\|ysaccessstorage\|ysaccessxml\|ysmodules\|ysmodules2\|db)\|aster\.\.sysdatabases\|ysql\.db)\b\|s(ys(\.database_name\|aux)\b\|chema(\W\(\|_name\b)\|qlite(_temp)?_master\b)\|d(atabas\|b_nam)e\W\(\|information_schema\b\|pg_(catalog\|toast)\b\|northwind\b\|tempdb\b))
606	sleep$(\s?)(\d?)(\s*?)$\|benchmark$(.{0,50}?),(.{0,50}?)$
607	(((select\|;)\s+(benchmark\|if\|sleep)\s?\(\s?\(?\s*?\w+))
608	((alter\s?\w+.{0,50}?(character\|char)\s+set\s+\w+)\|([\"'`];?\s?waitfor\s+(time\|delay)\s+[\"'`])\|([\"'`];.{0,50}\s?\Wgoto\W))
609	(^\|\W)union(.\|\s){1,50}select(.\|\s){1,50}from\W
610	((select\s?pg_sleep)\|(waitfor\s?delay\s?[\"'`]+\s?\d)\|(;\s?shutdown\s?(;\|--\|#\|/\*\|{)))
611	["\[]\$(ne\|eq\|lte?\|gte?\|n?in\|mod\|all\|size\|exists\|type\|slice\|x?or\|div\|like\|between\|and\|where)["\]]
612	((procedure\s+analyse\s?$)\|(;\s?(declare\|open)\s+[\w-]+)\|(create\s+(procedure\|function)\s?\w+\s?\(\s?$\s?-)\|(declare[^\w]+[@#]\s?\w+)\|(exec\s?\(\s*?@))
613	xp_(servicecontrol\|regread\|regwrite\|regdeletevalue\|regdeletekey\|fileexist\|enumerrorlogs\|readerrorlogs\|enumdsn\|enumgroups\|ntsec_enumdomains)
614	(^\|&)src=[^&]*?(http\|ftp)
615	[?&]home=[^&]*?(http\|ftp)
616	[?&]size=[^&]*?\x3b
617	\[\#markup\]\=\S+\s+\S+
618	information(_\|\.)schema
619	(\s\|\+)(infile\|outfile\|dumpfile)(\s\|\+)
620	\s;\s
621	/%?\(.\|\s){0,50}\%?/
622	/%?\(.\|\s){0,50}\%?/
623	((/%?\(.\|\s){0,50}\%?/)(.\|\s){0,50}){3,}
624	name\[\d+.{20,}\]
625	admin(istrator)?'--
626	^(file\|ftps?\|https?)://(.{0,500})$
627	%0(.\|\s){0,50}([a-z]%){3,}
628	(%\w%.{0,50}){5,}
629	(^\|\W)response\.(write\|flush\|clear)\(
630	\w=\/?\.{1,2}(\\\|\/)
631	\$_\w{1,15}\[
632	auto_prepend_file\|auto_append_file
633	include.?dir\x3D
634	path=(https?\|ftps?\|php)
635	php\?goto=(https?\|ftps?\|php)
636	/(admin/addcontent\.inc\|images/psg)\.php
637	[^-:\.\w\\|]exec[^-:\.\w\\|\/]
638	(^\|\W)die\(
639	(.{1,50}$.{1,50}$){3,}
640	\.(.{0,250})~($\|\s)
641	src=https?\x3a\x2f[^\x26\x20]*?(\x24\x28\|%24%28)
642	\.(gemfile\|gemfile\|rb\|irbrc)($\|\s\|\:)
643	\.(bzr\|project\|sublime(-workspace)?\|md\|svn\|gitkeep\|s3cfg\|(git\|hg\|cvs)(ignore)?\|subversion\|csproj\|(ftp)?config\|cfg\|atom\|vb\|vscode\|circleci\|npmrc)($\|\s\|\/\|\:)
644	\.php[^3-7\/s][\w\-\_~]*(\.\w+)?$
645	\.(py\|pl\|cgi)($\|\s\|\:)
646	\.(jar\|jsp\|jspx\|jspf\|java\|coffee\|war\|yml\|cfm)($\|\s\|\:)
647	\.(conf\|ssh\|ini\|inc\|env\|inc\|viminfo\|properties\|dead\.letter\|passwd\|schema)($\|\s\|\:)
648	\.(phpinc\|save\|sav\|swp\|swo\|lock\|old\|orig\|log\|tmp\|temp\|restore\|suspected)($\|\s\|\:)
649	\.(bz2\|gz\|tar\|xz\|lzma)($\|\s\|\:)
650	^/wp-content/plugins/($\|\s)
651	/wp-content/plugins/.{1,50}/cache/
652	\.(mdb\|db\|sqlite\|sql)($\|\s\|\:)
653	id_(rsa\|dsa)\.ppk($\|\s\|\:)
654	etc/(passwd\|shadow)
655	\W(win\|system\|php)\.ini
656	\.(ksh\|rsh\|tcsh\|csh\|zsh\|zshrc\|bash\|bash_profile\|rksh\|sh_history)($\|\s\|\:)
657	\.(bat\|exe\|dll\|dat)($\|\s\|\:)
658	%psmodulepath%\|%public%\|%appdata%\|%localappdata%
659	%allusersprofile%\|%userdata%\|%username%\|%userprofile%
660	%homedrive%\|%homepath%
661	%homedrive%\|%homepath%
662	%systemdrive%\|%systemroot%\|%windir%\|%comspec%
663	%path%\|%pathext%
664	%computername%\|%logonserver%\|%prompt%\|%userdomain%
665	/(global\|dnewsweb\|swsrv\|ikonboard)\.cgi
666	/(ksh\|rsh\|tcsh\|csh\|zsh\|zshrc\|bash\|bash_profile\|rksh)($\|\s)
667	\/(math_sum.mscgi\|htsearch\|printenv\|db2www\|document.d2w)
668	php(pg\|my)admin
669	stdin\|stdout\|stderr
670	/dev/(tcp\|udp)
671	(^\|\W)php(_uname\|credits\|info\|version)\(
672	/~(root\|ftp\|nobody)
673	[^/]https?:/
674	(phpinfo\|phpsysinfo)\.php
675	phpe9568f3(4\|5\|6)-d428-11d2-a769-00aa001acf42
676	/_vti_(adm\|bin)/
677	act=\S+&(d\|f)=
678	act=(fxmailselfremove\|encoder\|eval\|sql\|phpinfo)
679	_act=(execute\|list\s+files\|upload)
680	(\s\|\+\|#)cmd=
681	c999sh_surl\|c999shvars
682	adminer.*\.php
683	(wso\|r57\|r57shell)\.php
684	/plugins/system/.{1,50}\.php
685	\.(key\|pem\|id_rsa\|id_dsa)($\|\s)
686	\.(sh\|bash\|nano\|irb\|psql\|mysql)_history($\|\s)
687	\.(bac\|bak\|bkp\|bkf\|bkp\|back\|backup\|bakup)($\|\s)
688	\.(history\|histfile)($\|\s)
689	nessus\|acunetix\|nmap\|sqlmap\|[nw]ikto\|dirbuster\|gobuster\|w3af\|webster\|openvas\|meterpreter\|network-services-auditor\|wpscan\|hydra\|XSpider\|Nuclei\|l9explore
690	absinthe\|autogetcolumn\|bsqlbf\|cisco-torch\|crimscanner\|appscan_fingerprint\|amiga-aweb\|digimarc webreader
691	sql\s+power\s+injector\|dav\.pm\|prog.customcrawler\|whcc\|grendel-scan\|masscan
692	shellshock-scan\|thanks-rob\|WebCruiser\|webinspect\|whisker\|chinaclaw\|whatweb\|wordpress hash grabber
693	mysqloit\|netsparker\|paros\|pavuk\|uil2pn\|friendly-scanner\|sundayddr\|zmeu\|sqlspider\|Evasions
694	apachebench\|datacha0s\|nv32ts\|brutus\|arachni\|synapse\|havij\|sucuri\|sitelock\|scanalert
695	http_get_vars\|n-stealth\|picscout\|t34mh4k\|webshag\|mozilla/\d+\.\d+\s+sf
696	php/\d+\.\|python-httplib\|winhttprequest\|pymills-spider/\|^\.
697	boundary=\S+[,\|;]
698	(\\[0-7]{1,3}){3,}
699	&#\d+;?
700	(&#x[2-7]\w;(.\|\s){0,50}){5,}
701	(file\|ftps?\|https?)://(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})
702	((merge.{0,50}?using\s?\()\|(execute\s?immediate\s?[\"'`])\|(match\s?[\w(),+-]+\s?against\s?\())
703	(^\|\W)(un)?hex\(
704	<[\s\+]![\s\+](doctype\|entity)[\s\+]+%[\s\+][a-za-z1-9_-]*[\s\+]+system
705	multipart/form-data;\s*boundary=[a-zA-Z0-9_-]{4000,}
706	$\s{0,50}$\s{0,50}\{\s{0,50}\:
707	script_fields.{0,50}import.{0,50}java\.util
708	\.\./\|php
709	['"`)][\s\+](OR\|AND\|\\|\\|\|\&\&)(\s+NOT)?[\s\+]+(.{1,25})[\s\+]([\!\<\>]?\=\|\<\|\>)[\s\+]*(.{1,25})
710	(^\|\W)((var)?char\|chr)\W=\W["']
711	(^\|\W)name_const\(
712	\.([~-][\w]?\|\$+)($\|\s\|\:)
713	\w=\/(etc\|usr\|var\|bin\|sbin\|lib\|lib64\|run\|sys\|dev\|root\|home\|opt\|srv\|mnt)\/
714	(^\|\W)draggable(\s\|\+)*\=
715	filename\s=\s.+\.(php\|pht\|py\|js\W\|rb\|pl\|pm\|cgi\|aspx)
716	(^\|\W)xbshell\W
717	(^\|\W)union(\s\|\+)+(all(\s\|\+)+)?select\W
718	(^\|\W)convert\(
719	(^\|\W)(md5\|crc32\|sha1\|hash\|crypt)\(
720	(^\|\W)HashBytes\(
721	(^\|\W)extractvalue\(
722	waitfor(\s\|\+)+delay\W
723	img(\s\|\+)*src=\"?(https?\:\/\/)?[\w\|\.\|\-\|\/]+\.(txt\|php\|py\|cgi\|asp)
724	\s(OR\|\\|\\|\|AND\|\&\&)(\snot)?\s(['")]\w['"(]\|\w)\s[!]?=\s(['")]\w['"(]\|\w)\s*\-\-
725	(^\|\W)function\(
726	(sql\|old\|bkp\|bck\|bckp\|back\|backup\|archive)\.(zip\|rar\|7zip\|bz2\|gz\|xz\|lzma\|tar\|gz\|tar\.gz)($\|\s\|\:)
727	(^\|\W)includecomponent\(
728	(^\|\W)__schema\W*\{
729	\/\.\.[\;\+]
730	(^\|\W)script[\s\+]+xmlns
731	(^\|\W)tostring\(
732	(^\|\W)shell_exec\(
733	\=[\s\+]\$\{\w+[\+\-\\/]\w+\}
734	(^\|\W)nslookup\W
735	\\|[\s\+]([\/](\w\|\.)+[\/]+)?(bash\|perl\|python\|php)\W
736	(^\|\W)gethostbyname\(
737	['"`)][\s\+]*(OR\|AND\|\\|\\|\|\&\&)(\s+NOT)?[\s\+\"\']+(.{1,25})[\s\+\"\']+([\!\<\>]?\=\|\<\|\>)[\s\+\"\']+(.{1,25})
738	bxss\W*\.me
739	on(waiting\|pause\|show\|start\|end\|unload\|drop\|submit\|close\|after(print\|scriptexecute)\|contextmenu\|cellchange)(\s\|\+)*\=
740	on(cuechange\|(de)?activate\|finish\|fullscreenchange\|hashchange\|invalid\|message\|repeat)(\s\|\+)*\=
741	on(resize\|scroll\|search\|seeked\|seeking\|timeupdate\|touchend\|touchmove\|touchstart\|volumechange)(\s\|\+)*\=
742	on(mozfullscreenchange\|pagehide\|pageshow\|popstate\|progress\|readystatechange\|transitioncancel\|transitionrun\|transitionstart\|unhandledrejection)(\s\|\+)*\=
743	onwebkitanimation(end\|iteration\|start\|end)(\s\|\+)*\=
744	onbefore((de)?activate\|copy\|cut\|editfocus\|paste\|update\|scriptexecute)(\s\|\+)*\=
745	onpointer(down\|enter\|leave\|move\|out\|over\|rawupdate\|up)(\s\|\+)*\=
746	onanimation(cancel\|iteration\|start\|end)(\s\|\+)*\=
747	(^\|\W)strrev\(
748	(djy\|qpy)l18\.com
749	(^\|\W)execute\(
750	(^\|\W)(atob\|btoa)\(
751	(^\|\W)get(Runtime\|Response\|Writer\|Property\|InputStream)\(
752	(^\|\W)substring\(
753	(^\|\W)starts-with\(
754	(^\|\W)contains\(
755	(^\|\W)match\(
756	(^\|\W)document\[('\|"\|`)\w+('\|"\|`)\]
757	(^\|\W)confirm(\.call)?\(
758	(^\|\W)array\(
759	=\$\{\d+[+\-*%]\d+\}
760	(^\|\W)start-sleep[\s\+]+\-
761	(^\|\W)passthru\(
762	(^\|\W)sleep\(
763	(^\|\W)typeof\(
764	\Wisfinite\(
765	(^\|\W)sleep[\s\+]+\d
766	(^\|\W)prompt(\.call)?[(,`]
767	(^\|\W)substr\(
768	(^\|\W)ord\(
769	(^\|\W)mid\(
770	(^\|\W)ifnull\(
771	(^\|\W)cast\(
772	(^\|\W)database\(
773	(^\|\W)require\(
774	(^\|\W)endianness\(
775	(^\|\W)fillrect\(
776	@Grab(Config\|Resolver)?\(
777	(^\|\W)r87\.(com\|me)\W
778	(^\|\W)echo(\s\|\+)+\$\(
779	(^\|\W)echo(\s\|\+)+(\-\w+(\s\|\+)+)?[\'\"\`]
780	(database\|db\|dump)\.tar(\.gz)?($\|\s\|\:)
781	(^\|\W)alert\.name\W
782	config\.inc(\.(bz2\|gz\|xz\|tar(\.(bz2\|gz\|lzma\|xz))?))?($\|\s\|\:)
783	config\.(bz2\|gz\|xz\|tar(\.(bz2\|gz\|lzma\|xz))?)($\|\s\|\:)
784	(^\|\W)db.bz2($\|\s\|\:)
785	(^\|\W)cat_code\W
786	(^\|\W)(un)?escape\W
787	(^\|\W)updatexml\(
788	(^\|\W)valueOf\W*(\(\|\'\|\"\|.)
789	(^\|\W)window\.[a-z]
790	(^\|\W)(global\|window)eventhandlers\.[a-z]
791	(^\|\W)globalthis\W
792	(^\|\W)fopen\(
793	(^\|\W)f(write\|puts)\(
794	(^\|\W)printenv\W
795	(^\|\W)ini_set\(
796	(^\|\W)isset\(
797	\/wp-config\.(orig\|txt\|php[._](bak\|old\|new))
798	jndi\:(dns\|rmi\|iiop\|ldap)\:\/\/
799	\$\{(lower\|upper)\:
800	\$[\\]?\{\:\:\-[jndilaprmso][\\]?\}
801	\$[\\]?\{env\:ENV_NAME\:\-[jndilaprmso][\\]?\}
802	\.pydevproject($\|\s\|\:)
803	(alfa_data\|alfacgiapi\|cgialfa)\/.{0,50}\.alfa($\|\s\|\/\|\:)
804	\/(db\|backup\|config)\d*\.(bz2\|gz\|tar\|xz\|lzma)($\|\s\|\:)
805	(^\|\W)var_dump\(
806	CensysInspect\|censys\.io
807	\.(git\|svn)
808	while\s*\(
809	\.queryselector(all)?\(
810	reflect\.(apply\|cons\|def\|del\|get\|has\|isext\|own\|prev\|set)
811	(^\|\W)(wget\|curl)\W
812	(^\|\W)alert\W
813	\{\sphp\s\}
814	(^\|\W)window\[
815	(^\|\W)attr\(
816	:[\/\\]+windows[\/\\]+
817	['"][\s+];[\s+]return[\s+]
818	;[\s+]*([\/]([usrbinloca?]{3,5}[\/]){1,4})?([cat?]{3,3}\|[les?]{4,4})[\s+]+[\/]?\w+
819	echo[\s+]+var
820	exec[\s+]+cmd
821	(^\|\W)location\.(ancestor\|href\|protocol\|host\|pathname\|search\|hash\|origin)
822	top\[.{1,50}\]\(
823	&([lr]par\|quot\|apos\|grave\|tab\|nbsp);
824	\/(etc\|usr\|var\|bin\|sbin)\/
825	\{\{[_]self.\}\}
826	ondata(available\|setchanged\|setcomplete)?(\s\|\+)*\=
827	ondrag(end\|enter\|leave\|start\|over)?(\s\|\+)*\=
828	onmove(end\|start)?(\s\|\+)*\=
829	onrow(enter\|exit\|s(delete\|inserted))(\s\|\+)*\=
830	on(load(start\|eddata)?\|focus(in\|out)?\|key(down\|press\|up)\|pointer(over\|enter\|down\|move\|up\|cancel\|out\|leave))(\s\|\+)*\=
831	\$(ne\|eq\|lte?\|gte?\|n?in\|mod\|all\|size\|exists\|type\|slice\|x?or\|div\|like\|between\|and\|where):
832	\.oast\.(me\|pro)
833	\$0\s<<<\s\$
834	(^\|\W)printf\W

Добавить сигнатуру