防护规则学习之SQL注入
- 攻击类型:注入攻击
- ruleid: 942140
规则配置文件
我直接从github下载了owasp-modsecurity-crs-3.3
的源码。
规则配置文件位于:F:\学习资料\owasp-modsecurity-crs-3.3-dev\owasp-modsecurity-crs-3.3-dev\rules\REQUEST-942-APPLICATION-ATTACK-SQLI.conf
点击展开ruleid=942140的配置内容
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
# -=[ Detect DB Names ]=-
# Regexp generated from util/regexp-assemble/regexp-942140.data using Regexp::Assemble.
To rebuild the regexp:
cd util/regexp-assemble
./regexp-assemble.pl regexp-942140.data
Note that after assemble an outer bracket with an ignore case flag and a word boundary is added
to the Regexp::Assemble output:
Add ignore case flag and word boundary: "(?i:\bASSEMBLE_OUTPUT)"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i:\b(?:(?:m(?:s(?:ys(?:ac(?:cess(?:objects|storage|xml)|es)|(?:relationship|object|querie)s|modules2?)|db)|aster\.\.sysdatabases|ysql\.db)|pg_(?:catalog|toast)|information_schema|northwind|tempdb)\b|s(?:(?:ys(?:\.database_name|aux)|qlite(?:_temp)?_master)\b|chema(?:_name\b|\W*\())|d(?:atabas|b_nam)e\W*\())" \
"id:942140,\
phase:2,\
block,\
capture,\
t:none,t:urlDecodeUni,\
msg:'SQL Injection Attack: Common DB Names Detected',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-sqli',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\
tag:'WASCTC/WASC-19',\
tag:'OWASP_TOP_10/A1',\
tag:'OWASP_AppSensor/CIE1',\
tag:'PCI/6.5.2',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.2.0',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
这条规则的正则表达式是从util/regexp-assemble/regexp-942140.data
生成的。
点击展开regexp-942140.data
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25database\W*\(
db_name\W*\(
information_schema\b
master\.\.sysdatabases\b
msdb\b
msysaccessobjects\b
msysaccessstorage\b
msysaccessxml\b
msysaces\b
msysmodules2\b
msysmodules\b
msysobjects\b
msysqueries\b
msysrelationships\b
mysql\.db\b
northwind\b
pg_catalog\b
pg_toast\b
schema_name\b
schema\W*\(
sqlite_master\b
sqlite_temp_master\b
sysaux\b
sys\.database_name\b
tempdb\b
msg:'SQL Injection Attack: Common DB Names Detected'
这条规则是检测常见的数据库名称。
实例
1 | Matched Data: MSDb found within ARGS:padimg: <?xml version=\x221.0\x22 encoding=\x22UTF-8\x22?><BJCAROOT><Version>1</Version><SignTID>1122</SignTID><EncKey>MSDb/9OSDPk3JEzTsaR/pfxktGJy68vS8Dz6s1MX6y0y BlB25Fa72 31I3syty0mOiHH49dI8huN9BbHFjZF7E5VdCeZ6vgrtiEUl9LU7X6SLM0UOyGEZJPjqhZR7tFXDmJx6y5f00yznvIPdJ8R3V52YnR5OWnYPMO0f2SRZM=</EncKey><Cert><EncCertSN>102105000006752389</EncCertSN><EncCertKeyID>N/A</EncCertKeyID><EncAlg>1</EncAlg></Cert><EncData>7R8inJH6DySoIX0wDfdJBc5LC1v0HilpVFyZwBWiCdht sicAKUQEtbpMkIuJ8d9zmcEbo/cXA263Esm JU6H3 d5xqFLCyGS7FnN4lkS6M5qmOdXRUYHfb6RXt4O/TKwmUTsS6jEl2cQMWjhFm1k0yY PluQxRC1nmhUaH7FZGkLse1BiOBza8skWbpKn6bnTjaVeub5WjnpEiyZT/EqpQLXRVPH5bc8 P Q69IJorA3HvykeGb2MB/jJ9CD rchZobj0qoL0oRtXnCKCvosQjwb2lRe90QFn9gNPbgQJ1Y9729i47/adP7SgXWZmjCmpFgxE1izOcBINcI1Pka4laKWx5hPNOYntYOCtlc6o65b9nbB ZkRdtWWHvNc45V00EoVrRIDsXvO7FziDNTgob2n9RWz XnquWxu8c9hUyCYGn6AoYnPdsdJHy7Ju4wVnEBLsZIlo8gUh63wyKZBWrZJ/RiGXoofObU5eLowmgdrXpgQTeergnzQR23tqmpx9vC6p92iQWqxQLtH8dbDDzIqUyx45wwfKhGhw/0HrTL/pBI3DnPPSHA9ftBwLTvbxqX/x MlAX2ZXCjF1WESBIkThpMXSvNqcVhledyLx5YMJnwANwKvfYLB4ojrrcS2hBEbry1c3QAfU/dU18PSFWXbAr1YJUJptwfLVzWKPspW5NqJ QE37EBVN9/sJslDlUQ3VF0nR /O3TYRfSXxotcS6tqfbDCtwYv5CNjyernUVyL6paZy xs5zZy22TQ/ftMRJSMGbAM9e7vHjnWVo/ 7tfouD 9PBtvXyauhSAubaarljUV9jbpL1ve8uafh2QC7U647xSVpVTvGvG4uFTeJ8UccepW2gZB78fYJ/HRPu8wwgySAt5AYkynfaFb36PPHeoPX/HInW5iD0F SeOGXKjIOxu6bZWnbD/Tlk3OyrMacXDp3vXIBZNqqMQV5fw3crGjZsOUH8V6H43 vBHbc AQp6Yhc8yfORF4caOmQFBwr/Xo6Q84vtlqNPgV1ivjbu4ccoCCjG J57nSA6fghEyo6VLc6ib76LU9VNBwyOOgUT61ZKciFmyR5ift5VeYiJ9ZwZ318gqJsCgSEpEIMgZagvBSJHHTJaEU1Y npn1T8DxiIFvwAasuG029NLPzN4utON7MlaQxNDlUNVuT9xnU4yFGAos3Gh105x/2SqzNpyAX0zmxKDi/uSO1L1/xViU4f3PCmOHNi7V6ObcpMdYXgsR9y7hgveoLJUpTqrTJnslTmB7OADOTfECAYHtEcloPlxioUn2vSevZlsB5NGFCZq1os aDENp18VoGFJlDmEreAPV7ZYlCSgBRWv99 2ZdoX6/jXXtp9EomM XXr4HZBM88gWZ9/8QgG8xqkz9VfMS7b3p3kYMEoBriyhOVIecu092ROEZ7Jt2F9U35Fbygg3xIZQCxkOjTWNzBG/HueHz3oi6/5S0TK6tMdbpVsPlZie8dvzrtpOFKyzyHaTQj09LqgTQ0ab4FrFZ 8UlH8BBDIwPtFme7g7paSqDWc8eVavwl4kx/EH0eADp96xGriGzHSepxGE2syehd1u8UpAnDljihouuB |
匹配的变量是post提交的参数(ARGS),参数名称是padimg
,匹配到的数据是MSDb
。<所以,用户post提交的参数实际是一个XML
总结
这条规则也不复杂。