
Learning the ModSecurity CRS protection rules: SQL injection, ruleid=942160

Protection rule study: SQL injection

  • Attack type: injection attack
  • ruleid: 942160

Rule configuration file

I downloaded the owasp-modsecurity-crs-3.3 source directly from GitHub.
The rule configuration file is located at: F:\学习资料\owasp-modsecurity-crs-3.3-dev\owasp-modsecurity-crs-3.3-dev\rules\REQUEST-942-APPLICATION-ATTACK-SQLI.conf

The configuration of ruleid=942160 as it appears in that file:
#
# -=[ PHPIDS - Converted SQLI Filters ]=-
#
# https://raw.github.com/PHPIDS/PHPIDS/master/lib/IDS/default_filter.xml
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i:sleep\(\s*?\d*?\s*?\)|benchmark\(.*?\,.*?\))" \
"id:942160,\
phase:2,\
block,\
capture,\
t:none,t:urlDecodeUni,\
msg:'Detects blind sqli tests using sleep() or benchmark()',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-sqli',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\
ver:'OWASP_CRS/3.2.0',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"

This rule is carried over from the PHPIDS filter set; the original PHPIDS filter is described as "Detects SQL benchmark and sleep injection attempts including conditional queries".

The msg 'Detects blind sqli tests using sleep() or benchmark()' states the purpose: the rule detects time-based blind SQL injection tests that call MySQL's sleep() or benchmark() to introduce a measurable delay in the response. It runs in phase:2 (so request-body arguments are available) over cookies (except Google Analytics __utm* cookies, excluded by !REQUEST_COOKIES:/__utm/), cookie names, argument names, argument values and XML content, after a t:urlDecodeUni transformation; a match adds tx.critical_anomaly_score to both the SQL-injection score and the PL1 anomaly score.

Example

Matched Data: sleep(20) found within ARGS_NAMES:eval(compile('for x in range(1):\x5c\x5cn import time\x5c\x5cn time.sleep(20)','a','single')): eval(compile('for x in range(1):\x5cn import time\x5cn time.sleep(20)','a','single'))

The matched variable here is an argument name (ARGS_NAMES), and the matched data (TX.0) is sleep(20). Note that this payload is not SQL at all: it is a Python code-injection probe (eval(compile(... time.sleep(20) ...))) whose argument name happens to contain the substring sleep(20). Because the regex is unanchored and case-insensitive, that substring alone is enough to fire the rule. The \x5c sequences in the log are backslash bytes (0x5c) escaped by the logger.

Summary

There is not much more to this rule: it is a case-insensitive, unanchored pattern match for a sleep() call with an optional numeric argument (sleep(5), SLEEP( 5 ), sleep()) or a benchmark() call whose argument list contains a comma. A bare keyword such as "sleep" without parentheses does not match, nor does sleep(abc), since \d*? only admits digits; conversely anything that contains sleep(5) fires, including PostgreSQL's pg_sleep(5). Time-based techniques written in other syntax, such as MSSQL's WAITFOR DELAY, are not covered by this rule's pattern.
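The following is an added example, not code from the original post or from the CRS project. It applies the exact regex from rule 942160 to constructed query strings the way the SecRule would: parse_qsl() stands in for the engine's argument parser (one URL-decode when ARGS is populated), and a small url_decode_uni() helper approximates the rule's t:urlDecodeUni transformation, which is why a double-encoded payload is still caught. The score constants are the CRS 3.x defaults from crs-setup.conf; the helper, function names and sample requests are this example's own.

```python
import re
from urllib.parse import parse_qsl, unquote

# Regex taken verbatim from CRS rule 942160 (REQUEST-942-APPLICATION-ATTACK-SQLI.conf).
RULE_942160 = re.compile(r"(?i:sleep\(\s*?\d*?\s*?\)|benchmark\(.*?\,.*?\))")

# CRS 3.x defaults (crs-setup.conf): score added by a critical rule, PL1 inbound threshold.
CRITICAL_ANOMALY_SCORE = 5
INBOUND_ANOMALY_SCORE_THRESHOLD = 5


def url_decode_uni(value: str) -> str:
    """Approximation of t:urlDecodeUni (assumption, not the engine's code): decode IIS-style
    %uXXXX escapes, '+' and %XX sequences. The real transformation has more edge cases."""
    value = re.sub(r"%u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), value)
    return unquote(value.replace("+", " "))


def inspect_query_string(query: str):
    """Emulate rule 942160 over ARGS_NAMES and ARGS of one request.

    parse_qsl() plays the argument parser (first decode); url_decode_uni() plays the rule's
    own transformation (second decode). Returns (variable, matched_data) pairs, mirroring
    the rule's logdata of MATCHED_VAR_NAME and TX.0.
    """
    findings = []
    for name, value in parse_qsl(query, keep_blank_values=True):
        for var_label, raw in ((f"ARGS_NAMES:{name}", name), (f"ARGS:{name}", value)):
            match = RULE_942160.search(url_decode_uni(raw))
            if match:
                findings.append((var_label, match.group(0)))
    return findings


def would_block(query: str) -> bool:
    """Anomaly-scoring view: every matching variable adds the critical score. At PL1 the
    default inbound threshold equals one critical hit, so a single match is enough."""
    score = CRITICAL_ANOMALY_SCORE * len(inspect_query_string(query))
    return score >= INBOUND_ANOMALY_SCORE_THRESHOLD


# Constructed sample query strings for the demo, not taken from real traffic.
SAMPLES = {
    "mysql_sleep":       "id=1%20AND%20sleep(5)",
    "double_encoded":    "id=1%2520AND%2520SLEEP%25285%2529",   # %25 -> '%' on the first decode
    "unicode_escape":    "id=1%20AND%20%u0073leep(5)",           # %u0073 -> 's'
    "benchmark":         "q=1%20AND%20benchmark(1000000,md5(1))",
    "pg_sleep":          "id=1%20AND%20pg_sleep(5)",             # fires on the substring sleep(5)
    "mssql_waitfor":     "id=1%20WAITFOR%20DELAY%20'0:0:5'",     # not covered by this rule
    "sleep_no_parens":   "note=I+will+sleep+for+5+minutes",      # benign: no parentheses
    "sleep_non_numeric": "id=sleep(abc)",                        # \d*? admits digits only
    "in_arg_name":       "eval(compile('import%20time%3Btime.sleep(20)','a','single'))=1",
}

if __name__ == "__main__":
    for label, qs in SAMPLES.items():
        print(f"{label:18} block={would_block(qs)!s:5} {inspect_query_string(qs)}")
```

Two details worth noticing in the output: the lazy `.*?\)` in the benchmark branch stops at the first closing parenthesis, so the logged TX.0 for benchmark(1000000,md5(1)) is `benchmark(1000000,md5(1)` rather than the whole call, and the argument-name sample reproduces the page's own log entry, where the hit is in ARGS_NAMES rather than in an argument value.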

------------- End of article, thank you for reading -------------