Preface
Next, let's dig into ModSecurity's protection rules and how they work, starting with SQL injection, which also serves to deepen the understanding of SQL injection.
Protection rule study: SQL injection
- Attack type: injection attack
- Rule id: 942190
Rule configuration file
I downloaded the owasp-modsecurity-crs-3.3 source directly from GitHub.
The rule configuration file is located at: F:\学习资料\owasp-modsecurity-crs-3.3-dev\owasp-modsecurity-crs-3.3-dev\rules\REQUEST-942-APPLICATION-ATTACK-SQLI.conf
The configuration content for rule id 942190:

```apache
# Regexp generated from util/regexp-assemble/regexp-942190.data using Regexp::Assemble.
# To rebuild the regexp:
#   cd util/regexp-assemble
#   ./regexp-assemble.pl regexp-942190.data
# Note that after assemble an outer bracket with an ignore case flag is added
# to the Regexp::Assemble output:
# (?i:ASSEMBLE_OUTPUT)
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i:(?:[\"'`](?:;?\s*?(?:having|select|union)\b\s*?[^\s]|\s*?!\s*?[\"'`\w])|(?:c(?:onnection_id|urrent_user)|database)\s*?\([^\)]*?|u(?:nion(?:[\w(\s]*?select| select @)|ser\s*?\([^\)]*?)|s(?:chema\s*?\([^\)]*?|elect.*?\w?user\()|into[\s+]+(?:dump|out)file\s*?[\"'`]|\s*?exec(?:ute)?.*?\Wxp_cmdshell|from\W+information_schema\W|exec(?:ute)?\s+master\.|\wiif\s*?\())" \
    "id:942190,\
    phase:2,\
    block,\
    capture,\
    t:none,t:urlDecodeUni,\
    msg:'Detects MSSQL code execution and information gathering attempts',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-multi',\
    tag:'attack-sqli',\
    tag:'paranoia-level/1',\
    tag:'OWASP_CRS',\
    tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\
    tag:'WASCTC/WASC-19',\
    tag:'OWASP_TOP_10/A1',\
    tag:'OWASP_AppSensor/CIE1',\
    tag:'PCI/6.5.2',\
    ver:'OWASP_CRS/3.2.0',\
    severity:'CRITICAL',\
    setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
```
The regular expression in this configuration file is generated from util/regexp-assemble/regexp-942190.data, whose content is:

```
[\"'`]\s*?!\s*?[\"'`\w]
[\"'`];?\s*?having\b\s*?[^\s]
[\"'`];?\s*?select\b\s*?[^\s]
[\"'`];?\s*?union\b\s*?[^\s]
\s*?exec.*?\Wxp_cmdshell
\s*?execute.*?\Wxp_cmdshell
\wiif\s*?\(
connection_id\s*?\([^\)]*?
current_user\s*?\([^\)]*?
database\s*?\([^\)]*?
exec\s+master\.
execute\s+master\.
from\W+information_schema\W
into[\s+]+dumpfile\s*?[\"'`]
into[\s+]+outfile\s*?[\"'`]
schema\s*?\([^\)]*?
select.*?\w?user\(
union select @
union[\w(\s]*?select
user\s*?\([^\)]*?
```
A SecRule directive has the following form: SecRule variable operator [Actions]
- variable: describes which variable(s) should be inspected.
- operator: describes how to inspect them. The operator is in effect a regular expression, but ModSecurity itself provides many operators, which are used simply by writing "@operator".
- Actions: the third part, which is optional. It specifies what to do once the rule matches.
So let's take a closer look at rule 942190:
The variables inspected include: all cookies (REQUEST_COOKIES, with !REQUEST_COOKIES:/__utm/ excluding the cookies whose name matches /__utm/) and the cookie names (REQUEST_COOKIES_NAMES), the POST parameters (ARGS) and the POST parameter names (ARGS_NAMES), and of course the XML body (XML:/*):

```
REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*
```
The matching rule (the regular expression): this regex is in fact imported from the file util/regexp-assemble/regexp-942190.data. The regexp-942190.data file is somewhat more readable, especially for people who are not familiar with regex syntax:

```
"@rx (?i:(?:[\"'`](?:;?\s*?(?:having|select|union)\b\s*?[^\s]|\s*?!\s*?[\"'`\w])|(?:c(?:onnection_id|urrent_user)|database)\s*?\([^\)]*?|u(?:nion(?:[\w(\s]*?select| select @)|ser\s*?\([^\)]*?)|s(?:chema\s*?\([^\)]*?|elect.*?\w?user\()|into[\s+]+(?:dump|out)file\s*?[\"'`]|\s*?exec(?:ute)?.*?\Wxp_cmdshell|from\W+information_schema\W|exec(?:ute)?\s+master\.|\wiif\s*?\())"
```
After the rule matches, the next step is to run these actions, which write the following information to the log:

```apache
"id:942190,\
phase:2,\
block,\
capture,\
t:none,t:urlDecodeUni,\
msg:'Detects MSSQL code execution and information gathering attempts',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-sqli',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\
tag:'WASCTC/WASC-19',\
tag:'OWASP_TOP_10/A1',\
tag:'OWASP_AppSensor/CIE1',\
tag:'PCI/6.5.2',\
ver:'OWASP_CRS/3.2.0',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
```

The message, msg:'Detects MSSQL code execution and information gathering attempts', states that this rule specifically detects MSSQL code execution and information gathering attempts.
Examples
- Example 1: the logdata format is:

```
Matched Data: ' union a found within ARGS:pagetempid: ' union all select 1 /**/,2,user,name,MD5(concat(user,'l0aZXUYJ876Mn5rQoL55B',password,'123')),6,7,8,9,10,11,12,13,14,15,16,17,18,19,20 from {P}_base_admin --
```

and the template is logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}'. In this example, the value of %{TX.0} is ' union a, the value of %{MATCHED_VAR_NAME} is ARGS, and the value of %{MATCHED_VAR} is pagetempid. In plain words: the matched variable is a parameter submitted by POST (ARGS), the parameter name is pagetempid, and the rule matched because the parameter contains ' union a.
- Example 2:

```
Matched Data: \x22!5 found within ARGS_NAMES:\x5cx05U-\x5cxa7\x5cxd9\x5cx0c\x5cxf1\x5cx17\x5cx11OD\x5cxe1\x5cx8c\x5cxb5!\x5cx0e\x5cx7f\x5cxf3\x5cxc9\x5cxc2\x5cxc3\x5cxcf\x5cxd5\x5cxe4\x5cxc5V\x5cxf8\x5cxf4\x5cx1fV\x5cxd5\x5cx13\x5cxdf\x5cx9dV\x5cx04o\x5cxf2\x5cxd1Q\x5cxea\x5cxf3_\x5cxa2\x5cxec\x5cx7fZ\x5cxd3\x5cx1f\x5cxcd3\x5cxa6\x5ctO\x5cx8cO\x5cxbbZ\x5cxe3\x5cx83\x5cx1e\x5cx86\x5cx9b\x5cxbb\x5cxd1l\x5cx8cK\x5cx8fQ\x5cxc9c!)\x5cxd9\x5cxf7lu\x5cxae6\x5cv\x5cx9d[\x5cv\x5cxf1\x5cx9b|\x5cx1f\x5cx7fN[E\x5cxfb\x5cx9b\x5cr\x5cx1b\x5cx86\x5cx9eK1\x5cxc3\x5cx0f\x5cxf4\x5cxe4J}\x5cxa8\x5cx8c \x5cxf1\x5cx13\x5cx9c8~!\x5cxca1\x22!5\x5cx80~\x5cxdc\x5cxd9:\x5cxa1\x5cxa8\x5cxe7y\x5cxa0M\x5cxc5\x5cxf5\x5cxad\x5cxc5\x5cxa24\x5cx91z\x5cxc7\x5cxe7D\x5cx7f\x5cx0c\x5cx97\x5cxbb\x5cxde:\x5cx06#\x5cx1cZe1\x5cx9b;\x5cxf0\x5cx96\x5cxc1$\x5cxf6'\x5cx8b\x5cvA\x5cxaf\x5cx82ii\x5cxb2\x5cxb9-\x5cxd1_\x5cxd3\x5cxd0\x5cxe1\x5cxaa\x5cxad\x5cxf9\x5cx1eO\x5cxc2au\x5c\x5c\x5cxba\x5cxfc\x5cx12 \x5cx01tZ\x5cxa9<c\x5cxb7\x5cxf7\x5cx05>;\x5cxeei\x5cxd9{\x5cxac\x5cxdd\x5cxde\x5cxaaZK\x5cx87\x5cx1dt\x5cx16 \x5cxf1\x5cxc3\x5cxfc:\x5cxaf\x5cx03\x5cx8e\x5cxe2|\x5cxf0\x5cxb4\x5cxd3\x5cxeb\x5cxaa\x5cx9f\x5cx11\x5cxc7\x5cxc7\x5cx8d\x5cx93\x5cxe2\x5cxfc\x5cx9cC>\x5cx83\x5cxc2M#\x5cx94U\x5cxdb;\x5cxc6\x5cnB\x5cxd9ti\x5ct\x5cx8a\x5cxa8j\x5cxc2\x5cxf3\x5cxda\x5cxab\x5cxdd\x5cx07\x5cxe3.\x5cx87\x5cx93\x5cx94\x5cxbb\x5cx1a7\x5cxab\x5cx01k\x5cxf0)\x22\x5cxd9N\x5cxfb\x5c\x5c\x5cxe4\x5cxcb\x5cx9f\x5cx10W\x5cx8a\x5cx03\x5cx89\x5cx00\x5cxbar\x5cxeb\x5cxbb\x5cx8c0\x5cx17\x5cxbd\x5cxe0\x5cxa3K\x5cx0e\x5cxaf\x5cxca\x5cx9d\x5cxc8\x5cx9bf\x5cx16\x5cx80\x5cxaf\x5cxc0k\x5cxa0IJ\x5cxae\x5c\x5c\x5cxbf\x5cxa1{*\x22k0\x5cxee1\x5cxba\x5cxa4\x5cx9c\x5ct\x5cx82\x5cx05 \x5cx0eX\x5cxab\x5cxa71\x5cxd2??\x5cxfb\x5cxe7\x5cx1b: 
```

At first I could not make sense of this encoding 😥. It turns out to be hexadecimal; converting the hex back to a string gives the following:

```
\x05U-\xa7\xd9\x0c\xf1\x17\x11OD\xe1\x8c\xb5!\x0e\x7f\xf3\xc9\xc2\xc3\xcf\xd5\xe4\xc5V\xf8\xf4\x1fV\xd5\x13\xdf\x9dV\x04o\xf2\xd1Q\xea\xf3_\xa2\xec\x7fZ\xd3\x1f\xcd3\xa6\x09O\x8cO\xbbZ\xe3\x83\x1e\x86\x9b\xbb\xd1l\x8cK\x8fQ\xc9c!)\xd9\xf7lu\xae6\x0b\x9d[\x0b\xf1\x9
```

This means the POST parameter name matched the rule. The matched content is \x22!5. I have not figured out how this got matched 😥.
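Added example (not CRS code; the sample log line is a constructed, shortened version of example 1): this Python script parses a 942190 logdata line back into its three macros, where the template makes everything between "found within " and the next ": " the %{MATCHED_VAR_NAME} (here ARGS:pagetempid, collection and key together) and the remainder the %{MATCHED_VAR}, and then runs the inspected value against each source pattern from regexp-942190.data to show which data-file line fired. It also accounts for example 2: \x22 in the log is a literal double quote, so the parameter name contains "!5, which satisfies the first data-file line (a quote, optional whitespace, !, optional whitespace, then a quote or word character).

```python
import re
# The rule's logdata template (copied from the rule above); the named groups
# recover %{TX.0}, %{MATCHED_VAR_NAME} (COLLECTION:key) and %{MATCHED_VAR}.
LOGDATA_RE = re.compile(
    r"^Matched Data: (?P<tx0>.*?) found within (?P<name>.*?): (?P<var>.*)$", re.S)

# The 20 source patterns from regexp-942190.data listed above; Regexp::Assemble
# ORs them into the single (?i:...) regex that the rule's @rx operator uses.
COMPONENTS = r"""
[\"'`]\s*?!\s*?[\"'`\w]
[\"'`];?\s*?having\b\s*?[^\s]
[\"'`];?\s*?select\b\s*?[^\s]
[\"'`];?\s*?union\b\s*?[^\s]
\s*?exec.*?\Wxp_cmdshell
\s*?execute.*?\Wxp_cmdshell
\wiif\s*?\(
connection_id\s*?\([^\)]*?
current_user\s*?\([^\)]*?
database\s*?\([^\)]*?
exec\s+master\.
execute\s+master\.
from\W+information_schema\W
into[\s+]+dumpfile\s*?[\"'`]
into[\s+]+outfile\s*?[\"'`]
schema\s*?\([^\)]*?
select.*?\w?user\(
union select @
union[\w(\s]*?select
user\s*?\([^\)]*?
""".strip().splitlines()
PATTERNS = [(p, re.compile(p, re.I)) for p in COMPONENTS]

def parse_logdata(line):
    """Return (TX.0, MATCHED_VAR_NAME, MATCHED_VAR) from a 942190 log line."""
    m = LOGDATA_RE.match(line)
    if not m:
        raise ValueError("not a 942190 logdata line")
    return m.group("tx0"), m.group("name"), m.group("var")

def explain(value):
    """Return (source pattern, matched text) for every component that fires."""
    return [(p, rx.search(value).group(0)) for p, rx in PATTERNS if rx.search(value)]

# Constructed samples shaped like the two examples above (payload shortened).
SAMPLE_LOG = ("Matched Data: ' union a found within ARGS:pagetempid: "
              "' union all select 1,2,user from admin --")
SAMPLE_NAME = "\x22!5"   # example 2: \x22 is '"', so the name contains "!5

if __name__ == "__main__":   # the first hit on the value reproduces TX.0
    print(explain(parse_logdata(SAMPLE_LOG)[2]), explain(SAMPLE_NAME))
```

The data file's `union[\w(\s]*?select` line also fires on the example 1 value, which is why the author's payload would still be caught even without the leading quote.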