防护规则学习之SQL注入
- 攻击类型:注入攻击
- ruleid: 942230
规则配置文件
我直接从github下载了owasp-modsecurity-crs-3.3的源码。
规则配置文件位于:F:\学习资料\owasp-modsecurity-crs-3.3-dev\owasp-modsecurity-crs-3.3-dev\rules\REQUEST-942-APPLICATION-ATTACK-SQLI.conf
点击展开ruleid=942230的配置内容
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i:[\s()]case\s*?\(|\)\s*?like\s*?\(|having\s*?[^\s]+\s*?[^\w\s]|if\s?\([\d\w]\s*?[=<>~])" \
"id:942230,\
phase:2,\
block,\
capture,\
t:none,t:urlDecodeUni,\
msg:'Detects conditional SQL injection attempts',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-sqli',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\
tag:'WASCTC/WASC-19',\
tag:'OWASP_TOP_10/A1',\
tag:'OWASP_AppSensor/CIE1',\
tag:'PCI/6.5.2',\
ver:'OWASP_CRS/3.2.0',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
匹配规则:
1 | (?i:[\s()]case\s*?\(|\)\s*?like\s*?\(|having\s*?[^\s]+\s*?[^\w\s]|if\s?\([\d\w]\s*?[=<>~]) |
msg:'Detects conditional SQL injection attempts'这条规则检测条件式SQL注入的尝试。像case、like、having、if这些关键字就是条件式的SQL语法。
实例
- 例子1:匹配的变量是post提交参数(ARGS),参数名称是
1
Matched Data: HavinGQZxeoAnAjGb5Tbcwz2T1qAmuJK73rqizh2KlsDD4a762L2662KzhMLW1oGG0gvd4daqnHae0f27wqXVn/vLwDp52/ found within ARGS:padimg: <?xml version=\x221.0\x22 encoding=\x22UTF-8\x22?><BJCAROOT><Version>1</Version><SignTID>1122</SignTID><EncKey>bm4Ppg2N6pHJ24kpS1BHJ0d8UlLu3nKsbpOZ8c9TjGZtGLqqGWPXyolcIVTGnrfgzKZXYIkPWKREMFpqoujPoaCV0s/CSOQLqHjYc06gXsh7Imzwwy8p36ojyhv6A8j w8Jxuj0PDHYTBTXP3yVszrEfBe7pYtyF1uSH59444zw=</EncKey><Cert><EncCertSN>102105000006752389</EncCertSN><EncCertKeyID>N/A</EncCertKeyID><EncAlg>1</EncAlg></Cert><EncData>yNvts2rPTUFjCUVCCHPzqqMWrTJeqrJIpUTmhhSs3zDihU6BjLTv0KsDpkvj0EhE4D7RL/5YEpPCk3gNWp3WKQJQoPdkSmKmBKP85SgqAG6yN G mK0lBbnXgUsm8P9E8b72yMeLmrMzVrOwZDz49MeGzKoqaLzLAhxhypsP9kMPDkuZc9EepR5i/ LWnN/Qw C8eepwvZOh3zsoPPNoY9TThBVbHIsp3iFDe5yQ3Y6tKLM7ihAUDIlTHXc85ffplOeMJFQredULgGAcBte2cGPQ B0C3BvehKdZCsqPzdlSNSDHsU0yiK/vFJAbR/QopPrAKjYsfhCw/IZc wdDSbkC5vmKyFNHROsrPIkMBhV0WCnyowr4iIijqK 7Mq0MQJ0uGw2xaf 4NKf1LEtPaybvjxpMb/rWouIbc/s4Zm6g7wFfHYh7/e8kMLoqPGBQ4AlI9t8JQMknycvUOSi0qEcSXJeemny3woqBAMTiEhrBAxRc54f2wQsD92Ijyn1/5 pyxURjuUrSjNVPwJAp68vVrAwx5KrTu6tVmX/RqcddpJkF58arkqbGRAMtIlCgDF5syEnr7UV7Iiv4mKyWN/3r95dADM6iSy9jBRe5GzOdbSiI81fHlmi1l83I39cKTgajqoRD0ONr1qxFpmjk0D1/kLHUmKwVAZTQm OyZ1Hj5YEty3IkDxi gaZjWi86x3QqUCNDc1rygaTB/QOTn2x1mvd5CfUTuwi hhNm2dU3r0FDJXhI8ObGnBcIoFf6Hb4F8I/ezRQSlyOb6tG Z3EV2nqCsFgwOVL9baefpPFnERxysrK1Oc5i2SMHpdhyM4s2W/hYImnLCM2sNmmu1iA5Jc/3eL73MKA6TosrcVBo8ECl20atja6oCht/lWiQinAkKfRUDlHBJ/zjK8vEo4Jis5Gwpo4BtC9doETTrf2W5zjFKZjnHByq7pbfDa0jmtg6aA54Qy/z2JhHMFg3iPeig0kpbOI9kZkmBshC2ia uKtlXiAbthcazWEycuDnISXXGacjKS4GZ49zPMbS9KzoOZMsVT1Y yADLWf3ZDodsYxFoXR8tzAI02ZeaT6RLvg46iTL3Qkvhs3d rC/aJbHmSWY2EiocB9l7UzArve0ZEBSZKEQGCmO8fDNmRHHnnxDVRNcm0DKGYOF9z0faynk5UnBXoLyTDURP/HpULG5L4HaYr7lDWbLCzJurV1ovkuMeCvlGZ5drNGKBhBH60P4Cq8O5fHSCmUtFbV75SjAoHlGg/LUF2iHD3kvBwZSnHqg8AgMcMoQQpcLdDhDe9wLDWt574apt803fhWD9IHtzPokolc HbzTUfZvggd0agpFLV0Q2fD3V46ft1SMVhh5PhM 8TOX01df9D7nQonMIcRogYYg4h1VeM 7WSVh75vABa9O9/wyFaJ JkY7v4J3lMT5G1o47Yb4Nl/8yf1nAjMM9iUAmptlq1c8YbCjNGTfWOaJ3Dctf9Zeog02G2wfrdgWQSFby7
padimg,匹配的数据是HavinGQZxeoAnAjGb5Tbcwz2T1qAmuJK73rqizh2KlsDD4a762L2662KzhMLW1oGG0gvd4daqnHae0f27wqXVn/vLwDp52/。
也就是匹配到了关键字having。 - 例子2:匹配的变量是post提交参数(ARGS),参数名称是
1
Matched Data: if(a= found within ARGS:source: {\x22size\x22:1,\x22query\x22:{\x22filtered\x22:{\x22query\x22:{\x22match_all\x22:{}}}},\x22script_fields\x22:{\x22b9b7dd1c421e005bc9a7f70b848e3d0e\x22:{\x22script\x22:\x22import java.util.*;\x5cnimport java.io.*;\x5cna=\x5c\x221\x5c\x22;\x5cnif(a==\x5c\x221\x5c\x22)\x5cnreturn \x5c\x22098f6bcd4621d373cade4e832627b4f6\x5c\x22;\x22}}}
source,匹配的数据是if(a=。匹配的关键字就是if。
总结
easy。但是这个规则容易误拦截,尤其是if就只有两个字符,那些经过编码的数据很容易匹配到这个关键字。
