为了去往别处

0%

modsecurity防护crs规则学习之SQL注入-ruleid=942240

发表于 更新于 分类于
本文字数: 2.3k 阅读时长 ≈ 2 分钟
学习SQL注入

防护规则学习之SQL注入

  • 攻击类型:注入攻击
  • ruleid: 942240

规则配置文件

我直接从github下载了owasp-modsecurity-crs-3.3的源码。
规则配置文件位于:F:\学习资料\owasp-modsecurity-crs-3.3-dev\owasp-modsecurity-crs-3.3-dev\rules\REQUEST-942-APPLICATION-ATTACK-SQLI.conf

点击展开ruleid=942240的配置内容 

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
# Regexp generated from util/regexp-assemble/regexp-942240.data using Regexp::Assemble.
# To rebuild the regexp:
#   cd util/regexp-assemble
#   ./regexp-assemble.pl regexp-942240.data
# Note that after assemble an outer bracket with an ignore case flag is added
# to the Regexp::Assemble output:
#   (?i:ASSEMBLE_OUTPUT)
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i:(?:[\"'`](?:;*?\s*?waitfor\s+(?:delay|time)\s+[\"'`]|;.*?:\s*?goto)|alter\s*?\w+.*?cha(?:racte)?r\s+set\s+\w+))" \
    "id:942240,\
    phase:2,\
    block,\
    capture,\
    t:none,t:urlDecodeUni,\
    msg:'Detects MySQL charset switch and MSSQL DoS attempts',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-multi',\
    tag:'attack-sqli',\
    tag:'paranoia-level/1',\
    tag:'OWASP_CRS',\
    tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\
    tag:'WASCTC/WASC-19',\
    tag:'OWASP_TOP_10/A1',\
    tag:'OWASP_AppSensor/CIE1',\
    tag:'PCI/6.5.2',\
    ver:'OWASP_CRS/3.2.0',\
    severity:'CRITICAL',\
    setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"

这条规则的正则表达式由F:\学习资料\owasp-modsecurity-crs-3.3-dev\owasp-modsecurity-crs-3.3-dev\util\regexp-assemble\regexp-942240.data生成。

点击展开regexp-942240.data 

1
2
3
4
5
alter\s*?\w+.*?character\s+set\s+\w+
alter\s*?\w+.*?char\s+set\s+\w+
[\"'`];*?\s*?waitfor\s+time\s+[\"'`]
[\"'`];*?\s*?waitfor\s+delay\s+[\"'`]
[\"'`];.*?:\s*?goto

msg:'Detects MySQL charset switch and MSSQL DoS attempts'这条规则用于检测mysql字符转换和MSSQL Dos尝试。

实例

1
Matched Data: '; waitfor delay ' found within ARGS:activityId: 27)'; waitfor delay '0:0:2' --

匹配的变量是post参数(ARGS),参数名称是activityId,匹配的数据是'; waitfor delay '
image.png

总结

简单的规则。

-------------本文结束感谢您的阅读-------------