
ModSecurity protection CRS rule study, SQL injection: ruleid=942270

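Preface

Continuing the study of the SQL injection rules.

Protection rule study: SQL injection

  • Attack type: injection attack
  • ruleid: 942270

Rule configuration file

I downloaded the owasp-modsecurity-crs-3.3 source code directly from GitHub.
The rule configuration file is located at: F:\学习资料\owasp-modsecurity-crs-3.3-dev\owasp-modsecurity-crs-3.3-dev\rules\REQUEST-942-APPLICATION-ATTACK-SQLI.conf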

Configuration of ruleid=942270:

SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)union.*?select.*?from" \
"id:942270,\
phase:2,\
block,\
capture,\
t:none,t:urlDecodeUni,\
msg:'Looking for basic sql injection. Common attack string for mysql, oracle and others',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-sqli',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\
tag:'WASCTC/WASC-19',\
tag:'OWASP_TOP_10/A1',\
tag:'OWASP_AppSensor/CIE1',\
tag:'PCI/6.5.2',\
ver:'OWASP_CRS/3.2.0',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"

The pattern the rule matches is:

(?i)union.*?select.*?from

msg:'Looking for basic sql injection. Common attack string for mysql, oracle and others': this rule matches basic SQL injection, including attack strings commonly used against MySQL, Oracle and other databases.

Example

  • Sample
    Matched Data: union*//*!50000select*/1,2,3,(select CONCAT(0x7c,userid,0x7c,pwd) from found within ARGS:_FILES[type][tmp_name]: \x5c' or mid=@`\x5c'` /*!50000union*//*!50000select*/1,2,3,(select CONCAT(0x7c,userid,0x7c,pwd) from `#@__admin` limit 0,1),5,6,7,8,9#@`\x5c'`
    The matched variable is a parameter submitted via POST (ARGS), the parameter name is _FILES[type][tmp_name], and the data that matched the rule is union*//*!50000select*/1,2,3,(select CONCAT(0x7c,userid,0x7c,pwd) from
    It hit the rule: (?i)union.*?select.*?from
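
The following Python sketch is an added example, not CRS or ModSecurity code and not from the original post. It replays the rule's pattern over the logged value and a few constructed inputs to show why Matched Data stops at the first "from", what t:urlDecodeUni contributes, and that ordinary prose can also hit the rule. The names url_decode_uni, targets, evaluate_942270 and SAMPLES are hypothetical, the decoder is a simplified stand-in, and the XML:/* target is left out.

```python
import re

# Pattern copied from rule 942270. DOTALL is an assumption about how the
# engine compiles @rx; it only matters for values that contain newlines.
RULE_RX = re.compile(r"(?i)union.*?select.*?from", re.DOTALL)
PCT = re.compile(r"%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})")

def url_decode_uni(value):
    """Simplified stand-in for t:urlDecodeUni: handles '+', %XX and %uXXXX."""
    value = value.replace("+", " ")
    return PCT.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), value)

def targets(args, cookies):
    """Yield (variable name, raw value) for the rule's non-XML targets."""
    for name, value in cookies.items():
        if "__utm" not in name:  # models !REQUEST_COOKIES:/__utm/
            yield f"REQUEST_COOKIES:{name}", value
    for name in cookies:
        yield f"REQUEST_COOKIES_NAMES:{name}", name
    for name in args:
        yield f"ARGS_NAMES:{name}", name
    for name, value in args.items():
        yield f"ARGS:{name}", value

def evaluate_942270(args, cookies=None):
    """Return [(variable, TX.0)] for every target the pattern matches."""
    hits = []
    for var, raw in targets(args, cookies or {}):
        m = RULE_RX.search(url_decode_uni(raw))
        if m:
            hits.append((var, m.group(0)))  # capture stores the match in TX.0
    return hits

# The MATCHED_VAR value exactly as printed in the page's log line.
LOGGED = (r"\x5c' or mid=@`\x5c'` /*!50000union*//*!50000select*/1,2,3,"
          r"(select CONCAT(0x7c,userid,0x7c,pwd) from `#@__admin` limit 0,1)"
          r",5,6,7,8,9#@`\x5c'`")
# Constructed requests: (args, cookies)
SAMPLES = {
    "page log": ({"_FILES[type][tmp_name]": LOGGED}, {}),
    "benign prose": ({"comment": "The union will select delegates from each region"}, {}),
    "encoded prose": ({"comment": "trade+%u0075nion+members+%73elect+one+from+each"}, {}),
    "wrong order": ({"q": "select a plan from the credit union"}, {}),
    "utm cookie": ({}, {"__utmz": "union select from"}),
}

if __name__ == "__main__":
    for label, (args, cookies) in SAMPLES.items():
        print(label, "->", evaluate_942270(args, cookies))
```

The "benign prose" hit is the tuning concern with this pattern: any free-text field containing the three words in order matches, so false positives on such fields are handled with a targeted rule exclusion rather than by disabling the rule.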

Summary

This rule is relatively simple.
