
ModSecurity CRS rule study, SQL injection: ruleid=942280

Rule study: SQL injection

  • Attack type: injection attack
  • ruleid: 942280

Rule configuration file

I downloaded the owasp-modsecurity-crs-3.3 source directly from GitHub.
The rule configuration file is located at: F:\学习资料\owasp-modsecurity-crs-3.3-dev\owasp-modsecurity-crs-3.3-dev\rules\REQUEST-942-APPLICATION-ATTACK-SQLI.conf

Configuration for ruleid=942280:

# Regexp generated from util/regexp-assemble/regexp-942280.data using Regexp::Assemble.
# To rebuild the regexp:
# cd util/regexp-assemble
# ./regexp-assemble.pl regexp-942280.data
# Note that after assemble an outer bracket with an ignore case flag is added
# to the Regexp::Assemble output:
# (?i:ASSEMBLE_OUTPUT)
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i:(?:;\s*?shutdown\s*?(?:[#;]|\/\*|--|\{)|waitfor\s*?delay\s?[\"'`]+\s?\d|select\s*?pg_sleep))" \
"id:942280,\
phase:2,\
block,\
capture,\
t:none,t:urlDecodeUni,\
msg:'Detects Postgres pg_sleep injection, waitfor delay attacks and database shutdown attempts',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-sqli',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\
tag:'WASCTC/WASC-19',\
tag:'OWASP_TOP_10/A1',\
tag:'OWASP_AppSensor/CIE1',\
tag:'PCI/6.5.2',\
ver:'OWASP_CRS/3.2.0',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"

The regular expression in this rule is generated from F:\学习资料\owasp-modsecurity-crs-3.3-dev\owasp-modsecurity-crs-3.3-dev\util\regexp-assemble\regexp-942280.data.

Contents of regexp-942280.data:

select\s*?pg_sleep
waitfor\s*?delay\s?[\"'`]+\s?\d
;\s*?shutdown\s*?;
;\s*?shutdown\s*?--
;\s*?shutdown\s*?#
;\s*?shutdown\s*?\/\*
;\s*?shutdown\s*?{

The msg 'Detects Postgres pg_sleep injection, waitfor delay attacks and database shutdown attempts' describes what this rule detects: PostgreSQL pg_sleep injection, WAITFOR DELAY (time-based) attacks, and attempts to shut the database down. The three alternatives in the regex map one-to-one onto the three groups of lines in the .data file above.

Example

Matched Data: waitfor delay'0 found within ARGS_NAMES:1,0)waitfor delay'0:0:20'--: 1,0)waitfor delay'0:0:20'--

Here the payload was placed in the parameter name rather than its value, so the matched variable is a parameter name (ARGS_NAMES) and the matched data (TX.0) is waitfor delay'0, the shortest substring that satisfies the waitfor\s*?delay\s?[\"'`]+\s?\d alternative.
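As an added example (not part of the original post or of the CRS project), the rule's regex and variable list are reproduced below in Python so the match can be stepped through offline: the same regex, a simplified stand-in for t:urlDecodeUni (assumption: a reimplementation, not libmodsecurity's code), and a handful of constructed inputs, including the parameter-name payload from the log line above, a URL-encoded shutdown, and two near-misses that show where the pattern stops matching.

```python
import re
import urllib.parse

# The assembled regex from CRS rule 942280, copied verbatim from the SecRule.
RULE_942280 = re.compile(
    r"(?i:(?:;\s*?shutdown\s*?(?:[#;]|\/\*|--|\{)"
    r"|waitfor\s*?delay\s?[\"'`]+\s?\d"
    r"|select\s*?pg_sleep))"
)


def urldecode_uni(value: str) -> str:
    """Stand-in for ModSecurity's t:urlDecodeUni (assumption: a simplified
    reimplementation, not libmodsecurity's code): decode IIS-style %uXXXX
    escapes, then ordinary %XX escapes with '+' treated as a space."""
    value = re.sub(r"%u([0-9a-fA-F]{4})",
                   lambda m: chr(int(m.group(1), 16)), value)
    return urllib.parse.unquote_plus(value)


def check_request(args: dict, cookies: dict) -> list:
    """Apply rule 942280 to one request the way phase 2 would see it.

    Targets mirror the SecRule's variable list: every ARGS value and
    ARGS_NAMES name, every REQUEST_COOKIES_NAMES name, and every
    REQUEST_COOKIES value except cookies whose name contains '__utm'
    (the !REQUEST_COOKIES:/__utm/ exclusion removes only the value;
    the cookie name itself is still inspected).  Each hit carries the
    equivalents of MATCHED_VAR_NAME, TX.0 and MATCHED_VAR from logdata.
    """
    targets = []
    for name, value in args.items():
        targets.append(("ARGS_NAMES:" + name, name))
        targets.append(("ARGS:" + name, value))
    for name, value in cookies.items():
        targets.append(("REQUEST_COOKIES_NAMES:" + name, name))
        if "__utm" not in name:
            targets.append(("REQUEST_COOKIES:" + name, value))

    hits = []
    for var_name, raw in targets:
        decoded = urldecode_uni(raw)          # t:none,t:urlDecodeUni
        m = RULE_942280.search(decoded)
        if m:
            hits.append({
                "matched_var_name": var_name,
                "matched_data": m.group(0),   # what %{TX.0} holds
                "matched_var": decoded,
            })
    return hits


# Constructed sample requests (not captured traffic).  The first one
# reproduces the log line shown on this page: the payload sits in the
# parameter *name*, so the hit is reported under ARGS_NAMES.
SAMPLES = {
    "payload in param name": ({"1,0)waitfor delay'0:0:20'--": "1"}, {}),
    "url-encoded shutdown":  ({"q": "1;%20shutdown%20--"}, {}),
    "pg_sleep via union":    ({"id": "1 union SELECT pg_sleep(5)--"}, {}),
    "shutdown without ';'":  ({"action": "shutdown"}, {}),
    "waitfor without quote": ({"q": "waitfor delay 0:0:5"}, {}),
    "__utm cookie excluded": ({}, {"__utma": "x; shutdown --"}),
}


def run_samples() -> dict:
    """Return {sample label: matched data or None} for every sample."""
    result = {}
    for label, (args, cookies) in SAMPLES.items():
        hits = check_request(args, cookies)
        result[label] = hits[0]["matched_data"] if hits else None
    return result


if __name__ == "__main__":
    for label, data in run_samples().items():
        print(f"{label:24s} -> {data!r}")
```

The two non-matching samples are the instructive ones: shutdown on its own never fires because the regex insists on a leading ; and a trailing terminator, and waitfor delay 0:0:5 never fires because the pattern requires a quote character between delay and the first digit. The cookie sample shows the __utm exclusion working on the cookie value only.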

Summary

This rule, too, is plain keyword matching: each alternative only fires on the exact shapes listed in the .data file (a ; before shutdown followed by one of ;, --, #, /* or {; waitfor delay followed by a quote and a digit; select directly followed by pg_sleep). The only transformation applied is t:urlDecodeUni, so URL-encoded payloads are decoded before the match, and a hit at paranoia level 1 adds tx.critical_anomaly_score to both tx.sql_injection_score and tx.anomaly_score_pl1.
