Comments (14)
What version of CRS are you using? With the current version, our demo catches this easily -
http://www.modsecurity.org/demo/phpids?test=a%27%2F**%2F%2F*!unIoN*%2F%2F**%2F%2F*!SelEct*%2F%2F**%2F1%2C%2F*!table_name*%2F%2Cdatabase%28%29%2F**%2Ffrom%2F**%2Finformation_schema.tables%2F**%2FWheRe%2F**%2FtablE_SchEma%3DdaTabase%28%29--%2B-
from owasp-modsecurity-crs.
Hi rcbarnett,
Core ModSecurity Rule Set ver. 2.2.7
Thanks for the report btw. Am I missing something?
I guess so... Can you post an audit log file of the transaction?
Log: modsec_audit.log
--8a424c11-A--
[29/May/2013:08:11:11 --0500] UaX@b63HudQAADViPYwAAAAA xxxx.xxxx.xxxx xxxx xxxx xxxx.xxxx.xxxx
--8a424c11-B--
--8a424c11-F--
--8a424c11-H--
Message: Access denied with code 501 (phase 2). Match of "rx ^((?:(?:POS|GE)T|OPTIONS|HEAD))$" against "REQUEST_METHOD" required. [file "/usr/local/apache/conf/modsec2.user.conf.default"] [line "38"] [id "1234123435"] [msg "Method is not allowed by policy"] [severity "CRITICAL"] [tag "POLICY/METHOD_NOT_ALLOWED"]
Apache-Error: [file "core.c"] [line 3706] [level 3] File does not exist: /usr/local/apache/htdocs/501.shtml
Action: Intercepted (phase 2)
Stopwatch: 1369833071826341 982 (- - -)
Stopwatch2: 1369833071826341 982; combined=51, p1=6, p2=40, p3=0, p4=0, p5=5, sr=0, sw=0, l=0, gc=0
Producer: ModSecurity for Apache/2.7.3 (http://www.modsecurity.org/).
Server: Apache
Engine-Mode: "ENABLED"
--8a424c11-Z--
Hello,
I have posted the log by updating my previous post.
Hello! Any solution to my problem?
You have posted the audit log from a request which was denied, but you said the request is not blocked.
So that's the wrong entry.
Now rcbarnett is asking for a log which I could not generate,
because if I enter the SQL in question (see below), it bypasses the rule, so no log is recorded at /usr/local/apache/logs/modsec_audit.log
a'/**//*!unIoN*//**//*!SelEct*//**/1,/*!table_name*/,database()/**/from/**/information_schema.tables/**/WheRe/**/tablE_SchEma=daTabase()--+-
But as mentioned in the question, if I enter the SQL below, it gets blocked successfully and a log is recorded.
a' union sElEcT 1,2,table_nAme fRom informAtion_schemA.tAbles WhErE tablE_scHemA=dAtabase()-- -
Part of the log:
--5c6ba669-H--
Message: Access denied with code 406 (phase 2). Pattern match "\b(?:(?:s(?:ys(?:(?:(?:process|tabl)e|filegroup|object)s|c(?:o(?:nstraint|lumn)s|at)|dba|ibm)|ubstr(?:ing)?)|user_(?:(?:(?:constrain|objec)t|tab(?:column|le)|ind_column|user)s|password|group)|a(?:tt(?:rel|typ)id|ll_objects)|object(?:(?:nam|typ)e|id) ..." at ARGS:model. [file "/usr/local/apache/conf/modsec2.user.conf.default"] [line "77"] [id "1234123453"] [msg "Blind SQL Injection Attack"] [data "table_name"] [severity "CRITICAL"] [tag "WEB_ATTACK/SQL_INJECTION"]
Apache-Error: [file "core.c"] [line 3706] [level 3] File does not exist: /home/xxxxx/public_html/406.shtml, referer: http://xxxx.xx/xxxx.php
Action: Intercepted (phase 2)
Stopwatch: 1369930625927307 2901 (- - -)
Stopwatch2: 1369930625927307 2901; combined=1695, p1=52, p2=1635, p3=0, p4=0, p5=8, sr=0, sw=0, l=0, gc=0
Response-Body-Transformed: Dechunked
Producer: ModSecurity for Apache/2.7.3 (http://www.modsecurity.org/).
Server: Apache
Engine-Mode: "ENABLED"
--5c6ba669-Z--
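The two payloads above differ only in how the keywords are separated: the blocked one uses whitespace, the bypassing one wraps `union`, `select` and `table_name` in MySQL `/*!...*/` version comments and pads with `/**/`. A rule that matches the raw value never sees `union select` as adjacent words, while a rule that first strips comments does. The following added example (written for this thread, not CRS or ModSecurity code) models both behaviours in Python: `naive_match` runs a `union\s+select` signature on the raw value, and `matched_signatures` runs the same signatures after a normalization step that URL-decodes, unwraps version comments, drops block comments, lowercases and collapses whitespace. The sample values are constructed from the payloads quoted in this thread; the signature names are arbitrary.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample inputs (hypothetical request values, not captured traffic):
# the comment-obfuscated payload discussed in the thread, its URL-encoded form
# as sent to the CRS demo, and the plain variant the reporter says is blocked.
OBFUSCATED = ("a'/**//*!unIoN*//**//*!SelEct*//**/1,/*!table_name*/,database()"
              "/**/from/**/information_schema.tables/**/WheRe/**/tablE_SchEma=daTabase()--+-")
ENCODED = ("a%27%2F**%2F%2F*!unIoN*%2F%2F**%2F%2F*!SelEct*%2F%2F**%2F1%2C%2F*!table_name*%2F"
           "%2Cdatabase%28%29%2F**%2Ffrom%2F**%2Finformation_schema.tables%2F**%2FWheRe"
           "%2F**%2FtablE_SchEma%3DdaTabase%28%29--%2B-")
PLAIN = ("a' union sElEcT 1,2,table_nAme fRom informAtion_schemA.tAbles "
         "WhErE tablE_scHemA=dAtabase()-- -")

# A naive signature that looks for 'union' and 'select' separated by whitespace
# in the raw value. Comment sequences between the keywords defeat it.
NAIVE_UNION_SELECT = re.compile(r"\bunion\s+select\b", re.IGNORECASE)

# MySQL executes the body of a /*!...*/ version comment, so that body must be
# kept; an ordinary /*...*/ comment is replaced by a single space.
VERSION_COMMENT = re.compile(r"/\*!\d*(.*?)\*/", re.DOTALL)
BLOCK_COMMENT = re.compile(r"/\*.*?\*/", re.DOTALL)

# Signatures evaluated against the normalized (lowercased) value.
SIGNATURES = {
    "union_select": re.compile(r"\bunion\s+select\b"),
    "information_schema": re.compile(r"\binformation_schema\."),
}


def normalize(value: str) -> str:
    """URL-decode, unwrap version comments, drop block comments, lowercase
    and collapse whitespace so the detection regexes see plain SQL."""
    text = unquote_plus(value)
    # Unwrap /*!...*/ first; otherwise BLOCK_COMMENT would delete the keyword.
    text = VERSION_COMMENT.sub(r" \1 ", text)
    text = BLOCK_COMMENT.sub(" ", text)
    return re.sub(r"\s+", " ", text).strip().lower()


def naive_match(value: str) -> bool:
    """Raw-value check: what a rule without comment-stripping sees."""
    return NAIVE_UNION_SELECT.search(value) is not None


def matched_signatures(value: str) -> list:
    """Names of the signatures that fire after normalization."""
    text = normalize(value)
    return [name for name, rx in SIGNATURES.items() if rx.search(text)]


def normalized_match(value: str) -> bool:
    """Normalized check: the union/select signature after comment removal."""
    return "union_select" in matched_signatures(value)


if __name__ == "__main__":
    for label, sample in (("plain", PLAIN), ("obfuscated", OBFUSCATED), ("encoded", ENCODED)):
        print(f"{label:10s} naive={naive_match(sample)!s:5s} "
              f"normalized={matched_signatures(sample)}")
```

The order of the two substitutions matters: `/*!unIoN*/` must be unwrapped before plain block comments are removed, or the keyword disappears with the comment. ModSecurity's own transformation chain (for example `t:urlDecodeUni`, `t:replaceComments`, `t:lowercase` applied before the operator runs) is what the `normalize` step stands in for here; a rule evaluated on the raw argument behaves like the `naive_match` branch. The example does not handle double URL encoding or nested comment forms.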
You can force audit logging by changing SecAuditEngine to On.
Hi rcbarnett,
I managed to get the log for the SQL query in question.
[01/Jun/2013:00:12:35 --0500] UamCw63HudQAAE8DbrsAAAAK 188.xxx.xxx.178 56868 173.xxx.xxx.212 80
--f589083e-B--
GET /xxxx.php?model=a%27/**//*!unIoN*//**//*!SelEct*//**/1,/*!table_name*/,database()/**/from/**/information_schema.tables/**/WheRe/**/tablE_SchEma=daTabase()--+- HTTP/1.1
Host: xxxxx.xxx
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:21.0) Gecko/20100101 Firefox/21.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Referer: http://xxxxx.xxx/drivers.php
Cookie: __utma=134992097.763232256.1366540208.1369826818.1370062820.15; __utmz=134992097.1366540208.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=503de5fba13fe44f382b4321aeab472f; __utmb=134992097.1.10.1370062820; __utmc=134992097
Connection: keep-alive
--f589083e-F--
HTTP/1.1 200 OK
X-Powered-By: PHP/5.2.17
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 982
Keep-Alive: timeout=5, max=20
Connection: Keep-Alive
Content-Type: text/html
--f589083e-H--
Stopwatch: 1370063555308752 61800 (- - -)
Stopwatch2: 1370063555308752 61800; combined=2010, p1=51, p2=1949, p3=2, p4=0, p5=8, sr=0, sw=0, l=0, gc=0
Producer: ModSecurity for Apache/2.7.3 (http://www.modsecurity.org/).
Server: Apache
Engine-Mode: "ENABLED"
Hello! Do you have any updates for me? Thank you.
This request is caught by my system fine. I am running Apache 2.4.4 and ModSecurity 2.7.4. Can you upgrade ModSecurity?
Hi rcbarnett,
I just updated ModSecurity to 2.7.4 and unfortunately the problem remains the same.
We have Apache/2.2.24 installed.
Hello,
I am happy to say that reinstalling the rule set solved the issue addressed in this thread.
Thank you for all your support.
Now I have one more problem with another test.
' or 'a'='a'-- -
The above SQL injection does not get blocked by the rule set.
Can you kindly review this pattern against your rule sets?
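The payload in this last report is a tautology rather than a keyword-based injection: it contains no `union`, `select` or schema name, only an `or` joined to a comparison that is always true, followed by a `-- -` comment that discards the rest of the statement. A keyword signature like the one in the earlier log entries has nothing to match, so detecting it needs a check that compares the two operands of the `=`. The following added example (written for this thread, not CRS or ModSecurity code) does that in Python with a regex backreference: `find_tautology` reports an `or X=X` fragment where `X` is a quoted string or integer and both sides are identical, and `findings` adds the presence of a trailing comment terminator as a second piece of evidence. The sample values are constructed; the non-tautological and benign samples are included to show what must not fire.

```python
import re

# Constructed samples (hypothetical, not captured traffic): the tautology from
# the thread, a numeric variant, a non-tautological comparison and benign text.
QUOTED_TAUTOLOGY = "' or 'a'='a'-- -"
NUMERIC_TAUTOLOGY = "1 or 1=1"
NOT_A_TAUTOLOGY = "' or 'a'='b'-- -"
BENIGN_TEXT = "O'Reilly or Smith"

# OR, then an operand that is either a quoted string or an integer, '=', and the
# same operand again via backreference \1. The lookahead keeps '1=11' from
# matching as '1=1'.
TAUTOLOGY = re.compile(r"\bor\b\s*('[^']*'|\d+)\s*=\s*\1(?!\d)")

# Typical ways of discarding the rest of the original statement after the injection.
TRAILING_COMMENT = re.compile(r"(--[\s-]|#|/\*)")


def canonical(value: str) -> str:
    """Lowercase and collapse whitespace so OR/or and odd spacing compare equal."""
    return re.sub(r"\s+", " ", value).strip().lower()


def find_tautology(value: str):
    """Return the matched 'or X=X' fragment, or None when there is none."""
    m = TAUTOLOGY.search(canonical(value))
    return m.group(0) if m else None


def is_tautology(value: str) -> bool:
    return find_tautology(value) is not None


def findings(value: str) -> list:
    """Evidence collected for a value: the tautology and any comment terminator."""
    out = []
    frag = find_tautology(value)
    if frag:
        out.append(f"always-true condition: {frag}")
    if TRAILING_COMMENT.search(value):
        out.append("statement terminated by a comment")
    return out


if __name__ == "__main__":
    for sample in (QUOTED_TAUTOLOGY, NUMERIC_TAUTOLOGY, NOT_A_TAUTOLOGY, BENIGN_TEXT):
        print(f"{sample!r:25s} -> {findings(sample)}")
```

Comparing the operands (rather than matching a fixed string such as `'a'='a'`) is what makes the check useful: `' or 'x'='x'`, `' or ''=''` and `1 or 2=2` all trigger it, while `' or 'a'='b'` does not. Only the `X=X` shape with string or integer operands is covered; comparisons such as `1<2` or `'a' like 'a'` and comment-obfuscated spacing between the tokens are outside this example.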