Comments (14)
User rcbarnett-zz commented on date 2013-05-29 11:10:42:
What version of CRS are you using? With the current version, our demo catches this easily -
http://www.modsecurity.org/demo/phpids?test=a%27%2F**%2F%2F*!unIoN*%2F%2F**%2F%2F*!SelEct*%2F%2F**%2F1%2C%2F*!table_name*%2F%2Cdatabase%28%29%2F**%2Ffrom%2F**%2Finformation_schema.tables%2F**%2FWheRe%2F**%2FtablE_SchEma%3DdaTabase%28%29--%2B-
from coreruleset.
User kandyjet commented on date 2013-05-29 11:31:14:
Hi rcbarnett,
Core ModSecurity Rule Set ver.2.2.7
Thanks for the report btw. Am I missing something?
User rcbarnett-zz commented on date 2013-05-29 11:33:32:
I guess so... can you post an audit log file of the transaction?
User kandyjet commented on date 2013-05-29 11:45:06:
Log: modsec_audit.log
--8a424c11-A--
[29/May/2013:08:11:11 --0500] UaXb63HudQAADViPYwAAAAA xxxx.xxxx.xxxx xxxx xxxx xxxx.xxxx.xxxx
--8a424c11-B--
€e���
--8a424c11-F--
--8a424c11-H--
Message: Access denied with code 501 (phase 2). Match of "rx ^((?:(?:POS|GE)T|OPTIONS|HEAD))$" against "REQUEST_METHOD" required. [file "/usr/local/apache/conf/modsec2.user.conf.default"] [line "38"] [id "1234123435"] [msg "Method is not allowed by policy"] [severity "CRITICAL"] [tag "POLICY/METHOD_NOT_ALLOWED"]
Apache-Error: [file "core.c"] [line 3706] [level 3] File does not exist: /usr/local/apache/htdocs/501.shtml
Action: Intercepted (phase 2)
Stopwatch: 1369833071826341 982 (- - -)
Stopwatch2: 1369833071826341 982; combined=51, p1=6, p2=40, p3=0, p4=0, p5=5, sr=0, sw=0, l=0, gc=0
Producer: ModSecurity for Apache/2.7.3 (http://www.modsecurity.org/).
Server: Apache
Engine-Mode: "ENABLED"
--8a424c11-Z--
User kandyjet commented on date 2013-05-29 13:14:18:
Hello,
I have posted the log by updating my previous post.
User kandyjet commented on date 2013-05-30 05:21:07:
Hello! Any solution to my problem?
User MichaelHaas commented on date 2013-05-30 11:26:30:
You have posted the audit log from a request which was denied, but you said the request is not blocked.
So that's the wrong entry.
User kandyjet commented on date 2013-05-30 16:45:17:
Now rcbarnett is asking for a log which I could not generate,
because if I enter the SQL in question (see below), it bypasses the rule, so no log is recorded at /usr/local/apache/logs>modsec_audit.log
a'///!unIoN////!SelEct///1,/!table_name/,database()//from//information_schema.tables//WheRe/**/tablE_SchEma=daTabase()--+-
But as mentioned in the question, if I enter the SQL below, it gets blocked successfully and a log is recorded.
a' union sElEcT 1,2,table_nAme fRom informAtion_schemA.tAbles WhErE tablE_scHemA=dAtabase()-- -
Part of the log:
--5c6ba669-H--
Message: Access denied with code 406 (phase 2). Pattern match "\b(?:(?:s(?:ys(?:(?:(?:process|tabl)e|filegroup|object)s|c(?:o(?:nstraint|lumn)s|at)|dba|ibm)|ubstr(?:ing)?)|user_(?:(?:(?:constrain|objec)t|tab(?:column|le)|ind_column|user)s|password|group)|a(?:tt(?:rel|typ)id|ll_objects)|object(?:(?:nam|typ)e|id) ..." at ARGS:model. [file "/usr/local/apache/conf/modsec2.user.conf.default"] [line "77"] [id "1234123453"] [msg "Blind SQL Injection Attack"] [data "table_name"] [severity "CRITICAL"] [tag "WEB_ATTACK/SQL_INJECTION"]
Apache-Error: [file "core.c"] [line 3706] [level 3] File does not exist: /home/xxxxx/public_html/406.shtml, referer: http://xxxx.xx/xxxx.php
Action: Intercepted (phase 2)
Stopwatch: 1369930625927307 2901 (- - -)
Stopwatch2: 1369930625927307 2901; combined=1695, p1=52, p2=1635, p3=0, p4=0, p5=8, sr=0, sw=0, l=0, gc=0
Response-Body-Transformed: Dechunked
Producer: ModSecurity for Apache/2.7.3 (http://www.modsecurity.org/).
Server: Apache
Engine-Mode: "ENABLED"
--5c6ba669-Z--
User rcbarnett-zz commented on date 2013-05-31 13:11:11:
You can force audit logging by changing SecAuditEngine to On.
User kandyjet commented on date 2013-06-01 05:16:14:
Hi rcbarnett,
I managed to get the log for the SQL query in question.
[01/Jun/2013:00:12:35 --0500] UamCw63HudQAAE8DbrsAAAAK 188.xxx.xxx.178 56868 173.xxx.xxx.212 80
--f589083e-B--
GET /xxxx.php?model=a%27///!unIoN////!SelEct///1,/!table_name/,database()//from//information_schema.tables//WheRe//tablE_SchEma=daTabase()--+- HTTP/1.1
Host: xxxxx.xxx
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:21.0) Gecko/20100101 Firefox/21.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Referer: http://xxxxx.xxx/drivers.php
Cookie: __utma=134992097.763232256.1366540208.1369826818.1370062820.15; __utmz=134992097.1366540208.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=503de5fba13fe44f382b4321aeab472f; __utmb=134992097.1.10.1370062820; __utmc=134992097
Connection: keep-alive
--f589083e-F--
HTTP/1.1 200 OK
X-Powered-By: PHP/5.2.17
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 982
Keep-Alive: timeout=5, max=20
Connection: Keep-Alive
Content-Type: text/html
--f589083e-H--
Stopwatch: 1370063555308752 61800 (- - -)
Stopwatch2: 1370063555308752 61800; combined=2010, p1=51, p2=1949, p3=2, p4=0, p5=8, sr=0, sw=0, l=0, gc=0
Producer: ModSecurity for Apache/2.7.3 (http://www.modsecurity.org/).
Server: Apache
Engine-Mode: "ENABLED"
User kandyjet commented on date 2013-06-03 10:45:37:
Hello! Do you have any updates for me? Thank you.
User rcbarnett-zz commented on date 2013-06-03 17:31:25:
This request is caught by my system fine. I am running Apache 2.4.4 and ModSecurity 2.7.4. Can you upgrade ModSecurity?
User kandyjet commented on date 2013-06-04 06:17:28:
Hi rcbarnett,
Just updated ModSecurity to 2.7.4 and unfortunately the problem remains the same.
We have Apache/2.2.24 installed.
User kandyjet commented on date 2013-06-17 10:46:13:
Hello,
I am happy to say that reinstalling the rule set solved the issue addressed in this thread.
Thank you for all your support.
Now I have one more problem with another test.
' or 'a'='a'-- -
The above SQL injection does not get blocked by the rule set.
Can you kindly review this pattern against your rule sets?
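To illustrate why the comment-padded payload that kandyjet compared with the plain-spaced one behaves differently for a pattern rule, and to cover the tautology raised in the last comment, here is an added example that is not part of this thread, of ModSecurity or of the CRS: a small Python normaliser written in the spirit of ModSecurity's removeComments / removeCommentsChar transformations (a simplified stand-in, not ModSecurity's code), run over the values quoted above. The rule names, the tautology pattern, the benign sample and the function names are my own assumptions; the three SQL samples are the ones quoted in the thread.

```python
import re
from urllib.parse import unquote_plus

# Constructed samples, taken from the values quoted in this thread: the
# comment-padded UNION query (URL-encoded, as in the demo link), the
# plain-spaced variant that was blocked, the tautology from the last comment,
# and a benign value for comparison.
OBFUSCATED_URLENCODED = (
    "a%27%2F**%2F%2F*!unIoN*%2F%2F**%2F%2F*!SelEct*%2F%2F**%2F1%2C%2F*!table_name*%2F"
    "%2Cdatabase%28%29%2F**%2Ffrom%2F**%2Finformation_schema.tables%2F**%2FWheRe%2F**%2F"
    "tablE_SchEma%3DdaTabase%28%29--%2B-"
)
PLAIN = "a' union sElEcT 1,2,table_nAme fRom informAtion_schemA.tAbles WhErE tablE_scHemA=dAtabase()-- -"
TAUTOLOGY = "' or 'a'='a'-- -"
BENIGN = "Mustang 1967"

# Hypothetical rule set (my own, not CRS rules): each regex runs on the
# normalised value, so spacing and comment tricks no longer matter.
RULES = {
    "union_select": re.compile(r"\bunion\b.*\bselect\b"),
    "schema_probe": re.compile(r"\binformation_schema\b|\btable_name\b"),
    "tautology": re.compile(r"'\s*or\s+(?:'[^']*'|\w+)\s*=\s*(?:'[^']*'|\w+)"),
}


def decode_form(value: str) -> str:
    """Decode a query-string value the way the application sees it (%XX and '+')."""
    return unquote_plus(value)


def normalize_sql(value: str) -> str:
    """Canonicalise SQL-looking input before rule matching (simplified stand-in
    for ModSecurity's removeComments / removeCommentsChar, not their code)."""
    # 1. MySQL executes the body of versioned comments (/*!...*/, /*!50000 ...*/),
    #    so keep the body and drop only the markers; padding with spaces errs
    #    on the side of exposing the keyword.
    s = re.sub(r"/\*!\d*(.*?)\*/", r" \1 ", value, flags=re.S)
    # 2. Ordinary block comments are whitespace to the parser.
    s = re.sub(r"/\*.*?\*/", " ", s, flags=re.S)
    # 3. Line comments ('--', '#') hide the rest of the statement; drop them.
    s = re.sub(r"(--|#).*$", "", s, flags=re.M)
    # 4. Collapse whitespace and case, then drop spaces around ',' and '='.
    s = re.sub(r"\s+", " ", s).strip().lower()
    s = re.sub(r"\s*([,=])\s*", r"\1", s)
    return s


def naive_union_select(value: str) -> bool:
    """A rule that expects whitespace between keywords and sees the raw value."""
    return re.search(r"\bunion\s+select\b", value, re.I) is not None


def detect(value: str) -> list:
    """Names of the rules that fire on the normalised value, sorted."""
    norm = normalize_sql(value)
    return sorted(name for name, rx in RULES.items() if rx.search(norm))


if __name__ == "__main__":
    samples = [
        ("obfuscated", decode_form(OBFUSCATED_URLENCODED)),
        ("plain", PLAIN),
        ("tautology", TAUTOLOGY),
        ("benign", BENIGN),
    ]
    for label, v in samples:
        print(f"{label:10} naive_raw={naive_union_select(v)!s:5} "
              f"fires={detect(v)} normalised={normalize_sql(v)!r}")
```

Running it shows the point of the thread: the whitespace-based rule misses the comment-padded value when applied to the raw string, while both UNION variants normalise to the same shape and fire the same rules, and the tautology is caught by a separate pattern rather than by the UNION or schema keywords. The equivalent in a real deployment is to apply the transformation chain (and, in newer CRS releases, libinjection) rather than widening keyword regexes one evasion at a time.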