[Owasp-modsecurity-core-rule-set] about one rule of SQL injection

Ryan Barnett Ryan.Barnett at breach.com
Tue Sep 22 11:00:30 EDT 2009


Getting warmer but you need to look at the debug log. It shows the transformation changes to the data for each rule.


Ryan C. Barnett
Director of Application Security Research
Breach Security, Inc.
Ryan.Barnett at Breach.com
www.Breach.com

________________________________
From: Junyong Jiang
To: Ryan Barnett
Cc: owasp-modsecurity-core-rule-set at lists.owasp.org
Sent: Tue Sep 22 10:57:24 2009
Subject: Re: [Owasp-modsecurity-core-rule-set] about one rule of SQL injection

Thanks Ryan!
My request is: http://192.168.3.144/show.asp?id=0+0+0+1299
My debug log has been modified of the coding, so I paste the audit log here. I think this is more detailed.
--9cddd82d-A--
["2009-09-22 22:54:04"] SrjlDH8AAAEAAEzOOaEAAAAA 192.168.3.12 63822 192.168.3.144 80
--9cddd82d-B--
GET /show.asp?id=0+0+0+1299 HTTP/1.1
Accept: */*
Accept-Language: zh-cn
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: 192.168.3.144
Connection: Keep-Alive
Cookie: ASPSESSIONIDQATCQSCQ=MLHDBIGANDOGNEILOKBJEMCD
--9cddd82d-F--
HTTP/1.1 403 Forbidden
Keep-Alive: timeout=5
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=iso-8859-1
--9cddd82d-E--
 <font face="▒▒▒▒" size=2>
<p>Microsoft OLE DB Provider for SQL Server</font> <font face="▒▒▒▒" size=2>▒▒▒▒ '80040e14'</font>
<p>
<font face="▒▒▒▒" size=2>▒▒ 1 ▒▒: '0' ▒▒▒▒▒▒▒?▒▒▒▒</font>
<p>
<font face="▒▒▒▒" size=2>/show.asp</font><font face="▒▒▒▒" size=2>▒▒▒▒ 6</font>
--9cddd82d-H--
Message: Access denied",500009,"61",NULL,"ERROR",3,"31",NULL,NULL,403
Action: Intercepted (phase 4)
Apache-Handler: proxy-server
Stopwatch: 1253631244583806 129146 (1662 117667 -)
Response-Body-Transformed: Dechunked
Producer: Security for Apache/2.5.7 (http://www.dbappsecurity.com.cn/); core ruleset/2.0.1.
Server: Apache/2.2.10 (Unix) mod_ssl/2.2.10 OpenSSL/0.9.8b
--9cddd82d-K--
SecAction "phase:1,auditlog,t:none,pass,nolog,initcol:global=global,initcol:ip=%{remote_addr}"
SecRule "REQUEST_METHOD" "@rx ^(?:GET|HEAD)$" "phase:2,chain,t:none,deny,log,auditlog,status:400,msg:3,severity:2,id:200004,tag:2"
SecRule "&REQUEST_HEADERS:Content-Type" "@eq 0" "phase:2,chain,t:none,log,deny,auditlog,msg:19,id:210008,tag:4,severity:4"
SecRule "ARGS_NAMES" "@rx .*" "phase:2,auditlog,chain,t:none,nolog,pass,capture,setvar:tx.%{matched_var_name}=+1"
SecRule "REQUEST_URI|REQUEST_BODY|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer" "@pmFromFile dbapp_40_generic_attacks.data" "phase:2,auditlog,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,nolog,pass,setvar:tx.pm_score=+1,setvar:tx.pm_data_%{matched_var_name}=%{matched_var}"
SecRule "REQUEST_URI|REQUEST_BODY|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer" "@pmFromFile dbapp_40_generic_attacks.data" "phase:2,auditlog,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,nolog,pass,setvar:tx.pm_score=+1,setvar:tx.pm_data_%{matched_var_name}=%{matched_var}"
SecRule "&TX:/SQL_INJECTION/" "@eq 0" "phase:2,auditlog,t:none,nolog,skipAfter:END_SQL_INJECTION_WEAK"
SecRule "REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer" "@pm insert xp_enumdsn infile openrowset nvarchar autonomous_transaction print data_type or outfile inner shutdown tbcreator @@version xp_filelist sp_prepare sql_longvarchar xp_regenumkeys xp_loginconfig xp_dirtree ifnull sp_addextendedproc xp_regaddmultistring delete sp_sqlexec and sp_oacreate sp_execute cast xp_ntsec xp_regdeletekey drop varchar xp_execresultset having utl_file xp_regenumvalues xp_terminate xp_availablemedia xp_regdeletevalue dumpfile isnull sql_variant select 'sa' xp_regremovemultistring xp_makecab 'msdasql' xp_cmdshell openquery sp_executesql 'sqloledb' dbms_java 'dbo' utl_http sp_makewebtask benchmark xp_regread xp_regwrite" "phase:2,auditlog,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,nolog,skip:1"
SecAction "phase:2,auditlog,nolog,skipAfter:END_XSS_REGEX"
SecRule "RESPONSE_STATUS" "@rx ^5\\d{2}$" "phase:4,t:none,ctl:auditLogParts=+E,deny,log,auditlog,msg:61,id:500009,tag:31,severity:3,setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-AVAILABILITY/APP_NOT_AVAIL-%{matched_var_name}=%{matched_var}"
--9cddd82d-Z--


2009/9/22 Ryan Barnett <Ryan.Barnett at breach.com>:

You need to look at the modsecurity debug log (modsec_debug.log).

Ryan C. Barnett
Director of Application Security Research
Breach Security, Inc.
Ryan.Barnett at Breach.com
www.Breach.com

________________________________
From: Junyong Jiang
To: Ryan Barnett
Cc: owasp-modsecurity-core-rule-set at lists.owasp.org
Sent: Tue Sep 22 10:49:50 2009
Subject: Re: [Owasp-modsecurity-core-rule-set] about one rule of SQL injection

This is my access log:
192.168.3.12 - - [22/Sep/2009:22:47: +0800] "GET product.asp?tp=0+0+0+1234 HTTP/1.1" .....
192.168.3.12 - - [22/Sep/2009:22:47: +0800] "GET product.asp?tp=0+0+0+1234 HTTP/1.1" ....."-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)"

http://www.example.com/product.asp?tp=0+0+0+1234

2009/9/22 Ryan Barnett <Ryan.Barnett at breach.com>:

Did you look at the debug log? It will show you how the data looks after the transformation functions when the operator is applied.

Ryan C. Barnett
Director of Application Security Research
Breach Security, Inc.
Ryan.Barnett at Breach.com
www.Breach.com

________________________________
From: owasp-modsecurity-core-rule-set-bounces at lists.owasp.org
To: owasp-modsecurity-core-rule-set at lists.owasp.org
Sent: Tue Sep 22 10:34:32 2009
Subject: [Owasp-modsecurity-core-rule-set] about one rule of SQL injection

Dear all,

I want to write a modsecurity rule to detect such SQL injection like:
http://www.example.com/product.asp?tp=0+0+0+1234
The correct request is: http://www.example.com/product.asp?tp=1234
I write the rule as:
SecRule QUERY_STRING|ARGS|ARGS_NAMES|REQUEST_FILENAME "0\+0" \
      "phase:2,capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,deny,log,auditlog,msg:'sql injection',id:'410135',tag:'SQL_INJECTION',logdata:'%{TX.0}',severity:'2'"
But it does not work. Could you explain what is wrong with my rule?

Thanks in advance.
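The hint in this thread (the debug log shows the data after each transformation, and the operator runs on that result) walked through on the request from the thread, as an added example that is not code from the thread or from ModSecurity. The five transformation functions named in the rule are re-implemented here in simplified form (an approximation of ModSecurity's behaviour, assumed for illustration), applied in rule order to the query string, and the rule's regex is then tested against what comes out.

```python
import html
import re
import urllib.parse

# Constructed input: the query string and the operator regex from the thread.
QUERY_STRING = "id=0+0+0+1299"
RULE_REGEX = r"0\+0"

# Simplified stand-ins for the transformation functions named in the rule
# (assumptions approximating ModSecurity's behaviour, not its own code).
def url_decode_uni(s: str) -> str:
    # %XX and '+' decode as in t:urlDecodeUni; %uXXXX is handled too.
    s = re.sub(r"%u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), s)
    return urllib.parse.unquote_plus(s)

def html_entity_decode(s: str) -> str:
    return html.unescape(s)

def replace_comments(s: str) -> str:
    return re.sub(r"/\*.*?\*/", " ", s, flags=re.S)  # /* ... */ -> one space

def compress_whitespace(s: str) -> str:
    return re.sub(r"\s+", " ", s)

def lowercase(s: str) -> str:
    return s.lower()

PIPELINE = [("urlDecodeUni", url_decode_uni), ("htmlEntityDecode", html_entity_decode),
            ("replaceComments", replace_comments), ("compressWhiteSpace", compress_whitespace),
            ("lowercase", lowercase)]

def transform(value: str):
    """Apply the chain in rule order. Returns the final value and a per-step
    trace: the same view of the data the debug log gives for each rule."""
    trace = []
    for name, fn in PIPELINE:
        value = fn(value)
        trace.append((name, value))
    return value, trace

def rule_matches(regex: str, raw_value: str) -> bool:
    """True if the operator regex matches the *transformed* value, not the raw one."""
    final, _ = transform(raw_value)
    return re.search(regex, final) is not None

if __name__ == "__main__":
    final, trace = transform(QUERY_STRING)
    for name, value in trace:
        print(f"{name:<18} -> {value!r}")
    # '+' became a space in urlDecodeUni, so an escaped plus can no longer match.
    print(f"{RULE_REGEX!r} matches after transformation: {rule_matches(RULE_REGEX, QUERY_STRING)}")
```

Reading the trace the way one reads the debug log makes the mismatch visible: the operator never sees the literal `+` that the regex escapes, so a pattern has to be written against the transformed form (for example `0 0 0`) or the decoding transformation has to be dropped from the chain.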




-------------- next part --------------
A non-text attachment was scrubbed...
Name: winmail.dat
Type: application/ms-tnef
Size: 12958 bytes
Desc: not available
Url : https://lists.owasp.org/pipermail/owasp-modsecurity-core-rule-set/attachments/20090922/1e94c342/attachment-0001.bin 

