diff --git a/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf b/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
index 776cd205d..504c826ce 100644
--- a/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
+++ b/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
@@ -616,9 +616,9 @@ SecRule ARGS_NAMES|ARGS|XML:/* "@rx (?i:(?:(?:^|\W)in[+\s]*\([\s\d\"]+[^()]*\)|\
 # to the Regexp::Assemble output:
 # (?i:ASSEMBLE_OUTPUT)
 #
-# Not supported by re2 (++, ?!re).
+# Not supported by re2 (backreferences, lookaheads).
 #
-SecRule ARGS_NAMES|ARGS|XML:/* "@rx (?i:[\s'\"`()]*?([\d\w]++)[\s'\"`()]*?(?:<(?:=(?:[\s'\"`()]*?(?!\1)[\d\w]+|>[\s'\"`()]*?(?:\1))|>?[\s'\"`()]*?(?!\1)[\d\w]+)|(?:not\s+(?:regexp|like)|is\s+not|>=?|!=|\^)[\s'\"`()]*?(?!\1)[\d\w]+|(?:(?:sounds\s+)?like|r(?:egexp|like)|=)[\s'\"`()]*?(?:\1)))" \
+SecRule ARGS_NAMES|ARGS|XML:/* "@rx (?i:[\s'\"`()]*?\b([\d\w]+)\b[\s'\"`()]*?(?:<(?:=(?:[\s'\"`()]*?(?!\b\1\b)[\d\w]+|>[\s'\"`()]*?(?:\b\1\b))|>?[\s'\"`()]*?(?!\b\1\b)[\d\w]+)|(?:not\s+(?:regexp|like)|is\s+not|>=?|!=|\^)[\s'\"`()]*?(?!\b\1\b)[\d\w]+|(?:(?:sounds\s+)?like|r(?:egexp|like)|=)[\s'\"`()]*?(?:\b\1\b)))" \
 "id:942130,\
 phase:2,\
 block,\
diff --git a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942130.yaml b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942130.yaml
index 220fa27b4..9debe118c 100644
--- a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942130.yaml
+++ b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942130.yaml
@@ -1,6 +1,6 @@
 ---
 meta:
- author: "Christian S.J. Peron"
+ author: "Christian S.J. Peron and Allan Boll"
 description: None
 enabled: true
 name: 942130.yaml
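Review bot: Dropping the possessive quantifier on the new `+SecRule` line gives up a no-backtracking guarantee for no gain: the rule still relies on backreferences and lookaheads, so it is not re2-compatible either way, and because the capture is now bracketed by `\b`, every shorter capture that PCRE backtracks into fails the following `\b` immediately, so `\b([\d\w]++)\b` accepts exactly the same inputs while sparing the retries that presumably count against ModSecurity's PCRE match limits. I'd restore it and keep the comment accurate: `# Not supported by re2 (possessive quantifiers, backreferences, lookaheads).` The SecRule's action list continues past `block,\` outside the hunk.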
@@ -19,5 +19,110 @@
 port: 80
 data: "var=%221%22%20sSOUNDS%20LIKE%20%22SOUNDS%20LIKE%201&other_var=test"
 version: HTTP/1.0
+ output:
+ no_log_contains: id "942130"
+ -
+ test_title: 942130-2
+ desc: "SQL Injection Attack: SQL Tautology"
+ stages:
+ -
+ stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ method: GET
+ uri: "/?a=1=1"
+ version: HTTP/1.1
+ output:
+ log_contains: id "942130"
+ -
+ test_title: 942130-3
+ desc: "SQL Injection Attack: SQL Tautology"
+ stages:
+ -
+ stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ method: GET
+ uri: "/?a=11=1"
+ version: HTTP/1.1
+ output:
+ no_log_contains: id "942130"
+ -
+ test_title: 942130-4
+ desc: "SQL Injection Attack: SQL Tautology"
+ stages:
+ -
+ stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ method: GET
+ uri: "/?a=1=11"
+ version: HTTP/1.1
+ output:
+ no_log_contains: id "942130"
+ -
+ test_title: 942130-5
+ desc: "SQL Injection Attack: SQL Tautology"
+ stages:
+ -
+ stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ method: GET
+ uri: "/?a=11!=1"
+ version: HTTP/1.1
+ output:
+ log_contains: id "942130"
+ -
+ test_title: 942130-6
+ desc: "SQL Injection Attack: SQL Tautology"
+ stages:
+ -
+ stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ method: GET
+ uri: "/?a=1!=11"
+ version: HTTP/1.1
+ output:
+ log_contains: id "942130"
+ -
+ test_title: 942130-7
+ desc: "SQL Injection Attack: SQL Tautology"
+ stages:
+ -
+ stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ method: GET
+ uri: "/?a=11!=11"
+ version: HTTP/1.1
+ output:
+ no_log_contains: id "942130"
+ -
+ test_title: 942130-8
+ desc: "SQL Injection Attack: SQL Tautology"
+ stages:
+ -
+ stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ method: GET
+ uri: "/?a=b,1=1"
+ version: HTTP/1.1
 output:
 log_contains: id "942130"
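Review bot: The new regression tests exercise only the `=` and `!=` branches of 942130, while the `\b` change touches every operator branch and the quoted-token form, and the expectation on 942130-1 flips from `log_contains` to `no_log_contains` without a visible explanation. I'd add at least `uri: "/?a=1<>2"` expecting `log_contains`, `uri: "/?a=1<>1"` expecting `no_log_contains`, and `uri: "/?a=%271%27%3D%271%27"` expecting `log_contains`, so the `<>` path and the quote-delimited path are pinned. For 942130-1, unless its `desc` (outside this hunk) already says so, a `desc` along the lines of "SOUNDS LIKE no longer matches mid-word: token must start on a word boundary" would record why the expectation changed.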
diff --git a/util/regexp-assemble/regexp-942130.data b/util/regexp-assemble/regexp-942130.data
index a8e06a6d7..432281104 100644
--- a/util/regexp-assemble/regexp-942130.data
+++ b/util/regexp-assemble/regexp-942130.data
@@ -1,16 +1,16 @@
-[\s'\"`()]*?([\d\w]++)[\s'\"`()]*?=[\s'\"`()]*?(?:\1)
-[\s'\"`()]*?([\d\w]++)[\s'\"`()]*?<=>[\s'\"`()]*?(?:\1)
-[\s'\"`()]*?([\d\w]++)[\s'\"`()]*?like[\s'\"`()]*?(?:\1)
-[\s'\"`()]*?([\d\w]++)[\s'\"`()]*?rlike[\s'\"`()]*?(?:\1)
-[\s'\"`()]*?([\d\w]++)[\s'\"`()]*?sounds\s+like[\s'\"`()]*?(?:\1)
-[\s'\"`()]*?([\d\w]++)[\s'\"`()]*?regexp[\s'\"`()]*?(?:\1)
-[\s'\"`()]*?([\d\w]++)[\s'\"`()]*?!=[\s'\"`()]*?(?!\1)[\d\w]+
-[\s'\"`()]*?([\d\w]++)[\s'\"`()]*?<=[\s'\"`()]*?(?!\1)[\d\w]+
-[\s'\"`()]*?([\d\w]++)[\s'\"`()]*?>=[\s'\"`()]*?(?!\1)[\d\w]+
-[\s'\"`()]*?([\d\w]++)[\s'\"`()]*?<>[\s'\"`()]*?(?!\1)[\d\w]+
-[\s'\"`()]*?([\d\w]++)[\s'\"`()]*?<[\s'\"`()]*?(?!\1)[\d\w]+
-[\s'\"`()]*?([\d\w]++)[\s'\"`()]*?>[\s'\"`()]*?(?!\1)[\d\w]+
-[\s'\"`()]*?([\d\w]++)[\s'\"`()]*?\^[\s'\"`()]*?(?!\1)[\d\w]+
-[\s'\"`()]*?([\d\w]++)[\s'\"`()]*?is\s+not[\s'\"`()]*?(?!\1)[\d\w]+
-[\s'\"`()]*?([\d\w]++)[\s'\"`()]*?not\s+like[\s'\"`()]*?(?!\1)[\d\w]+
-[\s'\"`()]*?([\d\w]++)[\s'\"`()]*?not\s+regexp[\s'\"`()]*?(?!\1)[\d\w]+
+[\s'\"`()]*?\b([\d\w]+)\b[\s'\"`()]*?=[\s'\"`()]*?(?:\b\1\b)
+[\s'\"`()]*?\b([\d\w]+)\b[\s'\"`()]*?<=>[\s'\"`()]*?(?:\b\1\b)
+[\s'\"`()]*?\b([\d\w]+)\b[\s'\"`()]*?like[\s'\"`()]*?(?:\b\1\b)
+[\s'\"`()]*?\b([\d\w]+)\b[\s'\"`()]*?rlike[\s'\"`()]*?(?:\b\1\b)
+[\s'\"`()]*?\b([\d\w]+)\b[\s'\"`()]*?sounds\s+like[\s'\"`()]*?(?:\b\1\b)
+[\s'\"`()]*?\b([\d\w]+)\b[\s'\"`()]*?regexp[\s'\"`()]*?(?:\b\1\b)
+[\s'\"`()]*?\b([\d\w]+)\b[\s'\"`()]*?!=[\s'\"`()]*?(?!\b\1\b)[\d\w]+
+[\s'\"`()]*?\b([\d\w]+)\b[\s'\"`()]*?<=[\s'\"`()]*?(?!\b\1\b)[\d\w]+
+[\s'\"`()]*?\b([\d\w]+)\b[\s'\"`()]*?>=[\s'\"`()]*?(?!\b\1\b)[\d\w]+
+[\s'\"`()]*?\b([\d\w]+)\b[\s'\"`()]*?<>[\s'\"`()]*?(?!\b\1\b)[\d\w]+
+[\s'\"`()]*?\b([\d\w]+)\b[\s'\"`()]*?<[\s'\"`()]*?(?!\b\1\b)[\d\w]+
+[\s'\"`()]*?\b([\d\w]+)\b[\s'\"`()]*?>[\s'\"`()]*?(?!\b\1\b)[\d\w]+
+[\s'\"`()]*?\b([\d\w]+)\b[\s'\"`()]*?\^[\s'\"`()]*?(?!\b\1\b)[\d\w]+
+[\s'\"`()]*?\b([\d\w]+)\b[\s'\"`()]*?is\s+not[\s'\"`()]*?(?!\b\1\b)[\d\w]+
+[\s'\"`()]*?\b([\d\w]+)\b[\s'\"`()]*?not\s+like[\s'\"`()]*?(?!\b\1\b)[\d\w]+
+[\s'\"`()]*?\b([\d\w]+)\b[\s'\"`()]*?not\s+regexp[\s'\"`()]*?(?!\b\1\b)[\d\w]+
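Review bot: Every new line in this set spells the token class as `[\d\w]`, which is just `\w`, since `\w` already covers digits; `\b(\w+)\b` on the left and `(?!\b\1\b)\w+` on the right make sixteen near-identical lines easier to scan and assemble to the same automaton. Doing it here first also keeps the workflow honest: the conf regex is documented as Regexp::Assemble output of this file, and the two currently agree only because both were edited in parallel, so the next `.data` change should regenerate the rule rather than hand-sync it.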