From 11d0beaf16f12f5319cc236baba59c1be1ab0a70 Mon Sep 17 00:00:00 2001
From: Allan Boll
Date: Wed, 4 Mar 2020 08:31:20 +0000
Subject: [PATCH 1/2] Add word boundaries around values in SQL tautologies (942130)
---
 .../REQUEST-942-APPLICATION-ATTACK-SQLI.conf | 4 +-
 .../942130.yaml | 92 ++++++++++++++++++-
 util/regexp-assemble/regexp-942130.data | 32 +++----
 3 files changed, 109 insertions(+), 19 deletions(-)
diff --git a/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf b/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
index 776cd205d..504c826ce 100644
--- a/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
+++ b/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
@@ -616,9 +616,9 @@ SecRule ARGS_NAMES|ARGS|XML:/* "@rx (?i:(?:(?:^|\W)in[+\s]*\([\s\d\"]+[^()]*\)|\
 # to the Regexp::Assemble output:
 # (?i:ASSEMBLE_OUTPUT)
 #
-# Not supported by re2 (++, ?!re).
+# Not supported by re2 (backreferences, lookaheads).
 #
-SecRule ARGS_NAMES|ARGS|XML:/* "@rx (?i:[\s'\"`()]*?([\d\w]++)[\s'\"`()]*?(?:<(?:=(?:[\s'\"`()]*?(?!\1)[\d\w]+|>[\s'\"`()]*?(?:\1))|>?[\s'\"`()]*?(?!\1)[\d\w]+)|(?:not\s+(?:regexp|like)|is\s+not|>=?|!=|\^)[\s'\"`()]*?(?!\1)[\d\w]+|(?:(?:sounds\s+)?like|r(?:egexp|like)|=)[\s'\"`()]*?(?:\1)))" \
+SecRule ARGS_NAMES|ARGS|XML:/* "@rx (?i:[\s'\"`()]*?\b([\d\w]+)\b[\s'\"`()]*?(?:<(?:=(?:[\s'\"`()]*?(?!\b\1\b)[\d\w]+|>[\s'\"`()]*?(?:\b\1\b))|>?[\s'\"`()]*?(?!\b\1\b)[\d\w]+)|(?:not\s+(?:regexp|like)|is\s+not|>=?|!=|\^)[\s'\"`()]*?(?!\b\1\b)[\d\w]+|(?:(?:sounds\s+)?like|r(?:egexp|like)|=)[\s'\"`()]*?(?:\b\1\b)))" \
 "id:942130,\
 phase:2,\
 block,\
diff --git a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942130.yaml b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942130.yaml
index 220fa27b4..246862158 100644
--- a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942130.yaml
+++ b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942130.yaml
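Review bot: The trailing `\b` added after every `\1` in the new `SecRule ... "@rx ...` line changes the right-hand side from "starts with the left value" to "is exactly the left value", so `1=1e0` (a float literal that MySQL, PostgreSQL and SQLite evaluate as equal to 1) no longer fires although the previous pattern caught it, whereas `1=1.0` still fires because `.` is a word boundary. That is a reasonable trade-off given tests 942130-3/-4 require `11=1` and `1=11` to stay quiet, but it should be recorded: either pin the behaviour with a regression case `uri: "/?a=1=1e0"` or allow an exponent suffix on the equality branches, e.g. `(?:\b\1(?:e[+-]?0+)?\b)`, mirrored in the `.data` file. I cannot see from this hunk whether another 942xxx rule covers numeric-literal tautologies, so treat this as a question rather than a confirmed gap. The SecRule directive continues past the hunk through the `\` continuation lines, so the remaining actions are not visible here.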
@@ -1,6 +1,6 @@
 ---
 meta:
- author: "Christian S.J. Peron"
+ author: "Christian S.J. Peron and Allan Boll"
 description: None
 enabled: true
 name: 942130.yaml
@@ -19,5 +19,95 @@
 port: 80
 data: "var=%221%22%20sSOUNDS%20LIKE%20%22SOUNDS%20LIKE%201&other_var=test"
 version: HTTP/1.0
+ output:
+ no_log_contains: id "942130"
+ -
+ test_title: 942130-2
+ desc: "SQL Injection Attack: SQL Tautology"
+ stages:
+ -
+ stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ method: GET
+ uri: "/?a=1=1"
+ version: HTTP/1.1
+ output:
+ log_contains: id "942130"
+ -
+ test_title: 942130-3
+ desc: "SQL Injection Attack: SQL Tautology"
+ stages:
+ -
+ stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ method: GET
+ uri: "/?a=11=1"
+ version: HTTP/1.1
+ output:
+ no_log_contains: id "942130"
+ -
+ test_title: 942130-4
+ desc: "SQL Injection Attack: SQL Tautology"
+ stages:
+ -
+ stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ method: GET
+ uri: "/?a=1=11"
+ version: HTTP/1.1
+ output:
+ no_log_contains: id "942130"
+ -
+ test_title: 942130-5
+ desc: "SQL Injection Attack: SQL Tautology"
+ stages:
+ -
+ stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ method: GET
+ uri: "/?a=11!=1"
+ version: HTTP/1.1
 output:
 log_contains: id "942130"
+ -
+ test_title: 942130-6
+ desc: "SQL Injection Attack: SQL Tautology"
+ stages:
+ -
+ stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ method: GET
+ uri: "/?a=1!=11"
+ version: HTTP/1.1
+ output:
+ log_contains: id "942130"
+ -
+ test_title: 942130-7
+ desc: "SQL Injection Attack: SQL Tautology"
+ stages:
+ -
+ stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ method: GET
+ uri: "/?a=11!=11"
+ version: HTTP/1.1
+ output:
+ no_log_contains: id "942130"
diff --git a/util/regexp-assemble/regexp-942130.data b/util/regexp-assemble/regexp-942130.data
index a8e06a6d7..432281104 100644
--- a/util/regexp-assemble/regexp-942130.data
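Review bot: Test 942130-1's expectation flips from `log_contains` to `no_log_contains` in this hunk (the added `output:`/`no_log_contains:` lines directly after `version: HTTP/1.0`, with the original `output:`/`log_contains:` lines now belonging to 942130-5), and every added case, positive and negative alike, carries the same `desc: "SQL Injection Attack: SQL Tautology"`, so a reader cannot tell which cases are false-positive guards without decoding each URI. A one-line desc per case would make the intent self-documenting, e.g. `desc: "Tautology: 11=1 is not 1=1, must not match"` for 942130-3 and `desc: "Tautology: value inside a word (sSOUNDS) must not match"` for the reworked 942130-1. Since the commit message does not explain the flipped expectation for 942130-1, a short note there or in the desc is worth adding.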
+++ b/util/regexp-assemble/regexp-942130.data 
@@ -1,16 +1,16 @@
-[\s'\"`()]*?([\d\w]++)[\s'\"`()]*?=[\s'\"`()]*?(?:\1)
-[\s'\"`()]*?([\d\w]++)[\s'\"`()]*?<=>[\s'\"`()]*?(?:\1)
-[\s'\"`()]*?([\d\w]++)[\s'\"`()]*?like[\s'\"`()]*?(?:\1)
-[\s'\"`()]*?([\d\w]++)[\s'\"`()]*?rlike[\s'\"`()]*?(?:\1)
-[\s'\"`()]*?([\d\w]++)[\s'\"`()]*?sounds\s+like[\s'\"`()]*?(?:\1)
-[\s'\"`()]*?([\d\w]++)[\s'\"`()]*?regexp[\s'\"`()]*?(?:\1)
-[\s'\"`()]*?([\d\w]++)[\s'\"`()]*?!=[\s'\"`()]*?(?!\1)[\d\w]+
-[\s'\"`()]*?([\d\w]++)[\s'\"`()]*?<=[\s'\"`()]*?(?!\1)[\d\w]+
-[\s'\"`()]*?([\d\w]++)[\s'\"`()]*?>=[\s'\"`()]*?(?!\1)[\d\w]+
-[\s'\"`()]*?([\d\w]++)[\s'\"`()]*?<>[\s'\"`()]*?(?!\1)[\d\w]+
-[\s'\"`()]*?([\d\w]++)[\s'\"`()]*?<[\s'\"`()]*?(?!\1)[\d\w]+
-[\s'\"`()]*?([\d\w]++)[\s'\"`()]*?>[\s'\"`()]*?(?!\1)[\d\w]+
-[\s'\"`()]*?([\d\w]++)[\s'\"`()]*?\^[\s'\"`()]*?(?!\1)[\d\w]+
-[\s'\"`()]*?([\d\w]++)[\s'\"`()]*?is\s+not[\s'\"`()]*?(?!\1)[\d\w]+
-[\s'\"`()]*?([\d\w]++)[\s'\"`()]*?not\s+like[\s'\"`()]*?(?!\1)[\d\w]+
-[\s'\"`()]*?([\d\w]++)[\s'\"`()]*?not\s+regexp[\s'\"`()]*?(?!\1)[\d\w]+
+[\s'\"`()]*?\b([\d\w]+)\b[\s'\"`()]*?=[\s'\"`()]*?(?:\b\1\b)
+[\s'\"`()]*?\b([\d\w]+)\b[\s'\"`()]*?<=>[\s'\"`()]*?(?:\b\1\b)
+[\s'\"`()]*?\b([\d\w]+)\b[\s'\"`()]*?like[\s'\"`()]*?(?:\b\1\b)
+[\s'\"`()]*?\b([\d\w]+)\b[\s'\"`()]*?rlike[\s'\"`()]*?(?:\b\1\b)
+[\s'\"`()]*?\b([\d\w]+)\b[\s'\"`()]*?sounds\s+like[\s'\"`()]*?(?:\b\1\b)
+[\s'\"`()]*?\b([\d\w]+)\b[\s'\"`()]*?regexp[\s'\"`()]*?(?:\b\1\b)
+[\s'\"`()]*?\b([\d\w]+)\b[\s'\"`()]*?!=[\s'\"`()]*?(?!\b\1\b)[\d\w]+
+[\s'\"`()]*?\b([\d\w]+)\b[\s'\"`()]*?<=[\s'\"`()]*?(?!\b\1\b)[\d\w]+
+[\s'\"`()]*?\b([\d\w]+)\b[\s'\"`()]*?>=[\s'\"`()]*?(?!\b\1\b)[\d\w]+
+[\s'\"`()]*?\b([\d\w]+)\b[\s'\"`()]*?<>[\s'\"`()]*?(?!\b\1\b)[\d\w]+
+[\s'\"`()]*?\b([\d\w]+)\b[\s'\"`()]*?<[\s'\"`()]*?(?!\b\1\b)[\d\w]+
+[\s'\"`()]*?\b([\d\w]+)\b[\s'\"`()]*?>[\s'\"`()]*?(?!\b\1\b)[\d\w]+
+[\s'\"`()]*?\b([\d\w]+)\b[\s'\"`()]*?\^[\s'\"`()]*?(?!\b\1\b)[\d\w]+
+[\s'\"`()]*?\b([\d\w]+)\b[\s'\"`()]*?is\s+not[\s'\"`()]*?(?!\b\1\b)[\d\w]+
+[\s'\"`()]*?\b([\d\w]+)\b[\s'\"`()]*?not\s+like[\s'\"`()]*?(?!\b\1\b)[\d\w]+
+[\s'\"`()]*?\b([\d\w]+)\b[\s'\"`()]*?not\s+regexp[\s'\"`()]*?(?!\b\1\b)[\d\w]+
From 023ce59268b308a8f89a202fb02af50d7debc006 Mon Sep 17 00:00:00 2001
From: Allan Boll
Date: Wed, 11 Mar 2020 01:35:34 +0000
Subject: [PATCH 2/2] another test
---
 .../942130.yaml | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
diff --git a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942130.yaml b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942130.yaml
index 246862158..9debe118c 100644
--- a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942130.yaml
+++ b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942130.yaml
@@ -111,3 +111,18 @@
 version: HTTP/1.1
 output:
 no_log_contains: id "942130"
+ -
+ test_title: 942130-8
+ desc: "SQL Injection Attack: SQL Tautology"
+ stages:
+ -
+ stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ method: GET
+ uri: "/?a=b,1=1"
+ version: HTTP/1.1
+ output:
+ log_contains: id "942130"