search

SpiderLabs / owasp-modsecurity-crs

OWASP ModSecurity Core Rule Set (CRS) Project (Official Repository)
https://modsecurity.org/crs
Apache License 2.0
2.44k stars 725 forks source link

FP 942100 MySQLi rule triggered? #1711

Open jeremyjpj0916 opened 4 years ago

jeremyjpj0916 commented 4 years ago

Description

I am guessing this fires on just some keywords to trip a MySQLi?

Audit Logs / Triggered Rule Numbers

---XdNJFxoh---B--
POST /F5/status HTTP/1.1
content-length: 212
accept-encoding: gzip, deflate
Host: gateway-dev.company.com
Accept: */*
Postman-Token: 44007447-9226-4bf1-8c65-fe5e9febc882
cache-control: no-cache
User-Agent: PostmanRuntime/7.6.1
Connection: keep-alive
Content-Type: application/json

---XdNJFxoh---C--
{
        "address": [
          {
            "addr1": "2104 GRANT AVE #A",
            "addr2": "",
            "addr3": "",
            "city": "",
            "state": "",
            "zip": "",
            "county": "",
            "countryCode": " ",
            "type": ""
          }
        ]
}

---XdNJFxoh---H--
ModSecurity: Warning. detected SQLi using libinjection. [file "/usr/local/owasp-modsecurity-crs-3.2.0/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "45"] [id "942100"] [rev ""] [msg "SQL Injection Attack Detected via libinjection"] [data "Matched Data: 1knc found within ARGS:json.address.array_0.addr1: 2104 GRANT AVE #A"] [severity "2"] [ver "OWASP_CRS/3.2.0"] [maturity "0"] [accuracy "0"] [hostname ""] [uri "/F5/status"] [unique_id "158339080551.721980"] [ref "v27,17"]

Linked my issue w dependency here: https://github.com/client9/libinjection/issues/149

Your Environment

dune73 commented 4 years ago

Confirm. I can trigger this on 942100 as follows:

$> curl localhost -d "foo=2104 GRANT AVE #A"
jeremyjpj0916 commented 4 years ago

UNION AVE on the other hand did not match a fingerprint. GRANT AVE citizens get rekt I suppose.

jeremyjpj0916 commented 4 years ago

@dune73 another one strikes again!

[id "942100"] [rev ""] [msg "SQL Injection Attack Detected via libinjection"] [data "Matched Data: nok1o found within ARGS:json.billingPreferenceList.array_0.billingPrefSourceInfo.billingPreferenceDescription: CLOSED - OPTION 1 / OPTION 3"]

Not sure what a nok1o is but it reminds me of the word Tokyo for some reason.