coreruleset / coreruleset

OWASP CRS (Official Repository)
https://coreruleset.org
Apache License 2.0

RCE: backticks #2619

Closed fzipi closed 1 year ago

fzipi commented 2 years ago

Description

Backticks can be used in shell, perl and/or php execution. We are not covering all cases for double backticks right now; we need to craft or extend an existing regexp to match them.

Some examples:

We also need to review https://github.com/coreruleset/coreruleset/pull/2583, which has some generic backticks coverage, but we might want a specific rule for it.

⚠️ We need to be aware that valid markdown uses three backticks very often.

fzipi commented 1 year ago

The first example is being detected at PL2 now:

curl -i -H "x-crs-paranoia-level: 4" -H "x-format-output: txt-matched-rules" -H "x-backend: apache" -H "x-crs-version: nightly" "https://sandbox.coreruleset.org" --data 'cmd=z%27%60x%3Bid%60x%27x'
HTTP/1.1 200 OK
Date: Mon, 12 Dec 2022 12:05:30 GMT
Content-Type: text/plain
Transfer-Encoding: chunked
Connection: keep-alive
X-Unique-ID: Y5cZCqMnNxbipjNWmTDa2AAAAEc
x-backend: apache-nightly

920273 PL4 Invalid character in request (outside of very strict set)
920273 PL4 Invalid character in request (outside of very strict set)
932240 PL2 Remote Command Execution: Unix Command Injection evasion attempt detected
942432 PL4 Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (2)
949110 PL1 Inbound Anomaly Score Exceeded (Total Score: 18)
980170 PL1 Anomaly Scores: (Inbound Scores: blocking=18, detection=18, per_pl=0-5-0-13, threshold=5) - (Outbound Scores: blocking=0, detection=0, per_pl=0-0-0-0, threshold=4) - (SQLI=3, XSS=0, RFI=0, LFI=0, RCE=5, PHPI=0, HTTP=0, SESS=0)

And the second at PL1:

curl -i -H "x-crs-paranoia-level: 4" -H "x-format-output: txt-matched-rules" -H "x-backend: apache" -H "x-crs-version: nightly" "https://sandbox.coreruleset.org" --data 'cmd=s.%60%24_GET%5Bx%5D%60.s'
HTTP/1.1 200 OK
Date: Mon, 12 Dec 2022 12:06:33 GMT
Content-Type: text/plain
Transfer-Encoding: chunked
Connection: keep-alive
X-Unique-ID: Y5cZSbx06b6RERMaQbGyVgAAAJE
x-backend: apache-nightly

920273 PL4 Invalid character in request (outside of very strict set)
920273 PL4 Invalid character in request (outside of very strict set)
932240 PL2 Remote Command Execution: Unix Command Injection evasion attempt detected
933130 PL1 PHP Injection Attack: Variables Found
942432 PL4 Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (2)
949110 PL1 Inbound Anomaly Score Exceeded (Total Score: 23)
980170 PL1 Anomaly Scores: (Inbound Scores: blocking=23, detection=23, per_pl=5-5-0-13, threshold=5) - (Outbound Scores: blocking=0, detection=0, per_pl=0-0-0-0, threshold=4) - (SQLI=3, XSS=0, RFI=0, LFI=0, RCE=5, PHPI=5, HTTP=0, SESS=0)

@dune73 @theMiddleBlue is that enough for our purposes?
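As an added example (not code from the issue or from the CRS project), a small Python helper that parses the `txt-matched-rules` output quoted above and answers the question the thread is asking: at which paranoia level a site would actually have blocked the request. The rule-id prefix to attack-family mapping and the idea of summing the `per_pl` buckets up to the deployed PL are assumptions about how CRS groups rule ids and reports scores.

```python
import re

# Matched-rule output of the CRS sandbox ("x-format-output: txt-matched-rules")
# for the first payload, copied from the response quoted in this issue.
SAMPLE_SHELL_BACKTICKS = """\
920273 PL4 Invalid character in request (outside of very strict set)
920273 PL4 Invalid character in request (outside of very strict set)
932240 PL2 Remote Command Execution: Unix Command Injection evasion attempt detected
942432 PL4 Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (2)
949110 PL1 Inbound Anomaly Score Exceeded (Total Score: 18)
980170 PL1 Anomaly Scores: (Inbound Scores: blocking=18, detection=18, per_pl=0-5-0-13, threshold=5) - (Outbound Scores: blocking=0, detection=0, per_pl=0-0-0-0, threshold=4) - (SQLI=3, XSS=0, RFI=0, LFI=0, RCE=5, PHPI=0, HTTP=0, SESS=0)
"""

RULE_LINE = re.compile(r"^(?P<id>\d{6}) PL(?P<pl>[1-4]) (?P<msg>.*)$")
SUMMARY = re.compile(r"Inbound Scores:.*?per_pl=(\d+)-(\d+)-(\d+)-(\d+), threshold=(\d+)")
# CRS rule-id prefixes for the attack families this issue cares about (assumed mapping).
FAMILY = {"932": "RCE", "933": "PHPI", "942": "SQLI"}

def parse_matched_rules(text):
    """Return (rule_id, paranoia_level, message) for every matched-rule line."""
    out = []
    for line in text.splitlines():
        m = RULE_LINE.match(line.strip())
        if m:
            out.append((m["id"], int(m["pl"]), m["msg"]))
    return out

def lowest_pl_for_family(rules, family):
    """Lowest PL at which a rule of the given family matched, or None if none did."""
    pls = [pl for rid, pl, _ in rules if FAMILY.get(rid[:3]) == family]
    return min(pls) if pls else None

def inbound_summary(rules):
    """(per_pl score buckets, inbound threshold) taken from the 980170 reporting line."""
    for rid, _, msg in rules:
        if rid == "980170":
            m = SUMMARY.search(msg)
            if m:
                return tuple(int(x) for x in m.groups()[:4]), int(m.group(5))
    raise ValueError("no 980170 summary line found")

def blocked_at_pl(rules, pl):
    """Would a site running at paranoia level `pl` have blocked this request?
    Only rules at PL <= pl run there, so sum the per_pl buckets up to `pl`."""
    per_pl, threshold = inbound_summary(rules)
    return sum(per_pl[:pl]) >= threshold

def minimum_blocking_pl(rules):
    """Lowest paranoia level at which the inbound threshold is reached, or None."""
    return next((pl for pl in (1, 2, 3, 4) if blocked_at_pl(rules, pl)), None)
```

For the sample above this reports RCE coverage starting at PL2 and a minimum blocking PL of 2, matching what the sandbox run shows.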

theMiddleBlue commented 1 year ago

I think PL2 is acceptable

fzipi commented 1 year ago

Then let's close this one.