Closed: filoips closed this issue 2 weeks ago
Hi @filoips,
thanks for the report.
Yes, it seems like your request bypasses rule 942500 (https://github.com/coreruleset/coreruleset/blob/main/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf#L490-L530), but I'm afraid your suggested solution causes too many false positives (especially because it's a PL1 rule).
Please note that your request is blocked at PL2 by rule 942300 (https://github.com/coreruleset/coreruleset/blob/main/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf#L907-L931) - see this Sandbox (https://coreruleset.org/docs/development/sandbox/) test:
$ curl -X POST -d "username=admin' #" -H "x-format-output: txt-matched-rules" -H "x-crs-paranoia-level: 4" "https://sandbox.coreruleset.org/"
920273 PL4 Invalid character in request (outside of very strict set)
920273 PL4 Invalid character in request (outside of very strict set)
942180 PL2 Detects basic SQL authentication bypass attempts 1/3
942300 PL2 Detects MySQL comments, conditions and ch(a)r injections
942432 PL4 Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (2)
949110 PL1 Inbound Anomaly Score Exceeded (Total Score: 23)
980170 PL1 Anomaly Scores: (Inbound Scores: blocking=23, detection=23, per_pl=0-10-0-13, threshold=5) - (Outbound Scores: blocking=0, detection=0, per_pl=0-0-0-0, threshold=4) - (SQLI=13, XSS=0, RFI=0, LFI=0, RCE=0, PHPI=0, HTTP=0, SESS=0, COMBINED_SCORE=23)
Btw. I've added this issue to our next monthly chat (https://github.com/coreruleset/coreruleset/issues/3728).
OK thank you, I'll check my setup.
On the GitHub repository the pattern is:
(?i)\)[\s\x0b]?when[\s\x0b]?[0-9]+[\s\x0b]?then|[\"'`][\s\x0b]?(?:[#{]|--)|/\*![\s\x0b]?[0-9]+|\b(?:(?:binary|cha?r)[\s\x0b]?\([\s\x0b]?[0-9]|(?:and|n(?:and|ot)|(?:xx?)?or|div|like|between|r(?:egexp|like))[\s\x0b]+[0-9A-Z_a-z]+\()|(?:\|\||&&)[\s\x0b]*?[0-9A-Z_a-z]+\(
but it contains an error
[image: image.png]
I'm going to test it in the next few days.
On Fri, Jun 7, 2024 at 2:50 PM Ervin Hegedus wrote:
[quoted copy of the reply above]
Hello, I found the problem in my setup: I'm using an old CRS setup with new rules, where some variables have different names.
Sorry for the misunderstanding.
Regards
On Fri, Jun 7, 2024 at 3:22 PM Filippo Gentili wrote:
[quoted copy of the two messages above]
Glad to see you could solve the problem - can we close this issue?
Yes, everything is fine.
On Mon, Jun 10, 2024, 13:19 Ervin Hegedus wrote:
[quoted copy of the comment above]
Description
MySQL uses # as comment markup.
How to reproduce the misbehavior (-> curl call)
On the Mutillidae buggy web application's login screen, enter admin' # as the username; it will bypass rule 942500.
Logs
Your Environment
Mutillidae running on a Linux server behind an nginx reverse proxy with ModSecurity.
Workaround
Confirmation
[ X ] I have removed any personal data (email addresses, IP addresses, passwords, domain names) from any logs posted.
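The reproduction in this report and the sandbox output in the maintainer's reply, worked through as an added example (this is not code from the thread or from the CRS project): it shows why the username admin' # defeats a string-built MySQL login query (the # starts a comment, so the password predicate is never executed), runs the operator of rule 942300 quoted in the thread against the payload and against a benign value, and recomputes the per-paranoia-level anomaly scores from the 980170 line to show why the request passes at PL1 and is blocked from PL2 on. The login query shape is a hypothetical illustration (Mutillidae's real query is not quoted here); the rule severities are inferred from the quoted breakdown per_pl=0-10-0-13; the severity weights and the inbound threshold of 5 are the CRS defaults.

```python
"""Why "admin' #" works against MySQL, and how CRS scores the request.

Added example; not code from the CRS project or from the issue thread.
"""
import re

# --- 1. The injection: MySQL treats '#' as a comment up to end of line ----

# Hypothetical vulnerable login query built by string formatting (constructed
# for illustration; the thread does not quote Mutillidae's real query text).
LOGIN_QUERY = "SELECT * FROM accounts WHERE username='{u}' AND password='{p}'"


def vulnerable_query(username: str, password: str) -> str:
    """Return the statement an unparameterised login handler would send."""
    return LOGIN_QUERY.format(u=username, p=password)


def effective_mysql_statement(sql: str) -> str:
    """Return what MySQL actually executes: everything before the first '#'
    that lies outside a single-quoted literal. Simplified on purpose: it
    ignores backslash escapes, double-quoted strings and backtick names."""
    in_string = False
    for i, ch in enumerate(sql):
        if ch == "'":
            in_string = not in_string
        elif ch == "#" and not in_string:
            return sql[:i]
    return sql


# --- 2. The PL2 detection: operator of CRS rule 942300 ---------------------

# Pattern as quoted in the thread, with the backslash escapes that markdown
# rendering stripped from the quoted copy put back.
RULE_942300 = re.compile(
    r"(?i)\)[\s\x0b]?when[\s\x0b]?[0-9]+[\s\x0b]?then"
    r"|[\"'`][\s\x0b]?(?:[#{]|--)"
    r"|/\*![\s\x0b]?[0-9]+"
    r"|\b(?:(?:binary|cha?r)[\s\x0b]?\([\s\x0b]?[0-9]"
    r"|(?:and|n(?:and|ot)|(?:xx?)?or|div|like|between|r(?:egexp|like))"
    r"[\s\x0b]+[0-9A-Z_a-z]+\()"
    r"|(?:\|\||&&)[\s\x0b]*?[0-9A-Z_a-z]+\("
)


def matches_942300(value: str) -> bool:
    """True if the raw argument value would trip rule 942300."""
    return RULE_942300.search(value) is not None


# --- 3. Anomaly scoring behind the 980170 line in the sandbox output -------

SEVERITY_SCORE = {"CRITICAL": 5, "ERROR": 4, "WARNING": 3, "NOTICE": 2}  # CRS defaults
INBOUND_THRESHOLD = 5                                                    # CRS default

# (rule id, paranoia level, severity) for each hit in the quoted sandbox run.
# Severities are inferred (assumption) from per_pl=0-10-0-13: two CRITICAL
# hits at PL2 give 10; two CRITICAL plus one WARNING at PL4 give 13.
SANDBOX_HITS = [
    ("920273", 4, "CRITICAL"),
    ("920273", 4, "CRITICAL"),
    ("942180", 2, "CRITICAL"),
    ("942300", 2, "CRITICAL"),
    ("942432", 4, "WARNING"),
]


def per_pl_scores(hits):
    """Points contributed by each paranoia level, like 980170's per_pl field."""
    return [sum(SEVERITY_SCORE[sev] for _, pl, sev in hits if pl == level)
            for level in (1, 2, 3, 4)]


def inbound_score(hits, paranoia_level: int) -> int:
    """Only rules at or below the configured PL are active, so only their
    points count toward the inbound anomaly score."""
    return sum(SEVERITY_SCORE[sev] for _, pl, sev in hits if pl <= paranoia_level)


def blocked(hits, paranoia_level: int, threshold: int = INBOUND_THRESHOLD) -> bool:
    """Rule 949110 blocks once the inbound score reaches the threshold."""
    return inbound_score(hits, paranoia_level) >= threshold


if __name__ == "__main__":
    payload = "admin' #"
    full = vulnerable_query(payload, "guess")
    print("sent to MySQL :", full)
    print("executed      :", effective_mysql_statement(full))
    print("942300 hit    :", matches_942300(payload))
    print("benign hit    :", matches_942300("see 'intro' #3"))
    print("per_pl        :", per_pl_scores(SANDBOX_HITS))
    for pl in (1, 2, 3, 4):
        print(f"PL{pl}: score={inbound_score(SANDBOX_HITS, pl)} "
              f"blocked={blocked(SANDBOX_HITS, pl)}")
```

Run it with python3; it needs no network. The pattern is applied to the raw argument value here, whereas ModSecurity applies the rule's configured transformations first, so use the Sandbox call from the thread for the authoritative verdict. Note that the constructed benign value see 'intro' #3 also trips 942300: a quote followed by # is common in ordinary text, which is the false-positive class the maintainer's reply raises against adding such a check to a PL1 rule.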