coreruleset / coreruleset

OWASP CRS (Official Repository)
https://coreruleset.org
Apache License 2.0

mysql injection easy bypass with # #3733

Status: Closed (closed by filoips 2 weeks ago)

filoips commented 3 weeks ago

Description

MySQL uses # as a comment marker.

How to reproduce the misbehavior (-> curl call)

On the Mutillidae buggy application, on the login screen, insert as username: admin' # and it will bypass rule 942500.

Logs

---qTKOePCH---H--
ModSecurity: Warning. Matched "Operator `Rx' with parameter `(?:^([\d.]+|\[[\da-f:]+\]|[\da-f:]+)(:[\d]+)?$)' against variable `REQUEST_HEADERS:Host' (Value: `172.30.1.25:8080' ) [file "/usr/share/modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "772"] [id "920350"] [rev ""] [msg "Host header is a numeric IP address"] [data "172.30.1.25:8080"] [severity "4"] [ver "OWASP_CRS/4.4.0-dev"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/210/272"] [tag "PCI/6.5.10"] [hostname "172.30.1.25"] [uri "/index.php"] [unique_id "171776332725.473114"] [ref "o0,16o0,11o11,5v56,16"]

Your Environment

Mutillidae running on a Linux server behind an nginx reverse proxy with ModSecurity.

Workaround

SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i:'\s*(?:#\s*|--\s*))" \
    "id:942501,\
    phase:2,\
    block,\
    capture,\
    t:none,t:urlDecodeUni,\
    msg:'MySQL in-line comment detected',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-multi',\
    tag:'attack-sqli',\
    tag:'paranoia-level/1',\
    tag:'OWASP_CRS',\
    tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\
    tag:'WASCTC/WASC-19',\
    tag:'OWASP_TOP_10/A1',\
    tag:'OWASP_AppSensor/CIE1',\
    tag:'PCI/6.5.2',\
    ver:'OWASP_CRS/3.2.0',\
    severity:'CRITICAL',\
    setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"

Confirmation

[ X ] I have removed any personal data (email addresses, IP addresses, passwords, domain names) from any logs posted.

airween commented 3 weeks ago

Hi @filoips,

thanks for the report.

Yes, it seems like your request bypasses the rule 942500 (https://github.com/coreruleset/coreruleset/blob/main/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf#L490-L530), but I'm afraid your suggested solution causes too many false positives (especially because it's a PL1 rule).

Please note that your request is blocked on PL2 by rule 942300 (https://github.com/coreruleset/coreruleset/blob/main/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf#L907-L931) - see this Sandbox test:

$ curl -X POST -d "username=admin' #" -H "x-format-output: txt-matched-rules" -H "x-crs-paranoia-level: 4" "https://sandbox.coreruleset.org/" 
920273 PL4 Invalid character in request (outside of very strict set)
920273 PL4 Invalid character in request (outside of very strict set)
942180 PL2 Detects basic SQL authentication bypass attempts 1/3
942300 PL2 Detects MySQL comments, conditions and ch(a)r injections
942432 PL4 Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (2)
949110 PL1 Inbound Anomaly Score Exceeded (Total Score: 23)
980170 PL1 Anomaly Scores: (Inbound Scores: blocking=23, detection=23, per_pl=0-10-0-13, threshold=5) - (Outbound Scores: blocking=0, detection=0, per_pl=0-0-0-0, threshold=4) - (SQLI=13, XSS=0, RFI=0, LFI=0, RCE=0, PHPI=0, HTTP=0, SESS=0, COMBINED_SCORE=23)

Btw. I've added this issue to our next monthly chat (https://github.com/coreruleset/coreruleset/issues/3728).
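To make the paranoia-level point above concrete, here is an added example (not CRS code, and not part of the thread) that models CRS anomaly scoring with two patterns taken from this issue: the quote-and-comment alternative of rule 942300 (PL2) and the proposed 942501 workaround (PL1). The critical score of 5 and the inbound threshold of 5 are assumed from the sandbox output; the scorer is a deliberate simplification of the real engine.

```python
import re

CRITICAL = 5    # assumed: CRS default tx.critical_anomaly_score
THRESHOLD = 5   # inbound anomaly threshold shown in the sandbox output

# (rule id, paranoia level, compiled regex, score)
RULES = [
    # quote-then-comment alternative quoted from CRS rule 942300 (a PL2 rule)
    ("942300", 2, re.compile(r"""["'`][\s\x0b]?(?:[#{]|--)""", re.I), CRITICAL),
]
# the 942501 workaround proposed in the issue, installed as a PL1 rule
WORKAROUND = ("942501", 1, re.compile(r"'\s*(?:#\s*|--\s*)", re.I), CRITICAL)


def evaluate(value, paranoia_level, rules):
    """Score one argument value: (total, per-PL scores, matched rule ids)."""
    per_pl = [0, 0, 0, 0]
    matched = []
    for rule_id, pl, rx, score in rules:
        if pl > paranoia_level:
            continue  # rule is not active at this paranoia level
        if rx.search(value):
            per_pl[pl - 1] += score
            matched.append(rule_id)
    return sum(per_pl), per_pl, matched


def is_blocked(value, paranoia_level, rules):
    """CRS blocks when the inbound anomaly score reaches the threshold."""
    return evaluate(value, paranoia_level, rules)[0] >= THRESHOLD


if __name__ == "__main__":
    # constructed samples: the reported payload and a benign prose fragment
    samples = ["admin' #", "I said 'no' -- twice"]
    for value in samples:
        for pl in (1, 2):
            total, per_pl, ids = evaluate(value, pl, RULES)
            print(f"PL{pl} stock CRS  {value!r:26} score={total} per_pl={per_pl} {ids}")
        total, per_pl, ids = evaluate(value, 1, RULES + [WORKAROUND])
        print(f"PL1 +942501    {value!r:26} score={total} per_pl={per_pl} {ids}")
```

The output shows the payload scoring 0 at PL1 but 5 (blocked) at PL2 with the stock pattern, while the PL1 workaround also fires on the benign prose sample, which is the false-positive cost airween describes.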

filoips commented 3 weeks ago

OK thank you, I'll check my setup.

filoips commented 3 weeks ago

On the GitHub repository the pattern is: (?i))[\s\x0b]?when[\s\x0b]?[0-9]+[\s\x0b]?then|[\"'`][\s\x0b]?(?:[#{]|--)|/*![\s\x0b]?[0-9]+|\b(?:(?:binary|cha?r)[\s\x0b]?([\s\x0b]?[0-9]|(?:and|n(?:and|ot)|(?:xx?)?or|div|like|between|r(?:egexp|like))[\s\x0b]+[0-9A-Z_a-z]+()|(?:|||&&)[\s\x0b]*?[0-9A-Z_a-z]+(

but it contains an error

[image: image.png]

I'm going to test in the next days.


filoips commented 2 weeks ago

Hello, I found the problem in my setup: I'm using an old CRS setup with new rules, where some variables have different names.

Sorry for the misunderstanding.

Regards


airween commented 2 weeks ago

Glad to see you could solve the problem - can we close this issue?

filoips commented 2 weeks ago

Yes, everything is fine.
