From b1ac61dc31a8e62750d92bd4a564d45603e712d3 Mon Sep 17 00:00:00 2001
From: franbuehler
Date: Sun, 2 Feb 2020 17:32:03 +0100
Subject: [PATCH] Extend sql having in rule 942230
---
 .../REQUEST-942-APPLICATION-ATTACK-SQLI.conf | 2 +-
 .../942230.yaml | 146 +++++++++++++++++-
 2 files changed, 146 insertions(+), 2 deletions(-)
diff --git a/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf b/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
index 725e21847..0cb9d1f2d 100644
--- a/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
+++ b/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
@@ -218,7 +218,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
 setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
 setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
-SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i:[\s()]case\s*?\(|\)\s*?like\s*?\(|having\s*?[^\s]+\s*?[^\w\s]|if\s?\([\d\w]\s*?[=<>~])" \
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i:[\s()]case\s*?\(|\)\s*?like\s*?\(|select.*?having\s*?[^\s]+\s*?[^\w\s]|if\s?\([\d\w]\s*?[=<>~])" \
 "id:942230,\
 phase:2,\
 block,\
diff --git a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942230.yaml b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942230.yaml
index b09c46b9b..06b4b83f9 100644
--- a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942230.yaml
+++ b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942230.yaml
@@ -1,6 +1,6 @@
 ---
 meta:
- author: "Christian S.J. Peron"
+ author: "Christian S.J. Peron, Franziska Buehler"
 description: None
 enabled: true
 name: 942230.yaml
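Review bot: Prefixing the third alternative with `select.*?` makes 942230 score a HAVING clause only when the same inspected value also contains SELECT, so an injected fragment that merely appends a HAVING condition to the application's own query (the attacker-controlled value holds no `select`) no longer matches this rule at all; the new 942230-5 case (`having pain!`) pins that narrowing as intended, but the diff does not show which other rule, if any, still covers such fragments. Since this rule scores into `tx.anomaly_score_pl1`, consider keeping the old unprefixed `having\s*?[^\s]+\s*?[^\w\s]` alternative in a stricter paranoia-level sibling rule, or confirm coverage elsewhere in this file and record the trade-off in the rule's comment header, e.g. `# HAVING is only scored when preceded by SELECT in the same value (false-positive reduction); see 942230-5`. The lazy `.*?` is also unbounded, so `select` and `having` may be arbitrarily far apart within one value; if the intent is a single statement, a bounded quantifier would make that explicit. The SecRule continues past the end of the hunk.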
@@ -21,3 +21,147 @@
 version: HTTP/1.0
 output:
 log_contains: id "942230"
+ -
+ test_title: 942230-2
+ desc: "conditional SQL injection attempts"
+ stages:
+ -
+ stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ method: GET
+ port: 80
+ uri: "/?var=%29like%28"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942230"
+ -
+ test_title: 942230-3
+ desc: "conditional SQL injection attempts"
+ stages:
+ -
+ stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ method: GET
+ port: 80
+ uri: "/?var=I%20like%20you%21"
+ version: HTTP/1.0
+ output:
+ no_log_contains: id "942230"
+ -
+ test_title: 942230-4
+ desc: "conditional SQL injection attempts"
+ stages:
+ -
+ stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ method: GET
+ port: 80
+ uri: "/?var=%20case%20%28"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942230"
+ -
+ test_title: 942230-5
+ desc: "conditional SQL injection attempts"
+ stages:
+ -
+ stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ method: GET
+ port: 80
+ uri: "/?var=having%20pain%21"
+ version: HTTP/1.0
+ output:
+ no_log_contains: id "942230"
+ -
+ test_title: 942230-6
+ desc: "conditional SQL injection attempts"
+ stages:
+ -
+ stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ method: GET
+ port: 80
+ uri: "/?var=SELECT%20x%20GROUP%20BY%20SOMETHING%20HAVING%20COUNT%28Id%29%20%3E%3D%209"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942230"
+ -
+ test_title: 942230-7
+ desc: "conditional SQL injection attempts"
+ stages:
+ -
+ stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ method: GET
+ port: 80
+ uri: "/?var=SELECT%20%2A%20FROM%20%60movies%60%20GROUP%20BY%20%60category_id%60%2C%60year_released%60%20HAVING%20%60category_id%60%20%3D%208%3B"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942230"
+ -
+ test_title: 942230-8
+ desc: "conditional SQL injection attempts"
+ stages:
+ -
+ stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ method: GET
+ port: 80
+ uri: "/?var=behaving%20badly%2F"
+ version: HTTP/1.0
+ output:
+ no_log_contains: id "942230"
+ -
+ test_title: 942230-9
+ desc: "conditional SQL injection attempts"
+ stages:
+ -
+ stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ method: GET
+ port: 80
+ uri: "/?var=o.havingu%40gmail.com"
+ version: HTTP/1.0
+ output:
+ no_log_contains: id "942230"
+ -
+ test_title: 942230-10
+ desc: "conditional SQL injection attempts"
+ stages:
+ -
+ stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ method: GET
+ port: 80
+ uri: "/?var=if%282%3D"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942230"
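Review bot: The four negative cases (942230-3, -5, -8, -9) assert `no_log_contains` yet carry the same `desc: "conditional SQL injection attempts"` as the positive ones, so a reader of a failing run cannot tell from the description whether a miss or a false positive is being reported; label them, e.g. `desc: "conditional SQL injection attempts - false positive (benign text)"`. Case 942230-5 in particular is the regression pin for this commit's narrowing of the rule (the old `having\s*?[^\s]+\s*?[^\w\s]` alternative matched `having pain!`, the new `select.*?having` prefix does not), and that deserves a comment above the test, e.g. `# HAVING without a preceding SELECT in the same value must not score since this commit`, so the expectation is not later "fixed" back. All new cases exercise only ARGS via the query string, although the rule also inspects cookies, ARGS_NAMES and XML; that is consistent with the existing test in this file, but worth noting if coverage of the other targets is expected.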