LinuxQuestions.org
Old 07-22-2010, 11:59 AM   #1
rsciw
mod_security with CRS adjustments to capture php POST sql injection attempts


Greetings,

Currently I'm fiddling around with mod_security for apache2 configurations on CentOS boxes, right now in a test environment first (i.e. a separate non-production box).

CentOS includes the mod_security "Core Rule Set" by Breach Security Inc., the devs behind that module.

So far everything's mostly running: logs, audit logs, etc.

For simple testing, I made a small php form as follows:

Code:
<?php

$link  = mysql_connect("localhost", $user, $pass); // un/pw obfuscated for forum post
$dbsel = mysql_select_db($db);

if ($_REQUEST['meh'])
{
    // Deliberately unparameterised test query: the value is concatenated straight
    // into the SQL so that mod_security, not the application, is what has to catch it.
    // Note: the guard above checks $_REQUEST, but the query reads $_POST.
    $sql = "SELECT name FROM users WHERE id = ".$_POST['meh'];

    var_dump($sql);

    $res = mysql_query($sql);
    while ($row = mysql_fetch_array($res))
    {
        var_dump($row);
    }
}

mysql_close($link);

?>

<form method="GET" action='wibble.php'>
<input type='text' name='meh' />
<input type='submit' value='submit' name='submit' />
</form>
So far so good. As soon as I enter in there e.g.
Code:
21832 OR 1=(SELECT COUNT(*) from users)
I'll get a mod_security log entry in the website's error log as well as in mod_security's audit logs, looking as follows:

website's error log file:
Code:
[Thu Jul 22 17:17:50 2010] [error] [client <IP>] ModSecurity: Warning. Operator LT matched 20 at TX:inbound_anomaly_score. [file "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_60_correlation.conf"] [line "31"] [msg "Inbound Anomaly Score (Total Inbound Score: 6, SQLi=, XSS=): 900048-Detects chained SQL injection attempts 1/2"] [hostname "<WEBSITE>"] [uri "/wibble.php"] [unique_id "QnrIfgoYJQQAACE3HlUAAAAA"]
audit.log
Code:
URL IP - - [22/Jul/2010:17:17:50 +0100] "GET /wibble.php?meh=%2721832%27+OR+1%3D(SELECT+COUNT(*)+FROM+users)&submit=submit HTTP/1.1" 200 167 "-" "-" QnrIfgoYJQQAACE3HlUAAAAA "-" /20100722/20100722-1717/20100722-171750-QnrIfgoYJQQAACE3HlUAAAAA 0 2732 md5:a824ec2816b0c479db80bc91659e7eec
Code:
--38105e3c-A--
[22/Jul/2010:17:17:50 +0100] QnrIfgoYJQQAACE3HlUAAAAA <IP> 57085 10.24.37.4 443
--38105e3c-B--
GET /wibble.php?meh=%2721832%27+OR+1%3D(SELECT+COUNT(*)+FROM+users)&submit=submit HTTP/1.1
Host: <HOST>
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-GB; rv:1.9.2.6) Gecko/20100628 Ubuntu/10.04 (lucid) Firefox/3.6.6
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-gb,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Cookie: name=v2; SESSID=ghd7c2od5p594s4962so1j62o7

--38105e3c-F--
HTTP/1.1 200 OK
X-Powered-By: PHP/5.1.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Encoding: gzip
Vary: Accept-Encoding
Content-Length: 167
Connection: close
Content-Type: text/html; charset=UTF-8

--38105e3c-E--

--38105e3c-H--
Message: Pattern match "(?:\/\w+;?\s+(?:having|and|or|select))|(?:\d\s+group\s+by.+\()|(?:(?:;|#|--)\s*(?:drop|alter))|(?:(?:;|#|--)\s*(?:update|insert)\s*\w{2,})|(?:[^\w]SET\s*@\w+)|(?:(?:n?and|x?or|not |\|\||\&\&)\s+\w+[!=+]+[\s\d]*["=(])" at ARGS:meh. [file "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_41_phpids_filters.conf"] [line "91"] [id "900048"] [msg "Detects chained SQL injection attempts 1/2"] [data "or 1=("] [severity "CRITICAL"] [tag "WEB_ATTACK/SQLI"] [tag "WEB_ATTACK/ID"]
Message: Warning. Operator LT matched 20 at TX:inbound_anomaly_score. [file "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_60_correlation.conf"] [line "31"] [msg "Inbound Anomaly Score (Total Inbound Score: 6, SQLi=, XSS=): 900048-Detects chained SQL injection attempts 1/2"]
Apache-Error: [file "/builddir/build/BUILD/php-5.1.6/sapi/apache2handler/sapi_apache2.c"] [line 270] [level 3] PHP Warning:  mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /home/test/www/wibble.php on line 14
Apache-Error: [file "/builddir/build/BUILD/php-5.1.6/sapi/apache2handler/sapi_apache2.c"] [line 270] [level 3] PHP Stack trace:
Apache-Error: [file "/builddir/build/BUILD/php-5.1.6/sapi/apache2handler/sapi_apache2.c"] [line 270] [level 3] PHP   1. {main}() /home/test/www/wibble.php:0
Apache-Error: [file "/builddir/build/BUILD/php-5.1.6/sapi/apache2handler/sapi_apache2.c"] [line 270] [level 3] PHP   2. mysql_fetch_array() /home/test/www/wibble.php:14
Apache-Handler: php5-script
Stopwatch: 1279815470205054 413084 (919 9773 -)
Response-Body-Transformed: Dechunked
Producer: ModSecurity for Apache/2.5.12 (http://www.modsecurity.org/); core ruleset/2.0.5.
Server: Apache

--38105e3c-Z--
This is all fine and works as expected (disregarding the malformed sql string anyway).

However, as soon as I switch the form action from GET to POST, I don't get any log entries, nothing is checked, and the code's executed (as I do get the var_dump() output printed).

mod_security is set to allow the methods GET HEAD POST OPTIONS, stated in
/etc/httpd/modsecurity/modsecurity_crs_10_config.conf in the line
Code:
setvar:'tx.allowed_methods=GET HEAD POST OPTIONS', \
which, as seen, works. (I removed POST from it once for testing, and the code wouldn't get that far.)

Now, what I'm wondering is: why is the attempted POST sql injection not captured? Have I missed some default configuration in the CRS which lets it through, or does the CRS by default not deal with it (which would surprise me, though)?

Any information's greatly appreciated.
If further logs or conf printouts are needed, I can post those.

/edit: I reckon this belongs in the security forums, but if the server forum's the appropriate address, I'll be happy to report it for a move.

Last edited by rsciw; 07-22-2010 at 12:01 PM.
 
Old 07-23-2010, 06:25 AM   #2
rsciw
Original Poster
Seems I've found it finally.
Apparently most tutorials available on the web are for older versions of mod_security, where the directive "SecFilterScanPOST" exists; it doesn't exist anymore in mod_security 2.5.x.

Instead, use:
Code:
SecRequestBodyAccess On
SecResponseBodyAccess On

However, I noticed the following with my above test script:

Executing an attempted injection via GET, the injection is filtered out and the var_dump prints out:
Code:
string(34) "SELECT name FROM users WHERE id = "
However, attempting a POST injection, it is not filtered out, and I get
Code:
string(70) "SELECT name FROM users WHERE id = '' OR 1=(SELECT COUNT(*) FROM users)"

Regardless of whether the actual query string is formulated correctly or not, it should be filtered out nonetheless due to the flagged words.

The logs show that it invokes this SecRule during the attempted injection:
Code:
SecRule ARGS|ARGS_NAMES|XML:/* "(?:\/\w+;?\s+(?:having|and|or|select))|(?:\d\s+group\s+by.+\()|(?:(?:;|#|--)\s*(?:drop|alter))|(?:(?:;|#|--)\s*(?:update|insert)\s*\w{2,})|(?:[^\w]SET\s*@\w+)|(?:(?:n?and|x?or|not |\|\||\&\&)\s+\w+[!=+]+[\s\d]*[\"=(])" "phase:2,capture,t:none,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects chained SQL injection attempts 1/2',id:'900048',tag:'WEB_ATTACK/SQLI',tag:'WEB_ATTACK/ID',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+6,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"
What I did is replace the "capture" with "deny", and now any attempted injection will return a 403 error page, which is good.

Will probably replace all other captures in the ruleset with deny as well.

Hope this helps anyone else out there who runs into a similar problem.
If I have time, I might just write a newer tutorial.

Last edited by rsciw; 07-23-2010 at 06:28 AM.
 
2 members found this post helpful.
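As an added example (not code from the thread or from the mod_security project), a small Python parser for the serial audit log layout shown above (the `--xxxx-A--` ... `--xxxx-Z--` parts) that pulls the request method and the CRS rule hits out of each transaction and flags POST transactions that carried a body yet matched no rule at all; on a test box fed a known-bad payload, that is the symptom this thread ran into before turning on SecRequestBodyAccess. The sample log is constructed and the helper names are mine.

```python
import re
# Constructed sample of a ModSecurity 2.x serial audit log in the part A/B/C/H/Z layout
# shown in the thread: a GET that hit CRS rule 900048, then a POST carrying the same
# payload in its body that produced no rule message at all.
SAMPLE_LOG = """\
--38105e3c-A--
[22/Jul/2010:17:17:50 +0100] QnrIfgoYJQQAACE3HlUAAAAA 192.0.2.10 57085 10.24.37.4 443
--38105e3c-B--
GET /wibble.php?meh=%2721832%27+OR+1%3D(SELECT+COUNT(*)+FROM+users) HTTP/1.1
--38105e3c-H--
Message: Pattern match "(?:x?or)\\s+" at ARGS:meh. [file "modsecurity_crs_41_phpids_filters.conf"] [line "91"] [id "900048"] [msg "Detects chained SQL injection attempts 1/2"] [severity "CRITICAL"]
Message: Warning. Operator LT matched 20 at TX:inbound_anomaly_score. [msg "Inbound Anomaly Score (Total Inbound Score: 6)"]
--38105e3c-Z--
--4a2b9c1d-A--
[22/Jul/2010:17:19:02 +0100] Rz7Q2AoYJQQAACE4HlUAAAAB 192.0.2.10 57090 10.24.37.4 443
--4a2b9c1d-B--
POST /wibble.php HTTP/1.1
--4a2b9c1d-C--
meh=%2721832%27+OR+1%3D(SELECT+COUNT(*)+FROM+users)&submit=submit
--4a2b9c1d-H--
Apache-Handler: php5-script
--4a2b9c1d-Z--
"""

BOUNDARY = re.compile(r"^--([0-9a-f]+)-([A-Z])--$")
MESSAGE = re.compile(r'^Message: .*?\[id "(\d+)"\].*?\[msg "([^"]*)"\](?:.*?\[severity "([^"]*)"\])?')

def parse_audit_log(text):
    """Split a serial audit log into per-transaction dicts: id, method, has_body, hits."""
    raw, parts = [], None
    for line in text.splitlines():
        m = BOUNDARY.match(line)
        if m:                                   # boundary line: switch part; A opens a new tx
            part = m.group(2)
            if part == "A":
                parts = {}
                raw.append(parts)
        elif parts is not None:
            parts.setdefault(part, []).append(line)
    txs = []
    for p in raw:
        a, req = p.get("A", [""])[0].split(), p.get("B", [""])[0].split()
        txs.append({"id": a[2] if len(a) > 2 else "", "method": req[0] if req else "",
                    "has_body": any(l.strip() for l in p.get("C", [])),   # part C = request body
                    "hits": [h.groups() for h in map(MESSAGE.match, p.get("H", [])) if h]})
    return txs

def uninspected_posts(txs):
    """POSTs with a body but no rule hit: with a known-bad test payload, the sign body access is off."""
    return [t["id"] for t in txs if t["method"] == "POST" and t["has_body"] and not t["hits"]]
```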