coreruleset: Simple request header SQL injection not triggered until paranoia level 3

Description

There is a simple request header injection that's being run in the wild that doesn't trigger any detection rules:

https://domain/if(now()=sysdate(),sleep(12),0)

curl -sSL "https://domain/if(now()=sysdate(),sleep(12),0)"

  • CRS version: v3.3.0
  • Paranoia level setting: 1
  • ModSecurity version: 2.9.3-2
  • Web Server and version: 2.4.46
  • Operating System and version: Debian testing

With paranoia 1:

--1d033529-A--
[13/Oct/2020:15:56:56 +0200] X4WyKPjwCBvyuKKDiXdhsQAABA4 <attackerip> 62291 <serverip> 80
--1d033529-B--
GET /if(now()=sysdate(),sleep(12),0) HTTP/1.1
Host: www.url.nl
Connection: keep-alive
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.75 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: url=6kc1vl5kvlnnhbdq194gfr5j7r

--1d033529-F--
HTTP/1.1 404 Not Found
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
Referrer-Policy: strict-origin-when-cross-origin
Cache-Control: private, no-cache, no-store, must-revalidate, proxy-revalidate, no-transform
Keep-Alive: timeout=5, max=78
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=utf-8

--1d033529-H--
Apache-Handler: proxy:fcgi://php-fpm-other
Stopwatch: 1602597416274606 19010 (- - -)
Stopwatch2: 1602597416274606 19010; combined=1789, p1=537, p2=1081, p3=0, p4=0, p5=170, sr=126, sw=1, l=0, gc=0
Producer: ModSecurity for Apache/2.9.3 (http://www.modsecurity.org/); OWASP_CRS/3.2.0.
Server: Apache
Engine-Mode: "ENABLED"

--1d033529-Z--

With paranoia 3:

--90d33f15-A--
[13/Oct/2020:16:46:07 +0200] X4W9r6Nq-5paM8MCAWK0AwAEDSk <attackerip> 65130 <serverip> 443
--90d33f15-B--
GET /if(now()=sysdate(),sleep(12),0) HTTP/2.0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101 Firefox/81.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-GB,en-US;q=0.8,en;q=0.5,nl;q=0.3
Accept-Encoding: gzip, deflate, br
Upgrade-Insecure-Requests: 1
Dnt: 1
Cookie: _pk_id.11551.3e83=22aa487d73c0d6fd.1600181509.2.1602599827.1600181509.; cookie=; url=srb4amso0slc1v61uliqf8rh8i; PHPSESSID=39ndb9dpa303ns275g04i86a5q; bicycle-attack-token=NTI0NTI5NDc0MTIzMjIxNjYyMTE3NjA1NTE3NTU3MzQ0NjEyNjM1MTYxMzQ3MzYxMjA5NTEzMDI2NTIxNjQ3MzcxMTQ0MjAxMDMwNDkzNTYxMTI2MjM4MTMxMTEzMTY2OTk0OTE3MTUzMTQ1; csrf-token=7d0eb62a9e654b78779f9c85201c40afaad468919e8af6157cc7fac6a9e60ddfbe92b2d7f233cff245399514a60cb22657fdb450c46e0c7492d07d4f8fa67a32; _pk_testcookie..undefined=1; _pk_testcookie.11551.3e83=1; _pk_ses.11551.3e83=1
Cache-Control: max-age=0
Te: trailers
Host: url.nl

--90d33f15-F--
HTTP/1.1 403 Forbidden
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
Expect-CT: max-age=300, report-uri="https://cthost"
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Content-Length: 310
Connection: close
Content-Type: text/html; charset=iso-8859-1

--90d33f15-E--
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access this resource.</p>
<hr>
<address>Apache Server at <a href="mailto:webmaster@url.nl">url.nl</a> Port 443</address>
</body></html>

--90d33f15-H--
Message: Warning. Pattern match "(?i)\\b(?:i(?:s(?:_(?:in(?:t(?:eger)?|finite)|n(?:u(?:meric|ll)|an)|(?:calla|dou)ble|s(?:calar|tring)|f(?:inite|loat)|re(?:source|al)|l(?:ink|ong)|a(?:rray)?|object|bool)|set)|n(?:(?:clud|vok)e|t(?:div|val))|(?:mplod|dat)e|conv)|s(?:t(?:r(?:(?:le|sp)n| ..." at REQUEST_FILENAME. [file "/usr/share/modsecurity-crs/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf"] [line "646"] [id "933161"] [msg "PHP Injection Attack: Low-Value PHP Function Call Found"] [data "Matched Data: sleep(12),0) found within REQUEST_FILENAME: /if(now()=sysdate(),sleep(12),0)"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.0"] [tag "application-multi"] [tag "language-php"] [tag "platform-multi"] [tag "attack-injection-php"] [tag "OWASP_CRS"] [tag "capec/1000/152/242"] [tag "paranoia-level/3"]
Message: Warning. detected SQLi using libinjection with fingerprint 'f(f()' [file "/usr/share/modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "1477"] [id "942101"] [msg "SQL Injection Attack Detected via libinjection"] [data "Matched Data: f(f() found within REQUEST_BASENAME: if(now()=sysdate(),sleep(12),0)"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-sqli"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/66"] [tag "PCI/6.5.2"] [tag "paranoia-level/3"]
Message: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/usr/share/modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "93"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 10)"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"]
Message: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/usr/share/modsecurity-crs/rules/RESPONSE-980-CORRELATION.conf"] [line "91"] [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 10 - SQLI=5,XSS=0,RFI=0,LFI=0,RCE=0,PHPI=5,HTTP=0,SESS=0): individual paranoia level scores: 0, 0, 10, 0"] [ver "OWASP_CRS/3.3.0"] [tag "event-correlation"]
Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client <attackerip>] ModSecurity: Warning. Pattern match "(?i)\\\\\\\\b(?:i(?:s(?:_(?:in(?:t(?:eger)?|finite)|n(?:u(?:meric|ll)|an)|(?:calla|dou)ble|s(?:calar|tring)|f(?:inite|loat)|re(?:source|al)|l(?:ink|ong)|a(?:rray)?|object|bool)|set)|n(?:(?:clud|vok)e|t(?:div|val))|(?:mplod|dat)e|conv)|s(?:t(?:r(?:(?:le|sp)n| ..." at REQUEST_FILENAME. [file "/usr/share/modsecurity-crs/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf"] [line "646"] [id "933161"] [msg "PHP Injection Attack: Low-Value PHP Function Call Found"] [data "Matched Data: sleep(12),0) found within REQUEST_FILENAME: /if(now()=sysdate(),sleep(12),0)"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.0"] [tag "application-multi"] [tag "language-php"] [tag "platform-multi"] [tag "attack-injection-php"] [tag "OWASP_CRS"] [tag "capec/1000/152/242"] [tag "paranoia-level/3"] [hostname "url.nl"] [uri "/if(now()=sysdate(),sleep(12),0)"] [unique_id "X4W9r6Nq-5paM8MCAWK0AwAEDSk"]
Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client <attackerip>] ModSecurity: Warning. detected SQLi using libinjection with fingerprint 'f(f()' [file "/usr/share/modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "1477"] [id "942101"] [msg "SQL Injection Attack Detected via libinjection"] [data "Matched Data: f(f() found within REQUEST_BASENAME: if(now()=sysdate(),sleep(12),0)"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-sqli"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/66"] [tag "PCI/6.5.2"] [tag "paranoia-level/3"] [hostname "url.nl"] [uri "/if(now()=sysdate(),sleep(12),0)"] [unique_id "X4W9r6Nq-5paM8MCAWK0AwAEDSk"]
Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client <attackerip>] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/usr/share/modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "93"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 10)"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "url.nl"] [uri "/if(now()=sysdate(),sleep(12),0)"] [unique_id "X4W9r6Nq-5paM8MCAWK0AwAEDSk"]
Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client <attackerip>] ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/usr/share/modsecurity-crs/rules/RESPONSE-980-CORRELATION.conf"] [line "91"] [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 10 - SQLI=5,XSS=0,RFI=0,LFI=0,RCE=0,PHPI=5,HTTP=0,SESS=0): individual paranoia level scores: 0, 0, 10, 0"] [ver "OWASP_CRS/3.3.0"] [tag "event-correlation"] [hostname "url.nl"] [uri "/if(now()=sysdate(),sleep(12),0)"] [unique_id "X4W9r6Nq-5paM8MCAWK0AwAEDSk"]
Action: Intercepted (phase 2)
Stopwatch: 1602600367265625 12979 (- - -)
Stopwatch2: 1602600367265625 12979; combined=7561, p1=743, p2=6629, p3=0, p4=0, p5=189, sr=151, sw=0, l=0, gc=0
Response-Body-Transformed: Dechunked
Producer: ModSecurity for Apache/2.9.3 (http://www.modsecurity.org/); OWASP_CRS/3.3.0.
Server: Apache
Engine-Mode: "ENABLED"

--90d33f15-Z--

[X] I have removed any personal data (email addresses, IP addresses, passwords, domain names) from any logs posted.
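As an added, defender-side illustration (not code from this issue or from the CRS project): a small Python parser for the audit-log section H lines posted above. It reads the bracketed fields of each "Message:" line, credits every matched scoring rule to the paranoia level named in its paranoia-level/N tag using CRS's default severity weights (CRITICAL=5, ERROR=4, WARNING=3, NOTICE=2, assumed here rather than read from crs-setup.conf), and cross-checks the result against the per-level summary that correlation rule 980130 prints. The sample lines are copied from the two logs in this issue, with the long PHP-function regex in the 933161 message abbreviated.

```python
import re

# CRS default anomaly-score weight per rule severity (assumed crs-setup.conf defaults).
SEVERITY_SCORE = {"CRITICAL": 5, "ERROR": 4, "WARNING": 3, "NOTICE": 2}

# Bracketed key/value fields as ModSecurity writes them: [key "value"]
FIELD_RE = re.compile(r'\[(\w+) "([^"]*)"\]')
# Per-level summary that correlation rule 980130 appends to its msg.
PL_SCORES_RE = re.compile(r"individual paranoia level scores: (\d+), (\d+), (\d+), (\d+)")

# Section H of the PL1 audit log from the issue: no "Message:" lines at all.
PL1_SECTION_H = [
    "Apache-Handler: proxy:fcgi://php-fpm-other",
    "Stopwatch: 1602597416274606 19010 (- - -)",
    "Producer: ModSecurity for Apache/2.9.3 (http://www.modsecurity.org/); OWASP_CRS/3.2.0.",
    'Engine-Mode: "ENABLED"',
]

# Section H of the PL3 audit log from the issue (PHP regex abbreviated with "...").
PL3_SECTION_H = [
    'Message: Warning. Pattern match "(?i)\\\\b(?:i(?:s(?:_(?:in(?:t(?:eger)?|finite) ..." at REQUEST_FILENAME. '
    '[file "/usr/share/modsecurity-crs/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf"] [line "646"] [id "933161"] '
    '[msg "PHP Injection Attack: Low-Value PHP Function Call Found"] '
    '[data "Matched Data: sleep(12),0) found within REQUEST_FILENAME: /if(now()=sysdate(),sleep(12),0)"] '
    '[severity "CRITICAL"] [ver "OWASP_CRS/3.3.0"] [tag "application-multi"] [tag "language-php"] '
    '[tag "platform-multi"] [tag "attack-injection-php"] [tag "OWASP_CRS"] [tag "capec/1000/152/242"] '
    '[tag "paranoia-level/3"]',
    "Message: Warning. detected SQLi using libinjection with fingerprint 'f(f()' "
    '[file "/usr/share/modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "1477"] [id "942101"] '
    '[msg "SQL Injection Attack Detected via libinjection"] '
    '[data "Matched Data: f(f() found within REQUEST_BASENAME: if(now()=sysdate(),sleep(12),0)"] '
    '[severity "CRITICAL"] [ver "OWASP_CRS/3.3.0"] [tag "application-multi"] [tag "language-multi"] '
    '[tag "platform-multi"] [tag "attack-sqli"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/66"] '
    '[tag "PCI/6.5.2"] [tag "paranoia-level/3"]',
    "Message: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. "
    '[file "/usr/share/modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "93"] [id "949110"] '
    '[msg "Inbound Anomaly Score Exceeded (Total Score: 10)"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.0"] '
    '[tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"]',
    "Message: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. "
    '[file "/usr/share/modsecurity-crs/rules/RESPONSE-980-CORRELATION.conf"] [line "91"] [id "980130"] '
    '[msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 10 - SQLI=5,XSS=0,RFI=0,LFI=0,RCE=0,PHPI=5,HTTP=0,SESS=0): '
    'individual paranoia level scores: 0, 0, 10, 0"] [ver "OWASP_CRS/3.3.0"] [tag "event-correlation"]',
    "Action: Intercepted (phase 2)",
]


def parse_message(line):
    """Turn one 'Message:' line into a dict of its bracketed fields; 'tag' collects a list."""
    fields = {"tag": []}
    for key, value in FIELD_RE.findall(line):
        if key == "tag":
            fields["tag"].append(value)
        else:
            fields[key] = value
    return fields


def paranoia_level(fields):
    """Paranoia level from the rule's paranoia-level/N tag, or None for non-scoring rules."""
    for tag in fields["tag"]:
        if tag.startswith("paranoia-level/"):
            return int(tag.rsplit("/", 1)[1])
    return None


def score_by_paranoia_level(lines):
    """Sum each matched scoring rule's contribution, grouped by PL1..PL4.
    Rules without a paranoia-level tag (949110 blocking evaluation, 980130 correlation)
    add no score themselves and are skipped."""
    scores = {1: 0, 2: 0, 3: 0, 4: 0}
    hits = []
    for line in lines:
        if not line.startswith("Message:"):
            continue
        f = parse_message(line)
        pl = paranoia_level(f)
        if pl is None or "id" not in f:
            continue
        pts = SEVERITY_SCORE.get(f.get("severity", ""), 0)
        scores[pl] += pts
        hits.append((f["id"], pl, pts, f.get("msg", "")))
    return scores, hits


def reported_pl_scores(lines):
    """Per-level scores as rule 980130 itself reports them, for a cross-check."""
    for line in lines:
        m = PL_SCORES_RE.search(line)
        if m:
            return [int(x) for x in m.groups()]
    return None


def lowest_blocking_level(scores, threshold=5):
    """Lowest PL at which the cumulative inbound score reaches the blocking threshold.
    CRS at PLn runs every rule of level <= n, so contributions accumulate upward."""
    total = 0
    for pl in sorted(scores):
        total += scores[pl]
        if total >= threshold:
            return pl
    return None


if __name__ == "__main__":
    scores, hits = score_by_paranoia_level(PL3_SECTION_H)
    for rule_id, pl, pts, msg in hits:
        print(f"rule {rule_id} (PL{pl}, +{pts}): {msg}")
    print("scores by paranoia level:", scores)          # {1: 0, 2: 0, 3: 10, 4: 0}
    print("980130 reports:", reported_pl_scores(PL3_SECTION_H))
    print("lowest level that blocks this request:", lowest_blocking_level(scores))
    print("PL1 log scoring hits:", score_by_paranoia_level(PL1_SECTION_H)[1])
```

Both rules that match this request (933161 and 942101) carry the paranoia-level/3 tag, so the whole score of 10 lands in the PL3 bucket and nothing at all fires at PL1 or PL2; the per-level line from 980130 ("0, 0, 10, 0") says the same. That is the gap the issue reports, and it is why the maintainers' answer was a rule that scores this pattern at PL1 rather than a tuning of the existing PL3 rules. The inbound threshold of 5 is the CRS default and is passed in as a parameter so a deployment with a different setting can be checked the same way.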

About this issue

  • State: closed
  • Created 4 years ago
  • Comments: 17 (14 by maintainers)

Most upvoted comments

Great! Thank you very much for your opinions! Very helpful! I will provide a PR today.

Agreed, I'm quoting myself:

Anyway, we are adding a rule to block it in PL1, so it will be blocked no matter what.

True, also, if this command succeeds to make the server sleep, it indicates a SQL injection vulnerability in the app, so it’s useful to log and block the attempt.