
Simple request header SQL injection not triggered until paranoia level 3


Description

There is a simple request header injection that’s being run in the wild that doesn’t trigger any detection rules:

https://domain/if(now()=sysdate(),sleep(12),0)

curl -sSL "https://domain/if(now()=sysdate(),sleep(12),0)"

  • CRS version: v3.3.0
  • Paranoia level setting: 1
  • ModSecurity version: 2.9.3-2
  • Web Server and version: 2.4.46
  • Operating System and version: Debian testing

With paranoia 1:

--1d033529-A--
[13/Oct/2020:15:56:56 +0200] X4WyKPjwCBvyuKKDiXdhsQAABA4 <attackerip> 62291 <serverip> 80
--1d033529-B--
GET /if(now()=sysdate(),sleep(12),0) HTTP/1.1
Host: www.url.nl
Connection: keep-alive
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.75 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: url=6kc1vl5kvlnnhbdq194gfr5j7r

--1d033529-F--
HTTP/1.1 404 Not Found
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
Referrer-Policy: strict-origin-when-cross-origin
Cache-Control: private, no-cache, no-store, must-revalidate, proxy-revalidate, no-transform
Keep-Alive: timeout=5, max=78
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=utf-8

--1d033529-H--
Apache-Handler: proxy:fcgi://php-fpm-other
Stopwatch: 1602597416274606 19010 (- - -)
Stopwatch2: 1602597416274606 19010; combined=1789, p1=537, p2=1081, p3=0, p4=0, p5=170, sr=126, sw=1, l=0, gc=0
Producer: ModSecurity for Apache/2.9.3 (http://www.modsecurity.org/); OWASP_CRS/3.2.0.
Server: Apache
Engine-Mode: "ENABLED"

--1d033529-Z--

With paranoia 3:

--90d33f15-A--
[13/Oct/2020:16:46:07 +0200] X4W9r6Nq-5paM8MCAWK0AwAEDSk <attackerip> 65130 <serverip> 443
--90d33f15-B--
GET /if(now()=sysdate(),sleep(12),0) HTTP/2.0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101 Firefox/81.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-GB,en-US;q=0.8,en;q=0.5,nl;q=0.3
Accept-Encoding: gzip, deflate, br
Upgrade-Insecure-Requests: 1
Dnt: 1
Cookie: _pk_id.11551.3e83=22aa487d73c0d6fd.1600181509.2.1602599827.1600181509.; cookie=; url=srb4amso0slc1v61uliqf8rh8i; PHPSESSID=39ndb9dpa303ns275g04i86a5q; bicycle-attack-token=NTI0NTI5NDc0MTIzMjIxNjYyMTE3NjA1NTE3NTU3MzQ0NjEyNjM1MTYxMzQ3MzYxMjA5NTEzMDI2NTIxNjQ3MzcxMTQ0MjAxMDMwNDkzNTYxMTI2MjM4MTMxMTEzMTY2OTk0OTE3MTUzMTQ1; csrf-token=7d0eb62a9e654b78779f9c85201c40afaad468919e8af6157cc7fac6a9e60ddfbe92b2d7f233cff245399514a60cb22657fdb450c46e0c7492d07d4f8fa67a32; _pk_testcookie..undefined=1; _pk_testcookie.11551.3e83=1; _pk_ses.11551.3e83=1
Cache-Control: max-age=0
Te: trailers
Host: url.nl

--90d33f15-F--
HTTP/1.1 403 Forbidden
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
Expect-CT: max-age=300, report-uri="https://cthost"
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Content-Length: 310
Connection: close
Content-Type: text/html; charset=iso-8859-1

--90d33f15-E--
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access this resource.</p>
<hr>
<address>Apache Server at <a href="mailto:webmaster@url.nl">url.nl</a> Port 443</address>
</body></html>

--90d33f15-H--
Message: Warning. Pattern match "(?i)\\b(?:i(?:s(?:_(?:in(?:t(?:eger)?|finite)|n(?:u(?:meric|ll)|an)|(?:calla|dou)ble|s(?:calar|tring)|f(?:inite|loat)|re(?:source|al)|l(?:ink|ong)|a(?:rray)?|object|bool)|set)|n(?:(?:clud|vok)e|t(?:div|val))|(?:mplod|dat)e|conv)|s(?:t(?:r(?:(?:le|sp)n| ..." at REQUEST_FILENAME. [file "/usr/share/modsecurity-crs/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf"] [line "646"] [id "933161"] [msg "PHP Injection Attack: Low-Value PHP Function Call Found"] [data "Matched Data: sleep(12),0) found within REQUEST_FILENAME: /if(now()=sysdate(),sleep(12),0)"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.0"] [tag "application-multi"] [tag "language-php"] [tag "platform-multi"] [tag "attack-injection-php"] [tag "OWASP_CRS"] [tag "capec/1000/152/242"] [tag "paranoia-level/3"]
Message: Warning. detected SQLi using libinjection with fingerprint 'f(f()' [file "/usr/share/modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "1477"] [id "942101"] [msg "SQL Injection Attack Detected via libinjection"] [data "Matched Data: f(f() found within REQUEST_BASENAME: if(now()=sysdate(),sleep(12),0)"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-sqli"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/66"] [tag "PCI/6.5.2"] [tag "paranoia-level/3"]
Message: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/usr/share/modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "93"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 10)"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"]
Message: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/usr/share/modsecurity-crs/rules/RESPONSE-980-CORRELATION.conf"] [line "91"] [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 10 - SQLI=5,XSS=0,RFI=0,LFI=0,RCE=0,PHPI=5,HTTP=0,SESS=0): individual paranoia level scores: 0, 0, 10, 0"] [ver "OWASP_CRS/3.3.0"] [tag "event-correlation"]
Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client <attackerip>] ModSecurity: Warning. Pattern match "(?i)\\\\\\\\b(?:i(?:s(?:_(?:in(?:t(?:eger)?|finite)|n(?:u(?:meric|ll)|an)|(?:calla|dou)ble|s(?:calar|tring)|f(?:inite|loat)|re(?:source|al)|l(?:ink|ong)|a(?:rray)?|object|bool)|set)|n(?:(?:clud|vok)e|t(?:div|val))|(?:mplod|dat)e|conv)|s(?:t(?:r(?:(?:le|sp)n| ..." at REQUEST_FILENAME. [file "/usr/share/modsecurity-crs/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf"] [line "646"] [id "933161"] [msg "PHP Injection Attack: Low-Value PHP Function Call Found"] [data "Matched Data: sleep(12),0) found within REQUEST_FILENAME: /if(now()=sysdate(),sleep(12),0)"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.0"] [tag "application-multi"] [tag "language-php"] [tag "platform-multi"] [tag "attack-injection-php"] [tag "OWASP_CRS"] [tag "capec/1000/152/242"] [tag "paranoia-level/3"] [hostname "url.nl"] [uri "/if(now()=sysdate(),sleep(12),0)"] [unique_id "X4W9r6Nq-5paM8MCAWK0AwAEDSk"]
Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client <attackerip>] ModSecurity: Warning. detected SQLi using libinjection with fingerprint 'f(f()' [file "/usr/share/modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "1477"] [id "942101"] [msg "SQL Injection Attack Detected via libinjection"] [data "Matched Data: f(f() found within REQUEST_BASENAME: if(now()=sysdate(),sleep(12),0)"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-sqli"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/66"] [tag "PCI/6.5.2"] [tag "paranoia-level/3"] [hostname "url.nl"] [uri "/if(now()=sysdate(),sleep(12),0)"] [unique_id "X4W9r6Nq-5paM8MCAWK0AwAEDSk"]
Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client <attackerip>] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/usr/share/modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "93"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 10)"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "url.nl"] [uri "/if(now()=sysdate(),sleep(12),0)"] [unique_id "X4W9r6Nq-5paM8MCAWK0AwAEDSk"]
Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client <attackerip>] ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/usr/share/modsecurity-crs/rules/RESPONSE-980-CORRELATION.conf"] [line "91"] [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 10 - SQLI=5,XSS=0,RFI=0,LFI=0,RCE=0,PHPI=5,HTTP=0,SESS=0): individual paranoia level scores: 0, 0, 10, 0"] [ver "OWASP_CRS/3.3.0"] [tag "event-correlation"] [hostname "url.nl"] [uri "/if(now()=sysdate(),sleep(12),0)"] [unique_id "X4W9r6Nq-5paM8MCAWK0AwAEDSk"]
Action: Intercepted (phase 2)
Stopwatch: 1602600367265625 12979 (- - -)
Stopwatch2: 1602600367265625 12979; combined=7561, p1=743, p2=6629, p3=0, p4=0, p5=189, sr=151, sw=0, l=0, gc=0
Response-Body-Transformed: Dechunked
Producer: ModSecurity for Apache/2.9.3 (http://www.modsecurity.org/); OWASP_CRS/3.3.0.
Server: Apache
Engine-Mode: "ENABLED"

--90d33f15-Z--

[X] I have removed any personal data (email addresses, IP addresses, passwords, domain names) from any logs posted.
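The two audit logs above differ only in the paranoia level, and the 980130 correlation line in the PL3 log explains why: both scoring rules that fired (933161 and 942101) are tagged paranoia-level/3, so the per-level breakdown is "0, 0, 10, 0" and at PL1 nothing contributes to the inbound anomaly score. The following added example (not code from the CRS project or from the issue) parses the "Message:" lines of a ModSecurity audit-log H section, attributes each scoring rule to its paranoia level, and predicts whether a given configured level would block. It assumes the CRS default severity scores (CRITICAL=5, ERROR=4, WARNING=3, NOTICE=2) and the default inbound threshold of 5 that the "Operator GE matched 5" line shows; the sample input is a constructed, shortened copy of the H-section lines from the PL3 log.

```python
import re

# Constructed sample: the "Message:" lines of the PL3 H section quoted in the
# issue, with the long regex in the first line shortened. The third line is
# the blocking rule, which carries no paranoia-level tag and must not score.
SAMPLE_H_SECTION = """\
Message: Warning. Pattern match "(?i)\\\\b(?:i(?:s(?:_(?:in ..." at REQUEST_FILENAME. [file "/usr/share/modsecurity-crs/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf"] [line "646"] [id "933161"] [msg "PHP Injection Attack: Low-Value PHP Function Call Found"] [data "Matched Data: sleep(12),0) found within REQUEST_FILENAME: /if(now()=sysdate(),sleep(12),0)"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.0"] [tag "application-multi"] [tag "language-php"] [tag "platform-multi"] [tag "attack-injection-php"] [tag "OWASP_CRS"] [tag "capec/1000/152/242"] [tag "paranoia-level/3"]
Message: Warning. detected SQLi using libinjection with fingerprint 'f(f()' [file "/usr/share/modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "1477"] [id "942101"] [msg "SQL Injection Attack Detected via libinjection"] [data "Matched Data: f(f() found within REQUEST_BASENAME: if(now()=sysdate(),sleep(12),0)"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-sqli"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/66"] [tag "PCI/6.5.2"] [tag "paranoia-level/3"]
Message: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/usr/share/modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "93"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 10)"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"]
"""

# Bracketed key/value pairs as ModSecurity writes them: [key "value"]
KV_RE = re.compile(r'\[(\w+) "([^"]*)"\]')
PL_TAG_RE = re.compile(r"^paranoia-level/([1-4])$")

# CRS 3.x default anomaly scores per severity (assumed defaults, not read from the page).
SEVERITY_SCORE = {"CRITICAL": 5, "ERROR": 4, "WARNING": 3, "NOTICE": 2}
DEFAULT_INBOUND_THRESHOLD = 5  # the "Operator GE matched 5" value in the log


def parse_messages(h_section):
    """Return one dict per 'Message:' line with id, msg, severity, tags and paranoia level."""
    events = []
    for line in h_section.splitlines():
        if not line.startswith("Message:"):
            continue
        fields, tags = {}, []
        for key, value in KV_RE.findall(line):
            if key == "tag":
                tags.append(value)
            else:
                fields[key] = value
        paranoia_level = None
        for tag in tags:
            match = PL_TAG_RE.match(tag)
            if match:
                paranoia_level = int(match.group(1))
        events.append({
            "id": fields.get("id"),
            "msg": fields.get("msg"),
            "severity": fields.get("severity"),
            "paranoia_level": paranoia_level,
            "tags": tags,
        })
    return events


def per_paranoia_level_scores(events):
    """Anomaly score contributed at each of PL1..PL4, like the 980130 breakdown."""
    scores = [0, 0, 0, 0]
    for event in events:
        pl = event["paranoia_level"]
        if pl is None:
            # Blocking-evaluation (949xxx) and correlation (980xxx) rules
            # report the score; they do not add to it.
            continue
        scores[pl - 1] += SEVERITY_SCORE.get(event["severity"], 0)
    return scores


def inbound_score_at(scores, configured_pl):
    """Only rules at or below the configured paranoia level run, so only they score."""
    return sum(scores[:configured_pl])


def would_block(events, configured_pl, threshold=DEFAULT_INBOUND_THRESHOLD):
    """Predict the 949110 decision for a deployment running at configured_pl."""
    return inbound_score_at(per_paranoia_level_scores(events), configured_pl) >= threshold


if __name__ == "__main__":
    events = parse_messages(SAMPLE_H_SECTION)
    scores = per_paranoia_level_scores(events)
    print("individual paranoia level scores:", scores)
    for pl in (1, 2, 3, 4):
        print(f"PL{pl}: inbound score {inbound_score_at(scores, pl)}, block={would_block(events, pl)}")
```

Running it reproduces the log's per-level breakdown ([0, 0, 10, 0]) and shows that the same request scores 0 at PL1 and PL2 and 10 at PL3 and PL4. The prediction is a model of CRS scoring read off a PL3 log, not a re-run of the engine: it cannot show rules that would only fire under a different configuration, which is exactly why the maintainers' answer below is a new PL1 rule rather than a threshold change.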

Issue Analytics

  • State: closed
  • Created 3 years ago
  • Comments: 17 (14 by maintainers)

Top GitHub Comments

1 reaction
franbuehler commented, Dec 14, 2020

Great! Thank you very much for your opinions! Very helpful! I will provide a PR today.

1 reaction
azurit commented, Dec 13, 2020

Agreed, I’m quoting myself:

Anyway, we are adding a rule to block it in PL1, so it will be blocked no matter what.

