Setting up ModSecurity rules to prevent SQL injection
Source: Internet  Published: Changing the CentOS hostname  Editor: 程序博客网  Time: 2024/06/05 14:44
Preventing SQL injection
1) cd /etc/httpd/modsecurity-crs/rules
2) vi REQUEST-SELF-101-HASH.conf
Write the following:
#
# -=[ SQL Injection Character Anomaly Usage ]=-
#
# This is a paranoid sibling to 2.2.x Rule 981173.
# The regex limit is set to '1' and the anomaly scoring is increased to 'critical'.
# For dealing with false positives, UUID format is whitelisted with a chained rule.
# For 3.0.0-rc1 rule, see FIXME.
#
SecRule ARGS_NAMES|ARGS|XML:/* "([\~\!\@\#\$\%\^\&\*\(\)\-\+\=\{\}\[\]\|\:\;\"\'\′\’\‘\`\<\>].*?){1,}"\
"chain,\
phase:request,\
rev:'2',\
ver:'OWASP_CRS/3.0.0',\
maturity:'X',\
accuracy:'Y',\
t:none,t:urlDecodeUni,\
block,\
msg:'Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded',\
id:'981173',\
tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\
tag:'Paranoia rule on level Z',\
logdata:'Matched Data: %{TX.1} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
severity:'CRITICAL',\
setvar:'tx.msg=%{rule.msg}',\
setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RESTRICTED_SQLI_CHARS-%{matched_var_name}=%{tx.0}"
SecRule MATCHED_VARS "!@rx ^[a-f0-9-]{36}$"\
"t:lowercase,\
setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
setvar:tx.sql_injection_score=+1"
#
# -=[ SQL Function Names ]=-
#
# This is a paranoid sibling to 2.2.x Rule 950001.
# The rule is no longer chained in order to trigger anomaly scoring.
# For 3.0.0-rc1 rule, see 942150.
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@pmf sql-function-names.data" \
"msg:'SQL Injection Attack',\
phase:request,\
rev:'2',\
ver:'OWASP_CRS/2.2.6',\
maturity:'9',\
accuracy:'8',\
capture,\
t:none,t:urlDecodeUni,\
ctl:auditLogParts=+E,\
block,\
id:'950001',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-sqli',\
tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\
tag:'WASCTC/WASC-19',\
tag:'OWASP_TOP_10/A1',\
tag:'OWASP_AppSensor/CIE1',\
tag:'PCI/6.5.2',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
severity:'CRITICAL',\
setvar:'tx.msg=%{rule.msg}',\
setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},\
setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"
#
# OS Command Injection Attacks
#
# This is a paranoid sibling to 2.2.x Rule 950907.
# The rule is no longer chained in order to trigger anomaly scoring.
# For 3.0.0-rc1 rule, see 932100.
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@pmf windows-powershell-commands.data" \
"msg:'Remote Command Execution (RCE) Attempt',\
phase:request,\
rev:'2',\
ver:'OWASP_CRS/3.0.0',\
maturity:'9',\
accuracy:'8',\
t:none,t:normalisePath,\
ctl:auditLogParts=+E,\
block,\
id:'950907',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-remote code execution',\
tag:'OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION',\
tag:'WASCTC/WASC-31',\
tag:'OWASP_TOP_10/A1',\
tag:'PCI/6.5.2',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
severity:'CRITICAL',\
setvar:'tx.msg=%{rule.msg}',\
setvar:tx.rce_score=+%{tx.critical_anomaly_score},\
setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{matched_var_name}=%{tx.0}"
3) Check the configuration file
service httpd configtest
4) Restart Apache
service httpd restart
5) Verify SQL injection detection
http://172.27.206.7/centreon/main.php?p=60801&o=c&command_id=7&type=2 and 1=1
a)cat /usr/local/apache/logs/audit.log
172.27.206.7 172.26.18.108 - - [17/Mar/2017:15:28:38 +0800] "GET /centreon/main.php?p=60801&o=c&command_id=7&type=2%20and%201=1 HTTP/1.1" 403 297 "-" "-" WMuQJqwbzgcAAB3XEVkAAAAE "-" /20170317/20170317-1528/20170317-152838-WMuQJqwbzgcAAB3XEVkAAAAE 0 3440 md5:a9ada547504383e33aac3d6f4f42ec13
b)cat /usr/local/apache/audit/logs/audit/20170317/20170317-1528/20170317-152838-WMuQJqwbzgcAAB3XEVkAAAAE
The output is as follows:
Content-Length: 297
Connection: close
Content-Type: text/html; charset=iso-8859-1
--7aced542-E--
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /centreon/main.php
on this server.</p>
<hr>
<address>Apache/2.2.15 (CentOS) Server at 172.27.206.7 Port 80</address>
</body></html>
--7aced542-H--
Message: Warning. Pattern match "^[\\d.:]+$" at REQUEST_HEADERS:Host. [file "/etc/httpd/modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "793"] [id "920350"] [rev "2"] [msg "Host header is a numeric IP address"] [data "172.27.206.7"] [severity "WARNING"] [ver "OWASP_CRS/3.0.0"] [maturity "9"] [accuracy "9"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/IP_HOST"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"]
Message: Warning. detected SQLi using libinjection with fingerprint '1&1' [file "/etc/httpd/modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "68"] [id "942100"] [rev "1"] [msg "SQL Injection Attack Detected via libinjection"] [data "Matched Data: 1&1 found within ARGS:type: 2 and 1=1"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "1"] [accuracy "8"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-sqli"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"]
Message: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/httpd/modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "57"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 8)"] [severity "CRITICAL"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"]
Message: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/etc/httpd/modsecurity-crs/rules/RESPONSE-980-CORRELATION.conf"] [line "73"] [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 8 - SQLI=5,XSS=0,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0): SQL Injection Attack Detected via libinjection"] [tag "event-correlation"]
Action: Intercepted (phase 2)
Apache-Handler: php5-script
Stopwatch: 1489735718540743 2998 (- - -)
Stopwatch2: 1489735718540743 2998; combined=2437, p1=389, p2=1802, p3=0, p4=0, p5=184, sr=103, sw=62, l=0, gc=0
Response-Body-Transformed: Dechunked
Producer: ModSecurity for Apache/2.9.1 (http://www.modsecurity.org/); OWASP_CRS/3.0.0.
Server: Apache/2.2.15 (CentOS)
Engine-Mode: "ENABLED"
--7aced542-Z--
Note the line Message: Warning. detected SQLi using libinjection with fingerprint '1&1'.
This shows that the SQL injection prevention rules took effect.
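An added example (not from the original post) that parses the section-H messages of the ModSecurity 2.x audit log above and reports which rule ids fired, whether the request was intercepted, and the inbound anomaly score with its per-category breakdown; the sample lines are the page's own log trimmed to fewer tags, and the severity weights are assumed to be the CRS 3.0 defaults.

```python
import re

# Bracketed key/value pairs as ModSecurity 2.x writes them in section H: [file "..."] [id "942100"] [msg "..."] [tag "..."]
_KV = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')
_SCORE = re.compile(r'Total (?:Inbound )?Score: (\d+)')
_CATS = re.compile(r'\b([A-Z]+)=(\d+)')
SEVERITY_WEIGHT = {'CRITICAL': 5, 'ERROR': 4, 'WARNING': 3, 'NOTICE': 2}  # CRS 3.0 defaults (assumed)

# Sample input: the H-section lines of the audit log above, with most tags trimmed.
SAMPLE_H = r"""Message: Warning. Pattern match "^[\\d.:]+$" at REQUEST_HEADERS:Host. [file "/etc/httpd/modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "793"] [id "920350"] [msg "Host header is a numeric IP address"] [data "172.27.206.7"] [severity "WARNING"] [tag "attack-protocol"]
Message: Warning. detected SQLi using libinjection with fingerprint '1&1' [file "/etc/httpd/modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "68"] [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [data "Matched Data: 1&1 found within ARGS:type: 2 and 1=1"] [severity "CRITICAL"] [tag "attack-sqli"]
Message: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/httpd/modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "57"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 8)"] [severity "CRITICAL"]
Message: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/etc/httpd/modsecurity-crs/rules/RESPONSE-980-CORRELATION.conf"] [line "73"] [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 8 - SQLI=5,XSS=0,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0): SQL Injection Attack Detected via libinjection"] [tag "event-correlation"]
Action: Intercepted (phase 2)
"""

def parse_message(line):
    """Turn one 'Message: ...' line into a dict; repeated [tag] values become a list."""
    if not line.startswith('Message: '):
        return None
    body = line[len('Message: '):]
    rec = {'text': body.split(' [', 1)[0], 'tags': []}  # free text before the first [key "value"]
    for key, val in _KV.findall(body):
        if key == 'tag':
            rec['tags'].append(val)
        else:
            rec[key] = val
    return rec

def summarize(section_h):
    """Rules that fired, whether the request was intercepted, and the inbound score."""
    msgs = [m for m in map(parse_message, section_h.splitlines()) if m]
    out = {'rule_ids': [m.get('id') for m in msgs], 'blocked': False,
           'blocking_rule': None, 'total_score': None, 'categories': {}}
    for m in msgs:
        if m['text'].startswith('Access denied'):
            out['blocked'], out['blocking_rule'] = True, m.get('id')
        found = _SCORE.search(m.get('msg', ''))
        if found:
            out['total_score'] = int(found.group(1))
        if 'Total Inbound Score' in m.get('msg', ''):
            out['categories'] = {k: int(v) for k, v in _CATS.findall(m['msg'])}
    return out

def expected_score(section_h):
    """Re-derive the score from detection-rule severities; 949xxx/980xxx only report it."""
    total = 0
    for m in filter(None, map(parse_message, section_h.splitlines())):
        if 'severity' in m and not m.get('id', '').startswith(('949', '980')):
            total += SEVERITY_WEIGHT.get(m['severity'], 0)
    return total
```

On the log above this gives 8 = 3 (920350, WARNING) + 5 (942100, CRITICAL), and neither 981173 nor 950001 appears, so the custom rules did not contribute to this block. If the rules directory is included with a wildcard, a file named REQUEST-SELF-101-HASH.conf sorts after REQUEST-949-BLOCKING-EVALUATION.conf, so its phase:request rules only run after that phase's blocking decision.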