Installing ModSecurity on CentOS 7 and verifying that it prevents SQL injection


For example: type 'or 1=1# into the username box and anything at all into the password box. The SQL statement the login script assembles becomes:

select * from users where username='' or 1=1#' and password=md5('')

and the login succeeds without a valid password: the quote closes the empty username string, or 1=1 makes the WHERE clause always true, and # comments out the password check. That is SQL injection.
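To make the mechanism concrete, here is an added example (my own code, not part of the original post) of the vulnerable login query beside the same query with bound parameters. It runs against an in-memory sqlite3 table constructed here, so it works anywhere; sqlite3 does not treat # as a comment the way MySQL does and has no md5() function, so the tautology payload uses -- instead and the hash is computed in Python. md5 is kept only to mirror the post's query and is not a suitable password hash.

```python
"""Added example, not from the original post: the login query above written
the vulnerable way (string concatenation) and the safe way (bound parameter).
Runs against an in-memory sqlite3 table constructed here. sqlite3 has no '#'
comment and no md5() function, so the payload uses '--' (MySQL accepts both)
and the hash is computed in Python; md5 only mirrors the post's query."""
import hashlib
import sqlite3


def md5(text: str) -> str:
    # Kept only to match the post's query; not a suitable password hash.
    return hashlib.md5(text.encode()).hexdigest()


def make_db() -> sqlite3.Connection:
    """Constructed sample data: two users with md5 password hashes."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    con.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        [("admin", md5("s3cret")), ("alice", md5("wonderland"))],
    )
    return con


def build_vulnerable_query(username: str, password: str) -> str:
    """Exactly the post's mistake: form fields pasted into the SQL text."""
    return (
        f"SELECT * FROM users WHERE username='{username}' "
        f"AND password='{md5(password)}'"
    )


def login_vulnerable(con: sqlite3.Connection, username: str, password: str):
    """Username the application would log in as, or None."""
    row = con.execute(build_vulnerable_query(username, password)).fetchone()
    return row[1] if row else None


def login_safe(con: sqlite3.Connection, username: str, password: str):
    """Same check with bound parameters: the quote in the payload is data,
    never SQL syntax, so no tautology can be injected."""
    row = con.execute(
        "SELECT * FROM users WHERE username=? AND password=?",
        (username, md5(password)),
    ).fetchone()
    return row[1] if row else None


# sqlite3 form of the post's payload 'or 1=1#: '--' comments out the rest.
PAYLOAD = "' or 1=1 --"

if __name__ == "__main__":
    con = make_db()
    print(build_vulnerable_query("'or 1=1#", ""))  # the query shape from the post
    print("vulnerable:", login_vulnerable(con, PAYLOAD, "anything"))  # admin
    print("safe:      ", login_safe(con, PAYLOAD, "anything"))        # None
```

Run it and the string-built version logs you in as the first user in the table without knowing any password, while the parameterized version returns None because the quote in the payload is just a character inside the bound value. The WAF rules in the audit log below match on exactly this quote-or-tautology pattern; the bound parameter removes the problem at its source, which is why the post's conclusion that the real fix belongs in the code is right.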


After the install, though, the attack was neither blocked nor logged: nothing at all appeared in the log. Consulting the books, the fix turned out to be the older CRS 2.2 SQL injection rule file, modsecurity_crs_41_sql_injection_attacks.conf: copy it into the rules directory, restart Apache, and it loads. One caveat worth noting before copying this setup: the audit log below shows ModSecurity 2.7.3 running CRS 3.0.2 with a CRS 2.2.9 rule file dropped in beside it. CRS 3 requires a newer ModSecurity than 2.7.3 (its install notes list 2.8 or later), and mixing a 2.2 rule file into a 3.x rule set is not a supported combination, so treat this as a lab workaround rather than a deployment recipe.


Launching the SQL injection attack again, it was still not blocked, but the audit log now recorded the attack in full. Each entry begins with "Warning.", which is ModSecurity's way of saying the rule matched but its disruptive action was pass; a request that is actually blocked is logged as "Access denied with code 403" instead.


Conclusion at this point: with the rule set upgraded, the audit log records every SQL injection attempt in full, but out of the box it does not block them. Stopping SQL injection still has to be done in the application code, with parameterized queries rather than string concatenation. What the WAF log does give us is detection: wired into the existing log-monitoring script, it can raise an alert the moment an injection attempt appears and preserve the evidence (the transaction id, the matched rule ids and the offending parameter value are all in the H section of the audit log).


Of course, I could also change the rules so that a detected SQL injection attempt lands on a fake warning page instead (ModSecurity's redirect action does exactly that in place of deny).


Adding the following directive to modsecurity_crs_41_sql_injection_attacks.conf, above the rules, makes the attack get blocked: the request is answered with a 403 page and never reaches the login script, which compensates for the application never having been written to prevent SQL injection.

SecDefaultAction log,auditlog,deny,status:403,phase:2

Why this works: the CRS rules end with the block action, which is a placeholder that performs the disruptive action defined by the SecDefaultAction in effect for the rules that follow it. The CRS setup file sets that action to pass, which is why the entries below all read "Warning."; once it is deny,status:403, every rule that uses block returns 403 instead. Two things to check before relying on it. First, SecRuleEngine must be On rather than DetectionOnly (the Engine-Mode: "ENABLED" line in the log confirms it is here). Second, the new default applies to every rule loaded after the directive, not only the SQL injection ones, so rule 920350 (Host header is a numeric IP address), which also fired on this request because the site was reached by its IP address 172.26.18.112, will now answer 403 to anyone browsing to the server by IP as well. And a WAF 403 is a compensating control rather than a fix: every rule in the log is a regular expression over the request, and whatever it misses still reaches the vulnerable query.



Checking the audit log (part H of the transaction, where the rule matches are recorded):


--c4ea7e6f-H--
Message: Warning. Pattern match "^[\\d.:]+$" at REQUEST_HEADERS:Host. [file "/etc/httpd/modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "810"] [id "920350"] [rev "2"] [msg "Host header is a numeric IP address"] [data "172.26.18.112"] [severity "EMERGENCY"] [ver "OWASP_CRS/3.0.0"] [maturity "9"] [accuracy "9"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/IP_HOST"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"]
Message: Warning. Pattern match "(^[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98;]+|[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98;]+$)" at ARGS:username. [file "/etc/httpd/modsecurity-crs/rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "64"] [id "981318"] [rev "2"] [msg "SQL Injection Attack: Common Injection Testing Detected"] [data "Matched Data: ' found within ARGS:username: 'or 1=1#"] [severity "CRITICAL"] [ver "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "8"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"]
Message: Warning. Pattern match "(?i:([\\s'\"`\xc2\xb4\xe2\x80\x99\xe2\x80\x98\\(\\)]*?)\\b([\\d\\w]++)([\\s'\"`\xc2\xb4\xe2\x80\x99\xe2\x80\x98\\(\\)]*?)(?:(?:=|<=>|r?like|sounds\\s+like|regexp)([\\s'\"`\xc2\xb4\xe2\x80\x99\xe2\x80\x98\\(\\)]*?)\\2\\b|(?:!=|<=|>=|<>|<|>|\\^|is\\s+not ..." at ARGS:username. [file "/etc/httpd/modsecurity-crs/rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "77"] [id "950901"] [rev "2"] [msg "SQL Injection Attack: SQL Tautology Detected."] [data "Matched Data:  1=1 found within ARGS:username: 'or 1=1#"] [severity "CRITICAL"] [ver "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "8"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"]
Message: Warning. Pattern match "(?i:\\bor\\b ?(?:\\d{1,10}|[\\'\"][^=]{1,10}[\\'\"]) ?[=<>]+|(?i:'\\s+x?or\\s+.{1,20}[+\\-!<>=])|\\b(?i:x?or)\\b\\s+(\\d{1,10}|'[^=]{1,10}')|\\b(?i:x?or)\\b\\s+(\\d{1,10}|'[^=]{1,10}')\\s*?[=<>])" at ARGS:username. [file "/etc/httpd/modsecurity-crs/rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "133"] [id "959071"] [rev "2"] [msg "SQL Injection Attack"] [data "Matched Data: or 1= found within ARGS:username: 'or 1=1#"] [severity "CRITICAL"] [ver "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "8"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"]
Message: Warning. Pattern match "(?i:(?:[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\s*?(x?or|div|like|between|and)\\s*?[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]?\\d)|(?:\\\\x(?:23|27|3d))|(?:^.?[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]$)|(?:(?:^[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98\\\\]*?(?:[\\ ..." at ARGS:username. [file "/etc/httpd/modsecurity-crs/rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "237"] [id "981242"] [msg "Detects classic SQL injection probings 1/2"] [data "Matched Data: 'or 1 found within ARGS:username: 'or 1=1#"] [severity "CRITICAL"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"]
Apache-Handler: application/x-httpd-php
Stopwatch: 1506493991045636 5049 (- - -)
Stopwatch2: 1506493991045636 5049; combined=3257, p1=488, p2=2453, p3=85, p4=158, p5=72, sr=74, sw=1, l=0, gc=0
Response-Body-Transformed: Dechunked
Producer: ModSecurity for Apache/2.7.3 (http://www.modsecurity.org/); OWASP_CRS/3.0.2.
Server: Apache/2.4.6 (CentOS) PHP/5.4.16
Engine-Mode: "ENABLED"


--c4ea7e6f-Z--
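The H section above contains everything the monitoring script mentioned earlier needs. The following is an added example (my own code, not from the original post) that parses the Message: lines into structured alerts, picks out the SQL injection ones, and reports whether the request was only logged or actually denied. The sample input is the post's own H section trimmed to the fields the parser uses, plus one constructed section showing the "Access denied with code 403" form ModSecurity writes once SecDefaultAction is changed to deny; the transaction id in that constructed section and the alert policy (anything tagged SQL_INJECTION or rated CRITICAL) are my assumptions.

```python
"""Added example, not from the original post: turn the Message: lines of a
ModSecurity 2 audit-log H section into alerts a log monitor can act on."""
import re
from dataclasses import dataclass

# Taken from the post's audit log excerpt, trimmed to the fields used here
# (long regex patterns shortened to "...").
SAMPLE_H_SECTION = r'''--c4ea7e6f-H--
Message: Warning. Pattern match "^[\\d.:]+$" at REQUEST_HEADERS:Host. [file "/etc/httpd/modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "810"] [id "920350"] [rev "2"] [msg "Host header is a numeric IP address"] [data "172.26.18.112"] [severity "EMERGENCY"] [ver "OWASP_CRS/3.0.0"] [tag "attack-protocol"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/IP_HOST"]
Message: Warning. Pattern match "..." at ARGS:username. [file "/etc/httpd/modsecurity-crs/rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "64"] [id "981318"] [rev "2"] [msg "SQL Injection Attack: Common Injection Testing Detected"] [data "Matched Data: ' found within ARGS:username: 'or 1=1#"] [severity "CRITICAL"] [ver "OWASP_CRS/2.2.9"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"]
Message: Warning. Pattern match "..." at ARGS:username. [file "/etc/httpd/modsecurity-crs/rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "77"] [id "950901"] [rev "2"] [msg "SQL Injection Attack: SQL Tautology Detected."] [data "Matched Data:  1=1 found within ARGS:username: 'or 1=1#"] [severity "CRITICAL"] [ver "OWASP_CRS/2.2.9"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"]
Apache-Handler: application/x-httpd-php
Engine-Mode: "ENABLED"

--c4ea7e6f-Z--
'''

# Constructed (not from the post; transaction id invented): the shape of the
# same rule hit after SecDefaultAction is changed to deny,status:403.
BLOCKED_H_SECTION = r'''--0badf00d-H--
Message: Access denied with code 403 (phase 2). Pattern match "..." at ARGS:username. [file "/etc/httpd/modsecurity-crs/rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "64"] [id "981318"] [rev "2"] [msg "SQL Injection Attack: Common Injection Testing Detected"] [data "Matched Data: ' found within ARGS:username: 'or 1=1#"] [severity "CRITICAL"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"]
Action: Intercepted (phase 2)
Engine-Mode: "ENABLED"

--0badf00d-Z--
'''

TXID_RE = re.compile(r"^--(\S+?)-H--$", re.MULTILINE)
# "Warning." = rule matched, disruptive action was pass; "Access denied" = blocked.
OUTCOME_RE = re.compile(r"^Message: (?:(Warning)\.|Access denied with code (\d+))")
# [key "value"] fields; value may contain backslash-escaped quotes.
FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')


@dataclass
class Alert:
    outcome: str      # "Warning" or "Access denied (403)"
    rule_id: str
    msg: str
    severity: str
    file: str
    data: str         # the matched request data: the evidence to keep
    tags: list


def parse_h_section(section: str) -> list:
    """One Alert per Message: line; other H-section lines are ignored."""
    alerts = []
    for line in section.splitlines():
        m = OUTCOME_RE.match(line)
        if not m:
            continue
        fields, tags = {}, []
        for key, value in FIELD_RE.findall(line):
            if key == "tag":
                tags.append(value)
            else:
                fields[key] = value
        outcome = "Warning" if m.group(1) else f"Access denied ({m.group(2)})"
        alerts.append(Alert(outcome, fields.get("id", ""), fields.get("msg", ""),
                            fields.get("severity", ""), fields.get("file", ""),
                            fields.get("data", ""), tags))
    return alerts


def is_sqli(alert: Alert) -> bool:
    """Alert policy (assumption): CRS SQL injection tag or CRITICAL severity."""
    return any("SQL_INJECTION" in t for t in alert.tags) or alert.severity == "CRITICAL"


def summarize(section: str) -> dict:
    """What the monitoring script would send as the alert and keep as evidence."""
    txid = TXID_RE.search(section)
    alerts = parse_h_section(section)
    hits = [a for a in alerts if is_sqli(a)]
    return {
        "transaction": txid.group(1) if txid else None,
        "sqli_rules": [a.rule_id for a in hits],
        "blocked": any(a.outcome.startswith("Access denied") for a in alerts),
        "evidence": sorted({a.data for a in hits}),
    }


if __name__ == "__main__":
    for name, section in (("logged only", SAMPLE_H_SECTION), ("after deny", BLOCKED_H_SECTION)):
        print(name, summarize(section))
```

On the post's own section the summary lists rules 981318 and 950901 with blocked set to False, which is precisely the "recorded but not stopped" state described above; 920350 is parsed too but falls outside the policy because it is a protocol rule, not an injection rule. Feeding the parser the serial audit log one transaction at a time (split on the -Z-- terminator) and alerting whenever sqli_rules is non-empty is all the monitoring script needs, and the transaction id ties the alert back to the full audit record for evidence.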


Reference URLs (the second is the CRS v2.2 base_rules directory, where modsecurity_crs_41_sql_injection_attacks.conf comes from):

http://www.cnblogs.com/sdya/p/4568548.html

https://github.com/SpiderLabs/owasp-modsecurity-crs/tree/v2.2/master/base_rules


Reposted from blog.csdn.net/tiberx/article/details/78112263