Thread: [mod-security-users] SQL Injection / Rules Help
From: lwoodtri <lwo...@gm...> - 2010-10-26 18:25:51
Hello,

*** Sorry if this is a repeat, I had to join with my correct email!

We have found in our logs some interestingly formed .xml requests that are not normal to our system, and our system responded with SQL errors based on the xml requests being wrong. My question is, should Mod-Security have caught these sorts of parameters being passed, and if so how can it be made to do such? This time, there were some malicious attempts against a resource that doesn't really contain sensitive data, but the next time it might, so we want to be able to use whatever is at our disposal to be sure we are safe.

I am also trying to learn more about the usage of mod security and how to update and account for issues like this with custom rule sets. Is there a doc or guide that would be helpful in learning how to manage the mod-security rules and custom rules?

Below are some of the xml examples that we saw in our logs from our web servers to our logic servers:

<SERVICE request_type="OrderStatus" session_id="qdgr.032206.901"><ORDER_STATUS_REPLY customer_name="1" error_msg="Exception encountered in addChildOrders: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' /*!and 1=0 union select 1,2,3,4,5,6,7,unhex(hex(CONCAT_WS(CHAR(32,58,32),user(' at line 1" master_merchant_id="9" master_merchant_name="10" merchant_id="7" merchant_name="xxxxx@<IP Address Masked> : <customer name here> : 5.1.47-rel11.2-log" merchant_uid="20" order_date="3" order_id="230053354' /*!and 1=0 union select 1,2,3,4,5,6,7,unhex(hex(CONCAT_WS(CHAR(32,58,32),user(),database(),version()))),9,10,11,12,13,14,15,16,17,18,19,20,21,22,23*/-- -" order_status="2" order_status_category_id="18" order_status_id="11" parent_econsignment_merchant_id="23" parent_master_ticket_id="22" receipt_add_text="21" receipt_url="19" sales_agent_id="12" sales_agent_name="13" sales_machine_id="15" sales_machine_name="16" ship_date="4" ship_method="14" ship_method_desc="5" status="OK" tracking_number="6"></ORDER_STATUS_REPLY></SERVICE>

<SERVICE error_msg="Exception: Incorrect key file for table '/tmp/#sql_749d_1.MYI'; try to repair it" request_type="OrderStatus" session_id="fkpm.031904.304"><ORDER_STATUS_REPLY error_msg="Exception: Incorrect key file for table '/tmp/#sql_749d_1.MYI'; try to repair it" status="FAILED"></ORDER_STATUS_REPLY></SERVICE>

<SERVICE __source="113.22.65.34" __ts="1288077513919" request_type="OrderStatus" session_id="mcea.031833.959" source_id="/ 192.168.16.103:52313"><ORDER_STATUS order_id="230053354' /*!order by 1000*/-- -"></ORDER_STATUS></SERVICE>

Thanks for any help in advance!

CMB
From: Jamuse <ja...@gm...> - 2010-10-26 18:41:47
On Tue, Oct 26, 2010 at 8:25 PM, lwoodtri <lwo...@gm...> wrote:
> Hello,
>
> *** Sorry if this is a repeat, I had to join with my correct email!
>
> We have found in our logs, some interesting formed .xml requests that are
> not normal to our system, and our system responded with SQL errors based the
> xml requests being wrong. My question is, should Mod-Security caught these
> sort of parameters being passed, and if so how can it be made to do such.

Hi,

You need to enable SecResponseBodyAccess to allow ModSecurity access to the response bodies. Once that's enabled you need a rule/s (such as the ones in the CRS modsecurity_crs_50_outbound.conf file) to catch your default error messages.

[...snip]

> I am also trying to learn more about the usage of mod security and how to
> update and account for issues like this with custom rule sets, is there a
> doc or guide that would be helpful in learning how to manage the
> mod-security rules and custom rules.

The best guide available today is Ivan Ristic's ModSecurity Handbook. I highly recommend it.

--
- Josh
From: Ryan B. <RBa...@tr...> - 2010-10-26 19:23:50
On 10/26/10 2:25 PM, "lwoodtri" <lwo...@gm...> wrote:
> Hello,
>
> *** Sorry if this is a repeat, I had to join with my correct email!
>
> We have found in our logs, some interesting formed .xml requests that are not
> normal to our system, and our system responded with SQL errors based the xml
> requests being wrong. My question is, should Mod-Security caught these sort
> of parameters being passed, and if so how can it be made to do such.

Do you have ModSecurity installed currently, or are you asking *if* you installed ModSecurity, would it identify these attacks?

If you install ModSecurity and set the SecAuditEngine to On, then you would get a complete audit log of the http transactions (including all inbound/outbound data). This would help in these scenarios where you might have a bypass problem, but at least if you are audit logging all transactions, you can then go back and review what happened...

-Ryan

> This
> time, there was some malicious attempts against a resource that doesn't really
> contain sensitive data, but the next time it might, so we want to be able to
> use whatever is at our disposal to be sure we are safe.
>
> I am also trying to learn more about the usage of mod security and how to
> update and account for issues like this with custom rule sets, is there a doc
> or guide that would be helpful in learning how to manage the mod-security
> rules and custom rules.
>
> below are some of the xml examples that we saw in our logs from our web
> servers to our logic servers:
>
> <SERVICE request_type="OrderStatus"
> session_id="qdgr.032206.901"><ORDER_STATUS_REPLY customer_name="1"
> error_msg="Exception encountered in addChildOrders: You have an error in your
> SQL syntax; check the manual that corresponds to your MySQL server version for
> the right syntax to use near '' /*!and 1=0 union select
> 1,2,3,4,5,6,7,unhex(hex(CONCAT_WS(CHAR(32,58,32),user(' at line 1"
> master_merchant_id="9" master_merchant_name="10" merchant_id="7"
> merchant_name="xxxxx@<IP Address Masked> : <customer name here> :
> 5.1.47-rel11.2-log" merchant_uid="20" order_date="3" order_id="230053354'
> /*!and 1=0 union select
> 1,2,3,4,5,6,7,unhex(hex(CONCAT_WS(CHAR(32,58,32),user(),database(),version()))
> ),9,10,11,12,13,14,15,16,17,18,19,20,21,22,23*/-- -" order_status="2"
> order_status_category_id="18" order_status_id="11"
> parent_econsignment_merchant_id="23" parent_master_ticket_id="22"
> receipt_add_text="21" receipt_url="19" sales_agent_id="12"
> sales_agent_name="13" sales_machine_id="15" sales_machine_name="16"
> ship_date="4" ship_method="14" ship_method_desc="5" status="OK"
> tracking_number="6"></ORDER_STATUS_REPLY></SERVICE>
>
> <SERVICE error_msg="Exception: Incorrect key file for table
> '/tmp/#sql_749d_1.MYI'; try to repair it" request_type="OrderStatus"
> session_id="fkpm.031904.304"><ORDER_STATUS_REPLY error_msg="Exception:
> Incorrect key file for table '/tmp/#sql_749d_1.MYI'; try to repair
> it" status="FAILED"></ORDER_STATUS_REPLY></SERVICE>
>
>
> <SERVICE __source="113.22.65.34" __ts="1288077513919"
> request_type="OrderStatus" session_id="mcea.031833.959"
> source_id="/192.168.16.103:52313"><ORDER_STATUS order_id="230053354' /*!order by 1000*/--
> -"></ORDER_STATUS></SERVICE>
>
>
> Thanks for any help in advanced!
>
> CMB
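Josh's reply (enable SecResponseBodyAccess, then an outbound rule in the style of modsecurity_crs_50_outbound.conf) and Ryan's reply (SecAuditEngine On so every transaction can be reviewed afterwards) fit together in one ModSecurity 2.x configuration fragment. The fragment below is an added example written for this thread; it is not code from the thread, from the ModSecurity project or from the CRS. The rule ids 100000 and 100001, the audit-log path and the body-size limits are assumed values; the two error strings matched on the response side are the MySQL messages that appear in the ORDER_STATUS_REPLY elements posted above.

```apache
# Added example (not from the thread, ModSecurity or CRS): minimal ModSecurity 2.x
# fragment that (a) parses XML request bodies so inbound rules can see attribute
# values, (b) lets ModSecurity read response bodies, as Josh suggests, and flags
# the MySQL error messages seen in the posted replies, and (c) turns on the audit
# log, as Ryan suggests, so anything that slipped past the rules is still recorded.

SecRuleEngine On

# --- Request side ---------------------------------------------------------------
# Buffer request bodies and hand XML bodies to the XML processor. The payloads in
# the thread sit in element attributes (order_id="..."), so rules that inspect the
# request must look at XML://@* (attribute values), not only XML:/* (text nodes).
# Rule id 100000 is an assumed local id.
SecRequestBodyAccess On
SecRule REQUEST_HEADERS:Content-Type "^(?:text|application)/xml" \
    "id:100000,phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML"

# --- Response side (Josh's point) ------------------------------------------------
# Without SecResponseBodyAccess On, phase-4 rules never see the body. The replies
# in the thread are XML, so text/xml must be in the inspected MIME types.
SecResponseBodyAccess On
SecResponseBodyMimeType text/plain text/html text/xml
SecResponseBodyLimit 524288
SecResponseBodyLimitAction ProcessPartial

# Outbound rule in the spirit of modsecurity_crs_50_outbound.conf. The two
# strings are the MySQL messages quoted in the posted ORDER_STATUS_REPLY
# elements. Phase 4 is the response-body phase; rule id 100001 is assumed.
SecRule RESPONSE_BODY "@rx (?i:You have an error in your SQL syntax|Incorrect key file for table)" \
    "id:100001,phase:4,t:none,deny,status:500,log,\
    msg:'MySQL error message in response body (possible SQL injection)',\
    tag:'LEAKAGE/ERRORS_MYSQL',severity:'CRITICAL'"

# --- Audit log (Ryan's point) ----------------------------------------------------
# 'On' records every transaction, including inbound and outbound bodies (parts
# C/E), which is what Ryan describes. 'RelevantOnly' with the status regex below
# is the usual lower-volume setting: 5xx and 4xx-except-404, plus anything a rule
# marks with 'log'. Log path is assumed.
SecAuditEngine On
# SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus "^(?:5|4(?!04))"
SecAuditLogParts ABIJDEFHZ
SecAuditLogType Serial
SecAuditLog /var/log/httpd/modsec_audit.log
```

Two caveats when applying this to the setup described in the thread. First, the XML in the logs travels from the web servers to the logic servers; the outbound rule only fires on an instance that the error-carrying response actually passes through, so ModSecurity has to sit on that hop (or in front of whatever tier echoes the error back to the client). Second, the response-side rule is a detective control for information leakage; the fix for the injection itself is parameterised queries on the logic tier, and the audit log is what lets you confirm, after the fact, exactly which order_id values reached it.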