This repository has been archived by the owner on May 14, 2020. It is now read-only.

Bypass rule PHP Script Uploads with id=933111 and id = 933110 #1386

Closed
lowk3v opened this issue May 4, 2019 · 2 comments · Fixed by #1391
Labels
False Negative - Evasion PR available this issue is referenced by an active pull request

Comments

@lowk3v

lowk3v commented May 4, 2019

Type of Issue

incorrect bypass (false negative)

Description

I bypassed this pull issue #355

In rule id = 933110, this behavior returns true:

[] [localhost/sid#7f04f62b5cf8][rid#7f04ff8ab0a0][/][5] Rule 7f05037de688: SecRule "FILES|REQUEST_HEADERS:X-Filename|REQUEST_HEADERS:X_Filename|REQUEST_HEADERS:X-File-Name" "@rx .*\\.(?:php\\d*|phtml)\\.*$" "phase:2,log,auditlog,id:933110,block,capture,t:none,t:lowercase,msg:'PHP Injection Attack: PHP Script File Upload Found',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:application-multi,tag:language-php,tag:platform-multi,tag:attack-injection-php,tag:OWASP_CRS/WEB_ATTACK/PHP_INJECTION,tag:OWASP_TOP_10/A1,ctl:auditLogParts=+E,ver:OWASP_CRS/3.1.0,severity:CRITICAL,setvar:tx.msg=%{rule.msg},setvar:tx.php_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score_pl1=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/PHP_INJECTION-%{MATCHED_VAR_NAME}=%{tx.0}"
[] [localhost/sid#7f04f62b5cf8][rid#7f04ff8ab0a0][/][9] T (0) lowercase: "test.php."
[] [localhost/sid#7f04f62b5cf8][rid#7f04ff8ab0a0][/][4] Transformation completed in 2 usec.
[] [localhost/sid#7f04f62b5cf8][rid#7f04ff8ab0a0][/][4] Executing operator "rx" with param ".*\\.(?:php\\d*|phtml)\\.*$" against REQUEST_HEADERS:X_Filename.
[] [localhost/sid#7f04f62b5cf8][rid#7f04ff8ab0a0][/][9] Target value: "test.php."
[] [localhost/sid#7f04f62b5cf8][rid#7f04ff8ab0a0][/][9] Added regex subexpression to TX.0: test.php.
[] [localhost/sid#7f04f62b5cf8][rid#7f04ff8ab0a0][/][4] Operator completed in 5 usec.
[] [localhost/sid#7f04f62b5cf8][rid#7f04ff8ab0a0][/][4] Ctl: Set auditLogParts to ABIJDEFHZE.
[] [localhost/sid#7f04f62b5cf8][rid#7f04ff8ab0a0][/][9] Setting variable: tx.msg=%{rule.msg}
[] [localhost/sid#7f04f62b5cf8][rid#7f04ff8ab0a0][/][9] Resolved macro %{rule.msg} to: PHP Injection Attack: PHP Script File Upload Found
[] [localhost/sid#7f04f62b5cf8][rid#7f04ff8ab0a0][/][9] Set variable "tx.msg" to "PHP Injection Attack: PHP Script File Upload Found".
[] [localhost/sid#7f04f62b5cf8][rid#7f04ff8ab0a0][/][9] Setting variable: tx.php_injection_score=+%{tx.critical_anomaly_score}
[] [localhost/sid#7f04f62b5cf8][rid#7f04ff8ab0a0][/][9] Recorded original collection variable: tx.php_injection_score = "0"
[] [localhost/sid#7f04f62b5cf8][rid#7f04ff8ab0a0][/][9] Relative change: php_injection_score=0+
[] [localhost/sid#7f04f62b5cf8][rid#7f04ff8ab0a0][/][9] Set variable "tx.php_injection_score" to "0".
[] [localhost/sid#7f04f62b5cf8][rid#7f04ff8ab0a0][/][9] Setting variable: tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}
[] [localhost/sid#7f04f62b5cf8][rid#7f04ff8ab0a0][/][9] Recorded original collection variable: tx.anomaly_score_pl1 = "0"
[] [localhost/sid#7f04f62b5cf8][rid#7f04ff8ab0a0][/][9] Relative change: anomaly_score_pl1=0+
[] [localhost/sid#7f04f62b5cf8][rid#7f04ff8ab0a0][/][9] Set variable "tx.anomaly_score_pl1" to "0".
[] [localhost/sid#7f04f62b5cf8][rid#7f04ff8ab0a0][/][9] Setting variable: tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/PHP_INJECTION-%{MATCHED_VAR_NAME}=%{tx.0}
[] [localhost/sid#7f04f62b5cf8][rid#7f04ff8ab0a0][/][9] Resolved macro %{rule.id} to: 933110
[] [localhost/sid#7f04f62b5cf8][rid#7f04ff8ab0a0][/][9] Resolved macro %{MATCHED_VAR_NAME} to: REQUEST_HEADERS:X_Filename
[] [localhost/sid#7f04f62b5cf8][rid#7f04ff8ab0a0][/][9] Resolved macro %{tx.0} to: test.php.
[] [localhost/sid#7f04f62b5cf8][rid#7f04ff8ab0a0][/][9] Set variable "tx.933110-OWASP_CRS/WEB_ATTACK/PHP_INJECTION-REQUEST_HEADERS:X_Filename" to "test.php.".
[] [localhost/sid#7f04f62b5cf8][rid#7f04ff8ab0a0][/][9] Resolved macro %{TX.0} to: test.php.
[] [localhost/sid#7f04f62b5cf8][rid#7f04ff8ab0a0][/][9] Resolved macro %{MATCHED_VAR_NAME} to: REQUEST_HEADERS:X_Filename
[] [localhost/sid#7f04f62b5cf8][rid#7f04ff8ab0a0][/][9] Resolved macro %{MATCHED_VAR} to: test.php.
[] [localhost/sid#7f04f62b5cf8][rid#7f04ff8ab0a0][/][2] Warning. Pattern match ".*\\.(?:php\\d*|phtml)\\.*$" at REQUEST_HEADERS:X_Filename. [file "/etc/modsecurity/rules/owasp-modsecurity-crs/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf"] [line "111"] [id "933110"] [msg "PHP Injection Attack: PHP Script File Upload Found"] [data "Matched Data: test.php. found within REQUEST_HEADERS:X_Filename: test.php."] [severity "CRITICAL"] [ver "OWASP_CRS/3.1.0"] [tag "application-multi"] [tag "language-php"] [tag "platform-multi"] [tag "attack-injection-php"] [tag "OWASP_CRS/WEB_ATTACK/PHP_INJECTION"] [tag "OWASP_TOP_10/A1"]
[] [localhost/sid#7f04f62b5cf8][rid#7f04ff8ab0a0][/][4] Rule returned 1.
[] [localhost/sid#7f04f62b5cf8][rid#7f04ff8ab0a0][/][9] Match -> mode NEXT_RULE.

But, by replacing X_Filename with X.Filename:

[] [localhost/sid#7f04f62b5cf8][rid#7f04ff8a90a0][/][5] Rule 7f05037de688: SecRule "FILES|REQUEST_HEADERS:X-Filename|REQUEST_HEADERS:X_Filename|REQUEST_HEADERS:X-File-Name" "@rx .*\\.(?:php\\d*|phtml)\\.*$" "phase:2,log,auditlog,id:933110,block,capture,t:none,t:lowercase,msg:'PHP Injection Attack: PHP Script File Upload Found',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:application-multi,tag:language-php,tag:platform-multi,tag:attack-injection-php,tag:OWASP_CRS/WEB_ATTACK/PHP_INJECTION,tag:OWASP_TOP_10/A1,ctl:auditLogParts=+E,ver:OWASP_CRS/3.1.0,severity:CRITICAL,setvar:tx.msg=%{rule.msg},setvar:tx.php_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score_pl1=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/PHP_INJECTION-%{MATCHED_VAR_NAME}=%{tx.0}"
[] [localhost/sid#7f04f62b5cf8][rid#7f04ff8a90a0][/][4] Rule returned 0.
[] [localhost/sid#7f04f62b5cf8][rid#7f04ff8a90a0][/][9] No match, not chained -> mode NEXT_RULE.

In my PHP application, X.Filename is understood as X_Filename:

  • request:
GET /test.php HTTP/1.1
Host: localhost
Accept: */*
X.Filename: test.php.tmp
Connection: close
  • response:
    (screenshot of the response; image not included)

And rule id = 933111 is the same.

Your Environment

I tested on my Ubuntu 16.04, PHP version 7.3 and the latest CRS version (v3.0.2).

Confirmation

[X] I have removed any personal data (email addresses, IP addresses,
passwords, domain names) from any logs posted.

@fgsch
Contributor

fgsch commented May 4, 2019

I guess you meant false negative here.

Confirmed. Since a dot is not valid in a variable name in PHP, it is transformed to an underscore.
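The point above is that the application's view of a header name differs from the WAF's. The following Python model, added here and not part of this issue or of the CRS code, checks the 933110 pattern against header names both literally (as the SecRule in the log does) and after CGI-style normalization. The regex and the target header list are copied from the quoted SecRule and the value `test.php.` from the log; the `php_server_key` function is an assumption modelled on the `HTTP_*` keys PHP applications read from `$_SERVER`.

```python
import re

# Operator pattern and header targets copied from the 933110 SecRule quoted in
# the issue log; the rule applies t:lowercase to the value before matching.
RULE_933110_RX = re.compile(r".*\.(?:php\d*|phtml)\.*$")
LITERAL_TARGETS = ("X-Filename", "X_Filename", "X-File-Name")


def php_server_key(header_name: str) -> str:
    """Model (assumption) of how a PHP app sees a request header via $_SERVER:
    CGI-style 'HTTP_' prefix, upper-cased, with '-' and '.' folded to '_'.
    Names that differ only in those characters collapse to the same key."""
    return "HTTP_" + re.sub(r"[-.]", "_", header_name).upper()


# The $_SERVER keys the rule author intended to cover.
CANONICAL_TARGETS = {php_server_key(n) for n in LITERAL_TARGETS}


def _value_matches(value: str) -> bool:
    # t:lowercase, then @rx, as in the rule's action list.
    return RULE_933110_RX.search(value.lower()) is not None


def literal_rule_hits(headers: dict) -> list:
    """Behaviour of the rule as written: only the exact header names are
    targets (header-name lookup is case-insensitive here)."""
    wanted = {n.lower() for n in LITERAL_TARGETS}
    return [name for name, value in headers.items()
            if name.lower() in wanted and _value_matches(value)]


def canonical_rule_hits(headers: dict) -> list:
    """Hardened check: select targets by the key the application will actually
    read, so any spelling that collapses to HTTP_X_FILENAME is inspected."""
    return [name for name, value in headers.items()
            if php_server_key(name) in CANONICAL_TARGETS and _value_matches(value)]


if __name__ == "__main__":
    # Constructed requests modelled on the issue: same value, two header spellings.
    cases = {"X_Filename": {"X_Filename": "test.php."},
             "X.Filename": {"X.Filename": "test.php."}}
    for label, hdrs in cases.items():
        print(label, "literal:", literal_rule_hits(hdrs),
              "canonical:", canonical_rule_hits(hdrs))
```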

@lowk3v
Author

lowk3v commented May 4, 2019

Sorry, I edited.
