Add rule 933200 PHP Wrappers

rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf

@@ -202,6 +202,36 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/PHP_INJECTION-%{matched_var_name}=%{tx.0}'"
 
 
+#
+# [ PHP Wrappers ]
+#
+# PHP comes with many built-in wrappers for various URL-style protocols for use with the filesystem
+# functions such as fopen(), copy(), file_exists() and filesize(). Abusing of PHP wrappers like phar://
+# could lead to RCE as describled by Sam Thomas at BlackHat USA 2018 (https://bit.ly/2yaKV5X), even
+# wrappers like zlib://, glob://, rar://, zip://, etc... could lead to LFI and expect:// to RCE.
+#
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)(?:zlib|glob|phar|ssh2|rar|ogg|expect|zip)://(?:[^/]+|/[^/]+)" \
+    "id:933200,\
+    phase:2,\
+    block,\
+    t:none,t:utf8toUnicode,t:urlDecodeUni,t:removeNulls,t:cmdLine,\
+    msg:'PHP Injection Attack: Wrapper scheme detected',\
+    logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',\
+    tag:'application-multi',\
+    tag:'language-php',\
+    tag:'platform-multi',\
+    tag:'attack-injection-php',\
+    tag:'OWASP_CRS/WEB_ATTACK/PHP_INJECTION',\
+    tag:'OWASP_TOP_10/A1',\
+    ctl:auditLogParts=+E,\
+    ver:'OWASP_CRS/3.1.0',\
+    severity:'CRITICAL',\
+    setvar:'tx.msg=%{rule.msg}',\
+    setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
+    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
+    setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/PHP_INJECTION-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'"
+
+
 #
 # [ PHP Functions ]
 #