
Add SQLi bypass detection: MySQL comments #1326

Merged
merged 1 commit into from Mar 29, 2019

4 participants
@franbuehler
Collaborator

commented Mar 12, 2019

This PR partially resolves issue #1167.
The new SQLi rule 942500 detects in-line MySQL comments, which can be used to bypass SQLi detection.
I have placed the new rule at PL1, because it will come with a new release 3.2.
I can also move this rule to PL2. But then we would still have no detection at PL1.

@franbuehler franbuehler changed the title Add SQLi bypass: MySQL comments Add SQLi bypass detection: MySQL comments Mar 12, 2019

@emphazer
Collaborator

commented Mar 21, 2019

This looks good. I will test it.
I'm also not sure if PL1 or PL2.

@franbuehler
Collaborator Author

commented Mar 21, 2019

Many thanks @emphazer!

@emphazer
Collaborator

commented Mar 26, 2019

@franbuehler
I checked the rule against a 20GB modsec_audit_log file.
I had 18 matches.
They looked like this:

GET /wp-content/plugins/AzonPop/files/view/showpopup.php?popid=null%2520/*!00000union*/%2520select%25201,2,/*!00000gRoup_ConCat(unhex(hex(Md5(1234))),0x3c2f62723e,unhex(hex(Md5(1234))))*/,4,5%2520/*!00000from*/%2520wp_users HTTP/1.1
GET /plus/recommend.php?aid=1&_FILES%255Btype%255D%255Bname%255D&_FILES%255Btype%255D%255Bsize%255D&_FILES%255Btype%255D%255Btype%255D&_FILES%255Btype%255D%255Btmp_name%255D=aa%255C%2527and+char%2528@%2560%2527%2560%2529+/*!50000Union*/+/*!50000SeLect*/+1,2,3,group_concat%2528userid,0x23,pwd%2529,5,6,7,8,9%2520from%2520%2560%2523@__admin%2560%2523 HTTP/1.1

It should be absolutely no problem to run this in PL1, I think.

@theMiddleBlue
Collaborator

commented Mar 26, 2019

@franbuehler same for me!

from my logs:

GET /plus/recommend.php?aid=1&_FILES[type][name]&_FILES[type][size]&_FILES[type][type]&_FILES[type][tmp_name]=aa\'and+char(@`'`)+/*!50000Union*/+/*!50000SeLect*/+1,2,3,concat(0x3C6162633E,group_concat(0x7C,userid,0x3a,pwd,0x7C),0x3C2F6162633E),5,6,7,8,9%20from%20`%23@__admin`%23")

GET //plus/recommend.php?action=&aid=1&_FILES[type][tmp_name]=\%27%20or%20mid=@`\%27`%20/*!50000union*//*!50000select*/1,2,3,(select%20CONCAT(0x7c,userid,0x7c,pwd)+from+`%23@__admin`%20limit+0,1),5,6,7,8,9%23@`\%27`+&_FILES[type][name]=1.jpg&_FILES[type][type]=application/octet-stream&_FILES[type][size]=4294

GET /wp-content/plugins/AzonPop/files/view/showpopup.php?popid=null%20/*!00000union*/%20select%201,2,/*!00000gRoup_ConCat(unhex(hex(Md5(1234))),0x3c2f62723e,unhex(hex(Md5(1234))))*/,4,5%20/*!00000from*/%20wp_users

👍
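The two comments above show what the rule is meant to catch: requests whose SQL keywords are wrapped in MySQL's `/*!NNNNN ... */` version-conditional comment syntax (sometimes double URL-encoded, as the `%2520` in the audit-log samples shows). The following is an added illustration written for this thread, not CRS rule 942500 itself and not the project's code: a minimal Python detector that percent-decodes a request line until it stops changing and then looks for the `/*!` opener. The regex, the `normalize` helper and the sample request lines (two shortened from the thread, one constructed double-encoded variant, two benign lines) are all assumptions of this example.

```python
import re
from urllib.parse import unquote

# Hypothetical detector for this thread, not the actual regex of CRS rule 942500.
# MySQL ignores ordinary /* ... */ comments, but executes the text inside
# /*!NNNNN ... */ when the server version is >= NNNNN, so a filter that skips
# comment contents misses the keywords hidden inside. We only need the opener.
MYSQL_INLINE_COMMENT = re.compile(r"/\*!\d{0,5}")


def normalize(raw: str, max_rounds: int = 3) -> str:
    """URL-decode until the string stops changing (bounded to max_rounds).

    The audit-log samples in the thread carry %2520 (a double-encoded space),
    so a single decode pass would miss '/*!' if '/' or '*' were themselves
    percent-encoded twice.
    """
    s = raw
    for _ in range(max_rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def has_mysql_inline_comment(raw: str) -> bool:
    """True if the decoded request line contains a MySQL /*!... comment opener."""
    return MYSQL_INLINE_COMMENT.search(normalize(raw)) is not None


def scan(lines):
    """Return the subset of request lines that the detector flags."""
    return [line for line in lines if has_mysql_inline_comment(line)]


# Constructed sample input: the first line is shortened from the thread above,
# the second is a constructed double-encoded variant of the same opener,
# the last two are benign requests that must not be flagged.
SAMPLE_REQUEST_LINES = [
    "GET /wp-content/plugins/AzonPop/files/view/showpopup.php?popid=null%2520/*!00000union*/%2520select%25201,2,3,4,5%2520/*!00000from*/%2520wp_users HTTP/1.1",
    "GET /item.php?id=1%252F%252A%252150000union%252A%252F%2520select%25201 HTTP/1.1",
    "GET /search.php?q=/*%20just%20a%20comment%20*/ HTTP/1.1",
    "GET /index.php?id=5&page=2 HTTP/1.1",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_REQUEST_LINES):
        print("flagged:", hit)
```

Because the pattern anchors only on the `/*!` opener, the keyword case (`/*!50000SeLect*/`), the version digits and whatever follows the opener do not affect the match; that is also why a plain `/* ... */` comment in the third sample is left alone. A production rule would apply the same check to decoded argument values and request bodies, not just the raw request line.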

@spartantri
Collaborator

commented Mar 26, 2019

I vote PL1, let's kill those stinky automated SQLi payloads. Have you tested on a vulnerable app what happens if \n, \0 or other non-word characters are added?

@emphazer
Collaborator

commented Mar 28, 2019

I think this PR is ready to be merged!
Any objections?

@emphazer emphazer merged commit 313ae7d into SpiderLabs:v3.2/dev Mar 29, 2019

1 check passed

continuous-integration/travis-ci/pr The Travis CI build passed
@emphazer
Collaborator

commented Mar 29, 2019

Merged ;-)

@franbuehler
Collaborator Author

commented Mar 29, 2019

Many thanks, @emphazer, @theMiddleBlue and @spartantri!

@franbuehler franbuehler deleted the franbuehler:sqli-bypass-comments-1167 branch Mar 29, 2019
