
Trying to edit a Table Event results in a 403 #15

Closed
GldRush98 opened this issue Aug 16, 2024 · 8 comments · Fixed by #17

Comments

@GldRush98

phpMyAdmin Version: 5.2.1
CRS Version: 4.4.0

Trying to edit a table event task results in a 403

POST /phpmyadmin/index.php?route=/lint HTTP/2.0

Error in processing request
Error code: 403
Error text: error (rejected)
It seems that the connection to server has been lost. Please check your network connectivity and server status.

@azurit
Member

azurit commented Aug 17, 2024

Hi @GldRush98, can you provide me with the full audit log? Thank you.

@GldRush98
Author

GldRush98 commented Aug 17, 2024

--1c560000-C--
sql_query=DELETE+FROM+%60wp_eum_logs%60+WHERE+%60date%60+%3C%3D+now()-INTERVAl+3+month&server=1&options%5BeventEditor%5D=true&no_history=true&_nocache=1723919121659353928&token=x
--1c560000-F--
HTTP/1.1 403 Forbidden
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Vary: User-Agent
X-XSS-Protection: 1; mode=block
Connection: close
Content-Type: text/html; charset=UTF-8
Date: Sat, 17 Aug 2024 18:25:26 GMT
Server: Apache

--1c560000-H--
Message: Warning. Pattern match "(?i)(?:[\\n\\r;`\\{]|\\|\\|?|&&?)[\\s\\x0b]*[\\s\\x0b\"'\\(,@]*(?:[\"'\\.-9A-Z_a-z]+/|(?:[\"'\\x5c\\^]*[0-9A-Z_a-z][\"'\\x5c\\^]*:.*|[ \"'\\.-9A-Z\\x5c\\^_a-z]*)\\x5c)?[\"\\^]*(?:a[\"\\^]*(?:s[\"\\^]*s[\"\\^]*o[\"\\^]*c|t[\"\\^]*(?:m[\"\\^]*a[\"\\^]*d[ ..." at ARGS:sql_query. [file "C:/xampp/apache/conf/extra/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "834"] [id "932380"] [msg "Remote Command Execution: Windows Command Injection"] [data "Matched Data: ` WHERE found within ARGS:sql_query: DELETE FROM `wp_eum_logs` WHERE `date` <= now()-INTERVAl 3 month"] [severity "CRITICAL"] [ver "OWASP_CRS/4.4.0"] [tag "application-multi"] [tag "language-shell"] [tag "platform-windows"] [tag "attack-rce"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/88"] [tag "PCI/6.5.2"]
Message: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:blocking_inbound_anomaly_score. [file "C:/xampp/apache/conf/extra/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "233"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [ver "OWASP_CRS/4.4.0"] [tag "anomaly-evaluation"] [tag "OWASP_CRS"]
Message: Warning. Unconditional match in SecAction. [file "C:/xampp/apache/conf/extra/rules/RESPONSE-980-CORRELATION.conf"] [line "98"] [id "980170"] [msg "Anomaly Scores: (Inbound Scores: blocking=5, detection=5, per_pl=5-0-0-0, threshold=5) - (Outbound Scores: blocking=0, detection=0, per_pl=0-0-0-0, threshold=4) - (SQLI=0, XSS=0, RFI=0, LFI=0, RCE=5, PHPI=0, HTTP=0, SESS=0, COMBINED_SCORE=5)"] [ver "OWASP_CRS/4.4.0"] [tag "reporting"] [tag "OWASP_CRS"]
Apache-Error: [file "apache2_util.c"] [line 275] [level 3] [client 10.100.100.1] ModSecurity: Warning. Pattern match "(?i)(?:[\\\\\\\\n\\\\\\\\r;`\\\\\\\\{]|\\\\\\\\|\\\\\\\\|?|&&?)[\\\\\\\\s\\\\\\\\x0b]*[\\\\\\\\s\\\\\\\\x0b\\\\"'\\\\\\\\(,@]*(?:[\\\\"'\\\\\\\\.-9A-Z_a-z]+/|(?:[\\\\"'\\\\\\\\x5c\\\\\\\\^]*[0-9A-Z_a-z][\\\\"'\\\\\\\\x5c\\\\\\\\^]*:.*|[ \\\\"'\\\\\\\\.-9A-Z\\\\\\\\x5c\\\\\\\\^_a-z]*)\\\\\\\\x5c)?[\\\\"\\\\\\\\^]*(?:a[\\\\"\\\\\\\\^]*(?:s[\\\\"\\\\\\\\^]*s[\\\\"\\\\\\\\^]*o[\\\\"\\\\\\\\^]*c|t[\\\\"\\\\\\\\^]*(?:m[\\\\"\\\\\\\\^]*a[\\\\"\\\\\\\\^]*d[ ..." at ARGS:sql_query. [file "C:/xampp/apache/conf/extra/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "834"] [id "932380"] [msg "Remote Command Execution: Windows Command Injection"] [data "Matched Data: ` WHERE found within ARGS:sql_query: DELETE FROM `wp_eum_logs` WHERE `date` <= now()-INTERVAl 3 month"] [severity "CRITICAL"] [ver "OWASP_CRS/4.4.0"] [tag "application-multi"] [tag "language-shell"] [tag "platform-windows"] [tag "attack-rce"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/88"] [tag "PCI/6.5.2"] [hostname "x.com"] [uri "/phpmyadmin/index.php"] [unique_id "ZsDrFmhqskiKQ5maiJOipwAAkTM"]
Apache-Error: [file "apache2_util.c"] [line 275] [level 3] [client 10.100.100.1] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:blocking_inbound_anomaly_score. [file "C:/xampp/apache/conf/extra/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "233"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [ver "OWASP_CRS/4.4.0"] [tag "anomaly-evaluation"] [tag "OWASP_CRS"] [hostname "x.com"] [uri "/phpmyadmin/index.php"] [unique_id "ZsDrFmhqskiKQ5maiJOipwAAkTM"]
Apache-Error: [file "apache2_util.c"] [line 275] [level 3] [client 10.100.100.1] ModSecurity: Warning. Unconditional match in SecAction. [file "C:/xampp/apache/conf/extra/rules/RESPONSE-980-CORRELATION.conf"] [line "98"] [id "980170"] [msg "Anomaly Scores: (Inbound Scores: blocking=5, detection=5, per_pl=5-0-0-0, threshold=5) - (Outbound Scores: blocking=0, detection=0, per_pl=0-0-0-0, threshold=4) - (SQLI=0, XSS=0, RFI=0, LFI=0, RCE=5, PHPI=0, HTTP=0, SESS=0, COMBINED_SCORE=5)"] [ver "OWASP_CRS/4.4.0"] [tag "reporting"] [tag "OWASP_CRS"] [hostname "x.com"] [uri "/errordocs/403.php"] [unique_id "ZsDrFmhqskiKQ5maiJOipwAAkTM"]
Action: Intercepted (phase 2)
Apache-Handler: fcgid-script
Stopwatch: 1723919126529889 77912 (- - -)
Stopwatch2: 1723919126529889 77912; combined=74958, p1=2998, p2=71960, p3=0, p4=0, p5=0, sr=0, sw=0, l=0, gc=0
Producer: ModSecurity for Apache/2.9.7 (http://www.modsecurity.org/); OWASP_CRS/4.4.0.
Server: Apache
Engine-Mode: "ENABLED"

--1c560000-Z--

@derMatze82

I can confirm that in 4.6

@azurit
Member

azurit commented Aug 24, 2024

@GldRush98 @derMatze82 Can one of you try this PR?

@GldRush98
Author

@azurit I applied that PR to my config and it fixed Event editing. It works as expected now. Thank you for the fix!

@derMatze82

@azurit for me it's not working:

POST /index.php?route=/import HTTP/2.0
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36
sec-fetch-site: same-origin
sec-ch-ua-mobile: ?0
origin: https://pma.local.host
content-type: application/x-www-form-urlencoded; charset=UTF-8
x-requested-with: XMLHttpRequest
accept: */*
cache-control: no-cache
sec-ch-ua: "Chromium";v="128", "Not;A=Brand";v="24", "Google Chrome";v="128"
sec-ch-ua-platform: "Windows"
pragma: no-cache
content-length: 287
priority: u=1, i
host: pma.local.host
sec-fetch-mode: cors
sec-fetch-dest: empty
accept-encoding: gzip, deflate, br, zstd
cookie: XXXXXXXXX
accept-language: de-DE,de;q=0.9,en-US;q=0.8,en;q=0.7

---jcsW8Jkk---D--

---jcsW8Jkk---E--
<html>\x0d\x0a<head><title>403 Forbidden</title></head>\x0d\x0a<body>\x0d\x0a<center><h1>403 Forbidden</h1></center>\x0d\x0a<hr><center>nginx</center>\x0d\x0a</body>\x0d\x0a</html>\x0d\x0a<!-- a padding to disable MSIE and Chrome friendly error page -->\x0d\x0a<!-- a padding to disable MSIE and Chrome friendly error page -->\x0d\x0a<!-- a padding to disable MSIE and Chrome friendly error page -->\x0d\x0a<!-- a padding to disable MSIE and Chrome friendly error page -->\x0d\x0a<!-- a padding to disable MSIE and Chrome friendly error page -->\x0d\x0a<!-- a padding to disable MSIE and Chrome friendly error page -->\x0d\x0a

---jcsW8Jkk---F--
HTTP/2.0 403
Server: nginx
Date: Wed, 28 Aug 2024 08:12:37 GMT
Content-Length: 548
Content-Type: text/html
Connection: close

---jcsW8Jkk---H--
ModSecurity: Warning. Matched "Operator `Rx' with parameter `(?i)(?:[\n\r;`\{]|\|\|?|&&?)[\s\x0b]*[\s\x0b\"'\(,@]*(?:[\"'\.-9A-Z_a-z]+/|(?:[\"'\x5c\^]*[0-9A-Z_a-z][\"'\x5c\^]*:.*|[ \"'\.-9A-Z\x5c\^_a-z]*)\x5c)?[\"\^]*(?:a[\"\^]*(?:s[\"\^]*s[\"\^]*o[\"\^]*c|t[\" (7602 characters omitted)' against variable `ARGS:sql_query' (Value: `SELECT * FROM `xxx` WHERE ID = 6' ) [file "/etc/nginx/owasp-crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "855"] [id "932380"] [rev ""] [msg "Remote Command Execution: Windows Command Injection"] [data "Matched Data: ` WHERE found within ARGS:sql_query: SELECT * FROM `xxxx` WHERE ID = 6"] [severity "2"] [ver "OWASP_CRS/4.6.0-dev"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-shell"] [tag "platform-windows"] [tag "attack-rce"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/88"] [tag "PCI/6.5.2"] [hostname "XXX.XXX.XXX"] [uri "/index.php"] [unique_id "172483275773.534947"] [ref "o29,7v1152,43"]
ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:BLOCKING_INBOUND_ANOMALY_SCORE' (Value: `5' ) [file "/etc/nginx/owasp-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "222"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [data ""] [severity "0"] [ver "OWASP_CRS/4.6.0-dev"] [maturity "0"] [accuracy "0"] [tag "anomaly-evaluation"] [tag "OWASP_CRS"] [hostname "XXX.XXX.XXX"] [uri "/index.php"] [unique_id "172483275773.534947"] [ref ""]

---jcsW8Jkk---I--

---jcsW8Jkk---J--

---jcsW8Jkk---Z--

I'm not sure why it gets POSTed to /index.php?route=/import, because I am browsing at /index.php?route=/sql&pos=0&db=xxx&table=xxx and trying to use the sql editor.

pma 5.2.1

@azurit
Member

azurit commented Aug 28, 2024

@derMatze82 Can you try now? The same PR, thanks.

@derMatze82

@azurit it works!
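One way to scope the kind of exclusion this thread needed, as an added example that is not the code from PR #17 or the project's own plugin: rule 932380 fires on the backtick-plus-WHERE sequence in the query text, so the exclusion drops that rule only for ARGS:sql_query and only on the two phpMyAdmin routes seen in the audit logs above (route=/lint and route=/import). The rule id 9599901 is a placeholder, and the file must be loaded before the CRS rule files (a *-before.conf exclusion file or plugin) so the ctl action runs before 932380 is evaluated.

```apache
# Added example, not the project's PR #17. Assumptions: id 9599901 is a
# placeholder from your own exclusion-rule id range; this file is loaded
# before REQUEST-932-APPLICATION-ATTACK-RCE.conf.
#
# First rule: match phpMyAdmin's front controller (both /index.php and
# /phpmyadmin/index.php end with /index.php) and chain to the route check.
SecRule REQUEST_FILENAME "@endsWith /index.php" \
    "id:9599901,\
    phase:1,\
    pass,\
    t:none,\
    nolog,\
    chain"
    # Second rule: only the routes that carry a free-form SQL statement in
    # sql_query (the two routes from the audit logs in this issue). When both
    # rules match, 932380 is removed for ARGS:sql_query only; every other
    # parameter of the request is still inspected by that rule.
    SecRule ARGS_GET:route "@rx ^/(lint|import)$" \
        "t:none,\
        ctl:ruleRemoveTargetById=932380;ARGS:sql_query"
```

After loading this, replaying the same request should produce no 932380 entry in the H section of the audit log, and the inbound anomaly score for it should stay below the blocking threshold of 5 reported above.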
