I inherited an old website that nobody is willing to make major changes to, such as reinstalling everything or upgrading to a newer PHP/Apache.
Only recently was the site's single web form implemented, for users to submit data. Every time Chinese characters are entered, the web server returns a 403 error. On inspection, the problem is a mod_security rule that blocks the HTTP POST.
The error is as follows:
[Wed Dec 26 15:02:51 2018] [error] [client x.x.x.x] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(^[\\"'`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98;]+|[\\"'`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98;]+$)" at ARGS:txt_name. [file "/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "64"] [id "981318"] [rev "2"] [msg "SQL Injection Attack: Common Injection Testing Detected"] [data "Matched Data: ': ' found within ARGS:txt_name"] [severity "CRITICAL"] [ver "OWASP_CRS/2.2.8"] [maturity "9"] [accuracy "8"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"] [hostname "dev.worldpeace.org.tw"] [uri "/light/light_step1.php"] [unique_id "XCOYG38AAAEAAAw-FoQAAAAA"]
We tried several things:
1. Changing
   "(^[\"'`´’‘;]+|[\"'`´’‘;]+$)"
   to
   "(^[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98;]+|[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98;]+$)"
   and then updating the configuration (modsecurity_crs_10_config.conf) with
   SecUnicodeMapFile /path/to/unicode.mapping 20127
   or
   SecUnicodeMapFile /path/to/unicode.mapping 950
2. Changing
   t:urlDecodeUni
   to
   t:utf8toUnicode,t:urlDecodeUni
Source: [https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/21]
The fixes work to some extent; for example, after applying fix 1, some characters can be POSTed. But then some other Chinese characters still don't work.
I am inclined to turn off the whole SQL injection check, but is there anything else I can try?
Some information about the server
OS:
Linux ip-172-31-38-4 4.14.72-68.55.amzn1.x86_64 #1 SMP Fri Sep 28 21:14:54 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
Installed packages:
httpd.x86_64 2.2.34-1.16.amzn1 @amzn-updates
httpd-tools.x86_64 2.2.34-1.16.amzn1 @amzn-updates
mod_security.x86_64 2.8.0-5.27.amzn1 @amzn-main
mod_security_crs.noarch 2.2.8-2.5.amzn1 @amzn-main
One of the original rules:
#
# -=[ String Termination/Statement Ending Injection Testing ]=-
#
# Identifies common initial SQLi probing requests where attackers insert/append
# quote characters to the existing normal payload to see how the app/db responds.
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(^[\"'`´’‘;]+|[\"'`´’‘;]+$)" "phase:2,rev:'2',ver:'OWASP_CRS/2.2.8',maturity:'9',accuracy:'8',capture,t:none,t:urlDecodeUni,block,msg:'SQL Injection Attack: Common Injection Testing Detected',id:'981318',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"
Updated rule:
#
# -=[ String Termination/Statement Ending Injection Testing ]=-
#
# Identifies common initial SQLi probing requests where attackers insert/append
# quote characters to the existing normal payload to see how the app/db responds.
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(^[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98;]+|[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98;]+$)" "phase:2,rev:'2',ver:'OWASP_CRS/2.2.8',maturity:'9',accuracy:'8',capture,t:none,t:utf8toUnicode,t:urlDecodeUni,block,msg:'SQL Injection Attack: Common Injection Testing Detected',id:'981318',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"
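The following is an added example, not code from the question, from ModSecurity or from the OWASP CRS. It reproduces offline why rule 981318 blocks some Chinese input but not the rest. The premise it assumes is that ModSecurity 2.x compiles rule regexes with PCRE in byte mode, so the UTF-8 encoding of the class `[\"'`´’‘;]` (bytes 22 27 60 c2 b4 e2 80 99 e2 80 98 3b) is treated as a set of single bytes; the "updated rule" above, which spells those bytes out as `\xc2\xb4...`, is therefore the identical class and cannot change the result. The sample inputs are constructed; the function names are the example's own.

```python
import re
from typing import Optional

# The class as the rule author meant it: ASCII quotes, backtick, acute accent
# (U+00B4), curly quotes (U+2019, U+2018) and semicolon (from rule 981318 above).
QUOTE_CLASS = "\"'`´’‘;"

# Byte-mode view of the same class: this is the "updated rule" regex from the
# question written as a Python bytes pattern. PCRE in ModSecurity 2.x sees the
# multi-byte characters as separate bytes, so 0x80, 0x98, 0x99, 0xb4, 0xc2 and
# 0xe2 each become a member of the class on their own (assumed premise).
BYTE_MODE_RE = re.compile(
    rb"(^[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98;]+|[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98;]+$)"
)

# The intended rule: the same class applied to code points, not bytes.
CODEPOINT_RE = re.compile(r"(^[\"'`´’‘;]+|[\"'`´’‘;]+$)")


def byte_mode_match(value: str) -> Optional[bytes]:
    """Bytes the byte-mode rule would report as 'Matched Data', or None."""
    m = BYTE_MODE_RE.search(value.encode("utf-8"))
    return m.group(0) if m else None


def codepoint_mode_match(value: str) -> Optional[str]:
    """Text matched when the class is applied to code points, or None."""
    m = CODEPOINT_RE.search(value)
    return m.group(0) if m else None


def is_false_positive(value: str) -> bool:
    """True when byte mode blocks a value the intended rule would let through."""
    return byte_mode_match(value) is not None and codepoint_mode_match(value) is None


def value_hex(value: str) -> str:
    """UTF-8 bytes of a string as space-separated hex, for reading the verdicts."""
    return " ".join(f"{b:02x}" for b in value.encode("utf-8"))


def report(values):
    """One row per value: its bytes, both match results and the verdict."""
    return [
        {
            "value": v,
            "utf8": value_hex(v),
            "byte_mode": byte_mode_match(v),
            "codepoint_mode": codepoint_mode_match(v),
            "false_positive": is_false_positive(v),
        }
        for v in values
    ]


if __name__ == "__main__":
    # Constructed inputs for a name field such as ARGS:txt_name in the log above.
    samples = [
        "admin'",   # trailing quote: the probe the rule is written to catch
        "陳",       # e9 99 b3: neither end byte is in the class, passes
        "趙",       # e8 b6 99: last byte 0x99 is in the class, blocked
        "王一",     # e7 8e 8b e4 b8 80: last byte 0x80 is in the class, blocked
        "※注意",    # e2 80 bb ...: first byte 0xe2 is in the class, blocked
    ]
    for row in report(samples):
        print(row)
```

Run against a list of the names users actually submit, this tells you which ones will 403 before you touch the server: a CJK character is blocked only when its last UTF-8 byte is 0x80, 0x98, 0x99 or 0xb4, or when its first byte is 0xe2 (punctuation such as ※ or …), which is exactly the "some characters work, some don't" pattern in the question. Changing the class spelling is a no-op; the fix has to make the match code-point aware (the transformation chain in the question) or, narrower than disabling the whole SQLi group, exclude just this parameter from this rule with a ModSecurity 2 target update such as `SecRuleUpdateTargetById 981318 !ARGS:txt_name` in a config file loaded after the CRS rules (the parameter name is taken from the log; whether the rest of the form is covered is for the operator to check).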