Hi, below is the output of a small program I wrote to test sites protected by ModSecurity. I tried pushing in some SQL injection tests and was surprised to find that the following just passed through without being blocked, despite having all default rules active.
test failed: GET -- /index.php?id=1+and+1=(SELECT+1+FROM+information_schema.tables+WHERE+TABLE_SCHEMA="blind_sqli"+AND+table_name+REGEXP+'^[a-z]'+LIMIT+0,1) {}. Expected: <class 'requests.exceptions.ConnectionError'>, got 200 instead
test failed: GET -- /index.php?id=1+and+1=(SELECT+1+FROM+information_schema.tables++WHERE+TABLE_SCHEMA="blind_sqli"+AND+table_name+REGEXP+'^[a-n]'+LIMIT+0,1) {}. Expected: <class 'requests.exceptions.ConnectionError'>, got 200 instead
test failed: GET -- /index.php?id=1+and+1=(SELECT+1+FROM+information_schema.tables++WHERE+TABLE_SCHEMA="blind_sqli"+AND+table_name+REGEXP+'^[a-g]'+LIMIT+0,1) {}. Expected: <class 'requests.exceptions.ConnectionError'>, got 200 instead
test failed: GET -- /index.php?id=1+and+1=(SELECT+1+FROM+information_schema.tables++WHERE+TABLE_SCHEMA="blind_sqli"+AND+table_name+REGEXP+'^[h-n]'+LIMIT+0,1) {}. Expected: <class 'requests.exceptions.ConnectionError'>, got 200 instead
test failed: GET -- /index.php?id=1+and+1=(SELECT+1+FROM+information_schema.tables++WHERE+TABLE_SCHEMA="blind_sqli"+AND+table_name+REGEXP+'^[h-l]'+LIMIT+0,1) {}. Expected: <class 'requests.exceptions.ConnectionError'>, got 200 instead
test failed: GET -- /index.php?id=1+and+1=(SELECT+1+FROM+information_schema.tables++WHERE+TABLE_SCHEMA="blind_sqli"+AND+table_name+REGEXP+'^m'+LIMIT+0,1) {}. Expected: <class 'requests.exceptions.ConnectionError'>, got 200 instead
test failed: GET -- /index.php?id=1+and+1=(SELECT+1+FROM+information_schema.tables++WHERE+TABLE_SCHEMA="blind_sqli"+AND+table_name+REGEXP+'^n'+LIMIT+0,1)+ {}. Expected: <class 'requests.exceptions.ConnectionError'>, got 200 instead
test failed: GET -- /index.php?id=1+and+1=(SELECT+1+FROM+information_schema.tables++WHERE+TABLE_SCHEMA="blind_sqli"+AND+table_name+REGEXP+'^n'+LIMIT+1,1)+ {}. Expected: <class 'requests.exceptions.ConnectionError'>, got 200 instead
test failed: GET -- /default.asp?id=1+AND+1=(SELECT+TOP+1+1+FROM+information_schema.tables+WHERE+TABLE_SCHEMA="blind_sqli"+and+table_name+LIKE+'[a-z]%'+) {}. Expected: <class 'requests.exceptions.ConnectionError'>, got 200 instead
test failed: GET -- /default.asp?id=1+AND+1=(SELECT+TOP+1+1+FROM+information_schema.tables+WHERE+TABLE_SCHEMA="blind_sqli"+and+table_name+NOT+IN+(+SELECT+TOP+1+table_name+FROM+information_schema.tables)+and+table_name+LIKE+'[a-z]%'+) {}. Expected: <class 'requests.exceptions.ConnectionError'>, got 200 instead
test failed: GET -- /index.php?id=1+and+1=(SELECT+1+FROM+users+WHERE+password+REGEXP+'^[a-f]'+AND+ID=1) {}. Expected: <class 'requests.exceptions.ConnectionError'>, got 200 instead
test failed: GET -- /index.php?id=1+and+1=(SELECT+1+FROM+users+WHERE+password+REGEXP+'^[0-9]'+AND+ID=1) {}. Expected: <class 'requests.exceptions.ConnectionError'>, got 200 instead
test failed: GET -- /index.php?id=1+and+1=(SELECT+1+FROM+users+WHERE+password+REGEXP+'^[0-4]'+AND+ID=1) {}. Expected: <class 'requests.exceptions.ConnectionError'>, got 200 instead
test failed: GET -- /index.php?id=1+and+1=(SELECT+1+FROM+users+WHERE+password+REGEXP+'^[5-9]'+AND+ID=1) {}. Expected: <class 'requests.exceptions.ConnectionError'>, got 200 instead
test failed: GET -- /index.php?id=1+and+1=(SELECT+1+FROM+users+WHERE+password+REGEXP+'^[5-7]'+AND+ID=1) {}. Expected: <class 'requests.exceptions.ConnectionError'>, got 200 instead
test failed: GET -- /index.php?id=1+and+1=(SELECT+1+FROM+users+WHERE+password+REGEXP+'^5'+AND+ID=1) {}. Expected: <class 'requests.exceptions.ConnectionError'>, got 200 instead
test failed: GET -- /default.asp?id=1+AND+1=(SELECT+1+FROM+users+WHERE+password+LIKE+'5[a-f]%'+AND+ID=1) {}. Expected: <class 'requests.exceptions.ConnectionError'>, got 200 instead
test failed: GET -- /default.asp?id=1+AND+1=(SELECT+1+FROM+users+WHERE+password+LIKE+'5[a-c]%'+AND+ID=1) {}. Expected: <class 'requests.exceptions.ConnectionError'>, got 200 instead
test failed: GET -- /default.asp?id=1+AND+1=(SELECT+1+FROM+users+WHERE+password+LIKE+'5[d-f]%'+AND+ID=1) {}. Expected: <class 'requests.exceptions.ConnectionError'>, got 200 instead
test failed: GET -- /default.asp?id=1+AND+1=(SELECT+1+FROM+users+WHERE+password+LIKE+'5[d-e]%'+AND+ID=1) {}. Expected: <class 'requests.exceptions.ConnectionError'>, got 200 instead
test failed: GET -- /default.asp?id=1+AND+1=(SELECT+1+FROM+users+WHERE+password+LIKE+'5f%'+AND+ID=1) {}. Expected: <class 'requests.exceptions.ConnectionError'>, got 200 instead
test failed: GET -- /http://example/article.asp?ID=2+union+all+select+name+from+sysobjects {}. Expected: <class 'requests.exceptions.ConnectionError'>, got 200 instead
test failed: GET -- /article.asp?ID=2'+and+1=1 {}. Expected: <class 'requests.exceptions.ConnectionError'>, got 200 instead
test failed: GET -- /article.asp?ID=2'+and+1=0+ {}. Expected: <class 'requests.exceptions.ConnectionError'>, got 200 instead

_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
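The harness above treats only a dropped connection (requests.exceptions.ConnectionError) as "blocked". ModSecurity's deny action, which is what the CRS uses by default, answers with an HTTP status (403 unless configured otherwise); only the drop action closes the TCP connection. A 403 would therefore also have been printed as "test failed", while a 200 means the request reached the application unblocked (rules not matching, or SecRuleEngine set to DetectionOnly). The script below is an added example, not the poster's program: it parses output in the quoted format, even when the lines are run together as they are in the post, separates "denied with a status" from "passed through", and lists the path, parameter and decoded value of each request that passed, which is the list to check against the audit log and the active rule set. The sample output embedded in it is constructed in the same format; nothing is sent to a target.

```python
"""Triage output from a WAF coverage harness of the kind shown in the post.

Assumed line format (taken from the quoted output):
  test failed: <METHOD> -- <url> {}. Expected: <class '...'>, got <status> instead
"""
import re
from collections import Counter
from urllib.parse import parse_qsl, urlsplit

# ModSecurity `deny` replies with a status (CRS default 403); only `drop`
# closes the connection, which is what the harness's ConnectionError means.
DENY_STATUSES = {403}

LINE_RE = re.compile(
    r"test failed: (?P<method>[A-Z]+) -- (?P<url>\S+) \{[^}]*\}\. "
    r"Expected: <class '(?P<expected>[^']+)'>, got (?P<status>\d+) instead"
)

# Constructed sample in the harness's own format (not captured from a live
# site); the 403 line is invented to show how a real deny would be reported.
SAMPLE_OUTPUT = """\
test failed: GET -- /index.php?id=1+and+1=(SELECT+1+FROM+users+WHERE+password+REGEXP+'^5'+AND+ID=1) {}. Expected: <class 'requests.exceptions.ConnectionError'>, got 200 instead
test failed: GET -- /article.asp?ID=2'+and+1=1 {}. Expected: <class 'requests.exceptions.ConnectionError'>, got 200 instead
test failed: GET -- /article.asp?ID=2'+and+1=0+ {}. Expected: <class 'requests.exceptions.ConnectionError'>, got 403 instead
"""


def verdict(status):
    """What the observed HTTP status says about the WAF's handling."""
    if status in DENY_STATUSES:
        return "blocked_by_status"   # WAF denied; harness miscounted it as a failure
    if 200 <= status < 300:
        return "passed_through"      # reached the application unblocked
    return "other"                   # redirects, 5xx, etc.: inspect by hand


def parse_results(text):
    """Yield one dict per harness result; finditer copes with run-together lines."""
    for m in LINE_RE.finditer(text):
        parts = urlsplit(m.group("url"))
        status = int(m.group("status"))
        yield {
            "method": m.group("method"),
            "path": parts.path,
            # parse_qsl form-decodes the values ('+' becomes a space)
            "params": parse_qsl(parts.query, keep_blank_values=True),
            "status": status,
            "verdict": verdict(status),
        }


def summarize(text):
    """Count verdicts and list every parameter of a request that passed through."""
    counts = Counter()
    passed = []
    for r in parse_results(text):
        counts[r["verdict"]] += 1
        if r["verdict"] == "passed_through":
            for name, value in r["params"]:
                passed.append({"path": r["path"], "param": name, "payload": value})
    return {"counts": counts, "passed": passed}


if __name__ == "__main__":
    report = summarize(SAMPLE_OUTPUT)
    print(dict(report["counts"]))
    for entry in report["passed"]:
        print(f"{entry['path']}  {entry['param']} = {entry['payload']!r}")
```

Paste the real harness output into summarize() in place of SAMPLE_OUTPUT; entries under "passed_through" are the ones to reproduce against the ModSecurity audit log to see whether the rules fired at all.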