What CRS version are you using? How do you have the SecRuleEngine configured? Unless it is set to On, you can't rely upon returned status codes for detection. How have you activated the rules? Are you sure you have the modsecurity_crs_41_sql_injection_attacks.conf file activated?
I tested your first payload against the latest CRS version and it triggered many SQLi alerts -

[Wed Mar 28 08:30:23 2012] [error] [client 127.0.0.1] ModSecurity: Warning. Pattern match "(?i:(\\\\!\\\\=|\\\\&\\\\&|\\\\|\\\\||>>|<<|>=|<=|<>|<=>|xor|rlike|regexp| isnull)|(?:not\\\\s+between\\\\s+0\\\\s+and)|(?:is\\\\s+null)|(like\\\\s+nu ll)|(?:(?:^|\\\\W)in[+\\\\s]*\\\\([\\\\s\\\\d\\"]+[^()]*\\\\))|(?:xor|<>|rl ike(?:\\\\s+binary)?)|(?:regexp\\\\s+binary))" at ARGS:id. [file "/usr/local/apache/conf/crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "70"] [id "981319"] [rev "2.2.5"] [msg "SQL Injection Attack: SQL Operator Detected"] [data "REGEXP"] [severity "CRITICAL"] [tag "WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"] [hostname "localhost"] [uri "/index.php"] [unique_id "T3MEX8CoqAEAAWNHI4gAAAAE"]

[Wed Mar 28 08:30:23 2012] [error] [client 127.0.0.1] ModSecurity: Warning. Pattern match "(?i:(?:m(?:s(?:ysaccessobjects|msysaces|msysobjects|msysqueries|msysrelati onships|msysaccessstorage|msysaccessxml|msysmodules|msysmodules2|db)|aster\ \\\.\\\\.sysdatabases|ysql\\\\.db)|s(?:ys(?:\\\\.database_name|aux)|chema(? :\\\\W*\\\\(|_name)|qlite(_temp)?_master ..." at ARGS:id. [file "/usr/local/apache/conf/crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "84"] [id "981320"] [rev "2.2.5"] [msg "SQL Injection Attack: Common DB Names Detected"] [data "information_schema"] [severity "CRITICAL"] [tag "WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"] [hostname "localhost"] [uri "/index.php"] [unique_id "T3MEX8CoqAEAAWNHI4gAAAAE"]

[Wed Mar 28 08:30:23 2012] [error] [client 127.0.0.1] ModSecurity: Warning. Operator GE matched 3 at TX:sqli_select_statement_count. [file "/usr/local/apache/conf/crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "108"] [id "981317"] [rev "2.2.5"] [msg "SQL SELECT Statement Anomaly Detection Alert"] [data "4"] [tag "WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"] [hostname "localhost"] [uri "/index.php"] [unique_id "T3MEX8CoqAEAAWNHI4gAAAAE"]

[Wed Mar 28 08:30:23 2012] [error] [client 127.0.0.1] ModSecurity: Warning. Pattern match "(?i:(?:\\\\b(?:(?:s(?:ys\\\\.(?:user_(?:(?:t(?:ab(?:_column|le)|rigger)|ob ject|view)s|c(?:onstraints|atalog))|all_tables|tab)|elect\\\\b.{0,40}\\\\b( ?:substring|users?|ascii))|m(?:sys(?:(?:queri|ac)e|relationship|column|obje ct)s|ysql\\\\.(db|user))|c(?:onstraint ..." at ARGS:id. [file "/usr/local/apache/conf/crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "116"] [id "950007"] [rev "2.2.5"] [msg "Blind SQL Injection Attack"] [data "table_name"] [severity "CRITICAL"] [tag "WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"] [hostname "localhost"] [uri "/index.php"] [unique_id "T3MEX8CoqAEAAWNHI4gAAAAE"]

[Wed Mar 28 08:30:23 2012] [error] [client 127.0.0.1] ModSecurity: Warning. Pattern match "(?i:(?:(?:s(?:t(?:d(?:dev(_pop|_samp)?)?|r(?:_to_date|cmp))|u(?:b(?:str(?: ing(_index)?)?|(?:dat|tim)e)|m)|e(?:c(?:_to_time|ond)|ssion_user)|ys(?:tem_ user|date)|ha(1|2)?|oundex|chema|ig?n|pace|qrt)|i(?:s(null|_(free_lock|ipv4 _compat|ipv4_mapped|ipv4|ipv ..." at ARGS:id. [file "/usr/local/apache/conf/crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "125"] [id "950001"] [rev "2.2.5"] [msg "SQL Injection Attack"] [data "SELECT 1 FROM information_schema.tables WHERE"] [severity "CRITICAL"] [tag "WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"] [hostname "localhost"] [uri "/index.php"] [unique_id "T3MEX8CoqAEAAWNHI4gAAAAE"]

[Wed Mar 28 08:30:23 2012] [error] [client 127.0.0.1] ModSecurity: Warning. Pattern match "\\\\b(?i:having)\\\\b\\\\s+(\\\\d{1,10}|'[^=]{1,10}')\\\\s*[=<>]|(?i:\\\\b execute(\\\\s{1,5}[\\\\w\\\\.$]{1,5}\\\\s{0,3})?\\\\()|\\\\bhaving\\\\b ?(?:\\\\d{1,10}|[\\\\'\\"][^=]{1,10}[\\\\'\\"]) ?[=<>]+|(?i:\\\\bcreate\\\\s+?table.{0,20}?\\\\()|(?i:\\\\blike\\\\W*?char\ \\\W*?\\\\()|(?i:(?:(select(.*) ..." at ARGS:id. [file "/usr/local/apache/conf/crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "131"] [id "959070"] [rev "2.2.5"] [msg "SQL Injection Attack"] [data "FROM information_schema.tables WHERE TABLE_SCHEMA=\\x22blind_sqli\\x22 AND table_name REGEXP '^[a-z]' LIMIT"] [severity "CRITICAL"] [tag "WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"] [hostname "localhost"] [uri "/index.php"] [unique_id "T3MEX8CoqAEAAWNHI4gAAAAE"]

[Wed Mar 28 08:30:23 2012] [error] [client 127.0.0.1] ModSecurity: Warning. Pattern match "(?i)\\\\b(?i:and)\\\\b\\\\s+(\\\\d{1,10}|'[^=]{1,10}')\\\\s*[=]|\\\\b(?i:a nd)\\\\b\\\\s+(\\\\d{1,10}|'[^=]{1,10}')\\\\s*[<>]|\\\\band\\\\b ?(?:\\\\d{1,10}|[\\\\'\\"][^=]{1,10}[\\\\'\\"]) ?[=<>]+|\\\\b(?i:and)\\\\b\\\\s+(\\\\d{1,10}|'[^=]{1,10}')" at ARGS:id. [file "/usr/local/apache/conf/crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "137"] [id "959072"] [rev "2.2.5"] [msg "SQL Injection Attack"] [data "and 1="] [severity "CRITICAL"] [tag "WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"] [hostname "localhost"] [uri "/index.php"] [unique_id "T3MEX8CoqAEAAWNHI4gAAAAE"]

[Wed Mar 28 08:30:23 2012] [error] [client 127.0.0.1] ModSecurity: Warning. Pattern match "(?i:(?:(?:s(?:t(?:d(?:dev(_pop|_samp)?)?|r(?:_to_date|cmp))|u(?:b(?:str(?: ing(_index)?)?|(?:dat|tim)e)|m)|e(?:c(?:_to_time|ond)|ssion_user)|ys(?:tem_ user|date)|ha(1|2)?|oundex|chema|ig?n|pace|qrt)|i(?:s(null|_(free_lock|ipv4 _compat|ipv4_mapped|ipv4|ipv ..." at ARGS:id. [file "/usr/local/apache/conf/crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "144"] [id "959073"] [rev "2.2.5"] [msg "SQL Injection Attack"] [data "SELECT 1 FROM information_schema.tables WHERE"] [severity "CRITICAL"] [tag "WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"] [hostname "localhost"] [uri "/index.php"] [unique_id "T3MEX8CoqAEAAWNHI4gAAAAE"]

[Wed Mar 28 08:30:23 2012] [error] [client 127.0.0.1] ModSecurity: Warning. Pattern match "\\\\W{4,}" at ARGS:id. [file "/usr/local/apache/conf/crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "155"] [id "960024"] [rev "2.2.5"] [msg "SQL Character Anomaly Detection Alert - Repetative Non-Word Characters"] [data " '^["] [hostname "localhost"] [uri "/index.php"] [unique_id "T3MEX8CoqAEAAWNHI4gAAAAE"]

[Wed Mar 28 08:30:23 2012] [error] [client 127.0.0.1] ModSecurity: Warning. Pattern match "([\\\\~\\\\!\\\\@\\\\#\\\\$\\\\%\\\\^\\\\&\\\\*\\\\(\\\\)\\\\-\\\\+\\\\=\\ \\{\\\\}\\\\[\\\\]\\\\|\\\\:\\\\;\\"\\\\'\\\\\\xc2\\xb4\\\\\\xe2\\x80\\x99\ \\\\\xe2\\x80\\x98\\\\`\\\\<\\\\>].*){4,}" at ARGS:id. [file "/usr/local/apache/conf/crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "171"] [id "981173"] [rev "2.2.5"] [msg "Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded"] [data ")"] [hostname "localhost"] [uri "/index.php"] [unique_id "T3MEX8CoqAEAAWNHI4gAAAAE"]

[Wed Mar 28 08:30:23 2012] [error] [client 127.0.0.1] ModSecurity: Warning. Pattern match "(?i:(?:\\\\sexec\\\\s+xp_cmdshell)|(?:[\\"'`\\xc2\\xb4\\xe2\\x80\\x99\\xe2 \\x80\\x98]\\\\s*?!\\\\s*?[\\"'`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98\\\ \w])|(?:from\\\\W+information_schema\\\\W)|(?:(?:(?:current_)?user|database |schema|connection_id)\\\\s*?\\\\([^\\\\)]*?)|(?:[\\"'`\\xc2\\xb4\\xe2 ..." at ARGS:id. [file "/usr/local/apache/conf/crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "219"] [id "981255"] [msg "Detects MSSQL code execution and information gathering attempts"] [data "FROM information_schema."] [severity "CRITICAL"] [tag "WEB_ATTACK/SQLI"] [hostname "localhost"] [uri "/index.php"] [unique_id "T3MEX8CoqAEAAWNHI4gAAAAE"]

[Wed Mar 28 08:30:23 2012] [error] [client 127.0.0.1] ModSecurity: Warning. Pattern match "(?i:(?:,.*[)\\\\da-f\\"'`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98][\\"'`\\ xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98](?:[\\"'`\\xc2\\xb4\\xe2\\x80\\x99\\ xe2\\x80\\x98].*?[\\"'`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98]|\\\\Z|[^\\ "'`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98]+))|(?:\\\\Wselect.+\\\\W*from) |((?:s ..." at ARGS:id. [file "/usr/local/apache/conf/crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "221"] [id "981257"] [msg "Detects MySQL comment-/space-obfuscated injections and backtick termination"] [data "(SELECT 1 FROM"] [severity "CRITICAL"] [tag "WEB_ATTACK/SQLI"] [hostname "localhost"] [uri "/index.php"] [unique_id "T3MEX8CoqAEAAWNHI4gAAAAE"]

[Wed Mar 28 08:30:23 2012] [error] [client 127.0.0.1] ModSecurity: Warning. Pattern match "(?i:(?:@.+=\\\\s*?\\\\(\\\\s*?select)|(?:\\\\d+\\\\s*?(x?or|div|like|betwe en|and)\\\\s*?\\\\d+\\\\s*?[\\\\-+])|(?:\\\\/\\\\w+;?\\\\s+(?:having|and|x? or|div|like|between|and|select)\\\\W)|(?:\\\\d\\\\s+group\\\\s+by.+\\\\()|( ?:(?:;|#|--)\\\\s*?(?:drop|alter))|(?:(?:;|#|--)\\\\s*?(?:update|i ..." at ARGS:id. [file "/usr/local/apache/conf/crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "223"] [id "981248"] [msg "Detects chained SQL injection attempts 1/2"] [data "and 1=("] [severity "CRITICAL"] [tag "WEB_ATTACK/SQLI"] [hostname "localhost"] [uri "/index.php"] [unique_id "T3MEX8CoqAEAAWNHI4gAAAAE"]

[Wed Mar 28 08:30:23 2012] [error] [client 127.0.0.1] ModSecurity: Warning. Pattern match "(?i:(?:union\\\\s*?(?:all|distinct|[(!@]*?)?\\\\s*?[([]*?\\\\s*?select)|(? :\\\\w+\\\\s+like\\\\s+[\\"'`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98])|(?: like\\\\s*?[\\"'`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98]\\\\%)|(?:[\\"'`\ \xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98]\\\\s*?like\\\\W*?[\\"'`\\xc2\\xb4\ \xe2 ..." at ARGS:id. [file "/usr/local/apache/conf/crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "235"] [id "981245"] [msg "Detects basic SQL authentication bypass attempts 2/3"] [data "SELECT 1 FROM"] [severity "CRITICAL"] [tag "WEB_ATTACK/SQLI"] [hostname "localhost"] [uri "/index.php"] [unique_id "T3MEX8CoqAEAAWNHI4gAAAAE"]

[Wed Mar 28 08:30:23 2012] [error] [client 127.0.0.1] ModSecurity: Warning. Pattern match "(?i:(?:[\\"'`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98]\\\\s*?(x?or|div|lik e|between|and)\\\\s*?[\\"'`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98]?\\\\d) |(?:\\\\\\\\x(?:23|27|3d))|(?:^.?[\\"'`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\ \x98]$)|(?:(?:^[\\"'`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98\\\\\\\\]*?(?: [\\\\ ..." at ARGS:id. [file "/usr/local/apache/conf/crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "249"] [id "981242"] [msg "Detects classic SQL injection probings 1/2"] [data " information_schema"] [severity "CRITICAL"] [tag "WEB_ATTACK/SQLI"] [hostname "localhost"] [uri "/index.php"] [unique_id "T3MEX8CoqAEAAWNHI4gAAAAE"]

[Wed Mar 28 08:30:23 2012] [error] [client 127.0.0.1] ModSecurity: Warning. Pattern match "(?i:(?:[\\"'`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98]\\\\s*?\\\\*.+(?:x?o r|div|like|between|and|id)\\\\W*?[\\"'`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\ \x98]\\\\d)|(?:\\\\^[\\"'`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98])|(?:^[\ \\\w\\\\s\\"'`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98-]+(?<=and\\\\s)(?<=o r|xor ..." at ARGS:id. [file "/usr/local/apache/conf/crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "257"] [id "981243"] [msg "Detects classic SQL injection probings 2/2"] [data "\\x22 AND table_name REGEXP '^[a-z]' LIMIT 0,1"] [severity "CRITICAL"] [tag "WEB_ATTACK/SQLI"] [hostname "localhost"] [uri "/index.php"] [unique_id "T3MEX8CoqAEAAWNHI4gAAAAE"]

On 3/28/12 2:18 AM, "Tzury Bar Yochay" <tzury...@reguluslabs.com> wrote:

>Hi,
>
>below is an output of a small program I wrote to test sites protected
>by modSecurity
>I tried pushing in some SQL injection tests and was surprised to find
>out the following just passed through and not being blocked despite
>having all default rules active)
>
>test failed: GET --
>/index.php?id=1+and+1=(SELECT+1+FROM+information_schema.tables+WHERE+TABLE
>_SCHEMA="blind_sqli"+AND+table_name+REGEXP+'^[a-z]'+LIMIT+0,1)
>{}. Expected: <class 'requests.exceptions.ConnectionError'>, got 200
>instead
>test failed: GET --
>/index.php?id=1+and+1=(SELECT+1+FROM+information_schema.tables++WHERE+TABL
>E_SCHEMA="blind_sqli"+AND+table_name+REGEXP+'^[a-n]'+LIMIT+0,1)
>{}. Expected: <class 'requests.exceptions.ConnectionError'>, got 200
>instead
>test failed: GET --
>/index.php?id=1+and+1=(SELECT+1+FROM+information_schema.tables++WHERE+TABL
>E_SCHEMA="blind_sqli"+AND+table_name+REGEXP+'^[a-g]'+LIMIT+0,1)
>{}. Expected: <class 'requests.exceptions.ConnectionError'>, got 200
>instead
>test failed: GET --
>/index.php?id=1+and+1=(SELECT+1+FROM+information_schema.tables++WHERE+TABL
>E_SCHEMA="blind_sqli"+AND+table_name+REGEXP+'^[h-n]'+LIMIT+0,1)
>{}. Expected: <class 'requests.exceptions.ConnectionError'>, got 200
>instead
>test failed: GET --
>/index.php?id=1+and+1=(SELECT+1+FROM+information_schema.tables++WHERE+TABL
>E_SCHEMA="blind_sqli"+AND+table_name+REGEXP+'^[h-l]'+LIMIT+0,1)
>{}. Expected: <class 'requests.exceptions.ConnectionError'>, got 200
>instead
>test failed: GET --
>/index.php?id=1+and+1=(SELECT+1+FROM+information_schema.tables++WHERE+TABL
>E_SCHEMA="blind_sqli"+AND+table_name+REGEXP+'^m'+LIMIT+0,1)
>{}. Expected: <class 'requests.exceptions.ConnectionError'>, got 200
>instead
>test failed: GET --
>/index.php?id=1+and+1=(SELECT+1+FROM+information_schema.tables++WHERE+TABL
>E_SCHEMA="blind_sqli"+AND+table_name+REGEXP+'^n'+LIMIT+0,1)+
>{}. Expected: <class 'requests.exceptions.ConnectionError'>, got 200
>instead
>test failed: GET --
>/index.php?id=1+and+1=(SELECT+1+FROM+information_schema.tables++WHERE+TABL
>E_SCHEMA="blind_sqli"+AND+table_name+REGEXP+'^n'+LIMIT+1,1)+
>{}. Expected: <class 'requests.exceptions.ConnectionError'>, got 200
>instead
>test failed: GET --
>/default.asp?id=1+AND+1=(SELECT+TOP+1+1+FROM+information_schema.tables+WHE
>RE+TABLE_SCHEMA="blind_sqli"+and+table_name+LIKE+'[a-z]%'+)
>{}. Expected: <class 'requests.exceptions.ConnectionError'>, got 200
>instead
>test failed: GET --
>/default.asp?id=1+AND+1=(SELECT+TOP+1+1+FROM+information_schema.tables+WHE
>RE+TABLE_SCHEMA="blind_sqli"+and+table_name+NOT+IN+(+SELECT+TOP+1+table_na
>me+FROM+information_schema.tables)+and+table_name+LIKE+'[a-z]%'+)
>{}. Expected: <class 'requests.exceptions.ConnectionError'>, got 200
>instead
>test failed: GET --
>/index.php?id=1+and+1=(SELECT+1+FROM+users+WHERE+password+REGEXP+'^[a-f]'+
>AND+ID=1)
>{}. Expected: <class 'requests.exceptions.ConnectionError'>, got 200
>instead
>test failed: GET --
>/index.php?id=1+and+1=(SELECT+1+FROM+users+WHERE+password+REGEXP+'^[0-9]'+
>AND+ID=1)
>{}. Expected: <class 'requests.exceptions.ConnectionError'>, got 200
>instead
>test failed: GET --
>/index.php?id=1+and+1=(SELECT+1+FROM+users+WHERE+password+REGEXP+'^[0-4]'+
>AND+ID=1)
>{}. Expected: <class 'requests.exceptions.ConnectionError'>, got 200
>instead
>test failed: GET --
>/index.php?id=1+and+1=(SELECT+1+FROM+users+WHERE+password+REGEXP+'^[5-9]'+
>AND+ID=1)
>{}. Expected: <class 'requests.exceptions.ConnectionError'>, got 200
>instead
>test failed: GET --
>/index.php?id=1+and+1=(SELECT+1+FROM+users+WHERE+password+REGEXP+'^[5-7]'+
>AND+ID=1)
>{}. Expected: <class 'requests.exceptions.ConnectionError'>, got 200
>instead
>test failed: GET --
>/index.php?id=1+and+1=(SELECT+1+FROM+users+WHERE+password+REGEXP+'^5'+AND+
>ID=1)
>{}. Expected: <class 'requests.exceptions.ConnectionError'>, got 200
>instead
>test failed: GET --
>/default.asp?id=1+AND+1=(SELECT+1+FROM+users+WHERE+password+LIKE+'5[a-f]%'
>+AND+ID=1)
>{}. Expected: <class 'requests.exceptions.ConnectionError'>, got 200
>instead
>test failed: GET --
>/default.asp?id=1+AND+1=(SELECT+1+FROM+users+WHERE+password+LIKE+'5[a-c]%'
>+AND+ID=1)
>{}. Expected: <class 'requests.exceptions.ConnectionError'>, got 200
>instead
>test failed: GET --
>/default.asp?id=1+AND+1=(SELECT+1+FROM+users+WHERE+password+LIKE+'5[d-f]%'
>+AND+ID=1)
>{}. Expected: <class 'requests.exceptions.ConnectionError'>, got 200
>instead
>test failed: GET --
>/default.asp?id=1+AND+1=(SELECT+1+FROM+users+WHERE+password+LIKE+'5[d-e]%'
>+AND+ID=1)
>{}. Expected: <class 'requests.exceptions.ConnectionError'>, got 200
>instead
>test failed: GET --
>/default.asp?id=1+AND+1=(SELECT+1+FROM+users+WHERE+password+LIKE+'5f%'+AND
>+ID=1)
>{}. Expected: <class 'requests.exceptions.ConnectionError'>, got 200
>instead
>test failed: GET --
>/http://example/article.asp?ID=2+union+all+select+name+from+sysobjects
>{}. Expected: <class 'requests.exceptions.ConnectionError'>, got 200
>instead
>test failed: GET -- /article.asp?ID=2'+and+1=1 {}. Expected: <class
>'requests.exceptions.ConnectionError'>, got 200 instead
>test failed: GET -- /article.asp?ID=2'+and+1=0+ {}. Expected: <class
>'requests.exceptions.ConnectionError'>, got 200 instead
>_______________________________________________
>Owasp-modsecurity-core-rule-set mailing list
>Owasp-modsecurity-core-rule-set@lists.owasp.org
>https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
>
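
Added example (not part of the thread, and not ModSecurity or CRS code): the reply points out that status codes only reflect detection when SecRuleEngine is On, so a test harness can read the alerts from the Apache error log instead of the HTTP response. The sketch below parses the alert format quoted above, groups matches by unique_id, and reports which rule ids fired and whether a disruptive action was logged. The sample lines are constructed and abridged from the thread's format, and the second transaction and its unique_id are invented for illustration.

```python
import re
from collections import defaultdict

# Constructed sample, abridged from the alert format in the thread (patterns
# shortened to "..."); the Access-denied entry and its unique_id are invented.
SAMPLE_LOG = r'''
[Wed Mar 28 08:30:23 2012] [error] [client 127.0.0.1] ModSecurity: Warning. Pattern match "..." at ARGS:id. [file "/usr/local/apache/conf/crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "70"] [id "981319"] [rev "2.2.5"] [msg "SQL Injection Attack: SQL Operator Detected"] [data "REGEXP"] [severity "CRITICAL"] [tag "WEB_ATTACK/SQL_INJECTION"] [tag "OWASP_TOP_10/A1"] [hostname "localhost"] [uri "/index.php"] [unique_id "T3MEX8CoqAEAAWNHI4gAAAAE"]
[Wed Mar 28 08:30:23 2012] [error] [client 127.0.0.1] ModSecurity: Warning. Pattern match "..." at ARGS:id. [file "/usr/local/apache/conf/crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "84"] [id "981320"] [rev "2.2.5"] [msg "SQL Injection Attack: Common DB Names Detected"] [data "information_schema"] [severity "CRITICAL"] [tag "WEB_ATTACK/SQL_INJECTION"] [hostname "localhost"] [uri "/index.php"] [unique_id "T3MEX8CoqAEAAWNHI4gAAAAE"]
[Wed Mar 28 08:30:23 2012] [error] [client 127.0.0.1] ModSecurity: Warning. Pattern match "..." at ARGS:id. [file "/usr/local/apache/conf/crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "116"] [id "950007"] [rev "2.2.5"] [msg "Blind SQL Injection Attack"] [data "table_name"] [severity "CRITICAL"] [tag "WEB_ATTACK/SQL_INJECTION"] [hostname "localhost"] [uri "/index.php"] [unique_id "T3MEX8CoqAEAAWNHI4gAAAAE"]
[Wed Mar 28 08:30:24 2012] [error] [client 127.0.0.1] File does not exist: /usr/local/apache/htdocs/favicon.ico
[Wed Mar 28 08:30:25 2012] [error] [client 127.0.0.1] ModSecurity: Access denied with code 403 (phase 2). Pattern match "..." at ARGS:ID. [file "/usr/local/apache/conf/crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "137"] [id "959072"] [rev "2.2.5"] [msg "SQL Injection Attack"] [data "and 1="] [severity "CRITICAL"] [hostname "localhost"] [uri "/article.asp"] [unique_id "CONSTRUCTED-TXN-0002"]
'''

# [key "value"] metadata pairs; values may contain backslash-escaped quotes.
FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')
# "Warning." = rule matched and was logged; "Access denied ..." = request disrupted.
ALERT_RE = re.compile(r'ModSecurity: (Warning|Access denied[^.]*)\. ')

def parse_alert(line):
    """Return a dict for one ModSecurity alert line, or None for any other line."""
    head = ALERT_RE.search(line)
    if head is None:
        return None
    alert = {"action": head.group(1), "tags": []}
    for key, value in FIELD_RE.findall(line, head.end()):
        if key == "tag":
            alert["tags"].append(value)   # tag repeats, so collect all of them
        else:
            alert[key] = value
    return alert

def summarize(log_text):
    """Group alerts by transaction (unique_id) and give a per-request verdict."""
    by_txn = defaultdict(list)
    for line in log_text.splitlines():
        alert = parse_alert(line)
        if alert and "unique_id" in alert:
            by_txn[alert["unique_id"]].append(alert)
    return {
        txn: {
            "uri": alerts[0].get("uri"),
            "rule_ids": sorted({a["id"] for a in alerts if "id" in a}),
            "blocked": any(a["action"].startswith("Access denied") for a in alerts),
        }
        for txn, alerts in by_txn.items()
    }

if __name__ == "__main__":
    for txn, verdict in summarize(SAMPLE_LOG).items():
        print(txn, verdict)
```

A request whose transaction lists rule ids but has `blocked` false was detected without being stopped, which is the case where a client sees 200 even though the rules matched.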