Hi Denis, the round brackets in RE are used to group, in particular to group variants. If they should be a literal character, they need to be escaped with a \ (backslash).
Said this, you see both usages -- ( as grouping meta character, and \( as literal character -- in your visualized picture. You see the literal \( one only, but not the grouping ( in the picture. In LDAP round brackets are a core syntax element. Does this help? Achim On 13.01.2016 12:21, Denis Kolegov wrote: > Hello All. > > I am working on RE for LDAP injection. > Could anybody explain the structure of the LDAP injection detection rule? > > https://github.com/SpiderLabs/owasp-modsecurity-crs/blob/master/base_rules/modsecurity_crs_40_generic_attacks.conf > > Its regular expression is the following: > > (?:\((?:\W*?(?:objectc(?:ategory|lass)|homedirectory|[gu]idnumber|cn)\b\W*?=|[^\w\x80-\xFF]*?[\!\&\|][^\w\x80-\xFF]*?\()|\)[^\w\x80-\xFF]*?\([^\w\x80-\xFF]*?[\!\&\|]) > > See regular expression visualizer (https://jex.im/regulex) screenshot in > the attachment. > > My questions: > > 1. What is the purpose of RE after '(' character? Which context is > supposed there? > > I found the following vectors: > > Alonso-Parada vectors: > > foo)(sn=100 > foo)(&) > documents)(security_level=*))(&(directory=documents > printer)(uid=*) > printer)(department=fa*) > > printer)(department=*fa*) > *)(objectClass=*))(&(objectClass=void > *)(objectClass=users))(&(objectClass=foo > void)(objectClass=users))(&(objectClass=void) > > > Exploit DB: > > ka0x)(|(homedirectory=*) > 5faa0382d747b754)(sn=* > 5faa0382d747b754)!(sn=* > > Burp: > > eb9adbd87d)(sn=* > eb9adbd87d)!(sn=* > *)(sn=* > *)!(sn=* > > > > 2. Some trivial LDAPi vectors are not detected. For example, > > printer)(uid=*) > > from Alonso-Parada slides > https://www.blackhat.com/presentations/bh-europe-08/Alonso-Parada/Whitepaper/bh-eu-08-alonso-parada-WP.pdf > > Thanks. > > > > _______________________________________________ > Owasp-modsecurity-core-rule-set mailing list > Owasp-modsecurity-core-rule-set@lists.owasp.org > https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set > _______________________________________________ Owasp-modsecurity-core-rule-set mailing list Owasp-modsecurity-core-rule-set@lists.owasp.org https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
