Hi Denis,

when writing '(' do you mean '(?' right at the beginning of the RE and again 3 more times?
'(?' in a RE means that the RE engine does not store the grouped match. If a group is not stored, there is no backreference (i.e. $1). This results in less memory usage and speeds up processing.

Ciao
Achim

On 13.01.2016 23:58, Denis Kolegov wrote:
> Hi.
>
> It seems my question was not clear.
> I asked about the logic of the regular expression.
>
> What is the purpose of the first part of the RE, where it checks for a string beginning with '('?
>
> (?:\((?:\W*?(?:objectc(?:ategory|lass)|homedirectory|[gu]idnumber|cn)\b\W*?=|[^\w\x80-\xFF]*?[\!\&\|][^\w\x80-\xFF]*?\())
>
> Thanks.
> ---
> Denis Kolegov
>
> On 14 Jan 2016 at 3:18, "Achim" <ac...@owasp.org> wrote:
>
>> Hi Denis,
>>
>> the round brackets in a RE are used to group, in particular to group variants.
>> If they should be a literal character, they need to be escaped with a \ (backslash).
>>
>> That said, you see both usages -- ( as grouping meta character, and \( as literal character -- in your visualized picture. You see the literal \( one only, but not the grouping ( in the picture.
>>
>> In LDAP round brackets are a core syntax element.
>>
>> Does this help?
>> Achim
>>
>> On 13.01.2016 12:21, Denis Kolegov wrote:
>>> Hello All.
>>>
>>> I am working on a RE for LDAP injection.
>>> Could anybody explain the structure of the LDAP injection detection rule?
>>>
>>> https://github.com/SpiderLabs/owasp-modsecurity-crs/blob/master/base_rules/modsecurity_crs_40_generic_attacks.conf
>>>
>>> Its regular expression is the following:
>>>
>>> (?:\((?:\W*?(?:objectc(?:ategory|lass)|homedirectory|[gu]idnumber|cn)\b\W*?=|[^\w\x80-\xFF]*?[\!\&\|][^\w\x80-\xFF]*?\()|\)[^\w\x80-\xFF]*?\([^\w\x80-\xFF]*?[\!\&\|])
>>>
>>> See the regular expression visualizer (https://jex.im/regulex) screenshot in the attachment.
>>>
>>> My questions:
>>>
>>> 1. What is the purpose of the RE after the '(' character? Which context is supposed there?
>>>
>>> I found the following vectors:
>>>
>>> Alonso-Parada vectors:
>>>
>>> foo)(sn=100
>>> foo)(&)
>>> documents)(security_level=*))(&(directory=documents
>>> printer)(uid=*)
>>> printer)(department=fa*)
>>> printer)(department=*fa*)
>>> *)(objectClass=*))(&(objectClass=void
>>> *)(objectClass=users))(&(objectClass=foo
>>> void)(objectClass=users))(&(objectClass=void)
>>>
>>> Exploit DB:
>>>
>>> ka0x)(|(homedirectory=*)
>>> 5faa0382d747b754)(sn=*
>>> 5faa0382d747b754)!(sn=*
>>>
>>> Burp:
>>>
>>> eb9adbd87d)(sn=*
>>> eb9adbd87d)!(sn=*
>>> *)(sn=*
>>> *)!(sn=*
>>>
>>> 2. Some trivial LDAPi vectors are not detected. For example,
>>>
>>> printer)(uid=*)
>>>
>>> from the Alonso-Parada slides
>>> https://www.blackhat.com/presentations/bh-europe-08/Alonso-Parada/Whitepaper/bh-eu-08-alonso-parada-WP.pdf
>>>
>>> Thanks.

_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
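As an added illustration (my own code, not part of this thread and not CRS code), the script below runs the rule's regex exactly as quoted above over the vectors Denis listed and reports which of the expression's three top-level alternatives fired for each one. It assumes that the rule's transformation chain lowercases the argument value before the regex is applied (t:lowercase), and it compiles the pattern with Python's `re.ASCII` so that `\w` is ASCII-only as in PCRE without the /u modifier; the branch labels are mine, not CRS terminology.

```python
import re

# Regex of the CRS LDAP injection rule, copied verbatim from the thread.
LDAPI_REGEX = (
    r"(?:\((?:\W*?(?:objectc(?:ategory|lass)|homedirectory|[gu]idnumber|cn)\b\W*?="
    r"|[^\w\x80-\xFF]*?[\!\&\|][^\w\x80-\xFF]*?\()"
    r"|\)[^\w\x80-\xFF]*?\([^\w\x80-\xFF]*?[\!\&\|])"
)

# The same expression split into its three top-level alternatives so a hit
# can be attributed to the part of the RE that produced it.  Labels are mine.
BRANCHES = {
    # "(" + optional non-word chars + a well-known attribute name + "="
    "attribute-eq": r"\((?:\W*?(?:objectc(?:ategory|lass)|homedirectory|[gu]idnumber|cn)\b\W*?=)",
    # "(" + one of ! & | + "("   e.g. "(&(" or "(|("
    "open-op-open": r"\([^\w\x80-\xFF]*?[\!\&\|][^\w\x80-\xFF]*?\(",
    # ")" + "(" + one of ! & |   e.g. ")(&" or ")(|"
    "close-open-op": r"\)[^\w\x80-\xFF]*?\([^\w\x80-\xFF]*?[\!\&\|]",
}

# re.ASCII keeps \w ASCII-only, as in PCRE without /u, so the
# [^\w\x80-\xFF] classes keep the meaning the rule author intended.
_FULL = re.compile(LDAPI_REGEX, re.ASCII)
_BRANCH_RES = {name: re.compile(rx, re.ASCII) for name, rx in BRANCHES.items()}

# Vectors exactly as listed in the thread (Alonso-Parada, Exploit DB, Burp).
VECTORS = [
    "foo)(sn=100",
    "foo)(&)",
    "documents)(security_level=*))(&(directory=documents",
    "printer)(uid=*)",
    "printer)(department=fa*)",
    "printer)(department=*fa*)",
    "*)(objectClass=*))(&(objectClass=void",
    "*)(objectClass=users))(&(objectClass=foo",
    "void)(objectClass=users))(&(objectClass=void)",
    "ka0x)(|(homedirectory=*)",
    "5faa0382d747b754)(sn=*",
    "5faa0382d747b754)!(sn=*",
    "eb9adbd87d)(sn=*",
    "eb9adbd87d)!(sn=*",
    "*)(sn=*",
    "*)!(sn=*",
]


def rule_matches(value: str) -> bool:
    """Emulate the rule on a single argument value.

    Assumption: the rule's transformation chain lowercases the value
    (t:lowercase) before the regex runs, which is why 'objectClass'
    in the vectors can be caught by the attribute-eq branch.
    """
    return _FULL.search(value.lower()) is not None


def matching_branches(value: str) -> list:
    """Names of the alternatives that match, in BRANCHES order."""
    lowered = value.lower()
    return [name for name, rx in _BRANCH_RES.items() if rx.search(lowered)]


def classify(vectors):
    """Split vectors into those the rule detects and those it misses."""
    detected = [v for v in vectors if rule_matches(v)]
    missed = [v for v in vectors if not rule_matches(v)]
    return detected, missed


if __name__ == "__main__":
    for v in VECTORS:
        hits = matching_branches(v)
        status = "DETECTED" if hits else "missed  "
        print(f"{status}  {v!r:50} {', '.join(hits)}")
    det, miss = classify(VECTORS)
    print(f"\n{len(det)} detected, {len(miss)} missed")
```

Running it shows what the structure of the RE implies: a value is flagged only when it contains a listed attribute name right after an opening bracket (`(objectclass=`, `(homedirectory=`, `(cn=`, ...), or an operator sandwiched between two opening brackets (`(&(`, `(|(`), or a closing bracket followed by an opening bracket and an operator (`)(&`, `)(|`). The plain `foo)(sn=*`-style vectors contain none of these, and the `)!(sn=*` variants put the operator before the bracket rather than after it, so they pass as well; that is the gap point 2 of the thread describes, and any tightening of the rule should be checked against these same vectors for false positives on legitimate parenthesised input.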