
SQL Injection Attack - encoding issue #2173

Closed
@ccsalway

Description


I have modsecurity/2.9.3 running on apache/2.4.39 in front of gitlab/12.3.1.

When I try to set the admin password, I get an SQL Injection Attack, which doesn't make any sense.

--2ab6393d-A--
[27/Sep/2019:13:17:28 +0000] XY4L6GcGx@9lbabVDq546wAAAAM xx.xx.xx.xx 61414 10.0.202.67 80
--2ab6393d-B--
POST /users/password HTTP/1.1
Host: gitlab.xx.xx.xx.xx
Connection: keep-alive
Content-Length: 285
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.132 Safari/537.36
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Origin: https://gitlab.xx.xx.xx.xx
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Sec-Fetch-Site: none
Referer: https://gitlab.xx.xx.xx.xx/users/password/edit?reset_password_token=o6-cuz45Xmz_dyr8sDzy
Accept-Encoding: gzip, deflate, br
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Cookie: sidebar_collapsed=false; event_filter=all; _gitlab_session=d39dd732a4ca01c92e2ec5ab9a75f4d1

--2ab6393d-C--
utf8=%E2%9C%93&_method=put&authenticity_token=CQTjDI8Z1x%2B1efEGBA6cox4ExbO%2BPsF7Qa4xDPIR%2FwW6CvFXIC7AXaN4BIk1cRzkCJizdsRKcjKmr913qGS8Bg%3D%3D&user%5Breset_password_token%5D=o6-cuz45Xmz_dyr8sDzy&user%5Bpassword%5D=UXiB18yPfVmkqw9Lqo&user%5Bpassword_confirmation%5D=UXiB18yPfVmkqw9Lqo
--2ab6393d-F--
HTTP/1.1 403 Forbidden
Content-Length: 223
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1

--2ab6393d-E--

--2ab6393d-H--
Message: Access denied with code 403 (phase 2). Pattern match "(^[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98;]+|[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98;]+$)" at ARGS:utf8. [file "/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "64"] [id "981318"] [rev "2"] [msg "SQL Injection Attack: Common Injection Testing Detected"] [data "Matched Data: \xe2 found within ARGS:utf8: \xe2\x9c\x93"] [severity "CRITICAL"] [ver "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "8"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"]
Apache-Error: [file "apache2_util.c"] [line 273] [level 3] [client xx.xx.xx.xx] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(^[\\\\"'`\\\\xc2\\\\xb4\\\\xe2\\\\x80\\\\x99\\\\xe2\\\\x80\\\\x98;]+|[\\\\"'`\\\\xc2\\\\xb4\\\\xe2\\\\x80\\\\x99\\\\xe2\\\\x80\\\\x98;]+$)" at ARGS:utf8. [file "/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "64"] [id "981318"] [rev "2"] [msg "SQL Injection Attack: Common Injection Testing Detected"] [data "Matched Data: \\\\xe2 found within ARGS:utf8: \\\\xe2\\\\x9c\\\\x93"] [severity "CRITICAL"] [ver "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "8"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"] [hostname "gitlab.xx.xx.xx.xx"] [uri "/users/password"] [unique_id "XY4L6GcGx@9lbabVDq546wAAAAM"]
Action: Intercepted (phase 2)
Apache-Handler: proxy-server
Stopwatch: 1569590248807024 3243 (- - -)
Stopwatch2: 1569590248807024 3243; combined=2039, p1=435, p2=1560, p3=0, p4=0, p5=44, sr=176, sw=0, l=0, gc=0
Response-Body-Transformed: Dechunked
Producer: ModSecurity for Apache/2.9.3 (http://www.modsecurity.org/); OWASP_CRS/2.2.9.
Server: Apache/2.4.39 ()
Engine-Mode: "ENABLED"

--2ab6393d-Z--

From the file modsecurity_crs_41_sql_injection_attacks.conf, the rule looks like the following:

#
# -=[ String Termination/Statement Ending Injection Testing ]=-
#
# Identifies common initial SQLi probing requests where attackers insert/append
# quote characters to the existing normal payload to see how the app/db responds.
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(^[\"'`´’‘;]+|[\"'`´’‘;]+$)" "phase:2,rev:'2',ver:'OWASP_CRS/2.2.9',maturity:'9',accuracy:'8',capture,t:none,t:urlDecodeUni,block,msg:'SQL Injection Attack: Common Injection Testing Detected',id:'981318',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"

You will notice the regex shows (^[\"'`´’‘;]+|[\"'`´’‘;]+$), not (^[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98;]+|[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98;]+$), which makes me think there is some encoding issue?

Running the content through a URL decoder gives

utf8=✓&_method=put&authenticity_token=CQTjDI8Z1x+1efEGBA6cox4ExbO+PsF7Qa4xDPIR/wW6CvFXIC7AXaN4BIk1cRzkCJizdsRKcjKmr913qGS8Bg==&user[reset_password_token]=o6-cuz45Xmz_dyr8sDzy&user[password]=UXiB18yPfVmkqw9Lqo&user[password_confirmation]=UXiB18yPfVmkqw9Lqo

UPDATE

I've done some more research, and it turns out the "tick" in UTF-8 translates to \xe2\x9c\x8, and it seems modsecurity has encoded the unicode character ` to \xe2 and matches the tick.
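The mechanism behind the false positive, reproduced as an added example (this is not code from the issue, from ModSecurity or from the CRS project): the character class of rule 981318 contains three non-ASCII code points (´ U+00B4, ’ U+2019, ‘ U+2018). If the regex engine compiles the pattern as raw UTF-8 bytes instead of in UTF-8 mode, each byte of those code points becomes its own class member, so the class silently gains \xc2, \xb4, \xe2, \x80, \x99 and \x98. The ✓ sent in the `utf8` parameter is \xe2\x9c\x93, and its leading \xe2 is enough to satisfy `^[...]+`, which is exactly the "Matched Data: \xe2" in the audit log. The rule text below is copied from the .conf shown above; the two compile variants and the sample values are constructed for the demonstration.

```python
import re

# Character class of CRS 2.2.9 rule 981318 as written in the rule file
# (the \" in the file is a ModSecurity config escape; the regex sees a plain ").
QUOTE_CLASS = "\"'`\u00b4\u2019\u2018;"          # " ' ` ´ ’ ‘ ;
RULE_PATTERN = "(^[" + QUOTE_CLASS + "]+|[" + QUOTE_CLASS + "]+$)"

# Variant 1: pattern compiled as Unicode text. Each code point is one class member,
# which is what the rule author intended.
UNICODE_RE = re.compile(RULE_PATTERN)

# Variant 2: the same pattern compiled from its UTF-8 bytes with no UTF-8 mode.
# Every byte of the encoded class becomes a separate member (assumption: this is
# how a byte-oriented compile of the rule behaves, mirroring the log's \xe2 match).
BYTES_RE = re.compile(RULE_PATTERN.encode("utf-8"))


def byte_members() -> set:
    """Distinct bytes that the byte-compiled class actually matches."""
    return set(QUOTE_CLASS.encode("utf-8"))


def classify(value: str) -> dict:
    """Report whether a decoded argument value trips each variant of the rule."""
    return {
        "unicode_pattern": bool(UNICODE_RE.search(value)),
        "byte_pattern": bool(BYTES_RE.search(value.encode("utf-8"))),
    }


def matched_data(value: str):
    """The bytes the byte-compiled rule would report as 'Matched Data', or None."""
    m = BYTES_RE.search(value.encode("utf-8"))
    return m.group(0) if m else None


if __name__ == "__main__":
    # Constructed sample values: the real probe characters, the ✓ from the report,
    # another UTF-8 value that merely starts with \xe2, and a plain password.
    for sample in ["'", "\u2713", "\u20ac", "caf\u00e9", "UXiB18yPfVmkqw9Lqo"]:
        print(repr(sample), classify(sample), matched_data(sample))
    print("byte class members:", sorted(byte_members()))
```

Running it shows that `'` trips both variants (a genuine quote probe), while ✓ and € trip only the byte-compiled variant, with ✓ reporting `b'\xe2'` as matched data just like the audit log; `café` and the password trip neither. The defensive takeaway is that a character class containing multi-byte characters must be compiled in UTF-8 mode (in PCRE, a leading `(*UTF8)`, or the engine's equivalent option) or have those members written as code-point escapes; otherwise the class matches any legitimate UTF-8 value whose first or last byte happens to collide, and the false positive is not limited to the ✓ parameter.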
