Improve our SQLI-related documentation and remove some useless rules

author: jvoisin 2021-05-01 17:50:32 +0200
committer: jvoisin 2021-05-01 17:51:48 +0200
commit: 73f764647baa7cdfb66eb6bf4b2feb96e190ef88 (patch)
tree: 9761a2569ea32c0a47063da67f089669e25c9f65
parent: 006026b492b119319219cd0e6eb2a6cbdb77c4e6 (diff)
3 files changed, 5 insertions, 65 deletions
diff --git a/config/default.rules b/config/default.rules
index 05dd91d..74e1edb 100644
--- a/config/default.rules
+++ b/config/default.rules
@@ -96,34 +96,7 @@ sp.disable_function.function("is_callable").param("var").value("shell_exec").dro
 sp.disable_function.function("is_callable").param("var").value("proc_open").drop();
 sp.disable_function.function("is_callable").param("var").value("passthru").drop();
-# Commenting sqli related stuff to improve performance.
+# Ghetto error-based sqli detection
-# TODO figure out why these functions can't be hooked at startup
-# Ghetto sqli hardening
-# sp.disable_function.function("mysql_query").param("query").value_r("/\\*").drop();
-# sp.disable_function.function("mysql_query").param("query").value_r("--").drop();
-# sp.disable_function.function("mysql_query").param("query").value_r("#").drop();
-# sp.disable_function.function("mysql_query").param("query").value_r(";.*;").drop();
-# sp.disable_function.function("mysql_query").param("query").value_r("benchmark").drop();
-# sp.disable_function.function("mysql_query").param("query").value_r("sleep").drop();
-# sp.disable_function.function("mysql_query").param("query").value_r("information_schema").drop();
-# sp.disable_function.function("mysqli_query").param("query").value_r("/\\*").drop();
-# sp.disable_function.function("mysqli_query").param("query").value_r("--").drop();
-# sp.disable_function.function("mysqli_query").param("query").value_r("#").drop();
-# sp.disable_function.function("mysqli_query").param("query").value_r(";.*;").drop();
-# sp.disable_function.function("mysqli_query").param("query").value_r("benchmark").drop();
-# sp.disable_function.function("mysqli_query").param("query").value_r("sleep").drop();
-# sp.disable_function.function("mysqli_query").param("query").value_r("information_schema").drop();
-# sp.disable_function.function("PDO::query").param("query").value_r("/\\*").drop();
-# sp.disable_function.function("PDO::query").param("query").value_r("--").drop();
-# sp.disable_function.function("PDO::query").param("query").value_r("#").drop();
-# sp.disable_function.function("PDO::query").param("query").value_r(";.*;").drop();
-# sp.disable_function.function("PDO::query").param("query").value_r("benchmark\\s*\\(").drop();
-# sp.disable_function.function("PDO::query").param("query").value_r("sleep\\s*\\(").drop();
-# sp.disable_function.function("PDO::query").param("query").value_r("information_schema").drop();
-# Ghetto sqli detection
 # sp.disable_function.function("mysql_query").ret("FALSE").drop();
 # sp.disable_function.function("mysqli_query").ret("FALSE").drop();
 # sp.disable_function.function("PDO::query").ret("FALSE").drop();
diff --git a/config/default_php8.rules b/config/default_php8.rules
index fa3120e..427dcaf 100644
--- a/config/default_php8.rules
+++ b/config/default_php8.rules
@@ -97,34 +97,7 @@ sp.disable_function.function("is_callable").param("value").value("shell_exec").d
 sp.disable_function.function("is_callable").param("value").value("proc_open").drop();
 sp.disable_function.function("is_callable").param("value").value("passthru").drop();
-# Commenting sqli related stuff to improve performance.
+# Ghetto error-based sqli detection
-# TODO figure out why these functions can't be hooked at startup
-# Ghetto sqli hardening
-# sp.disable_function.function("mysql_query").param("query").value_r("/\\*").drop();
-# sp.disable_function.function("mysql_query").param("query").value_r("--").drop();
-# sp.disable_function.function("mysql_query").param("query").value_r("#").drop();
-# sp.disable_function.function("mysql_query").param("query").value_r(";.*;").drop();
-# sp.disable_function.function("mysql_query").param("query").value_r("benchmark").drop();
-# sp.disable_function.function("mysql_query").param("query").value_r("sleep").drop();
-# sp.disable_function.function("mysql_query").param("query").value_r("information_schema").drop();
-# sp.disable_function.function("mysqli_query").param("query").value_r("/\\*").drop();
-# sp.disable_function.function("mysqli_query").param("query").value_r("--").drop();
-# sp.disable_function.function("mysqli_query").param("query").value_r("#").drop();
-# sp.disable_function.function("mysqli_query").param("query").value_r(";.*;").drop();
-# sp.disable_function.function("mysqli_query").param("query").value_r("benchmark").drop();
-# sp.disable_function.function("mysqli_query").param("query").value_r("sleep").drop();
-# sp.disable_function.function("mysqli_query").param("query").value_r("information_schema").drop();
-# sp.disable_function.function("PDO::query").param("query").value_r("/\\*").drop();
-# sp.disable_function.function("PDO::query").param("query").value_r("--").drop();
-# sp.disable_function.function("PDO::query").param("query").value_r("#").drop();
-# sp.disable_function.function("PDO::query").param("query").value_r(";.*;").drop();
-# sp.disable_function.function("PDO::query").param("query").value_r("benchmark\\s*\\(").drop();
-# sp.disable_function.function("PDO::query").param("query").value_r("sleep\\s*\\(").drop();
-# sp.disable_function.function("PDO::query").param("query").value_r("information_schema").drop();
-# Ghetto sqli detection
 # sp.disable_function.function("mysql_query").ret("FALSE").drop();
 # sp.disable_function.function("mysqli_query").ret("FALSE").drop();
 # sp.disable_function.function("PDO::query").ret("FALSE").drop();
diff --git a/doc/source/features.rst b/doc/source/features.rst
index 2eebc88..25fd62d 100644
--- a/doc/source/features.rst
+++ b/doc/source/features.rst
@@ -480,15 +480,9 @@ to see that people are disabling it on production too.
 We're detecting/preventing this by not allowing the ``CURLOPT_SSL_VERIFYPEER`` and
 ``CURLOPT_SSL_VERIFYHOST`` options from being set to ``0``.
-*Cheap* SQL injections detection
+*Cheap* error-based SQL injections detection
-""""""""""""""""""""""""""""""""
+""""""""""""""""""""""""""""""""""""""""""""
-In some SQL injections, attackers might need to use comments, a feature that is
+If a function performing a SQL query returns ``FALSE``
-often not used in production system, so it might be a good idea to filter
-queries that contains some. The same filtering idea can be used against
-SQL functions that are frequently used in SQL injections, like ``sleep``, ``benchmark``
-or strings like ``version_info``.
-On the topic of SQL injections, if a function performing a query returns ``FALSE``
 (indicating an error), it might be useful to dump the request for further analysis.
author	jvoisin	2021-05-01 17:50:32 +0200
committer	jvoisin	2021-05-01 17:51:48 +0200
commit	73f764647baa7cdfb66eb6bf4b2feb96e190ef88 (patch)
tree	9761a2569ea32c0a47063da67f089669e25c9f65
parent	006026b492b119319219cd0e6eb2a6cbdb77c4e6 (diff)

diff --git a/config/default.rules b/config/default.rules index 05dd91d..74e1edb 100644 --- a/config/default.rules +++ b/config/default.rules
@@ -96,34 +96,7 @@ sp.disable_function.function("is_callable").param("var").value("shell_exec").dro
96	sp.disable_function.function("is_callable").param("var").value("proc_open").drop();	96	sp.disable_function.function("is_callable").param("var").value("proc_open").drop();
97	sp.disable_function.function("is_callable").param("var").value("passthru").drop();	97	sp.disable_function.function("is_callable").param("var").value("passthru").drop();
98		98
99	# Commenting sqli related stuff to improve performance.	99	# Ghetto error-based sqli detection
100	# TODO figure out why these functions can't be hooked at startup
101	# Ghetto sqli hardening
102	# sp.disable_function.function("mysql_query").param("query").value_r("/\\*").drop();
103	# sp.disable_function.function("mysql_query").param("query").value_r("--").drop();
104	# sp.disable_function.function("mysql_query").param("query").value_r("#").drop();
105	# sp.disable_function.function("mysql_query").param("query").value_r(";.*;").drop();
106	# sp.disable_function.function("mysql_query").param("query").value_r("benchmark").drop();
107	# sp.disable_function.function("mysql_query").param("query").value_r("sleep").drop();
108	# sp.disable_function.function("mysql_query").param("query").value_r("information_schema").drop();
109
110	# sp.disable_function.function("mysqli_query").param("query").value_r("/\\*").drop();
111	# sp.disable_function.function("mysqli_query").param("query").value_r("--").drop();
112	# sp.disable_function.function("mysqli_query").param("query").value_r("#").drop();
113	# sp.disable_function.function("mysqli_query").param("query").value_r(";.*;").drop();
114	# sp.disable_function.function("mysqli_query").param("query").value_r("benchmark").drop();
115	# sp.disable_function.function("mysqli_query").param("query").value_r("sleep").drop();
116	# sp.disable_function.function("mysqli_query").param("query").value_r("information_schema").drop();
117
118	# sp.disable_function.function("PDO::query").param("query").value_r("/\\*").drop();
119	# sp.disable_function.function("PDO::query").param("query").value_r("--").drop();
120	# sp.disable_function.function("PDO::query").param("query").value_r("#").drop();
121	# sp.disable_function.function("PDO::query").param("query").value_r(";.*;").drop();
122	# sp.disable_function.function("PDO::query").param("query").value_r("benchmark\\s*\\(").drop();
123	# sp.disable_function.function("PDO::query").param("query").value_r("sleep\\s*\\(").drop();
124	# sp.disable_function.function("PDO::query").param("query").value_r("information_schema").drop();
125
126	# Ghetto sqli detection
127	# sp.disable_function.function("mysql_query").ret("FALSE").drop();	100	# sp.disable_function.function("mysql_query").ret("FALSE").drop();
128	# sp.disable_function.function("mysqli_query").ret("FALSE").drop();	101	# sp.disable_function.function("mysqli_query").ret("FALSE").drop();
129	# sp.disable_function.function("PDO::query").ret("FALSE").drop();	102	# sp.disable_function.function("PDO::query").ret("FALSE").drop();


diff --git a/config/default_php8.rules b/config/default_php8.rules index fa3120e..427dcaf 100644 --- a/config/default_php8.rules +++ b/config/default_php8.rules
@@ -97,34 +97,7 @@ sp.disable_function.function("is_callable").param("value").value("shell_exec").d
97	sp.disable_function.function("is_callable").param("value").value("proc_open").drop();	97	sp.disable_function.function("is_callable").param("value").value("proc_open").drop();
98	sp.disable_function.function("is_callable").param("value").value("passthru").drop();	98	sp.disable_function.function("is_callable").param("value").value("passthru").drop();
99		99
100	# Commenting sqli related stuff to improve performance.	100	# Ghetto error-based sqli detection
101	# TODO figure out why these functions can't be hooked at startup
102	# Ghetto sqli hardening
103	# sp.disable_function.function("mysql_query").param("query").value_r("/\\*").drop();
104	# sp.disable_function.function("mysql_query").param("query").value_r("--").drop();
105	# sp.disable_function.function("mysql_query").param("query").value_r("#").drop();
106	# sp.disable_function.function("mysql_query").param("query").value_r(";.*;").drop();
107	# sp.disable_function.function("mysql_query").param("query").value_r("benchmark").drop();
108	# sp.disable_function.function("mysql_query").param("query").value_r("sleep").drop();
109	# sp.disable_function.function("mysql_query").param("query").value_r("information_schema").drop();
110
111	# sp.disable_function.function("mysqli_query").param("query").value_r("/\\*").drop();
112	# sp.disable_function.function("mysqli_query").param("query").value_r("--").drop();
113	# sp.disable_function.function("mysqli_query").param("query").value_r("#").drop();
114	# sp.disable_function.function("mysqli_query").param("query").value_r(";.*;").drop();
115	# sp.disable_function.function("mysqli_query").param("query").value_r("benchmark").drop();
116	# sp.disable_function.function("mysqli_query").param("query").value_r("sleep").drop();
117	# sp.disable_function.function("mysqli_query").param("query").value_r("information_schema").drop();
118
119	# sp.disable_function.function("PDO::query").param("query").value_r("/\\*").drop();
120	# sp.disable_function.function("PDO::query").param("query").value_r("--").drop();
121	# sp.disable_function.function("PDO::query").param("query").value_r("#").drop();
122	# sp.disable_function.function("PDO::query").param("query").value_r(";.*;").drop();
123	# sp.disable_function.function("PDO::query").param("query").value_r("benchmark\\s*\\(").drop();
124	# sp.disable_function.function("PDO::query").param("query").value_r("sleep\\s*\\(").drop();
125	# sp.disable_function.function("PDO::query").param("query").value_r("information_schema").drop();
126
127	# Ghetto sqli detection
128	# sp.disable_function.function("mysql_query").ret("FALSE").drop();	101	# sp.disable_function.function("mysql_query").ret("FALSE").drop();
129	# sp.disable_function.function("mysqli_query").ret("FALSE").drop();	102	# sp.disable_function.function("mysqli_query").ret("FALSE").drop();
130	# sp.disable_function.function("PDO::query").ret("FALSE").drop();	103	# sp.disable_function.function("PDO::query").ret("FALSE").drop();


diff --git a/doc/source/features.rst b/doc/source/features.rst index 2eebc88..25fd62d 100644 --- a/doc/source/features.rst +++ b/doc/source/features.rst
@@ -480,15 +480,9 @@ to see that people are disabling it on production too.
480	We're detecting/preventing this by not allowing the ``CURLOPT_SSL_VERIFYPEER`` and	480	We're detecting/preventing this by not allowing the ``CURLOPT_SSL_VERIFYPEER`` and
481	``CURLOPT_SSL_VERIFYHOST`` options from being set to ``0``.	481	``CURLOPT_SSL_VERIFYHOST`` options from being set to ``0``.
482		482
483	Cheap SQL injections detection	483	Cheap error-based SQL injections detection
484	""""""""""""""""""""""""""""""""	484	""""""""""""""""""""""""""""""""""""""""""""
485		485
486	In some SQL injections, attackers might need to use comments, a feature that is	486	If a function performing a SQL query returns ``FALSE``
487	often not used in production system, so it might be a good idea to filter
488	queries that contains some. The same filtering idea can be used against
489	SQL functions that are frequently used in SQL injections, like ``sleep``, ``benchmark``
490	or strings like ``version_info``.
491
492	On the topic of SQL injections, if a function performing a query returns ``FALSE``
493	(indicating an error), it might be useful to dump the request for further analysis.	487	(indicating an error), it might be useful to dump the request for further analysis.
494		488