From 73f764647baa7cdfb66eb6bf4b2feb96e190ef88 Mon Sep 17 00:00:00 2001
From: jvoisin
Date: Sat, 1 May 2021 17:50:32 +0200
Subject: Improve our SQLI-related documentation and remove some useless rules

---
 config/default.rules | 29 +----------------------------
 config/default_php8.rules | 29 +----------------------------
 doc/source/features.rst | 12 +++--------
 3 files changed, 5 insertions(+), 65 deletions(-)

diff --git a/config/default.rules b/config/default.rules
index 05dd91d..74e1edb 100644
--- a/config/default.rules
+++ b/config/default.rules
@@ -96,34 +96,7 @@ sp.disable_function.function("is_callable").param("var").value("shell_exec").dro
 sp.disable_function.function("is_callable").param("var").value("proc_open").drop();
 sp.disable_function.function("is_callable").param("var").value("passthru").drop();
 
-# Commenting sqli related stuff to improve performance.
-# TODO figure out why these functions can't be hooked at startup
-# Ghetto sqli hardening
-# sp.disable_function.function("mysql_query").param("query").value_r("/\\*").drop();
-# sp.disable_function.function("mysql_query").param("query").value_r("--").drop();
-# sp.disable_function.function("mysql_query").param("query").value_r("#").drop();
-# sp.disable_function.function("mysql_query").param("query").value_r(";.*;").drop();
-# sp.disable_function.function("mysql_query").param("query").value_r("benchmark").drop();
-# sp.disable_function.function("mysql_query").param("query").value_r("sleep").drop();
-# sp.disable_function.function("mysql_query").param("query").value_r("information_schema").drop();
-
-# sp.disable_function.function("mysqli_query").param("query").value_r("/\\*").drop();
-# sp.disable_function.function("mysqli_query").param("query").value_r("--").drop();
-# sp.disable_function.function("mysqli_query").param("query").value_r("#").drop();
-# sp.disable_function.function("mysqli_query").param("query").value_r(";.*;").drop();
-# sp.disable_function.function("mysqli_query").param("query").value_r("benchmark").drop();
-# sp.disable_function.function("mysqli_query").param("query").value_r("sleep").drop();
-# sp.disable_function.function("mysqli_query").param("query").value_r("information_schema").drop();
-
-# sp.disable_function.function("PDO::query").param("query").value_r("/\\*").drop();
-# sp.disable_function.function("PDO::query").param("query").value_r("--").drop();
-# sp.disable_function.function("PDO::query").param("query").value_r("#").drop();
-# sp.disable_function.function("PDO::query").param("query").value_r(";.*;").drop();
-# sp.disable_function.function("PDO::query").param("query").value_r("benchmark\\s*\\(").drop();
-# sp.disable_function.function("PDO::query").param("query").value_r("sleep\\s*\\(").drop();
-# sp.disable_function.function("PDO::query").param("query").value_r("information_schema").drop();
-
-# Ghetto sqli detection
+# Ghetto error-based sqli detection
 # sp.disable_function.function("mysql_query").ret("FALSE").drop();
 # sp.disable_function.function("mysqli_query").ret("FALSE").drop();
 # sp.disable_function.function("PDO::query").ret("FALSE").drop();
diff --git a/config/default_php8.rules b/config/default_php8.rules
index fa3120e..427dcaf 100644
--- a/config/default_php8.rules
+++ b/config/default_php8.rules
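Review bot: The three `.ret("FALSE")` rules kept under the new `# Ghetto error-based sqli detection` header remain commented out and still end in `.drop()`, which aborts the request on any failed query, not only on an injection attempt — a transient database error or a legitimately failing statement takes the same path, so enabling them as written turns ordinary errors into a self-inflicted outage. The features.rst hunk in this same commit describes the feature as dumping the request for further analysis, so the retained examples should either use a logging/dump action, or the comment should say plainly that they are opt-in and intentionally blocking. A header comment such as `# Disabled by default: fires on every query that returns FALSE, including genuine errors; enable only with an action you can tolerate on false positives` would make that explicit. The same applies to the mirrored hunk in config/default_php8.rules below.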
@@ -97,34 +97,7 @@ sp.disable_function.function("is_callable").param("value").value("shell_exec").d
 sp.disable_function.function("is_callable").param("value").value("proc_open").drop();
 sp.disable_function.function("is_callable").param("value").value("passthru").drop();
 
-# Commenting sqli related stuff to improve performance.
-# TODO figure out why these functions can't be hooked at startup
-# Ghetto sqli hardening
-# sp.disable_function.function("mysql_query").param("query").value_r("/\\*").drop();
-# sp.disable_function.function("mysql_query").param("query").value_r("--").drop();
-# sp.disable_function.function("mysql_query").param("query").value_r("#").drop();
-# sp.disable_function.function("mysql_query").param("query").value_r(";.*;").drop();
-# sp.disable_function.function("mysql_query").param("query").value_r("benchmark").drop();
-# sp.disable_function.function("mysql_query").param("query").value_r("sleep").drop();
-# sp.disable_function.function("mysql_query").param("query").value_r("information_schema").drop();
-
-# sp.disable_function.function("mysqli_query").param("query").value_r("/\\*").drop();
-# sp.disable_function.function("mysqli_query").param("query").value_r("--").drop();
-# sp.disable_function.function("mysqli_query").param("query").value_r("#").drop();
-# sp.disable_function.function("mysqli_query").param("query").value_r(";.*;").drop();
-# sp.disable_function.function("mysqli_query").param("query").value_r("benchmark").drop();
-# sp.disable_function.function("mysqli_query").param("query").value_r("sleep").drop();
-# sp.disable_function.function("mysqli_query").param("query").value_r("information_schema").drop();
-
-# sp.disable_function.function("PDO::query").param("query").value_r("/\\*").drop();
-# sp.disable_function.function("PDO::query").param("query").value_r("--").drop();
-# sp.disable_function.function("PDO::query").param("query").value_r("#").drop();
-# sp.disable_function.function("PDO::query").param("query").value_r(";.*;").drop();
-# sp.disable_function.function("PDO::query").param("query").value_r("benchmark\\s*\\(").drop(); -# sp.disable_function.function("PDO::query").param("query").value_r("sleep\\s*\\(").drop(); -# sp.disable_function.function("PDO::query").param("query").value_r("information_schema").drop(); - -# Ghetto sqli detection +# Ghetto error-based sqli detection # sp.disable_function.function("mysql_query").ret("FALSE").drop(); # sp.disable_function.function("mysqli_query").ret("FALSE").drop(); # sp.disable_function.function("PDO::query").ret("FALSE").drop(); diff --git a/doc/source/features.rst b/doc/source/features.rst index 2eebc88..25fd62d 100644 --- a/doc/source/features.rst +++ b/doc/source/features.rst @@ -480,15 +480,9 @@ to see that people are disabling it on production too. We're detecting/preventing this by not allowing the ``CURLOPT_SSL_VERIFYPEER`` and ``CURLOPT_SSL_VERIFYHOST`` options from being set to ``0``. -*Cheap* SQL injections detection -"""""""""""""""""""""""""""""""" +*Cheap* error-based SQL injections detection +"""""""""""""""""""""""""""""""""""""""""""" -In some SQL injections, attackers might need to use comments, a feature that is -often not used in production system, so it might be a good idea to filter -queries that contains some. The same filtering idea can be used against -SQL functions that are frequently used in SQL injections, like ``sleep``, ``benchmark`` -or strings like ``version_info``. - -On the topic of SQL injections, if a function performing a query returns ``FALSE`` +If a function performing a SQL query returns ``FALSE`` (indicating an error), it might be useful to dump the request for further analysis. -- cgit v1.3
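Review bot: In default_php8.rules the retained `PDO::query` rule keyed on `.ret("FALSE")` is unlikely to match under a stock PHP 8 configuration, because PDO's default error mode there raises exceptions rather than returning `FALSE` (mysqli moved the same way in later 8.x releases, if I recall correctly), so the detection silently does nothing unless the application has switched back to silent error mode. That dependency is worth stating next to the rule, e.g. `# Only effective when PDO::ATTR_ERRMODE is PDO::ERRMODE_SILENT; PHP 8 defaults to exceptions`, with a similar caveat on the mysqli line, so readers of the PHP 8 file know what this section can and cannot catch.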