diff --git a/CHANGES b/CHANGES index 365edc0d4db..66df3c53499 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,7 @@ +7.1.0-dev.430 | 2024-10-29 14:08:25 +0100 + + * account for spaces encoding to plus signs in sqli regex detection (Cooper Grill) + 7.1.0-dev.428 | 2024-10-29 13:50:05 +0100 * fixed "-O gen-C++" naming of "when" captures to avoid ambiguities due to inlining (Vern Paxson, Corelight) diff --git a/VERSION b/VERSION index cef8d462ce3..716c313f7c9 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -7.1.0-dev.428 +7.1.0-dev.430 diff --git a/scripts/policy/protocols/http/detect-sqli.zeek b/scripts/policy/protocols/http/detect-sqli.zeek index 1a62c552fb5..ed1a687f29b 100644 --- a/scripts/policy/protocols/http/detect-sqli.zeek +++ b/scripts/policy/protocols/http/detect-sqli.zeek @@ -46,11 +46,11 @@ export { ## Regular expression is used to match URI based SQL injections. const match_sql_injection_uri = - /[\?&][^[:blank:]\x00-\x1f\|]+?=[\-[:alnum:]%]+([[:blank:]\x00-\x1f]|\/\*.*?\*\/)*['"]?([[:blank:]\x00-\x1f]|\/\*.*?\*\/|\)?;)+.*?([hH][aA][vV][iI][nN][gG]|[uU][nN][iI][oO][nN]|[eE][xX][eE][cC]|[sS][eE][lL][eE][cC][tT]|[dD][eE][lL][eE][tT][eE]|[dD][rR][oO][pP]|[dD][eE][cC][lL][aA][rR][eE]|[cC][rR][eE][aA][tT][eE]|[iI][nN][sS][eE][rR][tT])([[:blank:]\x00-\x1f]|\/\*.*?\*\/)+/ - | /[\?&][^[:blank:]\x00-\x1f\|]+?=[\-0-9%]+([[:blank:]\x00-\x1f]|\/\*.*?\*\/)*['"]?([[:blank:]\x00-\x1f]|\/\*.*?\*\/|\)?;)+([xX]?[oO][rR]|[nN]?[aA][nN][dD])([[:blank:]\x00-\x1f]|\/\*.*?\*\/)+['"]?(([^a-zA-Z&]+)?=|[eE][xX][iI][sS][tT][sS])/ - | /[\?&][^[:blank:]\x00-\x1f]+?=[\-0-9%]*([[:blank:]\x00-\x1f]|\/\*.*?\*\/)*['"]([[:blank:]\x00-\x1f]|\/\*.*?\*\/)*(-|=|\+|\|\|)([[:blank:]\x00-\x1f]|\/\*.*?\*\/)*([0-9]|\(?[cC][oO][nN][vV][eE][rR][tT]|[cC][aA][sS][tT])/ - | /[\?&][^[:blank:]\x00-\x1f\|]+?=([[:blank:]\x00-\x1f]|\/\*.*?\*\/)*['"]([[:blank:]\x00-\x1f]|\/\*.*?\*\/|;)*([xX]?[oO][rR]|[nN]?[aA][nN][dD]|[hH][aA][vV][iI][nN][gG]|[uU][nN][iI][oO][nN]|[eE][xX][eE][cC]|[sS][eE][lL][eE][cC][tT]|[dD][eE][lL][eE][tT][eE]|[dD][rR][oO][pP]|[dD][eE][cC][lL][aA][rR][eE]|[cC][rR][eE][aA][tT][eE]|[rR][eE][gG][eE][xX][pP]|[iI][nN][sS][eE][rR][tT])([[:blank:]\x00-\x1f]|\/\*.*?\*\/|[\[(])+[a-zA-Z&]{2,}/ - | /[\?&][^[:blank:]\x00-\x1f]+?=[^\.]*?([cC][hH][aA][rR]|[aA][sS][cC][iI][iI]|[sS][uU][bB][sS][tT][rR][iI][nN][gG]|[tT][rR][uU][nN][cC][aA][tT][eE]|[vV][eE][rR][sS][iI][oO][nN]|[lL][eE][nN][gG][tT][hH])\(/ + /[\?&][^[:blank:]\x00-\x1f\|\+]+?=[\-[:alnum:]%]+([[:blank:]\x00-\x1f\+]|\/\*.*?\*\/)*['"]?([[:blank:]\x00-\x1f\+]|\/\*.*?\*\/|\)?;)+.*?([hH][aA][vV][iI][nN][gG]|[uU][nN][iI][oO][nN]|[eE][xX][eE][cC]|[sS][eE][lL][eE][cC][tT]|[dD][eE][lL][eE][tT][eE]|[dD][rR][oO][pP]|[dD][eE][cC][lL][aA][rR][eE]|[cC][rR][eE][aA][tT][eE]|[iI][nN][sS][eE][rR][tT])([[:blank:]\x00-\x1f\+]|\/\*.*?\*\/)+/ + | /[\?&][^[:blank:]\x00-\x1f\|\+]+?=[\-0-9%]+([[:blank:]\x00-\x1f\+]|\/\*.*?\*\/)*['"]?([[:blank:]\x00-\x1f\+]|\/\*.*?\*\/|\)?;)+([xX]?[oO][rR]|[nN]?[aA][nN][dD])([[:blank:]\x00-\x1f\+]|\/\*.*?\*\/)+['"]?(([^a-zA-Z&]+)?=|[eE][xX][iI][sS][tT][sS])/ + | /[\?&][^[:blank:]\x00-\x1f\+]+?=[\-0-9%]*([[:blank:]\x00-\x1f\+]|\/\*.*?\*\/)*['"]([[:blank:]\x00-\x1f]|\/\*.*?\*\/)*(-|=|\+|\|\|)([[:blank:]\x00-\x1f\+]|\/\*.*?\*\/)*([0-9]|\(?[cC][oO][nN][vV][eE][rR][tT]|[cC][aA][sS][tT])/ + | /[\?&][^[:blank:]\x00-\x1f\|\+]+?=([[:blank:]\x00-\x1f\+]|\/\*.*?\*\/)*['"]([[:blank:]\x00-\x1f\+]|\/\*.*?\*\/|;)*([xX]?[oO][rR]|[nN]?[aA][nN][dD]|[hH][aA][vV][iI][nN][gG]|[uU][nN][iI][oO][nN]|[eE][xX][eE][cC]|[sS][eE][lL][eE][cC][tT]|[dD][eE][lL][eE][tT][eE]|[dD][rR][oO][pP]|[dD][eE][cC][lL][aA][rR][eE]|[cC][rR][eE][aA][tT][eE]|[rR][eE][gG][eE][xX][pP]|[iI][nN][sS][eE][rR][tT])([[:blank:]\x00-\x1f\+]|\/\*.*?\*\/|[\[(])+[a-zA-Z&]{2,}/ + | /[\?&][^[:blank:]\x00-\x1f\+]+?=[^\.]*?([cC][hH][aA][rR]|[aA][sS][cC][iI][iI]|[sS][uU][bB][sS][tT][rR][iI][nN][gG]|[tT][rR][uU][nN][cC][aA][tT][eE]|[vV][eE][rR][sS][iI][oO][nN]|[lL][eE][nN][gG][tT][hH])\(/ | /\/\*![[:digit:]]{5}.*?\*\// &redef; ## A hook that can be used to prevent specific requests from being counted diff --git a/testing/btest/Baseline/scripts.policy.protocols.http.sql-injection-plus-dvwa/http.log.cut b/testing/btest/Baseline/scripts.policy.protocols.http.sql-injection-plus-dvwa/http.log.cut new file mode 100644 index 00000000000..345a4837e7f --- /dev/null +++ b/testing/btest/Baseline/scripts.policy.protocols.http.sql-injection-plus-dvwa/http.log.cut @@ -0,0 +1,5 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. +uid method host uri tags +ClEkJM2Vm5giqnMf4h GET 192.168.111.154 /dvwa/vulnerabilities/sqli/?id=1'+OR+'1'='1&Submit=Submit HTTP::URI_SQLI +C4J4Th3PJpwUYZZ6gc GET 192.168.111.154 /dvwa/vulnerabilities/sqli/?id=1'+UNION+SELECT+NULL,+version()+#&Submit=Submit HTTP::URI_SQLI +CtPZjS20MLrsMUOJi2 GET 192.168.111.154 /dvwa/vulnerabilities/sqli/?id=2'+OR+'2'='2&Submit=Submit HTTP::URI_SQLI diff --git a/testing/btest/Baseline/scripts.policy.protocols.http.sql-injection-plus-dvwa/output b/testing/btest/Baseline/scripts.policy.protocols.http.sql-injection-plus-dvwa/output new file mode 100644 index 00000000000..06c5829847f --- /dev/null +++ b/testing/btest/Baseline/scripts.policy.protocols.http.sql-injection-plus-dvwa/output @@ -0,0 +1,4 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. +ClEkJM2Vm5giqnMf4h, [orig_h=192.168.111.148, orig_p=53796/tcp, resp_h=192.168.111.154, resp_p=80/tcp], {\x0a\x09HTTP::URI_SQLI\x0a} +C4J4Th3PJpwUYZZ6gc, [orig_h=192.168.111.148, orig_p=57524/tcp, resp_h=192.168.111.154, resp_p=80/tcp], {\x0a\x09HTTP::URI_SQLI\x0a} +CtPZjS20MLrsMUOJi2, [orig_h=192.168.111.148, orig_p=40112/tcp, resp_h=192.168.111.154, resp_p=80/tcp], {\x0a\x09HTTP::URI_SQLI\x0a} diff --git a/testing/btest/Traces/README b/testing/btest/Traces/README index 41c796d0df6..401a9063491 100644 --- a/testing/btest/Traces/README +++ b/testing/btest/Traces/README @@ -32,3 +32,6 @@ Trace Index/Sources: - pop3/POP3.pcap: Picked up from POP tutorial on tranalyzer.com https://tranalyzer.com/tutorial/pop https://tranalyzer.com/download/data/pop3.pcap +- http/cooper-grill-dvwa.pcapng + Provided by cooper-grill on #3995 + https://github.com/zeek/zeek/pull/3995 diff --git a/testing/btest/Traces/http/cooper-grill-dvwa.pcapng b/testing/btest/Traces/http/cooper-grill-dvwa.pcapng new file mode 100644 index 00000000000..b68eb250efb Binary files /dev/null and b/testing/btest/Traces/http/cooper-grill-dvwa.pcapng differ diff --git a/testing/btest/scripts/policy/protocols/http/test-sql-injection-regex.zeek b/testing/btest/scripts/policy/protocols/http/test-sql-injection-regex.zeek index eccb7a45c60..9e6f708260a 100644 --- a/testing/btest/scripts/policy/protocols/http/test-sql-injection-regex.zeek +++ b/testing/btest/scripts/policy/protocols/http/test-sql-injection-regex.zeek @@ -37,6 +37,8 @@ event zeek_init() add positive_matches["/index.php?id=22 /*!49999 and 1=2*/-- and 1=1"]; add positive_matches["/index.php?ID=59 and (select count(table_name) from user_tables)>0 and 1=1"]; add positive_matches["/index.php?ID=60 and exists (select * from [news])"]; + add positive_matches["?id=1'+OR+'1'='1"]; + add positive_matches["?id=1'+UNION+SELECT+NULL,+version()+#"]; # These are not detected currently. #add positive_matches["/index.asp?ARF_ID=(1/(1-(asc(mid(now(),18,1))\(2^7) mod 2)))"];