# Apache ModSecurity rules for SQL injection (SQLi)
# Turns on blocking for every rule below. All rules share phase:1 + deny +
# status:403, so the first matching rule ends the request and later rules never run.
# NOTE(review): every rule inspects only REQUEST_URI with no transformation
# (e.g. t:urlDecodeUni), so request bodies, headers and cookies are not covered
# and percent-encoded payloads may not be seen — confirm against the engine
# version in use.
# NOTE(review): as rendered, the regexes show `[sv]`, `b`, `d`, `W`, `x5c` where
# `[\s\v]`, `\b`, `\d`, `\W`, `\x5c` would be expected; whether the backslashes
# were lost in the file or only in this rendering must be checked against the
# raw file before relying on any of the patterns.
# NOTE(review): rule 1242 (`!@streq %{TX.2}` with no rule ever setting TX.2) and
# rule 1250 (negated, anchored JWT pattern) look like orphaned halves of chained
# rules and would match every request, i.e. deny all traffic; the {2}/{3}
# special-character rules (1264, 1263) deny most query strings. Consider
# `SecRuleEngine DetectionOnly` until those are fixed.
# NOTE(review): ids 1229-1264 fall in the range the ModSecurity reference manual
# reserves for local/internal use; a distributed rule set should use its own range.
SecRuleEngine On
# 1232: ALTER <table> ... CHARACTER SET <charset>, or a quote followed by
# WAITFOR TIME/DELAY or by `;...:goto` — MSSQL/MySQL payload fragments.
# NOTE(review): `[sv]` reads as a literal s/v character class as rendered;
# `[\s\v]` is presumably intended — verify the raw file keeps its backslashes.
SecRule REQUEST_URI "\(\?i\)alter\[sv\]\*\?\[0\-9A\-Z_a\-z\]\+\.\*\?char\(\?:acter\)\?\[sv\]\+set\[sv\]\+\[0\-9A\-Z_a\-z\]\+\|\["'`\]\(\?:;\*\?\[sv\]\*\?waitfor\[sv\]\+\(\?:time\|delay\)\[sv\]\+\["'`\]\|;\.\*\?:\[sv\]\*\?goto\)" "id:1232,phase:1,deny,status:403,log,msg:'sqli attack detected'"
# 1238: leading or trailing quote/backtick/semicolon (classic injection probe).
# NOTE(review): the `^...` branch cannot match REQUEST_URI, which always starts
# with `/`; only the trailing-quote branch (`...'` at the end of the URI) is
# effective here.
SecRule REQUEST_URI "\(\?:\^s\*\["'`;\]\+\|\["'`\]\+s\*\$\)" "id:1238,phase:1,deny,status:403,log,msg:'sqli attack detected'"
# 1239: "word <op> word" tautology shape (a=b, a like b, a rlike b, ...),
# capturing both words.
# NOTE(review): this looks like the first half of a chained rule whose second
# half compares the two captured words (`chain`, `capture`, then `@streq %{TX.2}`
# on TX.1); on its own, with `\b(\w+)\b` on both sides of `=`, it matches any
# `name=value` query string. As rendered the `b` tokens have no backslash —
# verify the raw file.
SecRule REQUEST_URI "\(\?i\)\[sv"'\-\)`\]\*\?b\(\[0\-9A\-Z_a\-z\]\+\)b\[sv"'\-\)`\]\*\?\(\?:=\|<=>\|\(\?:sounds\[sv\]\+\)\?like\|glob\|r\(\?:like\|egexp\)\)\[sv"'\-\)`\]\*\?b\(\[0\-9A\-Z_a\-z\]\+\)b" "id:1239,phase:1,deny,status:403,log,msg:'sqli attack detected'"
# 1262: literal `';` anywhere in the URI (no operator given, so @rx is used).
SecRule REQUEST_URI "';" "id:1262,phase:1,deny,status:403,log,msg:'sqli attack detected'"
# 1229: libinjection SQLi detector (@detectSQLi) over the URI.
# NOTE(review): the detector is normally fed decoded input (t:urlDecodeUni,
# t:utf8toUnicode, t:removeNulls); with no transformation it may only see the
# encoded URI — confirm for the engine version in use.
SecRule REQUEST_URI "@detectSQLi" "id:1229,phase:1,deny,status:403,log,msg:'sqli attack detected'"
# 1230: sleep(<n>) / benchmark(<a>,<b>) time-based probes.
# NOTE(review): the parentheses after sleep/benchmark are regex groups unless
# escaped (`sleep\(\s*?\d*?\s*?\)`); as rendered the backslashes are absent, in
# which case any URI containing "sleep" or "benchmark" followed by a comma
# matches (e.g. a `/sleep-tips` path) — verify the raw file.
SecRule REQUEST_URI "\(\?i:sleep\(s\*\?d\*\?s\*\?\)\|benchmark\(\.\*\?,\.\*\?\)\)" "id:1230,phase:1,deny,status:403,log,msg:'sqli attack detected'"
# 1240: string-equality compare of the URI with the macro %{TX.2}.
# NOTE(review): no rule in this file has a `capture` action, so TX.2 is never
# set; this looks like the orphaned second half of a chained rule (the compare
# is meant for TX.1 after a capturing pattern). With TX.2 unset the macro expands
# to an empty string and a non-empty URI never equals it — remove or re-chain.
SecRule REQUEST_URI "@streq\ %\{TX\.2\}" "id:1240,phase:1,deny,status:403,log,msg:'sqli attack detected'"
# 1242: negated string-equality compare of the URI with %{TX.2}.
# NOTE(review): same orphaned-chain shape as the `@streq %{TX.2}` rule: no rule
# here populates TX.2, so the macro is empty and `!@streq` holds for every
# request — once evaluated, this rule denies all traffic. Remove or re-chain it
# behind a capturing pattern.
SecRule REQUEST_URI "!@streq\ %\{TX\.2\}" "id:1242,phase:1,deny,status:403,log,msg:'sqli attack detected'"
# 1247: `and <number|'string'> <comparison>` boolean-blind probes (and 1=1 style).
# NOTE(review): `bandb` reads as `\band\b` only if the backslashes were dropped
# in rendering; if the raw file really contains `bandb` the rule requires that
# literal text and will not fire on real payloads — verify.
SecRule REQUEST_URI "\(\?i\)bandb\(\?:\[sv\]\+\(\?:\[0\-9\]\{1,10\}\[sv\]\*\?\[<\->\]\|'\[\^=\]\{1,10\}'\)\|\ \?\(\?:\[0\-9\]\{1,10\}\|\["'\]\[\^=\]\{1,10\}\["'\]\)\ \?\[<\->\]\+\)" "id:1247,phase:1,deny,status:403,log,msg:'sqli attack detected'"
# 1256: libinjection SQLi detector (@detectSQLi) over the URI.
# NOTE(review): duplicate of rule 1229 (same variable, operator and actions);
# because 1229 already denies in phase 1, this rule can never add anything — drop it.
SecRule REQUEST_URI "@detectSQLi" "id:1256,phase:1,deny,status:403,log,msg:'sqli attack detected'"
# 1245: non-word/digit prefix at the start of the URI followed by ALTER or UNION.
# NOTE(review): `[Wd]`, `s*?` and the trailing `b` read as `[\W\d]`, `\s*?`, `\b`
# with backslashes dropped — verify the raw file.
SecRule REQUEST_URI "\(\?i:\^\[Wd\]\+s\*\?\(\?:alter\|union\)b\)" "id:1245,phase:1,deny,status:403,log,msg:'sqli attack detected'"
# 1259: eight SQL-special characters (quotes, operators, brackets, ...) spread
# through the URI — a character-anomaly heuristic, not a signature.
# NOTE(review): `=` and `&` are in the class, so a query string with four or
# more parameters reaches the threshold; this belongs in an anomaly score
# rather than a hard deny.
SecRule REQUEST_URI "\(\(\?:\[\~!@\#\$%\^\&\*\(\)\-\+=\{\}\[\]\|:;"'´’‘`<>\]\[\^\~!@\#\$%\^\&\*\(\)\-\+=\{\}\[\]\|:;"'´’‘`<>\]\*\?\)\{8\}\)" "id:1259,phase:1,deny,status:403,log,msg:'sqli attack detected'"
# 1248: names of dangerous stored procedures, functions and views (xp_cmdshell,
# sp_executesql, openrowset, utl_http, dbms_java, xp_reg*, ...).
# NOTE(review): substring match with no word boundary, so benign tokens such as
# "varchar" or "sp_help" inside a path or parameter also hit.
SecRule REQUEST_URI "\(\?i\)autonomous_transaction\|\(\?:current_use\|n\?varcha\|tbcreato\)r\|db\(\?:a_users\|ms_java\)\|open\(\?:owa_util\|query\|rowset\)\|s\(\?:p_\(\?:\(\?:addextendedpro\|sqlexe\)c\|execute\(\?:sql\)\?\|help\|is_srvrolemember\|makewebtask\|oacreate\|p\(\?:assword\|repare\)\|replwritetovarbin\)\|ql_\(\?:longvarchar\|variant\)\)\|utl_\(\?:file\|http\)\|xp_\(\?:availablemedia\|\(\?:cmdshel\|servicecontro\)l\|dirtree\|e\(\?:numdsn\|xecresultset\)\|filelist\|loginconfig\|makecab\|ntsec\(\?:_enumdomains\)\?\|reg\(\?:addmultistring\|delete\(\?:key\|value\)\|enum\(\?:key\|value\)s\|re\(\?:ad\|movemultistring\)\|write\)\|terminate\(\?:_process\)\?\)" "id:1248,phase:1,deny,status:403,log,msg:'sqli attack detected'"
# 1251: hexadecimal literal `0x` followed by three or more hex digits.
# NOTE(review): as rendered, `b0x` and `[a-fd]` read as `\b0x` and `[a-f\d]` with
# backslashes dropped; taken literally the rule needs a leading "b" and does not
# accept the digits 0-9 at all — verify the raw file.
SecRule REQUEST_URI "\(\?i:b0x\[a\-fd\]\{3,\}\)" "id:1251,phase:1,deny,status:403,log,msg:'sqli attack detected'"
# 1253: an unbalanced quote/backtick counted from the start of the URI, followed
# by a word (captured).
# NOTE(review): looks like the first half of a chained rule that then checks the
# captured word against a SQL keyword list; standalone it flags any URI with an
# odd number of quotes followed by text (an apostrophe in a search term suffices).
SecRule REQUEST_URI "\(\?i\)\^\(\?:\[\^'\]\*\?\(\?:'\[\^'\]\*\?'\[\^'\]\*\?\)\*\?'\|\[\^"\]\*\?\(\?:"\[\^"\]\*\?"\[\^"\]\*\?\)\*\?"\|\[\^`\]\*\?\(\?:`\[\^`\]\*\?`\[\^`\]\*\?\)\*\?`\)\[sv\]\*\(\[0\-9A\-Z_a\-z\]\+\)b" "id:1253,phase:1,deny,status:403,log,msg:'sqli attack detected'"
# 1255: backslash-escaped quote followed later by AND/OR (quote-escape bypass).
# NOTE(review): `x5c`, `s*` and `b` read as `\x5c`, `\s*`, `\b` with backslashes
# dropped; taken literally the rule needs the text "x5c" — verify the raw file.
SecRule REQUEST_URI "\^\.\*\?x5c\['"`\]\(\?:\.\*\?\['"`\]\)\?s\*\(\?:and\|or\)b" "id:1255,phase:1,deny,status:403,log,msg:'sqli attack detected'"
# 1250: negated match — fires when the URI is NOT a three-part base64url token
# (ey<...>.ey<...>.<...>, i.e. a JWT shape).
# NOTE(review): REQUEST_URI always starts with `/`, so this negated, anchored
# pattern is true for every request: as written the rule denies all traffic.
# It only makes sense against a variable that is expected to hold a JWT; chain
# it to such a variable or remove it.
SecRule REQUEST_URI "!@rx\ \^ey\[\-0\-9A\-Z_a\-z\]\+\.ey\[\-0\-9A\-Z_a\-z\]\+\.\[\-0\-9A\-Z_a\-z\]\+\$" "id:1250,phase:1,deny,status:403,log,msg:'sqli attack detected'"
# 1233: UNION ... SELECT ... FROM with arbitrary text in between.
# NOTE(review): the `.*?` spans are unbounded, so the three words may sit far
# apart in unrelated path/query segments; bounding the gaps or adding word
# boundaries would cut false positives.
SecRule REQUEST_URI "\(\?i\)union\.\*\?select\.\*\?from" "id:1233,phase:1,deny,status:403,log,msg:'sqli attack detected'"
# 1261: four consecutive characters matching `W`.
# NOTE(review): as rendered this matches the literal text "WWWW"; `\W{4}` (four
# non-word characters in a row) is the probable intent, which would also fire
# on benign URIs — verify the raw file and narrow the pattern either way.
SecRule REQUEST_URI "W\{4\}" "id:1261,phase:1,deny,status:403,log,msg:'sqli attack detected'"
# 1243: quote followed by a boolean/logical operator and a comparison ending in
# HAVING, LIKE with a quoted or numeric operand, or SELECT ... FROM.
# NOTE(review): `[sv]` reads as a literal s/v character class as rendered
# (`[\s\v]` expected) — verify the raw file keeps its backslashes.
SecRule REQUEST_URI "\(\?i\)\["'`\]\[sv\]\*\?\(\?:\(\?:and\|n\(\?:and\|ot\)\|\(\?:xx\?\)\?or\|div\|like\|between\|\|\|\|\&\&\)\[sv\]\+\[sv0\-9A\-Z_a\-z\]\+=\[sv\]\*\?\[0\-9A\-Z_a\-z\]\+\[sv\]\*\?having\[sv\]\+\|like\[\^0\-9A\-Z_a\-z\]\*\?\["'0\-9`\]\)\|\[0\-9A\-Z_a\-z\]\[sv\]\+like\[sv\]\+\["'`\]\|like\[sv\]\*\?\["'`\]%\|select\[sv\]\+\?\[sv"'\-\),\-\.0\-9A\-\[\]_\-z\]\+from\[sv\]\+" "id:1243,phase:1,deny,status:403,log,msg:'sqli attack detected'"
# 1254: URI consisting solely of "and" or "or".
# NOTE(review): REQUEST_URI always starts with `/`, so this anchored pattern can
# never match; it is only meaningful against an individual parameter value (ARGS).
SecRule REQUEST_URI "\^\(\?:and\|or\)\$" "id:1254,phase:1,deny,status:403,log,msg:'sqli attack detected'"
# 1246: OR / XOR followed by a number or quoted string and a comparison operator,
# or `' or <text> <op>` (boolean-blind probes).
# NOTE(review): `b(?:orb` reads as `\b(?:or\b` with backslashes dropped; if the
# raw file really has `borb` the rule requires that literal text — verify.
SecRule REQUEST_URI "\(\?i\)b\(\?:orb\(\?:\[sv\]\?\(\?:\[0\-9\]\{1,10\}\|\["'\]\[\^=\]\{1,10\}\["'\]\)\[sv\]\?\[<\->\]\+\|\[sv\]\+\(\?:\[0\-9\]\{1,10\}\|'\[\^=\]\{1,10\}'\)\(\?:\[sv\]\*\?\[<\->\]\)\?\)\|xorb\[sv\]\+\(\?:\[0\-9\]\{1,10\}\|'\[\^=\]\{1,10\}'\)\(\?:\[sv\]\*\?\[<\->\]\)\?\)\|'\[sv\]\+x\?or\[sv\]\+\.\{1,20\}\[!\+\-<\->\]" "id:1246,phase:1,deny,status:403,log,msg:'sqli attack detected'"
# 1231: URI equal to one of a fixed list of integer-overflow / float-boundary
# values (2147483648, 4294967296, 1e309, ...).
# NOTE(review): anchored with ^...$ against REQUEST_URI, which always starts
# with `/`, so it can never match; it belongs on individual parameter values (ARGS).
SecRule REQUEST_URI "\^\(\?i:\-0000023456\|4294967295\|4294967296\|2147483648\|2147483647\|0000012345\|\-2147483648\|\-2147483649\|0000023456\|2\.2250738585072007e\-308\|2\.2250738585072011e\-308\|1e309\)\$" "id:1231,phase:1,deny,status:403,log,msg:'sqli attack detected'"
# 1263: three SQL-special characters (quotes, operators, brackets, ...) spread
# through the URI — a character-anomaly heuristic.
# NOTE(review): `=` and `&` are in the class, so a two-parameter query string
# (`?a=1&b=2`) already reaches three; as a hard deny this blocks ordinary
# requests. A threshold this low belongs in an anomaly score, not a deny.
SecRule REQUEST_URI "\(\(\?:\[\~!@\#\$%\^\&\*\(\)\-\+=\{\}\[\]\|:;"'´’‘`<>\]\[\^\~!@\#\$%\^\&\*\(\)\-\+=\{\}\[\]\|:;"'´’‘`<>\]\*\?\)\{3\}\)" "id:1263,phase:1,deny,status:403,log,msg:'sqli attack detected'"
# 1241: "word <op> word" with a negated operator (!=, <>, is not, not like,
# not regexp, ...), capturing both words.
# NOTE(review): like the `=`/LIKE variant, this looks like the first half of a
# chained rule that compares the two captured words (`!@streq %{TX.2}` on TX.1);
# as rendered the `b` tokens lack the `\b` backslash — verify the raw file.
SecRule REQUEST_URI "\(\?i\)\[sv"'\-\)`\]\*\?b\(\[0\-9A\-Z_a\-z\]\+\)b\[sv"'\-\)`\]\*\?\(\?:!\[<\->\]\|<\[=\->\]\?\|>=\?\|\^\|is\[sv\]\+not\|not\[sv\]\+\(\?:like\|r\(\?:like\|egexp\)\)\)\[sv"'\-\)`\]\*\?b\(\[0\-9A\-Z_a\-z\]\+\)b" "id:1241,phase:1,deny,status:403,log,msg:'sqli attack detected'"
# 1235: CREATE FUNCTION ... RETURNS, or a semicolon followed by a DDL/DML
# keyword (alter, create, truncate, update, rename, delete, desc, drop, insert,
# select, load) and an identifier — stacked-query shape.
# NOTE(review): the `b` after the keyword group reads as `\b` with the backslash
# dropped — verify the raw file.
SecRule REQUEST_URI "\(\?i\)create\[sv\]\+function\[sv\]\.\+\[sv\]returns\|;\[sv\]\*\?\(\?:alter\|\(\?:\(\?:cre\|trunc\|upd\)at\|renam\)e\|d\(\?:e\(\?:lete\|sc\)\|rop\)\|\(\?:inser\|selec\)t\|load\)b\[sv\]\*\?\[\(\[\]\?\[0\-9A\-Z_a\-z\]\{2,\}" "id:1235,phase:1,deny,status:403,log,msg:'sqli attack detected'"
# 1237: `1.e(`, `1.e-`, `1.e)`, `1.e,` — numeric-literal parsing quirk used to
# hide injected syntax.
SecRule REQUEST_URI "\(\?i\)1\.e\[\(\-\),\]" "id:1237,phase:1,deny,status:403,log,msg:'sqli attack detected'"
# 1252: quote followed by a SQL operator keyword (is not, not like/in/null/
# between/glob/regexp/match, mod, div, sounds like) or an arithmetic/comparison
# symbol.
# NOTE(review): the symbol class includes `/`, `-`, `%` and `&`, so a quote
# followed by a path separator or a percent-encoded character (`'/`, `'%27`)
# also hits.
SecRule REQUEST_URI "\(\?i\)\["'`\]\[sv\]\*\?\(\?:\(\?:is\[sv\]\+not\|not\[sv\]\+\(\?:like\|glob\|\(\?:betwee\|i\)n\|null\|regexp\|match\)\|mod\|div\|sounds\[sv\]\+like\)b\|\[%\-\&\*\-\+\-/<\->\^\|\]\)" "id:1252,phase:1,deny,status:403,log,msg:'sqli attack detected'"
# 1249: twelve SQL-special characters spread through the URI — the highest of the
# character-anomaly thresholds in this set (the {8}, {6}, {3} and {2} siblings
# use the same class).
# NOTE(review): `=` and `&` are in the class, so six query parameters reach
# twelve; use as an anomaly-score contribution rather than a hard deny.
SecRule REQUEST_URI "\(\(\?:\[\~!@\#\$%\^\&\*\(\)\-\+=\{\}\[\]\|:;"'´’‘`<>\]\[\^\~!@\#\$%\^\&\*\(\)\-\+=\{\}\[\]\|:;"'´’‘`<>\]\*\?\)\{12\}\)" "id:1249,phase:1,deny,status:403,log,msg:'sqli attack detected'"
# 1236: first quote/backtick in the URI followed (after optional `[sv]`
# characters) by `;` — statement terminator after a string.
SecRule REQUEST_URI "\^\(\?:\[\^'\]\*'\|\[\^"\]\*"\|\[\^`\]\*`\)\[sv\]\*;" "id:1236,phase:1,deny,status:403,log,msg:'sqli attack detected'"
# 1234: SELECT pg_sleep / WAITFOR DELAY time-based probes, and `; shutdown`
# followed by a comment or terminator.
SecRule REQUEST_URI "\(\?i\)select\[sv\]\*\?pg_sleep\|waitfor\[sv\]\*\?delay\[sv\]\?\["'`\]\+\[sv\]\?\[0\-9\]\|;\[sv\]\*\?shutdown\[sv\]\*\?\(\?:\[\#;\{\]\|/\*\|\-\-\)" "id:1234,phase:1,deny,status:403,log,msg:'sqli attack detected'"
# 1260: six SQL-special characters spread through the URI — character-anomaly
# heuristic (same class as the {12}/{8}/{3}/{2} siblings).
# NOTE(review): three query parameters (`?a=1&b=2&c=3`) already yield five
# `=`/`&` characters, so ordinary requests sit right at this threshold.
SecRule REQUEST_URI "\(\(\?:\[\~!@\#\$%\^\&\*\(\)\-\+=\{\}\[\]\|:;"'´’‘`<>\]\[\^\~!@\#\$%\^\&\*\(\)\-\+=\{\}\[\]\|:;"'´’‘`<>\]\*\?\)\{6\}\)" "id:1260,phase:1,deny,status:403,log,msg:'sqli attack detected'"
# 1258: quote, optional whitespace/digits, a non-word character, then a digit
# and further text ending in a quote or digit — numeric/quote context switch.
# NOTE(review): `[sd]`, `[^ws]`, `W*?` and `d` read as `[\s\d]`, `[^\w\s]`,
# `\W*?`, `\d` with backslashes dropped; taken literally the rule matches very
# different text — verify the raw file.
SecRule REQUEST_URI "\["'`\]\[sd\]\*\?\[\^ws\]W\*\?dW\*\?\.\*\?\["'`d\]" "id:1258,phase:1,deny,status:403,log,msg:'sqli attack detected'"
# 1264: two SQL-special characters spread through the URI — the lowest
# character-anomaly threshold in this set.
# NOTE(review): `=` and `&` are in the class, so any URI with two parameters, or
# one parameter plus any other special character, is denied; this rule blocks
# most query strings and must not be a hard deny.
SecRule REQUEST_URI "\(\(\?:\[\~!@\#\$%\^\&\*\(\)\-\+=\{\}\[\]\|:;"'´’‘`<>\]\[\^\~!@\#\$%\^\&\*\(\)\-\+=\{\}\[\]\|:;"'´’‘`<>\]\*\?\)\{2\}\)" "id:1264,phase:1,deny,status:403,log,msg:'sqli attack detected'"
# 1257: HAVING clause preceded by non-word/digit/whitespace characters and
# followed by text.
# NOTE(review): `W+`, `d*?`, `s*?` and `bhavingb` read as `\W+`, `\d*?`, `\s*?`,
# `\bhaving\b` with backslashes dropped — verify the raw file.
SecRule REQUEST_URI "\(\?i\)W\+d\*\?s\*\?bhavingbs\*\?\[\^s\-\]" "id:1257,phase:1,deny,status:403,log,msg:'sqli attack detected'"
# 1244: compound signature — quote + boolean/logical operator + operand,
# backslash-escaped quote sequences (\x5c\x27, \x5c\x23, \x5c\x3d), `@var`
# followed by an operator, and references to information_schema / table_name.
# NOTE(review): `[sv]`, `x5cx` and the `b` tokens read as `[\s\v]`, `\x5c\x`,
# `\b` with backslashes dropped — verify the raw file.
SecRule REQUEST_URI "\(\?i\)\["'`\]\[sv\]\*\?b\(\?:x\?or\|div\|like\|between\|and\)b\[sv\]\*\?\["'`\]\?\[0\-9\]\|x5cx\(\?:2\[37\]\|3d\)\|\^\(\?:\.\?\["'`\]\$\|\["'x5c`\]\*\?\(\?:\["'0\-9`\]\+\|\[\^"'`\]\+\["'`\]\)\[sv\]\*\?b\(\?:and\|n\(\?:and\|ot\)\|\(\?:xx\?\)\?or\|div\|like\|between\|\|\|\|\&\&\)b\[sv\]\*\?\["'0\-9A\-Z_\-z\]\[!\&\(\-\)\+\-\.@\]\)\|\[\^sv0\-9A\-Z_a\-z\]\[0\-9A\-Z_a\-z\]\+\[sv\]\*\?\[\-\|\]\[sv\]\*\?\["'`\]\[sv\]\*\?\[0\-9A\-Z_a\-z\]\|@\(\?:\[0\-9A\-Z_a\-z\]\+\[sv\]\+\(\?:and\|x\?or\|div\|like\|between\)b\[sv\]\*\?\["'0\-9`\]\+\|\[\-0\-9A\-Z_a\-z\]\+\[sv\]\(\?:and\|x\?or\|div\|like\|between\)b\[sv\]\*\?\[\^sv0\-9A\-Z_a\-z\]\)\|\[\^sv0\-:A\-Z_a\-z\]\[sv\]\*\?\[0\-9\]\[\^0\-9A\-Z_a\-z\]\+\[\^sv0\-9A\-Z_a\-z\]\[sv\]\*\?\["'`\]\.\|\[\^0\-9A\-Z_a\-z\]information_schema\|table_name\[\^0\-9A\-Z_a\-z\]" "id:1244,phase:1,deny,status:403,log,msg:'sqli attack detected'"