Merge pull request PHPIDS#62 from Awnage/master

lstrojny · lstrojny · commit c7b48e17b347 · 2014-05-31T13:41:19.000+02:00
Add converter and filter to fix sqli bypass
diff --git a/lib/IDS/Converter.php b/lib/IDS/Converter.php
@@ -662,6 +662,26 @@ public static function convertFromProprietaryEncodings($value)
         return $value;
     }
 
+  /**
+   * This method removes encoded sql # comments
+   *
+   * @param string $value the value to convert
+   *
+   * @static
+   * @return string
+   */
+    public static function convertFromUrlencodeSqlComment($value)
+    {
+        if (preg_match_all('/(?:\%23.*?\%0a)/im',$value,$matches)){
+            $converted = $value;
+            foreach($matches[0] as $match){
+                $converted = str_replace($match,' ',$converted);
+            }
+            $value .= "\n" . $converted;
+        }
+        return $value;
+    }
+
     /**
      * This method is the centrifuge prototype
      *
diff --git a/lib/IDS/default_filter.json b/lib/IDS/default_filter.json
@@ -916,6 +916,17 @@
           ]
         },
         "impact":"3"
+      },
+      {
+        "id":"78",
+        "rule":"(?:%23.*?%0a)",
+        "description":"Detects SQL comment filter evasion",
+        "tags":{
+          "tag":[
+            "format string"
+          ]
+        },
+        "impact":"4"
       }
     ]
   }
diff --git a/lib/IDS/default_filter.xml b/lib/IDS/default_filter.xml
@@ -2,7 +2,7 @@
     <filter>
         <id>1</id>
         <rule><![CDATA[(?:"[^"]*[^-]?>)|(?:[^\w\s]\s*\/>)|(?:>")]]></rule>
-        <description>finds html breaking injections including whitespace attacks</description>
+        <description>Finds html breaking injections including whitespace attacks</description>
         <tags>
             <tag>xss</tag>
             <tag>csrf</tag>
@@ -12,7 +12,7 @@
     <filter>
         <id>2</id>
         <rule><![CDATA[(?:"+.*[<=]\s*"[^"]+")|(?:"\s*\w+\s*=)|(?:>\w=\/)|(?:#.+\)["\s]*>)|(?:"\s*(?:src|style|on\w+)\s*=\s*")|(?:[^"]?"[,;\s]+\w*[\[\(])]]></rule>
-        <description>finds attribute breaking injections including whitespace attacks</description>
+        <description>Finds attribute breaking injections including whitespace attacks</description>
         <tags>
             <tag>xss</tag>
             <tag>csrf</tag>
@@ -22,7 +22,7 @@
     <filter>
         <id>3</id>
         <rule><![CDATA[(?:^>[\w\s]*<\/?\w{2,}>)]]></rule>
-        <description>finds unquoted attribute breaking injections</description>
+        <description>Finds unquoted attribute breaking injections</description>
         <tags>
             <tag>xss</tag>
             <tag>csrf</tag>
@@ -719,7 +719,7 @@
     <filter>
         <id>71</id>
         <rule><![CDATA[(?:[\s\d\/"]+(?:on\w+|style|poster|background)=[$"\w])|(?:-type\s*:\s*multipart)]]></rule>
-        <description>finds malicious attribute injection attempts and MHTML attacks</description>
+        <description>Finds malicious attribute injection attempts and MHTML attacks</description>
         <tags>
             <tag>xss</tag>
             <tag>csrf</tag>
@@ -768,11 +768,20 @@
     <filter>
         <id>77</id>
         <rule><![CDATA[(?:^(-0000023456|4294967295|4294967296|2147483648|2147483647|0000012345|-2147483648|-2147483649|0000023456|2.2250738585072007e-308|1e309)$)]]></rule>
-        <description>Looking for intiger overflow attacks, these are taken from skipfish, except 2.2250738585072007e-308 is the "magic number" crash</description>
+        <description>Looking for integer overflow attacks, these are taken from skipfish, except 2.2250738585072007e-308 is the "magic number" crash</description>
         <tags>
             <tag>sqli</tag>
             <tag>id</tag>
         </tags>
         <impact>3</impact>
     </filter>
+    <filter>
+        <id>78</id>
+        <rule><![CDATA[(?:%23.*?%0a)]]></rule>
+        <description>Detects SQL comment filter evasion</description>
+        <tags>
+            <tag>format string</tag>
+        </tags>
+        <impact>4</impact>
+    </filter>
 </filters>
diff --git a/tests/IDS/Tests/MonitorTest.php b/tests/IDS/Tests/MonitorTest.php
@@ -1041,14 +1041,15 @@ public function testSQLIList6()
                         select (select `user` from#
                         #cc
                         mysql.user limit 1)\'';
+        $exploits[] = 'id=(1 )and(0)union%23xDxD%0%23xDxD%0%23xDxD%0%23xDxD%0Aselect 1,database%23xDxD%0%23xDxD%0%23xDxD%0%23xDxD%0A(),3';
 
         $this->_testForPlainEvent($exploits);
 
         $test = new Monitor(
             $this->init
         );
         $result = $test->run($exploits);
-        $this->assertEquals(876, $result->getImpact());
+        $this->assertEquals(899, $result->getImpact());
     }
 
     public function testDTList()
@@ -1257,7 +1258,12 @@ public function testOctalCCConverter()
             $this->init
         );
         $result = $test->run($exploits);
-        $this->assertEquals(48, $result->getImpact());
+        if (function_exists('get_magic_quotes_gpc') and @get_magic_quotes_gpc()) {
+            $this->assertEquals(62, $result->getImpact());
+        }
+        else {
+            $this->assertEquals(48, $result->getImpact());
+        }
     }
 
     public function testHexCCConverter()

Original file line number	Diff line number	Diff line change
`@@ -916,6 +916,17 @@`
`916`	`916`	`]`
`917`	`917`	`},`
`918`	`918`	`"impact":"3"`
	`919`	`+ },`
	`920`	`+ {`
	`921`	`+ "id":"78",`
	`922`	`+ "rule":"(?:%23.*?%0a)",`
	`923`	`+ "description":"Detects SQL comment filter evasion",`
	`924`	`+ "tags":{`
	`925`	`+ "tag":[`
	`926`	`+ "format string"`
	`927`	`+ ]`
	`928`	`+ },`
	`929`	`+ "impact":"4"`
`919`	`930`	`}`
`920`	`931`	`]`
`921`	`932`	`}`