Current File : //22_SQL_SQLi.conf

# ---------------------------------------------------------------
# Comodo ModSecurity Rules
# Copyright (C) 2022 Comodo Security solutions All rights reserved.
#
# The COMODO SECURITY SOLUTIONS Mod Security Rule Set is distributed under
# THE COMODO SECURITY SOLUTIONS END USER LICENSE AGREEMENT,
# Please see the enclosed LICENCE file for full details.
# ---------------------------------------------------------------
# This is a FILE CONTAINING CHANGED or MODIFIED RULES FROM THE:
# OWASP ModSecurity Core Rule Set (CRS)
# ---------------------------------------------------------------

SecRule &REQUEST_COOKIES:/^WHMCS/|&REQUEST_COOKIES:phpMyAdmin|TX:CWAF_modsec "!@eq 0" \
	"id:211500,msg:'COMODO WAF: Ignore WHMCS, phpMyAdmin and CWAF from base SQLi Attack Detection||%{tx.domain}|%{tx.mode}|2',phase:2,pass,nolog,skipAfter:'IGNORE_CRS_SQLi',rev:2,severity:2,tag:'CWAF',tag:'SQLi'"

SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|XML:/*|!ARGS:/body/|!ARGS:/content/|!ARGS:customized|!ARGS_NAMES:dynamic_object[object_type]|!ARGS:desc|!ARGS:/description/|!ARGS:/message/|!ARGS_NAMES:object_id|!ARGS_POST:object_id|!ARGS:/password/|!ARGS_NAMES:/password/|!ARGS_NAMES:/product_main_image_data\[\d+]\[object_id]/|!ARGS:Post|!ARGS:text|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|!ARGS:sql_query|!ARGS_NAMES:column_name|!ARGS_NAMES:object_type "(?i:\b(?:t(?:able_name\b|extpos[^a-zA-Z0-9_]{1,}\()|(?:a(?:ll_objects|tt(?:rel|typ)id)|column_(?:id|name)|mb_users|object_(?:id|(?:nam|typ)e)|pg_(?:attribute|class)|rownum|s(?:ubstr(?:ing){0,1}|ys(?:c(?:at|o(?:lumn|nstraint)s)|dba|ibm|(?:filegroup|object|(?:process|tabl)e)s))|user_(?:group|password|(?:ind_column|tab(?:_column|le)|user|(?:constrain|objec)t)s)|xtype[^a-zA-Z0-9_]{1,}\bchar)\b)|(?:\b(?:(?:instr|locate)[^a-zA-Z0-9_]{1,}\(|(?:attnotnull|c(?:harindex|onstraint_type)|m(?:sys(?:column|object|relationship|(?:ac|queri)e)s|ysql\.(db|user))|s(?:elect\b.{0,40}\b(?:ascii|substring|users{0,1})|ys\.(?:all_tables|tab|user_(?:c(?:atalog|onstraints)|(?:object|t(?:ab(?:_column|le)|rigger)|view)s)))|waitfor\b[^a-zA-Z0-9_]{0,}?\bdelay)\b)|@@spid\b))" \
	"id:211540,chain,msg:'COMODO WAF: Blind SQL Injection Attack||%{tx.domain}|%{tx.mode}|2',phase:2,capture,block,setvar:'tx.sqli_points=+%{tx.points_limit4}',setvar:'tx.points=+%{tx.points_limit4}',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',ctl:auditLogParts=+E,t:none,t:urlDecodeUni,rev:14,severity:2,tag:'CWAF',tag:'SQLi'"
SecRule REQUEST_URI "!@contains /wp-json/yoast/" \
	"t:none,t:normalizePath"

SecRule REQUEST_URI|ARGS_POST|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|XML:/*|!REQUEST_COOKIES:/__utm/ "@rx \s(sleep|benchmark|if)\s?\(" \
	"id:211630,chain,msg:'COMODO WAF: Detects blind sqli tests using sleep() or benchmark().||%{tx.domain}|%{tx.mode}|2',phase:2,block,logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',t:none,t:urlDecodeUni,t:htmlEntityDecode,t:removeComments,t:removeWhitespace,rev:5,severity:2,tag:'CWAF',tag:'SQLi'"
SecRule MATCHED_VAR "@rx (?:(?:select|;)?(?:benchmark|if|sleep)\(.)" \
	"setvar:'tx.sqli_points=+1',setvar:'tx.points=+%{tx.points_limit4}',t:none,t:urlDecodeUni,t:htmlEntityDecode,t:removeComments,t:removeWhitespace,t:lowercase"

SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|XML:/*|!ARGS:/body/|!ARGS:/content/|!ARGS:/description/|!ARGS:emailMsg|!ARGS:/message/|!ARGS:/tx_lang_tools_langlanguage/|!ARGS:Post|!ARGS:desc|!ARGS:nav-menu-data|!ARGS:selectedItemsJson|!ARGS:text|!ARGS:accommodations|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|!ARGS:sql_query|!ARGS:/^et_pb_contact_email_fields_/|!ARGS:tm_pb_contact_email_fields_0|!ARGS:search "@pm exec user database schema connection_id select union having iif into" \
	"id:211650,chain,msg:'COMODO WAF: Detects MSSQL code execution and information gathering attempts||%{tx.domain}|%{tx.mode}|2',phase:2,capture,block,setvar:'tx.sqli_points=+1',setvar:'tx.points=+%{tx.points_limit4}',logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',t:none,t:urlDecodeUni,rev:12,severity:2,tag:'CWAF',tag:'SQLi'"
SecRule MATCHED_VAR "@rx (?i:(?:[\x22'`](?:;? ?\b(?:having|select|union)\b ?[^\s]| ?! ?[\x22'`\w])|\b(?:c(?:onnection_id|urrent_user)|database)\b ?\(|\bunion\b[\w(\s]*?select\b|\buser ?\(|\bschema ?\(|\bselect.{0,399}?\w?\buser ?\(|\binto[\s+]+(?:dump|out)file ?[\x22'`]|\bexec(?:ute)?.{0,399}?\Wxp_cmdshell\b|\bfrom\W+information_schema\W|exec(?:ute)? ?master\.|\wiif ?\())" \
	"t:none,t:urlDecodeUni,t:htmlEntityDecode,t:removeComments,t:removeNulls,t:compressWhitespace"

SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|XML:/*|!ARGS:/body/|!ARGS:/content/|!ARGS:/description/|!ARGS:/message/|!ARGS:Post|!ARGS:desc|!ARGS:text|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|!ARGS:sql_query "(?i:(?:^(-0000023456|-2147483648|-2147483649|0000012345|0000023456|1e309|2147483648|2147483647|2.2.90738585072007e-308|4294967295|4294967296)$))" \
	"id:211680,msg:'COMODO WAF: Looking for integer overflow attacks||%{tx.domain}|%{tx.mode}|2',phase:2,capture,block,setvar:'tx.sqli_points=+1',setvar:'tx.points=+%{tx.points_limit4}',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',t:none,t:urlDecodeUni,rev:2,severity:2,tag:'CWAF',tag:'SQLi'"

SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|XML:/*|!ARGS:/body/|!ARGS:/content/|!ARGS:commentText|!ARGS:desc|!ARGS:/description/|!ARGS:/input/|!ARGS:/message/|!ARGS:Post|!ARGS:text|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|!ARGS:sql_query|!ARGS:keyword|!ARGS:fiets "@pm case like if" \
	"id:211700,chain,msg:'COMODO WAF: Detects conditional SQL injection attempts||%{tx.domain}|%{tx.mode}|2',phase:2,capture,block,setvar:'tx.sqli_points=+1',setvar:'tx.points=+%{tx.points_limit4}',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',t:none,t:removeComments,t:removeNulls,rev:10,severity:2,tag:'CWAF',tag:'SQLi'"
SecRule MATCHED_VAR "@rx (?i:[ ()]case ?\(|\) ?like ?\(|\bhaving ?[^\s]+ ?[^\w ]|\bif ?\([\d\w] ?[=<>~])" \
	"t:none,t:urlDecodeUni,t:htmlEntityDecode,t:removeComments,t:removeNulls,t:compressWhitespace"

SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@pm alter waitfor goto" \
	"id:211710,chain,msg:'COMODO WAF: Detects MySQL charset switch and MSSQL DoS attempts||%{tx.domain}|%{tx.mode}|2',phase:2,block,setvar:'tx.sqli_points=+1',setvar:'tx.points=+%{tx.points_limit4}',logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',t:none,rev:6,severity:2,tag:'CWAF',tag:'SQLi'"
SecRule MATCHED_VAR "@rx (?i:(?:[\x22'`](?:;*? ?waitfor (?:delay|time) [\x22'`]|;.{0,399}?: ?goto)|\balter ?\w+.{0,399}?\bcha(?:racte)?r set \w+))" \
	"setvar:'tx.sqli_points=+1',setvar:'tx.points=+%{tx.points_limit4}',t:none,t:urlDecodeUni,t:htmlEntityDecode,t:removeComments,t:removeNulls,t:compressWhitespace"

SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@pm merge execute match" \
	"id:211720,chain,msg:'COMODO WAF: Detects MATCH AGAINST, MERGE, EXECUTE IMMEDIATE injections||%{tx.domain}|%{tx.mode}|2',phase:2,block,logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',t:none,rev:6,severity:2,tag:'CWAF',tag:'SQLi'"
SecRule MATCHED_VAR "@rx (?i:(?:merge.{0,256}?using\s*?\()|(execute\s*?immediate\s*?[\x22'`])|(?:match\s*?[\w(),+-]+\s*?against\s*?\())" \
	"setvar:'tx.sqli_points=+1',setvar:'tx.points=+%{tx.points_limit4}',t:none,t:urlDecodeUni"

SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@pm select waitfor shutdown" \
	"id:211750,chain,msg:'COMODO WAF: Detects Postgres pg_sleep injection, waitfor delay attacks and database shutdown attempts||%{tx.domain}|%{tx.mode}|2',phase:2,block,logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',t:none,rev:4,severity:2,tag:'CWAF',tag:'SQLi'"
SecRule MATCHED_VAR "@rx (?i:(?:select\s*?pg_sleep)|(?:waitfor\s*?delay\s?[\x22'`]+\s?\d)|(?:;\s*?shutdown\s*?(?:;|--|#|\/\*|{)))" \
	"setvar:'tx.points=+%{tx.points_limit4}',setvar:'tx.sqli_points=+1',t:none,t:urlDecodeUni"

SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|XML:/*|!ARGS:/body/|!ARGS:/content/|!ARGS:/description/|!ARGS:/message/|!ARGS:Post|!ARGS:desc|!ARGS:text|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|!ARGS:sql_query "@rx (?i:(?:\[\$(?:ne|eq|lte?|gte?|n?in|mod|all|size|exists|type|slice|x?or|div|like|between|and)\]))" \
	"id:211760,msg:'COMODO WAF: Finds basic MongoDB SQL injection attempts||%{tx.domain}|%{tx.mode}|2',phase:2,capture,block,setvar:'tx.sqli_points=+1',setvar:'tx.points=+%{tx.points_limit4}',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',t:none,t:urlDecodeUni,t:htmlEntityDecode,t:removeComments,t:removeNulls,t:removeWhitespace,rev:4,severity:2,tag:'CWAF',tag:'SQLi'"

SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|XML:/*|!ARGS:/body/|!ARGS:/content/|!ARGS:/description/|!ARGS:/message/|!ARGS:Post|!ARGS:desc|!ARGS:text|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|!ARGS:sql_query "@pm procedure function declare open exec" \
	"id:211790,chain,msg:'COMODO WAF: Detects MySQL and PostgreSQL stored procedure/function injections||%{tx.domain}|%{tx.mode}|2',phase:2,capture,block,setvar:'tx.sqli_points=+1',setvar:'tx.points=+%{tx.points_limit4}',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',t:none,rev:3,severity:2,tag:'CWAF',tag:'SQLi'"
SecRule MATCHED_VAR "@rx (?i:(?:create (?:procedure|function) ?\w+ ?\( ?\) ?-|; ?(?:declare|open) [\w-]+|procedure analyse ?\(|declare[^\w]+[@#] ?\w+|exec ?\( ?\@))" \
	"t:none,t:urlDecodeUni,t:htmlEntityDecode,t:removeComments,t:removeNulls,t:compressWhitespace"

SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|XML:/*|!ARGS:/body/|!ARGS:/content/|!ARGS:commentText|!ARGS:desc|!ARGS:/description/|!ARGS:/message/|!ARGS:Post|!ARGS:text|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|!ARGS:sql_query "@rx (?i:(?:; ?(?:(?:(?:trunc|cre|upd)at|renam)e|(?:inser|selec)t|de(?:lete|sc)|alter|load) ?[\[(]?\b\w{2,}|\bcreate function .+ returns\b))" \
	"id:211820,msg:'COMODO WAF: Detects MySQL UDF injection and other data/structure manipulation attempts||%{tx.domain}|%{tx.mode}|2',phase:2,capture,block,setvar:'tx.sqli_points=+1',setvar:'tx.points=+%{tx.points_limit4}',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',t:none,t:urlDecodeUni,t:htmlEntityDecode,t:removeComments,t:removeNulls,t:compressWhitespace,rev:4,severity:2,tag:'CWAF',tag:'SQLi'"

SecRule REQUEST_URI|ARGS_POST|ARGS_NAMES|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|XML:/*|!ARGS:/body/|!ARGS:/content/|!ARGS:/description/|!ARGS:/fl_builder_data\[node_preview\]\[text\]/|!ARGS:/message/|!ARGS:Post|!ARGS:desc|!ARGS:text|!ARGS:text_message|!ARGS:yoast_wpseo_keywordsynonyms|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|!ARGS:sql_query|!ARGS:site_coordenacao|!REQUEST_COOKIES:sbjs_current "@rx [\[\]\x22',()\.]{10}$|\b(?:union\sall\sselect\s(?:(?:null|\d+),?)+|order\sby\s\d{1,4}|(?:and|or)\s\d{4}=\d{4}|waitfor\sdelay\s'\d+:\d+:\d+'|(?:select|and|or)\s(?:(?:pg_)?sleep\(\d+\)|\d+\s?=\s?(?:dbms_pipe\.receive_message\((?:chr\(\d+\)(?:\s?\|\|\s?)?)*,\d+\)|\(select\s\d+\sfrom\spg_sleep\(\d+\)\))))(?:\s?\b(?:and|or)\s\(?(?:(\d{4})=\1|'(\w{4})'='\2|'%'=')|--\s?\w*|#)$|\(select\s?\(case\swhen\s?\(\d+\s?=\s?\d+\)\sthen\s\d+\selse\s(?:0x[\0-9a-h]+|\d+)\send\)\)|(?:(?:\b(?:and|or)|&&|\|\|)\W+\(?'?(?:\w{1,4}|%)'?\)?(?:!?(?:=|<|>))\(?'?\w{0,4}'?\)?|\border\W+by\s\d+)(?:#|--\s?\w{0,4})?$|(\'\s?(?:or|and)\squarter\(null\)\s?is\snull;)" \
	"id:218500,msg:'COMODO WAF: SQLmap attack detected||%{tx.domain}|%{tx.mode}|2',phase:2,capture,block,setvar:'tx.sqli_points=+%{tx.points_limit4}',setvar:'tx.points=+%{tx.points_limit4}',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',ctl:auditLogParts=+E,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalizePath,t:compressWhiteSpace,t:lowercase,rev:18,severity:2,tag:'CWAF',tag:'SQLi'"

SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*|!ARGS:db "(?i:\b(?:m(?:s(?:ysaccessobjects|ysaces|ysobjects|ysqueries|ysrelationships|ysaccessstorage|ysaccessxml|ysmodules|ysmodules2|db)|aster\.\.sysdatabases|ysql\.db)\b|s(?:ys(?:\.database_name|aux)\b|chema(?:\W*\(|_name\b)|qlite(_temp)?_master\b)|d(?:atabas|b_nam)e\W*\(|information_schema\b|pg_(catalog|toast)\b|northwind\b|tempdb\b))" \
	"id:218530,msg:'COMODO WAF: SQL Injection Attack: Common DB Names Detected||%{tx.domain}|%{tx.mode}|2',phase:2,capture,block,setvar:'tx.points=+%{tx.points_limit4}',setvar:'tx.sqli_points=+1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',ctl:auditLogParts=+E,t:none,t:urlDecodeUni,rev:3,severity:2,tag:'CWAF',tag:'SQLi'"

SecMarker IGNORE_CRS_SQLi
SecRule REQUEST_URI|ARGS_POST|ARGS_NAMES|REQUEST_HEADERS:User-Agent|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|XML:/*|!ARGS:/body/|!ARGS:/content/|!ARGS:commentText|!ARGS:desc|!ARGS:/description/|!ARGS:/message/|!ARGS:Post|!ARGS:text|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|!ARGS:sql_query|!ARGS:keyword "@rx '(?:AND|OR)\d+?(?:\*\d+?){0,4}=\d+?(?:AND|OR)(\d+?)=\1" \
	"id:218570,msg:'COMODO WAF: SQLi vulnerability||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:removeWhitespace,rev:3,severity:2,tag:'CWAF',tag:'SQLi'"

SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|XML:/*|!ARGS:/body/|!ARGS:/content/|!ARGS:commentText|!ARGS:desc|!ARGS:/description/|!ARGS:/message/|!ARGS:Post|!ARGS:text|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|!ARGS:sql_query "@rx (?i:\/\*[!+](?:[\w\s=_\-()]+)?\*\/)" \
	"id:218580,msg:'COMODO WAF: MySQL in-line comment detected.||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,rev:1,severity:2,tag:'CWAF',tag:'SQLi'"