diff --git a/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf b/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf
index b438b6bc5..c9cfac36c 100644
--- a/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf
+++ b/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf
@@ -250,7 +250,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
 # false positives in natural language or other contexts.
 # Examples: 'chr', 'eval'.
 # To mitigate false positives, a regexp looks for PHP function syntax, e.g. 'eval()'.
-# Regexp is generated from function names in util/regexp-assemble/data/933160.data
+# Regexp is generated from function names in util/regexp-assemble/data/933160.ra
 #
 # - Rule 933151: ~1300 words of lesser importance. This includes most PHP functions and keywords.
 # Examples: 'addslashes', 'array_diff'.
@@ -264,7 +264,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
 # Examples: 'abs', 'cos'.
 # To mitigate false positives, a regexp matches on function syntax, e.g. 'abs()'.
 # This rule only runs in paranoia level 3 or higher.
-# Regexp is generated from function names in util/regexp-assemble/data/933161.data
+# Regexp is generated from function names in util/regexp-assemble/data/933161.ra
 #
@@ -318,7 +318,9 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_F
 # system //comment \n (...)
 # system #comment \n (...)
 #
-# This rule is also triggered by the following exploit(s):
+# This rule is triggered by the following exploits as well,
+# as they include the string 'exec(...)':
+#
 # [ Apache Struts vulnerability CVE-2017-9791 - Exploit tested: https://www.exploit-db.com/exploits/42324 ]
 # [ Apache Struts vulnerability CVE-2018-11776 - Exploit tested: https://www.exploit-db.com/exploits/45260 ]
 # [ SAP CRM Java vulnerability CVE-2018-2380 - Exploit tested: https://www.exploit-db.com/exploits/44292 ]
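Review bot: The first two hunks repoint the comments at `util/regexp-assemble/data/933160.ra` and `util/regexp-assemble/data/933161.ra`, but no rename of the corresponding `.data` files appears anywhere in this diff, so the references dangle unless that rename landed in a separate commit; worth confirming before merge, since these comments are the only pointer a rule maintainer has to the generator input. If the rename is intentional but separate, a short mention in the commit message would save the next reader the search.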
diff --git a/tests/regression/tests/REQUEST-933-APPLICATION-ATTACK-PHP/933150.yaml b/tests/regression/tests/REQUEST-933-APPLICATION-ATTACK-PHP/933150.yaml
index dc2ab42d8..84559bbfe 100644
--- a/tests/regression/tests/REQUEST-933-APPLICATION-ATTACK-PHP/933150.yaml
+++ b/tests/regression/tests/REQUEST-933-APPLICATION-ATTACK-PHP/933150.yaml
@@ -525,3 +525,37 @@ tests:
 uri: /?a=exploration
 output:
 no_log_contains: id "933150"
+ - test_title: 933150-35
+ desc: |
+ PHP mixed case function call with space, LF between ().
+ payload: file_ExistS (\n\n)
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ User-Agent: "OWASP CRS test agent"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ method: GET
+ port: 80
+ uri: /get?foo=file_ExistS%20%28%0A%0A%29
+ output:
+ log_contains: id "933150"
+ - test_title: 933150-36
+ desc: |
+ PHP function call with multiple whitespaces.
+ payload: fopen (blah)
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ User-Agent: "OWASP CRS test agent"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ method: GET
+ port: 80
+ uri: /get?foo=fopen%20%20%28blah%29
+ output:
+ log_contains: id "933150"
diff --git a/tests/regression/tests/REQUEST-933-APPLICATION-ATTACK-PHP/933160.yaml b/tests/regression/tests/REQUEST-933-APPLICATION-ATTACK-PHP/933160.yaml
index 4796026f8..39089f54d 100644
--- a/tests/regression/tests/REQUEST-933-APPLICATION-ATTACK-PHP/933160.yaml
+++ b/tests/regression/tests/REQUEST-933-APPLICATION-ATTACK-PHP/933160.yaml
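Review bot: The two payloads added here, `file_ExistS (\n\n)` and `fopen  (blah)`, are exactly the URIs this same diff removes from 933160.yaml, but nothing in the new descs records why they now belong to 933150; a reader of a future failure has to diff both files to understand the move. If the reason is that file_exists and fopen are on the 933150 word list rather than the 933160 one, one line in each desc such as `moved from 933160.yaml: function is on the 933150 list` would make that explicit — hedged, since the list membership is not visible in this diff.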
@@ -6,23 +6,26 @@ meta:
 name: 933160.yaml
 tests:
 - test_title: 933160-1
- desc: function call regexp
+ desc: |
+ PHP function call in query.
+ payload: chr(123)
 stages:
 - stage:
 input:
- data: Shell%5fexec=bla
 dest_addr: 127.0.0.1
 headers:
 Host: localhost
 User-Agent: "OWASP CRS test agent"
 Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
- method: POST
+ method: GET
 port: 80
- uri: /?foo=chr%28123%29
+ uri: /get?foo=chr%28123%29
 output:
 log_contains: id "933160"
 - test_title: 933160-2
- desc: function call regexp
+ desc: |
+ PHP function call in body (mixed case).
+ payload: curl_iNit()
 stages:
 - stage:
 input:
@@ -34,11 +37,13 @@ tests:
 Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
 method: POST
 port: 80
- uri: /
+ uri: /post
 output:
 log_contains: id "933160"
 - test_title: 933160-3
- desc: function call regexp
+ desc: |
+ PHP function call with variable as parameter.
+ payload: eval($foo)
 stages:
 - stage:
 input:
@@ -50,11 +55,13 @@ tests:
 Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
 method: POST
 port: 80
- uri: /
+ uri: /post
 output:
 log_contains: id "933160"
 - test_title: 933160-4
- desc: function call regexp
+ desc: |
+ PHP function call, CR, ($variable).
+ payload: eval\r($foo)
 stages:
 - stage:
 input:
@@ -66,187 +73,200 @@ tests: Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 method: POST port: 80 - uri: /?foo=exec%0A%28%27bar%27%29 + uri: /post output: log_contains: id "933160" - test_title: 933160-5 - desc: function call regexp + desc: | + PHP function call, LF, ('value'). + payload: exec\n('bar') stages: - stage: input: - data: eval%0D%28%24foo%29 dest_addr: 127.0.0.1 headers: Host: localhost User-Agent: "OWASP CRS test agent" Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 - method: POST + method: GET port: 80 - uri: /?foo=FILE%0D%0A%28%29 + uri: /get?foo=exec%0A%28%27bar%27%29 output: log_contains: id "933160" - test_title: 933160-6 - desc: function call regexp + desc: | + PHP uppercase function call, CR, LF, (). + payload: FILE\r\n() stages: - stage: input: - data: eval%0D%28%24foo%29 dest_addr: 127.0.0.1 headers: Host: localhost User-Agent: "OWASP CRS test agent" Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 - method: POST + method: GET port: 80 - uri: /?foo=file_ExistS%20%28%0A%0A%29 + uri: /get?foo=FILE%0D%0A%28%29 output: log_contains: id "933160" - test_title: 933160-7 - desc: function call regexp + desc: | + PHP mixed case function call with space, LF between (). + payload: assert_OptionS (\n\n) stages: - stage: input: - data: eval%0D%28%24foo%29 dest_addr: 127.0.0.1 headers: Host: localhost User-Agent: "OWASP CRS test agent" Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 - method: POST + method: GET port: 80 - uri: /?foo=fopen%20%20%28blah%29 + uri: /get?foo=assert_OptionS%20%28%0A%0A%29 output: log_contains: id "933160" - test_title: 933160-8 - desc: '@ operator' + desc: | + PHP function call with multiple whitespaces. 
+ payload: filegroup (blah) stages: - stage: input: - data: eval%0D%28%24foo%29 dest_addr: 127.0.0.1 headers: Host: localhost User-Agent: "OWASP CRS test agent" Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 - method: POST + method: GET port: 80 - uri: /?foo=fopen%20%20%28blah%29 + uri: /get?foo=filegroup%20%20%28blah%29 output: log_contains: id "933160" - test_title: 933160-9 - desc: func\t() + desc: | + PHP function call using Error Control Operator. + payload: @filegroup('test') stages: - stage: input: - data: eval%0D%28%24foo%29 dest_addr: 127.0.0.1 headers: Host: localhost User-Agent: "OWASP CRS test agent" Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 - method: POST + method: GET port: 80 - uri: /?foo=fopen%20%20%28blah%29 + uri: /get?foo=%40filegroup%28%27test%27%29 output: log_contains: id "933160" - test_title: 933160-10 - desc: func//comment\r\n () + desc: | + PHP function call with vertical tab. + payload: filegroup (blah) stages: - stage: input: - data: eval%0D%28%24foo%29 dest_addr: 127.0.0.1 headers: Host: localhost User-Agent: "OWASP CRS test agent" Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 - method: POST + method: GET port: 80 - uri: /?foo=fopen%20%20%28blah%29 + uri: /get?foo=filegroup%09%28blah%29 output: log_contains: id "933160" - test_title: 933160-11 - desc: 'func #comment\n ()' + desc: | + PHP function call with comment and newline. 
+ payload: filegroup //comment\r\n (blah) stages: - stage: input: - data: eval%0D%28%24foo%29 dest_addr: 127.0.0.1 headers: Host: localhost User-Agent: "OWASP CRS test agent" Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 - method: POST + method: GET port: 80 - uri: /?foo=fopen%20%20%28blah%29 + uri: /get?foo=filegroup%20%2f%2fcomment%0d%0a%20%28blah%29 output: log_contains: id "933160" - test_title: 933160-12 - desc: func#\n () + desc: | + PHP function call with comment and newline. + payload: filegroup #comment\r\n (blah) stages: - stage: input: - data: eval%0D%28%24foo%29 dest_addr: 127.0.0.1 headers: Host: localhost User-Agent: "OWASP CRS test agent" Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 - method: POST + method: GET port: 80 - uri: /?foo=fopen%20%20%28blah%29 + uri: /get?foo=filegroup%20%23comment%0d%0a%20%28blah%29 output: log_contains: id "933160" - test_title: 933160-13 - desc: 'func \t #\n ()' + desc: | + PHP function call with comment and newline. + payload: filegroup#\n () stages: - stage: input: - data: eval%0D%28%24foo%29 dest_addr: 127.0.0.1 headers: Host: localhost User-Agent: "OWASP CRS test agent" Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 - method: POST + method: GET port: 80 - uri: /?foo=fopen%20%20%28blah%29 + uri: /get?foo=filegroup%23%0a%20%28blah%29 output: log_contains: id "933160" - test_title: 933160-14 - desc: func/*comment*/() + desc: | + PHP function call with comment, newline, and vertical tab. 
+ payload: filegroup \t #\n () stages: - stage: input: - data: eval%0D%28%24foo%29 dest_addr: 127.0.0.1 headers: Host: localhost User-Agent: "OWASP CRS test agent" Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 - method: POST + method: GET port: 80 - uri: /?foo=fopen%20%20%28blah%29 + uri: /get?foo=filegroup%20%09%20%23%0a%20%28%29 output: log_contains: id "933160" - test_title: 933160-15 - desc: func /*com*/ () + desc: | + PHP function call with c-style comment syntax. + payload: filegroup/*comment*/() stages: - stage: input: - data: eval%0D%28%24foo%29 dest_addr: 127.0.0.1 headers: Host: localhost User-Agent: "OWASP CRS test agent" Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 - method: POST + method: GET port: 80 - uri: /?foo=fopen%20%20%28blah%29 + uri: /get?foo=filegroup%2f%2acomment%2a%2f%28%29 output: log_contains: id "933160" - test_title: 933160-16 - desc: func \t/**/\t () + desc: | + PHP function call with c-style comment syntax and whitespaces. + payload: filegroup /*comment*/ () stages: - stage: input: 
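Review bot: The new descs of 933160-10 and 933160-14 say "vertical tab", but the URIs encode `%09`, which is a horizontal tab (`\t`); a vertical tab would be `%0B`. The same mislabel is in 933160-17 (next hunk) and 933160-19 (the hunk after that). Rewording 933160-10 to `PHP function call with horizontal tab (\t).` and the others accordingly keeps the desc consistent with what is actually sent. Separately, 933160-11, -12 and -13 all carry the identical desc `PHP function call with comment and newline.` although they exercise `//comment\r\n`, `#comment\r\n` and `#\n` respectively; naming the comment style in each makes a failing case self-explanatory. Several `payload:` lines in this hunk (933160-10 in particular) render the tab as plain whitespace, so it is hard to tell from the desc alone which control character is under test.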
@@ -258,23 +278,24 @@ tests:
 Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
 method: POST
 port: 80
- uri: /?foo=fopen%20%20%28blah%29
+ uri: /get?foo=filegroup%20%2f%2acomment%2a%2f%20%28%29
 output:
 log_contains: id "933160"
 - test_title: 933160-17
- desc: func\t/*foo\r\nbar*/\t (
+ desc: |
+ PHP function call with empry c-style comment syntax, whitespaces, and vertical tab.
+ payload: filegroup \t/**/\t ()
 stages:
 - stage:
 input:
- data: eval%0D%28%24foo%29
 dest_addr: 127.0.0.1
 headers:
 Host: localhost
 User-Agent: "OWASP CRS test agent"
 Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
- method: POST
+ method: GET
 port: 80
- uri: /?foo=fopen%20%20%28blah%29
+ uri: /get?foo=filegroup%20%09%2f%2a%2a%2f%09%20%28%29
 output:
 log_contains: id "933160"
 - test_title: 933160-18
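Review bot: `empry` in the new desc of 933160-17 is a typo for `empty`. Since the desc is the only human-readable explanation of the encoded URI, the line is better as `PHP function call with empty c-style comment syntax, whitespaces, and tab.` (the `%09` in the URI is a horizontal tab, not a vertical one).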
@@ -290,47 +311,50 @@ tests:
 Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
 method: POST
 port: 80
- uri: /strrev()
+ uri: /?foo=filegroup%20%20%28blah%29
 output:
 log_contains: id "933160"
 - test_title: 933160-19
- desc: func\t/*foo\r\nbar*/\t (
+ desc: |
+ PHP function call with c-style comment syntax containing newline, whitespaces and vertical tab.
+ payload: filegroup\t/*foo\r\nbar*/\t ()
 stages:
 - stage:
 input:
- data: eval%0D%28%24foo%29
 dest_addr: 127.0.0.1
 headers:
 Host: localhost
 User-Agent: "OWASP CRS test agent"
 Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
- method: POST
+ method: GET
 port: 80
- uri: /strREV%28%24x%29
+ uri: /get?foo=filegroup%09%2f%2afoo%0d%0abar%2a%2f%09%20%28%29
 output:
 log_contains: id "933160"
 - test_title: 933160-20
- desc: func\t/*foo\r\nbar*/\t (
+ desc: |
+ PHP function call in URI
+ payload: unpack()
 stages:
 - stage:
 input:
- data: eval%0D%28%24foo%29
 dest_addr: 127.0.0.1
 headers:
 Host: localhost
 User-Agent: "OWASP CRS test agent"
 Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
- method: POST
+ method: GET
 port: 80
- uri: /?x=eval%28chr%28112%29.chr%28104%29.chr%28112%29
+ uri: /get/unpack()
 output:
 log_contains: id "933160"
 - test_title: 933160-21
- desc: func\t/*foo\r\nbar*/\t (
+ desc: |
+ PHP function call in URI, using mixed case
+ payload: unPACK($x)
 stages:
 - stage:
 input:
- data: eval%0D%28%24foo%29
 dest_addr: 127.0.0.1
 headers:
 Host: localhost
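Review bot: 933160-18 is the one migrated test whose URI stays on the root path, `uri: /?foo=filegroup%20%20%28blah%29`, under an unchanged `method: POST` context line, while every other query-string case in this file is rewritten to `/get?foo=` with `method: GET`. Its payload is also byte-identical to 933160-8 (`filegroup%20%20%28blah%29`), so the old `/strrev()` false-positive case appears to have been replaced with a duplicate rather than a distinct case; the title and desc of 933160-18 sit outside this hunk, so this is inferred from the stage alone. If a duplicate is not intended, either give it a distinct payload or at least align it with its neighbours: `method: GET` and `uri: /get?foo=filegroup%20%20%28blah%29`.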
@@ -338,43 +362,47 @@ tests:
 Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
 method: POST
 port: 80
- uri: /eval(gzinflate(str_rot13(base64_decode("")
+ uri: /get/unPACK%28%24x%29
 output:
 log_contains: id "933160"
 - test_title: 933160-22
- desc: func\t/*foo\r\nbar*/\t (
+ desc: |
+ PHP function call in URI with concatenated string/functions
+ payload: eval(chr(112).chr(104).chr(112))
 stages:
 - stage:
 input:
- data: eval%0D%28%24foo%29
 dest_addr: 127.0.0.1
 headers:
 Host: localhost
 User-Agent: "OWASP CRS test agent"
 Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
- method: POST
+ method: GET
 port: 80
- uri: /eval%28base64_decode%28%27JGNoZWNrID...
+ uri: /get?x=eval%28chr%28112%29.chr%28104%29.chr%28112%29
 output:
 log_contains: id "933160"
 - test_title: 933160-23
- desc: func\t/*foo\r\nbar*/\t (
+ desc: |
+ PHP function call in URI
+ payload: eval(gzinflate(str_rot13(base64_decode("")
 stages:
 - stage:
 input:
- data: yt=eval%28%22echo+10000000000%2d245205634%3b%22%29%3b
 dest_addr: 127.0.0.1
 headers:
 Host: localhost
 User-Agent: "OWASP CRS test agent"
 Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
- method: POST
+ method: GET
 port: 80
- uri: /
+ uri: /get/eval(gzinflate(str_rot13(base64_decode("")
 output:
 log_contains: id "933160"
 - test_title: 933160-24
- desc: string function call
+ desc: |
+ PHP function call in URI, base64 encoded payload:
+ payload: /eval(base64_decode('JGNoZWNrID...
 stages:
 - stage:
 input:
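Review bot: The new desc of 933160-24 documents `payload: /eval(base64_decode('JGNoZWNrID...`, but the stage's URI on the new side (in the next hunk) is `/get/eval%28base64_decode%28%27cGFwYWRhcHVwaSwK%27%29`, so the desc still quotes the base64 string that this diff removes. The `payload:` line should show the decoded form of what is actually sent, e.g. `payload: /eval(base64_decode('cGFwYWRhcHVwaSwK')`. The heading line also ends in a stray colon (`base64 encoded payload:`), which reads as if a value were missing.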
@@ -385,15 +413,17 @@ tests:
 Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
 method: GET
 port: 80
- uri: /?foo=return%22system%22%28xyz%29.s
+ uri: /get/eval%28base64_decode%28%27cGFwYWRhcHVwaSwK%27%29
 output:
 log_contains: id "933160"
 - test_title: 933160-25
- desc: system - whoami in braces
+ desc: |
+ PHP function call in body
+ payload: eval("echo 10000000000-245205634;")
 stages:
 - stage:
 input:
- data: cmd=system(whoami)
+ data: yt=eval%28%22echo+10000000000%2d245205634%3b%22%29%3b
 dest_addr: 127.0.0.1
 headers:
 Host: localhost
@@ -401,15 +431,17 @@ tests:
 Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
 method: POST
 port: 80
- uri: /
+ uri: /post
 output:
 log_contains: id "933160"
 - test_title: 933160-26
- desc: system in braces - whoami in parentheses
+ desc: |
+ PHP function call in body
+ payload: imagexbm()
 stages:
 - stage:
 input:
- data: cmd=(system)(whoami)
+ data: imagexbm%28%29
 dest_addr: 127.0.0.1
 headers:
 Host: localhost
@@ -417,15 +449,17 @@ tests:
 Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
 method: POST
 port: 80
- uri: /
+ uri: /post
 output:
 log_contains: id "933160"
 - test_title: 933160-27
- desc: system call in single quotes and parentheses - whoami command in single quotes and parentheses
+ desc: |
+ PHP function call in body, mixed case
+ payload: ImaGeXbM()
 stages:
 - stage:
 input:
- data: cmd=('system')('whoami')
+ data: x=ImaGeXbM%28%20%29
 dest_addr: 127.0.0.1
 headers:
 Host: localhost
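Review bot: 933160-26 posts `data: imagexbm%28%29` with no parameter name, unlike 933160-27 and 933160-28, which post `x=...`; a urlencoded body with no `=` is normally parsed as an argument whose name is the whole string and whose value is empty, so this case exercises the argument-name target rather than an argument value, which is not what `PHP function call in body` suggests. If that is deliberate it deserves a word in the desc; otherwise `data: x=imagexbm%28%29` keeps the three body tests parallel.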
@@ -433,15 +467,17 @@ tests:
 Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
 method: POST
 port: 80
- uri: /
+ uri: /post
 output:
 log_contains: id "933160"
 - test_title: 933160-28
- desc: system call in double quotes and parentheses - whoami command in double quotes and parentheses
+ desc: |
+ PHP function call in body.
+ payload: unpack()
 stages:
 - stage:
 input:
- data: cmd=("system")("whoami")
+ data: x=unpack%28%20%29
 dest_addr: 127.0.0.1
 headers:
 Host: localhost
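Review bot: The desc of 933160-28 says `payload: unpack()`, but the body sent is `x=unpack%28%20%29`, i.e. `unpack( )` with a space inside the parentheses; 933160-27 in the previous hunk has the same mismatch (`ImaGeXbM%28%20%29` documented as `ImaGeXbM()`). Either the desc should read `payload: unpack( )` and mention the inner whitespace, since that is what distinguishes this case from a plain call, or the `%20` should be dropped from the data so the desc is accurate.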
@@ -449,10 +485,286 @@ tests: Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 method: POST port: 80 - uri: / + uri: /post output: log_contains: id "933160" - test_title: 933160-29 + desc: | + False Positive test, missing mandatory parenthesis + payload: /strrev( + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: GET + port: 80 + uri: /get/strrev( + output: + no_log_contains: id "933160" + - test_title: 933160-30 + desc: | + False Positive test, missing mandatory parenthesis + payload: eval + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: GET + port: 80 + uri: /get?foo=eval + output: + no_log_contains: id "933160" + - test_title: 933160-31 + desc: | + False Positive test + payload: the files (yep) + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: GET + port: 80 + uri: /get?foo=the%20files%20%28yep%29 + output: + no_log_contains: id "933160" + - test_title: 933160-32 + desc: | + False Positive test, missing mandatory parenthesis + payload: exec ( + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: GET + port: 80 + uri: /get?foo=exec%20%28 + output: + no_log_contains: id "933160" + - test_title: 933160-33 + desc: | + False Positive test + payload: executor() + stages: + 
- stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: /get?foo=executor%28%29 + output: + no_log_contains: id "933160" + - test_title: 933160-34 + desc: | + False Positive test + payload: cheval($foo) + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: GET + port: 80 + uri: /get?foo=cheval%28%24foo%29 + output: + no_log_contains: id "933160" + - test_title: 933160-35 + desc: | + False Positive test + payload: audiofile($foo) + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: GET + port: 80 + uri: /get?foo=audi%6ffile%28%24foo%29 + output: + no_log_contains: id "933160" + - test_title: 933160-36 + desc: | + False Positive test + payload: the system is down() + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: GET + port: 80 + uri: /get?foo=the%20system%20is%20down%28%29 + output: + no_log_contains: id "933160" + - test_title: 933160-37 + desc: | + False Positive test + payload: ecosystem() + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: GET + port: 80 + uri: /get?foo=ecosystem%28%29 + output: + no_log_contains: id "933160" + - 
test_title: 933160-38 + desc: | + False Positive test, function doesn't exist + payload: systems() + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: GET + port: 80 + uri: /get?foo=systems%28%29 + output: + no_log_contains: id "933160" + - test_title: 933160-39 + desc: | + False Positive test, function doesn't exist + payload: system something() + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: GET + port: 80 + uri: /get?foo=system%20something%28%29 + output: + no_log_contains: id "933160" + - test_title: 933160-40 + desc: | + PHP string function call + payload: return"system"(xyz).s + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: GET + port: 80 + uri: /get?foo=return%22system%22%28xyz%29.s + output: + log_contains: id "933160" + - test_title: 933160-41 + desc: | + PHP function call + payload: system(whoami) + stages: + - stage: + input: + data: cmd=system(whoami) + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: /post + output: + log_contains: id "933160" + - test_title: 933160-42 + desc: | + PHP function call + payload: (system)(whoami) + stages: + - stage: + input: + data: cmd=(system)(whoami) + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: 
text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: /post + output: + log_contains: id "933160" + - test_title: 933160-43 + desc: | + PHP function system call in single quotes and parentheses + payload: ('system')('whoami') + stages: + - stage: + input: + data: cmd=('system')('whoami') + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: /post + output: + log_contains: id "933160" + - test_title: 933160-44 + desc: | + PHP system call in double quotes and parentheses + payload: ("system")("whoami") + stages: + - stage: + input: + data: cmd=("system")("whoami") + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: /post + output: + log_contains: id "933160" + - test_title: 933160-45 desc: system call in double quotes and parentheses, multiple spaces after command stages: - stage:
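Review bot: 933160-33 sends `method: POST` against `uri: /get?foo=executor%28%29` with no `data:` block, while every other false-positive case in this hunk (933160-29 through -39) uses `method: GET`; the query string is still evaluated, but the odd method reads as a copy-paste slip and makes the case differ from its neighbours for no stated reason, so `method: GET` is the one-line fix. As a smaller point, 933160-35 encodes the payload as `audi%6ffile%28%24foo%29`, URL-encoding a single letter of the function name; if that is meant to check that the rule sees the decoded argument, the desc should say so, because otherwise it looks like a typo. The 933160-33 stage itself is split across the physical line boundary here, so the test is only partly visible at this anchor.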