自建规则
0x00 序言
前一段时间一直在整理ModSecurity的内容,然后也算是整理了一部分,关于ModSecurity的作用以及手册的话建议参考
Begin
先看一下Modsecurity的规则库生成的规则内容
SecRule REQUEST_FILENAME "@beginsWith /admin" "chain,msg:测试,phase:2,deny,nolog,auditlog,id:450003,t:lowercase"
SecRule REQUEST_METHOD "^(?:POST)$" "chain,t:none"
SecRule REQUEST_BODY "@containsWord id" "t:lowercase"
-
请求的URI为"/admin"
-
描述为"测试"
-
请求方式为POST
-
请求体中的参数为"id"
0x01 Apache Cocoon Xml 注入 CVE-2020-11991
防御规则链如下:
-
规则设置请求方式为POST,在使用规则之前验证有效请求POST
-
规则设置访问路径为“/v2/api/product/manger/getInfo"
-
规则设置访问的数据传输的内容正则匹配是否存在system字段
SecRule REQUEST_METHOD "^POST$" "chain,msg: 'Apache Cocoon Xml Injection(CVE-2020-1191)',severity:ERROR,deny,status:404,id:xxx"
SecRule REQUEST_URI "/v2/api/product/manger/getInfo" "chain"
SecRule REQUEST_BODY:data "@rx (?!)system"
0x02 Apache Solr任意文件读取漏洞
防御规则链如下:
-
规则设置请求方式为GET,在使用规则之前验证有效请求GET
-
规则设置访问路径为“/solr/admin/cores?indexInfo=false&wt=json"
-
规则设置检测data字段中有无file参数
SecRule REQUEST_METHOD "^GET$" "chain,msg: 'Apache Solr 任意文件读取',severity:ERROR,deny,status:404,id:xxx"
SecRule REQUEST_URI "/solr/admin/cores?indexInfo=false&wt=json" "chain"
SecRule REQUEST_BODY:data "@rx /file\:/g"
0x03 ClusterEngineV4.0 RCE
防御规则链如下:
-
规则设置请求方式为POST,在使用规则之前验证有效请求POST
-
规则设置访问路径为“/login"
-
规则设置检测请求体中有无username字段,并且检测是否存在特殊字符"$"
SecRule REQUEST_FILENAME "@beginWith /login""chain,msg: 'ClusterEngineV4.0 RCE Attack(CVE-2020-21224)',severity:ERROR,deny,status:404,id:xxx"
SecRule REQUEST_METHOD "^POST$" "chain"
SecRule REQuest_BODY "@containsWord username" "chain"
SecRule REQuest_BODY "@conatins \$"
0x04 Atlassian Jira 信息泄露漏洞 CVE-2020-14181
防御规则链如下:
-
规则设置请求方式为GET,在使用规则之前验证有效请求GET
-
规则设置访问路径为“/secure/ViewUserHover.jspa"
-
规则设置检测请求体中有无username字段,以及匹配传入的参数username值
SecRule REQUEST_FILENAME "@beginWith /secure/ViewUserHover.jspa""chain,msg: 'Atlassian Jira information Link Attack(CVE-2020-14181)',severity:ERROR,deny,status:404,id:xxx"
SecRule REQUEST_METHOD "^GET$" "chain"
SecRule REQUEST_BODY "@containsWord username=[a-zA-Z_\-]+"
0x05 Elasticsearch Remote Code Execution CVE-2014-3120
-
规则设置请求方式为POST,在使用规则之前验证有效请求POST
-
规则设置访问路径为“/_search?pretty"
-
规则设置访问的数据传输的内容正则匹配是否存在system字段以及"command"等
SecRule REQUEST_FILENAME "@beginWith /_search?pretty""chain,msg: 'Elasticsearch Remote Code Execution RCE Attack(CVE-2020-14181)',severity:ERROR,deny,status:404,id:xxx"
SecRule REQUEST_METHOD "^POST$" "chain"
SecRule REQUEST_BODY:data "@rx (?!)system|(?!)command|(?!)size|(?!)query"
Eyou Mail system RCE
-
规则设置请求方式为POST,在使用规则之前验证有效请求POST
-
规则设置访问路径为“/webadm/?q=moni_detail.do&action=gragh"
-
规则设置匹配data内容是否有linx的相关命令字符
SecRule REQUEST_METHOD "^POST$" "chain,msg: 'Eyou Mail system RCE',severity:ERROR,deny,status:404,id:xxx"
SecRule REQUEST_URI "/webadm/?q=moni_detail.do&action=gragh" "chain"
SecRule REQUEST_BODY:data "@rx (?!)system|(?!)ls|(?!)cat|\{/"
F5 BIG-IP代码执行漏洞(CVE-2021-22986)
-
规则设置请求方式为POST,在使用规则之前验证有效请求POST
-
规则设置访问路径为“/mgmt/tm/util/bash"
-
规则设置匹配data内容是否有linx的相关命令字符command以及run等字符串以及"|"特殊字符
SecRule REQUEST_METHOD "^POST$" "chain,msg: 'BIG-IP代码执行漏洞(CVE-2021-22986) Attack',severity:ERROR,deny,status:404,id:xxx"
SecRule REQUEST_URI "/mgmt/tm/util/bash" "chain"
SecRule REQUEST_BODY:data "@rx (?!)command|(?!)run|\|/"
GitLab Graphql邮箱信息泄露漏洞(CVE-2020-26413)
-
规则设置请求方式为POST,在使用规则之前验证有效请求POST
-
规则设置访问路径为“/api/graphql"
-
规则设置匹配data内容username以及email等字符串以及"{"特殊字符
SecRule REQUEST_METHOD "^POST$" "chain,msg: 'GitLab Graphql information Link',severity:ERROR,deny,status:404,id:xxx"
SecRule REQUEST_URI "/api/graphql" "chain"
SecRule REQUEST_BODY:data "@rx (?!)username&(?!)eamil&\{/"
H3C IMC远程命令执行
-
规则设置请求方式为POST,在使用规则之前验证有效请求POST
-
规则设置访问路径为"imc/javax.faces.resource/dynamiccontent.properties.xhtml"
-
规则设置匹配data内容cmd
SecRule REQUEST_METHOD "^POST$" "chain,msg: 'H3C IMC远程命令执行',severity:ERROR,deny,status:404,id:xxx"
SecRule REQUEST_URI "/imc/javax.faces.resource/dynamiccontent.properties.xhtml" "chain"
SecRule REQUEST_BODY:data "@rx (?!)cmd"
JingHe OA C6 Default password
-
规则设置请求方式为POST,在使用规则之前验证有效请求POST
-
规则设置访问路径为"/C6/Jhsoft.Web.login/AjaxForLogin.aspx"
-
规则设置匹配data内容存在base64(000000)即MDAwMDAw(或者存在关键词type=login&loginCode=YWRtaW4=&&pwd=MDAwMDAw)或者正则匹配type=login&loginCode=YWRtaW4=&&pwd=MDAwMDAw
SecRule REQUEST_METHOD "^POST$" "chain,msg: 'JingHe OA C6 Default password',severity:ERROR,deny,status:404,id:xxx"
SecRule REQUEST_URI "/C6/Jhsoft.Web.login/AjaxForLogin.aspx" "chain"
SecRule REQUEST_BODY "@containsWord type=login&loginCode=YWRtaW4=&&pwd=MDAwMDAw"
JingHe OA download.asp File read
-
规则设置请求方式为GET,在使用规则之前验证有效请求GET
-
规则设置访问路径为"/C6/Jhsoft.Web.module/testbill/dj/download.asp?filename=/c6/web.config"
-
规则设置访问的参数filename后面跟随的路径
-
设置规则只要读取文件就存在"."
SecRule REQUEST_METHOD "^GET$" "chain,msg: 'JingHe OA download.asp File read',severity:ERROR,deny,status:404,id:xxx"
SecRule REQUEST_URI "/C6/Jhsoft.Web.login/AjaxForLogin.aspx" "chain"
SecRule REQUEST_BODY "@contains filename" "chain"
SecRule REQUEST_LINE "@rx (?!)filename\=\[a-Z.]+/"
极通EWEBS任意文件读取
-
规则设置请求方式为POST,在使用规则之前验证有效请求POST
-
规则设置访问路径为"/casmain.xgi"
-
规则设置匹配访问的data中参数Language_S的值匹配特殊字符"."
-
规则设置匹配Language_S的值以../开头
SecRule REQUEST_METHOD "^POST$" "chain,msg: '极通EWEBS任意文件读取',severity:ERROR,deny,status:404,id:xxx"
SecRule REQUEST_URI "/casmain.xgi" "chain"
SecRule REQUEST_BODY "@cantains Language_S" "chain"
SecRule ARGS:/^\.\.\// Language_S
极通EWEBS phpinfo泄露
-
规则设置请求方式为GET,在使用规则之前验证有效请求GET
-
规则设置访问路径为"/testweb.php"
SecRule REQUEST_FILENAME "@beginWith /testweb.php" "chain,msg: '极通EWEBS phpinfo Link',severity:ERROR,deny,status:404,id:xxx"
SecRule REQUEST_METHOD "^GET$"
Kingsoft V8 Arbitrary file read
-
规则设置请求方式为GET,在使用规则之前验证有效请求GET
-
规则设置访问路径为"/htmltopdf/downfile.php?filename=downfile.php"
SecRule REQUEST_URI "/htmltopdf/downfile.php?filename=downfile.php" "chain,msg:'Kingsoft V8 Arbitrary file read',severity:ERROR,deny,status:404,id:xxx"
SecRule REQUEST_METHOD "^GET$"
总结
这里只是一部分根据网上的POC自己根据规则自建的,当然,没有与之匹配的环境这个规则也是无法使用的,,,,。但是扩展的思路倒是很多,看自己怎么使用了!!!
本文作者:Am1azi3ng
本文为安全脉搏专栏作者发布,转载请注明:https://www.secpulse.com/archives/163954.html
如有侵权请联系:admin#unsafe.sh