关于ModSecurity的妙用
2021-08-04 16:13:45 Author: www.secpulse.com(查看原文) 阅读量:87 收藏

自建规则

0x00 序言

前一段时间一直在整理ModSecurity的内容,然后也算是整理了一部分,关于ModSecurity的作用以及手册的话建议参考

http://modsecurity.cn/

Begin

先看一下Modsecurity的规则库生成的规则内容

SecRule REQUEST_FILENAME "@beginsWith /admin" "chain,msg:测试,phase:2,deny,nolog,auditlog,id:450003,t:lowercase"
SecRule REQUEST_METHOD "^(?:POST)$" "chain,t:none"
SecRule REQUEST_BODY "@containsWord  id" "t:lowercase"
  • 请求的URI为"/admin"

  • 描述为"测试"

  • 请求方式为POST

  • 请求体中的参数为"id"

0x01  Apache Cocoon Xml 注入 CVE-2020-11991

防御规则链如下:

  • 规则设置请求方式为POST,在使用规则之前验证有效请求POST

  • 规则设置访问路径为“/v2/api/product/manger/getInfo"

  • 规则设置访问的数据传输的内容正则匹配是否存在system字段

    SecRule  REQUEST_METHOD "^POST$" "chain,msg: 'Apache Cocoon Xml Injection(CVE-2020-1191)',severity:ERROR,deny,status:404,id:xxx"
    SecRule REQUEST_URI "/v2/api/product/manger/getInfo" "chain"
    SecRule REQUEST_BODY:data "@rx (?!)system"

0x02 Apache Solr任意文件读取漏洞

防御规则链如下:

  • 规则设置请求方式为GET,在使用规则之前验证有效请求GET

  • 规则设置访问路径为“/solr/admin/cores?indexInfo=false&wt=json"

  • 规则设置检测data字段中有无file参数

    SecRule REQUEST_METHOD "^GET$" "chain,msg: 'Apache Solr 任意文件读取',severity:ERROR,deny,status:404,id:xxx"
    SecRule REQUEST_URI "/solr/admin/cores?indexInfo=false&wt=json" "chain"
    SecRule REQUEST_BODY:data "@rx /file\:/g"

0x03 ClusterEngineV4.0 RCE

防御规则链如下:

  • 规则设置请求方式为POST,在使用规则之前验证有效请求POST

  • 规则设置访问路径为“/login"

  • 规则设置检测请求体中有无username字段,并且检测是否存在特殊字符"$"

    SecRule REQUEST_FILENAME "@beginWith /login""chain,msg: 'ClusterEngineV4.0 RCE Attack(CVE-2020-21224)',severity:ERROR,deny,status:404,id:xxx"
    SecRule REQUEST_METHOD "^POST$" "chain"
    SecRule REQuest_BODY "@containsWord username" "chain"
    SecRule REQuest_BODY "@conatins \$"

0x04 Atlassian Jira 信息泄露漏洞 CVE-2020-14181

防御规则链如下:

  • 规则设置请求方式为GET,在使用规则之前验证有效请求GET

  • 规则设置访问路径为“/secure/ViewUserHover.jspa"

  • 规则设置检测请求体中有无username字段,以及匹配传入的参数username值

SecRule REQUEST_FILENAME "@beginWith /secure/ViewUserHover.jspa""chain,msg: 'Atlassian Jira information Link Attack(CVE-2020-14181)',severity:ERROR,deny,status:404,id:xxx"
SecRule REQUEST_METHOD "^GET$" "chain"
SecRule REQUEST_BODY "@containsWord username=[a-zA-Z_\-]+"

0x05 Elasticsearch Remote Code Execution CVE-2014-3120

  • 规则设置请求方式为POST,在使用规则之前验证有效请求POST

  • 规则设置访问路径为“/_search?pretty"

  • 规则设置访问的数据传输的内容正则匹配是否存在system字段以及"command"等

SecRule REQUEST_FILENAME "@beginWith /_search?pretty""chain,msg: 'Elasticsearch Remote Code Execution RCE Attack(CVE-2020-14181)',severity:ERROR,deny,status:404,id:xxx"
SecRule REQUEST_METHOD "^POST$" "chain"
SecRule REQUEST_BODY:data "@rx (?!)system|(?!)command|(?!)size|(?!)query"

Eyou Mail system RCE

  • 规则设置请求方式为POST,在使用规则之前验证有效请求POST

  • 规则设置访问路径为“/webadm/?q=moni_detail.do&action=gragh"

  • 规则设置匹配data内容是否有linx的相关命令字符

SecRule  REQUEST_METHOD "^POST$" "chain,msg: 'Eyou Mail system RCE',severity:ERROR,deny,status:404,id:xxx"
SecRule REQUEST_URI "/webadm/?q=moni_detail.do&action=gragh" "chain"
SecRule REQUEST_BODY:data "@rx (?!)system|(?!)ls|(?!)cat|\{/"

F5 BIG-IP代码执行漏洞(CVE-2021-22986)

  • 规则设置请求方式为POST,在使用规则之前验证有效请求POST

  • 规则设置访问路径为“/mgmt/tm/util/bash"

  • 规则设置匹配data内容是否有linx的相关命令字符command以及run等字符串以及"|"特殊字符

    SecRule  REQUEST_METHOD "^POST$" "chain,msg: 'BIG-IP代码执行漏洞(CVE-2021-22986) Attack',severity:ERROR,deny,status:404,id:xxx"
    SecRule REQUEST_URI "/mgmt/tm/util/bash" "chain"
    SecRule REQUEST_BODY:data "@rx (?!)command|(?!)run|\|/"

GitLab Graphql邮箱信息泄露漏洞(CVE-2020-26413)

  • 规则设置请求方式为POST,在使用规则之前验证有效请求POST

  • 规则设置访问路径为“/api/graphql"

  • 规则设置匹配data内容username以及email等字符串以及"{"特殊字符

    SecRule  REQUEST_METHOD "^POST$" "chain,msg: 'GitLab Graphql information Link',severity:ERROR,deny,status:404,id:xxx"
    SecRule REQUEST_URI "/api/graphql" "chain"
    SecRule REQUEST_BODY:data "@rx (?!)username&(?!)eamil&\{/"

H3C IMC远程命令执行

  • 规则设置请求方式为POST,在使用规则之前验证有效请求POST

  • 规则设置访问路径为"imc/javax.faces.resource/dynamiccontent.properties.xhtml"

  • 规则设置匹配data内容cmd

    SecRule  REQUEST_METHOD "^POST$" "chain,msg: 'H3C IMC远程命令执行',severity:ERROR,deny,status:404,id:xxx"
    SecRule REQUEST_URI "/imc/javax.faces.resource/dynamiccontent.properties.xhtml" "chain"
    SecRule REQUEST_BODY:data "@rx (?!)cmd"

JingHe OA C6 Default password

  • 规则设置请求方式为POST,在使用规则之前验证有效请求POST

  • 规则设置访问路径为"/C6/Jhsoft.Web.login/AjaxForLogin.aspx"

  • 规则设置匹配data内容存在base64(000000)即MDAwMDAw(或者存在关键词type=login&loginCode=YWRtaW4=&&pwd=MDAwMDAw)或者正则匹配type=login&loginCode=YWRtaW4=&&pwd=MDAwMDAw

    SecRule  REQUEST_METHOD "^POST$" "chain,msg: 'JingHe OA C6 Default password',severity:ERROR,deny,status:404,id:xxx"
    SecRule REQUEST_URI "/C6/Jhsoft.Web.login/AjaxForLogin.aspx" "chain"
    SecRule REQUEST_BODY "@containsWord type=login&loginCode=YWRtaW4=&&pwd=MDAwMDAw"

JingHe OA download.asp File read

  • 规则设置请求方式为GET,在使用规则之前验证有效请求GET

  • 规则设置访问路径为"/C6/Jhsoft.Web.module/testbill/dj/download.asp?filename=/c6/web.config"

  • 规则设置访问的参数filename后面跟随的路径

  • 设置规则只要读取文件就存在"."

    SecRule  REQUEST_METHOD "^GET$" "chain,msg: 'JingHe OA download.asp File read',severity:ERROR,deny,status:404,id:xxx"
    SecRule REQUEST_URI "/C6/Jhsoft.Web.login/AjaxForLogin.aspx" "chain"
    SecRule REQUEST_BODY "@contains filename" "chain"
    SecRule REQUEST_LINE "@rx (?!)filename\=\[a-Z.]+/"

极通EWEBS任意文件读取

  • 规则设置请求方式为POST,在使用规则之前验证有效请求POST

  • 规则设置访问路径为"/casmain.xgi"

  • 规则设置匹配访问的data中参数Language_S的值匹配特殊字符"."

  • 规则设置匹配Language_S的值以../开头

SecRule  REQUEST_METHOD "^POST$" "chain,msg: '极通EWEBS任意文件读取',severity:ERROR,deny,status:404,id:xxx"
SecRule REQUEST_URI "/casmain.xgi" "chain"
SecRule REQUEST_BODY "@cantains Language_S" "chain"
SecRule ARGS:/^\.\.\// Language_S

极通EWEBS phpinfo泄露

  • 规则设置请求方式为GET,在使用规则之前验证有效请求GET

  • 规则设置访问路径为"/testweb.php"

SecRule REQUEST_FILENAME "@beginWith /testweb.php" "chain,msg: '极通EWEBS phpinfo Link',severity:ERROR,deny,status:404,id:xxx"
SecRule  REQUEST_METHOD "^GET$"

Kingsoft V8 Arbitrary file read

  • 规则设置请求方式为GET,在使用规则之前验证有效请求GET

  • 规则设置访问路径为"/htmltopdf/downfile.php?filename=downfile.php"

SecRule REQUEST_URI "/htmltopdf/downfile.php?filename=downfile.php" "chain,msg:'Kingsoft V8 Arbitrary file read',severity:ERROR,deny,status:404,id:xxx"
SecRule  REQUEST_METHOD "^GET$"

总结

这里只是一部分根据网上的POC自己根据规则自建的,当然,没有与之匹配的环境这个规则也是无法使用的,,,,。但是扩展的思路倒是很多,看自己怎么使用了!!!

本文作者:Am1azi3ng

本文为安全脉搏专栏作者发布,转载请注明:https://www.secpulse.com/archives/163954.html


文章来源: https://www.secpulse.com/archives/163954.html
如有侵权请联系:admin#unsafe.sh