我有一个 PHP
脚本处理的回调从付款处理器。
如果查询字符串'结果'包含双破折号后面一个,我们得到一个403,如:
/index.php?result=A--B-(返回403)
/index.php?result=A-B-(正常)
/index.php?result=A-B--(正常)
/index.php?result=A--B(正常)
/index.php?result=A---B(返回403)
/index.php?result=A-B-C-(正常)
有关这个网站,也有的.htaccess
没有重写规则或 Apache的配置
。
加载的模块如下:
核心prefork http_core mod_so mod_auth_basic
mod_auth_digest的mod_authn_file模块mod_authn_alias
mod_authn_anon mod_authn_dbm mod_authn_default
mod_authz_host mod_authz_user mod_authz_owner
mod_authz_groupfile
mod_authz_dbm mod_authz_default util_ldap
mod_authnz_ldap模块mod_include负责mod_log_config mod_logio
mod_env mod_ext_filter mod_mime_magic模块mod_expires
mod_deflate模块mod_headers中mod_usertrack mod_setenvif
mod_mime mod_dav的mod_status模块mod_autoindex mod_info
mod_dav_fs mod_vhost_alias mod_negotiation模块
mod_dir mod_actions mod_speling mod_userdir mod_alias中
mod_rewrite的mod_cache的mod_suexec mod_disk_cache
mod_file_cache提供mod_mem_cache mod_cgi一样mod_version
mod_security2 mod_unique_id mod_php5了mod_ssl
解决方案
当然,它已被封锁的mod_security。
- 通常是在SQL一行注释的开始标志。有时,程序员使用用户输入(如$ _GET []数组)直接建立一个SQL查询,从而导致漏洞被称为SQL注入。
那么的mod_security会检查这样的字符串中的cookies,查询字符串和张贴的形式。一旦非法串发现,它会显示一个403 Forbidden错误。
如果您确实需要 - 在你的查询字符串,你确信你已经处理查询字符串正确(或你实际上并没有执行SQL查询),你可以从mod_security的删除该规则。
您可能会发现,在规则
MOD_SRCURITY_INSTALLATION_PATH / base_rules / modsecurity_crs_41_sql_injection_attacks.conf
MOD_SRCURITY_INSTALLATION_PATH取决于您的服务器环境。
您可能会发现不久
这样的规则 #
# - = [检测SQL注释序列] = -
#
和
#
# - = [PHPIDS - 转换SQLI过滤器] = -
#
#https://dev.itratos.de/projects/php-ids/repository/raw/trunk/lib/IDS/default_filter.xml
#
并对其进行修改 -
这包含字符串搜索规则。
因为它们都写在正则表达式,你应该先了解它。
I have a PHP
script which handles callbacks from a payment processor.
If the querystring 'result' contains double dashes followed by a single, we are getting a 403, e.g.
/index.php?result=A--B- (returns 403)
/index.php?result=A-B- (is OK)
/index.php?result=A-B-- (is OK)
/index.php?result=A--B (is OK)
/index.php?result=A---B (returns 403)
/index.php?result=A-B-C- (is OK)
For this site, there are no rewrite rules in .htaccess
or apache config
.
Loaded modules are as follows:
core prefork http_core mod_so mod_auth_basic
mod_auth_digest mod_authn_file mod_authn_alias
mod_authn_anon mod_authn_dbm mod_authn_default
mod_authz_host mod_authz_user mod_authz_owner
mod_authz_groupfile
mod_authz_dbm mod_authz_default util_ldap
mod_authnz_ldap mod_include mod_log_config mod_logio
mod_env mod_ext_filter mod_mime_magic mod_expires
mod_deflate mod_headers mod_usertrack mod_setenvif
mod_mime mod_dav mod_status mod_autoindex mod_info
mod_dav_fs mod_vhost_alias mod_negotiation
mod_dir mod_actions mod_speling mod_userdir mod_alias
mod_rewrite mod_cache mod_suexec mod_disk_cache
mod_file_cache mod_mem_cache mod_cgi mod_version
mod_security2 mod_unique_id mod_php5 mod_ssl
解决方案
Of course it has been blocked by mod_security.
"--" is usually the beginning flag of a line comment in SQL. Sometimes programmers use user input (like $_GET[] array) directly to build a SQL query, which leads to a vulnerability called SQL Injection.
So mod_security will check such string in cookies, querystring and posted form. Once illegal string found, it will display a 403 Forbidden error.
If you do need "--" in your querystring and you are sure that you have handle querystring properly (or you don't actually execute SQL queries) you can remove this rule from mod_security.
You may find the rule in
MOD_SRCURITY_INSTALLATION_PATH/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
MOD_SRCURITY_INSTALLATION_PATH depends on your server environment.
You may find such rules near
#
# -=[ Detect SQL Comment Sequences ]=-
#
and
#
# -=[ PHPIDS - Converted SQLI Filters ]=-
#
# https://dev.itratos.de/projects/php-ids/repository/raw/trunk/lib/IDS/default_filter.xml
#
Search rules that contain string --
and modify them.
Since they are all written in RegExp you should learn it first.
相关推荐
最新文章