( neutrino | 2024. 03. 01., p – 13:20 )

Ez az egyik, később még kikeresek pár tipikusat

# [ PHP Functions: Variable Function Prevent Bypass ]
#
# Referring to https://www.secjuice.com/php-rce-bypass-filters-sanitization-waf/
# the rule 933180 could be bypassed by using the following payloads:
#
# - (system)('uname')
# - (sy.(st).em)('uname')
# - (string)"system"('uname')
# - define('x', 'sys' . 'tem');(x)/* comment */('uname')
# - $y = 'sys'.'tem';($y)('uname')
# - define('z', [['sys' .'tem']]);(z)[0][0]('uname');
# - (system)(ls)
# - (/**/system)(ls/**/);
# - (['system'])[0]('uname');
# - (++[++system++][++0++])++{/*dsasd*/0}++(++ls++);
#
# This rule blocks all payloads above and avoids to block values like:
#
# - [ACME] this is a test (just a test)
# - Test (with two) rounded (brackets)
#
# How the pattern works (two alternatives):
#
#  1. A parenthesised/bracketed group `(...)` or `[...]`, then a run of
#     characters that may NOT contain letters ([0-9_.$"'[](){}/*\s]*), then
#     a second `(...)`. The "no letters in between" class is what keeps
#     `Test (with two) rounded (brackets)` from matching: the word `rounded`
#     sits between the two groups. It is also why `(x)/* comment */('uname')`
#     is caught: t:replaceComments turns the comment into a single space.
#  2. A PHP cast `(string)` followed by a quote, to cover
#     `(string)"system"('uname')`.
#
# Transformations are applied in the listed order: t:urlDecode is a second
# decode on top of the engine's own decoding of ARGS, so %2528...%2529 style
# double encoding is still normalised; t:replaceComments collapses /* */
# comments to one space; t:compressWhitespace squeezes whitespace runs.
#
# NOTE(review): false-positive caveat. Any two parenthesised groups with
# only whitespace, digits or punctuation between them satisfy alternative 1,
# e.g. the enumeration "(1) (2)" or "(a) (b)" in a free-text field, and this
# fires at PL1 with a CRITICAL score. Add a per-argument exclusion for such
# fields rather than lowering the rule's paranoia level.
#
# NOTE(review): the first character class includes ( ) [ ] themselves, so a
# value with many nested or repeated brackets makes the `+` quantifier
# backtrack before the mandatory closing `)`/`]`. In practice this is bounded
# by SecPcreMatchLimit / SecPcreMatchLimitRecursion -- worth confirming with
# a long bracket-heavy input if those limits were raised from their defaults.
#
# Only the listed targets are inspected (cookies except Google Analytics
# __utm* ones, cookie names, request filename, argument names/values and
# parsed XML). Request headers and request bodies that are not parsed into
# ARGS or XML by a body processor are not covered by this rule.
#
# ver is OWASP_CRS/3.2.0 -- check the current CRS release before copying
# this rule into another ruleset, as the pattern may have been tuned since.
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "@rx (?:(?:\(|\[)[a-zA-Z0-9_.$\"'\[\](){}/*\s]+(?:\)|\])[0-9_.$\"'\[\](){}/*\s]*\([a-zA-Z0-9_.$\"'\[\](){}/*\s].*\)|\([\s]*string[\s]*\)[\s]*(?:\"|'))" \
    "id:933210,\
    phase:2,\
    block,\
    capture,\
    t:none,t:urlDecode,t:replaceComments,t:compressWhitespace,\
    msg:'PHP Injection Attack: Variable Function Call Found',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-php',\
    tag:'platform-multi',\
    tag:'attack-injection-php',\
    tag:'paranoia-level/1',\
    tag:'OWASP_CRS',\
    tag:'OWASP_CRS/WEB_ATTACK/PHP_INJECTION',\
    tag:'OWASP_TOP_10/A1',\
    ctl:auditLogParts=+E,\
    ver:'OWASP_CRS/3.2.0',\
    severity:'CRITICAL',\
    setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"

# Paranoia-level gate: when the executing paranoia level is below 2, jump
# past the remaining (PL2+) rules of the PHP section. Two gates are needed,
# one for phase 1 and one for phase 2, because a skipAfter only takes effect
# within the phase in which it runs. Both are pass,nolog so the gate itself
# never scores or appears in the audit log.
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:933013,phase:1,pass,nolog,skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:933014,phase:2,pass,nolog,skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP"