Monday, May 16, 2022

[Research] XAMPP 7.4.29.0 and ModSecurity 2.9.5 (WAF, Web Application Firewall) installation test (Windows 2019)

2022-05-16

Introduction

[Research] ModSecurity 2.x and libModSecurity 3.x - Web Application Firewall (WAF)
https://shaurong.blogspot.com/2022/05/modsecurity-2x-libmodsecurity-3x-waf.html

Three pieces of software or packages are needed:

1.Apache HTTP Server (httpd) for Windows

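This post uses XAMPP; either 7.4.29 or 8.0.18 will do. Avoid 8.1.5: in an earlier test, its Apache HTTP Server could not be used directly after installation.

[Research] XAMPP 8.1.5 installation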
https://shaurong.blogspot.com/2022/05/xampp-815.html

XAMPP
https://www.apachefriends.org/zh_tw/download.html
Download xampp-windows-x64-7.4.29-0-VC15-installer.exe

2.WAF Modules for Apache HTTP Server for Windows

There is no official ready-to-use build.

Release v2.9.5 · SpiderLabs/ModSecurity · GitHub
https://github.com/SpiderLabs/ModSecurity/releases/tag/v2.9.5  

It can be downloaded from the Apache Lounge website
https://www.apachelounge.com/
Download mod_security-2.9.5-win64-VS16.zip

3.WAF Rules

OWASP ModSecurity Core Rule Set (CRS)
https://coreruleset.org/
Download coreruleset-3.3.2.zip

********************************************************************************
1. Install Apache Web Server for Windows

Download xampp-windows-x64-7.4.29-0-VC15-installer.exe and install it on Windows Server 2019.

Checking the C:\xampp\apache\modules directory shows that mod_security2.so is not there.

A separate test installing XAMPP 7.4.29.0 on Windows 10 in a VM also had no mod_security2.so.

********************************************************************************

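2. Install ModSecurity 2.9.5

Unzip mod_security-2.9.5-win64-VS16.zip and follow ReadMe.txt to install.

Copy mod_security2.so to the apache/modules directory (that is, C:\xampp\apache\modules).
Copy yajl.dll to the apache/bin directory (that is, C:\xampp\apache\bin).

Edit Apache's httpd.conf and add the following among the LoadModule lines:
LoadModule   security2_module modules/mod_security2.so
LoadModule   unique_id_module modules/mod_unique_id.so
Remember to restart Apache HTTPD after making the change.

(Figure below) Verify that it started successfully (not HTTPS)

It automatically redirects to

(Figure below) If startup fails, you can inspect the problem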


********************************************************************************

3. Install WAF Rules

Unzip coreruleset-3.3.2.zip and refer to the INSTALL file.

Create the C:\xampp\apache\conf\crs directory (add a crs directory under apache\conf).

Copy crs-setup.conf.example to C:\xampp\apache\conf\crs and rename it to crs-setup.conf.

Copy the rules directory to C:\xampp\apache\conf\crs\rules.

Rename RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example to

RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf

(that is, remove the .example extension)


Reference

https://github.com/SpiderLabs/ModSecurity/wiki

Edit httpd.conf and append the following at the end:

<IfModule mod_security2.c>
    SecRuleEngine On
    SecDataDir logs
    Include conf/crs/crs-setup.conf    
    Include conf/crs/rules/*.conf
</IfModule>

Save, close, and restart Apache Web Server.
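
A quick lint for the httpd.conf changes made in steps 2 and 3, as an added example (not part of the original post or of ModSecurity/CRS). The function names, finding codes and sample text are assumptions made for illustration; the checks rely on ModSecurity 2.x defaults, where SecRuleEngine and SecRequestBodyAccess are both Off unless set.

```python
# Constructed sample: only the lines this post adds to httpd.conf.
SAMPLE_HTTPD_CONF = """\
LoadModule   security2_module modules/mod_security2.so
LoadModule   unique_id_module modules/mod_unique_id.so

<IfModule mod_security2.c>
    SecRuleEngine On
    SecDataDir logs
    Include conf/crs/crs-setup.conf
    Include conf/crs/rules/*.conf
</IfModule>
"""


def directives(conf_text):
    """Yield (name, args) for each active directive.

    Comments and <Section> tags are skipped, so the file is treated as flat:
    <IfModule> conditions and backslash line continuations are not evaluated.
    """
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("<"):
            continue
        parts = line.split(None, 1)
        yield parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")


def check_modsec_conf(conf_text):
    """Return a list of (code, message) findings for this post's setup."""
    loaded, sec, includes = set(), {}, []
    for name, args in directives(conf_text):
        if name == "loadmodule" and args:
            loaded.add(args.split()[0])
        elif name in ("include", "includeoptional"):
            includes.append(args.strip('"').replace("\\", "/").lower())
        elif name.startswith("sec"):
            sec[name] = args.strip('"').lower()

    findings = []
    for mod, why in (("security2_module", "ModSecurity itself"),
                     ("unique_id_module", "required by ModSecurity 2.x")):
        if mod not in loaded:
            findings.append(("module-missing", f"{mod} is not loaded ({why})"))

    engine = sec.get("secruleengine", "off")  # default is Off
    if engine == "detectiononly":
        findings.append(("engine-detect-only", "rules log matches but never block"))
    elif engine != "on":
        findings.append(("engine-off", "SecRuleEngine is Off or unset: no rules run"))

    def first(suffix):
        return next((i for i, p in enumerate(includes) if p.endswith(suffix)), None)

    setup, rules = first("crs-setup.conf"), first("rules/*.conf")
    if setup is None or rules is None:
        findings.append(("crs-include-missing",
                         "crs-setup.conf and rules/*.conf must both be included"))
    elif setup > rules:
        findings.append(("crs-include-order",
                         "crs-setup.conf must be included before rules/*.conf"))

    if sec.get("secrequestbodyaccess", "off") != "on":  # default is Off
        findings.append(("body-not-inspected",
                         "SecRequestBodyAccess is not On: POST bodies are not inspected"))
    return findings


if __name__ == "__main__":
    for code, message in check_modsec_conf(SAMPLE_HTTPD_CONF):
        print(f"{code}: {message}")
```

For the configuration shown in this post the only finding is body-not-inspected: query-string parameters are checked, but request bodies are not buffered or inspected until SecRequestBodyAccess On is set.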

********************************************************************************

4. Testing

The web root is C:\xampp\htdocs, which contains index.php.

http://localhost:/index.php displays normally (tested above; it is http://localhost:/)

Try requesting

http://localhost/index.php?id=<script>alert(%27Hello%27);</script>

http://localhost/?abc=../../

View the contents of C:\xampp\apache\logs\error.log

[Mon May 16 11:07:43.972487 2022] [ssl:warn] [pid 3392:tid 536] AH01909: www.example.com:443:0 server certificate does NOT include an ID which matches the server name
[Mon May 16 11:07:43.988478 2022] [:notice] [pid 3392:tid 536] ModSecurity for Apache/2.9.5 (http://www.modsecurity.org/) configured.
[Mon May 16 11:07:43.988478 2022] [:notice] [pid 3392:tid 536] ModSecurity: APR compiled version="1.7.0"; loaded version="1.7.0"
[Mon May 16 11:07:43.988478 2022] [:notice] [pid 3392:tid 536] ModSecurity: PCRE compiled version="8.45 "; loaded version="8.45 2021-06-15"
[Mon May 16 11:07:43.988478 2022] [:notice] [pid 3392:tid 536] ModSecurity: LUA compiled version="Lua 5.2"
[Mon May 16 11:07:43.988478 2022] [:notice] [pid 3392:tid 536] ModSecurity: YAJL compiled version="2.1.0"
[Mon May 16 11:07:43.988478 2022] [:notice] [pid 3392:tid 536] ModSecurity: LIBXML compiled version="2.9.12"
[Mon May 16 11:07:43.988478 2022] [:notice] [pid 3392:tid 536] ModSecurity: Status engine is currently disabled, enable it by set SecStatusEngine to On.
[Mon May 16 11:07:44.066296 2022] [ssl:warn] [pid 3392:tid 536] AH01909: www.example.com:443:0 server certificate does NOT include an ID which matches the server name
[Mon May 16 11:07:44.097033 2022] [mpm_winnt:notice] [pid 3392:tid 536] AH00354: Child: Starting 150 worker threads.
[Mon May 16 11:08:26.997837 2022] [:error] [pid 3392:tid 2036] [client ::1:50046] [client ::1] ModSecurity: Warning. detected XSS using libinjection. [file "C:/xampp/apache/conf/crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "55"] [id "941100"] [msg "XSS Attack Detected via libinjection"] [data "Matched Data: XSS data found within ARGS:id: <script>alert('Hello');</script>"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.2"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-xss"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/242"] [hostname "localhost"] [uri "/index.php"] [unique_id "YoHAKlNAK70X1vcS-h5XhQAAAGs"]
[Mon May 16 11:08:26.997837 2022] [:error] [pid 3392:tid 2036] [client ::1:50046] [client ::1] ModSecurity: Warning. Pattern match "(?i)<script[^>]*>[\\\\s\\\\S]*?" at ARGS:id. [file "C:/xampp/apache/conf/crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "82"] [id "941110"] [msg "XSS Filter - Category 1: Script Tag Vector"] [data "Matched Data: <script> found within ARGS:id: <script>alert('Hello');</script>"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.2"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-xss"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/242"] [hostname "localhost"] [uri "/index.php"] [unique_id "YoHAKlNAK70X1vcS-h5XhQAAAGs"]
[Mon May 16 11:08:26.997837 2022] [:error] [pid 3392:tid 2036] [client ::1:50046] [client ::1] ModSecurity: Warning. Pattern match "(?i:(?:<\\\\w[\\\\s\\\\S]*[\\\\s\\\\/]|['\\"](?:[\\\\s\\\\S]*[\\\\s\\\\/])?)(?:on(?:d(?:e(?:vice(?:(?:orienta|mo)tion|proximity|found|light)|livery(?:success|error)|activate)|r(?:ag(?:e(?:n(?:ter|d)|xit)|(?:gestur|leav)e|start|drop|over)|op)|i(?:s(?:c(?:hargingtimechange ..." at ARGS:id. [file "C:/xampp/apache/conf/crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "199"] [id "941160"] [msg "NoScript XSS InjectionChecker: HTML Injection"] [data "Matched Data: <script found within ARGS:id: <script>alert('Hello');</script>"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.2"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-xss"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/242"] [hostname "localhost"] [uri "/index.php"] [unique_id "YoHAKlNAK70X1vcS-h5XhQAAAGs"]
[Mon May 16 11:08:26.997837 2022] [:error] [pid 3392:tid 2036] [client ::1:50046] [client ::1] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "C:/xampp/apache/conf/crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "93"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 15)"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.2"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "localhost"] [uri "/index.php"] [unique_id "YoHAKlNAK70X1vcS-h5XhQAAAGs"]
[Mon May 16 11:08:26.997837 2022] [:error] [pid 3392:tid 2036] [client ::1:50046] [client ::1] ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "C:/xampp/apache/conf/crs/rules/RESPONSE-980-CORRELATION.conf"] [line "91"] [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 15 - SQLI=0,XSS=15,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0): individual paranoia level scores: 15, 0, 0, 0"] [ver "OWASP_CRS/3.3.2"] [tag "event-correlation"] [hostname "localhost"] [uri "/index.php"] [unique_id "YoHAKlNAK70X1vcS-h5XhQAAAGs"]
[Mon May 16 11:08:27.513138 2022] [:error] [pid 3392:tid 2036] [client ::1:50046] [client ::1] ModSecurity: Warning. detected XSS using libinjection. [file "C:/xampp/apache/conf/crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "55"] [id "941100"] [msg "XSS Attack Detected via libinjection"] [data "Matched Data: XSS data found within ARGS:id: <script>alert('Hello');</script>"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.2"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-xss"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/242"] [hostname "localhost"] [uri "/index.php"] [unique_id "YoHAK1NAK70X1vcS-h5XhgAAAGs"]
[Mon May 16 11:08:27.513138 2022] [:error] [pid 3392:tid 2036] [client ::1:50046] [client ::1] ModSecurity: Warning. Pattern match "(?i)<script[^>]*>[\\\\s\\\\S]*?" at ARGS:id. [file "C:/xampp/apache/conf/crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "82"] [id "941110"] [msg "XSS Filter - Category 1: Script Tag Vector"] [data "Matched Data: <script> found within ARGS:id: <script>alert('Hello');</script>"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.2"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-xss"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/242"] [hostname "localhost"] [uri "/index.php"] [unique_id "YoHAK1NAK70X1vcS-h5XhgAAAGs"]
[Mon May 16 11:08:27.513138 2022] [:error] [pid 3392:tid 2036] [client ::1:50046] [client ::1] ModSecurity: Warning. Pattern match "(?i:(?:<\\\\w[\\\\s\\\\S]*[\\\\s\\\\/]|['\\"](?:[\\\\s\\\\S]*[\\\\s\\\\/])?)(?:on(?:d(?:e(?:vice(?:(?:orienta|mo)tion|proximity|found|light)|livery(?:success|error)|activate)|r(?:ag(?:e(?:n(?:ter|d)|xit)|(?:gestur|leav)e|start|drop|over)|op)|i(?:s(?:c(?:hargingtimechange ..." at ARGS:id. [file "C:/xampp/apache/conf/crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "199"] [id "941160"] [msg "NoScript XSS InjectionChecker: HTML Injection"] [data "Matched Data: <script found within ARGS:id: <script>alert('Hello');</script>"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.2"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-xss"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/242"] [hostname "localhost"] [uri "/index.php"] [unique_id "YoHAK1NAK70X1vcS-h5XhgAAAGs"]
[Mon May 16 11:08:27.513138 2022] [:error] [pid 3392:tid 2036] [client ::1:50046] [client ::1] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "C:/xampp/apache/conf/crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "93"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 15)"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.2"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "localhost"] [uri "/index.php"] [unique_id "YoHAK1NAK70X1vcS-h5XhgAAAGs"]
[Mon May 16 11:08:27.513138 2022] [:error] [pid 3392:tid 2036] [client ::1:50046] [client ::1] ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "C:/xampp/apache/conf/crs/rules/RESPONSE-980-CORRELATION.conf"] [line "91"] [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 15 - SQLI=0,XSS=15,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0): individual paranoia level scores: 15, 0, 0, 0"] [ver "OWASP_CRS/3.3.2"] [tag "event-correlation"] [hostname "localhost"] [uri "/index.php"] [unique_id "YoHAK1NAK70X1vcS-h5XhgAAAGs"]
[Mon May 16 11:08:27.762581 2022] [:error] [pid 3392:tid 2036] [client ::1:50046] [client ::1] ModSecurity: Warning. detected XSS using libinjection. [file "C:/xampp/apache/conf/crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "55"] [id "941100"] [msg "XSS Attack Detected via libinjection"] [data "Matched Data: XSS data found within ARGS:id: <script>alert('Hello');</script>"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.2"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-xss"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/242"] [hostname "localhost"] [uri "/index.php"] [unique_id "YoHAK1NAK70X1vcS-h5XhwAAAGs"]
[Mon May 16 11:08:27.762581 2022] [:error] [pid 3392:tid 2036] [client ::1:50046] [client ::1] ModSecurity: Warning. Pattern match "(?i)<script[^>]*>[\\\\s\\\\S]*?" at ARGS:id. [file "C:/xampp/apache/conf/crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "82"] [id "941110"] [msg "XSS Filter - Category 1: Script Tag Vector"] [data "Matched Data: <script> found within ARGS:id: <script>alert('Hello');</script>"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.2"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-xss"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/242"] [hostname "localhost"] [uri "/index.php"] [unique_id "YoHAK1NAK70X1vcS-h5XhwAAAGs"]
[Mon May 16 11:08:27.762581 2022] [:error] [pid 3392:tid 2036] [client ::1:50046] [client ::1] ModSecurity: Warning. Pattern match "(?i:(?:<\\\\w[\\\\s\\\\S]*[\\\\s\\\\/]|['\\"](?:[\\\\s\\\\S]*[\\\\s\\\\/])?)(?:on(?:d(?:e(?:vice(?:(?:orienta|mo)tion|proximity|found|light)|livery(?:success|error)|activate)|r(?:ag(?:e(?:n(?:ter|d)|xit)|(?:gestur|leav)e|start|drop|over)|op)|i(?:s(?:c(?:hargingtimechange ..." at ARGS:id. [file "C:/xampp/apache/conf/crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "199"] [id "941160"] [msg "NoScript XSS InjectionChecker: HTML Injection"] [data "Matched Data: <script found within ARGS:id: <script>alert('Hello');</script>"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.2"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-xss"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/242"] [hostname "localhost"] [uri "/index.php"] [unique_id "YoHAK1NAK70X1vcS-h5XhwAAAGs"]
[Mon May 16 11:08:27.762581 2022] [:error] [pid 3392:tid 2036] [client ::1:50046] [client ::1] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "C:/xampp/apache/conf/crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "93"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 15)"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.2"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "localhost"] [uri "/index.php"] [unique_id "YoHAK1NAK70X1vcS-h5XhwAAAGs"]
[Mon May 16 11:08:27.762581 2022] [:error] [pid 3392:tid 2036] [client ::1:50046] [client ::1] ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "C:/xampp/apache/conf/crs/rules/RESPONSE-980-CORRELATION.conf"] [line "91"] [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 15 - SQLI=0,XSS=15,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0): individual paranoia level scores: 15, 0, 0, 0"] [ver "OWASP_CRS/3.3.2"] [tag "event-correlation"] [hostname "localhost"] [uri "/index.php"] [unique_id "YoHAK1NAK70X1vcS-h5XhwAAAGs"]
[Mon May 16 11:08:28.763025 2022] [:error] [pid 3392:tid 2008] [client ::1:50047] [client ::1] ModSecurity: Warning. Pattern match "(?i)(?:\\\\x5c|(?:%(?:c(?:0%(?:[2aq]f|5c|9v)|1%(?:[19p]c|8s|af))|2(?:5(?:c(?:0%25af|1%259c)|2f|5c)|%46|f)|(?:(?:f(?:8%8)?0%8|e)0%80%a|bg%q)f|%3(?:2(?:%(?:%6|4)6|F)|5%%63)|u(?:221[56]|002f|EFC8|F025)|1u|5c)|0x(?:2f|5c)|\\\\/))(?:%(?:(?:f(?:(?:c%80|8)%8)?0%8 ..." at REQUEST_URI_RAW. [file "C:/xampp/apache/conf/crs/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf"] [line "47"] [id "930100"] [msg "Path Traversal Attack (/../)"] [data "Matched Data: /../ found within REQUEST_URI_RAW: /?abc=../../"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.2"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-lfi"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/255/153/126"] [hostname "localhost"] [uri "/"] [unique_id "YoHALFNAK70X1vcS-h5XiAAAAJU"]
[Mon May 16 11:08:28.763025 2022] [:error] [pid 3392:tid 2008] [client ::1:50047] [client ::1] ModSecurity: Warning. Pattern match "(?i)(?:\\\\x5c|(?:%(?:c(?:0%(?:[2aq]f|5c|9v)|1%(?:[19p]c|8s|af))|2(?:5(?:c(?:0%25af|1%259c)|2f|5c)|%46|f)|(?:(?:f(?:8%8)?0%8|e)0%80%a|bg%q)f|%3(?:2(?:%(?:%6|4)6|F)|5%%63)|u(?:221[56]|002f|EFC8|F025)|1u|5c)|0x(?:2f|5c)|\\\\/))(?:%(?:(?:f(?:(?:c%80|8)%8)?0%8 ..." at ARGS:abc. [file "C:/xampp/apache/conf/crs/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf"] [line "47"] [id "930100"] [msg "Path Traversal Attack (/../)"] [data "Matched Data: /../ found within ARGS:abc: ../../"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.2"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-lfi"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/255/153/126"] [hostname "localhost"] [uri "/"] [unique_id "YoHALFNAK70X1vcS-h5XiAAAAJU"]
[Mon May 16 11:08:28.763025 2022] [:error] [pid 3392:tid 2008] [client ::1:50047] [client ::1] ModSecurity: Warning. Pattern match "(?:^|[\\\\/])\\\\.\\\\.(?:[\\\\/]|$)" at REQUEST_URI. [file "C:/xampp/apache/conf/crs/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf"] [line "71"] [id "930110"] [msg "Path Traversal Attack (/../)"] [data "Matched Data: /../ found within REQUEST_URI: /?abc=../../"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.2"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-lfi"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/255/153/126"] [hostname "localhost"] [uri "/"] [unique_id "YoHALFNAK70X1vcS-h5XiAAAAJU"]
[Mon May 16 11:08:28.763025 2022] [:error] [pid 3392:tid 2008] [client ::1:50047] [client ::1] ModSecurity: Warning. Pattern match "(?:^|[\\\\/])\\\\.\\\\.(?:[\\\\/]|$)" at REQUEST_URI. [file "C:/xampp/apache/conf/crs/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf"] [line "71"] [id "930110"] [msg "Path Traversal Attack (/../)"] [data "Matched Data: /../ found within REQUEST_URI: /?abc=../../"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.2"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-lfi"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/255/153/126"] [hostname "localhost"] [uri "/"] [unique_id "YoHALFNAK70X1vcS-h5XiAAAAJU"]
[Mon May 16 11:08:28.763025 2022] [:error] [pid 3392:tid 2008] [client ::1:50047] [client ::1] ModSecurity: Warning. Pattern match "(?:^|[\\\\/])\\\\.\\\\.(?:[\\\\/]|$)" at ARGS:abc. [file "C:/xampp/apache/conf/crs/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf"] [line "71"] [id "930110"] [msg "Path Traversal Attack (/../)"] [data "Matched Data: ../ found within ARGS:abc: ../../"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.2"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-lfi"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/255/153/126"] [hostname "localhost"] [uri "/"] [unique_id "YoHALFNAK70X1vcS-h5XiAAAAJU"]
[Mon May 16 11:08:28.763025 2022] [:error] [pid 3392:tid 2008] [client ::1:50047] [client ::1] ModSecurity: Warning. Pattern match "(?:^|[\\\\/])\\\\.\\\\.(?:[\\\\/]|$)" at ARGS:abc. [file "C:/xampp/apache/conf/crs/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf"] [line "71"] [id "930110"] [msg "Path Traversal Attack (/../)"] [data "Matched Data: ../ found within ARGS:abc: ../../"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.2"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-lfi"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/255/153/126"] [hostname "localhost"] [uri "/"] [unique_id "YoHALFNAK70X1vcS-h5XiAAAAJU"]
[Mon May 16 11:08:28.763025 2022] [:error] [pid 3392:tid 2008] [client ::1:50047] [client ::1] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "C:/xampp/apache/conf/crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "93"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 30)"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.2"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "localhost"] [uri "/"] [unique_id "YoHALFNAK70X1vcS-h5XiAAAAJU"]
[Mon May 16 11:08:28.763025 2022] [:error] [pid 3392:tid 2008] [client ::1:50047] [client ::1] ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "C:/xampp/apache/conf/crs/rules/RESPONSE-980-CORRELATION.conf"] [line "91"] [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 30 - SQLI=0,XSS=0,RFI=0,LFI=30,RCE=0,PHPI=0,HTTP=0,SESS=0): individual paranoia level scores: 30, 0, 0, 0"] [ver "OWASP_CRS/3.3.2"] [tag "event-correlation"] [hostname "localhost"] [uri "/"] [unique_id "YoHALFNAK70X1vcS-h5XiAAAAJU"]
[Mon May 16 11:08:28.965612 2022] [:error] [pid 3392:tid 2008] [client ::1:50047] [client ::1] ModSecurity: Warning. Pattern match "(?i)(?:\\\\x5c|(?:%(?:c(?:0%(?:[2aq]f|5c|9v)|1%(?:[19p]c|8s|af))|2(?:5(?:c(?:0%25af|1%259c)|2f|5c)|%46|f)|(?:(?:f(?:8%8)?0%8|e)0%80%a|bg%q)f|%3(?:2(?:%(?:%6|4)6|F)|5%%63)|u(?:221[56]|002f|EFC8|F025)|1u|5c)|0x(?:2f|5c)|\\\\/))(?:%(?:(?:f(?:(?:c%80|8)%8)?0%8 ..." at REQUEST_URI_RAW. [file "C:/xampp/apache/conf/crs/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf"] [line "47"] [id "930100"] [msg "Path Traversal Attack (/../)"] [data "Matched Data: /../ found within REQUEST_URI_RAW: /?abc=../../"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.2"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-lfi"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/255/153/126"] [hostname "localhost"] [uri "/"] [unique_id "YoHALFNAK70X1vcS-h5XiQAAAJU"]
[Mon May 16 11:08:28.965612 2022] [:error] [pid 3392:tid 2008] [client ::1:50047] [client ::1] ModSecurity: Warning. Pattern match "(?i)(?:\\\\x5c|(?:%(?:c(?:0%(?:[2aq]f|5c|9v)|1%(?:[19p]c|8s|af))|2(?:5(?:c(?:0%25af|1%259c)|2f|5c)|%46|f)|(?:(?:f(?:8%8)?0%8|e)0%80%a|bg%q)f|%3(?:2(?:%(?:%6|4)6|F)|5%%63)|u(?:221[56]|002f|EFC8|F025)|1u|5c)|0x(?:2f|5c)|\\\\/))(?:%(?:(?:f(?:(?:c%80|8)%8)?0%8 ..." at ARGS:abc. [file "C:/xampp/apache/conf/crs/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf"] [line "47"] [id "930100"] [msg "Path Traversal Attack (/../)"] [data "Matched Data: /../ found within ARGS:abc: ../../"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.2"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-lfi"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/255/153/126"] [hostname "localhost"] [uri "/"] [unique_id "YoHALFNAK70X1vcS-h5XiQAAAJU"]
[Mon May 16 11:08:28.965612 2022] [:error] [pid 3392:tid 2008] [client ::1:50047] [client ::1] ModSecurity: Warning. Pattern match "(?:^|[\\\\/])\\\\.\\\\.(?:[\\\\/]|$)" at REQUEST_URI. [file "C:/xampp/apache/conf/crs/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf"] [line "71"] [id "930110"] [msg "Path Traversal Attack (/../)"] [data "Matched Data: /../ found within REQUEST_URI: /?abc=../../"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.2"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-lfi"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/255/153/126"] [hostname "localhost"] [uri "/"] [unique_id "YoHALFNAK70X1vcS-h5XiQAAAJU"]
[Mon May 16 11:08:28.965612 2022] [:error] [pid 3392:tid 2008] [client ::1:50047] [client ::1] ModSecurity: Warning. Pattern match "(?:^|[\\\\/])\\\\.\\\\.(?:[\\\\/]|$)" at REQUEST_URI. [file "C:/xampp/apache/conf/crs/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf"] [line "71"] [id "930110"] [msg "Path Traversal Attack (/../)"] [data "Matched Data: /../ found within REQUEST_URI: /?abc=../../"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.2"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-lfi"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/255/153/126"] [hostname "localhost"] [uri "/"] [unique_id "YoHALFNAK70X1vcS-h5XiQAAAJU"]
[Mon May 16 11:08:28.965612 2022] [:error] [pid 3392:tid 2008] [client ::1:50047] [client ::1] ModSecurity: Warning. Pattern match "(?:^|[\\\\/])\\\\.\\\\.(?:[\\\\/]|$)" at ARGS:abc. [file "C:/xampp/apache/conf/crs/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf"] [line "71"] [id "930110"] [msg "Path Traversal Attack (/../)"] [data "Matched Data: ../ found within ARGS:abc: ../../"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.2"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-lfi"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/255/153/126"] [hostname "localhost"] [uri "/"] [unique_id "YoHALFNAK70X1vcS-h5XiQAAAJU"]
[Mon May 16 11:08:28.965612 2022] [:error] [pid 3392:tid 2008] [client ::1:50047] [client ::1] ModSecurity: Warning. Pattern match "(?:^|[\\\\/])\\\\.\\\\.(?:[\\\\/]|$)" at ARGS:abc. [file "C:/xampp/apache/conf/crs/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf"] [line "71"] [id "930110"] [msg "Path Traversal Attack (/../)"] [data "Matched Data: ../ found within ARGS:abc: ../../"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.2"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-lfi"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/255/153/126"] [hostname "localhost"] [uri "/"] [unique_id "YoHALFNAK70X1vcS-h5XiQAAAJU"]
[Mon May 16 11:08:28.965612 2022] [:error] [pid 3392:tid 2008] [client ::1:50047] [client ::1] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "C:/xampp/apache/conf/crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "93"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 30)"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.2"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "localhost"] [uri "/"] [unique_id "YoHALFNAK70X1vcS-h5XiQAAAJU"]
[Mon May 16 11:08:28.965612 2022] [:error] [pid 3392:tid 2008] [client ::1:50047] [client ::1] ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "C:/xampp/apache/conf/crs/rules/RESPONSE-980-CORRELATION.conf"] [line "91"] [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 30 - SQLI=0,XSS=0,RFI=0,LFI=30,RCE=0,PHPI=0,HTTP=0,SESS=0): individual paranoia level scores: 30, 0, 0, 0"] [ver "OWASP_CRS/3.3.2"] [tag "event-correlation"] [hostname "localhost"] [uri "/"] [unique_id "YoHALFNAK70X1vcS-h5XiQAAAJU"]
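
To read an error.log like the one above per request rather than per line, the entries can be grouped by unique_id; this is an added example, not part of the original post. The sample lines are constructed in the same format (shortened), the helper names are hypothetical, and the 5-points-per-CRITICAL-match relation assumes the CRS default scoring in crs-setup.conf.

```python
import re

FIELD = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')  # [id "941100"], [msg "..."]
ACTION = re.compile(r"ModSecurity: (?:Warning|Access denied with code (\d+))")
SCORE = re.compile(r"Total (?:Inbound )?Score: (\d+)")


def parse_line(line):
    """Parse one ModSecurity error.log line; return None for unrelated lines."""
    action = ACTION.search(line)
    if action is None:
        return None  # e.g. ssl or mpm_winnt startup messages
    rec = {"tags": [], "status": int(action.group(1)) if action.group(1) else None}
    for key, value in FIELD.findall(line):
        if key == "tag":
            rec["tags"].append(value)
        else:
            rec[key] = value
    return rec


def summarize(lines):
    """Group log lines by unique_id (one id per HTTP request)."""
    txs = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or "unique_id" not in rec:
            continue
        tx = txs.setdefault(rec["unique_id"], {
            "uri": rec.get("uri"), "rules": {}, "attacks": set(),
            "critical_hits": 0, "score": None, "status": None})
        if rec["status"] is not None:
            tx["status"] = rec["status"]  # a blocking rule fired
        score = SCORE.search(rec.get("msg", ""))
        if score:
            tx["score"] = int(score.group(1))  # evaluation / correlation rule
            continue
        # Everything else is a detection rule that contributed to the score.
        rid = rec.get("id")
        tx["rules"][rid] = tx["rules"].get(rid, 0) + 1
        tx["attacks"].update(t for t in rec["tags"] if t.startswith("attack-"))
        if rec.get("severity") == "CRITICAL":
            tx["critical_hits"] += 1
    return txs


# --- Constructed sample input (same layout as the log above, shortened) ---
def _line(body, uri, uid):
    return ('[Mon May 16 11:08:26.000000 2022] [:error] [pid 1:tid 2] '
            f'[client ::1:50000] [client ::1] ModSecurity: {body} '
            f'[hostname "localhost"] [uri "{uri}"] [unique_id "{uid}"]')


def _hit(rid, msg, tag, uri, uid):
    return _line(f'Warning. [id "{rid}"] [msg "{msg}"] '
                 f'[severity "CRITICAL"] [tag "{tag}"]', uri, uid)


def _verdict(score, uri, uid):
    return _line('Access denied with code 403 (phase 2). Operator GE matched 5 '
                 'at TX:anomaly_score. [id "949110"] '
                 f'[msg "Inbound Anomaly Score Exceeded (Total Score: {score})"] '
                 '[severity "CRITICAL"] [tag "attack-generic"]', uri, uid)


TX1, TX2 = "CONSTRUCTED-TX-1", "CONSTRUCTED-TX-2"
SAMPLE_LOG = [
    "[Mon May 16 11:07:44.000000 2022] [mpm_winnt:notice] [pid 1:tid 2] "
    "AH00354: Child: Starting 150 worker threads.",
    _hit("941100", "XSS Attack Detected via libinjection", "attack-xss", "/index.php", TX1),
    _hit("941110", "XSS Filter - Category 1: Script Tag Vector", "attack-xss", "/index.php", TX1),
    _hit("941160", "NoScript XSS InjectionChecker: HTML Injection", "attack-xss", "/index.php", TX1),
    _verdict(15, "/index.php", TX1),
    _hit("930110", "Path Traversal Attack (/../)", "attack-lfi", "/", TX2),
    _hit("930110", "Path Traversal Attack (/../)", "attack-lfi", "/", TX2),
    _verdict(10, "/", TX2),
]

if __name__ == "__main__":
    for uid, tx in summarize(SAMPLE_LOG).items():
        print(uid, tx["uri"], tx["status"], tx["score"], sorted(tx["rules"]))
```

Run against the real log, the same grouping shows why the XSS request scored 15 (three CRITICAL matches) and the path traversal request scored 30 (six CRITICAL matches), both above the blocking threshold of 5 reported by rule 949110.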



(End)
