[研究]XAMPP 7.4.29.0 與 ModSecurity 2.9.5 (WAF, 網頁應用程式防火牆) 安裝測試 (Windows 2019)
2022-05-16
簡介
[研究] ModSecurity 2.x 與 libModSecurity 3.x - 網頁應用程式防火牆(WAF)
https://shaurong.blogspot.com/2022/05/modsecurity-2x-libmodsecurity-3x-waf.html
軟體或套件,需要3個
1.Apache HTTP Server (httpd) for Windows
本篇使用XAMPP,7.4.29 或 8.0.18 都可,8.1.5 不要,之前測試 Apache HTTP Server 無法於安裝後直接使用。
[研究]XAMPP 8.1.5 安裝
https://shaurong.blogspot.com/2022/05/xampp-815.html
XAMPP
https://www.apachefriends.org/zh_tw/download.html
下載 xampp-windows-x64-7.4.29-0-VC15-installer.exe
2.WAF Modules for Apache HTTP Server for Windows
官方沒有現成可用的
Release v2.9.5 · SpiderLabs/ModSecurity · GitHub
https://github.com/SpiderLabs/ModSecurity/releases/tag/v2.9.5
可到 Apache Lounge 網站下載
https://www.apachelounge.com/
下載 mod_security-2.9.5-win64-VS16.zip
3.WAF Rules
OWASP ModSecurity Core Rule Set (CRS)
https://coreruleset.org/
下載coreruleset-3.3.2.zip
下載 xampp-windows-x64-7.4.29-0-VC15-installer.exe 於 Windows Server 2019 上安裝
檢查 C:\xampp\apache\modules 目錄,沒有 mod_security2.so
另外用 VM 安裝 Windows 10 測試安裝 XAMPP 7.4.29.0,也是沒有 mod_security2.so
********************************************************************************
2.安裝 ModSecurity 2.9.5
解壓mod_security-2.9.5-win64-VS16.zip,參考ReadMe.txt內容安裝。
********************************************************************************
3.安裝 WAF Rules
解壓 coreruleset-3.3.2.zip,參考 INSTALL 檔案。
建立 C:\xampp\apache\conf\crs 目錄。( 在 apache\conf 目錄中新增 crs 目錄)
把 crs-setup.conf.example 拷貝到 C:\xampp\apache\conf\crs 目錄,改名為 crs-setup.conf
把 rules 目錄拷貝到 C:\xampp\apache\conf\crs\rules 目錄
把 RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example 改名為
RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf
把 RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example 改名為
RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf
( 就是把副檔名 .example 拿掉 )
參考
https://github.com/SpiderLabs/ModSecurity/wiki
修改 httpd.conf,最後加上
<IfModule mod_security2.c> SecRuleEngine On SecDataDir logs Include conf/crs/crs-setup.conf Include conf/crs/rules/*.conf </IfModule> |
存檔,關閉,重新啟動 Apache Web Server。
********************************************************************************
4.測試
網站根目錄是 C:\xampp\htdocs,裡面有 index.php
http://localhost:/index.php 是可以正常顯示的 ( 上面測過,就是 http://localhost:/ )
嘗試連
http://localhost/index.php?id=<script>alert(%27Hello%27);</script>
或
http://localhost/?abc=../../
檢視 C:\xampp\apache\logs\error.log 內容
[Mon May 16 11:07:43.972487 2022] [ssl:warn] [pid 3392:tid 536] AH01909: www.example.com:443:0 server certificate does NOT include an ID which matches the server name [Mon May 16 11:07:43.988478 2022] [:notice] [pid 3392:tid 536] ModSecurity for Apache/2.9.5 (http://www.modsecurity.org/) configured. [Mon May 16 11:07:43.988478 2022] [:notice] [pid 3392:tid 536] ModSecurity: APR compiled version="1.7.0"; loaded version="1.7.0" [Mon May 16 11:07:43.988478 2022] [:notice] [pid 3392:tid 536] ModSecurity: PCRE compiled version="8.45 "; loaded version="8.45 2021-06-15" [Mon May 16 11:07:43.988478 2022] [:notice] [pid 3392:tid 536] ModSecurity: LUA compiled version="Lua 5.2" [Mon May 16 11:07:43.988478 2022] [:notice] [pid 3392:tid 536] ModSecurity: YAJL compiled version="2.1.0" [Mon May 16 11:07:43.988478 2022] [:notice] [pid 3392:tid 536] ModSecurity: LIBXML compiled version="2.9.12" [Mon May 16 11:07:43.988478 2022] [:notice] [pid 3392:tid 536] ModSecurity: Status engine is currently disabled, enable it by set SecStatusEngine to On. [Mon May 16 11:07:44.066296 2022] [ssl:warn] [pid 3392:tid 536] AH01909: www.example.com:443:0 server certificate does NOT include an ID which matches the server name [Mon May 16 11:07:44.097033 2022] [mpm_winnt:notice] [pid 3392:tid 536] AH00354: Child: Starting 150 worker threads. [Mon May 16 11:08:26.997837 2022] [:error] [pid 3392:tid 2036] [client ::1:50046] [client ::1] ModSecurity: Warning. detected XSS using libinjection. [file "C:/xampp/apache/conf/crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "55"] [id "941100"] [msg "XSS Attack Detected via libinjection"] [data "Matched Data: XSS data found within ARGS:id: <script>alert('Hello');</script>"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.2"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-xss"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/242"] [hostname "localhost"] [uri "/index.php"] [unique_id "YoHAKlNAK70X1vcS-h5XhQAAAGs"] [Mon May 16 11:08:26.997837 2022] [:error] [pid 3392:tid 2036] [client ::1:50046] [client ::1] ModSecurity: Warning. Pattern match "(?i)<script[^>]*>[\\\\s\\\\S]*?" at ARGS:id. [file "C:/xampp/apache/conf/crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "82"] [id "941110"] [msg "XSS Filter - Category 1: Script Tag Vector"] [data "Matched Data: <script> found within ARGS:id: <script>alert('Hello');</script>"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.2"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-xss"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/242"] [hostname "localhost"] [uri "/index.php"] [unique_id "YoHAKlNAK70X1vcS-h5XhQAAAGs"] [Mon May 16 11:08:26.997837 2022] [:error] [pid 3392:tid 2036] [client ::1:50046] [client ::1] ModSecurity: Warning. Pattern match "(?i:(?:<\\\\w[\\\\s\\\\S]*[\\\\s\\\\/]|['\\"](?:[\\\\s\\\\S]*[\\\\s\\\\/])?)(?:on(?:d(?:e(?:vice(?:(?:orienta|mo)tion|proximity|found|light)|livery(?:success|error)|activate)|r(?:ag(?:e(?:n(?:ter|d)|xit)|(?:gestur|leav)e|start|drop|over)|op)|i(?:s(?:c(?:hargingtimechange ..." at ARGS:id. [file "C:/xampp/apache/conf/crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "199"] [id "941160"] [msg "NoScript XSS InjectionChecker: HTML Injection"] [data "Matched Data: <script found within ARGS:id: <script>alert('Hello');</script>"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.2"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-xss"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/242"] [hostname "localhost"] [uri "/index.php"] [unique_id "YoHAKlNAK70X1vcS-h5XhQAAAGs"] [Mon May 16 11:08:26.997837 2022] [:error] [pid 3392:tid 2036] [client ::1:50046] [client ::1] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "C:/xampp/apache/conf/crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "93"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 15)"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.2"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "localhost"] [uri "/index.php"] [unique_id "YoHAKlNAK70X1vcS-h5XhQAAAGs"] [Mon May 16 11:08:26.997837 2022] [:error] [pid 3392:tid 2036] [client ::1:50046] [client ::1] ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "C:/xampp/apache/conf/crs/rules/RESPONSE-980-CORRELATION.conf"] [line "91"] [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 15 - SQLI=0,XSS=15,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0): individual paranoia level scores: 15, 0, 0, 0"] [ver "OWASP_CRS/3.3.2"] [tag "event-correlation"] [hostname "localhost"] [uri "/index.php"] [unique_id "YoHAKlNAK70X1vcS-h5XhQAAAGs"] [Mon May 16 11:08:27.513138 2022] [:error] [pid 3392:tid 2036] [client ::1:50046] [client ::1] ModSecurity: Warning. detected XSS using libinjection. [file "C:/xampp/apache/conf/crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "55"] [id "941100"] [msg "XSS Attack Detected via libinjection"] [data "Matched Data: XSS data found within ARGS:id: <script>alert('Hello');</script>"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.2"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-xss"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/242"] [hostname "localhost"] [uri "/index.php"] [unique_id "YoHAK1NAK70X1vcS-h5XhgAAAGs"] [Mon May 16 11:08:27.513138 2022] [:error] [pid 3392:tid 2036] [client ::1:50046] [client ::1] ModSecurity: Warning. Pattern match "(?i)<script[^>]*>[\\\\s\\\\S]*?" at ARGS:id. [file "C:/xampp/apache/conf/crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "82"] [id "941110"] [msg "XSS Filter - Category 1: Script Tag Vector"] [data "Matched Data: <script> found within ARGS:id: <script>alert('Hello');</script>"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.2"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-xss"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/242"] [hostname "localhost"] [uri "/index.php"] [unique_id "YoHAK1NAK70X1vcS-h5XhgAAAGs"] [Mon May 16 11:08:27.513138 2022] [:error] [pid 3392:tid 2036] [client ::1:50046] [client ::1] ModSecurity: Warning. Pattern match "(?i:(?:<\\\\w[\\\\s\\\\S]*[\\\\s\\\\/]|['\\"](?:[\\\\s\\\\S]*[\\\\s\\\\/])?)(?:on(?:d(?:e(?:vice(?:(?:orienta|mo)tion|proximity|found|light)|livery(?:success|error)|activate)|r(?:ag(?:e(?:n(?:ter|d)|xit)|(?:gestur|leav)e|start|drop|over)|op)|i(?:s(?:c(?:hargingtimechange ..." at ARGS:id. [file "C:/xampp/apache/conf/crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "199"] [id "941160"] [msg "NoScript XSS InjectionChecker: HTML Injection"] [data "Matched Data: <script found within ARGS:id: <script>alert('Hello');</script>"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.2"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-xss"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/242"] [hostname "localhost"] [uri "/index.php"] [unique_id "YoHAK1NAK70X1vcS-h5XhgAAAGs"] [Mon May 16 11:08:27.513138 2022] [:error] [pid 3392:tid 2036] [client ::1:50046] [client ::1] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "C:/xampp/apache/conf/crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "93"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 15)"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.2"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "localhost"] [uri "/index.php"] [unique_id "YoHAK1NAK70X1vcS-h5XhgAAAGs"] [Mon May 16 11:08:27.513138 2022] [:error] [pid 3392:tid 2036] [client ::1:50046] [client ::1] ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "C:/xampp/apache/conf/crs/rules/RESPONSE-980-CORRELATION.conf"] [line "91"] [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 15 - SQLI=0,XSS=15,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0): individual paranoia level scores: 15, 0, 0, 0"] [ver "OWASP_CRS/3.3.2"] [tag "event-correlation"] [hostname "localhost"] [uri "/index.php"] [unique_id "YoHAK1NAK70X1vcS-h5XhgAAAGs"] [Mon May 16 11:08:27.762581 2022] [:error] [pid 3392:tid 2036] [client ::1:50046] [client ::1] ModSecurity: Warning. detected XSS using libinjection. [file "C:/xampp/apache/conf/crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "55"] [id "941100"] [msg "XSS Attack Detected via libinjection"] [data "Matched Data: XSS data found within ARGS:id: <script>alert('Hello');</script>"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.2"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-xss"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/242"] [hostname "localhost"] [uri "/index.php"] [unique_id "YoHAK1NAK70X1vcS-h5XhwAAAGs"] [Mon May 16 11:08:27.762581 2022] [:error] [pid 3392:tid 2036] [client ::1:50046] [client ::1] ModSecurity: Warning. Pattern match "(?i)<script[^>]*>[\\\\s\\\\S]*?" at ARGS:id. [file "C:/xampp/apache/conf/crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "82"] [id "941110"] [msg "XSS Filter - Category 1: Script Tag Vector"] [data "Matched Data: <script> found within ARGS:id: <script>alert('Hello');</script>"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.2"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-xss"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/242"] [hostname "localhost"] [uri "/index.php"] [unique_id "YoHAK1NAK70X1vcS-h5XhwAAAGs"] [Mon May 16 11:08:27.762581 2022] [:error] [pid 3392:tid 2036] [client ::1:50046] [client ::1] ModSecurity: Warning. Pattern match "(?i:(?:<\\\\w[\\\\s\\\\S]*[\\\\s\\\\/]|['\\"](?:[\\\\s\\\\S]*[\\\\s\\\\/])?)(?:on(?:d(?:e(?:vice(?:(?:orienta|mo)tion|proximity|found|light)|livery(?:success|error)|activate)|r(?:ag(?:e(?:n(?:ter|d)|xit)|(?:gestur|leav)e|start|drop|over)|op)|i(?:s(?:c(?:hargingtimechange ..." at ARGS:id. [file "C:/xampp/apache/conf/crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "199"] [id "941160"] [msg "NoScript XSS InjectionChecker: HTML Injection"] [data "Matched Data: <script found within ARGS:id: <script>alert('Hello');</script>"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.2"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-xss"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/242"] [hostname "localhost"] [uri "/index.php"] [unique_id "YoHAK1NAK70X1vcS-h5XhwAAAGs"] [Mon May 16 11:08:27.762581 2022] [:error] [pid 3392:tid 2036] [client ::1:50046] [client ::1] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "C:/xampp/apache/conf/crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "93"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 15)"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.2"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "localhost"] [uri "/index.php"] [unique_id "YoHAK1NAK70X1vcS-h5XhwAAAGs"] [Mon May 16 11:08:27.762581 2022] [:error] [pid 3392:tid 2036] [client ::1:50046] [client ::1] ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "C:/xampp/apache/conf/crs/rules/RESPONSE-980-CORRELATION.conf"] [line "91"] [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 15 - SQLI=0,XSS=15,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0): individual paranoia level scores: 15, 0, 0, 0"] [ver "OWASP_CRS/3.3.2"] [tag "event-correlation"] [hostname "localhost"] [uri "/index.php"] [unique_id "YoHAK1NAK70X1vcS-h5XhwAAAGs"] [Mon May 16 11:08:28.763025 2022] [:error] [pid 3392:tid 2008] [client ::1:50047] [client ::1] ModSecurity: Warning. Pattern match "(?i)(?:\\\\x5c|(?:%(?:c(?:0%(?:[2aq]f|5c|9v)|1%(?:[19p]c|8s|af))|2(?:5(?:c(?:0%25af|1%259c)|2f|5c)|%46|f)|(?:(?:f(?:8%8)?0%8|e)0%80%a|bg%q)f|%3(?:2(?:%(?:%6|4)6|F)|5%%63)|u(?:221[56]|002f|EFC8|F025)|1u|5c)|0x(?:2f|5c)|\\\\/))(?:%(?:(?:f(?:(?:c%80|8)%8)?0%8 ..." at REQUEST_URI_RAW. [file "C:/xampp/apache/conf/crs/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf"] [line "47"] [id "930100"] [msg "Path Traversal Attack (/../)"] [data "Matched Data: /../ found within REQUEST_URI_RAW: /?abc=../../"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.2"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-lfi"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/255/153/126"] [hostname "localhost"] [uri "/"] [unique_id "YoHALFNAK70X1vcS-h5XiAAAAJU"] [Mon May 16 11:08:28.763025 2022] [:error] [pid 3392:tid 2008] [client ::1:50047] [client ::1] ModSecurity: Warning. Pattern match "(?i)(?:\\\\x5c|(?:%(?:c(?:0%(?:[2aq]f|5c|9v)|1%(?:[19p]c|8s|af))|2(?:5(?:c(?:0%25af|1%259c)|2f|5c)|%46|f)|(?:(?:f(?:8%8)?0%8|e)0%80%a|bg%q)f|%3(?:2(?:%(?:%6|4)6|F)|5%%63)|u(?:221[56]|002f|EFC8|F025)|1u|5c)|0x(?:2f|5c)|\\\\/))(?:%(?:(?:f(?:(?:c%80|8)%8)?0%8 ..." at ARGS:abc. [file "C:/xampp/apache/conf/crs/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf"] [line "47"] [id "930100"] [msg "Path Traversal Attack (/../)"] [data "Matched Data: /../ found within ARGS:abc: ../../"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.2"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-lfi"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/255/153/126"] [hostname "localhost"] [uri "/"] [unique_id "YoHALFNAK70X1vcS-h5XiAAAAJU"] [Mon May 16 11:08:28.763025 2022] [:error] [pid 3392:tid 2008] [client ::1:50047] [client ::1] ModSecurity: Warning. Pattern match "(?:^|[\\\\/])\\\\.\\\\.(?:[\\\\/]|$)" at REQUEST_URI. [file "C:/xampp/apache/conf/crs/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf"] [line "71"] [id "930110"] [msg "Path Traversal Attack (/../)"] [data "Matched Data: /../ found within REQUEST_URI: /?abc=../../"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.2"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-lfi"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/255/153/126"] [hostname "localhost"] [uri "/"] [unique_id "YoHALFNAK70X1vcS-h5XiAAAAJU"] [Mon May 16 11:08:28.763025 2022] [:error] [pid 3392:tid 2008] [client ::1:50047] [client ::1] ModSecurity: Warning. Pattern match "(?:^|[\\\\/])\\\\.\\\\.(?:[\\\\/]|$)" at REQUEST_URI. [file "C:/xampp/apache/conf/crs/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf"] [line "71"] [id "930110"] [msg "Path Traversal Attack (/../)"] [data "Matched Data: /../ found within REQUEST_URI: /?abc=../../"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.2"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-lfi"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/255/153/126"] [hostname "localhost"] [uri "/"] [unique_id "YoHALFNAK70X1vcS-h5XiAAAAJU"] [Mon May 16 11:08:28.763025 2022] [:error] [pid 3392:tid 2008] [client ::1:50047] [client ::1] ModSecurity: Warning. Pattern match "(?:^|[\\\\/])\\\\.\\\\.(?:[\\\\/]|$)" at ARGS:abc. [file "C:/xampp/apache/conf/crs/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf"] [line "71"] [id "930110"] [msg "Path Traversal Attack (/../)"] [data "Matched Data: ../ found within ARGS:abc: ../../"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.2"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-lfi"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/255/153/126"] [hostname "localhost"] [uri "/"] [unique_id "YoHALFNAK70X1vcS-h5XiAAAAJU"] [Mon May 16 11:08:28.763025 2022] [:error] [pid 3392:tid 2008] [client ::1:50047] [client ::1] ModSecurity: Warning. Pattern match "(?:^|[\\\\/])\\\\.\\\\.(?:[\\\\/]|$)" at ARGS:abc. [file "C:/xampp/apache/conf/crs/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf"] [line "71"] [id "930110"] [msg "Path Traversal Attack (/../)"] [data "Matched Data: ../ found within ARGS:abc: ../../"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.2"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-lfi"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/255/153/126"] [hostname "localhost"] [uri "/"] [unique_id "YoHALFNAK70X1vcS-h5XiAAAAJU"] [Mon May 16 11:08:28.763025 2022] [:error] [pid 3392:tid 2008] [client ::1:50047] [client ::1] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "C:/xampp/apache/conf/crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "93"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 30)"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.2"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "localhost"] [uri "/"] [unique_id "YoHALFNAK70X1vcS-h5XiAAAAJU"] [Mon May 16 11:08:28.763025 2022] [:error] [pid 3392:tid 2008] [client ::1:50047] [client ::1] ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "C:/xampp/apache/conf/crs/rules/RESPONSE-980-CORRELATION.conf"] [line "91"] [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 30 - SQLI=0,XSS=0,RFI=0,LFI=30,RCE=0,PHPI=0,HTTP=0,SESS=0): individual paranoia level scores: 30, 0, 0, 0"] [ver "OWASP_CRS/3.3.2"] [tag "event-correlation"] [hostname "localhost"] [uri "/"] [unique_id "YoHALFNAK70X1vcS-h5XiAAAAJU"] [Mon May 16 11:08:28.965612 2022] [:error] [pid 3392:tid 2008] [client ::1:50047] [client ::1] ModSecurity: Warning. Pattern match "(?i)(?:\\\\x5c|(?:%(?:c(?:0%(?:[2aq]f|5c|9v)|1%(?:[19p]c|8s|af))|2(?:5(?:c(?:0%25af|1%259c)|2f|5c)|%46|f)|(?:(?:f(?:8%8)?0%8|e)0%80%a|bg%q)f|%3(?:2(?:%(?:%6|4)6|F)|5%%63)|u(?:221[56]|002f|EFC8|F025)|1u|5c)|0x(?:2f|5c)|\\\\/))(?:%(?:(?:f(?:(?:c%80|8)%8)?0%8 ..." at REQUEST_URI_RAW. [file "C:/xampp/apache/conf/crs/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf"] [line "47"] [id "930100"] [msg "Path Traversal Attack (/../)"] [data "Matched Data: /../ found within REQUEST_URI_RAW: /?abc=../../"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.2"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-lfi"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/255/153/126"] [hostname "localhost"] [uri "/"] [unique_id "YoHALFNAK70X1vcS-h5XiQAAAJU"] [Mon May 16 11:08:28.965612 2022] [:error] [pid 3392:tid 2008] [client ::1:50047] [client ::1] ModSecurity: Warning. Pattern match "(?i)(?:\\\\x5c|(?:%(?:c(?:0%(?:[2aq]f|5c|9v)|1%(?:[19p]c|8s|af))|2(?:5(?:c(?:0%25af|1%259c)|2f|5c)|%46|f)|(?:(?:f(?:8%8)?0%8|e)0%80%a|bg%q)f|%3(?:2(?:%(?:%6|4)6|F)|5%%63)|u(?:221[56]|002f|EFC8|F025)|1u|5c)|0x(?:2f|5c)|\\\\/))(?:%(?:(?:f(?:(?:c%80|8)%8)?0%8 ..." at ARGS:abc. [file "C:/xampp/apache/conf/crs/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf"] [line "47"] [id "930100"] [msg "Path Traversal Attack (/../)"] [data "Matched Data: /../ found within ARGS:abc: ../../"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.2"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-lfi"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/255/153/126"] [hostname "localhost"] [uri "/"] [unique_id "YoHALFNAK70X1vcS-h5XiQAAAJU"] [Mon May 16 11:08:28.965612 2022] [:error] [pid 3392:tid 2008] [client ::1:50047] [client ::1] ModSecurity: Warning. Pattern match "(?:^|[\\\\/])\\\\.\\\\.(?:[\\\\/]|$)" at REQUEST_URI. [file "C:/xampp/apache/conf/crs/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf"] [line "71"] [id "930110"] [msg "Path Traversal Attack (/../)"] [data "Matched Data: /../ found within REQUEST_URI: /?abc=../../"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.2"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-lfi"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/255/153/126"] [hostname "localhost"] [uri "/"] [unique_id "YoHALFNAK70X1vcS-h5XiQAAAJU"] [Mon May 16 11:08:28.965612 2022] [:error] [pid 3392:tid 2008] [client ::1:50047] [client ::1] ModSecurity: Warning. Pattern match "(?:^|[\\\\/])\\\\.\\\\.(?:[\\\\/]|$)" at REQUEST_URI. [file "C:/xampp/apache/conf/crs/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf"] [line "71"] [id "930110"] [msg "Path Traversal Attack (/../)"] [data "Matched Data: /../ found within REQUEST_URI: /?abc=../../"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.2"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-lfi"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/255/153/126"] [hostname "localhost"] [uri "/"] [unique_id "YoHALFNAK70X1vcS-h5XiQAAAJU"] [Mon May 16 11:08:28.965612 2022] [:error] [pid 3392:tid 2008] [client ::1:50047] [client ::1] ModSecurity: Warning. Pattern match "(?:^|[\\\\/])\\\\.\\\\.(?:[\\\\/]|$)" at ARGS:abc. [file "C:/xampp/apache/conf/crs/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf"] [line "71"] [id "930110"] [msg "Path Traversal Attack (/../)"] [data "Matched Data: ../ found within ARGS:abc: ../../"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.2"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-lfi"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/255/153/126"] [hostname "localhost"] [uri "/"] [unique_id "YoHALFNAK70X1vcS-h5XiQAAAJU"] [Mon May 16 11:08:28.965612 2022] [:error] [pid 3392:tid 2008] [client ::1:50047] [client ::1] ModSecurity: Warning. Pattern match "(?:^|[\\\\/])\\\\.\\\\.(?:[\\\\/]|$)" at ARGS:abc. [file "C:/xampp/apache/conf/crs/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf"] [line "71"] [id "930110"] [msg "Path Traversal Attack (/../)"] [data "Matched Data: ../ found within ARGS:abc: ../../"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.2"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-lfi"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/255/153/126"] [hostname "localhost"] [uri "/"] [unique_id "YoHALFNAK70X1vcS-h5XiQAAAJU"] [Mon May 16 11:08:28.965612 2022] [:error] [pid 3392:tid 2008] [client ::1:50047] [client ::1] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "C:/xampp/apache/conf/crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "93"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 30)"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.2"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "localhost"] [uri "/"] [unique_id "YoHALFNAK70X1vcS-h5XiQAAAJU"] [Mon May 16 11:08:28.965612 2022] [:error] [pid 3392:tid 2008] [client ::1:50047] [client ::1] ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "C:/xampp/apache/conf/crs/rules/RESPONSE-980-CORRELATION.conf"] [line "91"] [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 30 - SQLI=0,XSS=0,RFI=0,LFI=30,RCE=0,PHPI=0,HTTP=0,SESS=0): individual paranoia level scores: 30, 0, 0, 0"] [ver "OWASP_CRS/3.3.2"] [tag "event-correlation"] [hostname "localhost"] [uri "/"] [unique_id "YoHALFNAK70X1vcS-h5XiQAAAJU"] |
(完)
相關
[研究] ModSecurity 2.x 與 libModSecurity 3.x - 網頁應用程式防火牆(WAF)
https://shaurong.blogspot.com/2022/05/modsecurity-2x-libmodsecurity-3x-waf.html
[研究]IIS 安裝 ModSecurity 2.9.5 (Windows 2019)
https://shaurong.blogspot.com/2022/05/iis-modsecurity-295-windows-2019.html
[研究]XAMPP 7.4.29.0 與 ModSecurity 2.9.5 (WAF, 網頁應用程式防火牆) 安裝測試 (Windows 2019)
https://shaurong.blogspot.com/2022/05/xampp-74290-modsecurity-295-waf-windows.html
[研究]XAMPP 7.4.29.0 安裝
https://shaurong.blogspot.com/2022/05/xampp-74290.html
[研究]XAMPP 8.1.5 安裝
https://shaurong.blogspot.com/2022/05/xampp-815.html
[研究] XAMPP win32-7.3.1-0-VC15安裝(Windows 2019)
https://shaurong.blogspot.com/2019/02/xampp-win32-731-0-vc15windows-2019.html
[研究] XAMPP for Windows 7.1.7 + HTTPS (SSL) 安裝 (Windows 7)
http://shaurong.blogspot.com/2017/07/xampp-for-windows-717-https-ssl-windows.html
https://shaurong.blogspot.com/2017/01/xampp-for-windows-5638-https-ssl.html
[研究] LAMP(Linux, Apache 2.4.6, MariaDB 5.5.52, PHP 5.4.16)+OpenSSL 1.0.1e (yum)快速安裝程式(CentOS 7.3)
https://shaurong.blogspot.com/2017/01/lamplinux-apache-mariadb_5.html
[研究] AppServ 8.6.0 (Apache 2.4.25 + PHP 5.6.30/7.1.1 + MySQL 5.7.17 + phpMyAdmin 4.6.6 + SSL) 安裝 (Windows 2019)
https://shaurong.blogspot.com/2019/02/appserv-860-apache-2425-php-5630711.html
[研究] Apache Web Server 2.4.x 架站軟體比較 (AMP、WAMP、LAMP)
https://shaurong.blogspot.com/2018/07/apache-web-server-24x.html
[研究] XAMPP for Windows 7.1.7 + HTTPS (SSL) 安裝 (Windows 7)
https://shaurong.blogspot.com/2017/07/xampp-for-windows-717-https-ssl-windows.html
[研究] AppServ 8.6.0 (Apache 2.4.25 + PHP 5.6.30/7.1.1 + MySQL 5.7.17 + phpMyAdmin 4.6.6 + SSL) 安裝 (Windows 7)
http://shaurong.blogspot.tw/2017/07/appserv-860-apache-2425-php-5630711.html
[研究] AppServ 8.4.0 + HTTPS (SSL) 安裝 (Windows 2012 R2)
http://shaurong.blogspot.com/2016/08/appserv-840-https-ssl-windows-2012-r2.html
[研究] Apache HTTPd Web Server 2.4.23 + HTTPS (SSL) 安裝 (Windows 2012 R2)
http://shaurong.blogspot.com/2016/08/apache-httpd-web-server-2423-https-ssl.html
[研究] Apache HTTPd Web Server 2.4.6 + HTTPS (SSL) yum 安裝 (CentOS 7.2 x64)
http://shaurong.blogspot.com/2016/08/apache-httpd-web-server-246-https-ssl.html
網際網路資訊服務(英语:Internet Information Services,簡稱IIS)
https://zh.wikipedia.org/wiki/%E7%B6%B2%E9%9A%9B%E7%B6%B2%E8%B7%AF%E8%B3%87%E8%A8%8A%E6%9C%8D%E5%8B%99
有 Windows 版本和內建 IIS 版本關係
[研究] Windows 2012 R2 安裝 IIS 8.5 和 HTTP (SSL) 連線 (方法二)
http://shaurong.blogspot.com/2015/04/windows-2012-r2-iis-http-ssl.html
[研究] Windows 2012 R2 安裝 IIS 8.5 和 HTTP (SSL) 連線 (方法一)
http://shaurong.blogspot.com/2015/04/windows-2008-r2-iis-http-ssl.html
[研究] Windows 2012 安裝 IIS 8.0 和 HTTP (SSL) 連線
http://shaurong.blogspot.com/2015/04/windows-2012-iis-http-ssl.html
[研究] Windows 2008 R2 安裝 IIS 7.5 和 HTTP (SSL) 連線
http://shaurong.blogspot.com/2015/04/windows-2008-r2-iis-http-ssl.html
[研究] Windows 2003 R2 安裝 IIS 6.0 和 HTTPS (SSL) 連線
http://shaurong.blogspot.com/2015/04/windows-2003-r2-iis-https-ssl.html
[研究] Windows 10 Enterprise 1511 (x64)安裝架設IIS 10.0、建立SSL憑證、提供 HTTPS (SSL) 連線
http://shaurong.blogspot.com/2016/02/windows-10-enterprise-1511-x64iisssl.html
[研究] Windows 7 Ultimate x64安裝架設IIS 7.5、建立SSL憑證、提供 HTTPS (SSL) 連線
http://shaurong.blogspot.com/2016/02/windows-7-ultimate-x64iisssl-https-ssl.html
[研究] Windows XP Professional x86 安裝架設IIS 5.1、建立SSL憑證、提供 HTTPS (SSL) 連線
http://shaurong.blogspot.com/2016/02/windows-xp-professional-x86-iisssl.html
[研究] 在Windows XP Professional上IIS 5.1啟動SSL
http://shaurong.blogspot.com/2011/06/windows-xp-professionaliisssl.html
Internet Information Services (IIS) 10.0 Express 下載
https://www.microsoft.com/zh-TW/download/details.aspx?id=48264
支援 Windows 7/2008R2,8/2012,8.1/2012 R2,10/2016
Internet Information Services (IIS) 8.0 Express
https://www.microsoft.com/en-us/download/details.aspx?id=34679
Internet Information Services (IIS) 7 Manager
https://www.microsoft.com/en-us/download/details.aspx?id=2299
Internet Information Services (IIS) 6.0 Resource Kit
https://www.microsoft.com/en-us/download/details.aspx?id=5135
支援 Windows XP/2003
Internet Information Services (IIS) 6.0 Resource Kit Tools
https://www.microsoft.com/en-us/download/details.aspx?id=17275
Internet Information Services (IIS) 6.0 Manager for Windows XP
https://www.microsoft.com/en-us/download/details.aspx?id=15662
沒有留言:
張貼留言