Changeset 14723
- Timestamp:
- 12/06/10 22:02:08 (18 months ago)
- Location:
- trunk/plugins/phpids/IDS
- Files:
-
- 2 edited
-
Converter.php (modified) (5 diffs)
-
default_filter.xml (modified) (5 diffs)
trunk/plugins/phpids/IDS/Converter.php
r14722 r14723 123 123 $value = preg_replace('/(<\w+)\/+(\w+=?)/m', '$1/$2', $value); 124 124 $value = preg_replace('/[^\\\:]\/\/(.*)$/m', '/**/$1', $value); 125 $value = preg_replace('/([^\-&])#.*[\r\n\v\f]/m', '$1', $value); 125 126 126 127 return $value; … … 303 304 { 304 305 $matches = array(); 305 if(preg_match_all('/(?:(?:\A|[^\d])0x[a-f\d]{ 2,}[a-f\d]*)+/im', $value, $matches)) {306 if(preg_match_all('/(?:(?:\A|[^\d])0x[a-f\d]{3,}[a-f\d]*)+/im', $value, $matches)) { 306 307 foreach($matches[0] as $match) { 307 308 $converted = ''; … … 315 316 } 316 317 // take care of hex encoded ctrl chars 317 $value = preg_replace('/0x\d+/m', 1, $value);318 $value = preg_replace('/0x\d+/m', ' 1 ', $value); 318 319 319 320 return $value; … … 330 331 public static function convertFromSQLKeywords($value) 331 332 { 332 $pattern = array('/(?: IS\s+null)|(LIKE\s+null)|' .333 '(?:(?:^|\W) IN[+\s]*\([\s\d"]+[^()]*\))/ims');333 $pattern = array('/(?:is\s+null)|(like\s+null)|' . 334 '(?:(?:^|\W)in[+\s]*\([\s\d"]+[^()]*\))/ims'); 334 335 $value = preg_replace($pattern, '"=0', $value); 336 335 337 $value = preg_replace('/\W+\s*like\s*\W+/ims', '1" OR "1"', $value); 336 338 $value = preg_replace('/null[,"\s]/ims', ',0', $value); … … 340 342 $value = preg_replace('/(?:and\s+\d+\.?\d*)/ims', '', $value); 341 343 $value = preg_replace('/(?:\s+and\s+)/ims', ' or ', $value); 342 $pattern = array('/[^\w,(]NULL|\\\N|TRUE|FALSE|UTC_TIME|' . 343 'LOCALTIME(?:STAMP)?|CURRENT_\w+|BINARY|' . 344 '(?:(?:ASCII|SOUNDEX|FIND_IN_SET|' . 345 'MD5|R?LIKE)[+\s]*\([^()]+\))|(?:-+\d)/ims'); 344 345 $pattern = array('/[^\w,(]null|\\\n|true|false|utc_time|' . 346 'localtime(?:stamp)?|current_\w+|binary|' . 347 '(?:(?:ascii|soundex|find_in_set|' . 348 'md5|r?like)[+\s]*\([^()]+\))|(?:-+\d)/ims'); 346 349 $value = preg_replace($pattern, 0, $value); 347 $pattern = array('/(?:NOT\s+BETWEEN)|(?:IS\s+NOT)|(?:NOT\s+IN)|' . 348 '(?:XOR|\WDIV\W|<>|RLIKE(?:\s+BINARY)?)|' . 349 '(?:REGEXP\s+BINARY)|' . 
350 '(?:SOUNDS\s+LIKE)/ims'); 350 351 $pattern = array('/(?:not\s+between)|(?:is\s+not)|(?:not\s+in)|' . 352 '(?:xor|<>|rlike(?:\s+binary)?)|' . 353 '(?:regexp\s+binary)|' . 354 '(?:sounds\s+like)/ims'); 351 355 $value = preg_replace($pattern, '!', $value); 352 356 $value = preg_replace('/"\s+\d/', '"', $value); 357 $value = preg_replace('/(\W)div(\W)/ims', '$1 OR $2', $value); 353 358 $value = preg_replace('/\/(?:\d+|null)/', null, $value); 354 359 -
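Review bot: The new `#`-comment stripper at line 125 only fires when a line terminator follows the comment (`[\r\n\v\f]`), so a `#` comment on the last line of input with no trailing newline is left in place, whereas the `//` rule on line 124 uses `$` under `/m` and does strip it; if the two are meant to agree, `'/([^\-&])#.*(?:[\r\n\v\f]|\z)/m'` also covers the end of the subject. The match also consumes the terminator, so the following line is folded onto the line that held the comment; if that is deliberate it deserves a comment such as `// strip # comments; the line break is dropped so the next line folds in`. The enclosing method starts before and ends after this hunk.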
trunk/plugins/phpids/IDS/default_filter.xml
r14722 r14723 21 21 </filter> 22 22 <filter> 23 <id>69</id>24 <rule><![CDATA[(?:[\s\d\/"]+(?:on\w+|style|poster|background)=[$"\w])]]></rule>25 <description>finds malicious attribute injection attempts</description>26 <tags>27 <tag>xss</tag>28 <tag>csrf</tag>29 </tags>30 <impact>6</impact>31 </filter>32 <filter>33 23 <id>3</id> 34 24 <rule><![CDATA[(?:^>[\w\s]*<\/?\w{2,}>)]]></rule> … … 229 219 <filter> 230 220 <id>21</id> 231 <rule><![CDATA[(?:,\s*(?:alert|showmodaldialog|eval)\s*,)|(?::\s*eval\s*[^\s])|([^:\s\w,.\/?+-]\s*)?(?<![a-z\/_@])(\s*return\s*)?(?:(?:document\s*\.)?(?:.+\/)?(?:alert|eval|msgbox|showmodaldialog|prompt|write(?:ln)?|confirm|dialog|open))\s*(?:[^a-z\s ]|(?:\s*[^\s\w,.@\/+-]))|(?:java[\s\/]*\.[\s\/]*lang)|(?:\w\s*=\s*new\s+\w+)|(?:&\s*\w+\s*\)[^,])|(?:\+[\W\d]*new\s+\w+[\W\d]*\+)|(?:document\.\w)]]></rule>221 <rule><![CDATA[(?:,\s*(?:alert|showmodaldialog|eval)\s*,)|(?::\s*eval\s*[^\s])|([^:\s\w,.\/?+-]\s*)?(?<![a-z\/_@])(\s*return\s*)?(?:(?:document\s*\.)?(?:.+\/)?(?:alert|eval|msgbox|showmodaldialog|prompt|write(?:ln)?|confirm|dialog|open))\s*(?:[^a-z\s\-]|(?:\s*[^\s\w,.@\/+-]))|(?:java[\s\/]*\.[\s\/]*lang)|(?:\w\s*=\s*new\s+\w+)|(?:&\s*\w+\s*\)[^,])|(?:\+[\W\d]*new\s+\w+[\W\d]*\+)|(?:document\.\w)]]></rule> 232 222 <description>Detects very basic XSS probings</description> 233 223 <tags> … … 603 593 <filter> 604 594 <id>57</id> 605 <rule><![CDATA[(?: select\s*\*\s*from)|((?:select|create|rename|truncate|load|alter|delete|update|insert|desc)\s*\(\s*space\s*\()]]></rule>606 <description>Detects MySQL comment-/space-obfuscated injections </description>595 <rule><![CDATA[(?:,.*[)\da-f"]"(?:".*"|\Z|[^"]+))|(?:select\s*\*\s*from)|((?:select|create|rename|truncate|load|alter|delete|update|insert|desc)\s*\(\s*space\s*\()]]></rule> 596 <description>Detects MySQL comment-/space-obfuscated injections and backtick termination</description> 607 597 <tags> 608 598 <tag>sqli</tag> … … 657 647 <filter> 658 648 <id>62</id> 659 
<rule><![CDATA[(?:function[^(]*\([^)]*\))|(?:(?:delete|void|throw|instanceof|new|typeof) \W+\w+\s*[([])|([)\]]\s*\.\s*\w+\s*=)|(?:\(\s*new\s+\w+\s*\)\.)]]></rule>649 <rule><![CDATA[(?:function[^(]*\([^)]*\))|(?:(?:delete|void|throw|instanceof|new|typeof)[^\w.]+\w+\s*[([])|([)\]]\s*\.\s*\w+\s*=)|(?:\(\s*new\s+\w+\s*\)\.)]]></rule> 660 650 <description>Detects common function declarations and special JS operators</description> 661 651 <tags> … … 737 727 </tags> 738 728 <impact>4</impact> 739 </filter> 729 </filter> 730 <filter> 731 <id>71</id> 732 <rule><![CDATA[(?:[\s\d\/"]+(?:on\w+|style|poster|background)=[$"\w])]]></rule> 733 <description>finds malicious attribute injection attempts</description> 734 <tags> 735 <tag>xss</tag> 736 <tag>csrf</tag> 737 </tags> 738 <impact>6</impact> 739 </filter> 740 740 </filters>
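Review bot: The new leading alternative in filter 57, `(?:,.*[)\da-f"]"(?:".*"|\Z|[^"]+))`, matches any comma followed later on the line by a quoted token ending in a digit, hex letter, `)` or quote, so ordinary JSON- or CSV-shaped input such as `{"a":1,"b":2}` (a constructed example, before any Converter normalisation) trips this sqli filter at its impact level. The description says "backtick termination" while the rule only matches `"`, which presumably relies on an earlier Converter step mapping backticks to double quotes; that dependency is worth stating in the description so the rule is not tightened in isolation. Separately, the attribute-injection rule keeps its regex unchanged but moves from `<id>69</id>` to `<id>71</id>`; if filter ids are referenced anywhere (reports, tuning, exceptions) that renumbering silently changes the identity of an unchanged rule, which is inferred rather than visible here.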