Skip to content

feat(942450): add another hex + binary declaration pattern#4374

Merged
fzipi merged 12 commits into
coreruleset:mainfrom
touchweb-vincent:patch-24
Jan 25, 2026
Merged

feat(942450): add another hex + binary declaration pattern#4374
fzipi merged 12 commits into
coreruleset:mainfrom
touchweb-vincent:patch-24

Conversation

@touchweb-vincent
Copy link
Copy Markdown
Contributor

@touchweb-vincent touchweb-vincent commented Dec 7, 2025
edited
Loading

Hello,

Here is another form of hex declaration that I think 942450 should trigger.

Another PR will come for this payload - which is not handled by PL1 currently:

SET @a=x'73656C65637420736C6565702835293B';prepare b from @a;execute b;
SET @a=b'01110011011001010110110001100101011000110111010000100000011100110110110001100101011001010111000000101000001101010010100100111011';prepare b from @a;execute b;


curl -H "x-format-output: txt-matched-rules" -H "x-crs-paranoia-level:2" "http://sandbox.coreruleset.org/" -d 'test=mod%281%2C1%29;SET%20%40a%3Dx%2773656C65637420736C6565702835293B%27%3Bprepare%20b%20from%20%40a%3Bexecute%20b%3B'
932236 PL2 Remote Command Execution: Unix Command Injection (command without evasion)
942150 PL2 SQL Injection Attack: SQL function name detected
942180 PL2 Detects basic SQL authentication bypass attempts 1/3
942200 PL2 Detects MySQL comment-/space-obfuscated injections and backtick termination
942210 PL2 Detects chained SQL injection attempts 1/2
942380 PL2 SQL Injection Attack
942410 PL2 SQL Injection Attack

In a more aggressive form, these SQL injections are particularly dangerous because they allow attackers to design payloads that blindly self-adapt to any random database prefix - a makeshift protection often used by CMS platforms to reduce the impact of SQL injection vulnerabilities:

SET @a = X'5345542040747066203D202873656C656374206C656674287461626C655F6E616D65202C204C4F434154452827636F6E66696775726174696F6E272C207461626C655F6E616D65292D31292066726F6D20696E666F726D6174696F6E5F736368656D612E7461626C6573207768657265207461626C655F736368656D61203D202873656C65637420646174616261736528292920616E64207461626C655F6E616D65206C696B65202725636F6E66696775726174696F6E27204F52444552204259204C454E475448287461626C655F6E616D652920415343204C494D49542031293B';PREPARE stmt FROM @a;EXECUTE stmt;SET @b = 0x534554204063203D20434F4E434154282755504441544520272C407470662C27636F6E66696775726174696F6E205345542076616C75653D434F4E4341542876616C75652C223C7363726970743E616C65727428537472696E672E66726F6D436F6465506F696E74283078323736342C2030784645304629293B3C2F7363726970743E2229205748455245206E616D653D2250535F53484F505F4E414D45222729;PREPARE stmt2 FROM @b;EXECUTE stmt2;PREPARE stmt3 FROM @c;EXECUTE stmt3;

These injections are currently causing serious harm to the PHP e-commerce ecosystem.

--

What do you think ?

Vincent

@github-actions
Copy link
Copy Markdown
Contributor

github-actions Bot commented Dec 7, 2025
edited
Loading

📊 Quantitative test results for language: eng, year: 2023, size: 10K, paranoia level: 1:
🚀 Quantitative testing did not detect new false positives

@touchweb-vincent touchweb-vincent changed the title feat(942450): add another hex declaration pattern feat(942450): add another hex + binary declaration pattern Dec 7, 2025
dkegel-fastly
dkegel-fastly approved these changes Dec 22, 2025
View reviewed changes
Copy link
Copy Markdown

@dkegel-fastly dkegel-fastly left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The attacks in the tests look good and dangerous to me

I don't read seclang well, so no opinion about the rest

dkegel-fastly
dkegel-fastly reviewed Dec 22, 2025
View reviewed changes
Comment thread tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942450.yaml Outdated
@theseion theseion mentioned this pull request Jan 5, 2026
Closed
@github-actions github-actions Bot added the Stale label Jan 22, 2026
@EsadCetiner EsadCetiner removed the Stale label Jan 24, 2026
fzipi
fzipi reviewed Jan 24, 2026
View reviewed changes
Comment thread rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf Outdated
@fzipi
Copy link
Copy Markdown
Member

fzipi commented Jan 24, 2026

Thanks for this update.

If you apply my suggestion, I can approve.

@fzipi fzipi added the release:new-detection In this PR we introduce a new detection label Jan 24, 2026
@touchweb-vincent @fzipi
Update rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
62f2a5d 
Co-authored-by: Felipe Zipitría <3012076+fzipi@users.noreply.github.com>
@touchweb-vincent
Copy link
Copy Markdown
Contributor Author

touchweb-vincent commented Jan 25, 2026

@fzipi it's done. Thanks you.

fzipi
fzipi approved these changes Jan 25, 2026
View reviewed changes
Copy link
Copy Markdown
Member

@fzipi fzipi left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM.

@fzipi fzipi added this pull request to the merge queue Jan 25, 2026
Merged via the queue into coreruleset:main with commit 242d90b Jan 25, 2026
8 checks passed
@touchweb-vincent touchweb-vincent deleted the patch-24 branch January 25, 2026 13:31
@theseion theseion mentioned this pull request Feb 2, 2026
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@fzipi fzipi fzipi approved these changes

+1 more reviewer

@dkegel-fastly dkegel-fastly dkegel-fastly approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

release:new-detection In this PR we introduce a new detection

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@touchweb-vincent @fzipi @dkegel-fastly @EsadCetiner