Skip to content

feat(942450): add another hex + binary declaration pattern #4374

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
fzipi merged 12 commits into from
Jan 25, 2026
Merged

feat(942450): add another hex + binary declaration pattern #4374

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
12 commits
Select commit Hold shift + click to select a range
d9eca97
feat(942450): add another hex declaration pattern
touchweb-vincent Dec 7, 2025
46701b2
Update 942450.yaml
touchweb-vincent Dec 7, 2025
5645f0b
Update REQUEST-942-APPLICATION-ATTACK-SQLI.conf
touchweb-vincent Dec 7, 2025
74c73c4
Update 942450.yaml
touchweb-vincent Dec 7, 2025
4dfc830
Update 942450.yaml
touchweb-vincent Dec 7, 2025
4b7825f
Merge branch 'main' into patch-24
touchweb-vincent Dec 21, 2025
14aa4fe
Update 942450.yaml
touchweb-vincent Dec 22, 2025
2cb3b5a
Merge branch 'main' into patch-24
touchweb-vincent Dec 22, 2025
5bb88ca
Merge branch 'main' into patch-24
touchweb-vincent Jan 24, 2026
573c5aa
Merge branch 'main' into patch-24
fzipi Jan 24, 2026
f08bc1e
Merge branch 'main' into patch-24
fzipi Jan 24, 2026
62f2a5d
Update rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
touchweb-vincent Jan 25, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
6 changes: 3 additions & 3 deletions rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1381,18 +1381,18 @@ SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx /\*!?|


#
# -=[ SQL Hex Evasion Methods ]=-
# -=[ SQL Bin / Hex Evasion Methods ]=-
#
# Hex encoding detection:
# (?i:\b0x[a-f\d]{3,}) will match any 3 or more hex bytes after "0x", together forming a hexadecimal payload(e.g 0xf00, 0xf00d and so on)
#
SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i:\b0x[a-f\d]{3,})" \
SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i:\b0x[a-f\d]{3,}|x\'[a-f\d]{3,}\'|b\'[0-1]{10,}\')" \
"id:942450,\
phase:2,\
block,\
capture,\
t:none,t:urlDecodeUni,\
msg:'SQL Hex Encoding Identified',\
msg:'SQL Bin or Hex Encoding Identified',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
Expand Down
38 changes: 37 additions & 1 deletion tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942450.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
---
meta:
author: "William Woodson, azurit"
author: "William Woodson, azurit, touchweb_vincent"
rule_id: 942450
tests:
- test_id: 1
Expand Down Expand Up @@ -88,3 +88,39 @@ tests:
output:
log:
no_expect_ids: [942450]
- test_id: 6
desc: "SQL Hex Encoding - self-adaptive blind SQL injection"
stages:
- input:
dest_addr: 127.0.0.1
port: 80
headers:
Host: localhost
User-Agent: "OWASP CRS test agent"
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
method: POST
uri: "/post"
# mod(1,1);SET @a = X'5345542040747066203D202873656C656374206C656674287461626C655F6E616D65202C204C4F434154452827636F6E66696775726174696F6E272C207461626C655F6E616D65292D31292066726F6D20696E666F726D6174696F6E5F736368656D612E7461626C6573207768657265207461626C655F736368656D61203D202873656C65637420646174616261736528292920616E64207461626C655F6E616D65206C696B65202725636F6E66696775726174696F6E27204F52444552204259204C454E475448287461626C655F6E616D652920415343204C494D49542031293B';PREPARE stmt FROM @a;EXECUTE stmt;SET @b = 0x534554204063203D20434F4E434154282755504441544520272C407470662C27636F6E66696775726174696F6E205345542076616C75653D434F4E4341542876616C75652C223C7363726970743E616C65727428537472696E672E66726F6D436F6465506F696E74283078323736342C2030784645304629293B3C2F7363726970743E2229205748455245206E616D653D2250535F53484F505F4E414D45222729;PREPARE stmt2 FROM @b;EXECUTE stmt2;PREPARE stmt3 FROM @c;EXECUTE stmt3;
data: "var=mod%281%2C1%29;SET%20%40a%20%3D%20X%275345542040747066203D202873656C656374206C656674287461626C655F6E616D65202C204C4F434154452827636F6E66696775726174696F6E272C207461626C655F6E616D65292D31292066726F6D20696E666F726D6174696F6E5F736368656D612E7461626C6573207768657265207461626C655F736368656D61203D202873656C65637420646174616261736528292920616E64207461626C655F6E616D65206C696B65202725636F6E66696775726174696F6E27204F52444552204259204C454E475448287461626C655F6E616D652920415343204C494D49542031293B%27%3BPREPARE%20stmt%20FROM%20%40a%3BEXECUTE%20stmt%3BSET%20%40b%20%3D%200x534554204063203D20434F4E434154282755504441544520272C407470662C27636F6E66696775726174696F6E205345542076616C75653D434F4E4341542876616C75652C223C7363726970743E616C65727428537472696E672E66726F6D436F6465506F696E74283078323736342C2030784645304629293B3C2F7363726970743E2229205748455245206E616D653D2250535F53484F505F4E414D45222729%3BPREPARE%20stmt2%20FROM%20%40b%3BEXECUTE%20stmt2%3BPREPARE%20stmt3%20FROM%20%40c%3BEXECUTE%20stmt3%3B"
version: HTTP/1.1
output:
log:
expect_ids: [942450]
- test_id: 7
desc: "SQL Binary Encoding - Binary encoded SQL injection"
stages:
- input:
dest_addr: 127.0.0.1
port: 80
headers:
Host: localhost
User-Agent: "OWASP CRS test agent"
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
method: POST
uri: "/post"
# mod(1,1);SET @a=b'0111001101100101011011000110010101100011011101000010000001110011011011000110010101100101011100000010100000110001001100000010100100111011';prepare b from @a;execute b;
data: "var=mod%281%2C1%29;SET%20%40a%3Db%270111001101100101011011000110010101100011011101000010000001110011011011000110010101100101011100000010100000110001001100000010100100111011%27%3Bprepare%20b%20from%20%40a%3Bexecute%20b%3B"
version: HTTP/1.1
output:
log:
expect_ids: [942450]
Loading