TrendMicro - Best Login System

Write snort rules for a vulnerability in a PHP application.

Solution

First off, don’t bug John/Thracky with the inane and dumb questions if you haven’t read the manual BEFORE trying to troubleshoot your rules.

Takeaways:

• Snort does not support /g.
• Generalize for that specific exploit, not EVERY SQLi possible.

The folder given is a git repo, meaning you can use git log to check the commit history. In the commit history you can see the vulnerability was patched, and you can check out the vulnerable version of the code.

The vulnerable line is as follows:

 if (empty($username_err) && empty($password_err)) {
        // Prepare a select statement
        $sql = "SELECT id, username, password FROM users WHERE username = '" . $username . "'";

The vulnerability is that the username field is vulnerable to SQLi. Let’s take notes of what is required for this vulnerability specifically.

• Must have a single quote somewhere as the start of the SQL commands.
• Must either end with a single quote, or a SQL comment to hide the rest of the commands.

I spent too long working on a super long regex line that would handle all MySQL. Until I was re-educated about how you should make it as broad as possible to avoid boxing yourself in.

That ended up with the final alert rule of:

alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"Best Login System Ever Vulnerability"; flow:to_server; content:"POST"; http_method; content:"/login.php"; http_uri; content:"username="; pcre:"/username=.*'.*('|--)/i"; classtype:web-application-attack; sid:1234560001;)