Write snort rules for a vulnerability in a PHP application.
First off, don’t bug John/Thracky with the inane and dumb questions if you haven’t read the manual BEFORE trying to troubleshoot your rules.
Takeaways:
- The folder given is a git repo, so you can use git log to check the commit history. In the commit history you can see the commit that patched the vulnerability, and you can check out the vulnerable version of the code from just before that commit.
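The git step above, as an added example that is not part of the original write-up: it builds a throwaway repository with a constructed two-commit history of login.php (a vulnerable version, then the fix), uses the pickaxe (`git log -S`) to find the commit whose diff removed the string concatenation, and reads the file as it was just before that commit with `git show <commit>^:login.php`. The file name, the commit messages and the marker string are assumptions for the demo; a `git` binary must be on PATH.

```python
"""Find the commit that patched a string-concatenated SQL query and pull the
pre-patch file back out of history (added example, not the write-up's code)."""
import subprocess
import tempfile
from pathlib import Path

# Constructed sample data: vulnerable and patched versions of login.php.
VULN_SRC = """<?php
if (empty($username_err) && empty($password_err)) {
    // Prepare a select statement
    $sql = "SELECT id, username, password FROM users WHERE username = '" . $username . "'";
}
"""
FIXED_SRC = """<?php
if (empty($username_err) && empty($password_err)) {
    // Prepare a select statement
    $sql = "SELECT id, username, password FROM users WHERE username = ?";
}
"""

# Substring of the vulnerable line; the patch commit removes it (assumed marker).
VULN_MARKER = '" . $username . "'


def git(repo: Path, *args: str) -> str:
    """Run git inside repo with a fixed identity so commits work in any env."""
    cmd = ["git", "-c", "user.name=demo", "-c", "user.email=demo@example.com",
           "-C", str(repo), *args]
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


def build_sample_repo(repo: Path) -> None:
    """Two commits: the vulnerable login.php, then the fix."""
    git(repo, "init", "-q")
    (repo / "login.php").write_text(VULN_SRC)
    git(repo, "add", "login.php")
    git(repo, "commit", "-q", "-m", "add login page")
    (repo / "login.php").write_text(FIXED_SRC)
    git(repo, "add", "login.php")
    git(repo, "commit", "-q", "-m", "fix sqli in login")


def find_patch_commit(repo: Path, marker: str = VULN_MARKER) -> str:
    """Newest commit whose diff changed the number of occurrences of marker.
    -S lists both the commit that added the string and the one that removed
    it; the log is newest-first, so the first line is the removal (the fix)."""
    out = git(repo, "log", "--format=%H", "-S", marker, "--", "login.php")
    return out.splitlines()[0]


def vulnerable_source(repo: Path, patch_commit: str) -> str:
    """login.php as it was in the parent of the patch commit."""
    return git(repo, "show", f"{patch_commit}^:login.php")


def demo() -> tuple:
    """Returns (patch commit hash, vulnerable login.php source)."""
    with tempfile.TemporaryDirectory() as tmp:
        repo = Path(tmp)
        build_sample_repo(repo)
        commit = find_patch_commit(repo)
        return commit, vulnerable_source(repo, commit)


if __name__ == "__main__":
    commit, src = demo()
    print(f"patched in {commit}\n--- vulnerable version ---\n{src}")
```

On a real repo you would skip the build step and run the same `git log -S` against the checked-out directory; if the patch touched more than one file, drop the trailing path argument and let the pickaxe search the whole tree.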
The vulnerable code is as follows:
if (empty($username_err) && empty($password_err)) {
    // Prepare a select statement. $username is concatenated straight into the
    // query string, so a single quote in the POST body closes the literal.
    $sql = "SELECT id, username, password FROM users WHERE username = '" . $username . "'";
}
The vulnerability is that the username field is injectable: $username is never escaped or bound, so a single quote ends the string literal and whatever follows it is parsed as SQL. Let's take note of what the rule needs to key on for this vulnerability specifically: a POST to /login.php whose body carries a username parameter containing a quote.
I spent too long working on a super long regex line that would handle all of MySQL, until I was re-educated about how you should make it as broad as possible to avoid boxing yourself in.
That ended up with the final alert rule of:
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"Best Login System Ever Vulnerability"; flow:to_server,established; content:"POST"; http_method; content:"/login.php"; http_uri; content:"username="; http_client_body; pcre:"/username=.*'.*('|--)/iP"; classtype:web-application-attack; sid:1234560001; rev:1;)
flow:to_server,established limits the match to the client side of an established TCP session, and http_client_body plus the P modifier on the pcre anchor the username check to the POST body rather than the whole packet payload. Note what the regex actually requires: a quote followed later by either a second quote or a "--" comment marker, so a payload that ends the statement with "#" and a single quote will not trigger it.
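To see what the rule's logic does and does not catch, here is an added example that is not from the original write-up: it models each option of the rule as a check in Python (method, URI, body content, pcre) and runs them over constructed HTTP requests. The sample requests, the hostname, the BROAD_PCRE alternative and the parser are all assumptions for the demo; Python's `re` and PCRE agree on this simple pattern. One caveat to check on your own sensor: a browser sends the quote as %27, and whether the http_client_body buffer is presented percent-decoded depends on the http_inspect configuration, so the last sample shows how the pattern behaves against the raw encoded form.

```python
"""Replay the login.php Snort rule's matching logic over sample requests
(added example, not the write-up's code)."""
import re
from dataclasses import dataclass

# pcre from the rule, unchanged.
RULE_PCRE = re.compile(r"username=.*'.*('|--)", re.IGNORECASE)

# Broader alternative (assumption, not the write-up's rule): alert on a quote
# or any comment sequence inside the username value itself.
BROAD_PCRE = re.compile(r"username=[^&]*('|--|#|/\*)", re.IGNORECASE)


@dataclass
class HttpRequest:
    method: str
    uri: str
    body: str


def parse_request(raw: bytes) -> HttpRequest:
    """Minimal HTTP/1.1 request parser: request line, headers, body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line = head.split(b"\r\n", 1)[0].decode("latin-1")
    method, uri, _version = request_line.split(" ", 2)
    return HttpRequest(method, uri, body.decode("latin-1"))


def rule_matches(raw: bytes, pattern: re.Pattern = RULE_PCRE) -> bool:
    """True when every option of the rule would match, evaluated in rule order."""
    req = parse_request(raw)
    if req.method != "POST":                 # content:"POST"; http_method;
        return False
    if "/login.php" not in req.uri:          # content:"/login.php"; http_uri;
        return False
    if "username=" not in req.body:          # content:"username="; http_client_body;
        return False
    return pattern.search(req.body) is not None   # pcre:"/.../iP"


def post_login(username: str) -> bytes:
    """Constructed POST to /login.php carrying the given raw username value."""
    body = f"username={username}&password=x"
    return (
        "POST /login.php HTTP/1.1\r\n"
        "Host: target.example\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\n"
        f"Content-Length: {len(body)}\r\n\r\n{body}"
    ).encode()


# Constructed traffic: one benign login, three injection attempts with raw
# quotes, and one as a browser would actually encode it (' -> %27, space -> +).
SAMPLES = {
    "benign":       post_login("alice"),
    "or_true":      post_login("admin' OR '1'='1"),
    "comment_dash": post_login("admin'-- "),
    "comment_hash": post_login("admin'#"),
    "url_encoded":  post_login("admin%27--+"),
}


def evaluate(pattern: re.Pattern = RULE_PCRE) -> dict:
    """Map each sample name to whether the rule (with `pattern`) would alert."""
    return {name: rule_matches(raw, pattern) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    rule, broad = evaluate(), evaluate(BROAD_PCRE)
    for name in SAMPLES:
        print(f"{name:13} rule_pcre={rule[name]!s:5} broad_pcre={broad[name]}")
```

The "comment_hash" sample is the gap the rule's regex leaves open: one quote and a "#" terminator is valid MySQL but contains neither a second quote nor "--". The encoded sample only trips BROAD_PCRE because the dashes survive form encoding; if your http_inspect does not decode the body, add the %27 form of the quote to whichever pattern you ship.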