next up previous contents
Next: 實機操作練習題 Up: SQL Injection 注入 Previous: 限制輸入字元   Contents   DYWANG_HOME


  1. mod_security 是 Apache 的一個模組,可以提供入侵偵測及防禦,如同 web 應用程式的防火牆,用來抵擋如 SQL injection attacks, cross-site scripting, path traversal attacks。
  2. 沒有安裝 mod_security 模組時,injection.php 存在 sql injection 漏洞。
    [root@kvm3 src]# curl -s http://kvm3/injection.php?"user='a'%20or%201" \
     | sed 's/<br> */\n/g'
    User: root
    User: hosttest
    User: user2
    HOST: ::1
    User: root
    User: root
    HOST: localhost
    User: dywang
    HOST: localhost
    User: root
    HOST: localhost
    User: user1
    HOST: localhost
    User: user3
    Fetched data successfully
  3. 安裝 mod_security 模組。
    [root@kvm3 src]# yum install mod_security
  4. 查看 mod_security 模組訊息,版本是 2.9.2。
    [root@kvm3 src]# yum info mod_security
    Repository AppStream is listed more than once in the configuration
    Repository BaseOS is listed more than once in the configuration
    Last metadata expiration check: 0:08:40 ago on Tue 28 Apr 2020 03:14:41 PM CST.
    Installed Packages
    Name         : mod_security
    Version      : 2.9.2
    Release      : 8.el8
    Arch         : x86_64
    Size         : 1.0 M
    Source       : mod_security-2.9.2-8.el8.src.rpm
    Repo         : @System
    From repo    : AppStream
    Summary      : Security module for the Apache HTTP Server
    URL          :
    License      : ASL 2.0
    Description  : ModSecurity is an open source intrusion detection and prevention
                 : engine for web applications. It operates embedded into the web
                 : server, acting as a powerful umbrella - shielding web
                 : applications from attacks.
  5. 查看 mod_security 模組,rpm 安裝的檔案。
    [root@kvm3 src]# rpm -ql mod_security
  6. 安裝 git。
    [root@kvm3 src]# yum install git
  7. 使用 git 下載 owasp modsecurity core rule 集合。
    [root@kvm3 src]# git clone
    Cloning into 'owasp-modsecurity-crs'...
    remote: Enumerating objects: 10292, done.
    remote: Total 10292 (delta 0), reused 0 (delta 0), pack-reused 10292
    Receiving objects: 100% (10292/10292), 3.29 MiB | 1.17 MiB/s, done.
    Resolving deltas: 100% (7547/7547), done.
  8. 複製 crs-setup.conf.example 到 /etc/httpd/conf.d/crs-setup.conf。
    [root@kvm3 src]# cd owasp-modsecurity-crs/
    [root@kvm3 owasp-modsecurity-crs]# cp crs-setup.conf.example \
  9. 複製包含所有規則的目錄 rules 到 /etc/httpd/modsecurity.d/
    [root@kvm3 owasp-modsecurity-crs]# cp -a rules /etc/httpd/modsecurity.d/
  10. 編輯 /etc/httpd/conf.d/mod_security.conf,將規則目錄 modsecurity.d/rules/ 中的所 *.conf 規則檔加入模組。
    [root@kvm3 owasp-modsecurity-crs]# vim /etc/httpd/conf.d/mod_security.conf
    [root@kvm3 owasp-modsecurity-crs]# vim /etc/httpd/conf.d/mod_security.conf
    [root@kvm3 owasp-modsecurity-crs]# grep rules -A3 /etc/httpd/conf.d/mod_security.conf
    	IncludeOptional modsecurity.d/activated_rules/*.conf
    	IncludeOptional modsecurity.d/local_rules/*.conf
    	IncludeOptional modsecurity.d/rules/*.conf
  11. 因為 rules 是由下載目錄複製到 /etc/httpd 目錄,所以必須恢得其 selinux file context。
    [root@kvm3 owasp-modsecurity-crs]# restorecon -Rv /etc/httpd/mod_security.conf
  12. 重啟 httpd 服務。
    [root@kvm3 owasp-modsecurity-crs]# systemctl restart httpd.service
  13. 再連線存在 sql injection 漏洞的 injection.php,回應 403 Forbidden。
    [root@kvm3 owasp-modsecurity-crs]# curl -s \
    http://kvm3/injection.php?"user='a'%20or%201" | sed 's/<br> */\n/g'
    <title>403 Forbidden</title>
    <p>You don't have permission to access /injection.php
    on this server.<br />

De-Yu Wang 2020-09-18