mod_security is an Apache module that provides intrusion detection and prevention. It acts as a firewall for web applications, blocking attacks such as SQL injection, cross-site scripting and path traversal.
Without the mod_security module, injection.php has a SQL injection vulnerability:

    [root@kvm3 src]# curl -s http://kvm3/injection.php?"user='a'%20or%201" \
    | sed 's/<br> */\n/g'
    HOST: 127.0.0.1
    User: root
    --------------------------------
    HOST: 192.168.122.1
    User: hosttest
    --------------------------------
    HOST: 192.168.122.1
    User: user2
    --------------------------------
    HOST: ::1
    User: root
    --------------------------------
    HOST: kvm3.deyu.wang
    User: root
    --------------------------------
    HOST: localhost
    User: dywang
    --------------------------------
    HOST: localhost
    User: root
    --------------------------------
    HOST: localhost
    User: user1
    --------------------------------
    HOST: localhost
    User: user3
    --------------------------------
    Fetched data successfully
Install the mod_security module:

    [root@kvm3 src]# yum install mod_security
    Complete!
Package information for the mod_security module; the version is 2.9.2:

    [root@kvm3 src]# yum info mod_security
    Repository AppStream is listed more than once in the configuration
    Repository BaseOS is listed more than once in the configuration
    Last metadata expiration check: 0:08:40 ago on Tue 28 Apr 2020 03:14:41 PM CST.
    Installed Packages
    Name         : mod_security
    Version      : 2.9.2
    Release      : 8.el8
    Arch         : x86_64
    Size         : 1.0 M
    Source       : mod_security-2.9.2-8.el8.src.rpm
    Repo         : @System
    From repo    : AppStream
    Summary      : Security module for the Apache HTTP Server
    URL          : http://www.modsecurity.org/
    License      : ASL 2.0
    Description  : ModSecurity is an open source intrusion detection and prevention
                 : engine for web applications. It operates embedded into the web
                 : server, acting as a powerful umbrella - shielding web
                 : applications from attacks.
Files installed by the mod_security rpm:

    [root@kvm3 src]# rpm -ql mod_security
    /etc/httpd/conf.d/mod_security.conf
    /etc/httpd/conf.modules.d/10-mod_security.conf
    /etc/httpd/modsecurity.d
    /etc/httpd/modsecurity.d/activated_rules
    /etc/httpd/modsecurity.d/local_rules
    /etc/httpd/modsecurity.d/local_rules/modsecurity_localrules.conf
    /usr/lib/.build-id
    /usr/lib/.build-id/c1
    /usr/lib/.build-id/c1/678c921f1523a225ddb40d90c86efeb1106371
    /usr/lib64/httpd/modules/mod_security2.so
    /usr/share/doc/mod_security
    /usr/share/doc/mod_security/CHANGES
    /usr/share/doc/mod_security/LICENSE
    /usr/share/doc/mod_security/NOTICE
    /usr/share/doc/mod_security/README.TXT
    /var/lib/mod_security
Install git, fetch the OWASP ModSecurity Core Rule Set (CRS), and copy its setup file and rules directory into the Apache configuration tree:

    [root@kvm3 src]# yum install git
    [root@kvm3 src]# git clone https://github.com/SpiderLabs/owasp-modsecurity-crs.git
    Cloning into 'owasp-modsecurity-crs'...
    remote: Enumerating objects: 10292, done.
    remote: Total 10292 (delta 0), reused 0 (delta 0), pack-reused 10292
    Receiving objects: 100% (10292/10292), 3.29 MiB | 1.17 MiB/s, done.
    Resolving deltas: 100% (7547/7547), done.
    [root@kvm3 src]# cd owasp-modsecurity-crs/
    [root@kvm3 owasp-modsecurity-crs]# cp crs-setup.conf.example \
    /etc/httpd/conf.d/crs-setup.conf
    [root@kvm3 owasp-modsecurity-crs]# cp -a rules /etc/httpd/modsecurity.d/
Edit /etc/httpd/conf.d/mod_security.conf so that every *.conf rule file in the rules directory modsecurity.d/rules/ is loaded by the module (add an IncludeOptional line for it next to the existing ones):

    [root@kvm3 owasp-modsecurity-crs]# vim /etc/httpd/conf.d/mod_security.conf
    [root@kvm3 owasp-modsecurity-crs]# vim /etc/httpd/conf.d/mod_security.conf
    [root@kvm3 owasp-modsecurity-crs]# grep rules -A3 /etc/httpd/conf.d/mod_security.conf
        IncludeOptional modsecurity.d/activated_rules/*.conf
        IncludeOptional modsecurity.d/local_rules/*.conf
        IncludeOptional modsecurity.d/rules/*.conf
    </IfModule>
    [root@kvm3 owasp-modsecurity-crs]# restorecon -Rv /etc/httpd/mod_security.conf

Restart httpd and repeat the request; mod_security now rejects it with 403 Forbidden:

    [root@kvm3 owasp-modsecurity-crs]# systemctl restart httpd.service
    [root@kvm3 owasp-modsecurity-crs]# curl -s \
    http://kvm3/injection.php?"user='a'%20or%201" | sed 's/<br> */\n/g'
    <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
    <html><head>
    <title>403 Forbidden</title>
    </head><body>
    <h1>Forbidden</h1>
    <p>You don't have permission to access /injection.php on this server.<br />
    </p>
    </body></html>
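As an added example (not part of the original post and not ModSecurity's own tooling), the following shell script checks that the configuration edited above really loads the CRS rule directory with the rule engine set to On, and extracts the blocking rule from Apache's error_log, which is where mod_security records why a request received the 403 shown above. It assumes the RHEL 8 paths from the page (/etc/httpd/conf.d/mod_security.conf) plus /var/log/httpd/error_log as the log location, and a `SecRuleEngine On` directive in mod_security.conf; the error_log lines it parses are constructed samples in the ModSecurity 2.x format, not captured from the kvm3 host.

```shell
#!/bin/sh
# Added example, not from the original page: checks the mod_security + OWASP
# CRS wiring described above and extracts blocking rules from Apache's
# error_log. Paths are the RHEL 8 defaults used on the page; the sample log
# lines below are constructed, not captured from the kvm3 host.

MODSEC_CONF=/etc/httpd/conf.d/mod_security.conf   # edited on the page
ERROR_LOG=/var/log/httpd/error_log                # assumed RHEL 8 default

# check_modsec_conf FILE
# Succeeds (exit 0) only when FILE turns the rule engine on and includes the
# CRS rule directory copied in above; prints the first problem found otherwise.
check_modsec_conf() {
    conf="$1"
    [ -r "$conf" ] || { echo "cannot read $conf"; return 1; }
    if ! grep -Eq '^[[:space:]]*SecRuleEngine[[:space:]]+On' "$conf"; then
        echo "SecRuleEngine is not On in $conf (DetectionOnly only logs, never blocks)"
        return 1
    fi
    if ! grep -Eq '^[[:space:]]*IncludeOptional[[:space:]]+modsecurity\.d/rules/\*\.conf' "$conf"; then
        echo "modsecurity.d/rules/*.conf is not included from $conf"
        return 1
    fi
    echo "ok: $conf enables the engine and loads modsecurity.d/rules/*.conf"
}

# modsec_denials [FILE]
# Reads Apache error_log lines (FILE or stdin) and prints one summary line per
# request mod_security blocked: client IP, rule id, rule message and URI.
# Per-rule warnings are skipped; with the CRS the blocking entry is normally
# the anomaly-score evaluation rule, and the warnings logged just before it
# name the attack class that scored.
modsec_denials() {
    grep 'ModSecurity: Access denied' ${1:+"$1"} \
    | sed -E 's/.*\[client ([^]]*)].*\[id "([0-9]+)"].*\[msg "([^"]*)"].*\[uri "([^"]*)"].*/client=\1 id=\2 msg="\3" uri=\4/'
}

# Constructed sample in ModSecurity 2.x error_log format: a per-rule warning,
# the anomaly-score denial for the injection.php request, an unrelated
# server notice, and a second denial from another client.
sample_log() {
cat <<'EOF'
[Tue Apr 28 15:30:02.100000 2020] [:error] [pid 4243] [client 192.168.122.1:50001] [client 192.168.122.1] ModSecurity: Warning. detected SQLi using libinjection with fingerprint 's&1' [file "/etc/httpd/modsecurity.d/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "45"] [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [data "Matched Data: s&1 found within ARGS:user: 'a' or 1"] [severity "CRITICAL"] [hostname "kvm3"] [uri "/injection.php"] [unique_id "CONSTRUCTED-1"]
[Tue Apr 28 15:30:02.100500 2020] [:error] [pid 4243] [client 192.168.122.1:50001] [client 192.168.122.1] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/httpd/modsecurity.d/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "91"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [tag "attack-generic"] [hostname "kvm3"] [uri "/injection.php"] [unique_id "CONSTRUCTED-2"]
[Tue Apr 28 15:31:00.000000 2020] [mpm_prefork:notice] [pid 4200] AH00163: Apache/2.4.37 (centos) configured -- resuming normal operations
[Tue Apr 28 15:32:10.000000 2020] [:error] [pid 4250] [client 10.0.0.9:41000] [client 10.0.0.9] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/httpd/modsecurity.d/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "91"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [tag "attack-generic"] [hostname "kvm3"] [uri "/search.php"] [unique_id "CONSTRUCTED-3"]
EOF
}

# With --live, inspect the real files on a host set up as on the page;
# otherwise demonstrate the parser on the constructed sample.
if [ "${1:-}" = "--live" ]; then
    check_modsec_conf "$MODSEC_CONF" || true
    modsec_denials "$ERROR_LOG" || true
else
    sample_log | modsec_denials
fi
```

Run it with `--live` on the configured host to check the real files; without arguments it prints the two denials from the built-in sample. The script treats `SecRuleEngine DetectionOnly` as a failure because in that mode mod_security only logs matches and never returns a 403; that mode is the usual way to watch the error_log for false positives from the CRS before switching the engine to On.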