kys16

2026-06-02 23:38:20 +01:00
parent c053a064b2
commit 0992d4a6e0
1 changed files with 5 additions and 5 deletions
--- a/conf/modsecurity.conf
+++ b/conf/modsecurity.conf
@@ -8,12 +8,12 @@ SecAuditLogType Serial
 SecAuditLog /var/log/modsecurity/audit.log

 # sql injection
-SecRule REQUEST_URI|ARGS "(?i:(?:select|insert|update|delete|drop|union|create|alter|truncate)\s+.+\s+from|'[^']*'|--|;|\b(or|and)\b\s+\d+\s*=\s*\d+)" \
-    "id:950001,phase:1,deny,status:403,msg:'SQL INJECTION ATTACK DETECTED!!!',log,t:urlDecode,t:sqlHexDecode,t:lowercase"
+SecRule ARGS "(?i)(['\"]|--|#|/\*|\*/)" \
+    "id:950001,phase:2,deny,status:403,msg:'SQL Injection: Escape or Comment',log,t:urlDecode,t:lowercase"

-# sql injection parte 2
-SecRule REQUEST_URI|ARGS "['\"](?:\s+or\s+\d+\s*=\s*\d+\s*--|\s+or\s+'.+?'\s*=\s*'.+?'\s*--|.*?--)" \
-    "id:950002,phase:1,deny,status:403,msg:'SQL INJECTION ATTACK DETECTED!1!',log,t:urlDecode,t:lowercase,t:compressWhitespace"
+# sql keyword
+SecRule ARGS "(?i)\b(select|insert|update|delete|drop|union|grant|alter|truncate)\b" \
+    "id:950002,phase:2,deny,status:403,msg:'SQL Injection: Keyword',log,t:urlDecode,t:lowercase"

 # xss / html injection
 SecRule REQUEST_URI|ARGS "(<.*>)|(%3C.*%3E)" \