SQL Injection
Are the filters configured to detect a SQL injection attempt?
I passed
anything' OR '1'='1
to one form and it didn't detect it.
Yes, it should detect SQLi as per filter_rules.json#L517-L529. If not, then the filter may have gotten broken. I had opened https://github.com/enygma/expose/issues/58 in hopes of having better quality checks on new/old/modified rules.
Is it because this rule does not include the ' char?
@tranba quotes are normalized here: src/Expose/Converter/ConvertMisc.php#L80-L94. If that were not done, the patterns would be overly complex, having to match each and every variation of quote use.
@quantumpacket I've found a problem in the run function: https://github.com/enygma/expose/blob/07ee1ebe5af6a23029d4d30147463141df724fc5/src/Expose/Manager.php#L125-L129
Convert only applies to the first level of the data array, so for example `$data = array('POST' => array('dirty' => " a ' or 1 = 1"))` will bypass it.
@enygma Have not tested the below, but would using array_walk_recursive() suffice for the above? We may want to also check that recursion is being done in other areas as well. [ DEMO ]
src/Expose/Manager.php
```php
// try to clean up standard filter bypass methods
array_walk_recursive($data, [new \Expose\Converter\Converter, 'runAllConversions']);
$path = array();
// ...
```
src/Expose/Converter/Converter.php
```php
public function runAllConversions(&$value)
{
    // ...
    // return $value;
}
```
Might I suggest running the rules against https://github.com/minimaxir/big-list-of-naughty-strings as part of the unit tests?
Also on a side-note, would you be interested in a Python3 port of Expose?
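To show the difference between the first-level-only conversion described above and the `array_walk_recursive()` approach, here is an added, stand-alone example (not Expose's own code). `normalizeQuotes()` is a hypothetical stand-in for the quote normalization in ConvertMisc; the nested `$data` shape is the constructed input from the bug report.

```php
<?php
// Added example, not Expose's own code. normalizeQuotes() is a hypothetical
// stand-in for the quote normalization in ConvertMisc so the script runs on
// its own: it folds a few quote variants into a single ' character so that
// detection rules only have to match one form.
function normalizeQuotes(string $value): string
{
    return str_replace(['`', '"', '&quot;', '&#39;', '&#x27;'], "'", $value);
}

// Shallow pass, like the loop described for Manager::run: only top-level
// string values are converted, so nested request parameters are skipped.
function convertFirstLevelOnly(array $data): array
{
    foreach ($data as $key => $value) {
        if (is_string($value)) {
            $data[$key] = normalizeQuotes($value);
        }
    }
    return $data;
}

// Recursive pass suggested in the thread: array_walk_recursive() visits
// every leaf and hands it to the callback by reference, so nested values
// are converted in place as well.
function convertRecursively(array $data): array
{
    array_walk_recursive($data, function (&$value) {
        if (is_string($value)) {
            $value = normalizeQuotes($value);
        }
    });
    return $data;
}

function check(bool $ok, string $what): void
{
    echo ($ok ? 'ok   ' : 'FAIL ') . $what . PHP_EOL;
    if (!$ok) { exit(1); }
}
// Constructed sample input in the nested shape from the bug report.
$data = ['POST' => ['dirty' => ' a " or 1 = 1'], 'flat' => 'x " or 1 = 1'];
$shallow   = convertFirstLevelOnly($data);
$recursive = convertRecursively($data);

check($shallow['flat'] === "x ' or 1 = 1", 'shallow pass converts top-level value');
check($shallow['POST']['dirty'] === ' a " or 1 = 1', 'shallow pass leaves nested value unconverted');
check($recursive['flat'] === "x ' or 1 = 1", 'recursive pass converts top-level value');
check($recursive['POST']['dirty'] === " a ' or 1 = 1", 'recursive pass converts nested value');
```

Run with `php example.php`; the second check is the bypass, since a rule tuned to the normalized quote never sees the nested value in that form.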
Seems `anything' OR '1'='1` doesn't match the rules.
Below are matched:
`a' or 1=1;#`, `a' or 1=1;--`
@yehgdotnet what was the downvote for? Did the code not work or is the rule itself broken?
wrong click, was too sleepy, cheers