OpenRASP blocked a request; after that, not able to do any further action in the application, not able to access it


ashok manda

Jun 20, 2019, 4:19:14 AM
to OpenRASP
When OpenRASP blocks a request, I get a log in the alarm directory, and after that I restarted both PHP and apache2 but am not able to access the PHP application.
I got an SQL injection attack, so the log format is here.

{
"request_method": "get",
"target": "webgoat.test",
"server_ip": "127.0.0.1",
"referer": "",
"user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.90 Safari\/537.36",
"attack_source": "127.0.0.1",
"path": "\/",
"url": "http:\/\/webgoat.test\/",
"client_ip": "",
"event_type": "attack",
"server_hostname": "inctashok",
"server_type": "PHP",
"server_version": "7.1.30",
"request_id": "801ae0a8168ddd9800002fc2133295c8",
"body": "",
"event_time": "2019-06-20\t13:43:05+0530",
"stack_trace": "\/home\/inct-ashok\/Documents\/code\/WebGoatPHP\/app\/plugin\/doctrine\/Doctrine\/DBAL\/Connection.php(query:646)\n\/home\/inct-ashok\/Documents\/code\/WebGoatPHP\/app\/plugin\/doctrine\/Doctrine\/DBAL\/Connection.php(executeQuery:584)\n\/home\/inct-ashok\/Documents\/code\/WebGoatPHP\/app\/plugin\/doctrine\/Doctrine\/DBAL\/Schema\/AbstractSchemaManager.php(fetchAll:290)\n\/home\/inct-ashok\/Documents\/code\/WebGoatPHP\/app\/plugin\/doctrine\/Doctrine\/DBAL\/Schema\/AbstractSchemaManager.php(listTableForeignKeys:257)\n\/home\/inct-ashok\/Documents\/code\/WebGoatPHP\/app\/plugin\/doctrine\/Doctrine\/DBAL\/Schema\/AbstractSchemaManager.php(listTableDetails:242)\n\/home\/inct-ashok\/Documents\/code\/WebGoatPHP\/app\/plugin\/doctrine\/Doctrine\/DBAL\/Schema\/AbstractSchemaManager.php(listTables:831)\n\/home\/inct-ashok\/Documents\/code\/WebGoatPHP\/app\/plugin\/doctrine\/Doctrine\/ORM\/Tools\/SchemaTool.php(createSchema:733)\n\/home\/inct-ashok\/Documents\/code\/WebGoatPHP\/app\/plugin\/doctrine\/Doctrine\/ORM\/Tools\/SchemaTool.php(getUpdateSchemaSql:711)\n\/home\/inct-ashok\/Documents\/code\/WebGoatPHP\/app\/plugin\/doctrine.php(updateSchema:70)\n\/home\/inct-ashok\/Documents\/code\/WebGoatPHP\/app\/plugin\/doctrine.php(UpdateSchema:80)",
"attack_type": "sql",
"intercept_state": "block",
"plugin_message": "SQLi - Detected MySQL version comment in sql query",
"plugin_name": "offical",
"plugin_confidence": 100,
"attack_params": {
"query": "SELECT DISTINCT k.`CONSTRAINT_NAME`, k.`COLUMN_NAME`, k.`REFERENCED_TABLE_NAME`, k.`REFERENCED_COLUMN_NAME` \/*!50116 , c.update_rule, c.delete_rule *\/ FROM information_schema.key_column_usage k \/*!50116 INNER JOIN information_schema.referential_constraints c ON   c.constraint_name = k.constraint_name AND   c.table_name = 'app_user' *\/ WHERE k.table_name = 'app_user' AND k.table_schema = 'webgoat' \/*!50116 AND c.constraint_schema = 'webgoat' *\/ AND k.`REFERENCED_COLUMN_NAME` is not NULL",
"server": "mysql"
}
}

c0debreak

Jun 20, 2019, 8:01:02 AM
to OpenRASP
Please elaborate on the "not able or access to PHP" part. 

Are you getting a "Connection refused" error, an HTTP 500 error or anything else?

ashok manda

Jun 20, 2019, 8:06:40 AM
to OpenRASP
No, when I open my application, OpenRASP always blocks every request.

c0debreak

Jun 20, 2019, 9:36:16 AM
to OpenRASP
Ah, just figured out:
"SQLi - Detected MySQL version comment in sql query"

We have an algorithm that blocks the request if the SQL query contains `/*!`. You can disable it by changing the following lines:

version_comment:    true,

To

version_comment:    false,


c0debreak

Jun 20, 2019, 10:31:10 AM
to OpenRASP
You will need to modify the `plugin/official.js` file, then restart the Apache/PHP server for it to take effect.
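
Added example (not part of the thread and not OpenRASP's own plugin code): a stand-alone JavaScript triage helper that lists the `/*!NNNNN ... */` version comments in a logged query and the code that issued it, which helps judge whether a block like the one above came from framework-generated SQL before switching `version_comment` off. The function names `findVersionComments` and `triageAlarm` are hypothetical; the sample record reuses the query and the first two stack frames from the alarm log in the first post.

```javascript
// Added example, not OpenRASP code. All function names here are hypothetical.

// Locate MySQL version comments (/*!NNNNN ... */), ignoring any "/*!" that
// sits inside a quoted string or a backtick-quoted identifier.
function findVersionComments(query) {
  const hits = [];
  let i = 0;
  while (i < query.length) {
    const ch = query[i];
    if (ch === "'" || ch === '"' || ch === '`') {
      let j = i + 1;                       // skip to the closing quote
      while (j < query.length && query[j] !== ch) {
        j += (query[j] === '\\' && ch !== '`') ? 2 : 1;
      }
      i = j + 1;
    } else if (query.startsWith('/*!', i)) {
      const end = query.indexOf('*/', i + 3);
      const stop = end === -1 ? query.length : end;
      const m = /^(\d{5,6})?([\s\S]*)$/.exec(query.slice(i + 3, stop));
      hits.push({ offset: i, minVersion: m[1] || null, body: m[2].trim() });
      i = stop + 2;
    } else {
      i += 1;
    }
  }
  return hits;
}

// Summarise one alarm record for triage: what the comments contain and which
// code issued the query (first stack frame, "file(function:line)" format).
function triageAlarm(alarm) {
  const hits = findVersionComments(alarm.attack_params.query);
  const frame = /([^\/]+)\((\w+):(\d+)\)/.exec(alarm.stack_trace.split('\n')[0]);
  return {
    versionComments: hits.length,
    minVersions: [...new Set(hits.map(h => h.minVersion))],
    bodies: hits.map(h => h.body),
    issuedBy: frame ? `${frame[1]}:${frame[2]}` : null,
  };
}

// Sample record: query and first two stack frames copied from the alarm log above.
const sampleAlarm = {
  stack_trace: '/home/inct-ashok/Documents/code/WebGoatPHP/app/plugin/doctrine/Doctrine/DBAL/Connection.php(query:646)\n/home/inct-ashok/Documents/code/WebGoatPHP/app/plugin/doctrine/Doctrine/DBAL/Connection.php(executeQuery:584)',
  attack_params: { query: "SELECT DISTINCT k.`CONSTRAINT_NAME`, k.`COLUMN_NAME`, k.`REFERENCED_TABLE_NAME`, k.`REFERENCED_COLUMN_NAME` /*!50116 , c.update_rule, c.delete_rule */ FROM information_schema.key_column_usage k /*!50116 INNER JOIN information_schema.referential_constraints c ON   c.constraint_name = k.constraint_name AND   c.table_name = 'app_user' */ WHERE k.table_name = 'app_user' AND k.table_schema = 'webgoat' /*!50116 AND c.constraint_schema = 'webgoat' */ AND k.`REFERENCED_COLUMN_NAME` is not NULL" },
};

console.log(triageAlarm(sampleAlarm));
```
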

SAJAL GUPTA

Jun 6, 2024, 3:43:36 AM
to OpenRASP
Can you tell me how you set up OpenRASP? I have downloaded it in Windows Apache XAMPP Tomcat, but it is unable to detect attacks. Please help me.