The SQL injection attack below uses "%3d" (the URL-encoded form of "=") instead of "=" in the parameter query string, so the parameter name extends to the next literal "=". In this example, the parameter name that contains the SQL injection is: page%3d-1'+UnIOn+seLEcT+iF(ascii(substring(user(),7,1))=
The whole parameter query string looks like:
?option=com_virtuemart&page%3d-1'+UnIOn+seLEcT+iF(ascii(substring(user(),7,1))=56,benchmark(5000000,MD5('x')),NULL)--+junk.page HTTP/1.1
Since no default rule is configured to recognize SQL injection in the parameter name, Airlock does not block this kind of attack by default.
To prevent this attack, install the Airlock update 4.2.3.2 or newer.
Otherwise, follow the instructions below.
The "(default) SQL injection rule" of Airlock cannot prevent this type of attack yet. You must therefore configure a custom deny rule as outlined below. We will soon update the default rule set in order to protect web applications from this attack out-of-the-box.
Since the parameter name is affected, a new deny rule filter for parameter names is required:
Deny rule for parameter name:
Name: SQL Injection rule for Parameter Names
Comment: Rule to prevent from SQL Injection attacks in parameter name
Path: (default) No Restriction
HTTP Method: (default) No Restriction
Content Type: (default) No Restriction
IP: (default) No Restriction
Parameter Name: SQL Injection pattern
Parameter Value: (default) No Restriction

Parameter name pattern:
Name: SQL Injection pattern
Comment: Detects SQL Injection attack
Pattern: /\*|;.*--|;.*[^&]#|;.*(execute|exec|insert|update|select|delete|drop|waitfor)['([:cntrl:][:space:]]|[[:cntrl:][:space:](]select[[:cntrl:][:space:]]|[')][[:cntrl:][:space:]]*(or|and|having)['([:cntrl:][:space:]]|[[:digit:]][[:cntrl:][:space:]]+(or|and|having)['([:cntrl:][:space:]]
Ignore Case: On
Invert: Off

Enable these two rules in the corresponding mappings and activate the configuration.
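
The following Python sketch is an added example, not Airlock's own code. It shows how a standard query-string parser splits the request above at the first literal "=" so that the decoded parameter name carries the injection, and it checks parameter names against the pattern above. The translation of the POSIX classes to Python's re syntax and matching on the URL-decoded name are assumptions of this example.

```python
import re
from urllib.parse import parse_qsl

# Python's re has no POSIX bracket classes, so [:cntrl:][:space:] is spelled
# out and [:digit:] becomes 0-9 (this translation is an assumption).
CS = r"\x00-\x1f\x7f\s"
NAME_PATTERN = re.compile(
    r"/\*|;.*--|;.*[^&]#"
    r"|;.*(execute|exec|insert|update|select|delete|drop|waitfor)['(" + CS + r"]"
    r"|[" + CS + r"(]select[" + CS + r"]"
    r"|[')][" + CS + r"]*(or|and|having)['(" + CS + r"]"
    r"|[0-9][" + CS + r"]+(or|and|having)['(" + CS + r"]",
    re.IGNORECASE,  # corresponds to "Ignore Case: On"
)

# Query string from the request shown above (without "?" and " HTTP/1.1").
QUERY = ("option=com_virtuemart&page%3d-1'+UnIOn+seLEcT+iF(ascii(substring"
         "(user(),7,1))=56,benchmark(5000000,MD5('x')),NULL)--+junk.page")


def parameter_names(query: str) -> list[str]:
    """Split on '&', then on the first literal '=', then URL-decode the name."""
    return [name for name, _ in parse_qsl(query, keep_blank_values=True)]


def denied_names(query: str) -> list[str]:
    """Return the decoded parameter names that match the deny pattern."""
    return [n for n in parameter_names(query) if NAME_PATTERN.search(n)]


if __name__ == "__main__":
    for name in parameter_names(QUERY):
        verdict = "DENY" if NAME_PATTERN.search(name) else "ok"
        print(f"{verdict:4}  {name!r}")
```

A filter that inspects only parameter values sees "56,benchmark(...)" for the second parameter and never evaluates the UNION SELECT fragment, because that fragment is part of the name.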