File: //usr/local/modsecurity-crs/regex-assembly/942340.ra
##! Please refer to the documentation at
##! https://coreruleset.org/docs/development/regex_assembly/.
##! The meaning of this rule is.. uncertain.
##! Description doesn't help: "Detects basic SQL authentication bypass attempts 3/3"
##!+ i
##! Definitions and reusables
##!> define space_or_word_or_plus [\s\w+]+
##!> define quotes [\"'`]
##!> define digits \d+
##!> define space \s+
##!> define optional_space \s*?
##! ^ is the same as xor in major databases
##!> assemble
and
nand
or
xor
xxor
div
like
between
not
##!=< logical_operators
##!<
##!> assemble
%
&
<
>
\^
=
##!=< sql_operators
##!<
##! End definitions and reusables
##!> assemble
\|\|
&&
##!=< alternative_logical_operators
##!<
in\s*?\(+\s*?select
##!> assemble
##!> assemble
##!=> logical_operators
{{space}}
##!<
##!> assemble
##!=> alternative_logical_operators
{{optional_space}}
##!<
##!=>
{{space_or_word_or_plus}}
##!=>
regexp{{optional_space}}\(
sounds{{space}}like{{optional_space}}{{quotes}}
[=\d]+x
##!<
##! ORIGINAL :up:
##! (?i:(?:n?and|x?x?or|div|like|between|not)\s+|(?:\|\||\&\&)\s*)[\s\w+]+regexp\s*?\(
##! (?i:(?:n?and|x?x?or|div|like|between|not)\s+|(?:\|\||\&\&)\s*)[\s\w+]+sounds\s+like\s*?[\"'`]
##! (?i:(?:n?and|x?x?or|div|like|between|not)\s+|(?:\|\||\&\&)\s*)[\s\w+]+[=\d]+x
##!
##! Prefix: [\"'`]\s*?
##!> assemble
{{quotes}}{{optional_space}}
##!=>
##!> assemble
{{digits}}{{optional_space}}
##!=>
--
#
##!<
##! ORIGINAL: :up:
##! [\"'`]\s*?\d\s*?--
##! [\"'`]\s*?\d\s*?#
##!
##!> assemble
is{{optional_space}}
##!=>
\d.+{{quotes}}?\w
[\d.]+{{optional_space}}\W.*?{{quotes}}
##!<
##! ORIGINAL: :up:
##! [\"'`]\s*?is\s*?\d.+[\"'`]?\w
##! [\"'`]\s*?is\s*?[\d.]+\s*?\W.*?[\"'`]
##!> assemble
##!> assemble
##!=> logical_operators
{{space}}
##!<
##!> assemble
##!=> alternative_logical_operators
{{optional_space}}
##!<
##!<
##!=>
##!> assemble
array{{optional_space}}\[
true\b
false\b
##!> assemble
\w+
##!=>
{{optional_space}}!?~
##!> assemble
{{space}}
##!=>
not{{space}}similar
similar
##!=>
{{space}}to{{space}}
##!<
##!<
##!<
##! ORIGINAL :up:
##! [\"'`]\s*(?i:(?:n?and|x?x?or|div|like|between|not)\s+|(?:\|\||\&\&)\s*)array\s*\[
##! [\"'`]\s*(?i:(?:n?and|x?x?or|div|like|between|not)\s+|(?:\|\||\&\&)\s*)[\w]+\s*!?~
##! [\"'`]\s*(?i:(?:n?and|x?x?or|div|like|between|not)\s+|(?:\|\||\&\&)\s*)[\w]+\s+(?:not\s+)?similar\s+to\s+
##! [\"'`]\s*(?i:(?:n?and|x?x?or|div|like|between|not)\s+|(?:\|\||\&\&)\s*)(?:true|false)\b
##!
##!<
##! End prefix: [\"'`]\s*?
##!> assemble
{{quotes}}{{optional_space}}
##!=>
##!=> sql_operators
+{{digits}}
##!=>
{{optional_space}}
##!=>
##!> assemble
##!=> logical_operators
=
##!<
##!<
##! ORIGINAL :up:
##! [\"'`][\%&<>^=]+\d\s*?=
##! [\"'`][\%&<>^=]+\d\s*?or
##! [\"'`][\%&<>^=]+\d\s*?xor
##! [\"'`][\%&<>^=]+\d\s*?div
##! [\"'`][\%&<>^=]+\d\s*?like
##! [\"'`][\%&<>^=]+\d\s*?between
##! [\"'`][\%&<>^=]+\d\s*?and
##!> assemble
{{quotes}}
##!=>
##!> assemble
\W+[\w+-]+\s*?={{optional_space}}\d\W+
\|?[\w-]{3,}[^\w\s.,]+
##!<
##!=>
{{quotes}}
##!=>
##!<
##! ORIGINAL :up:
##! [\"'`]\W+[\w+-]+\s*?=\s*?\d\W+[\"'`]
##! [\"'`]\|?[\w-]{3,}[^\w\s.,]+[\"'`]
##!> assemble
\bexcept{{space}}
##!=>
##!> assemble
select\b
values{{optional_space}}\(
##!<
##!<
##! ORIGINAL :up:
##! \bexcept\s+select\b
##! \bexcept\s+values\s*?\(