Welcome to WebmasterWorld Guest from 54.152.38.154

Forum Moderators: Ocean10000 & phranque

Message Too Old, No Replies

How can I block blind SQL injection attack?

Stop query string SQL injection

     
3:22 pm on Aug 26, 2008 (gmt 0)

New User

10+ Year Member

joined:Aug 26, 2008
posts:12
votes: 0


I'm getting a lot of hits from different ip addresses with the following string in the request. This string is after the file name, like:

http://www.example.com/myfile.php?;DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x4445434C415245204

My question is how can I block all requests that contains the DECLARE in it.

I tried this but does not work.

RewriteCond %{REQUEST_METHOD} DECLARE
RewriteCond %{HTTP_REFERER} !.*example.com.* [OR]
RewriteCond %{HTTP_USER_AGENT} ^$
RewriteRule (.*) ^http://%{REMOTE_ADDR}/$ [R=301,L]

Please help me.

Thanks

[edited by: jdMorgan at 6:12 pm (utc) on Nov. 15, 2008]
[edit reason] example.com [/edit]

4:42 pm on Aug 26, 2008 (gmt 0)

Senior Member

WebmasterWorld Senior Member wilderness is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Nov 11, 2001
posts:5505
votes: 4


There's two threads

here [webmasterworld.com]

and

here [webmasterworld.com]

6:41 pm on Aug 26, 2008 (gmt 0)

New User

10+ Year Member

joined:Aug 26, 2008
posts:12
votes: 0


Thank you wilderness. These threads are great but there is no indication of how to block these requests using .htaccess

I would like to know how implement that.

Thanks

6:51 pm on Aug 26, 2008 (gmt 0)

Senior Member

WebmasterWorld Senior Member jdmorgan is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:Mar 31, 2002
posts:25430
votes: 0


Well, here's one way:

RewriteCond %{QUERY_STRING} [^a-z](declare¦char¦set¦cast¦convert¦delete¦drop¦exec¦insert¦meta¦script¦select¦truncate¦update)[^a-z] [NC]
RewriteRule (.*) - [F]

Note that case variations have been seen, so the [NC] flag is used to make the string comparison case-insensitive.

This code returns 403-Forbidden response to requests for any URLs with any of those command or parameter keywords in the appended query string.

[added] Replace all broken pipe "¦" characters with solid pipe characters before use; Posting on this forum modifies the pipe characters. [/added]

Jim

[edited by: jdMorgan at 6:52 pm (utc) on Aug. 26, 2008]

7:16 pm on Aug 26, 2008 (gmt 0)

New User

10+ Year Member

joined:Aug 26, 2008
posts:12
votes: 0


Thank you Morgan.

If I enter the following in the address bar I don't get blocked.
Is there a different way to handle this?
Thanks

mydomain.com/myfile.php?;DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x4445434C41524520

7:22 pm on Aug 26, 2008 (gmt 0)

Senior Member

WebmasterWorld Senior Member jdmorgan is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:Mar 31, 2002
posts:25430
votes: 0


Do you have other working rewriterules? Did you change the pipes as noted above?
7:35 pm on Aug 26, 2008 (gmt 0)

New User

10+ Year Member

joined:Aug 26, 2008
posts:12
votes: 0


I'm sorry. I didn't noticed the pipes.
It's working like a charm. Wow!

Thanks

3:14 am on Aug 27, 2008 (gmt 0)

Moderator

WebmasterWorld Administrator 10+ Year Member

joined:July 2, 2000
posts:2455
votes: 1


I'm getting the same thing, so if I append the above code to a pre exisitng .htaccess file, will this have any effect on what I already have in the file? I would think not, but not being a coder I need to be sure.
1:05 pm on Aug 27, 2008 (gmt 0)

New User

10+ Year Member

joined:Dec 7, 2004
posts: 14
votes: 0


I've had a RewriteCond and RewriteRule blocking query strings for DECLARE [NC] for awhile and recently modified it to Jim's suggested RewriteCond. The long string of letters and numbers (eg. CAST(0x4445434C41524520405....) that are included in the query causes the server to give a 406 (Not Acceptable) error instead of a 403 error. This occurred with either my original RewriteCond or Jim's.

If I include the query string without the long string of letters and numbers in a request to test the block, I get a 403 error. (eg. ;DECLARE%20@S%20CHAR(4000);SET%20@S=CAST)

Not sure I should be concerned or not - it's still serving an error.

1:22 pm on Aug 27, 2008 (gmt 0)

Senior Member

WebmasterWorld Senior Member jdmorgan is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:Mar 31, 2002
posts:25430
votes: 0


> if I append the above code to a pre exisitng .htaccess file, will this have any effect on what I already have in the file?

You should place the code snippet "early" in your list of mod_rewrite rules; For example, there is no use in redirecting such abusive client requests to canonicalize the domain name, or in rewriting thsee requests to another filepath.

> 406 (Not Acceptable)

This indicates that MultiViews may be enabled on your server. If you are not using content negotiation, try adding

 Options -MultiViews 

to your .htaccess file (Or you could also add "-MultiViews" to any pre-existing "Options" line).

---

I should also add that this code is really only useful if you use scripts which directly access SQL on your server, and want to protect your site from "outside" requests arriving from the Web. If you don't have mySQL installed, then all this code does is "give you the satisfaction" of issuing a 403 response instead of serving the page that was requested with the injected squery string attached. But it's doubtful that the malicious program sending these injection attempts even bothers to check the target server response -- It's more likely a "fire and forget" kind of thing...

Jim

3:01 pm on Aug 27, 2008 (gmt 0)

New User

10+ Year Member

joined:Dec 7, 2004
posts: 14
votes: 0


My root .htaccess file starts with these lines:

ErrorDocument 403 "Error 403 / Access Denied.

Options +FollowSymLinks -Indexes -MultiViews
RewriteEngine on

-Multiviews has been there all along.

3:46 am on Aug 31, 2008 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Dec 20, 2004
posts:2377
votes: 0


Thanks jdMorgan. That worked for us. We had been getting hit with those SQL Injection tests for a few weeks now. I had no clue if they had found their way in or not, but hopefully this will help keep them out in the future.
6:05 pm on Aug 31, 2008 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Mar 1, 2004
posts:1258
votes: 0


Thanks Jim, much appreciated. Giving it a whirl right now.
3:15 pm on Sept 18, 2008 (gmt 0)

Junior Member

10+ Year Member

joined:Nov 10, 2005
posts:139
votes: 0


I am getting attacks on pages like this:
myfile.php?pageid=43;DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x4445434C415245204

The code above works for page.php?;DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x4445434C415245204
but doesn't seem to help when pageid=# is included. Is there a way to include both page types?

Thanks.

3:21 pm on Sept 18, 2008 (gmt 0)

Senior Member

WebmasterWorld Senior Member jdmorgan is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:Mar 31, 2002
posts:25430
votes: 0


The code above doesn't care about other parameters, so something else is likely interfering. Check the ordering of this new rule with respect to others which may match the requested URL before this rule can run.

Also beware of Alias, Redirect, MultiViews, AcceptPathInfo, and other factors which can pre-empt mod_rewrite rules.

Jim

4:15 pm on Sept 18, 2008 (gmt 0)

Junior Member

10+ Year Member

joined:Nov 10, 2005
posts:139
votes: 0


Thanks, JD. Regarding the order, I have it listed above any other mod_rewrite rules.

Also beware of Alias, Redirect, MultiViews, AcceptPathInfo, and other factors which can pre-empt mod_rewrite rules.

Sorry. My assumption that if it worked in the one instance it should work for the other was obviously incorrect. Thanks anyway.
4:14 pm on Nov 15, 2008 (gmt 0)

Junior Member

10+ Year Member

joined:Dec 29, 2006
posts:89
votes: 0


Hi Jim, I have tried your rule in my htaccess file on a domain I have and it works a charm - thank you so much.

Just one question - I have several sites on one dedicated server, so I guess I could add these lines to each separate htaccess file (ie on a per site basis), but can it be placed to work server-wide without having to alter each individual htaccess file? ie at some top level htaccess file? If so, where exactly is that file?

5:52 pm on Nov 15, 2008 (gmt 0)

Senior Member

WebmasterWorld Senior Member jdmorgan is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:Mar 31, 2002
posts:25430
votes: 0


Since .htaccess files are per-domain, you can't use .htaccess. But if you have server configuration privileges, you could put the code into the httpd.conf file.

Jim

2:11 pm on Nov 16, 2008 (gmt 0)

Junior Member

10+ Year Member

joined:Dec 29, 2006
posts:89
votes: 0


Thanks, Jim. I was wondering if there is an alternative/additional way to do this in the httpd.conf file, by returning a 403 for any url that was longer than, say 150 characters (depending on what particular set-up one has). Is that possible or even desireable?

Man_in_Poland

4:29 pm on Nov 16, 2008 (gmt 0)

Senior Member

WebmasterWorld Senior Member jdmorgan is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:Mar 31, 2002
posts:25430
votes: 0


> returning a 403 for any url that was longer than, say 150 characters

Possible? Yes, of course:


RewriteRule .{150,} - [F]

Desireable? That would depend on your normal site traffic, and I can not recommend for or against this.

But note that you asked about the URL, and that is not where the problem is here. The problem is in the query string, which is not part of a URL, but rather, data attached to a URL to be passed to the resource at that URL. So the above code probably won't do what you really want. You'd need something like this:


RewriteCond %{QUERY_STRING} .{150,}
RewriteRule .* - [F]

BTW, I've seen mod_rewrite get confused when the quantifier exceeds 250 -- Not 255 or 256, but 250. So if you need more that 250 characters, then use a base quantifier less than 251, and then either include multiple instances, or use nested quantifiers e.g. ".{250}.{250}.{250,}" or "(.{250}){3,}" for a maximum of 750 characters in this example.

Jim

6:44 pm on Nov 16, 2008 (gmt 0)

Senior Member

WebmasterWorld Senior Member g1smd is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:July 3, 2002
posts:18903
votes: 0


See also the last post on the very last page of [webmasterworld.com...]
1:01 am on Dec 25, 2008 (gmt 0)

Preferred Member

10+ Year Member Top Contributors Of The Month

joined:July 23, 2004
posts:577
votes: 94


@jdMorgan

RewriteCond %{QUERY_STRING} [^a-z](declare¦char¦set¦cast¦convert¦delete¦drop¦exec¦insert¦meta¦script¦select¦truncate¦update)[^a-z] [NC]
RewriteRule (.*) - [F]

We may also just want to touch base on the fact that this write will directly interfere with some Wordpress functions (changing things like skins and removing posts).

Also, it may provide a challenge (by way of 403) to those who would provide sitewide search using any of the terms contained in the write.

4:23 am on Dec 25, 2008 (gmt 0)

Senior Member

WebmasterWorld Senior Member jdmorgan is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:Mar 31, 2002
posts:25430
votes: 0


Use a RewriteCond to exclude WP and/or search page URL-paths if needed.

Alternately, specify a specific URL-path to which the rule is to apply using the RewriteRule pattern, instead of the ".*" pattern shown above.

There is no "one-size-fits-all" solution.

Jim

7:58 pm on Dec 25, 2008 (gmt 0)

Preferred Member

10+ Year Member

joined:July 25, 2006
posts: 460
votes: 0


Instead of banning the words, you might have better luck banning the punctuation that is required for those injected commands to work (such as parentheses), as long as your own URLs don't use those punctuation characters.
 

Join The Conversation

Moderators and Top Contributors

Hot Threads This Week

Featured Threads

Free SEO Tools

Hire Expert Members