linkusystems Newbie

Joined: 07 October 2004 Location: United States
Online Status: Offline Posts: 30
Posted: 10 May 2008 at 11:15pm
Here is my rule, but what I want is to send over the variables from the original request, such as requesting IP address, original URL, querystring variables, etc.
This will allow me to send myself an e-mail alert with the details to determine any false positives and adjust accordingly. How would I do that? I cannot figure it out.
RewriteRule .*DECLARE%20* http\://www.mydomain.net/sql_error.asp [I,R]
RewriteRule .*INSERT%20* http\://www.mydomain.net/sql_error.asp [I,R]
RewriteRule .*%20xp_* http\://www.mydomain.net/sql_error.asp [I,R]
RewriteRule .*EXEC(@* http\://www.mydomain.net/sql_error.asp [I,R]
RewriteRule .*%20@* http\://www.mydomain.net/sql_error.asp [I,R]
RewriteRule .*@%20* http\://www.mydomain.net/sql_error.asp [I,R]
Yaroslav Admin Group

Joined: 15 August 2002
Online Status: Offline Posts: 6521
Posted: 12 May 2008 at 10:05am
Instead of redirecting problematic requests, rewrite them to some ASP script that will collect required data.
__________________ Yaroslav Govorunov,
Helicon Tech
linkusystems Newbie

Joined: 07 October 2004 Location: United States
Online Status: Offline Posts: 30
Posted: 12 May 2008 at 10:33am
That sounds good, but how do I do that? I am good with ASP, but I just don't know how to get that to work with your stuff.
Yaroslav Admin Group

Joined: 15 August 2002
Online Status: Offline Posts: 6521
Posted: 12 May 2008 at 11:42am
RewriteRule .*DECLARE%20* /sql_error.asp [I]
RewriteRule .*INSERT%20* /sql_error.asp [I]
RewriteRule .*%20xp_* /sql_error.asp [I]
RewriteRule .*EXEC(@* /sql_error.asp [I]
RewriteRule .*%20@* /sql_error.asp [I]
RewriteRule .*@%20* /sql_error.asp [I]
__________________ Yaroslav Govorunov,
Helicon Tech
linkusystems Newbie

Joined: 07 October 2004 Location: United States
Online Status: Offline Posts: 30
Posted: 12 May 2008 at 11:49am
Oh I see... but the problem with that is I would need to have the page sql_error.asp uploaded to every website's directory, of which there are 1000s, so that is why I was trying to do it this way, because it is global.
ballmatic Newbie

Joined: 30 January 2007
Online Status: Offline Posts: 20
Posted: 12 May 2008 at 5:17pm
I am having SQL injection problems as well. A few sites of ours were taken offline. Thank God for Windows 2003's shadow copy so we could restore the databases.
We noticed that our websites are being attacked more frequently. We have been playing with the code above, but when we try simple requests the sql_error.asp page that we created isn't triggered! Are you positive that the RewriteRule is correct? When we use other rules we have they work, but these in particular don't seem to be working.
Example: http://localhost/default.asp?id=3;EXEC(@
That SHOULD trigger the sql_error.asp page, but it's not. Suggestions?
linkusystems Newbie

Joined: 07 October 2004 Location: United States
Online Status: Offline Posts: 30
Posted: 12 May 2008 at 5:35pm
It doesn't seem to be catching it... It also doesn't seem to catch this: ";DECLARE @S NVARCHAR(4000);" even though %20@ is a rule... I really don't know why. I am not too good at writing these rules. Can someone let us know if there is a better way to write the rules than what I have?
linkusystems Newbie

Joined: 07 October 2004 Location: United States
Online Status: Offline Posts: 30
Posted: 13 May 2008 at 2:55am
Hey Yaroslav, can you remove my domain name from my posts that I just put on? I cannot find a way to edit it.
Yaroslav Admin Group

Joined: 15 August 2002
Online Status: Offline Posts: 6521
Posted: 13 May 2008 at 7:20am
I missed the dot at the end of the rules (since you had been stating these rules were working). These should work fine and do what you ask:
RewriteRule .*DECLARE%20.* /sql_error.asp
RewriteRule .*INSERT%20.* /sql_error.asp
RewriteRule .*%20xp_.* /sql_error.asp
RewriteRule .*EXEC(@.* /sql_error.asp
RewriteRule .*%20@.* /sql_error.asp
RewriteRule .*@%20.* /sql_error.asp
I simply deleted your posts.
__________________ Yaroslav Govorunov,
Helicon Tech
Yaroslav Admin Group

Joined: 15 August 2002
Online Status: Offline Posts: 6521
Posted: 13 May 2008 at 7:21am
The forum engine broke my rules. Here they are again:
RewriteRule .*DECLARE%20.* /sql_error.asp [I]
RewriteRule .*INSERT%20.* /sql_error.asp [I]
RewriteRule .*%20xp_.* /sql_error.asp [I]
RewriteRule .*EXEC\(@.* /sql_error.asp [I]
RewriteRule .*%20@.* /sql_error.asp [I]
RewriteRule .*@%20.* /sql_error.asp [I]
__________________ Yaroslav Govorunov,
Helicon Tech
ballmatic Newbie

Joined: 30 January 2007
Online Status: Offline Posts: 20
Posted: 13 May 2008 at 7:52am
This is what I've ended up with. So far, it has been working GREAT!
Code:
# Block external HACK attempts
RewriteRule .*DECLARE.* /security-violation.htm
RewriteRule .*NVARCHAR.* /security-violation.htm
RewriteRule .*INSERT .* /security-violation.htm
RewriteRule .*INSERT %20.* /security-violation.htm
RewriteRule .* xp_.* /security-violation.htm
RewriteRule .*%20xp_.* /security-violation.htm
RewriteRule .*%20@.* /security-violation.htm
RewriteRule .* @.* /security-violation.htm
RewriteRule .*@%20.* /security-violation.htm
RewriteRule .*@ .* /security-violation.htm
RewriteRule .*';* /security-violation.htm
RewriteRule .*EXEC\(@.* /security-violation.htm
RewriteRule .*sp_password.* /security-violation.htm
RewriteRule /security-violation.htm /security.asp
As you can see, /SECURITY-VIOLATION.HTM is really SECURITY.ASP and sends us an email. So far, we've seen many of our hosted sites getting hit with these attacks, but the block is working and the reports are flowing in! Now if we could auto-block those IPs on IIS that would be AWESOME!!!
We also added these rules to the httpd.ini file in the c:\program files\Helicon\ISAPI_Rewrite\ directory so we didn't have to update each individual httpd.ini file for each site.
Hope this helps people out! Cheers!
ballmatic Newbie

Joined: 30 January 2007
Online Status: Offline Posts: 20
Posted: 13 May 2008 at 8:35am
**** UPDATE: Reposting because it removed the brackets on the end of the RewriteRule line ****
This is what I've ended up with. So far, it has been working GREAT!
RewriteRule .*DECLARE.* /security-violation.htm [I]
RewriteRule .*NVARCHAR.* /security-violation.htm [I]
RewriteRule .*INSERT .* /security-violation.htm [I]
RewriteRule .*INSERT %20.* /security-violation.htm [I]
RewriteRule .* xp_.* /security-violation.htm [I]
RewriteRule .*%20xp_.* /security-violation.htm [I]
RewriteRule .*%20@.* /security-violation.htm [I]
RewriteRule .* @.* /security-violation.htm [I]
RewriteRule .*@%20.* /security-violation.htm [I]
RewriteRule .*@ .* /security-violation.htm [I]
RewriteRule .*';* /security-violation.htm [I]
RewriteRule .*EXEC\(@.* /security-violation.htm [I]
RewriteRule .*sp_password.* /security-violation.htm [I]
RewriteRule /security-violation.htm /security.asp [I,L]
As you can see, /SECURITY-VIOLATION.HTM is really SECURITY.ASP and it sends us an email. Notice it also has the [I,L] bracket unlike the others. I believe this is important because it stops any other rules from overriding it, right?
So far, we've seen many of our hosted sites getting hit with these attacks, but the block is working and the reports are flowing in! Now if we could auto-block those IPs on IIS that would be AWESOME!!!
We also added these rules to the httpd.ini file in the c:\program files\Helicon\ISAPI_Rewrite\ directory so we didn't have to update each individual httpd.ini file for each site.
Hope this helps people out! Cheers!
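
Added example, not part of the thread and not Helicon's code: a small Python harness that runs the rule patterns posted above against sample URLs, to show which rules fire and which benign requests they also catch (the false-positive check asked about in this thread). It assumes a rule fires only when it matches the whole URL, which is consistent with the missing-dot fix above, and that Python's `re` approximates the rewrite engine's regex dialect; the sample URLs are constructed.

```python
import re

# ballmatic's final patterns as posted in the thread (rewrite targets omitted).
RULES = [
    r".*DECLARE.*", r".*NVARCHAR.*", r".*INSERT .*", r".*INSERT %20.*",
    r".* xp_.*", r".*%20xp_.*", r".*%20@.*", r".* @.*", r".*@%20.*",
    r".*@ .*", r".*';*", r".*EXEC\(@.*", r".*sp_password.*",
]
BROKEN = r".*DECLARE%20*"   # first-posted form, before the missing dot
FIXED = r".*DECLARE%20.*"   # corrected form from the later reply

def matches(pattern, url):
    """Assumption: a rule fires only if it matches the WHOLE URL; [I] = ignore case."""
    return re.fullmatch(pattern, url, re.IGNORECASE) is not None

def fired(url, rules=RULES):
    """Every pattern that would rewrite this URL to the alert page."""
    return [p for p in rules if matches(p, url)]

# Constructed samples: (label, URL, is it an injection attempt?)
SAMPLES = [
    ("thread EXEC test", "/default.asp?id=3;EXEC(@", True),
    ("thread DECLARE string", "/default.asp?id=3;DECLARE%20@S%20NVARCHAR(4000);", True),
    ("news article", "/news/how-to-declare-income.asp", False),
    ("contact note", "/contact.asp?note=see%20you%20@%20noon", False),
    ("plain page", "/default.asp?id=3", False),
]

def false_positives(samples=SAMPLES):
    """Benign samples that at least one rule would still send to the alert page."""
    return [label for label, url, bad in samples if not bad and fired(url)]

def missed(samples=SAMPLES):
    """Injection samples that no rule catches."""
    return [label for label, url, bad in samples if bad and not fired(url)]

if __name__ == "__main__":
    for label, url, bad in SAMPLES:
        print(f"{label:22} attack={bad!s:5} fired={fired(url)}")
    print("false positives:", false_positives())
    print("missed:", missed())
```

Rules like these inspect only the URL, so request bodies and cookies still need parameterized queries or input validation in the application itself.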
linkusystems Newbie

Joined: 07 October 2004 Location: United States
Online Status: Offline Posts: 30
Posted: 13 May 2008 at 10:29am
Everything works great now in regards to the filter, but what I want is to send over the variables from the original request, such as requesting IP address, original URL, querystring variables, etc.
This will allow me to send myself an e-mail alert with the details to determine any false positives and adjust accordingly. How would I do that?
The reason I need it to redirect is because I have several thousand sites and cannot put this file in each folder. Any ideas?
Here are just a few of my rules below...
RewriteRule .*DECLARE .* http\://www.mydomain.net/sql_error.asp [I,R]
RewriteRule .*DECLARE%20.* http\://www.mydomain.net/sql_error.asp [I,R]
RewriteRule .*NVARCHAR.* http\://www.mydomain.net/sql_error.asp [I,R]
RewriteRule .*INSERT .* http\://www.mydomain.net/sql_error.asp [I,R]
linkusystems Newbie

Joined: 07 October 2004 Location: United States
Online Status: Offline Posts: 30
Posted: 13 May 2008 at 10:35am
By the way, I am trying to use:
response.write Request.ServerVariables("HTTP_X_REWRITE_URL")
in my asp script but it is just writing "/sql_error.asp".
ballmatic Newbie

Joined: 30 January 2007
Online Status: Offline Posts: 20
Posted: 13 May 2008 at 12:13pm
The reason you are getting "/sql_error.asp" and not the actual URL they are trying to attack you with is because of the redirect. I don't use a redirect because I have a global folder, so my rule is [I] instead of [I,R] and everything works good for me. Almost too good, I've been getting hit a LOT with the 50-60 sites we host!
I know you run several thousand websites, so if you don't add a global folder then I have no clue how to solve that issue. I know you can have a global httpd.ini, perhaps you can have a global virtual directory in IIS. Worth a look with Google or something? Hope you figure it out! What a pain!!!
miclovio Newbie

Joined: 25 August 2008
Online Status: Offline Posts: 1
Posted: 25 August 2008 at 2:30pm
Ballmatic: can you post the security.asp script you used or an example? I would like to get emails.
mamin123 Newbie

Joined: 27 August 2008
Online Status: Offline Posts: 28
Posted: 01 September 2008 at 5:36pm
ballmatic
The rules mentioned do not work in ISAPI_Rewrite 3. Do you have an updated one? I am getting an error.
dennisg Groupie

Joined: 14 May 2009
Online Status: Offline Posts: 66
Posted: 07 January 2010 at 8:10am
Hi everyone.
I was reading the post above and wanted to see if anyone has anything working for not just the query string, but all parts of the request object - form, cookies, servervariables, etc. I ask since the URL is only one part of the SQL injection issue. We get MANY form & cookie requests. I am currently using an include file at the top of all of my ASP pages on every site we have - and it works very well since you can block just about anything you want. Yes, all I have to do is update the include file if I make a change, but that could be on 20 sites and is just time consuming. I feel like there has to be a better way and that the power of this tool can do it. We currently use rewrite on all our sites and figured that there could be a global rule put in place for the server.
Thanks in advance for any info you can provide!!!
Dennis
Anton Admin Group

Joined: 30 January 2007 Location: Ukraine
Online Status: Offline Posts: 10520
Posted: 08 January 2010 at 5:14am
@dennisg:
Could you please create a new forum topic and describe your situation and requirements in more detail?
__________________ Regards,
Anton