ISAPI_Rewrite 2.x support forum
Subject Topic: Filter SQL Injection Post ReplyPost New Topic
linkusystems
Newbie
Joined: 07 October 2004
Location: United States
Posts: 15
Posted: 10 May 2008 at 11:15pm

Here is my rule, but what I want is to send over the variables from the original request, such as requesting IP address, original URL, querystring variables, etc.

This will allow me to send myself an e-mail alert with the details to determine any false positives and adjust accordingly. How would I do that? I cannot figure it out.

RewriteRule .*DECLARE%20* http\://www.mydomain.net/sql_error.asp [I,R]
RewriteRule .*INSERT%20* http\://www.mydomain.net/sql_error.asp [I,R]
RewriteRule .*%20xp_* http\://www.mydomain.net/sql_error.asp [I,R]
RewriteRule .*EXEC\(@* http\://www.mydomain.net/sql_error.asp [I,R]
RewriteRule .*%20@* http\://www.mydomain.net/sql_error.asp [I,R]
RewriteRule .*@%20* http\://www.mydomain.net/sql_error.asp [I,R]
 
Yaroslav
Moderator Group
Joined: 15 August 2002
Posts: 6303
Posted: 12 May 2008 at 10:05am

Instead of redirecting problematic requests, rewrite them to some ASP script that will collect required data.

__________________
Yaroslav Govorunov,
Helicon Tech
 
linkusystems
Newbie
Joined: 07 October 2004
Location: United States
Posts: 15
Posted: 12 May 2008 at 10:33am

That sounds good, but how do I do that? I am good with ASP, but I just don't know how to get that to work with your stuff.
 
Yaroslav
Moderator Group
Joined: 15 August 2002
Posts: 6303
Posted: 12 May 2008 at 11:42am

RewriteRule .*DECLARE%20* /sql_error.asp [I]
RewriteRule .*INSERT%20* /sql_error.asp [I]
RewriteRule .*%20xp_* /sql_error.asp [I]
RewriteRule .*EXEC\(@* /sql_error.asp [I]
RewriteRule .*%20@* /sql_error.asp [I]
RewriteRule .*@%20* /sql_error.asp [I]

__________________
Yaroslav Govorunov,
Helicon Tech
 
linkusystems
Newbie
Joined: 07 October 2004
Location: United States
Posts: 15
Posted: 12 May 2008 at 11:49am

Oh I see... but the problem with that is I would need to have the page sql_error.asp uploaded to every website's directory, of which there are 1000s, so that is why I was trying to do it this way, because it is global.
 
ballmatic
Newbie
Joined: 30 January 2007
Posts: 7
Posted: 12 May 2008 at 5:17pm

I am having SQL injection problems as well. A few sites of ours were taken offline. Thank God for Windows 2003's shadow copy so we could restore the databases.

We noticed that our websites are being attacked more frequently. We have been playing with the code above, but when we try simple requests the sql_error.asp page that we created isn't triggered! Are you positive that the RewriteRule is correct? When we use other rules we have they work, but these in particular don't seem to be working.

Example:
http://localhost/default.asp?id=3;EXEC(@

That SHOULD trigger the sql_error.asp page, but it's not. Suggestions?
 
linkusystems
Newbie
Joined: 07 October 2004
Location: United States
Posts: 15
Posted: 12 May 2008 at 5:35pm

It doesn't seem to be catching it. It also doesn't seem to catch this: ";DECLARE @S NVARCHAR(4000);" even though %20@ is a rule... I really don't know why. I am not too good at writing these rules; can someone let us know if there is a better way to write the rules than what I have?
 
linkusystems
Newbie
Joined: 07 October 2004
Location: United States
Posts: 15
Posted: 13 May 2008 at 2:55am

Hey Yaroslav, can you remove my domain name from the posts that I just put up? I cannot find a way to edit them.
 
Yaroslav
Moderator Group
Joined: 15 August 2002
Posts: 6303
Posted: 13 May 2008 at 7:20am

I missed the dot at the end of the rules (since you had been stating these rules were working). These should work fine and do what you ask:

RewriteRule .*DECLARE%20.* /sql_error.asp
RewriteRule .*INSERT%20.* /sql_error.asp
RewriteRule .*%20xp_.* /sql_error.asp
RewriteRule .*EXEC\(@.* /sql_error.asp
RewriteRule .*%20@.* /sql_error.asp
RewriteRule .*@%20.* /sql_error.asp

I simply deleted your posts.

__________________
Yaroslav Govorunov,
Helicon Tech
 
Yaroslav
Moderator Group
Joined: 15 August 2002
Posts: 6303
Posted: 13 May 2008 at 7:21am

The forum engine broke my rules. Here they are again:

RewriteRule .*DECLARE%20.* /sql_error.asp [I]
RewriteRule .*INSERT%20.* /sql_error.asp [I]
RewriteRule .*%20xp_.* /sql_error.asp [I]
RewriteRule .*EXEC\(@.* /sql_error.asp [I]
RewriteRule .*%20@.* /sql_error.asp [I]
RewriteRule .*@%20.* /sql_error.asp [I]

__________________
Yaroslav Govorunov,
Helicon Tech
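As an added illustration (not code from this thread or from Helicon Tech), the Python harness below runs the broken rule patterns (trailing `%20*`) and the corrected ones (trailing `%20.*`) against constructed sample URLs shaped like the requests quoted in the thread. It assumes, as an approximation of ISAPI_Rewrite 2.x with the [I] flag, case-insensitive matching and that a pattern has to match the whole URL, and it shows that a regex engine treating `(` as a group opener rejects the unescaped `EXEC(@` rule outright.

```python
import re

# Constructed sample URLs (path + query string as the filter would see them).
# The first two mirror the requests quoted in this thread; the third is benign.
SAMPLES = [
    "/default.asp?id=3;EXEC(@",
    "/default.asp?id=3;DECLARE%20@S%20NVARCHAR(4000);",
    "/products.asp?id=42&page=2",
]

# Patterns as posted: first the broken set (a bare '*' that only repeats the
# preceding '0'), then the corrected set with '.*' and the '(' escaped.
BROKEN = [r".*DECLARE%20*", r".*INSERT%20*", r".*%20xp_*",
          r".*EXEC(@*", r".*%20@*", r".*@%20*"]
FIXED = [r".*DECLARE%20.*", r".*INSERT%20.*", r".*%20xp_.*",
         r".*EXEC\(@.*", r".*%20@.*", r".*@%20.*"]


def compile_rules(patterns):
    """Compile each pattern with [I] semantics (case-insensitive).

    Returns (compiled, invalid): compiled is a list of (pattern, regex) pairs,
    invalid holds the patterns the regex engine rejects (unbalanced '(').
    """
    compiled, invalid = [], []
    for pat in patterns:
        try:
            compiled.append((pat, re.compile(pat, re.IGNORECASE)))
        except re.error:
            invalid.append(pat)
    return compiled, invalid


def triggered(url, compiled):
    """Return the patterns that would rewrite this URL.

    Assumption: the pattern must match the whole URL, so a pattern ending in
    '%20*' (zero or more '0's) cannot consume the rest of the query string,
    whereas '%20.*' can.
    """
    return [pat for pat, rx in compiled if rx.fullmatch(url)]


def evaluate(patterns):
    """Map each sample URL to the rules that fire, plus the rejected patterns."""
    compiled, invalid = compile_rules(patterns)
    return {url: triggered(url, compiled) for url in SAMPLES}, invalid


if __name__ == "__main__":
    for name, patterns in (("broken", BROKEN), ("fixed", FIXED)):
        hits, invalid = evaluate(patterns)
        print(f"{name}: rejected by regex engine -> {invalid}")
        for url, pats in hits.items():
            print(f"  {url!r:52} -> {pats or 'passes through'}")
```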
 
ballmatic
Newbie
Joined: 30 January 2007
Posts: 7
Posted: 13 May 2008 at 7:52am

This is what I've ended up with. So far, it has been working GREAT!

Code:
# Block external HACK attempts
RewriteRule .*DECLARE.* /security-violation.htm
RewriteRule .*NVARCHAR.* /security-violation.htm
RewriteRule .*INSERT .* /security-violation.htm
RewriteRule .*INSERT %20.* /security-violation.htm
RewriteRule .* xp_.* /security-violation.htm
RewriteRule .*%20xp_.* /security-violation.htm
RewriteRule .*%20@.* /security-violation.htm
RewriteRule .* @.* /security-violation.htm
RewriteRule .*@%20.* /security-violation.htm
RewriteRule .*@ .* /security-violation.htm
RewriteRule .*';* /security-violation.htm
RewriteRule .*EXEC\(@.* /security-violation.htm
RewriteRule .*sp_password.* /security-violation.htm
RewriteRule /security-violation.htm /security.asp


As you can see, /SECURITY-VIOLATION.HTM is really SECURITY.ASP and sends us an email. So far, we've seen many of our hosted sites getting hit with these attacks, but the block is working and the reports are flowing in! Now if we could auto-block those IPs on IIS that would be AWESOME!!!

We also added these rules to the httpd.ini file in the c:\program files\Helicon\ISAPI_Rewrite\ directory so we didn't have to update each individual httpd.ini file for each site.

Hope this helps people out! Cheers!
 
ballmatic
Newbie
Joined: 30 January 2007
Posts: 7
Posted: 13 May 2008 at 8:35am

**** UPDATE: Reposting because it removed the brackets on the end of the RewriteRule line ****

This is what I've ended up with. So far, it has been working GREAT!

RewriteRule .*DECLARE.* /security-violation.htm [I]
RewriteRule .*NVARCHAR.* /security-violation.htm [I]
RewriteRule .*INSERT .* /security-violation.htm [I]
RewriteRule .*INSERT %20.* /security-violation.htm [I]
RewriteRule .* xp_.* /security-violation.htm [I]
RewriteRule .*%20xp_.* /security-violation.htm [I]
RewriteRule .*%20@.* /security-violation.htm [I]
RewriteRule .* @.* /security-violation.htm [I]
RewriteRule .*@%20.* /security-violation.htm [I]
RewriteRule .*@ .* /security-violation.htm [I]
RewriteRule .*';* /security-violation.htm [I]
RewriteRule .*EXEC\(@.* /security-violation.htm [I]
RewriteRule .*sp_password.* /security-violation.htm [I]
RewriteRule /security-violation.htm /security.asp [I,L]

As you can see, /SECURITY-VIOLATION.HTM is really SECURITY.ASP and it sends us an email. Notice it also has the [I,L] bracket, unlike the others. I believe this is important because it stops any other rules from overriding it, right?

So far, we've seen many of our hosted sites getting hit with these attacks, but the block is working and the reports are flowing in! Now if we could auto-block those IPs on IIS that would be AWESOME!!!

We also added these rules to the httpd.ini file in the c:\program files\Helicon\ISAPI_Rewrite\ directory so we didn't have to update each individual httpd.ini file for each site.

Hope this helps people out! Cheers!
 
linkusystems
Newbie
Joined: 07 October 2004
Location: United States
Posts: 15
Posted: 13 May 2008 at 10:29am

Everything works great now in regards to the filter, but what I want is to send over the variables from the original request, such as requesting IP address, original URL, querystring variables, etc.

This will allow me to send myself an e-mail alert with the details to determine any false positives and adjust accordingly. How would I do that?

The reason I need it to redirect is because I have several thousand sites and cannot put this file in each folder. Any ideas?

Here are just a few of my rules below...

RewriteRule .*DECLARE .* http\://www.mydomain.net/sql_error.asp [I,R]
RewriteRule .*DECLARE%20.* http\://www.mydomain.net/sql_error.asp [I,R]
RewriteRule .*NVARCHAR.* http\://www.mydomain.net/sql_error.asp [I,R]
RewriteRule .*INSERT .* http\://www.mydomain.net/sql_error.asp [I,R]
 
linkusystems
Newbie
Joined: 07 October 2004
Location: United States
Posts: 15
Posted: 13 May 2008 at 10:35am

By the way, I am trying to use:

response.write Request.ServerVariables("HTTP_X_REWRITE_URL")

in my asp script but it is just writing "/sql_error.asp".
 
ballmatic
Newbie
Joined: 30 January 2007
Posts: 7
Posted: 13 May 2008 at 12:13pm

The reason you are getting "/sql_error.asp" and not the actual URL they are trying to attack you with is because of the redirect. I don't use a redirect because I have a global folder, so my rule is [I] instead of [I,R] and everything works well for me. Almost too well; I've been getting hit a LOT with the 50-60 sites we host!

I know you run several thousand websites, so if you don't add a global folder then I have no clue how to solve that issue. I know you can have a global httpd.ini; perhaps you can have a global virtual directory in IIS. Worth a look with Google or something? Hope you figure it out! What a pain!!!
 