REQ: SQL Injection Prevention


|Jordan|
12-16-2004, 03:51 AM
I manage a large forum with over 3000 members.

Recently a member did an SQL Injection to a game in the arcade. I tried adding code which blocks Union, CLIKE, and string-based attacks but ended up messing the forum up because I didn't completely know what I was doing.

Can anyone make a modification that blocks these attacks?

I was using code from Raven's SQL Injection PHP Nuke Hack (http://ravenphpscripts.com/modules.php?name=Downloads&d_op=viewdownloaddetails&cid=12&lid=88&ttitle=SQL_Injection_Hack_Alert#dldetails) and Nuke Sentinel (http://www.nukescripts.net/modules.php?name=User_Guide) (which has code based on Raven's stuff).

Snippets of code below:


// Raven http://ravenphpscripts.com
// Redirects the request when the raw (still URL-encoded) query string contains a spaced UNION or an SQL comment opener.
$queryString = strtolower($_SERVER['QUERY_STRING']); // $HTTP_SERVER_VARS is the deprecated name for $_SERVER
if (strstr($queryString, '%20union%20') OR strstr($queryString, '/*')) {
    header("Location: hackattempt.php?$queryString");
    die();
}

// Check for UNION attack
// Copyright 2004(c) Raven PHP Scripts
// $querystring, $querystringBase64, $ip, $banuser and $bantime are set earlier by Nuke Sentinel (not shown here).
$blocker_row = abget_blocker("union");
if ($blocker_row['activate'] > 0) {
    $reason = $blocker_row['blocker'];
    if (stristr($querystring, '%20union%20') OR stristr($querystring, '*/union/*')
        OR stristr($querystringBase64, '%20union%20') OR stristr($querystringBase64, '*/union/*')
        OR stristr($querystringBase64, ' union ')) {
        block_ip($ip, $banuser, $bantime, $blocker_row);
    }
}

// Check for CLIKE attack
// Copyright 2004(c) Raven PHP Scripts
$blocker_row = abget_blocker("clike");
if ($blocker_row['activate'] > 0) {
    $reason = $blocker_row['blocker'];
    if (stristr($querystring, '/*') OR stristr($querystringBase64, '/*')) {
        block_ip($ip, $banuser, $bantime, $blocker_row);
    }
}

// Check for SCRIPTING attack
// Copyright 2004(c) ChatServ
$blocker_row = abget_blocker("script");
if ($blocker_row['activate'] > 0) {
    $reason = $blocker_row['blocker'];
    // eregi() was removed in PHP 7; the same tag patterns are written for preg_match() with the /i (case-insensitive) flag.
    $get_patterns = array(
        '/<[^>]*script[^>]*>/i', '/<[^>]*object[^>]*>/i', '/<[^>]*iframe[^>]*>/i',
        '/<[^>]*applet[^>]*>/i', '/<[^>]*meta[^>]*>/i', '/<[^>]*style[^>]*>/i',
        '/<[^>]*form[^>]*>/i', '/\([^>]*"?[^)]*\)/', '/"/',
    );
    $post_patterns = array('/<[^>]*script[^>]*>/i', '/<[^>]*style[^>]*>/i');

    foreach ($_GET as $secvalue) {
        $secvalue = strtolower($secvalue);
        // str_replace() returns the new string; the original discarded the result, so the decoding never took effect.
        $secvalue = str_replace("%3c", "<", $secvalue);
        $secvalue = str_replace("%3e", ">", $secvalue);
        foreach ($get_patterns as $pattern) {
            if (preg_match($pattern, $secvalue)) {
                block_ip($ip, $banuser, $bantime, $blocker_row);
                break;
            }
        }
    }
    foreach ($_POST as $secvalue) {
        $secvalue = strtolower($secvalue);
        $secvalue = str_replace("%3c", "<", $secvalue);
        $secvalue = str_replace("%3e", ">", $secvalue);
        foreach ($post_patterns as $pattern) {
            if (preg_match($pattern, $secvalue)) {
                block_ip($ip, $banuser, $bantime, $blocker_row);
                break;
            }
        }
    }
}

// DOS Attack Blocker
// Refuses requests that carry no User-Agent header, except for backend.php (the RSS feed).
if ($ab_config['prevent_dos'] == 1 AND !stristr($_SERVER['SCRIPT_NAME'], "backend.php")) {
    if (!isset($_SERVER['HTTP_USER_AGENT']) || $_SERVER['HTTP_USER_AGENT'] == "" || $_SERVER['HTTP_USER_AGENT'] == "-") {
        die(_AB_GETOUT);
    }
}


In Raven's hack, a page was displayed and an email sent to the admin when a user tried to hack.
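
The snippets above all work the same way: they scan the incoming query string for signatures such as a spaced UNION or a /* comment and ban or redirect on a hit. The fix that actually closes the hole in the arcade script is to stop building the score query from request values at all. The following is an added example, not code from this thread or from the Raven or Nuke Sentinel hacks; the `nuke_arcade_scores` table, its columns and the `$pdo` connection are assumptions chosen to stand in for the arcade's real score table.

```php
<?php
// Added example, not part of the original post or of the Raven / Nuke Sentinel code.
// Assumed: a PDO connection in $pdo and a hypothetical score table
// nuke_arcade_scores(user_id INTEGER, game TEXT, score INTEGER).

// The shape the filters above try to catch: request values pasted into the SQL text.
// Kept only to show what the safe version replaces; do not use it.
function save_score_unsafe(PDO $pdo, $game, $score, $user_id)
{
    $sql = "INSERT INTO nuke_arcade_scores (user_id, game, score) VALUES ($user_id, '$game', $score)";
    return $pdo->exec($sql);
}

// Safe version: the SQL text is fixed, the values travel separately as bound parameters,
// and each value is checked against what the game can legitimately send.
function save_score(PDO $pdo, $game, $score, $user_id)
{
    // Whitelist the game name instead of blacklisting characters inside it.
    if (!preg_match('/^[a-z0-9_]{1,32}$/', $game)) {
        throw new InvalidArgumentException('invalid game name');
    }
    // Scores and user ids are integers; anything else is rejected rather than "cleaned".
    if (filter_var($score, FILTER_VALIDATE_INT) === false
        || filter_var($user_id, FILTER_VALIDATE_INT) === false) {
        throw new InvalidArgumentException('score and user id must be integers');
    }

    $stmt = $pdo->prepare(
        'INSERT INTO nuke_arcade_scores (user_id, game, score) VALUES (:user_id, :game, :score)'
    );
    $stmt->bindValue(':user_id', (int) $user_id, PDO::PARAM_INT);
    $stmt->bindValue(':game', $game, PDO::PARAM_STR);
    $stmt->bindValue(':score', (int) $score, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}

// Reading the high-score table with a bound LIMIT so the page size is never string-concatenated either.
// With pdo_mysql also set PDO::ATTR_EMULATE_PREPARES to false so the integer is bound natively.
function top_scores(PDO $pdo, $game, $limit = 10)
{
    $stmt = $pdo->prepare(
        'SELECT user_id, score FROM nuke_arcade_scores WHERE game = :game ORDER BY score DESC LIMIT :limit'
    );
    $stmt->bindValue(':game', $game, PDO::PARAM_STR);
    $stmt->bindValue(':limit', (int) $limit, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Usage, against an in-memory SQLite database so it runs without a MySQL server.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE nuke_arcade_scores (user_id INTEGER, game TEXT, score INTEGER)');

save_score($pdo, 'tetris', '1500', '42');
try {
    // A non-numeric "score" is refused by validation before any query is built or run.
    save_score($pdo, 'tetris', '1500 OR 1=1', '42');
} catch (InvalidArgumentException $e) {
    // Log the rejection for the admin instead of banning on a pattern match.
    error_log('rejected arcade submission: ' . $e->getMessage());
}
print_r(top_scores($pdo, 'tetris'));
```

The difference from the blacklist approach is that nothing in the request can change the structure of the query: the database receives the statement and the values separately, so a filter for UNION or /* is no longer what stands between the game's score form and the table. The signature checks can stay as an alerting layer, but the prepared statement is what makes the arcade script safe.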

|Jordan|
12-20-2004, 11:25 PM
*Bump*