I manage a large forum with over 3000 members.
Recently a member did an SQL injection against a game in the arcade. I tried adding code which blocks UNION, CLIKE and string-based attacks, but ended up messing the forum up because I didn't completely know what I was doing.
Can anyone make a modification that blocks these attacks?
I was using code from
Raven's SQL Injection PHP Nuke Hack and
Nuke Sentinel (which has code based on Raven's stuff).
Snippets of code below:
PHP Code:
// Raven http://ravenphpscripts.com
// Raw query string, lower-cased so the checks are case-insensitive.
// $HTTP_SERVER_VARS was removed in PHP 5.4; $_SERVER is the replacement.
$queryString = strtolower($_SERVER['QUERY_STRING']);
if (strstr($queryString, '%20union%20') || strstr($queryString, '/*')) {
    header("Location: hackattempt.php?" . $queryString);
    die();
}

// NukeSentinel: $querystring, $querystringBase64 (a base64-decoded copy of the
// query string), $ip, $banuser, $bantime, abget_blocker() and block_ip() are all
// set or defined earlier in NukeSentinel and are not part of this snippet.

// Check for UNION attack
// Copyright 2004(c) Raven PHP Scripts
$blocker_row = abget_blocker("union");
if ($blocker_row['activate'] > 0) {
    $reason = $blocker_row['blocker'];
    if (stristr($querystring, '%20union%20') || stristr($querystring, '*/union/*')
        || stristr($querystringBase64, '%20union%20') || stristr($querystringBase64, '*/union/*')
        || stristr($querystringBase64, ' union ')) {
        block_ip($ip, $banuser, $bantime, $blocker_row);
    }
}

// Check for CLIKE attack (a "/*" comment opener anywhere in the query string)
// Copyright 2004(c) Raven PHP Scripts
$blocker_row = abget_blocker("clike");
if ($blocker_row['activate'] > 0) {
    $reason = $blocker_row['blocker'];
    if (stristr($querystring, '/*') || stristr($querystringBase64, '/*')) {
        block_ip($ip, $banuser, $bantime, $blocker_row);
    }
}

// Check for SCRIPTING attack
// Copyright 2004(c) ChatServ
$blocker_row = abget_blocker("script");
if ($blocker_row['activate'] > 0) {
    $reason = $blocker_row['blocker'];
    foreach ($_GET as $secvalue) {
        $secvalue = strtolower($secvalue);
        // str_replace() returns the new string; the original code threw the
        // result away, so the %3c/%3e decoding never took effect.
        $secvalue = str_replace(array("%3c", "%3e"), array("<", ">"), $secvalue);
        // eregi() was removed in PHP 7; preg_match() with /i does the same job.
        // The original patterns had the "*" on the last letter of each tag
        // name ("script*"), which matched "scrip" rather than "script".
        if (preg_match('/<[^>]*(script|object|iframe|applet|meta|style|form)[^>]*>/i', $secvalue)
            || preg_match('/\([^>]*"?[^)]*\)/', $secvalue)   // any parenthesised text
            || strpos($secvalue, '"') !== false) {          // any double quote
            block_ip($ip, $banuser, $bantime, $blocker_row);
        }
    }
    foreach ($_POST as $secvalue) {
        $secvalue = strtolower($secvalue);
        $secvalue = str_replace(array("%3c", "%3e"), array("<", ">"), $secvalue);
        if (preg_match('/<[^>]*(script|style)[^>]*>/i', $secvalue)) {
            block_ip($ip, $banuser, $bantime, $blocker_row);
        }
    }
}

// DOS Attack Blocker: refuse requests that send no User-Agent at all.
// _AB_GETOUT is NukeSentinel's message constant. isset() goes first so a
// missing header does not raise a notice.
if ($ab_config['prevent_dos'] == 1 && !stristr($_SERVER['SCRIPT_NAME'], "backend.php")) {
    if (!isset($_SERVER['HTTP_USER_AGENT']) || $_SERVER['HTTP_USER_AGENT'] == ""
        || $_SERVER['HTTP_USER_AGENT'] == "-") {
        die(_AB_GETOUT);
    }
}
In Raven's hack, a page was displayed and an email sent to the admin when a user tried to hack.
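Added example, not part of the post above and not Raven's or NukeSentinel's code: it shows why the "%20union%20" / "/*" query-string signatures in the snippets get stepped around, and what actually stops the injection in the arcade game, which is a prepared statement rather than a keyword filter. The arcade_scores and nuke_users tables, the ?gid= parameter and the rows are made up for the demo; it needs PHP with pdo_sqlite and runs offline against an in-memory database.

```php
<?php
// Added example (not from the post, Raven, or NukeSentinel). Table names,
// the gid parameter and all row data are constructed for the demo.

// The signature test from the post, reduced to its logic.
function ravenStyleBlock(string $queryString): bool
{
    $q = strtolower($queryString);
    return strstr($q, '%20union%20') !== false || strstr($q, '/*') !== false;
}

// The pattern that lets an arcade game get injected: the value becomes SQL text.
function vulnerableLookup(PDO $db, string $gid): array
{
    $sql = "SELECT name, score FROM arcade_scores WHERE gid = $gid";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// The fix: the value is bound as a parameter and is never parsed as SQL.
// Casting gid to int is sensible too, but binding alone defeats the injection.
function safeLookup(PDO $db, string $gid): array
{
    $stmt = $db->prepare('SELECT name, score FROM arcade_scores WHERE gid = :gid');
    $stmt->bindValue(':gid', $gid, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// In-memory SQLite stand-in for the forum database (assumed schema).
function buildDemoDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE arcade_scores (gid INTEGER, name TEXT, score INTEGER)');
    $db->exec('CREATE TABLE nuke_users (uname TEXT, pass TEXT)');
    $db->exec("INSERT INTO arcade_scores VALUES (1, 'alice', 900)");
    $db->exec("INSERT INTO nuke_users VALUES ('admin', 'example-password-hash')");
    return $db;
}

// Constructed query strings. Every one carries the same UNION; only the first
// contains the literal "%20union%20" the filter looks for. Forms and browsers
// encode a space as "+" as often as "%20", and MySQL/SQLite accept a newline
// (%0a) or a tab (%09) anywhere a space is expected.
$probes = [
    'gid=1%20union%20select%20uname,pass%20from%20nuke_users',
    'gid=1+union+select+uname,pass+from+nuke_users',
    'gid=1%0aunion%0aselect%20uname,pass%20from%20nuke_users',
    'gid=1%09union%09select%20uname,pass%20from%20nuke_users',
];

$db = buildDemoDb();
foreach ($probes as $qs) {
    $blocked = ravenStyleBlock($qs);
    parse_str($qs, $params);        // the same decoding PHP applies to $_GET
    $gid = $params['gid'];
    $vulnRows = $blocked ? 0 : count(vulnerableLookup($db, $gid));
    $safeRows = count(safeLookup($db, $gid));
    printf("%-58s filter: %-7s concat rows: %d  prepared rows: %d\n",
        $qs, $blocked ? 'blocked' : 'passed', $vulnRows, $safeRows);
}
```

Run it with the php CLI. The first probe is blocked, the other three pass the filter, and for each of those the concatenated query returns two rows (alice's score plus the admin credential pulled in by the UNION) while the prepared statement returns none, because the whole string is compared against gid as data. The same applies to any other signature you add: the filter can only ever catch the spellings you thought of, whereas the prepared statement in the game's own query does not care how the keyword was spelled.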