Daily security: how to defend your site against SQL injections

Bagi Zoltán

Today I have already released a security solution at iwt, but now I will post one here as well. You need to know that it was developed in the last ten minutes, but it is very effective. The basics are the same as what was posted at iwt, with a little modification.

SQL injection is a very popular hacking method, but there is one common thing in these types of attacks. According to this resource, the URL contains a string which causes a bad manipulation of the SQL database, for instance the 'UNION SELECT', 'DROP TABLE', 'TRUNCATE TABLE' SQL commands as part of the requested URL. For instance, my directory was hacked by requesting this string:
show_cat.php?cat_id=-1 union ALL SELECT login,password FROM dir_login /*

Since we know that the requested URL will contain a certain string, defending against this is quite easy, and funny.

1. Create a PHP file, I would call this validator.php, with the following content.
PHP:
<?php
$url = $_SERVER['REQUEST_URI'];
$ip = $_SERVER["REMOTE_ADDR"];
// Load the IP blacklist (one IP per line) from the same folder as this file
$target = file(dirname(__FILE__) . "/bannolnilog.txt");
foreach ($target as $item) {
    $item = trim($item);
    if ($item === '') {
        continue; // skip blank lines: an empty needle would otherwise match every IP
    }
    if ($ip === $item) { // exact match; stristr() would also match 1.2.3.4 against 1.2.3.45
        header("HTTP/1.0 403 Forbidden");
        exit;
    }
}
// Second check: block requests whose URL contains one of the SQL keywords
if (stristr($url, 'union') || stristr($url, 'drop') || stristr($url, 'truncate')) {
    include "message.php";
    exit;
}
?>
The first part of the code checks whether a certain browser is on our blacklist, and the second one shows him something special, which can be found in the message.php file. At my site I use a very offensive text, but I don't want to influence you.

2. Create our logfile, the blacklist, which in my example is called bannolnilog.txt ("to ban" in Hungarian), chmod 644. Upload it to the root folder as you did with the validator.php file.

3. We have the validator and the logfile, so we need to create message.php.

I use this censored content as the message:
PHP:
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<meta name="robots" content="noindex, nofollow" />
<title>F.... ..u!</title>
<style type="text/css">
<!--
.style1 {font-size: 24px}
-->
</style>
</head>

<body>
<br/><br/><br/><br/><br/><br/>
<p align="center" class="style1">Please be so kind and do me a favour</p>
<p align="center" class="style1"> F... ..U!! Poor b....d </p>
<p align="center" class="style1"> Your visit is now over </p>
<?php
// Append the visitor's IP to the blacklist, one IP per line. The path is resolved
// relative to this file, so it stays correct whichever script included the validator.
$ip = $_SERVER["REMOTE_ADDR"];
$logfile = dirname(__FILE__) . '/bannolnilog.txt';
$fp = fopen($logfile, 'a');
if ($fp) {
    flock($fp, LOCK_EX); // avoid interleaved writes from concurrent requests
    fputs($fp, $ip . "\n");
    flock($fp, LOCK_UN);
    fclose($fp);
}
?>
</body>
</html>

This will take the IP address of the attacker and put it into our log file, so using the same IP all he gets is the 403 error.

4. We already have everything: the message, the logfile and the validator. All we need to do is place the invocation of the validator file at the very front of your script.
PHP:
<?php require "/you/need/to/insert/the/path/here/validator.php";?>

Now you may say goodbye to those script kiddies. :)
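An added example, not the thread's own code, that folds the three files from steps 1 to 4 into a single validator (the keyword array stands in for the separate txt file a later reply mentions); it compares IPs exactly instead of by substring, skips blank blacklist lines, URL-decodes the request before matching and locks the log file while appending. The file path and keyword list are assumptions.

```php
<?php
// Added example, not the thread's own code: the thread's validator.php, blacklist
// and message.php folded into one file. The file path and keyword list are
// assumptions; a later reply keeps such keywords in a separate txt file.
const BLACKLIST_FILE = __DIR__ . '/bannolnilog.txt';
const SQL_KEYWORDS   = ['union', 'drop', 'truncate', 'delete'];

/** Banned IPs, one per line; blank lines are skipped so they never match everyone. */
function loadBlacklist(string $file): array {
    if (!is_file($file)) {
        return [];
    }
    return array_map('trim', file($file, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES));
}

/** Exact match: a substring test would also ban 10.0.0.10 when 10.0.0.1 is listed. */
function isBanned(string $ip, array $blacklist): bool {
    return in_array($ip, $blacklist, true);
}

/** Keyword test on the URL-decoded, lower-cased request URI. */
function looksLikeInjection(string $uri, array $keywords): bool {
    $decoded = strtolower(urldecode($uri));
    foreach ($keywords as $kw) {
        if (strpos($decoded, strtolower($kw)) !== false) {
            return true;
        }
    }
    return false;
}

/** Append with an exclusive lock so two simultaneous bans do not interleave. */
function banIp(string $ip, string $file): void {
    file_put_contents($file, $ip . PHP_EOL, FILE_APPEND | LOCK_EX);
}

// Equivalent of requiring validator.php at the very top of a script.
$ip  = $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
$uri = $_SERVER['REQUEST_URI'] ?? '/';
if (isBanned($ip, loadBlacklist(BLACKLIST_FILE))) {
    header('HTTP/1.0 403 Forbidden');
    exit;
}
if (looksLikeInjection($uri, SQL_KEYWORDS)) {
    banIp($ip, BLACKLIST_FILE);   // from now on this IP only ever sees the 403 above
    header('HTTP/1.0 403 Forbidden');
    exit;
}
```

This remains a keyword blacklist: it also blocks legitimate URLs that happen to contain 'union' or 'drop', and it complements rather than replaces parameterized queries in the application itself.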
 
Great tutorial Bagi - rep added :)

I will be digging this post when I get home as I can no longer access digg from work
 
Thank you Imran, meanwhile I completed the script with some other malicious SQL commands.
 
That is great Bagi! Thank you very much, this may come to good use and I have added you rep for your efforts.

Thanks,
Meti
 
I can see how this works internally (the script and stopping injections), but how do you implement it? I am a member of the WordPress Dev. email list, and a member just posted that his WordPress was attacked with this type of hack.

His Host informed him of a few details, but not much else. He lost all data in the db!

So how do we use your script for protection?
 
Martin, you have a certain script. Before the connection is established to the database, in the case of WordPress this is the first row of the given header.php in the template files, you need to make the validator run using this:
<?php require "/you/need/to/insert/the/path/here/validator.php";?>
This will redirect the request to the specified file if the requested URL contains a given string such as drop, delete, truncate. Martin, I am still gathering some strings that may originate from SQL attacks, but you know I am not a programmer, so I need a bit more time to collect every form of it. :)
 
Please post your findings Bagi! I'm going to use this on one or two of my blogs that get a lot of spam. Not that this is a spam deterrent, but those sites seem to be "targeted" - and a hack attack would be the next avenue for those people!
 
As you wish Martin, I found a really good resource which has collected the possible characters that can be used during injection; similarly to the bad robot trap, those characters and SQL commands are now placed in a separate txt file.
Btw we have already released a defending WP plugin, which protects your website against proxy exploits.
 
That is my neglected English blog Martin, and that code is really up to date :) That will validate the access of msnbot, Yahoo Slurp and Googlebot. If they come across a proxy link, no content will be supplied to them but a 403 error.
 