08 Sep 2008

Lately my blog has been clogged with thousands of SQL injection attempts. On one day in particular, I got more than 2000 SQL injection attempts. Luckily for me, even though I was on vacation, I had the good idea to look at the web traffic in my server control panel, and I saw that something was wrong, terribly wrong. As a matter of fact, most of these attempts had to do with this kind of string:

DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x4445434C---removed---%20AS%20CHAR(4000));EXEC(@S);

Of course I didn’t know what it was about, but it looked suspicious to me. Anyway, I decided to Google a little bit and, to my dismay, I found out what it was about. This kind of attack is quite common and, although there is little to be done about the source because the requests come from many different IP addresses, there are a lot of countermeasures that can be applied to avoid this pest. But before talking about them, I want to talk about the SQL attack itself. What was it trying to do on my blog? Reading from WebMasterWorld: “It’s actually a very common way that is used by hackers when they are exploiting blind SQL injection attacks. The idea is to create a condition that, if satisfied, will delay the execution of the script for a certain time period. So, the attacker watches the response time and if it was delayed, he knows that the SQL command was executed successfully.” This text doesn’t mean a lot, above all to people who are not into this kind of thing. Let’s just say that someone was trying to replace page content with JavaScript code in any vulnerable SQL database he could get into. Usually these kinds of actions are related to spammers who try to show their junk on your website.

Here instead are the lines you will have to add to your .htaccess if you get bombed by this kind of pest:

Code 1

RewriteEngine On
# %{REQUEST_URI} is the path component only; the query string is a separate
# variable (%{QUERY_STRING}), so these two conditions look at the path alone.
RewriteCond %{REQUEST_URI} ^(.*)CAST(.*) [NC,OR]
RewriteCond %{REQUEST_URI} ^(.*)DECLARE(.*) [NC]
# A RewriteRule is required for the conditions to take effect: refuse the request (403).
RewriteRule .* - [F,L]

Alternatively, you can use this other code:

Code 2

RewriteEngine On
# Parentheses are regex metacharacters: an unescaped "char(400)" only matches the
# text "char400", so the "(" must be escaped to match the literal CHAR(4000) of the payload.
RewriteCond %{QUERY_STRING} char\(400 [NC]
RewriteRule .* - [F,L]

Needless to say, after I added one of the two codes (I used the first one), the attacks disappeared all of a sudden.

Edit: here is a better solution. In the end I used this one because it provides better protection.

### Injection Attack: DECLARE, SET and CAST. More: http://www.informationtechnologymanager.net/?p=25 ###
RewriteEngine On
Options +FollowSymLinks
ServerSignature Off
# Patterns must contain no spaces (a space ends the RewriteCond argument) and use
# straight quotes, not the curly ones a blog editor tends to substitute.
RewriteCond %{REQUEST_URI} ^/(,|;|:|<|>|">|"<|/|\\\.\.\\).{0,9999}.* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|cast|set|declare|drop|update|md5|benchmark).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(<|>|'|%0A|%0D|%27|%3C|%3E|%00).* [NC]
RewriteRule ^(.*)$ http://www.nosqlinjectionsanymoreplease.com [R,L]
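As an added illustration of what these rules are screening for (this is example code added here, not code from the original post), the Python script below applies the same kind of match to web-server access-log lines, decodes the hex literal handed to CAST so you can see what a request was actually carrying, and counts hits per source address. The log lines, IP addresses and hex payloads are constructed samples that decode to harmless placeholder text; the regular expressions are my own and are not the post's rewrite conditions transliterated one for one. The `rule_matches` helper is there to check a RewriteCond-style pattern against a query string, which is how the unescaped parenthesis in Code 2 shows up.

```python
"""Triage helper for the DECLARE/CAST injection flood described in the post.

Added example, not code from the original post: applies the kind of match the
.htaccess rules above perform (DECLARE / CAST(0x...) / CHAR(4000), case-insensitive)
to access-log lines, decodes the hex literal handed to CAST so the operator can see
the statement a request carried, and counts hits per source IP.  All log lines,
addresses and hex payloads are constructed samples that decode to harmless text.
"""
import re
from collections import Counter
from urllib.parse import unquote, urlsplit

# Apache combined log format, reduced to the fields used here (constructed regex).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)
# Tokens the post's rewrite rules key on.  This script matches the URL-decoded
# query string; mod_rewrite's %{QUERY_STRING} is NOT decoded, which is why the
# post's rules list both "'" and "%27".
INJECTION_RE = re.compile(
    r'declare\s+@\w+|cast\s*\(\s*0x[0-9a-f]+|char\s*\(\s*4000\s*\)', re.IGNORECASE
)
HEX_RE = re.compile(r'cast\s*\(\s*0x([0-9a-f]+)', re.IGNORECASE)  # literal inside CAST(...)


def decode_hex_literal(hex_digits: str) -> str:
    """Turn the 0x... literal back into text.

    A CAST(... AS CHAR(n)) payload is one byte per character.  The NVARCHAR variant
    of the same attack is UTF-16LE, which shows up as a NUL after every ASCII byte,
    so fall back to that decoding when NULs are present.
    """
    try:
        raw = bytes.fromhex(hex_digits)
    except ValueError:  # odd number of digits: literal was truncated in the log
        return "<undecodable hex literal>"
    if b"\x00" in raw and len(raw) % 2 == 0:
        return raw.decode("utf-16-le", errors="replace")
    return raw.decode("latin-1")


def rule_matches(pattern: str, query: str) -> bool:
    """Apply one RewriteCond-style regex to a query string, case-insensitively."""
    return re.search(pattern, query, re.IGNORECASE) is not None


def parse_log_line(line: str):
    """Split a combined-format log line; None for lines that do not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("url"))
    return {"ip": m.group("ip"), "time": m.group("time"), "path": parts.path,
            "query": unquote(parts.query), "status": int(m.group("status"))}


def find_injection(decoded_query: str):
    """Matched token plus decoded payload, or None for a clean query string."""
    m = INJECTION_RE.search(decoded_query)
    if not m:
        return None
    hex_match = HEX_RE.search(decoded_query)
    payload = decode_hex_literal(hex_match.group(1)) if hex_match else None
    return {"token": m.group(0), "payload": payload}


def triage(lines):
    """Scan log lines; return (list of hits, Counter of hits per source IP)."""
    hits, per_ip = [], Counter()
    for line in lines:
        entry = parse_log_line(line)
        found = find_injection(entry["query"]) if entry else None
        if found is None:
            continue
        hits.append({"ip": entry["ip"], "time": entry["time"], **found})
        per_ip[entry["ip"]] += 1
    return hits, per_ip


# Constructed sample log: two CHAR(4000) hits from one address, one clean request,
# one NVARCHAR(4000) variant.  The hex decodes to "SELECT 1 -- sample" / "SELECT 1".
SAMPLE_LOG = """\
203.0.113.7 - - [08/Sep/2008:10:12:01 +0200] "GET /?p=25;DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x53454C4543542031202D2D2073616D706C65%20AS%20CHAR(4000));EXEC(@S); HTTP/1.1" 200 5120
198.51.100.9 - - [08/Sep/2008:10:12:03 +0200] "GET /about HTTP/1.1" 200 3011
203.0.113.7 - - [08/Sep/2008:10:12:05 +0200] "GET /?id=1';declare%20@s%20char(4000);set%20@s=cast(0x53454C4543542031202D2D2073616D706C65%20as%20char(4000));exec(@s);-- HTTP/1.1" 500 512
192.0.2.33 - - [08/Sep/2008:10:13:40 +0200] "GET /search?q=x;DECLARE%20@S%20NVARCHAR(4000);SET%20@S=CAST(0x530045004C0045004300540020003100%20AS%20NVARCHAR(4000));EXEC(@S); HTTP/1.1" 200 4096
"""

if __name__ == "__main__":
    hits, per_ip = triage(SAMPLE_LOG.splitlines())
    for h in hits:
        print(f'{h["time"]}  {h["ip"]:<14} {h["token"]!r:<22} -> {h["payload"]!r}')
    print("hits per source IP:", dict(per_ip))
```

Run it against a real access log with `triage(open("access.log").read().splitlines())`; the per-IP counter is what tells you whether you are looking at a distributed flood (many addresses, a few hits each) or a single scanner, and the decoded payload tells you what the request would have done had the site been vulnerable.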


Tags: security, trick, WebTalk



All contents are licenced under a Creative Commons Licence.