Introduction to SQL Injection, Code Injection, and Apache Input Fields
SQL injection and code injection are common attack techniques used to compromise websites and push spam. This post describes how to detect SQL and code injection attempts with rules in the Apache .htaccess file and how to forward the requests those rules flag to your honeypot.
Software bugs, poor programming practices, and outdated software can expose your website to SQL and code injection vulnerabilities. An injection attack places malicious SQL or program code into a request input field that your application then hands to a database or an interpreter. With .htaccess we can inspect those input fields for signs of injected code and stop the request before it reaches the web application or database.
There are several HTTP request fields that can carry a SQL injection or code injection payload. This post covers the QUERY_STRING field; subsequent posts will cover additional fields including:
- HTTP_USER_AGENT
- HTTP_REFERER
- HTTP_COOKIE
- HTTP_FORWARDED
- HTTP_PROXY_CONNECTION
- HTTP_ACCEPT
- HTTP:X-FORWARDED-FOR
- HTTP:X-FORWARDED-HOST
- HTTP:X-FORWARDED-SERVER
The list above does not cover every input field that could carry injected code. Keep in mind that there are many ways a SQL injection or code injection attack can reach your website, and the configuration of your site determines which input fields an attacker can use.
The QUERY_STRING field carries data to your web server in the Uniform Resource Locator (URL). Its contents begin after the "?" in a standard URL. For example, if the URL is www.mywebsite.com/index.php?foo=foobar, the QUERY_STRING variable contains "foo=foobar".
We will use the Apache RewriteCond directive to scan the QUERY_STRING variable for character strings that resemble SQL commands. A basic understanding of SQL is required to follow these rules, and a deeper understanding helps in recognising more advanced SQL injection techniques in the QUERY_STRING.
SQL was designed to be easy to read, and many of its keywords are ordinary English words. That makes it hard to separate false positives from actual SQL injection attempts, and because each pattern below is an unanchored substring match, "table" also matches "timetable" and "load" matches "download". Your site's own use cases and configuration determine which keywords you need to exclude from the scans because they generate false positives; review your access logs for benign hits before enabling the redirect.
.htaccess Code to Block SQL Injection Attacks in QUERY_STRING
We start from the .htaccess file created in the previous post. The new rules use the framework introduced there to send suspicious traffic to our honeypot page through the Project Honey Pot system.
The code below uses the RewriteCond directive to scan the QUERY_STRING variable for common SQL keywords and functions including union, select, cast, declare, drop, md5, benchmark, table, column, distinct, substr, concat, schema, hex, truncate, convert, exec, passthru, system, popen, proc, load, between, null, delay, char, sleep, and unhex.
The [NC] flag on RewriteCond makes the match case insensitive, and [OR] joins a condition with the next one as alternatives; a condition without [OR] is ANDed with what follows. Each block therefore reads: the query string is not empty AND the request is not already for the honeypot AND any one of the keyword patterns matches. When that holds, the RewriteRule directive sends the request to your honeypot, and its [L] flag tells Apache to stop processing further rewrite rules.
##### Redirect If QUERY_STRING Has SQL Injection To Honeypot -- START
# QUERY_STRING contains everything in the URL after the "?" ex.) mydomain.com/test.php?test=test
# Excluded commands like version, update, insert, and set because they are common words and have caused false positives
RewriteCond %{QUERY_STRING} !^$
RewriteCond %{REQUEST_URI} !honeypot.php/
RewriteCond %{QUERY_STRING} union [NC,OR]
RewriteCond %{QUERY_STRING} select [NC,OR]
RewriteCond %{QUERY_STRING} cast [NC,OR]
RewriteCond %{QUERY_STRING} declare [NC,OR]
RewriteCond %{QUERY_STRING} drop [NC,OR]
RewriteCond %{QUERY_STRING} md5 [NC,OR]
RewriteCond %{QUERY_STRING} benchmark [NC,OR]
RewriteCond %{QUERY_STRING} table [NC,OR]
RewriteCond %{QUERY_STRING} column [NC,OR]
RewriteCond %{QUERY_STRING} distinct [NC,OR]
RewriteCond %{QUERY_STRING} substr [NC,OR]
RewriteCond %{QUERY_STRING} concat [NC,OR]
RewriteCond %{QUERY_STRING} schema [NC,OR]
RewriteCond %{QUERY_STRING} hex [NC,OR]
RewriteCond %{QUERY_STRING} truncate [NC,OR]
RewriteCond %{QUERY_STRING} convert [NC,OR]
RewriteCond %{QUERY_STRING} exec [NC,OR]
RewriteCond %{QUERY_STRING} passthru [NC,OR]
RewriteCond %{QUERY_STRING} system [NC,OR]
RewriteCond %{QUERY_STRING} popen [NC,OR]
RewriteCond %{QUERY_STRING} proc [NC,OR]
RewriteCond %{QUERY_STRING} load [NC,OR]
RewriteCond %{QUERY_STRING} between [NC,OR]
RewriteCond %{QUERY_STRING} null [NC,OR]
RewriteCond %{QUERY_STRING} delay [NC,OR]
RewriteCond %{QUERY_STRING} char [NC,OR]
RewriteCond %{QUERY_STRING} sleep [NC,OR]
RewriteCond %{QUERY_STRING} unhex [NC]
RewriteRule ^(.*)$ /honeypot.php/ [NC,L]
##### Redirect If QUERY_STRING Has SQL Injection To Honeypot -- END

Attackers disguise or obfuscate SQL injection and code injection payloads from web application firewalls with URL (percent) encoding. RewriteCond tests the QUERY_STRING exactly as the client sent it, before any decoding, so the keyword rules above only match a keyword that is spelled out literally. The block below uses the same framework but tests for percent-encoded characters in the QUERY_STRING variable and sends suspicious traffic to the honeypot. Note that this list covers encoded punctuation only; a keyword whose own letters are encoded (for example sel%65ct) passes both blocks, which remains a gap of this approach.
##### Redirect If QUERY_STRING Has Encoded Injection Characters To Honeypot -- START
# QUERY_STRING contains everything in the URL after the "?" ex.) mydomain.com/test.php?test=test
# Excluded "%20", "%2F", "%26", "%3A", "%3D" due to use in site URL variables
RewriteCond %{QUERY_STRING} !^$
RewriteCond %{REQUEST_URI} !honeypot.php/
RewriteCond %{QUERY_STRING} %00 [OR]
RewriteCond %{QUERY_STRING} %0A [NC,OR]
RewriteCond %{QUERY_STRING} %0D [NC,OR]
RewriteCond %{QUERY_STRING} %21 [OR]
RewriteCond %{QUERY_STRING} %22 [OR]
RewriteCond %{QUERY_STRING} %23 [OR]
RewriteCond %{QUERY_STRING} %24 [OR]
RewriteCond %{QUERY_STRING} %25 [OR]
RewriteCond %{QUERY_STRING} %27 [OR]
RewriteCond %{QUERY_STRING} %28 [OR]
RewriteCond %{QUERY_STRING} %29 [OR]
RewriteCond %{QUERY_STRING} %40 [OR]
RewriteCond %{QUERY_STRING} %60 [OR]
RewriteCond %{QUERY_STRING} %2A [NC,OR]
RewriteCond %{QUERY_STRING} %2B [NC,OR]
RewriteCond %{QUERY_STRING} %2C [NC,OR]
RewriteCond %{QUERY_STRING} %2D [NC,OR]
RewriteCond %{QUERY_STRING} %3B [NC,OR]
RewriteCond %{QUERY_STRING} %3C [NC,OR]
RewriteCond %{QUERY_STRING} %3E [NC,OR]
RewriteCond %{QUERY_STRING} %5B [NC,OR]
RewriteCond %{QUERY_STRING} %5C [NC,OR]
RewriteCond %{QUERY_STRING} %5D [NC,OR]
RewriteCond %{QUERY_STRING} %5E [NC,OR]
RewriteCond %{QUERY_STRING} %5F [NC,OR]
RewriteCond %{QUERY_STRING} %7B [NC,OR]
RewriteCond %{QUERY_STRING} %7C [NC,OR]
RewriteCond %{QUERY_STRING} %7D [NC,OR]
RewriteCond %{QUERY_STRING} %7E [NC,OR]
RewriteCond %{QUERY_STRING} > [OR]
RewriteCond %{QUERY_STRING} < [OR]
RewriteCond %{QUERY_STRING} ;
RewriteRule ^(.*)$ /honeypot.php/ [NC,L]
##### Redirect If QUERY_STRING Has Encoded Injection Characters To Honeypot -- END

To block code injection attempts we scan the QUERY_STRING variable for common programming constructs that do not occur in ordinary written English. Unless your website is about programming, it is highly suspicious to see these strings in a normal web form submission. The block below uses the same framework as the previous two, tests for these constructs in the QUERY_STRING variable, and sends suspicious traffic to the honeypot.
##### Redirect If QUERY_STRING Has Common Programmatic Commands Potentially Injected To Honeypot -- START
RewriteCond %{QUERY_STRING} !^$
RewriteCond %{REQUEST_URI} !honeypot.php/
RewriteCond %{QUERY_STRING} sanitize [NC,OR]
RewriteCond %{QUERY_STRING} eval [NC,OR]
RewriteCond %{QUERY_STRING} base64 [NC,OR]
RewriteCond %{QUERY_STRING} echo [NC,OR]
RewriteCond %{QUERY_STRING} @set [NC,OR]
RewriteCond %{QUERY_STRING} @ini [NC,OR]
RewriteCond %{QUERY_STRING} dirname [NC,OR]
RewriteCond %{QUERY_STRING} decode [NC]
RewriteRule ^(.*)$ /honeypot.php/ [NC,L]
##### Redirect If QUERY_STRING Has Common Programmatic Commands Potentially Injected To Honeypot -- END

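Before putting a rule set like the three above into a live .htaccess, it is worth replaying sample requests through it offline to see which ones would be diverted. The script below is an added example written for this page; it is not the post's own code and not part of the PCCS Labs download. It re-implements only the subset of mod_rewrite these blocks use (the %{QUERY_STRING} and %{REQUEST_URI} variables, a pattern with optional "!" negation, and the [NC] and [OR] flags), runs a trimmed copy of the SQL injection block against constructed URLs, and also tries a variant with \b word boundaries on the keywords, which the post does not use. Python's re stands in for Apache's PCRE; for these simple patterns the two agree.

```python
"""Offline evaluator for QUERY_STRING RewriteCond chains of the kind shown
in this post (added example, not the post's own code).

Models only the subset of mod_rewrite the blocks use: %{QUERY_STRING} and
%{REQUEST_URI}, a regex pattern with optional leading "!" negation, and the
[NC] and [OR] flags. Python's re stands in for Apache's PCRE. All sample
requests below are constructed, not captured traffic."""
import re
from urllib.parse import urlsplit

# Trimmed copy of the page's SQL-injection block (same syntax, fewer keywords).
RULESET = r"""
##### trimmed rule set -- START
RewriteCond %{QUERY_STRING} !^$
RewriteCond %{REQUEST_URI} !honeypot.php/
RewriteCond %{QUERY_STRING} union [NC,OR]
RewriteCond %{QUERY_STRING} select [NC,OR]
RewriteCond %{QUERY_STRING} %27 [OR]
RewriteCond %{QUERY_STRING} ;
RewriteRule ^(.*)$ /honeypot.php/ [NC,L]
##### trimmed rule set -- END
"""

# Same rules with \b word boundaries on the keywords (a tightening the post
# does not apply); PCRE and Python's re both support \b.
RULESET_BOUNDED = (RULESET.replace(" union ", r" \bunion\b ")
                          .replace(" select ", r" \bselect\b "))

COND_RE = re.compile(r"^RewriteCond\s+%\{(\w+)\}\s+(\S+)(?:\s+\[([A-Z,]+)\])?$")


def parse_conds(text):
    """Return [(variable, compiled regex, negated, or_with_next), ...]."""
    conds = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("RewriteCond"):
            continue  # comments and the RewriteRule line are not conditions
        m = COND_RE.match(line)
        if m is None:
            raise ValueError(f"unsupported RewriteCond syntax: {line}")
        var, pattern = m.group(1), m.group(2)
        flags = set((m.group(3) or "").split(","))
        negated = pattern.startswith("!")
        if negated:
            pattern = pattern[1:]
        rx = re.compile(pattern, re.IGNORECASE if "NC" in flags else 0)
        conds.append((var, rx, negated, "OR" in flags))
    return conds


def evaluate(conds, env):
    """mod_rewrite semantics: a run of conditions linked by [OR] is one group
    that needs a single match; groups are ANDed in order and short-circuit."""
    group_hit = False
    for var, rx, negated, or_next in conds:
        matched = rx.search(env.get(var, "")) is not None
        group_hit = group_hit or (matched != negated)
        if not or_next:  # last member of its group: the group must have hit
            if not group_hit:
                return False
            group_hit = False
    return True


def would_redirect(url, ruleset=RULESET):
    """True if this rule set would send the request to the honeypot."""
    parts = urlsplit(url)
    # mod_rewrite matches QUERY_STRING as the client sent it, still
    # percent-encoded; REQUEST_URI is the path without the query string.
    env = {"REQUEST_URI": parts.path, "QUERY_STRING": parts.query}
    return evaluate(parse_conds(ruleset), env)


# Constructed sample requests with the expected verdict under RULESET.
SAMPLES = [
    ("/index.php?foo=foobar", False),
    ("/index.php", False),                                  # empty query string
    ("/index.php?id=1%27%20UNION%20SELECT%201--", True),    # %27 and [NC] keywords
    ("/index.php?id=1' union select 1--", True),
    ("/index.php?id=1%20uni%6Fn%20sel%65ct%201--", False),  # keyword letters encoded
    ("/search.php?q=selection", True),                      # benign word, substring hit
    ("/honeypot.php/?id=union", False),                     # loop guard on REQUEST_URI
]

if __name__ == "__main__":
    for url, _ in SAMPLES:
        verdict = "HONEYPOT" if would_redirect(url) else "pass"
        print(f"{verdict:8}  {url}")
```

Two of the sample verdicts are the ones to study. The encoded-letters request passes untouched, because the rules see the raw query string and "sel%65ct" never contains "select". The word-boundary variant removes the "selection" false positive, but since the raw string keeps "%20" rather than a space, the "0" of "%20" is a word character and "\bunion\b" no longer matches "%20union%20" at all; only the "%27" condition still catches that request. Test any anchoring you add against both raw and encoded spacing before trusting it.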
The working file is available for download here. We welcome questions, comments, and thoughts on these techniques; reach out to the PCCS Labs Team at