Blocking SQL Injection and Code Injection Attacks Using Apache .htaccess

User Rating: 0 / 5

Star InactiveStar InactiveStar InactiveStar InactiveStar Inactive
 

Introduction to SQL Injection, Code Injection, and Apache Input Fields

SQL injection and Code Injection are common hacking techniques used to maliciously harm websites and promote spam.  This post will describe methods for detecting SQL and Code Injection attempts using the Apache .htaccess file and detail how to forward traffic identified as suspicious to your honeypot.

Software bugs, poor programming practices, and outdated software have the potential to expose your website to SQL and Code Injection vulnerabilities. Injection attacks are performed by inserting malicious code into website input fields that are then processed and stored on your server.  Using .htaccess we can review these input fields for signs of malicious code and prevent that code from reaching your web application or database.

There are multiple HTTP server input fields that could be used to deliver a SQL Injection or Code Injection attack.  This post will cover the HTTP QUERY_STRING input field, and subsequent posts will cover additional fields including:

  • HTTP_USER_AGENT
  • HTTP_REFERER
  • HTTP_COOKIE
  • HTTP_FORWARDED
  • HTTP_PROXY_CONNECTION
  • HTTP_ACCEPT
  • HTTP:X-FORWARDED-FOR
  • HTTP:X-FORWARDED-HOST
  • HTTP:X-FORWARDED-SERVER

The above list is not comprehensive of all input fields that could potentially contain injection code.  It is important to keep in mind that there are multiple ways a SQL Injection or Code Injection attack can affect your website.  The configuration of your website will determine the different input fields that could be used to deliver an attack. 

The QUERY_STRING input field passes data to your web server through the Universal Resource Locator (URL).  The data this field contains begins after the ”?” in standard URL format.  For example, if the URL is www.mywesite.com/index.php?foo=foobar, the QUERY_STRING variable would contain “foo=foobar”.

We will use the Apache RewriteCond command to scan the QUERY_STRING variable for character strings that resemble SQL language commands.  A basic understanding of the SQL language is required to understand these commands and an advanced understanding is helpful in identifying advanced SQL Injection attack methods in the QUERY_STRING. 

The SQL language was designed to be easy to understand, and many of the commands resemble common English words.  Common language commands present a challenge in distinguishing between false positives and actual SQL Injection attacks.  Your specific website use cases and configuration will help you to determine if any SQL command character strings require exclusion from the SQL Injection scans because they potentially generate false positives.

 

.htaccess Code to Block SQL Injection Attacks in QUERY_STRING

 

We will start with the .htaccess file we created in the previous blog.  The new code we create uses the framework introduced in the previous post to send suspicious traffic to our honeypot webpage using the Project Honey Pot system.  

The code below uses the RewriteCond command to scan the QUERY_STRING variable for common SQL language commands including union select, cast, declare, drop, md5, benchmark, table, column, distinct, substr, concat, schema, hex, truncate, convert, exe, passthru, system, popoen, proc, load, between, null, delay, char, sleep, schema, and unhex.

The [NC] switch is used with RewriteCond to indicate that the string is not case sensitive.  If a positive match is found the command RewriteRule is used to direct suspicious traffic to your honeypot.  The [L] switch is used with RewriteRule to indicate that Apache should stop processing additional rule sets.

 

 

##### Redirect If QUERY_STRING Has SQL Injection To Honeypot -- START

#QUERY_STRING contains everything in the URL after the "?" ex.) mydomain.com/test.php?test=test

#Excluded the commands like, version, update, insert, and set because they are common words and have caused false positives

RewriteCond %{QUERY_STRING} !^$

RewriteCond %{REQUEST_URI} !honeypot.php/

RewriteCond %{QUERY_STRING} union [NC,OR]

RewriteCond %{QUERY_STRING} select [NC,OR]

RewriteCond %{QUERY_STRING} cast [NC,OR]

RewriteCond %{QUERY_STRING} declare [NC,OR]

RewriteCond %{QUERY_STRING} drop [NC,OR]

RewriteCond %{QUERY_STRING} md5 [NC,OR]

RewriteCond %{QUERY_STRING} benchmark [NC,OR]

RewriteCond %{QUERY_STRING} table [NC,OR]

RewriteCond %{QUERY_STRING} column [NC,OR]

RewriteCond %{QUERY_STRING} distinct [NC,OR]

RewriteCond %{QUERY_STRING} substr [NC,OR]

RewriteCond %{QUERY_STRING} concat [NC,OR]

RewriteCond %{QUERY_STRING} schema [NC,OR]

RewriteCond %{QUERY_STRING} hex [NC,OR]

RewriteCond %{QUERY_STRING} truncate [NC,OR]

RewriteCond %{QUERY_STRING} convert [NC,OR]

RewriteCond %{QUERY_STRING} exec [NC,OR]

RewriteCond %{QUERY_STRING} passthru [NC,OR]

RewriteCond %{QUERY_STRING} system [NC,OR]

RewriteCond %{QUERY_STRING} popen [NC,OR]

RewriteCond %{QUERY_STRING} proc [NC,OR]

RewriteCond %{QUERY_STRING} load [NC,OR]

RewriteCond %{QUERY_STRING} between [NC,OR]

RewriteCond %{QUERY_STRING} null [NC,OR]

RewriteCond %{QUERY_STRING} delay [NC,OR]

RewriteCond %{QUERY_STRING} char [NC,OR]

RewriteCond %{QUERY_STRING} sleep [NC,OR]

RewriteCond %{ QUERY_STRING } schema [NC,OR]

RewriteCond %{QUERY_STRING} unhex [NC]

RewriteRule ^(.*)$ /honeypot.php/ [NC,L]

##### Redirect If QUERY_STRING Has SQL Injection To Honeypot -- END

 

 

Hackers have adapted their methods to disguise or obfuscate SQL Injection and Code Injection commands from web application firewalls using character encoding.  The below code uses the same framework as above but tests for character encoding in the QUERY_STRING input variable and suspicious traffic is sent to the honeypot.

 

 

##### Redirect If QUERY_STRING Has Encoded Injection Characters To Honeypot -- START

#QUERY_STRING contains everyting in the URL after the "?" ex.) mydomain.com/test.php?test=test

#Excluded "%20", "%2F", "%26", "%3A", "%3D"  due to use in site URL variables

RewriteCond %{QUERY_STRING} !^$

RewriteCond %{REQUEST_URI} ! honeypot.php/

RewriteCond %{QUERY_STRING} %00 [OR]

RewriteCond %{QUERY_STRING} %0A [NC,OR]

RewriteCond %{QUERY_STRING} %0D [NC,OR]

RewriteCond %{QUERY_STRING} %21 [OR]

RewriteCond %{QUERY_STRING} %22 [OR]

RewriteCond %{QUERY_STRING} %23 [OR]

RewriteCond %{QUERY_STRING} %24 [OR]

RewriteCond %{QUERY_STRING} %25 [OR]

RewriteCond %{QUERY_STRING} %27 [OR]

RewriteCond %{QUERY_STRING} %28 [OR]

RewriteCond %{QUERY_STRING} %29 [OR]

RewriteCond %{QUERY_STRING} %40 [OR]

RewriteCond %{QUERY_STRING} %60 [OR]

RewriteCond %{QUERY_STRING} %2A [NC,OR]

RewriteCond %{QUERY_STRING} %2B [NC,OR]

RewriteCond %{QUERY_STRING} %2C [NC,OR]

RewriteCond %{QUERY_STRING} %2D [NC,OR]

RewriteCond %{QUERY_STRING} %3B [NC,OR]

RewriteCond %{QUERY_STRING} %3C [NC,OR]

RewriteCond %{QUERY_STRING} %3E [NC,OR]

RewriteCond %{QUERY_STRING} %5B [NC,OR]

RewriteCond %{QUERY_STRING} %5C [NC,OR]

RewriteCond %{QUERY_STRING} %5D [NC,OR]

RewriteCond %{QUERY_STRING} %5E [NC,OR]

RewriteCond %{QUERY_STRING} %5F [NC,OR]

RewriteCond %{QUERY_STRING} %7B [NC,OR]

RewriteCond %{QUERY_STRING} %7C [NC,OR]

RewriteCond %{QUERY_STRING} %7D [NC,OR]

RewriteCond %{QUERY_STRING} %7E [NC,OR]

RewriteCond %{QUERY_STRING} > [OR]

RewriteCond %{QUERY_STRING} < [OR]

RewriteCond %{QUERY_STRING} ;

RewriteRule ^(.*)$ / honeypot.php/ [NC,L]

 ##### Redirect If QUERY_STRING Has Encoded Injection Characters To Honeypot -- END

 

 

To block Code Injection attempts we will scan the QUERY_STRING variable for common programmatic commands that are not used in standard written English.  Unless your website is focused on programming, it would be highly suspicious to see these strings in normal a webform submission.  The below code uses the same framework as the previous two code snippets but tests for programmatic commands in the QUERY_STRING input variable and suspicious traffic is sent to the honeypot.

 

 

##### Redirect If HTTP_USER_AGENT Has Common Programatic Commands Potentially Injected To Honeypot -- START

RewriteCond %{QUERY_STRING} !^$

RewriteCond %{REQUEST_URI} !honeypot.php/

RewriteCond %{QUERY_STRING} sanitize [NC,OR]

RewriteCond %{QUERY_STRING} eval [NC,OR]

RewriteCond %{QUERY_STRING} base64 [NC,OR]

RewriteCond %{QUERY_STRING} echo [NC,OR]

RewriteCond %{QUERY_STRING} @set [NC,OR]

RewriteCond %{QUERY_STRING} @ini [NC,OR]

RewriteCond %{QUERY_STRING} dirname [NC,OR]

RewriteCond %{QUERY_STRING} decode [NC]

RewriteRule ^(.*)$ / honeypot.php/ [NC,L]

 ##### Redirect If HTTP_USER_AGENT Has Common Programatic Commands Potentially Injected To Honeypot -- END

 

  

 

The working file is available for download here.  We welcome questions, comments, and thoughts on these techniques, reach out to the PCCS Labs Team at This email address is being protected from spambots. You need JavaScript enabled to view it..

 

 

About Private Client Cyber Security

Former U.S. defense industry cybersecurity executives founded PCCS after struggling to convince large cybersecurity companies to address the cyber risks of public persons and small sized business. 

PCCS provides enterprise-grade cybersecurity consulting and services to professional practices, executives, athletes, and high net worth families.

We strive to provide a personal, professional and a next-generation technology level of cyber protection to our clients. 

 

Twitter @PCCyberSecurity


New Technique Recycles Exploit Chain to Keep Antivirus Silent https://t.co/YJDyTcVzTc

@verizonfios customers can use @nomorobo for free to block known #robocalls and #telemarketers on their FiOs phone… https://t.co/8XoVUAezR9
Follow Private Client Cyber Security on Twitter
New York NY | Washington DC | Bethesda MD | Chicago IL | Los Angeles CA
© 2015 Private Client Cyber Security. All Rights Reserved.

Search