-2

I am currently being attacked with a URL of the form:

/act/test.php?CourseId=66'+and(%2f**%2fsElEcT+1+%2f**%2ffRoM(%2f**%2fsElEcT+count(*),%2f**%2fcOnCaT((%2f**%2fsElEcT(%2f**%2fsElEcT(%2f**%2fsElEcT+%2f**%2fcOnCaT(0x217e21,ifnull(MailingDate,char(32)),0x217e21)+%2f**%2ffRoM+contin5_Mailing.Customers+%2f**%2flImIt+1400,1))+%2f**%2ffRoM+information_schema.%2f**%2ftAbLeS+%2f**%2flImIt+0,1),floor(rand(0)*2))x+%2f**%2ffRoM+information_schema.%2f**%2ftAbLeS+%2f**%2fgRoUp%2f**%2fbY+x)a)+and+'1'='1

and

/act/index.php?Ad=999999.9+%2f**%2fuNiOn%2f**%2faLl+%2f**%2fsElEcT+0x393133353134353632312e39

I wish to block these types of attacks with a reasonably straightforward validation of the url early in the PHP processing of my website.

Since a signature of this type of attack seems to be "%2f*" (meaning "/*" which is injecting a comment, I guess), I used this hamfisted approach which does work for this specific attack:

$UrlParms = $_SERVER['REQUEST_URI'];
$FoundAnomalies = (strpos($UrlParms, '%2f*'));  //* If we found anomalies in the parameters
if ($FoundAnomalies)
{
   LogErrorToFileOnly("BOGUS URL: ".$FoundAnomalies." ".$UrlParms);
   die();
}

which logs the error to a file and dies before actually outputting any HTML. This has significantly reduced the cpu and memory load on my server by failing early and not later after actually opening a database and executing this failed SQL injection.

I know this is kind of a "whack-a-mole" approach, but can you tell me if this seems reasonable and whether there are any other strings to look for that indicate a SQL injection attack? Or point me to any general purpose php code that would handle this better? Note that I am only interested in code that would look at the URL and parameters very early on in the PHP execution and knows nothing about what parameters are legal for use later in the code.

Historic note: I wrote this e-commerce code 15 years ago using PHP and MySQL and it continues to function to this day. However, the standards of the time didn't really consider this type of security, and I don't know if SQL injection even existed at the time. The effort it would take to rewrite the entire website is not really worth it, so please don't admonish me to scrub every individual parameter, etc., etc. I would write it differently today, but I just want to try to detect SQL injection with simple URL filtering first thing in the php processing then abort.

Final edit 5/11/2018:

Despite the naysayers, I have created some PHP code and Javascript that solves this problem (and many related problems) nicely, and has been thwarting the active hackers attacking my commercial website. It has been working for two months now. The code is posted below in my answer.

Gary Samad
  • 813
  • 7
  • 14
  • 8
    This is entirely the wrong approach. The _only_ way to prevent SQL injection is to use parameterized queries. – ChrisGPT was on strike Mar 05 '18 at 02:55
  • 1
    Hm. Didn't you read the details of the question? I said I know about parameterized queries and such, but am not going to rewrite the entire website. I'm just implementing a band-aid here. I think this is a valid question that could be useful for many legacy websites. – Gary Samad Mar 05 '18 at 05:23
  • 2
    Hm. Didn't you read my comment? There is _no other solution_. The payloads that can carry SQL injection are legion. You cannot beat them with "whack-a-mole", as you put it. Look at something like [sqlmap](http://sqlmap.org/) to start to get an idea of how vast the attack surface is. – ChrisGPT was on strike Mar 05 '18 at 12:51
  • Ok, Chris, I voted you up since you pointed me to useful information that aided my project. See my Answer below to see why my approach actually has some merit, though. – Gary Samad Mar 19 '18 at 01:17

2 Answers2

1

There are Web App Firewall products that use URL whitelisting as an attempt to filter out any unauthorized types of URLs.

  • GreenSQL
  • Oracle Database Firewall
  • Apache mod_security

Generally you need to "teach" these firewalls what types of URLs are legitimate, and then the firewall rejects any request that isn't in the list of whitelisted URLs.

But in my opinion, fixing your code to use SQL query parameters is less work than integrating a WAF product into your site.

If you want to avoid rewriting lots of code all at once, and you prefer a "whack-a-mole" approach, I encourage you to fix the code in one of your PHP pages at a time, as you detect attempted SQL injection attacks. Start with index.php of course. If attackers sees that the homepage is resistant to SQL injection, most might assume the rest of your pages are secure too, and move on to other sites. But you never know, they might just test all of your pages. If you were a hacker, wouldn't you?

This still isn't a good plan, because you're like to get hacked if you delay fixing your code. But at least it spreads out the work over time.

P.S.: You commented that SQL injection may not have been a thing 15 years ago, but in fact:

The first public discussions of SQL injection started appearing around 1998; for example, a 1998 article in Phrack Magazine.

That's 20 years ago!

See https://en.wikipedia.org/wiki/SQL_injection#History

Bill Karwin
  • 538,548
  • 86
  • 673
  • 828
  • 1
    I want to note that DAF like GreenSQL(renamed to Hexatier that doesn't support now) and Oracle Database Firewall is not able to handle and filters requests in application level (in PHP level) by URL. These solutions work with a generated SQL query and try to detect injection in the SQL query (sometimes it possible, but false alarm can happen). – Radik Feb 09 '19 at 08:33
0

Final update 5/11/2018:

Ok, here's my final answer to my own question, meticulously constructed over several weeks and tested for two months on my active e-commerce website. It works marvelously.

This also thwarts other types of non-SQL-injection attacks, such as attempts to inject bogus blog posts and other attempts to inject global variables with urls and other detritus.

//************ Foil SQL injection attacks early by validating the URL and parameters ********
//*** Rejecting a bunch of special characters - make sure to change in both places if you change this!
function VerifyURL()
{
    global $URL_LOG;
    global $BOGUSURL_LOG;

$RejectChars = "'\"%;\\/()[]";  //* If you change this, also change the Javascript below
    $SleepTime = rand(2, 15);   //* Seconds to sleep to slow down the hackers (random to confuse them)

//* REQUEST_URI breaks down to: SCRIPT_NAME, PATH_INFO, QUERY_STRING
    $UrlParms = $_SERVER['REQUEST_URI'];
$ScriptName = $_SERVER['SCRIPT_NAME'];
$PathInfo = $_SERVER['PATH_INFO'];
$QueryString = $_SERVER['QUERY_STRING'];
$ClientIPAddress = str_pad($_SERVER['REMOTE_ADDR'], 15);

//* We don't use PATH_INFO (extra "/something/" after the SCRIPT_NAME) so this is always BOGUS
if (isset($PathInfo))
{
    LogToFileOnly($ClientIPAddress." *BOGUS PATH_INFO: ".$UrlParms, $URL_LOG);
    LogToFileOnly($ClientIPAddress." *BOGUS PATH_INFO: ".$UrlParms, $BOGUSURL_LOG);
    if (!empty($_POST))  //* Log any POST data, too, to help analyze the intent of this attack
    {
        LogArrayToFileOnly($ClientIPAddress." *BOGUS POST Array:", $_POST, $URL_LOG);
            LogArrayToFileOnly($ClientIPAddress." *BOGUS POST Array:", $_POST, $BOGUSURL_LOG);
    }
    sleep($SleepTime);  //* Slow down the hackers
    die();
}

    //* Look for unusual characters that should not be in the URL and abort
    $FoundAnomalies = (strpbrk($QueryString, $RejectChars));
    $Exception = strpos($ScriptName, "/srch.php");  //* if this is the search page, let it through
    $Exception |= strpos($ScriptName, "/amn2/");    //* if this is an admin page, let it through

    if ($FoundAnomalies && !$Exception)
    {
        LogToFileOnly($ClientIPAddress." *BOGUS URL: ".$UrlParms, $URL_LOG);
        LogToFileOnly($ClientIPAddress." *BOGUS URL: ".$UrlParms, $BOGUSURL_LOG);
    if (!empty($_POST))  //* Log any POST data, too, to help analyze the intent of this attack
    {
        LogArrayToFileOnly($ClientIPAddress." *BOGUS POST Array:", $_POST, $URL_LOG);
            LogArrayToFileOnly($ClientIPAddress." *BOGUS POST Array:", $_POST, $BOGUSURL_LOG);
    }
    sleep($SleepTime);  //* Slow down the hackers
        die();
    }
    else
        LogToFileOnly($ClientIPAddress." Valid URL: ".$UrlParms, $URL_LOG);

    //* Now look for unusual characters injected into a POST, if a POST was sent
    if (!empty($_POST) && !$Exception)
    {
        foreach ($_POST as $key => $value)
        {
            //* Validate both keys and values
            $FoundAnomalies = (strpbrk($key, $RejectChars) || strpbrk($value, $RejectChars));
            //$Exception = ($key == "AmnMsg");    //* if this is the admin emailing message page, let it through - we want to email urls and stuff
            if ($FoundAnomalies && !$Exception)
            {
                //* Found an anomaly, report it and die
                LogArrayToFileOnly($ClientIPAddress." *BOGUS POST Array:", $_POST, $URL_LOG);
        LogToFileOnly($ClientIPAddress." Valid URL: ".$UrlParms, $BOGUSURL_LOG);
                LogArrayToFileOnly($ClientIPAddress." *BOGUS POST Array:", $_POST, $BOGUSURL_LOG);
        sleep($SleepTime);  //* Slow down the hackers
                die();
            }
        }
        LogArrayToFileOnly($ClientIPAddress." Valid POST Array:", $_POST, $URL_LOG);
    }
}

//*** This code is added near the bottom of the page, and is for javascript filtering, but could be for other purposes
function FinalHTMLCode()
{
//* Attach a filter to every text input field to filter prohibited characters using javascript
echo '
     <script>
         //* Set the key filtering for every text type input field in the entire page
     var node = document.querySelectorAll("input[type=text],input[type=password],textarea");
     for (var i = 0, len = node.length; i < len; i++)
     {
         node[i].addEventListener("keyup", OnKeyUpEvent);  //* Filter later on keypresses (and paste)
         FilterInputChars(node[i]);                        //* Do the filtering immediatly, too
     }

     function OnKeyUpEvent()
     {
         FilterInputChars(this);
     }

     function FilterInputChars(textfield)
     {
         //* Remove prohibited characters globally in this field - also works when user pastes text!
         textfield.value=textfield.value.replace(/[\\\'\"%\;\\\\/()\[\]]/g,\'\');
     }
    </script>
';  //* End echo
}

The number one benefit to this approach is that it detects hacking attempts early in the processing, and just die()s, therefore causing no additional cpu load of opening databases, etc., and no further information to the hacker about why the attempt failed. I also added code to confuse an active hacker by delaying the response randomly (see sleep()), so he thinks he's accomplishing something.

A legitimate user must not enter these prohibited characters into forms, so I have set up some Javascript that automatically filters all of the special characters. You can place this single line of code near the bottom of your HTML and it will automatically attach the Javascript to every text field and filter the characters:

<?php FinalHTMLCode(); //* Block prohibited characters from all text fields ?>

Note that the code also includes exceptions for pages where I know there might be a special character entered by a legitimate user but where there is no chance of a SQL injection attack succeeding.

Other improvements I made during this journey included the creation of a SQL web user account that did not have admin privileges, but just SELECT, INSERT, and UPDATE privileges for the database. This keeps a malicious attacker from DROPing tables or DELETEing rows or other potentially malicious activity.

Gary Samad
  • 813
  • 7
  • 14
  • This is not a good solution. Even assuming it works in its home context (IDK), its fragile _vis-a-vis_ future changes to the context. I'd be particularly worried about the assumptions that requests to `search` and `admin` are "safe". **Fundamentally, you're enumerating what's forbidden instead of what's allowed.** And consider the cost you're paying: Text-inputs around the site won't allow certain special characters that users might try to enter. – ShapeOfMatter Feb 08 '21 at 00:41