msg# 1
Hello
Just another idea I was thinking about: if Protector could have a file, let's call it scanner.php, whose job is to search for any exploit command and ban or log the IP of whoever tried to exploit the page. For example, when someone calls a page like this:
http://xoops/modules/news/index.php?cmd=as where cmd= is an SQL injection exploit.
Now, after we have created scanner.php, we need to include it in the mainfile; then we need to create a list of well-known exploit character strings used for remote execution exploits.
Here are some:
chr(
chr=
chr%20
%20chr
wget%20
%20wget
wget(
cmd=
%20cmd
cmd%20
rush=
%20rush
rush%20
union%20
%20union
union(
union=
echr(
%20echr
echr%20
echr=
esystem(
esystem%20
cp%20
%20cp
cp(
mdir%20
%20mdir
mdir(
mcd%20
mrd%20
rm%20
%20mcd
%20mrd
%20rm
mcd(
mrd(
rm(
mcd=
mrd=
mv%20
rmdir%20
mv(
rmdir(
chmod(
chmod%20
%20chmod
chmod(
chmod=
chown%20
chgrp%20
chown(
chgrp(
locate%20
grep%20
locate(
grep(
diff%20
kill%20
kill(
killall
passwd%20
%20passwd
passwd(
telnet%20
vi(
vi%20
insert%20into
select%20
nigga(
%20nigga
nigga%20
fopen
fwrite
%20like
like%20
_REQUEST
_GET
$REQUEST
$GET
.system
HTTP_PHP
&aim
%20getenv
getenv%20
new_password
&icq
/etc/password
/etc/shadow
/etc/groups
/etc/gshadow
HTTP_USER_AGENT
HTTP_HOST
/bin/ps
wget%20
uname\x20-a
/usr/bin/id
/bin/echo
/bin/kill
/bin/
/sbin/
/usr/sbin
/chgrp
/chown
/usr/bin
g\+\+
bin/python
bin/tclsh
bin/nasm
perl%20
traceroute%20
ping%20
.pl
/usr/X11R6/bin/xterm
lsof%20
/bin/mail
.conf
motd%20
HTTP/1.
.inc.php
config.php
cgi-
.eml
file\://
file://
window.open
javascript\://
ijava script://
mg src
img%20src
.jsp
ftp.exe
xp_enumdsn
xp_availablemedia
xp_filelist
xp_cmdshell
nc.exe
.htpasswd
servlet
/etc/passwd
wwwacl
~root
~ftp
.js
.jsp
admin_
.history
bash_history
.bash_history
~nobody
server-info
server-status
reboot%20
halt%20
powerdown%20
/home/ftp
/home/www
secure_site, ok
chunked
org.apache
/servlet/con
<script
/robot.txt
/robots.txt
/perl
mod_gzip_status
db_mysql.inc
.inc
select%20from
select from
drop%20
.system
getenv
http_
_php
php_
phpinfo()
<?php
?>
sql=
%2527
<br
cc:
bcc:
\r
\n
admin'--
'%20or%200=0%20--
"%20or%200=0%20--
or%200=0%20--
'%20or%200=0%20#
"%20or%200=0%20#
or%200=0%20#
'%20or%20'x'='x
"%20or%20"x"="x
')%20or%20('x'='x
'%20or%201=1--
"%20or%201=1--
or%201=1--
'%20or%20a=a--
"%20or%20"a"="a
')%20or%20('a'='a
")%20or%20("a"="a
hi"%20or%20"a"="a
hi"%20or%201=1%20--
hi'%20or%201=1%20--
hi'%20or%20'a'='a
hi')%20or%20('a'='a
hi")%20or%20("a"="a
c99shell
r57shell
crystalshell
phpshell
dtool
fetch%20
curl%20
lynx%20
ls%20-
/var/tmp
cd%20
_SERVER
$SERVER
_POST
$POST
rundll32
PHP_SELF
<iframe
<script
<a href
<javascript
alert(
<img
<embed
<object
%20src
%3b
%2f
%3f
%3a
%40
%3d
%26
%3c
%3e
%22
%23
%7b
%7d
%7c
%5c
%5e
%7e
%5b
%5d
%60
%25
%27
\x3b
\x2f
\x3f
\x3a
\x40
\x3d
\x26
\x3c
\x3e
\x22
\x23
\x7b
\x7d
\x7c
\x5c
\x5e
\x7e
\x5b
\x5d
\x60
\x25
\x27
Just another idea..
Votes:19
Average:5.26
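One way to implement the scanner.php idea described in the post above, written here as an added example (it is not Protector's code and not the poster's code). It assumes it is included from mainfile.php before any module runs, uses a placeholder log path, and carries only a handful of entries from the list as its signature set; all of those are assumptions for illustration.

```php
<?php
// scanner.php (added example, not Protector's own code). Meant to be
// included from mainfile.php before any module code runs. It normalises
// the request, compares it against a blacklist of exploit signatures,
// logs a hit together with the client IP, and refuses the request.
//
// Assumed for the example: the log path, the 403 response, and the
// small signature list below (a subset of the entries in the post).

define('SCANNER_LOG', '/var/log/xoops_scanner.log'); // assumed path

// Signatures are compared after URL decoding and lowercasing, so a single
// entry such as 'union select' covers "union%20select" and "UNION SELECT".
$scanner_signatures = array(
    'union select', 'select from', 'insert into', 'drop ',
    'xp_cmdshell', '/etc/passwd', '/etc/shadow', '.bash_history',
    'c99shell', 'r57shell', '<script', 'javascript:',
    "' or 1=1", "' or 'a'='a", "admin'--",
);

// Build one normalised string out of everything the client sent: the
// request path, query parameters, POST fields and cookies.
function scanner_request_blob(array $get, array $post, array $cookie, $uri)
{
    $parts = array($uri);
    foreach (array($get, $post, $cookie) as $bag) {
        foreach ($bag as $k => $v) {
            // flatten nested arrays (foo[]=bar) into a plain string
            $parts[] = $k . '=' . (is_array($v) ? implode(',', $v) : $v);
        }
    }
    $blob = implode("\n", $parts);
    // Decode twice so a double-encoded payload (%2527 -> %27 -> ') is
    // compared in its final form, then lowercase for matching.
    return strtolower(rawurldecode(rawurldecode($blob)));
}

// Return the first matching signature, or null when the request is clean.
function scanner_match($blob, array $signatures)
{
    foreach ($signatures as $sig) {
        if (strpos($blob, strtolower($sig)) !== false) {
            return $sig;
        }
    }
    return null;
}

// Append one line per hit. CR/LF are stripped from the URI so an attacker
// cannot forge extra log lines (the post's own list includes \r and \n).
function scanner_log($ip, $sig, $uri)
{
    $line = sprintf("%s %s matched=%s uri=%s\n",
        date('c'), $ip, $sig, str_replace(array("\r", "\n"), ' ', $uri));
    error_log($line, 3, SCANNER_LOG);
}

// Only run the check when serving a web request, not from a CLI script.
if (php_sapi_name() !== 'cli' && isset($_SERVER['REQUEST_URI'])) {
    $blob = scanner_request_blob($_GET, $_POST, $_COOKIE, $_SERVER['REQUEST_URI']);
    $hit  = scanner_match($blob, $scanner_signatures);
    if ($hit !== null) {
        // REMOTE_ADDR is the TCP peer. X-Forwarded-For is attacker
        // controlled, so it is deliberately not used for the ban decision.
        $ip = $_SERVER['REMOTE_ADDR'];
        scanner_log($ip, $hit, $_SERVER['REQUEST_URI']);
        header('HTTP/1.1 403 Forbidden');
        exit('Request blocked.');
    }
}
```

Two things to keep in mind when using something like this. Substring matching is a tripwire, not a security boundary: entries from the full list such as `.js`, `%25`, `<br`, `select%20` or `like%20` will fire on ordinary traffic (a search form, a forum post that mentions JavaScript), so the set has to be tuned against your own access logs. And because the request is decoded before matching, the log line shows the decoded form; keep the raw URI too if you need it for evidence.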
msg# 1.1
Mikhail
From: Rio de Janeiro, Brasil
Posts: 15
Excellent idea. You can update your list by looking in the source code of the latest cracker scanners and in your web logs. I love to do it.
PS1: a lot of web scanners created by "genial" script kiddies and designed to attack can also be used to discover and fix potential security holes, but professional developers and webmasters rarely do that (AFAIK).
PS2: (maybe off-topic) I'm trying to code a new security scanner application (Win32/Lua) called "Pandora's Cube" that tests all XOOPS files and uses all ~4,000 variables extracted from XOOPS Cube using PHPXREF 0.7. The objective is to make a more specific tool to help find some kinds of vulnerabilities in XOOPS Cube.
Votes:11
Average:9.09
msg# 1.2
Hi onasre.
I also think it's an interesting idea.
But the "blacklisting" method can protect the site only from script kiddies or worms.
It will never be a high hurdle for skilled crackers.
I believe DBLayer-Anti-SQL-Injection is the ultimate method of protecting against SQL injection.
Now I just want all core developers to adopt my overridable databasefactory.php.
Votes:11
Average:6.36
msg# 1.3
Interesting, I think, too, but then you will have to keep updating the list when new methods are found.
Personally I think the whitelist approach is best of all: only allow what you want to allow, and prevent everything else.
Gijoe's approach with this new DB layer is excellent IMO.
I was also looking into a DB layer for icms as well, with the idea of better filtering and making better use of mysql_real_escape_string() instead of having addslashes()/stripslashes() all over the place, as well as SQL prepared statements instead of the current methods, and other filters such as PHP 5's native filter_var() and filter_input(), etc.
Votes:11
Average:6.36
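The whitelist and prepared-statement approach discussed in the reply above, as an added example that is not ImpressCMS, Protector or databasefactory.php code. It assumes a MySQL table `news_stories` with columns `storyid`, `title` and `published`, a placeholder DSN and credentials, and request parameters `storyid`, `sort` and `order`; all of those names are made up for the illustration. It also goes one step past the post: prepared statements cover values only, so identifiers such as the ORDER BY column still need a whitelist.

```php
<?php
// Added example (not ImpressCMS/Protector code). Whitelisting request
// input next to a PDO prepared statement.
// Assumed: table news_stories(storyid, title, published), DSN/credentials
// placeholders, and the request parameter names used below.

// Value parameters: validate to the exact type expected, reject otherwise.
// filter_var() returns false on failure, so a return of null means "bad".
function valid_story_id($raw)
{
    $id = filter_var($raw, FILTER_VALIDATE_INT,
                     array('options' => array('min_range' => 1)));
    return $id === false ? null : $id;
}

// Identifiers (column names, sort direction) cannot be bound as parameters,
// so they are mapped through a fixed whitelist rather than escaped.
// Anything not in the map falls back to a safe default.
function valid_sort($raw)
{
    $allowed = array('date' => 'published', 'title' => 'title', 'id' => 'storyid');
    return isset($allowed[$raw]) ? $allowed[$raw] : 'published';
}

function valid_order($raw)
{
    return strtoupper((string)$raw) === 'ASC' ? 'ASC' : 'DESC';
}

// The "before" style the reply complains about: escaping by hand and
// pasting the value into the SQL text. addslashes() does nothing for an
// unquoted integer, so storyid=1 OR 1=1 goes straight through.
function fetch_story_unsafe(PDO $db, $raw_id)
{
    $sql = 'SELECT storyid, title FROM news_stories WHERE storyid=' . addslashes($raw_id);
    return $db->query($sql)->fetch(PDO::FETCH_ASSOC);
}

// Prepared statement: the value travels separately from the SQL text, so
// "1 OR 1=1" is sent as data and never parsed as SQL.
function fetch_story(PDO $db, $storyid)
{
    $stmt = $db->prepare('SELECT storyid, title FROM news_stories WHERE storyid = :id');
    $stmt->bindValue(':id', $storyid, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetch(PDO::FETCH_ASSOC);
}

// Identifiers come from the whitelist; the LIMIT value is bound as an int.
function list_stories(PDO $db, $sort, $order, $limit)
{
    $sql = sprintf('SELECT storyid, title FROM news_stories ORDER BY %s %s LIMIT :lim',
                   valid_sort($sort), valid_order($order));
    $stmt = $db->prepare($sql);
    $stmt->bindValue(':lim', (int)$limit, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Request handling: reject bad input instead of trying to "clean" it.
$id = valid_story_id(isset($_GET['storyid']) ? $_GET['storyid'] : null);
if ($id === null) {
    header('HTTP/1.1 400 Bad Request');
    exit('storyid must be a positive integer');
}

$db = new PDO('mysql:host=localhost;dbname=xoops;charset=utf8', 'user', 'pass', array(
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    // Use real server-side prepares, not client-side string interpolation.
    PDO::ATTR_EMULATE_PREPARES => false,
));

$story = fetch_story($db, $id);
$rows  = list_stories($db,
    isset($_GET['sort'])  ? $_GET['sort']  : 'date',
    isset($_GET['order']) ? $_GET['order'] : 'desc',
    20);
```

The point of the contrast is that `fetch_story_unsafe()` is only ever correct when every caller remembers to escape and quote, while `fetch_story()` is correct by construction. `list_stories()` shows the part prepared statements cannot do for you: the column name and direction are chosen from a fixed map, which is the whitelist idea applied to the one place escaping cannot reach.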
msg# 1.3.1
Hi vaughan.
I'm waiting for ImpressCMS to adopt my databasefactory.php so that the DBLayer-Anti-SQL-Injection of Protector 3.3 can work.
It must be a killer feature for securing a CMS.
Votes:10
Average:9.00
msg# 1.4
Hi Gijoe,
ImpressCMS 1.1.2 final includes your databasefactory.php modifications, so the patch file you include is not required for 1.1.2 final :)
Votes:10
Average:10.00
msg# 1.4.1
Hi vaughan.
Quote:
ImpressCMS 1.1.2 final includes your databasefactory.php modifications, so the patch file you include is not required for 1.1.2 final :)
Oh!
It's my negligence.
I have to check ImpressCMS 1.1.2 and fix Protector's package and documentation.
Anyway, thank you for the adoption.
This is another proof that ImpressCMS is a security-conscious CMS.
Votes:11
Average:9.09
msg# 1.5
Glad you liked the idea..
By the way Gijoe, are you going to do something about high-load hits or server load? It was an idea from someone, I forgot who it was..
Votes:8
Average:10.00
msg# 1.5.1
Hi onasre.
Quote:
By the way Gijoe, are you going to do something about high-load hits or server load? It was an idea from someone, I forgot who it was..
You can find
precommon_bwlimit_errorlog.php
precommon_bwlimit_message.php
in TRUST/modules/protector/filters_disabled.
I cannot ensure it is always useful for highly loaded sites.
I can say that Apache modules like mod_bandwidth might be better options if you can use them.
Votes:6
Average:10.00