SQL Injection - XSS Preventor.. Need
Results 1 to 10 of 10

Thread: SQL Injection - XSS Preventor.. Need

  1. #1
    Banned
    Join Date
    Nov 2003
    Posts
    68

    SQL Injection - XSS Preventor.. Need

    Finally i have got an idea of an script to do this JOB.. well i know it have alot of LAME things but thats my first script mmmm maybe i need to get SHOOTED for it .. i dont know it need your opinion >> Professionals
    + there is something last that Can Bypass the Script Check..
    ok the script checks the Requested URL for any Metacharacter Used in SQL Injection or XSS exploits.. so i have made that.. and it BAN the person that Does try it..
    there is 2 problems i have faced and didn't find a solution for it..
    1st : the $REMOTE_ADDR doesn't get the Real IP sometimes if a user is using a proxy. so if anybody can tell me how to get the REAL ip of the person.. or i may Disable the BAN IP thing

    2nd : the script can be bypassed by 1 thing... if i made a HTML page in my pc that POST a value with THE SQL INJECTIONS it passes the Script check
    so can any1 tell me how to check the POST VARS..
    thanks in advance

    PHP Code:
    <?
    //////////////////////////////////////////////////////
    //     SCRIPT CODED By : rOCk-MaStEr                //
    //     Any Comments contact me :                  //
    //     [email]rock_mask@hotmail.com[/email]                //
    //     For more Security and Scripts Visit :         //
    //     [url]http://www.securitygurus.net[/url]            //
    //////////////////////////////////////////////////////
    $f=fopen("ip.txt","r");
              
    $data=fread($f,filesize("ip.txt"));
              
    fclose($f);
    $banchk strpos($data,$REMOTE_ADDR);
    if(
    $banchk != false )
    {
    echo 
    ": You Are BANNED from This website :";
    exit;
    }
    else 
    {
    $checktheurl $_SERVER['REQUEST_URI'];
    $metacharacter = array("UNION","SELECT","WHERE","INSERT","union","select","insert","where",";","*","%3c","%3e","<",">",",","'");
    $error=0;
    for(
    $count=0;$count<count($metacharacter);$count++)
    {
    $checker strpos($checktheurl$metacharacter[$count]);
    if(
    $checker != false)
    {
    $error=1;

    $fa=fopen("ip.txt" ,"a");
              
    fwrite($fa,"$REMOTE_ADDR ");
              
    fclose($fa);
    }
    }

    if(
    $error==1)
    {
    echo 
    ": Sorry! You attemping Banned Operation.. ! :";
    exit;
    }
    }
    ?&
    gt

  2. #2
    T̙͓̞̣̯ͦͭͅͅȂͧͭͧ̏̈͏̖̖Z̿ ͆̎̄
    Join Date
    Dec 2004
    Posts
    3,171
    This might point you in the right direction...

    http://www.developersdex.com/asp/mes...egroups.com%3E


    Or...you can go here...but you'll have to scroll down to get to it...

    http://www.webservertalk.com/archive126-2005-2.html

  3. #3
    Banned
    Join Date
    Nov 2003
    Posts
    68
    Thx for ur reply
    but i need that for PHP

  4. #4
    T̙͓̞̣̯ͦͭͅͅȂͧͭͧ̏̈͏̖̖Z̿ ͆̎̄
    Join Date
    Dec 2004
    Posts
    3,171
    If you're looking for a coding site I hope this fits the bill...

    http://www.codingforums.com/archive/index.php/f-6-p-23

    it says it has what you're looking for.

  5. #5
    Instead of detecting it in the URI, how about sanitizing your fields in the script?

    Search this site for an PHP owasp filters tutorial

    You can grab fields from the url with $_GET and $_POST, and sanitize($string, HTML) those fields using that tut.

  6. #6
    Banned
    Join Date
    Nov 2003
    Posts
    68
    i dont get u totally
    i need for an example to INCLUDE the script in Forum files so it can check for sql injections !!

  7. #7
    Ok I see what you're doing. You search for XSS or SQL in the URI and if it appears, you log and ban them automatically.

    Depending on the enviroment you are working on, heres a possibly big vulnerability:

    I use an open relay, spoof your addy and email this link to everyone in your intranet or website:
    http://www.yourdomain.com%3F%27

    All of a sudden, I've banned everyone that clicked that link from viewing your site. If you run a forum, that could be an issue.

    There are PHP arrays that contain all fields (I think), you would have to loop through and sanitize each one and put it right back if you want to prevent an attack, instead of detect it and keep your drop in solution working.

  8. #8
    Banned
    Join Date
    Nov 2003
    Posts
    68
    So i May Remove the BAN issue because it doesn't get the real IP if a user is over a proxy
    but what about the POST VARS i need to check a value in all POSTED
    any ideas !

  9. #9
    Try a foreach loop with your $_POST, it will run through each variable, but you still need to find a way to stick it back into the array.

    regarding foreach:
    As of PHP 5, you can easily modify array's elements by preceding $value with &. This will assign reference instead of copying the value.
    I don't know how to loop through and reassign in PHP 4.

  10. #10
    Banned
    Join Date
    Nov 2003
    Posts
    68
    well i got a solution in my mind and did it

    PHP Code:
    for($j=0;$j<count($HTTP_POST_VARS);$j++)
        {
            
    $vars each($HTTP_POST_VARS);
            
    $varsext $varsext $vars["value"];
        } 
    i will put all the Vars in a 1 variable as String then use it
    i removed the IP BAN THING bcoz no use of it
    +
    i converted the Variables to Lowercase to Get any Tricking in playin with it

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •