Thread: SQL Injection - XSS Preventor.. Need

  1. #1

    SQL Injection - XSS Preventor.. Need

    Finally I have got an idea for a script to do this job.. well I know it has a lot of lame things but that's my first script, mmmm, maybe I need to get shot for it.. I don't know, I need your opinion >> Professionals
    + there is one last thing that can bypass the script check..
    OK, the script checks the requested URL for any metacharacter used in SQL injection or XSS exploits.. so I have made that.. and it bans the person that does try it..
    There are 2 problems I have faced and didn't find a solution for:
    1st: $REMOTE_ADDR doesn't get the real IP sometimes if a user is using a proxy, so if anybody can tell me how to get the REAL IP of the person.. or I may disable the BAN IP thing

    2nd: the script can be bypassed by 1 thing... if I made an HTML page on my PC that POSTs a value with the SQL injections, it passes the script check
    so can anyone tell me how to check the POST VARS..
    thanks in advance

    PHP Code:
    <?php
    //////////////////////////////////////////////////////
    //     SCRIPT CODED By : rOCk-MaStEr                //
    //     Any Comments contact me :                    //
    //     rock_mask@hotmail.com                        //
    //     For more Security and Scripts Visit :        //
    //     http://www.securitygurus.net                 //
    //////////////////////////////////////////////////////
    // The bare $REMOTE_ADDR only exists with register_globals on; read it from $_SERVER.
    $remote_addr = $_SERVER['REMOTE_ADDR'];

    // Load the ban list (space-separated addresses); an empty file yields "".
    $data = (string) file_get_contents("ip.txt");

    // strpos() returns 0 for a match at offset 0, so compare with !== false, not != false.
    $banchk = strpos($data, $remote_addr);
    if ($banchk !== false) {
        echo ": You Are BANNED from This website :";
        exit;
    } else {
        $checktheurl = $_SERVER['REQUEST_URI'];
        $metacharacter = array("UNION","SELECT","WHERE","INSERT","union","select","insert","where",";","*","%3c","%3e","<",">",",","'");
        $error = 0;
        for ($count = 0; $count < count($metacharacter); $count++) {
            $checker = strpos($checktheurl, $metacharacter[$count]);
            if ($checker !== false) {
                $error = 1;
                // Append the client's address to the ban list.
                $fa = fopen("ip.txt", "a");
                fwrite($fa, "$remote_addr ");
                fclose($fa);
            }
        }

        if ($error == 1) {
            echo ": Sorry! You attemping Banned Operation.. ! :";
            exit;
        }
    }
    ?>

  2. #2
    This might point you in the right direction...

    http://www.developersdex.com/asp/mes...egroups.com%3E


    Or...you can go here...but you'll have to scroll down to get to it...

    http://www.webservertalk.com/archive126-2005-2.html

  3. #3
    Thanks for your reply
    but I need that for PHP

  4. #4
    If you're looking for a coding site I hope this fits the bill...

    http://www.codingforums.com/archive/index.php/f-6-p-23

    it says it has what you're looking for.

  5. #5
    Instead of detecting it in the URI, how about sanitizing your fields in the script?

    Search this site for a PHP OWASP filters tutorial

    You can grab fields from the URL with $_GET and $_POST, and sanitize($string, HTML) those fields using that tutorial.

  6. #6
    I don't get you totally
    I need, for example, to INCLUDE the script in forum files so it can check for SQL injections !!

  7. #7
    Ok I see what you're doing. You search for XSS or SQL in the URI and if it appears, you log and ban them automatically.

    Depending on the environment you are working on, here's a possibly big vulnerability:

    I use an open relay, spoof your addy and email this link to everyone in your intranet or website:
    http://www.yourdomain.com%3F%27

    All of a sudden, I've banned everyone that clicked that link from viewing your site. If you run a forum, that could be an issue.

    There are PHP arrays that contain all fields (I think); you would have to loop through and sanitize each one and put it right back if you want to prevent an attack, instead of detecting it, and keep your drop-in solution working.

  8. #8
    So I may remove the BAN issue because it doesn't get the real IP if a user is over a proxy
    but what about the POST VARS? I need to check a value in all POSTED
    any ideas!

  9. #9
    Try a foreach loop with your $_POST, it will run through each variable, but you still need to find a way to stick it back into the array.

    regarding foreach:
    As of PHP 5, you can easily modify an array's elements by preceding $value with &. This will assign a reference instead of copying the value.
    I don't know how to loop through and reassign in PHP 4.

  10. #10
    Well, I got a solution in my mind and did it

    PHP Code:
    // $HTTP_POST_VARS and each() are gone from current PHP; foreach over $_POST
    // walks every posted value the same way.
    $varsext = '';
    foreach ($_POST as $vars) {
        $varsext = $varsext . $vars;
    }
    I will put all the vars in one variable as a string, then use it
    I removed the IP BAN thing because it is no use
    +
    I converted the variables to lowercase to catch any tricking in playing with it
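An added example, not code from the thread, of the sanitize-instead-of-detect approach from posts #5, #7 and #9 applied to the POST walk in post #10: it normalises request values in place with foreach by reference (including nested field[] arrays, which a count()/each() loop skips), binds the cleaned values with prepared statements, and escapes at output time. It assumes PHP 7.1+ with the pdo_sqlite extension; the field names and sample values are constructed.

```php
<?php
// Added example (not from the thread): sanitize and bind every request value
// instead of scanning the URI for SQL keywords and banning the client.

/**
 * Normalise every scalar in a request array in place, recursing into nested
 * arrays such as tags[] (which the count()/each() loop in post #10 misses).
 * Uses foreach by reference, as post #9 describes for PHP 5+.
 */
function normalize_request(array &$vars): void
{
    foreach ($vars as &$value) {
        if (is_array($value)) {
            normalize_request($value);
        } else {
            // Drop NUL bytes and surrounding whitespace only. Quotes and words
            // like SELECT stay: they are harmless once bound as parameters.
            $value = trim(str_replace("\0", '', (string) $value));
        }
    }
    unset($value); // release the reference foreach leaves behind
}

/** Escape for HTML: the XSS defence belongs at output time, not input time. */
function html_escape(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed stand-in for $_POST from a forum form (values are hypothetical).
$_POST = [
    'title' => " hello' OR '1'='1 ",
    'tags'  => ['<script>alert(1)</script>', " php "],
];
normalize_request($_POST);

// SQL: bind the value; the quote in the title cannot alter the statement.
// Assumes the pdo_sqlite extension; an in-memory database keeps this self-contained.
$pdo = new PDO('sqlite::memory:');
$pdo->exec('CREATE TABLE posts (title TEXT)');
$stmt = $pdo->prepare('INSERT INTO posts (title) VALUES (:title)');
$stmt->execute([':title' => $_POST['title']]);

// HTML: escape when rendering, so the script tag becomes inert text.
foreach ($_POST['tags'] as $tag) {
    echo '<li>' . html_escape($tag) . "</li>\n";
}
```

Because nothing is keyword-filtered, a legitimate post containing the word "select" or an apostrophe is stored and rendered intact, which the URI blacklist in post #1 would have blocked and banned.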
