Stop SQL Injection through .htaccess

Question

We have been the target of some nasty SQL injection attacks - all hitting the same page, and using roughly the same injection parameters. They aren't actually getting anywhere, but when they hit the same page it takes up server resources and slows everything down.

I've attempted using a generic SQL Injection code block like the one found here, but not 100% it's actually working.

I've taken a snippet of the URL they are hitting, see below:

b%27%20and%20if%28Length%28%28database%28%29%29%29%3C24%2CBENCHMARK%281206122%2CMD5%280x41%29%29%2C0%29%20and%20%27x%27%3D%27x

I just want to send them to an error page or something, but not quite sure how to implement what I am after.

Any and all help appreciated.

On a side note, it is not a Wordpress directory they are hitting, so Wordpress security plug-ins are no good.

Cheers, BH-Tech

I'd also add that the injection parameters are not in a query string. The requests are similar to below:

/directory/hospitals/http://www.domain%27%20and%20if%28Length%28%28select%20distinct%20table_name%20from%20%60information_schema%60.tables%20where%20table_schema%3D%27mysql%27%20limit%200%2C1%29%29%3D13%2CBENCHMARK%281925550%2CMD5%280x41%29%29%2C0%29%20and%20%27x%27%3D%27x.com/directory/hospitals/

checkout this link. http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php — shadab, Apr 27 '15 at 05:56
Thanks - it's not so much I want to safeguard the application - but actually do something about the requests that are being made to the page — , Apr 27 '15 at 06:08

Nikita 웃 · Answer 1 · 2018-09-05T10:45:59.350

I have been using this with great success for several years on my Wordpress sites. (source):

MySQL injection attempts are one of the most common hacking attacks against PHP websites. If your website is hosted on a dedicated or virtual server, the best solution is to your server hardened with proper mod_security rules. However, if you're on shared hosting, this is not an option. Although it's not possible to use advanced strategies to protect your website, you're still able to protect it against hacking attempts using .htaccess rules. To implement such a protection, append your current .htaccess file with the following code, or create a new file called .htaccess, if you don't use any yet, and place it in your website's main folder:

#####################################################    
# Script: htaccess Security                                                                 
#
# Version: 1.0                                                                                     
# 
#  ### Changelog ###                                                                        
#
# v1.0 - 2012-02-14                                                                            
#
#####################################################

# No web server version and indexes
ServerSignature Off
Options -Indexes

# Enable rewrite engine
RewriteEngine On

# Block suspicious request methods
RewriteCond %{REQUEST_METHOD} ^(HEAD|TRACE|DELETE|TRACK|DEBUG) [NC]

RewriteRule ^(.*)$ - [F,L]

# Block WP timthumb hack
RewriteCond %{REQUEST_URI} (timthumb\.php|phpthumb\.php|thumb\.php|thumbs\.php) [NC]

RewriteRule . - [S=1]

# Block suspicious user agents and requests
RewriteCond %{HTTP_USER_AGENT} (libwww-perl|wget|python|nikto|curl|scan|java|winhttp|clshttp|loader) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} (<|>|'|%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} (;|<|>|'|"|\)|\(|%0A|%0D|%22|%27|%28|%3C|%3E|%00).*(libwww-perl|wget|python|nikto|curl|scan|java|winhttp|HTTrack|clshttp|archiver|loader|email|harvest|extract|grab|miner) [NC,OR]
RewriteCond %{THE_REQUEST} \?\ HTTP/ [NC,OR]
RewriteCond %{THE_REQUEST} \/\*\ HTTP/ [NC,OR]
RewriteCond %{THE_REQUEST} etc/passwd [NC,OR]
RewriteCond %{THE_REQUEST} cgi-bin [NC,OR]
RewriteCond %{THE_REQUEST} (%0A|%0D) [NC,OR]

# Block MySQL injections, RFI, base64, etc.
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=http:// [OR]
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(\.\.//?)+ [OR]
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ [NC,OR]
RewriteCond %{QUERY_STRING} \=PHP[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12} [NC,OR]
RewriteCond %{QUERY_STRING} (\.\./|\.\.) [OR]
RewriteCond %{QUERY_STRING} ftp\: [NC,OR]
RewriteCond %{QUERY_STRING} http\: [NC,OR]
RewriteCond %{QUERY_STRING} https\: [NC,OR]
RewriteCond %{QUERY_STRING} \=\|w\| [NC,OR]
RewriteCond %{QUERY_STRING} ^(.*)/self/(.*)$ [NC,OR]
RewriteCond %{QUERY_STRING} ^(.*)cPath=http://(.*)$ [NC,OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (<|%3C)([^s]*s)+cript.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*iframe.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (<|%3C)([^i]*i)+frame.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [NC,OR]
RewriteCond %{QUERY_STRING} base64_(en|de)code[^(]*\([^)]*\) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} ^.*(\[|\]|\(|\)|<|>).* [NC,OR]
RewriteCond %{QUERY_STRING} (NULL|OUTFILE|LOAD_FILE) [OR]
RewriteCond %{QUERY_STRING} (\./|\../|\.../)+(motd|etc|bin) [NC,OR]
RewriteCond %{QUERY_STRING} (localhost|loopback|127\.0\.0\.1) [NC,OR]
RewriteCond %{QUERY_STRING} (<|>|'|%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
RewriteCond %{QUERY_STRING} concat[^\(]*\( [NC,OR]
RewriteCond %{QUERY_STRING} union([^s]*s)+elect [NC,OR]
RewriteCond %{QUERY_STRING} union([^a]*a)+ll([^s]*s)+elect [NC,OR]
RewriteCond %{QUERY_STRING} (;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|drop|delete|update|cast|create|char|convert|alter|declare|order|script|set|md5|benchmark|encode) [NC,OR]
RewriteCond %{QUERY_STRING} (sp_executesql) [NC]

RewriteRule ^(.*)$ - [F,L]

# Deny browser access to config files

Order allow,deny
Deny from all
#Allow from 1.2.3.4

It should work fine with most PHP scripts and has been tested with WordPress and Joomla!. If you want to run your install.php or directly access a config file with your browser, remove the hash symbol at the end of the file before "Allow from 1.2.3.4" and replace "1.2.3.4" with your external IP. .htaccess files will only work with Apache and LiteSpeed.

score 1 · Answer 2 · answered Apr 27 '15 at 18:28

I'm using this for sometime and it never failed me:

RewriteCond %{QUERY_STRING} DECLARE [NC]
RewriteRule !403\.html$ - [F]
RewriteCond %{QUERY_STRING} SELECT [NC]
RewriteRule !403\.html$ - [F]
RewriteCond %{QUERY_STRING} UPDATE [NC]
RewriteRule !403\.html$ - [F]
RewriteCond %{QUERY_STRING} DELETE [NC]
RewriteRule !403\.html$ - [F]
RewriteCond %{QUERY_STRING} TRUNCATE [NC]
RewriteRule !403\.html$ - [F]
RewriteCond %{QUERY_STRING} DROP [NC]
RewriteRule !403\.html$ - [F]

Basically, all these QS are denied. And I take care so my code do not use them. This, together with the parameterization will always work.

Hi SmartDev. These rules makes sense, and would work in a normal sql injection attack, however the issue we are facing is it's almost as if they are doing the sql injection wrong. There is no query string in the URL, so the .htaccess rules have no effect. For now I have just had to check the request as a whole and if there is a particular word present, I send them to 403. This is risky, but has seemed to of worked. — , Apr 28 '15 at 23:12

score 0 · Answer 3 · answered Apr 28 '15 at 23:21

All though quite risky, I have used this code to send the malicious requests to 403 Forbidden.

RewriteCond %{REQUEST_URI} KEYWORD
RewriteRule ^(.*)$ - [F,L]

Changing KEYWORD to a unique word in you find in the requests. Be very careful using this rule, thoroughly check logs and analytics to make sure you don't block legitimate users using the keyword.

Stop SQL Injection through .htaccess

3 Answers3