Posted: 25 August 2008 at 11:52am
I am new to ISAPI_Rewrite and have very limited coding experience. I am trying to write a rule to redirect a SQL Injection attack. The attacking code uses the following url patterns:
According to the IIS log:
(1) GET /overview.aspx ;DECLARE%20@S%20CHAR(4000);SET%20@S=CAST 0x4445434 (shortened)
(2) GET /overview.aspx ';DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x4445434 (shortened)
According to the ISAPI_Rewrite.log:
(1) init rewrite engine with requested uri /overview.aspx?';DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x4445434 (shortened)
(2) init rewrite engine with requested uri /overview.aspx?';DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x4445434 (shortened)
Note that ISAPI_Rewrite displays the space after overview.aspx as ?.
The Rewrite Rule I'm currently using is:
RewriteRule .*DECLARE.* http://www.mydomain.com/badpage.html [I,R]
If I paste the above RewriteRule and the url format of GET /overview.aspx ;DECLARE%20@S%20CHAR(4000);SET%20@S=CAST 0x4445434 (shortened) into the Regextest it returns a match, and if I test it in my browser it executes the url redirect.
However, based on the Rewrite.log, it appears that ISAPI_Rewrite converts or displays the space after the .aspx to ? and then doesn't recognize or check the query that follows, including the DECLARE statement based on the above rule.
Can someone give me a rewrite rule syntax that will redirect these sql injection attempts and explain how to have it evaluate the query portion following the .aspx?
Thanks in advance for your help.
Edited by Pedge99 - 25 August 2008 at 11:55am
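As an added illustration (not part of the original post, and not ISAPI_Rewrite's own code), here is a small Python check that splits a requested URI into its path and query string and applies a detection pattern to each part separately, run over constructed URIs modelled on the ones quoted above. It shows why a pattern that only ever sees the path never encounters the DECLARE statement, and it compares the loose "anything containing DECLARE" pattern with a tighter one built around the ;DECLARE @name CHAR( shape of the quoted requests, which avoids flagging ordinary words in legitimate query strings. The sample URIs, the regular expressions and the function names are all assumptions made for this example.

```python
import re
from urllib.parse import urlsplit, unquote

# Constructed sample URIs, shaped like the ones quoted in the post (and
# shortened the same way). They are not real log data.
SAMPLE_URIS = [
    "/overview.aspx?';DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x4445434",
    "/overview.aspx?;DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x4445434",
    "/overview.aspx?id=17",
    "/news.aspx?title=declared%20winners",
]

# Loose pattern: the same idea as the rule in the post (any DECLARE, case-insensitive).
LOOSE_RE = re.compile(r"DECLARE", re.IGNORECASE)

# Tighter pattern (assumption for this example): a statement separator, then
# DECLARE, a @variable, and a CHAR/VARCHAR/NCHAR/NVARCHAR type with an opening
# parenthesis, as seen in the quoted requests.
INJECTION_RE = re.compile(
    r";\s*DECLARE\s+@\w+\s+N?(?:VAR)?CHAR\s*\(", re.IGNORECASE
)


def decode(text, rounds=2):
    """URL-decode up to `rounds` times so a doubly-encoded payload is still seen."""
    for _ in range(rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text


def split_uri(uri):
    """Return (path, query) for a requested URI such as /page.aspx?a=b."""
    parts = urlsplit(uri)
    return parts.path, parts.query


def path_only_match(uri, pattern=INJECTION_RE):
    """True if the pattern matches the PATH alone (what a path-only rule would test)."""
    path, _ = split_uri(uri)
    return bool(pattern.search(decode(path)))


def query_match(uri, pattern=INJECTION_RE):
    """True if the pattern matches the decoded QUERY STRING."""
    _, query = split_uri(uri)
    return bool(pattern.search(decode(query)))


def scan(uris, pattern=INJECTION_RE):
    """Return the URIs whose query string matches the given pattern."""
    return [uri for uri in uris if query_match(uri, pattern)]


if __name__ == "__main__":
    for uri in SAMPLE_URIS:
        print(
            f"{uri!r}\n"
            f"  path-only match : {path_only_match(uri)}\n"
            f"  query match     : {query_match(uri)}\n"
            f"  loose query hit : {query_match(uri, LOOSE_RE)}"
        )
    print("flagged:", scan(SAMPLE_URIS))
```

The two injection-style URIs are flagged only when the query string is examined; the path /overview.aspx on its own never matches. The loose pattern also fires on the harmless "declared winners" query, which the tighter pattern ignores. In Apache mod_rewrite syntax, which ISAPI_Rewrite 3 is designed to follow, the RewriteRule pattern is tested against the path and the query string has to be tested separately with a RewriteCond on %{QUERY_STRING}; whether the poster's installation is that version is not stated in the post.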