I wished to block requests like http://anything.com/something.php?hack_attempt=select * from users.

For this I use the following in .htaccess:

RewriteCond %{QUERY_STRING} ^.*(md5|benchmark|union|select|insert|cast|set|declare|drop|update).* [NC]

The problem is that this rule also hits http://anything.com/update.php. As far as I know, %{QUERY_STRING} should contain only the GET params string after ?, but it hits the URI. Can anyone advise where the problem could be?

UPDATE: full rule

<IfModule mod_rewrite.c>
 RewriteEngine On
 RewriteCond %{QUERY_STRING} ^.*(localhost|loopback|127\.0\.0\.1).*                                [NC,OR]
 #RewriteCond %{QUERY_STRING} ^.*(\.|\*|;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*                 [NC,OR]
 RewriteCond %{REQUEST_URI} ^.*/ban_url/                                                           [NC,OR]
 #RewriteCond %{QUERY_STRING} ^.*(md5|benchmark|union|select|insert|cast|set|declare|drop|update).* [NC]
 RewriteCond %{QUERY_STRING} ^.*(md5|benchmark|union|insert|cast|set|declare|drop).* [NC,OR]
 RewriteCond %{QUERY_STRING} ^.*\?.*(md5|benchmark|union|select|insert|cast|set|declare|drop|update).* [NC]

 RewriteRule ^(.*)$ - [R=400,L]
</IfModule>

If I uncomment

RewriteCond %{QUERY_STRING} ^.*(md5|benchmark|union|select|insert|cast|set|declare|drop|update).* [NC]

then Apache will block www.anything.com/update.php, but it should block only www.anything.com/something.php?param=update

UPDATE 2: full conf

<IfModule mod_rewrite.c>
 RewriteEngine On
 RewriteCond %{QUERY_STRING} ^.*(localhost|loopback|127\.0\.0\.1).*                                [NC,OR]
 #RewriteCond %{QUERY_STRING} ^.*(\.|\*|;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*                 [NC,OR]
 RewriteCond %{REQUEST_URI} ^.*/ban_url/                                                           [NC,OR]
 #RewriteCond %{QUERY_STRING} ^.*(md5|benchmark|union|select|insert|cast|set|declare|drop|update).* [NC]
 RewriteCond %{QUERY_STRING} ^.*(md5|benchmark|union|insert|cast|set|declare|drop).* [NC,OR]
 RewriteCond %{QUERY_STRING} ^.*\?.*(md5|benchmark|union|select|insert|cast|set|declare|drop|update).* [NC]

 RewriteRule ^(.*)$ - [R=400,L]

 RewriteCond %{REQUEST_URI} ^.*wp-*                                                           [NC,OR]
 RewriteCond %{REQUEST_URI} ^.*www\.zip*                                                           [NC,OR]
 RewriteCond %{REQUEST_URI} ^.*backup\.zip*                                                           [NC,OR]
 RewriteCond %{REQUEST_URI} ^.*public_html\.zip*                                                           [NC,OR]
 RewriteCond %{REQUEST_URI} ^.*\.tar\.gz*                                                           [NC,OR]
 RewriteCond %{REQUEST_URI} ^.*administrator*                                                           [NC,OR]
 RewriteCond %{REQUEST_URI} ^.*admin\.php*                                                           [NC,OR]
 RewriteCond %{REQUEST_URI} ^.*admin/index\.php*                                                           [NC,OR]
 RewriteCond %{REQUEST_URI} ^.*elrekt\.php*                                                           [NC,OR]
 RewriteCond %{REQUEST_URI} ^.*_adminer*                                                           [NC,OR]
 RewriteCond %{REQUEST_URI} ^.*accesson*                                                           [NC,OR]
 RewriteCond %{REQUEST_URI} ^.*agentui*                                                           [NC,OR]
 RewriteCond %{REQUEST_URI} ^.*trackback*                                                           [NC,OR]
 RewriteCond %{REQUEST_URI} ^.*wp-login*                                                           [NC,OR]
 RewriteCond %{REQUEST_URI} ^.*router\.php*                                                           [NC,OR]
 RewriteCond %{REQUEST_URI} ^.*AspCms_AdminAdd*                                                           [NC,OR]
 RewriteCond %{REQUEST_URI} ^.*public/js/wind*                                                           [NC,OR]
 RewriteCond %{REQUEST_URI} ^.*include/calendar/calendar-cn*                                                           [NC,OR]
 RewriteCond %{REQUEST_URI} ^.*app-ads*                                                           [NC,OR]
 RewriteCond %{REQUEST_URI} ^.*vendor/phpunit/*                                                           [NC,OR]
 RewriteCond %{REQUEST_URI} ^.*utility/*                                                           [NC,OR]
 RewriteCond %{REQUEST_URI} ^.*blackhat*                                                           [NC,OR]
 RewriteCond %{REQUEST_URI} ^.*data/admin/allowurl*                                                           [NC,OR]
 RewriteCond %{REQUEST_URI} ^.*js/varien*                                                           [NC,OR] #magento
 RewriteCond %{REQUEST_URI} ^.*js/mage*                                                           [NC,OR] #magento
 RewriteCond %{REQUEST_URI} ^.*magento_version*                                                           [NC,OR] #magento
 RewriteCond %{REQUEST_URI} ^.*db_z\.php*                                                           [NC,OR]
 RewriteCond %{REQUEST_URI} ^.*functions\.php*                                                           [NC,OR]
 RewriteCond %{REQUEST_URI} ^.*lottery-index*                                                           [NC]

 RewriteRule ^(.*)$ - [R=400,L]


</IfModule>

This conf file is applied in the site conf like this:

<VirtualHost *:80>
    Include /var/www/url_blacklist.conf
        ServerName ...
        DocumentRoot ...
        ErrorLog ...
</VirtualHost>
  • Please post your RewriteRule and be more specific about the problem you are having. Commented Nov 27, 2020 at 14:05
  • @AmitVerma updated Commented Nov 27, 2020 at 18:41
  • @MykolaMykolayovichDolynskyi, is the string hack_attempt= a sample one of a real string in your query string (if not, then please do mention whatever could be there, with samples)? Kindly confirm once. Commented Nov 28, 2020 at 4:47
  • @RavinderSingh13 not real, I just want to search for any forbidden words which are only in GET params (after the ? sign), but in reality it also finds them in the URI. I cannot use a sample as I don't know which kind of attack robots will deploy next time. Commented Nov 29, 2020 at 20:36
  • “UPDATE: full rule” - is this your full rewrite configuration now, or are you doing other stuff as well? What you say is happening can’t be explained by what you have shown so far, and a test tool like htaccess.madewithlove.be agrees. Commented Nov 30, 2020 at 8:21

1 Answer

I am assuming that you want to block/forbid all those requests which have select * in their query string and whose URI is not the requested update.php. If this is the case, could you please try the following once. These conditions are written as per the requested conditions only; you could test them alone and then try to merge them with your existing conditions too.

RewriteEngine On
RewriteCond %{REQUEST_URI} !^/update\.php [NC]
RewriteCond %{QUERY_STRING} select \* [NC]
RewriteRule ^ - [R=301,F]
4 Comments

Like that, I wish to redirect to 301 any request which has SQL expressions only in GET params. At the same time I need to allow URLs like /update.php and so on (but QUERY_STRING hits the URL also; I thought it should include GET params only).
@MykolaMykolayovichDolynskyi, it looks like your conditions such as RewriteCond %{REQUEST_URI} ^.*wp-* and then RewriteCond %{REQUEST_URI} ^.*www\.zip* have an issue here: you did not put an OR condition there, so all are considered as an AND condition, which can't be the case judging by your regex (which isn't looking OK to me, since everything is checking that it starts from ^). Kindly try to put an OR condition there once?
The [NC,OR] seems to be everywhere; maybe you have not scrolled the code frame to the right?
@MykolaMykolayovichDolynskyi, sorry, usually conditions wouldn't have many spaces, so I haven't scrolled right to it.
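
An offline harness for checking which requests the question's keyword condition would block, added here as an example and not part of the original thread. It applies the alternation to the query string only, as %{QUERY_STRING} does, using Python's re as a stand-in for mod_rewrite's PCRE; the STRICT word-boundary variant and the sample URLs are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Alternation copied from the question's commented-out RewriteCond.
KEYWORDS = "md5|benchmark|union|select|insert|cast|set|declare|drop|update"

# The question's pattern: keyword anywhere in the string, case-insensitive ([NC]).
LOOSE = re.compile(rf"^.*({KEYWORDS}).*", re.IGNORECASE)
# Assumed stricter variant (not from the thread): keyword must be a whole word.
STRICT = re.compile(rf"\b({KEYWORDS})\b", re.IGNORECASE)


def split_request(url):
    """Split a URL into (path, query): the parts that mod_rewrite exposes
    as %{REQUEST_URI} and %{QUERY_STRING} respectively."""
    parts = urlsplit(url)
    return parts.path, parts.query


def blocked(url, pattern=LOOSE):
    """True if the pattern matches the query string; the path is never tested."""
    _path, query = split_request(url)
    return pattern.search(query) is not None


def audit(urls, pattern=LOOSE):
    """Return {url: would_be_blocked} for a list of sample requests."""
    return {u: blocked(u, pattern) for u in urls}


# Constructed sample requests (not taken from real logs).
SAMPLES = [
    "http://anything.com/update.php",                  # keyword only in the path
    "http://anything.com/something.php?param=update",  # keyword in the query
    "http://anything.com/list.php?offset=20",          # 'set' inside 'offset'
    "http://anything.com/news.php?page=broadcast",     # 'cast' inside 'broadcast'
]

if __name__ == "__main__":
    for name, pat in (("loose", LOOSE), ("strict", STRICT)):
        for url, hit in audit(SAMPLES, pat).items():
            print(f"{name:6} {'BLOCK' if hit else 'allow':5} {url}")
```

With an empty query string the condition cannot match /update.php, which agrees with the comment that the behaviour is not explained by the rules shown; the loose alternation does, however, block legitimate parameters such as offset or broadcast.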
