stop sqli now and protect your site



    OK, so you want to make your script secure against SQL injection. I've made this possible by banning the hacker directly from the server.
    First add this to your .htaccess file, and rename my URL to yours.
    Code:
    Options -Indexes
    ErrorDocument 402 http://mobilezonez.net/?err
    ErrorDocument 403 http://mobilezonez.net/?err
    ErrorDocument 404 http://mobilezonez.net/?err
    ErrorDocument 500 http://mobilezonez.net/?err
    
    RewriteEngine On
    RewriteCond %{QUERY_STRING} (\"|%22).*(\>|%3E|<|%3C).* [NC]
    RewriteRule ^(.*)$ logs.php [NC]
    RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC]
    RewriteRule ^(.*)$ logs.php [NC]
    RewriteCond %{QUERY_STRING} (javascript:).*(\;).* [NC]
    RewriteRule ^(.*)$ logs.php [NC]
    RewriteCond %{QUERY_STRING} (\;|\'|\"|\%22).*(union|select|insert|drop|update|validated|md5|1|5|perm|1 FROM ibwf_users|benchmark|or|and|if).* [NC]
    RewriteRule ^(.*)$ logs.php [NC]
    RewriteRule (,|;|<|>|'|`) /logs.php [NC]
    
    
    RemoveHandler .phtml .php3 .php4 .php5 .php6 .phps .cgi .pl .asp .aspx .shtml .shtm .fcgi .fpl .jsp .py
    AddType application/x-httpd-php-source .phtml .php3 .php4 .php5 .php6 .phps .cgi .pl .asp .aspx .shtml .shtm .fcgi .fpl .jsp .py
    
    php_flag display_errors 0
    php_value error_reporting 7
    php_value register_globals 0
    php_flag session.use_trans_sid off
    php_value magic_quotes_gpc 0
    php_value magic_quotes_runtime 0
    php_value magic_quotes_sybase 0
    php_value allow_url_fopen 0
    php_value arg_separator.output "&amp;"
    AddDefaultCharset UTF-8
    
    <IfModule mod_expires.c>
      ExpiresActive On
      ExpiresDefault A1209600
      <FilesMatch \.php$>
        ExpiresActive Off
      </FilesMatch>
    </IfModule>
    
    
    RewriteCond %{REQUEST_METHOD} ^TRACE
    RewriteCond %{HTTP:range} !(^bytes=[^,]+(,[^,]+){0,4}$|^$)
    RewriteRule .* - [F]
    
    RewriteCond %{HTTP_USER_AGENT} libwww [NC,OR]
    RewriteCond %{QUERY_STRING} ^(.*)=http [NC]
    RewriteRule ^(.*)$ - [F,L]
    Make sure your .htaccess file is chmodded to 666 to allow it to be rewritten.
    Now make a logs.php page for your server:

    Code:
    <?php
    /*
    ////////////////////////////////////////
    //       mobilezonez sql inject trap  //
    //              by                    //
    //       Ozziemale aka Rampage        //
    ////////////////////////////////////////
    */
    
    // Details of the request that tripped one of the RewriteCond traps.
    $r = $_SERVER['REQUEST_URI'];
    $q = $_SERVER['QUERY_STRING'];
    $i = $_SERVER['REMOTE_ADDR'];
    $u = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';
    
    // Ban the client by appending a "deny from" line to this directory's .htaccess.
    // The address comes from $_SERVER['REMOTE_ADDR'] ($i); a bare $REMOTE_ADDR
    // only exists with register_globals on, which the .htaccess above turns off,
    // so using it would write an empty ban line and blank the IP in the log.
    $ban = "deny from $i\n";
    $banip = '.htaccess';
    $fp = fopen($banip, "a");
    fputs($fp, $ban);
    fclose($fp);
    
    $ref = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';
    // Proxied client address, if a proxy supplied one.
    $forwarder_ip = @htmlspecialchars(getenv('HTTP_X_FORWARDED_FOR'));
    $sydnNew_Time = time() + (24 * 60 * 60);
    $sydn = date("H:i", $sydnNew_Time);
    $time = date("F jS Y,");
    // One line per trapped request in iplog.txt (Browser is the user agent, $u).
    $iplog = "Time:$time-$sydn ::Browser:$u ::Ip-$i ::Forwarded-for:$forwarder_ip ::Referer:$ref ::Attempt: $r - $q - $i - $u";
    $fp = @fopen("iplog.txt", "a+");
    @fputs($fp, "$iplog \r\n");
    @fclose($fp);
    
    // Mail the same details to the admin.
    $mess = $r . ' | ' . $q . ' | ' . $i . ' | ' . $u;
    mail("admin@mobilezonez.net", "bad request", $mess, "from:hacker@mobilezonez.net");
    echo "Bye Bye Mother ****er!!!";
    ?>
    Now make a page called iplog.txt.

    Chmod it to 777.
    And we are done. This will block SQL injection, log the attempt, email it to you, then write the log to a text file, then ban the IP from your server...
    thus stopping them in their tracks. Hope you all enjoy this code I made.
    Don't forget to say thanks.
    Last edited by ozziemale31; 24.01.12, 09:56.
    Dont Ask Me Dumb Questions.Or you'l get a Dumb Answer..
    Want A Profesional Logo or Theme For Your wap site Pm Me.If I Have The Time Ill Make It For Free


    #2
    For those who end up with a 500 misconfiguration error, use this version:

    Code:
    RewriteEngine On
    RewriteCond %{QUERY_STRING} (\"|%22).*(\>|%3E|<|%3C).* [NC]
    RewriteRule ^(.*)$ logs.php [NC]
    RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC]
    RewriteRule ^(.*)$ logs.php [NC]
    RewriteCond %{QUERY_STRING} (javascript:).*(\;).* [NC]
    RewriteRule ^(.*)$ logs.php [NC]
    RewriteCond %{QUERY_STRING} (\;|\'|\"|\%22).*(union|select|insert|drop|update|perm|validated|md5|benchmark|or|and|if).* [NC]
    RewriteRule ^(.*)$ logs.php [NC]
    RewriteRule (,|;|<|>|'|`) /logs.php [NC]
    
    RemoveHandler .phtml .php3 .php4 .php5 .php6 .phps .cgi .pl .asp .aspx .shtml .shtm .fcgi .fpl .jsp .py
    AddType application/x-httpd-php-source .phtml .php3 .php4 .php5 .php6 .phps .cgi .pl .asp .aspx .shtml .shtm .fcgi .fpl .jsp .py
    
    php_flag display_errors 0
    php_value error_reporting 7
    php_value register_globals 0
    php_flag session.use_trans_sid off
    php_value magic_quotes_gpc 0
    php_value magic_quotes_runtime 0
    php_value magic_quotes_sybase 0
    php_value allow_url_fopen 0
    php_value arg_separator.output "&amp;"
    AddDefaultCharset UTF-8
    
    <IfModule mod_expires.c>
      ExpiresActive On
      ExpiresDefault A1209600
      <FilesMatch \.php$>
        ExpiresActive Off
      </FilesMatch>
    </IfModule>
    
    
    RewriteCond %{REQUEST_METHOD} ^TRACE
    RewriteCond %{HTTP:range} !(^bytes=[^,]+(,[^,]+){0,4}$|^$)
    RewriteRule .* - [F]
    
    RewriteCond %{HTTP_USER_AGENT} libwww [NC,OR]
    RewriteCond %{QUERY_STRING} ^(.*)=http [NC]
    RewriteRule ^(.*)$ - [F,L]
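    To see what the QUERY_STRING traps in post #1 and post #2 actually catch, here is an added Python port of those RewriteCond rules (not code from the thread or its author), run over a few constructed query strings; the v1/v2 names and the sample strings are assumptions of this example. It shows how the or|and|if alternatives, and in the first version the bare 1|5 alternatives, trap and ban ordinary visitors whose input merely contains an apostrophe.

```python
import re

# Added example: the QUERY_STRING traps from posts #1 (v1) and #2 (v2) ported
# to Python's re module so their behaviour can be checked offline.
# mod_rewrite tests each RewriteCond against the raw, still URL-encoded query
# string and matches anywhere in it (re.search); the [NC] flag is re.IGNORECASE.
COMMON_TRAPS = [
    r'("|%22).*(>|%3E|<|%3C).*',    # a double quote followed by an angle bracket
    r'(<|%3C).*script.*(>|%3E)',    # <script ...>, raw or percent-encoded
    r'(javascript:).*(;).*',        # javascript: followed by a semicolon
]
KEYWORDS_V1 = "union|select|insert|drop|update|validated|md5|1|5|perm|1 FROM ibwf_users|benchmark|or|and|if"
KEYWORDS_V2 = "union|select|insert|drop|update|perm|validated|md5|benchmark|or|and|if"
RULESETS = {
    "v1": COMMON_TRAPS + [r"(;|'|\"|%22).*(" + KEYWORDS_V1 + ").*"],
    "v2": COMMON_TRAPS + [r"(;|'|\"|%22).*(" + KEYWORDS_V2 + ").*"],
}
COMPILED = {name: [re.compile(p, re.IGNORECASE) for p in pats]
            for name, pats in RULESETS.items()}

def trap_index(query_string, ruleset="v2"):
    """Index of the first rule that would rewrite the request to logs.php (and
    so ban the client's IP), or None if the request passes through untouched."""
    for idx, rx in enumerate(COMPILED[ruleset]):
        if rx.search(query_string):
            return idx
    return None

# Constructed sample query strings: the probes the traps are aimed at, plus
# ordinary user input that merely contains an apostrophe.
SAMPLES = [
    "id=1'%20UNION%20SELECT%201",           # textbook SQLi probe: trapped by both
    "q=%3Cscript%3Ealert(1)%3C/script%3E",  # percent-encoded script tag
    "search=O'Brien&sort=order",            # "or" inside sort/order after a quote
    "note=it's%205pm",                      # v1 also bans on a bare 1 or 5 after a quote
    "name=O'Reilly",                        # apostrophe but no keyword: passes
]

def false_positives(ruleset="v2"):
    """Samples holding no SQL or script at all that the ruleset would still ban."""
    benign = [s for s in SAMPLES if "UNION" not in s and "script" not in s]
    return [s for s in benign if trap_index(s, ruleset) is not None]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s!r:42} v1={trap_index(s, 'v1')} v2={trap_index(s, 'v2')}")
    print("benign requests v1 bans:", false_positives("v1"))
    print("benign requests v2 bans:", false_positives("v2"))
```

    Because a trapped request also appends a deny line to .htaccess, every false positive here is a visitor locked out of the site until the line is removed by hand.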



      #3
      This is now working, bro. I think you should test it and add it to the .htaccess for those using the script, and make it possible to download.



        #4
        This code was made for lava script, but it will also work for other scripts if this script works.



          #5
          This is not for SQL injection, it's for XSS.




            #6
            Thank you for acetate given code



              #7
              I honestly don't understand why people go through so much stress over this whole injection thing. I've learnt enough to know there is no way to inject cleanly written code. The PHP function coupled with good filter practices effectively contains injection.



                #8
                Originally posted by CreativityKills:
                I honestly don't understand why people go through so much stress over this whole injection thing. I've learnt enough to know there is no way to inject cleanly written code. The PHP function coupled with good filter practices effectively contains injection.
                True words. However, these codes might give a sense of security to people who have just set up a site from a freely available script.



                  #9
                  Yeah, good point, bro.
