Welcome to the DNN Community Forums, your preferred source of online community support for all things related to DNN.
SiteUrls / SQL Injection Attack
New Post
8/9/2008 1:23 PM

Hey there,

I've got an issue that I'm trying to resolve for a client and I'm hoping that someone here can help...

There's this nasty SQL injection attack out there that DNN does not appear to be susceptible to, which is great. But I'm trying to modify my SiteUrls.config to detect it so I can redirect the zombies to a page, so that I can track the incidents and respond with a page that looks like the attack works so the bots will stop hitting the portal.

The SQL attack is detailed here:

http://www.bloombit.com/Articles/2008/05/ASCII-Encoded-Binary-String-Automated-SQL-Injection.aspx

But the short version is that what I want to do is test the querystring of any request to any of the portals for the string ";DECLARE" and if it's found redirect to a specific page "http://www.mydomain/devnull.html"

I've managed to successfully match strings at the page level:

        <RewriterRule>
            <LookFor>.*/Fred.aspx</LookFor>
            <SendTo>http://www.mydomain.org/diezombiedie.html</SendTo>
        </RewriterRule>

But I can't seem to figure out the syntax to match on the querystring of the request. Something like:

        <RewriterRule>
            <LookFor>*;DECLARE*</LookFor>
            <SendTo>http://www.ifdf.org/filenotfound.html</SendTo>
        </RewriterRule>

When the request looks something like:

http://www.mydomain.org/LinkClick.aspx?fileticket=Jwu4XKtCo48%3D&tabid=127&mid=526&forcedownload=true;DECLARE

Thanks for reading.

Dave

New Post
8/9/2008 5:34 PM

Hi David,

DNN uses simple regex matches, so you'll need to formulate a regular expression that meets your needs.  Your working expression, *;DECLARE*, isn't going to match against your sample string (in particular, it's looking for "E*" -- zero or more E's).

You're looking for something more like: .*;DECLARE.* (note the addition of periods).  You may also want to ensure that the ";DECLARE" occurs after the querystring delimiter (.*\?.*;DECLARE.*).  You can Google "regex tester" and "regex cheat sheet" or something similar to work out your expression, and then paste that into your siteurls.config file. 

You do need to be careful here, however, to ensure that there are no VALID requests that contain the string ";DECLARE" that this will incorrectly forward.  I can't think of a circumstance in which this will be the case though.

Hope this gets you started!

Brandon

EDIT: I thought I'd add that I haven't tested the expressions that I wrote above; they were only intended to be starting points.  Make sure you test thoroughly before implementing live!


Brandon Haynes
BrandonHaynes.org
New Post
8/9/2008 6:18 PM

Brandon,

I suspected that the issue lay with my ignorance of regex.

I'll Google up a primer and get cracking.

Thanks for your prompt reply and point in the right direction.

With much appreciation,

Dave

New Post
8/11/2008 2:53 PM

Hey there DotNetNuke community,

So I've done some reading up on RegEx and experimenting with the FriendlyURL Settings on the Host-Host Settings.

Here's the dilemma...

If I setup a rule to match ".*;LinkClick(.*)" and redirect... it works great for http://www.mydomain.org/LlinkClick.asp?blahblah
But not for http://www.mydomain.org/default.aspx?blahblah=LinkClick or http://www.mydomain.org/default.aspx?LinkClick=blahblah

In order to redirect this injection attack, I need a rule to match on text within the query string.

Is this possible with the FriendlyURL Settings?

Thank you for your time.

Regards,

Dave
New Post
8/12/2008 10:55 AM

Dave,

You should be able to do this with a single RegEx, using the example provided by the previous poster.

I also have a RegEx tester tool available at http://www.iowacomputergurus.com

The key is to identify the common elements

* It will always be in the querystring (Always after a ?)
* It will always start with the word DECLARE
* It could be at the beginning or end of the querystring

With these criteria you can easily build a RegEx that will match correctly.

If you need further assistance please feel free to e-mail me at msellers@iowacomputergurus.com as I do not get forum notifications here, and with as many posts as I reply to I can't always get back to check on the threads.


-Mitchel Sellers
Microsoft MVP, ASPInsider, DNN MVP
CEO/Director of Development - IowaComputerGurus Inc.
LinkedIn Profile

Visit mitchelsellers.com for my mostly DNN Blog and support forum.

Visit IowaComputerGurus.com for free DNN Modules, DNN Performance Tips, DNN Consulting Quotes, and DNN Technical Support Services
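The following is an added example, not code from any poster in this thread and not part of DNN or SiteUrls.config. It exercises the patterns discussed above (the first post's `*;DECLARE*`, the `.*;DECLARE.*` and `.*\?.*;DECLARE.*` suggested in the first reply, and the three criteria listed in the last reply) against constructed sample URLs, so the behaviour of each can be compared before anything is pasted into a live rewriter. Python's `re` is used because the patterns involved use only portable regex syntax; the leading `*` of `*;DECLARE*` has nothing to repeat, so both Python's `re` and .NET's `Regex` reject it outright. Three things are assumptions about the DNN rewriter, not facts taken from the thread, and should be checked against the DNN version in use: that the pattern is matched against the whole URL (hence `fullmatch`), that matching ignores case, and that the URL is compared in its %-decoded form.

```python
import re
from urllib.parse import unquote, urlsplit

# Patterns discussed in the thread. "original" is the first post's attempt;
# "anywhere" and "after_query" are the first reply's suggestions.
PATTERNS = {
    "original": r"*;DECLARE*",
    "anywhere": r".*;DECLARE.*",
    "after_query": r".*\?.*;DECLARE.*",
}

# Constructed sample URLs for this example (not captured traffic). The first
# is the thread's own example; the others vary the case of the marker, its
# %-encoding, and whether a query string is present at all.
SAMPLE_URLS = [
    "http://www.mydomain.org/LinkClick.aspx?fileticket=Jwu4XKtCo48%3D&tabid=127&mid=526&forcedownload=true;DECLARE",
    "http://www.mydomain.org/default.aspx?tabid=127;declare",
    "http://www.mydomain.org/default.aspx?tabid=127%3BDECLARE",
    "http://www.mydomain.org/default.aspx?blahblah=LinkClick",
    "http://www.mydomain.org/Fred.aspx",
]


def compile_rule(pattern, ignore_case=True):
    """Compile a LookFor-style pattern; return None if the syntax is invalid.

    Case-insensitive matching is this example's assumption about the
    rewriter, not something the thread establishes.
    """
    flags = re.IGNORECASE if ignore_case else 0
    try:
        return re.compile(pattern, flags)
    except re.error:
        return None


def rule_matches(pattern, url, decode=True, ignore_case=True):
    """True when the URL would trip the given LookFor pattern.

    decode=True %-decodes the URL first so that a ';' sent as %3B is seen
    by the pattern; whether the real rewriter does this is an assumption.
    Matching is anchored at both ends (fullmatch), which is why the
    thread's patterns carry .* on both sides of the literal.
    """
    regex = compile_rule(pattern, ignore_case)
    if regex is None:
        raise ValueError(f"rejected pattern: {pattern!r}")
    target = unquote(url) if decode else url
    return regex.fullmatch(target) is not None


def find_marker_params(url, marker=";DECLARE"):
    """Return the query parameter names whose decoded value holds the marker.

    This supports the logging the first post asks for: it records which
    parameter carried the marker without executing or echoing the payload.
    Pairs are split on '&' by hand so a ';' inside a value is never treated
    as a separator.
    """
    query = urlsplit(url).query
    hits = []
    for pair in query.split("&"):
        if not pair:
            continue
        name, _, value = pair.partition("=")
        if marker.lower() in unquote(value).lower():
            hits.append(unquote(name))
    return hits


def evaluate(urls=SAMPLE_URLS):
    """Map each URL to the set of valid pattern names that match it."""
    result = {}
    for url in urls:
        result[url] = {
            name
            for name, pattern in PATTERNS.items()
            if compile_rule(pattern) is not None and rule_matches(pattern, url)
        }
    return result


if __name__ == "__main__":
    for name, pattern in PATTERNS.items():
        status = "valid" if compile_rule(pattern) else "INVALID (nothing to repeat)"
        print(f"{name:12s} {pattern:20s} {status}")
    print()
    for url, matched in evaluate().items():
        print(f"{sorted(matched) or '-'}  params={find_marker_params(url)}  {url}")
```

Running the block prints which of the valid patterns match each sample and which query parameter carried the marker. Note that with `decode=False` the `%3BDECLARE` sample is not caught by any of the thread's patterns, and with `ignore_case=False` the lower-case `;declare` sample is not caught either; whichever behaviour the real rewriter has determines whether a single `LookFor` rule is enough or whether a decoded, case-normalised check belongs somewhere else in the pipeline.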