Greetz all! I have known about sla.ckers for a while now, but until watching a video of Jabra and Rsnake's "Unmasking You" I never thought to register. I am very excited for the new release of BeEF.
Well, anyway, here is my first post: a script I wrote to filter user input for the most common web-based attacks (XSS, RFI, SQLi).
This filter is not suitable for all web applications because it is strict on user input. If your application does not require special characters in user requests, this filter will do a kick-ass job of detecting attacks.
Source is in PHP; I have made a function out of the filter, so setup is pretty straightforward. All detected attacks trigger the banning of the IP address and a redirect to cia.gov. Future attempts to visit the page will be redirected as well.
function r_filter($sent_vars, $user_vars, $ip) {
    // Redirect banned IPs. Compare whole lines: a regex built from $ip would treat
    // the dots as wildcards and also match other addresses.
    $bans = file_exists('banned.txt')
        ? file('banned.txt', FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES)
        : array();
    if (in_array($ip, $bans, true)) {
        echo "<script language=javascript>alert('Banned!');window.location='https://www.cia.gov/'</script>";
        return FALSE;
    }
    unset($sent_vars['submit']);
    // Filter variables not declared in user_vars
    foreach (array_keys($sent_vars) as $filter) {
        if (!in_array($filter, $user_vars)) { ban_ip($ip); return FALSE; }
    }
    // Filter requests with an unexpected number of variables
    if (count($sent_vars) != count($user_vars)) { ban_ip($ip); return FALSE; }
    // Filter XSS, RFI, and common SQLi attacks
    $bad_chars = array('<', '>', '--', '=', 'exec', '^http:\/\/', '^www\.');
    // Dotted-quad IP address anywhere in the value (a typical RFI include target).
    // The original used ^ as the regex delimiter, which left the pattern unanchored;
    // it is kept unanchored here on purpose, with / as the delimiter.
    $ip_regex = '/([1-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])'
              . '(\.([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])){3}/';
    foreach ($sent_vars as $var) {
        // name[]=x arrives as an array; preg_match() would just warn and return
        // false on it, letting the value through, so treat it as an attack.
        if (!is_string($var)) { ban_ip($ip); return FALSE; }
        foreach ($bad_chars as $char) {
            if (preg_match("/$char/i", $var)) { ban_ip($ip); return FALSE; }
        }
        if (preg_match($ip_regex, $var)) { ban_ip($ip); return FALSE; }
        // A value holding both ( and ) looks like a function call
        if (preg_match('/\(/', $var) && preg_match('/\)/', $var)) { ban_ip($ip); return FALSE; }
    }
    return TRUE;
}
// Redirect attacks and ban
function ban_ip($ip) {
    echo "<script language=javascript>alert('Attack detected, Banned!');window.location = 'https://www.cia.gov/'</script>";
    $ban = fopen('banned.txt', 'a');
    fwrite($ban, "$ip\n");
    fclose($ban);
}
Call the filter with the following lines...
$user_vars = array('name', 'business', 'message');
$sent_vars = empty($_GET) ? $_POST : $_GET;
if (r_filter($sent_vars, $user_vars, $_SERVER['REMOTE_ADDR'])) { echo 'Ok<br>'; }
Here $user_vars is the array of variables allowed in a user request, and echo 'Ok<br>'; is to be replaced with the code that will process the request.
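As an added example (not sM10's code), here is the same three-field form checked with a per-field allowlist pattern instead of a denylist of bad characters; the field patterns and the two sample requests are assumptions made for illustration.

```php
<?php
// Added example, not sM10's code: the same three-field form checked with a
// per-field allowlist instead of a denylist of "bad" characters. The field
// patterns and the two sample requests are assumptions for illustration.

// Each allowed field maps to the pattern its whole value must match.
// \A and \z anchor both ends, so a trailing newline cannot slip past.
$allowed = array(
    'name'     => '/\A[\p{L} \'\-]{1,64}\z/u',
    'business' => '/\A[\p{L}\p{N} .,&\'\-]{1,100}\z/u',
    'message'  => '/\A[\p{L}\p{N} .,!?\'\-\r\n]{1,2000}\z/u',
);

// Returns an empty array when the request is clean, otherwise the reasons
// it was rejected (worth logging before deciding to ban anyone).
function validate_request(array $sent, array $allowed) {
    $problems = array();
    unset($sent['submit']);                  // same as the original filter
    foreach ($sent as $field => $value) {
        if (!isset($allowed[$field])) {
            $problems[] = "unexpected field '$field'";
        } elseif (!is_string($value)) {
            // name[]=x arrives as an array; preg_match() would warn and
            // return false on it, so reject it explicitly.
            $problems[] = "field '$field' is not a plain string";
        } elseif (!preg_match($allowed[$field], $value)) {
            $problems[] = "field '$field' has characters outside its allowlist";
        }
    }
    foreach (array_keys($allowed) as $field) {
        if (!array_key_exists($field, $sent)) {
            $problems[] = "missing field '$field'";
        }
    }
    return $problems;
}

// Constructed sample requests: one clean, one with markup and a stray field.
$samples = array(
    'clean'    => array('name' => 'Ada Lovelace', 'business' => 'Engines & Co.',
                        'message' => "Hello,\nplease call me back.", 'submit' => 'Send'),
    'rejected' => array('name' => 'Ada <b>Lovelace</b>', 'business' => 'Engines',
                        'page' => '2'),
);
foreach ($samples as $label => $request) {
    $problems = validate_request($request, $allowed);
    echo $label, ': ', $problems ? implode('; ', $problems) : 'ok', "\n";
}
```

Whatever passes still needs htmlspecialchars() when it is echoed back to a page, since an allowlist on input does not replace encoding on output.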
I started programming less than a year ago with Perl, then moved on to PHP about 4 months back, so go easy on me :P. Hope you enjoy, sM10.
Edited 1 time(s). Last edit at 09/02/2009 10:17PM by sM10.