Forum Topic: concat went through

Forum: .htaccess Forum : Security • Posted by Jeroen

Jeff,

I saw that a query with concat went through with a status code 200 while I blocked it in htaccess. What could be reasons to ignore the rules? I can imagine that a rule earlier allowed it, but since it had a direct 200 it wasn’t redirected, right?

Request:

GET /index.php?option=com_formmaker&view=formmaker&id=1+or%281%29group+by%28concat%28mid%28%28select%20concat_ws%280x3a,12,89%29%29,1,60%29,0x00,floor%28rand%280%29*2%29%29%29having%28min%280%29or%281%29%29 HTTP/1.1

part of the htaccess

###### FILTER BAD QUERIES ######
RewriteCond %{HTTP_USER_AGENT} (havij|libwww-perl|wget|python|nikto|curl|scan|java|winhttp|clshttp|loader) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} (%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} (;|<|>|'|"|\)|\(|%0A|%0D|%22|%27|%28|%3C|%3E|%00).*(libwww-perl|wget|python|nikto|curl|scan|java|winhttp|HTTrack|clshttp|archiver|loader|email|harvest|extract|grab|miner) [NC,OR]
RewriteCond %{THE_REQUEST} (\?|\*|%2a)+(%20+|\\s+|%20+\\s+|\\s+%20+|\\s+%20+\\s+)HTTP(:/|/) [NC,OR]
RewriteCond %{THE_REQUEST} etc/passwd [NC,OR]
RewriteCond %{THE_REQUEST} cgi-bin [NC,OR]
RewriteCond %{THE_REQUEST} (%0A|%0D|\\r|\\n) [NC,OR]
RewriteCond %{REQUEST_URI} owssvr\.dll [NC,OR]
RewriteCond %{HTTP_REFERER} (%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
RewriteCond %{HTTP_REFERER} \.opendirviewer\. [NC,OR]
RewriteCond %{HTTP_REFERER} users\.skynet\.be.* [NC,OR]
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=http:// [NC,OR]
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(\.\.//?)+ [NC,OR]
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ [NC,OR]
RewriteCond %{QUERY_STRING} \=PHP[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12} [NC,OR]
RewriteCond %{QUERY_STRING} (\.\./|%2e%2e%2f|%2e%2e/|\.\.%2f|%2e\.%2f|%2e\./|\.%2e%2f|\.%2e/) [NC,OR]
RewriteCond %{QUERY_STRING} ftp\: [NC,OR]
RewriteCond %{QUERY_STRING} http\: [NC,OR] 
RewriteCond %{QUERY_STRING} https\: [NC,OR]
RewriteCond %{QUERY_STRING} \=\|w\| [NC,OR]
RewriteCond %{QUERY_STRING} ^(.*)/self/(.*)$ [NC,OR]
RewriteCond %{QUERY_STRING} ^(.*)cPath=http://(.*)$ [NC,OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (<|%3C)([^s]*s)+cript.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*embed.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (<|%3C)([^e]*e)+mbed.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*object.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (<|%3C)([^o]*o)+bject.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*iframe.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (<|%3C)([^i]*i)+frame.*(>|%3E) [NC,OR] 
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [NC,OR]
RewriteCond %{QUERY_STRING} base64_(en|de)code[^(]*\([^)]*\) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} ^.*(\(|\)|<|>|%3c|%3e).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(\x00|\x04|\x08|\x0d|\x1b|\x20|\x3c|\x3e|\x7f).* [NC,OR]
RewriteCond %{QUERY_STRING} (NULL|OUTFILE|LOAD_FILE) [OR]
RewriteCond %{QUERY_STRING} (\.{1,}/)+(motd|etc|bin) [NC,OR]
RewriteCond %{QUERY_STRING} (localhost|loopback|127\.0\.0\.1) [NC,OR]
RewriteCond %{QUERY_STRING} (<|>|'|%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
RewriteCond %{QUERY_STRING} concat[^\(]*\( [NC,OR]
RewriteCond %{QUERY_STRING} union([^s]*s)+elect [NC,OR]
RewriteCond %{QUERY_STRING} union([^a]*a)+ll([^s]*s)+elect [NC,OR]
RewriteCond %{QUERY_STRING} \-[sdcr].*(allow_url_include|allow_url_fopen|safe_mode|disable_functions|auto_prepend_file) [NC,OR]
RewriteCond %{QUERY_STRING} (;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|drop|delete|update|cast|create|char|convert|alter|declare|order|script|set|md5|benchmark|encode) [NC,OR]
RewriteCond %{QUERY_STRING} (path\=\.|mod\=\.) [NC,OR]
RewriteCond %{QUERY_STRING} (input_file|execute|mosconfig) [NC,OR]
RewriteCond %{QUERY_STRING} (sp_executesql) [NC]
RewriteRule ^(.*)$ /403.shtml?$1 [R=301,L]

5 Replies to “concat went through”

Posted by Jeff Starr

Lol, am I supposed to dig thru that mountain of regex..? Maybe try asking whoever wrote that code for help. Good luck man.

Posted by Jeroen

Well, it’s part of the mountain :) I’m doing some htaccess tests to see what is necessary for my site. There are so many websites that offer code to block things, but I wonder what is necessary these days.

Forget about the mountain: when a request gets a 200 status, it is either redirected to that page or the request is not blocked by htaccess rules, right? Or is there another option that I don’t see?

This part of the forum is still not working: “Notify me of follow-up replies via email” ;)

Posted by Jeff Starr

“This part of the forum is still not working: ‘Notify me of follow-up replies via email’ ;)”

It worked for me, which is why I’m here 29 minutes after your post.

“There are so many websites that offer code to block things”

There aren’t that many; or do you mean, there are so many that I forget who the authors are? Either way, it’s one of the reasons that I no longer spend so much time working on .htaccess codes.

“I wonder what is necessary these days”

If it helps, none of it is necessary if your site is otherwise secure.

“when a request gets a 200 status, it is either redirected to that page or the request is not blocked by htaccess rules, right? Or is there another option that I don’t see?”

Correct, 200 indicates that the request was met by the server. If blocked by your mountain, a request would respond as 301, as specified in the RewriteRule.

Posted by Jeroen

Message is clear, Jeff. Thanks.

Posted by Jeff Starr

Jeroen, I was having a really bad day yesterday, hopefully you will excuse the bluntness of my response.

In order to try and help, I took another look at this, and found that “concat” was allowed through because it doesn’t meet the conditions of the regex. Compare:

.htaccess regex: concat[^\(]*\(

vs:

query string: concat%28mid
query string: concat_ws%28

As you can see, the two instances of concat in the query string do not satisfy those present in the regex.

I hope this helps.
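
The mismatch described in the last reply can be replayed offline. The following is an added example, not code from the thread or its participants: it runs three of the posted QUERY_STRING conditions against the logged query string as received (percent-encoded) and again after decoding. The names `RULES`, `matching_rules`, `fully_decode`, `audit` and the `ENCODING_AWARE_CONCAT` pattern are assumptions made for illustration, and the pattern has not been tested in Apache.

```python
import re
from urllib.parse import unquote

# Query string of the request quoted in the thread (the part after "?").
QUERY_STRING = (
    "option=com_formmaker&view=formmaker&id=1+or%281%29group+by%28concat%28mid"
    "%28%28select%20concat_ws%280x3a,12,89%29%29,1,60%29,0x00,floor%28rand"
    "%280%29*2%29%29%29having%28min%280%29or%281%29%29"
)

# Three QUERY_STRING conditions copied from the posted .htaccess, all [NC].
RULES = {
    "concat": r"concat[^\(]*\(",
    "parens": r"^.*(\(|\)|<|>|%3c|%3e).*",
    "union-select": r"union([^s]*s)+elect",
}

# Hypothetical variant (not from the thread): also accept the encoded paren.
ENCODING_AWARE_CONCAT = r"concat.*(\(|%28)"


def matching_rules(query_string, rules=RULES):
    """Names of rules whose pattern is found, case-insensitively ([NC])."""
    return [name for name, pattern in rules.items()
            if re.search(pattern, query_string, re.IGNORECASE)]


def fully_decode(query_string, max_rounds=3):
    """Percent-decode repeatedly so double encoding (%2528) is unwrapped too."""
    for _ in range(max_rounds):
        decoded = unquote(query_string)
        if decoded == query_string:
            break
        query_string = decoded
    return query_string


def audit(query_string):
    """Compare what the rules see on the raw string and after decoding."""
    return {
        "raw": matching_rules(query_string),
        "decoded": matching_rules(fully_decode(query_string)),
        "encoding_aware_raw": bool(
            re.search(ENCODING_AWARE_CONCAT, query_string, re.IGNORECASE)),
    }


if __name__ == "__main__":
    print(audit(QUERY_STRING))
```

On the logged request no rule matches the raw string because it contains no literal parenthesis; the same rules match once `%28` is decoded.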