Monday, August 11, 2008

SQL Injection Worms of War

There is a worm on the loose. A SQL injection worm. A vicious little mealy-mouthed slobbering parasite that opportunistically exploits SQL injection holes in web software. It hit one of my projects, and that makes me very unhappy. Today I spent a lot of time prowling the database with a flamethrower and a machete, doing in every malicious byte of its gruesome progeny.

For those who haven’t met this particularly pernicious bug, a word of caution: it will ruin thy day.

If thou happen to run an Apache server, I suggest heading on over to 0x000000.com and taking a look at the .htaccess suggestions there. I certainly took a few more to add to my defense script, and it has done well to prevent the furtherance of this nuisance.

In particular, this condition will stop this beast in its tracks. Note the flags: NC makes the match case-insensitive, and OR chains it with the next RewriteCond, so on its own it does nothing; it has to be followed by the rest of the condition chain and a RewriteRule that actually rejects the request:

RewriteCond %{QUERY_STRING}    ^.*(;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|cast|set|declare|drop|update|md5|benchmark).* [NC,OR]

The worm (which was insanely active on August 9th, 2008) builds its payload from SQL DECLARE, SET and CAST statements, tucked in behind a quote or statement terminator that is usually URL-encoded. The condition above keys on exactly that shape: one of the delimiter characters in the first group, literal or percent-encoded (Apache tests the query string before decoding it, which is why both ' and %27 are listed), followed anywhere later in the query string by one of the SQL keywords in the second group. That pairing is what lets it ferret the worm out so reliably.
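To see what the condition actually does and does not catch, here is an added example (mine, not code from the original post or from 0x000000.com) that transcribes the RewriteCond pattern into Python and runs it over a handful of constructed query strings. The sample strings are made up for the demonstration, shaped like the DECLARE/SET/CAST payload described above; they are not captured traffic, and the function names are my own.

```python
import re
from urllib.parse import unquote

# The RewriteCond pattern from the post, transcribed verbatim. Apache tests
# %{QUERY_STRING} against the raw, still percent-encoded query string, which
# is why the first group lists both ' and %27, both < and %3C, and so on.
# The [NC] flag makes the match case-insensitive, hence re.IGNORECASE.
RAW_PATTERN = r'''^.*(;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|cast|set|declare|drop|update|md5|benchmark).*'''
WORM_CONDITION = re.compile(RAW_PATTERN, re.IGNORECASE)


def blocked(query_string: str) -> bool:
    """True when this RewriteCond would fire for the given raw query string."""
    return WORM_CONDITION.match(query_string) is not None


def blocked_after_decoding(query_string: str) -> bool:
    """Same test, but on the percent-decoded string the application itself sees."""
    return blocked(unquote(query_string))


def percent_encode_all(text: str) -> str:
    """Percent-encode every byte, letters included (what a filter-dodging client can do)."""
    return "".join("%%%02X" % b for b in text.encode("utf-8"))


# Constructed sample payload (not captured traffic): a closing quote and
# statement terminator, then DECLARE/SET/CAST of a hex literal back to VARCHAR.
WORM_PAYLOAD = "';DECLARE @s VARCHAR(4000);SET @s=CAST(0x53454C454354 AS VARCHAR(4000));--"

SAMPLES = {
    "worm_plain": "id=1" + WORM_PAYLOAD,
    # as a bot would usually send it: only the quote and spaces percent-encoded
    "worm_encoded": "id=1" + WORM_PAYLOAD.replace("'", "%27").replace(" ", "%20"),
    "benign": "page=2&sort=name",
    # keyword present but no quote/terminator anywhere before it: not blocked
    "benign_keyword": "q=select+a+seat",
    # harmless text with an apostrophe followed by a keyword: blocked (false positive)
    "apostrophe_false_positive": "q=don't+drop+the+ball",
    # every byte of the payload percent-encoded: the keyword never appears literally
    "fully_encoded_evasion": "id=1" + percent_encode_all(WORM_PAYLOAD),
}


def classify(samples: dict) -> dict:
    """Map sample name -> (raw-string match, match after percent-decoding)."""
    return {name: (blocked(qs), blocked_after_decoding(qs)) for name, qs in samples.items()}


if __name__ == "__main__":
    for name, (raw, decoded) in classify(SAMPLES).items():
        print(f"{name:28s} raw={raw!s:5s} after_decoding={decoded}")
```

The last two samples are the ones worth staring at. An apostrophe in ordinary text followed by a word like "drop" or "set" trips the condition, so expect some false positives on search forms. More importantly, because Apache matches the query string before decoding it, a client that percent-encodes every byte of the payload slips straight past the rule while the application, which does decode it, still hands the DECLARE/SET/CAST to the database. This rule is a tripwire for the worm as it was written, not a substitute for parameterized queries in the application.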

Onwards to battle. Onwards to a cleaner web experience.
