Apache: RewriteCond %{QUERY_STRING} issue

I wished to block requests like http://anything.com/something.php?hack_attempt=select * from users.

To do this, I use the following in .htaccess:

# %{QUERY_STRING} holds only the raw (not URL-decoded) text after "?".
# The alternation is an unanchored substring match without word boundaries, so
# short words such as "set" or "cast" also hit harmless values like "offset"
# or "broadcast". A query-string blacklist does not see POST bodies, cookies
# or headers, so it cannot replace parameterized queries in the application.
RewriteCond %{QUERY_STRING} ^.*(md5|benchmark|union|select|insert|cast|set|declare|drop|update).* [NC]

The problem is that this rule also hits http://anything.com/update.php. As far as I know, %{QUERY_STRING} should contain only the GET parameter string after the ?, but it matches the URI. Can anyone advise where the problem might be?

UPDATE: full rule

<IfModule mod_rewrite.c>
 RewriteEngine On
 # The conditions below are chained with [OR]: the RewriteRule at the end fires
 # as soon as any one of them matches.
 # Reject query strings that mention the local host by name or address.
 RewriteCond %{QUERY_STRING} ^.*(localhost|loopback|127\.0\.0\.1).*                                [NC,OR]
 # (disabled) metacharacter filter, listing both raw and percent-encoded forms.
 #RewriteCond %{QUERY_STRING} ^.*(\.|\*|;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*                 [NC,OR]
 # Reject any URL path that contains /ban_url/.
 RewriteCond %{REQUEST_URI} ^.*/ban_url/                                                           [NC,OR]
 # (disabled) original keyword list, including "select" and "update".
 #RewriteCond %{QUERY_STRING} ^.*(md5|benchmark|union|select|insert|cast|set|declare|drop|update).* [NC]
 # Workaround list without "select" and "update". Matching is by substring with
 # no word boundaries, so "set" also matches "offset", "drop" matches "dropdown".
 RewriteCond %{QUERY_STRING} ^.*(md5|benchmark|union|insert|cast|set|declare|drop).* [NC,OR]
 # NOTE(review): %{QUERY_STRING} does not include the leading "?", so the \?
 # here only matches a second, literal "?" inside the query string. For an
 # ordinary request this condition does not fire, which leaves "select" and
 # "update" effectively unfiltered.
 RewriteCond %{QUERY_STRING} ^.*\?.*(md5|benchmark|union|select|insert|cast|set|declare|drop|update).* [NC]

 # "-" means no substitution. With a non-3xx status, R makes mod_rewrite answer
 # with that status (400 Bad Request) and stop rewriting, so L is redundant.
 RewriteRule ^(.*)$ - [R=400,L]
</IfModule>

if I uncomment

# With [NC] only and no OR flag, this condition closes an [OR] chain when it is
# placed mid-list: the conditions after it are ANDed with everything before.
# NOTE(review): %{QUERY_STRING} carries no part of the URL path, so a hit on
# /update.php suggests the query string was changed before this condition ran
# (for example by an earlier rewrite) - confirm with mod_rewrite logging
# (LogLevel rewrite:trace3 on Apache 2.4).
RewriteCond %{QUERY_STRING} ^.*(md5|benchmark|union|select|insert|cast|set|declare|drop|update).* [NC]

then Apache will block www.anything.com/update.php but it should block only www.anything.com/something.php?param=update

UPDATE 2: full conf

<IfModule mod_rewrite.c>
 RewriteEngine On
 # Rule set 1: query-string blacklist. Conditions chained with [OR] fire the
 # RewriteRule below as soon as any one of them matches.
 RewriteCond %{QUERY_STRING} ^.*(localhost|loopback|127\.0\.0\.1).*                                [NC,OR]
 #RewriteCond %{QUERY_STRING} ^.*(\.|\*|;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*                 [NC,OR]
 RewriteCond %{REQUEST_URI} ^.*/ban_url/                                                           [NC,OR]
 #RewriteCond %{QUERY_STRING} ^.*(md5|benchmark|union|select|insert|cast|set|declare|drop|update).* [NC]
 # Substring match without word boundaries: "set" also matches "offset".
 RewriteCond %{QUERY_STRING} ^.*(md5|benchmark|union|insert|cast|set|declare|drop).* [NC,OR]
 # NOTE(review): %{QUERY_STRING} excludes the leading "?", so \? only matches a
 # second, literal "?" in the query string; "select" and "update" are therefore
 # not filtered for ordinary requests.
 RewriteCond %{QUERY_STRING} ^.*\?.*(md5|benchmark|union|select|insert|cast|set|declare|drop|update).* [NC]

 # Non-3xx status with "-": respond 400 Bad Request and stop; L is redundant.
 RewriteRule ^(.*)$ - [R=400,L]

 # Rule set 2: URL-path blacklist (apparently paths probed by scanners).
 # NOTE(review): these are regular expressions, not globs. A trailing "*"
 # repeats only the preceding character zero or more times, so "wp-*" matches
 # any path containing "wp", "utility/*" any path containing "utility", and
 # "functions\.php*" any path containing "functions.ph". The leading "^.*" adds
 # nothing to an unanchored match. Expect false positives on legitimate URLs.
 RewriteCond %{REQUEST_URI} ^.*wp-*                                                           [NC,OR]
 RewriteCond %{REQUEST_URI} ^.*www\.zip*                                                           [NC,OR]
 RewriteCond %{REQUEST_URI} ^.*backup\.zip*                                                           [NC,OR]
 RewriteCond %{REQUEST_URI} ^.*public_html\.zip*                                                           [NC,OR]
 RewriteCond %{REQUEST_URI} ^.*\.tar\.gz*                                                           [NC,OR]
 RewriteCond %{REQUEST_URI} ^.*administrator*                                                           [NC,OR]
 RewriteCond %{REQUEST_URI} ^.*admin\.php*                                                           [NC,OR]
 RewriteCond %{REQUEST_URI} ^.*admin/index\.php*                                                           [NC,OR]
 RewriteCond %{REQUEST_URI} ^.*elrekt\.php*                                                           [NC,OR]
 RewriteCond %{REQUEST_URI} ^.*_adminer*                                                           [NC,OR]
 RewriteCond %{REQUEST_URI} ^.*accesson*                                                           [NC,OR]
 RewriteCond %{REQUEST_URI} ^.*agentui*                                                           [NC,OR]
 RewriteCond %{REQUEST_URI} ^.*trackback*                                                           [NC,OR]
 # Already covered by the "wp-*" condition at the top of this list.
 RewriteCond %{REQUEST_URI} ^.*wp-login*                                                           [NC,OR]
 RewriteCond %{REQUEST_URI} ^.*router\.php*                                                           [NC,OR]
 RewriteCond %{REQUEST_URI} ^.*AspCms_AdminAdd*                                                           [NC,OR]
 RewriteCond %{REQUEST_URI} ^.*public/js/wind*                                                           [NC,OR]
 RewriteCond %{REQUEST_URI} ^.*include/calendar/calendar-cn*                                                           [NC,OR]
 RewriteCond %{REQUEST_URI} ^.*app-ads*                                                           [NC,OR]
 RewriteCond %{REQUEST_URI} ^.*vendor/phpunit/*                                                           [NC,OR]
 RewriteCond %{REQUEST_URI} ^.*utility/*                                                           [NC,OR]
 RewriteCond %{REQUEST_URI} ^.*blackhat*                                                           [NC,OR]
 RewriteCond %{REQUEST_URI} ^.*data/admin/allowurl*                                                           [NC,OR]
 # NOTE(review): Apache has no end-of-line comments; the trailing "#magento" on
 # the next three lines is extra text after the flags. Confirm it is ignored on
 # your version, or move it onto its own comment line.
 RewriteCond %{REQUEST_URI} ^.*js/varien*                                                           [NC,OR] #magento
 RewriteCond %{REQUEST_URI} ^.*js/mage*                                                           [NC,OR] #magento
 RewriteCond %{REQUEST_URI} ^.*magento_version*                                                           [NC,OR] #magento
 RewriteCond %{REQUEST_URI} ^.*db_z\.php*                                                           [NC,OR]
 RewriteCond %{REQUEST_URI} ^.*functions\.php*                                                           [NC,OR]
 # Last condition of the chain: no OR flag.
 RewriteCond %{REQUEST_URI} ^.*lottery-index*                                                           [NC]

 # Same response as rule set 1: 400 Bad Request, no substitution.
 RewriteRule ^(.*)$ - [R=400,L]


</IfModule>

This conf file is included in the site's virtual-host configuration like this:

# NOTE(review): the question text mentions .htaccess, but this Include loads the
# blacklist in virtual-host (server) context. Rules here run before any
# per-directory (.htaccess) rewrite rules of the site.
# Only the port-80 virtual host is shown; any other virtual host (for example
# one serving HTTPS) needs its own Include to get the same filtering.
<VirtualHost *:80>
    Include /var/www/url_blacklist.conf
        ServerName ...
        DocumentRoot ...
        ErrorLog ...
</VirtualHost>


Answers (1)

RavinderSingh13

I am assuming that you want to block/forbid all requests that have select * in their query string, unless the requested URI is update.php. If that is the case, could you please try the following. These conditions cover only the behaviour you asked for; test them on their own first, and then merge them with your existing conditions.

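RewriteEngine On
# Leave requests for /update.php alone.
# NOTE(review): this exempts every request to /update.php from the check below,
# whatever its query string contains - confirm that is intended.
RewriteCond %{REQUEST_URI} !^/update\.php [NC]
# %{QUERY_STRING} is not URL-decoded, so the blank between "select" and "*"
# arrives as %20 or "+". An unquoted literal space would also split the pattern
# into two arguments, because RewriteCond arguments are whitespace-separated.
RewriteCond %{QUERY_STRING} select(%20|\+)+(\*|%2A) [NC]
# "-" means no substitution; F answers 403 Forbidden and stops rewriting.
# A redirect status (R=301) has no meaning without a target, so it is dropped.
RewriteRule ^ - [F]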
