From 0b9c81aa673a752ef6272b19dddaeec4bf151d78 Mon Sep 17 00:00:00 2001 From: Roland Haeder Date: Sat, 20 Jul 2013 14:24:06 +0000 Subject: [PATCH] Resorted almost all pattern checks + used more single-quotes than double --- libs/lib_detector.php | 156 +++++++++++++++++++++++++++++------------- 1 file changed, 108 insertions(+), 48 deletions(-) diff --git a/libs/lib_detector.php b/libs/lib_detector.php index 8c1e22d..a724d7d 100644 --- a/libs/lib_detector.php +++ b/libs/lib_detector.php @@ -43,39 +43,99 @@ function initCrackerTrackerArrays () { // Attacks we should detect and block $GLOBALS['ctracker_get_blacklist'] = array( - 'chr(', 'chr=', 'chr%20', '%20chr', 'wget%20', '%20wget', 'wget(', - 'cmd.exe', '%20cmd', 'cmd%20', 'rush=', '%20rush', 'rush%20', - 'union%20', '%20union', 'union(', 'union=', 'echr(', '%20echr', 'echr%20', 'echr=', - 'esystem(', 'esystem%20', 'cp%20', '%20cp', 'cp(', 'mdir%20', '%20mdir', 'mdir(', - 'mcd%20', 'mrd%20', 'rm%20', '%20mcd', '%20mrd', '%20rm', - 'mcd(', 'mrd(', 'rm(', 'mcd=', 'mrd=', 'mv%20', 'rmdir%20', 'mv(', 'rmdir(', - 'chmod(', 'chmod%20', '%20chmod', 'chmod(', 'chmod=', 'chown%20', 'chgrp%20', 'chown(', 'chgrp(', - 'locate%20', 'grep%20', 'locate(', 'grep(', 'diff%20', 'kill%20', 'kill(', 'killall', - 'passwd%20', '%20passwd', 'passwd(', 'telnet%20', 'vi(', 'vi%20', 'cgi-', '.eml', - 'insert%20into', 'select%20', 'nigga(', '%20nigga', 'nigga%20', 'fopen', 'fwrite', '%20like', 'like%20', - '$_request', '$_get', '$request', '$get', '.system', 'HTTP_PHP', '&aim', '%20getenv', 'getenv%20', - 'new_password', '&icq', '/self/', '/environ', '/shadow', '/gshadow', '/etc/', '/passwd', - 'HTTP_USER_AGENT', 'HTTP_HOST', 'wget%20', 'uname\x20-', 'uname%20-', 'bin/id', '/bin/', '/chgrp', - '/chown', '/chmod', 'chown%20', 'chmod%20', 'chgrp%20', '/usr/bin', 'g++', 'c++', 'bin/python', - 'bin/tclsh', 'bin/nasm', 'perl%20', 'traceroute%20', 'ping%20', 'bin/xterm', 'lsof%20', '.conf', - 'motd%20', 'HTTP/1.', '.inc.php', '.lib.php', '.class.php', 'config.php', 'file\://', 'file://', - 'window.open', 'javascript\://', 'img src', 'img%20src', '.jsp', 'ftp.exe', 'xp_enumdsn', - 'xp_availablemedia', 'xp_filelist', 'xp_cmdshell', 'nc.exe', '.htpasswd', 'servlet', - '/etc/passwd', 'wwwacl', '~root', '~ftp', '.js', '.jsp', '.history', 'bash_history', - '.bash_history', '~nobody', 'server-info', 'server-status', 'reboot%20', 'halt%20', - 'powerdown%20', '/home/ftp', '/home/www', 'secure_site, ok', 'chunked', 'org.apache', '/servlet/con', - '', 'sql=', - 'div style=', 'overflow: auto', 'height: 1px', 'cc%20', 'path=', 'starhack', 'busca', - 'uol.com', '=http://', '=https://','=ftp://','=file://','_SESSION','CFG_ROOT','/proc/', ',0x', '(0x', - '=%7BQUOT%7D', '=%5C', 'DOCUMENT_ROOT', '_SERVER','=%22http','=%22ftp','=%22file','=%27http','=%27ftp', - '../../','..//', '=%27file', 'data://', 'tcp://', 'udp://', 'raw://' + // SQL injections + 'union%20', '%20union', 'insert%20', + 'select%20', '%20like', 'like%20', 'drop%20', 'update%20', + 'union(', 'union=', + + // $GLOBAL/$_SERVER array elements + 'HTTP_USER_AGENT', 'HTTP_HOST', 'HTTP_PHP', '_SESSION','CFG_ROOT', + 'DOCUMENT_ROOT', '_SERVER', + + // Sensitive files + '/environ', '/shadow', '/gshadow', '/passwd', '/group', '.htaccess', + '.htpasswd', '.htgroup', '.history', 'bash_history', 'bashrc', + + // Other Linux/FreeBSD/??? programs (sometimes with space) + 'traceroute%20', 'ping%20', 'bin/xterm', 'bin/./xterm', 'lsof%20', + 'telnet%20', 'wget%20', 'bin/id', 'uname\x20', 'uname%20', 'killall', + 'diff%20', 'kill%20', 'locate%20', 'grep%20', 'vi%20', 'mv%20', + 'rmdir%20', 'mcd%20', 'mrd%20', 'rm%20', '%20mcd', '%20mrd', '%20rm', + 'passwd%20', '%20passwd', 'mdir%20', '%20mdir', 'cp%20', '%20cp', + 'esystem%20', 'chr%20', '%20chr', 'wget%20', '%20wget', '%20cmd', + 'cmd%20', '%20rush', 'rush%20', '%20echr', 'echr%20', '%20getenv', + 'getenv', 'reboot%20', 'halt%20', 'powerdown%20', + + // Other Linux programs (+ brace) + 'locate(', 'grep(', 'kill(', 'mcd(', 'mrd(', 'rm(', 'mv(', 'rmdir(', + 'chmod(', 'chmod(', 'chown(', 'chgrp(', 'passwd(', 'vi(', 'cp(', + 'mdir(', 'esystem(', 'chr(', 'wget(', 'rush(',, 'echr(', + + // Other Linux programs (+ equal) + 'mcd=', 'mrd=', 'chmod=', 'chr=', 'rush=', 'echr=', + + // Paths + '/etc/', '/bin/', '/sbin/', '/self/', '/proc/', '../../','..//', '././', + '/home/ftp', '/home/./ftp', '/home/./www', '/home/www', '/www/virtual/', + '/www/./virtual/', + + // Uni* commands: + '/chgrp', '/chown', '/chmod', 'chown%20', 'chmod%20', 'chgrp%20', + + // Compiler/interpreter + 'g++%20', 'c++%20', 'cc%20', 'bin/./python', 'bin/python', 'bin/tclsh', + 'bin/./tclsh', 'bin/nasm', 'bin/./nasm', '/perl', 'perl%20', 'cmd.exe', + 'nc.exe', 'ftp.exe', + + // PHP commands/scripts + 'fopen', 'fwrite', 'phpinfo()', '\', + + // Typical PHP script remote-inclusions and typical include file names + '.inc.php', '.lib.php', '.class.php', 'config.php', '.inc', '_php', + 'php_', 'class_', '_class.php', 'db_mysql.inc', + + // Generic remote inclusion + '=http://', '=https://', + 'path=', 'sql=', + '=%7BQUOT%7D', '=%5C', '=%22http','=%22ftp','=%22file','=%27http','=%27ftp', + '=%27file', + + // Wrappers + 'data://', 'tcp://', 'udp://', 'raw://', 'javascript://', 'file://', 'ftp://', + + // Blocked "users" + 'nigga(', '%20nigga', 'nigga%20', 'starhack', 'busca', + + // Hidden HTML stuff + '%20style=', 'style%20=', + 'overflow:auto', 'overflow:%20auto', + 'overflow%20:auto', 'overflow%20:%20auto', + 'display:hidden', 'display:%20hidden', + 'display%20:hidden', 'display%20:%20hidden', + 'height:0px', 'height:%200px','height:1px', 'height:%201px', + 'width:0px', 'width:%200px','width:1px', 'width:%201px', + + // Uncommon user websites + '~root', '~ftp', '~nobody', + + // Windows XP (?) hacks + 'xp_enumdsn', 'xp_availablemedia', 'xp_filelist', 'xp_cmdshell', + + // @TODO Misc/unsorted + 'cgi-', '.eml', '$_request', '$_get', '$request', '$get', '.system', + '&aim', 'new_password', '&icq', '.conf', 'motd%20', 'HTTP/1.', + 'window.open', 'img src', 'img%20src', '.jsp', 'servlet', + 'wwwacl', '.js', '.jsp', 'server-info', 'server-status', + 'secure_site, ok', 'chunked', 'org.apache', '/servlet/con', + '