We use cfqueryparam. But when ScanAlert tests our site every night, they
want to see something like a cfabort or a blank page when they pass commands
such as exec or delete. So we had to implement something like that below.

-----Original Message-----
From: Bryan Stevenson [mailto:[email protected]] 
Sent: Thursday, December 09, 2010 4:22 PM
To: cf-talk
Subject: RE: index.cfm being hacked (now application.cfm)


....or just use CFQUERYPARAM and skip all that ;-)

On Thu, 2010-12-09 at 18:45 -0500, Brian Polackoff wrote:

> Hey Mike,
> Sorry if this reply is off target, I'm jumping in here way after the 
> original post but I too had issues with people hacking pages (using 
> sql injection, not sure if that's what you said they are doing to 
> you). I did some research and found the below code that helped.  I 
> admit it's not the most efficient way of stopping the attacks, but I 
> do FULLY admit it stops the immediate threats and may buy you some time.
> 
> <!--- lower case checking --->
> <cfif
>       cgi.SCRIPT_NAME contains "cast(" OR
>       cgi.SCRIPT_NAME contains "exec(" OR
>       cgi.PATH_INFO contains "exec(" OR
>       cgi.QUERY_STRING contains "exec(" OR
>       cgi.SCRIPT_NAME contains "declare(" OR
>       cgi.PATH_INFO contains "declare(" OR
>       cgi.QUERY_STRING contains "declare(">
>   <cfabort>
> </cfif>
> <!--- upper case checking if needed --->
> <cfif
>       cgi.SCRIPT_NAME contains "CAST(" OR
>       cgi.SCRIPT_NAME contains "EXEC(" OR
>       cgi.PATH_INFO contains "EXEC(" OR
>       cgi.QUERY_STRING contains "EXEC(" OR
>       cgi.SCRIPT_NAME contains "DECLARE(" OR
>       cgi.PATH_INFO contains "DECLARE(" OR
>       cgi.QUERY_STRING contains "DECLARE(">
>   <cfabort>
> </cfif>
> <!--- keyword checking on the query string --->
> <cfif
>       CGI.QUERY_STRING contains "delete " OR
>       CGI.QUERY_STRING contains "update " OR
>       CGI.QUERY_STRING contains "DELETE" OR
>       CGI.QUERY_STRING contains "UPDATE">
>   <cfabort>
> </cfif>
> 
> Again, sorry if SQL injection in not your problem.
> 
> Brian Polackoff
> [email protected]
> http://www.emstoolkit.com
> 
> 
> -----Original Message-----
> From: Mike Little [mailto:[email protected]]
> Sent: Thursday, December 09, 2010 5:56 PM
> To: cf-talk
> Subject: Re: index.cfm being hacked (now application.cfm)
> 
> 
> darn.
> 
> they have stopped targeting the index.cfm and are now targeting the 
> Application.cfm...
> 
> for the sake of anyone who may have experienced something similar, the 
> following is what is prepended to my application script:
> 
> ---------------
> 
> <cfset domain = cgi.remote_addr>
> <cfset userag = cgi.http_user_agent>
> <cfset refer = cgi.HTTP_REFERER>
> <cfset stop_ip_mask = "66\.249\.[6-9][0-9]\.[0-9]+|74\.125\.[0-9]+\.[0-9]+|65\.5[2-5]\.[0-9]+\.[0-9]+|74\.6\.[0-9]+\.[0-9]+|67\.195\.[0-9]+\.[0-9]+|72\.30\.[0-9]+\.[0-9]+|38\.[0-9]+\.[0-9]+\.[0-9]+|93\.172\.94\.227|212\.100\.250\.218|71\.165\.223\.134|70\.91\.180\.25|65 ... \.74">
> <cfset stop_useragents = "http| 4|google|slurp| msnbot| bot| crawl| spider| robot| HttpClient| curl| PHP| Indy Library|WordPress|Charlotte|wwwster|Python|urllib|perl|libwww|lynx|Twiceler|rambler|yandex">
>
> <cfif (REFindNoCase(stop_useragents,userag) GT 0) OR (REFindNoCase(stop_ip_mask,domain) GT 0)>
>
> <cfset links = ' <a href="badurl">pharmacy related string</a> <a href="badurl">pharmacy related string</a> <a href="badurl">pharmacy related string</a> ... the list is huge !! ...
> <a href="badurl">pharmacy related string</a>'>
> <cfset arr = listToArray (links, "#chr(10)##chr(13)#")>
>
> <cfset CreateObject(
> "java",
> "java.util.Collections"
> ).Shuffle(
> arr
> ) />
>
> <cfset myList = ArrayToList(arr, " ")>
>
> <cfoutput>#myList#</cfoutput>
> </cfif>
> <!---pharmacylinks--->
> 
> 
> 
> 
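The thread's two layers, cfqueryparam as the real control and a request-level tripwire that gives the scanner the abort it wants to see, as an added Python example (not code from the thread; the original is ColdFusion, this is Python so it runs stand-alone). sqlite3's `?` placeholders stand in for cfqueryparam, and the function names (`should_abort`, `make_db`, `lookup_user`, `lookup_user_concat`) and the sample rows are constructed here. Two things worth knowing about the CFIF blocks quoted above: CFML's `contains` operator is already case-insensitive, so the upper-case block adds no coverage, and CGI.QUERY_STRING is the raw, still URL-encoded string, so a tripwire should decode before it matches.

```python
"""Added example in Python (the thread's code is ColdFusion): a request
tripwire like the CFIF blacklist, plus a bound query, the sqlite3 counterpart
of cfqueryparam. All names and sample data here are constructed."""
import sqlite3
from urllib.parse import unquote_plus

# Tokens from the CFIF blocks in the thread. Matching is done on a lower-cased
# copy, which is what CFML's case-insensitive `contains` does implicitly, so
# one list replaces the separate upper- and lower-case blocks.
SQLI_TOKENS = ("cast(", "exec(", "declare(", "delete ", "update ")


def should_abort(cgi):
    """True when SCRIPT_NAME, PATH_INFO or QUERY_STRING holds a token.

    `cgi` is a dict standing in for ColdFusion's CGI scope. Values are
    URL-decoded before matching, so "delete+from" and "delete%20from" are
    both seen as "delete from"; CGI.QUERY_STRING itself is still encoded.
    """
    for key in ("SCRIPT_NAME", "PATH_INFO", "QUERY_STRING"):
        value = unquote_plus(cgi.get(key, "")).lower()
        if any(token in value for token in SQLI_TOKENS):
            return True
    return False


def make_db():
    """Constructed in-memory table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users (name) VALUES (?)",
                     [("alice",), ("O'Brien",), ("update me",)])
    return conn


def lookup_user(conn, name):
    """Bound parameter, the same idea as cfqueryparam: `name` travels as data,
    never as SQL text, so an apostrophe or keyword in it cannot change the
    statement. Returns the matching names."""
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,))
    return [r[0] for r in rows.fetchall()]


def lookup_user_concat(conn, name):
    """The pattern the tripwire papers over: the value is pasted into the SQL.
    Returns the matching names, or None when the database rejects the
    statement, which an ordinary apostrophe already causes."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    try:
        return [r[0] for r in conn.execute(sql).fetchall()]
    except sqlite3.OperationalError:
        return None


if __name__ == "__main__":
    db = make_db()
    print(should_abort({"SCRIPT_NAME": "/index.cfm", "QUERY_STRING": "id=5%3Bexec("}))
    print(should_abort({"SCRIPT_NAME": "/index.cfm", "QUERY_STRING": "name=update+me"}))
    print(lookup_user(db, "O'Brien"), lookup_user_concat(db, "O'Brien"))
```

The second `should_abort` call is the caveat: a perfectly ordinary query string containing "update " trips the blacklist, while the bound query returns the "update me" row without any trouble. That is why the tripwire is something you keep to satisfy the nightly scan and the bound parameter is the control you rely on.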



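On Mike's Application.cfm problem: the prepended block is a cloaking template. It emits the link list only when the user agent or the source IP matches the crawler list, so anyone browsing the site normally sees nothing and the spam is visible to search engines alone. Below is an added Python example, not from the thread, of a static triage scan over a web root for the indicators that are visible in the quoted block (the stop_ip_mask and stop_useragents variables, the REFindNoCase check, the java.util.Collections shuffle, the link list assignment and the pharmacylinks marker). The function names, the sample file contents and the placeholder regex and link text are constructed here.

```python
"""Added example in Python (not from the thread): static triage scan for the
cloaked spam-link block that was prepended to Application.cfm. The indicators
are lifted from the quoted injection; the sample files, function names and
placeholder regex/link list are constructed here."""
import os
import re
import shutil
import tempfile

# (name, pattern) pairs, each visible in the quoted block. Case-insensitive
# because CFML tag and variable names are.
INDICATORS = [
    ("crawler IP mask variable", re.compile(r"stop_ip_mask", re.I)),
    ("crawler user-agent variable", re.compile(r"stop_useragents", re.I)),
    ("user-agent cloaking check", re.compile(r"REFindNoCase\(\s*stop_useragents", re.I)),
    ("Java Collections shuffle", re.compile(r"java\.util\.Collections", re.I)),
    ("hidden link list", re.compile(r"<cfset\s+links\s*=\s*'?\s*<a\s+href", re.I)),
    ("pharmacylinks marker", re.compile(r"<!---\s*pharmacylinks\s*--->", re.I)),
]


def scan_text(text):
    """Return [(line_number, indicator_name)] for every hit in CFML source."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in INDICATORS:
            if pattern.search(line):
                hits.append((lineno, name))
    return hits


def scan_tree(root):
    """Walk a web root; return {path: hits} for .cfm/.cfc files with hits."""
    findings = {}
    for dirpath, _, filenames in os.walk(root):
        for filename in filenames:
            if not filename.lower().endswith((".cfm", ".cfc")):
                continue
            path = os.path.join(dirpath, filename)
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = scan_text(fh.read())
            if hits:
                findings[path] = hits
    return findings


# Constructed sample shaped like the quoted injection sitting on top of an
# ordinary Application.cfm; regex and link text are placeholders.
INFECTED_SAMPLE = """<cfset domain = cgi.remote_addr>
<cfset userag = cgi.http_user_agent>
<cfset stop_ip_mask = "66\\.249\\.[0-9]+\\.[0-9]+">
<cfset stop_useragents = "google|slurp|msnbot">
<cfif (REFindNoCase(stop_useragents,userag) GT 0) OR (REFindNoCase(stop_ip_mask,domain) GT 0)>
<cfset links = ' <a href="badurl">placeholder</a>'>
<cfset arr = listToArray(links, "#chr(10)##chr(13)#")>
<cfset CreateObject("java", "java.util.Collections").Shuffle(arr) />
<cfoutput>#ArrayToList(arr, " ")#</cfoutput>
</cfif>
<!---pharmacylinks--->
<cfapplication name="shop" sessionmanagement="true">
"""

CLEAN_SAMPLE = """<cfapplication name="shop" sessionmanagement="true">
<cfset request.dsn = "shopdb">
"""


def demo_scan():
    """Write both samples into a temporary web root, scan it, and return the
    base names of the files that had hits."""
    root = tempfile.mkdtemp(prefix="cfm-scan-")
    try:
        with open(os.path.join(root, "Application.cfm"), "w", encoding="utf-8") as fh:
            fh.write(INFECTED_SAMPLE)
        with open(os.path.join(root, "index.cfm"), "w", encoding="utf-8") as fh:
            fh.write(CLEAN_SAMPLE)
        return sorted(os.path.basename(p) for p in scan_tree(root))
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for lineno, name in scan_text(INFECTED_SAMPLE):
        print(f"line {lineno}: {name}")
    print(demo_scan())
```

Because the block was prepended, the hits cluster in the first dozen lines of Application.cfm, ahead of the first legitimate tag; that position is itself a useful signal when reviewing the report. A signature scan like this only finds this variant, so it belongs next to a diff of the web root against the deployed release and a look at which files changed most recently, which also points at how the attacker is getting write access in the first place.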
Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:339973