The eighth web attack: overflow attacks (with nginx server configuration against SQL injection, common exploit payloads, spam and unwanted User-Agents)

1. What is an overflow attack

First, the overflow itself. Informally, an overflow is data being written where it was never meant to go, like a bucket that is already full: keep pouring and the water spills over the edge. An overflow attack is one in which the attacker controls what spills over. The damage depends on the privilege of the code that overflows: in a kernel-mode driver (a .sys file) a controlled overflow can mean control of the kernel itself, while in a user-mode library (a .dll) it yields the privileges of whichever process loaded that library.

Second, classification. Overflows are grouped either by the affected product (IIS overflow, SQL Server overflow, and so on, named after the target) or by where the attacker has to be: a remote overflow is triggered over the network, a local overflow requires code already running on the machine.

Finally, the underlying mechanism. Two closely related notions are usually distinguished: memory overflow and buffer overflow.

1. Memory overflow

A memory overflow occurs when a program accesses or copies a memory buffer in an unsafe way, or when a buffer sits directly next to other data, so that writing past the end of the buffer overwrites whatever follows it in memory with the excess bytes. C is the classic setting: it does not check array bounds, it does not enforce the size of the data being copied, and because it sits close to the machine it can address memory directly (and registers, through inline assembly), so nothing stops the stray write.

2. Buffer overflow

A buffer is a contiguous region of memory that the program requests to hold data of a given type while it runs. A buffer overflow occurs when more data is written into the buffer than it can hold. On the stack, the excess lands on the neighbouring values of the function's frame, including the saved return address; an attacker who controls those bytes can redirect execution to instructions of their choosing, which is the goal of the attack.
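The mechanism described in the two paragraphs above, as an added example that is not part of the original article. The "frame" is modelled as a raw byte array so that the overflow is fully defined and deterministic rather than real undefined behaviour: the layout (an 8-byte input buffer followed immediately by a 4-byte control word that input must never touch) is an assumption chosen for the demo, standing in for the saved frame pointer or return address next to a real stack buffer. The vulnerable copy trusts the caller's length the way strcpy trusts the input's terminator; the hardened copy checks the length against the buffer, not the frame.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed layout for the demo: BUF_SIZE bytes of user-controlled buffer,
 * then a 4-byte control word that sits right after it in memory. */
#define BUF_SIZE   8
#define FRAME_SIZE (BUF_SIZE + sizeof(uint32_t))

/* Read the control word that lives directly after the buffer. */
static uint32_t control_word(const unsigned char *frame)
{
    uint32_t v;
    memcpy(&v, frame + BUF_SIZE, sizeof v);
    return v;
}

/* Vulnerable: the only bound is the end of the frame (so the model itself
 * never writes outside the array); the copy is never compared against
 * BUF_SIZE, so bytes 8..11 of the input land on the control word.
 * Returns the control word after the copy: 0 means it survived intact. */
uint32_t unsafe_handle(const unsigned char *input, size_t len)
{
    unsigned char frame[FRAME_SIZE] = {0};
    for (size_t i = 0; i < len && i < FRAME_SIZE; i++)
        frame[i] = input[i];
    return control_word(frame);
}

/* Hardened: validate against the buffer size and refuse oversized input
 * instead of silently overwriting the neighbour. Returns -1 on reject,
 * otherwise 0 because the control word can no longer be reached. */
int safe_handle(const unsigned char *input, size_t len)
{
    unsigned char frame[FRAME_SIZE] = {0};
    if (len > BUF_SIZE)
        return -1;
    memcpy(frame, input, len);
    return control_word(frame) != 0;
}

int main(void)
{
    /* Constructed inputs: a short benign one and a 12-byte payload whose
     * last four bytes ("BBBB", 0x42424242) overwrite the control word. */
    const unsigned char normal[]  = "hello";
    const unsigned char payload[] = "AAAAAAAABBBB";

    printf("normal : unsafe control word=0x%08x safe=%d\n",
           unsafe_handle(normal, 5), safe_handle(normal, 5));
    printf("payload: unsafe control word=0x%08x safe=%d\n",
           unsafe_handle(payload, 12), safe_handle(payload, 12));
    return 0;
}
```

In a real program the overwritten slot is chosen by the attacker from the stack layout (a return address, a function pointer, an "is admin" flag), and the fix is the same as here: every copy into a fixed-size buffer must be bounded by that buffer's size, never by the length of the incoming data.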

3. Concepts and connections of memory, buffer, heap and stack

This part will be explained separately later

nginx defense method

This section gives an example nginx server configuration that drops requests whose query string carries SQL injection, file-inclusion or other common exploit payloads, blocks pharmacy-spam keywords, and bans a few User-Agents. Two caveats before using it. First, the rules are a short signature list, not a replacement for parameterised queries or a real WAF: most of the "exploit" patterns target web-application attacks (reflected XSS, PHP superglobal tampering, file inclusion), and none of them can stop a memory or buffer overflow in a backend program. Second, nginx matches $query_string in its raw, still URL-encoded form, so a payload that percent-encodes the characters a pattern looks for (for example %28 instead of "(") passes straight through. Regex metacharacters in the patterns must be escaped ("\(", "\[", "\." and the "\b" word-boundary anchors); when the backslashes are lost, as easily happens when the snippet is copied through a web page, some patterns fail to compile (nginx -t reports a PCRE error) and others match far more than intended.

Add the following inside the server block, then run nginx -t and reload:

server {
    ## Block SQL injections
    # $query_string is matched raw (not percent-decoded). "~*" is a
    # case-insensitive regex match, so "UNION SELECT" is caught as well.
    set $block_sql_injections 0;
    if ($query_string ~* "union.*select.*\(") {
        set $block_sql_injections 1;
    }
    if ($query_string ~* "union.*all.*select.*") {
        set $block_sql_injections 1;
    }
    if ($query_string ~* "concat.*\(") {
        set $block_sql_injections 1;
    }
    if ($block_sql_injections = 1) {
        return 444;   # nginx-specific: close the connection without a response
    }

    ## Block file injection (a parameter whose value is a URL or a path)
    set $block_file_injections 0;
    if ($query_string ~* "[a-zA-Z0-9_]=https?://") {   # remote file inclusion
        set $block_file_injections 1;
    }
    if ($query_string ~ "[a-zA-Z0-9_]=(\.\.//?)+") {   # ../ directory traversal
        set $block_file_injections 1;
    }
    # Absolute path such as /etc/passwd. The "+" on the character class is
    # widened from the common one-character-per-segment form, which only
    # matched paths like "/a/b/". Note this also blocks legitimate
    # parameters whose value happens to be a path.
    if ($query_string ~ "[a-zA-Z0-9_]=/([a-z0-9_.]+/?)+") {
        set $block_file_injections 1;
    }
    if ($block_file_injections = 1) {
        return 444;
    }

    ## Block common exploit payloads: reflected XSS, PHP superglobal
    ## tampering, /proc/self/environ local file inclusion, Joomla
    ## mosConfig_* remote inclusion and base64-wrapped code. These are
    ## web-application exploits, not memory overflows.
    set $block_common_exploits 0;
    if ($query_string ~* "(<|%3C).*script.*(>|%3E)") {
        set $block_common_exploits 1;
    }
    if ($query_string ~ "GLOBALS(=|\[|%[0-9A-Z]{0,2})") {
        set $block_common_exploits 1;
    }
    if ($query_string ~ "_REQUEST(=|\[|%[0-9A-Z]{0,2})") {
        set $block_common_exploits 1;
    }
    if ($query_string ~ "proc/self/environ") {
        set $block_common_exploits 1;
    }
    if ($query_string ~ "mosConfig_[a-zA-Z_]{1,21}(=|%3D)") {
        set $block_common_exploits 1;
    }
    if ($query_string ~ "base64_(en|de)code\(.*\)") {
        set $block_common_exploits 1;
    }
    if ($block_common_exploits = 1) {
        return 444;
    }

    ## Block spam keywords
    # \b word boundaries keep "viagra" from matching inside an unrelated word.
    set $block_spam 0;
    if ($query_string ~* "\b(ultram|unicauca|valium|viagra|vicodin|xanax|ypxaieo)\b") {
        set $block_spam 1;
    }
    if ($query_string ~* "\b(erections|hoodia|huronriveracres|impotence|levitra|libido)\b") {
        set $block_spam 1;
    }
    if ($query_string ~* "\b(ambien|bluespill|cialis|cocaine|ejaculation|erectile)\b") {
        set $block_spam 1;
    }
    if ($query_string ~* "\b(lipitor|phentermin|pro[sz]ac|sandyauer|tramadol|troyhamby)\b") {
        set $block_spam 1;
    }
    if ($block_spam = 1) {
        return 444;
    }

    ## Block User-Agents
    # The User-Agent header is attacker-controlled and trivially changed, so
    # this only stops tools that do not bother to disguise themselves.
    set $block_user_agents 0;

    # Don't block wget if you need it for cron jobs or health checks!
    #if ($http_user_agent ~ "Wget") {
    #    set $block_user_agents 1;
    #}

    # Block Akeeba Remote Control 2.5 and earlier
    if ($http_user_agent ~ "Indy Library") {
        set $block_user_agents 1;
    }

    # Common bandwidth hogs and hacking tools.
    if ($http_user_agent ~ "libwww-perl") {
        set $block_user_agents 1;
    }
    if ($http_user_agent ~ "GetRight") {
        set $block_user_agents 1;
    }
    if ($http_user_agent ~ "GetWeb!") {
        set $block_user_agents 1;
    }
    if ($http_user_agent ~ "Go!Zilla") {
        set $block_user_agents 1;
    }
    if ($http_user_agent ~ "Download Demon") {
        set $block_user_agents 1;
    }
    if ($http_user_agent ~ "Go-Ahead-Got-It") {
        set $block_user_agents 1;
    }
    if ($http_user_agent ~ "TurnitinBot") {
        set $block_user_agents 1;
    }
    if ($http_user_agent ~ "GrabNet") {
        set $block_user_agents 1;
    }

    if ($block_user_agents = 1) {
        return 444;
    }
}
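To see what the signatures above actually catch before deploying them, here is an added example (not from the original article and not nginx code) that runs five of the patterns over constructed query strings. It uses POSIX regex.h with extended syntax rather than the PCRE library nginx links against, which is an assumption that holds for these particular patterns; matching is case-insensitive, like nginx's "~*" operator (with the case-sensitive "~" an upper-case UNION SELECT would also pass). The point it demonstrates is the raw-versus-decoded gap: nginx tests $query_string before percent-decoding, so a payload that encodes "(" as %28 is invisible to a pattern containing "\(", while the backend sees the decoded parenthesis.

```c
#include <ctype.h>
#include <regex.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Patterns copied from the nginx configuration, in POSIX ERE form. */
static const char *signatures[] = {
    "union.*select.*\\(",          /* SQL injection block */
    "union.*all.*select.*",
    "concat.*\\(",
    "(<|%3C).*script.*(>|%3E)",    /* common exploits block: reflected XSS */
    "proc/self/environ",           /* common exploits block: LFI */
};

/* Index of the first signature that matches qs, -1 if none match,
 * -2 if a signature fails to compile (a bug in the signature list). */
int first_match(const char *qs)
{
    size_t n = sizeof signatures / sizeof signatures[0];
    for (size_t i = 0; i < n; i++) {
        regex_t re;
        if (regcomp(&re, signatures[i], REG_EXTENDED | REG_ICASE | REG_NOSUB) != 0)
            return -2;
        int rc = regexec(&re, qs, 0, NULL, 0);
        regfree(&re);
        if (rc == 0)
            return (int)i;
    }
    return -1;
}

/* Percent-decode in into out ("+" becomes a space), as a backend would. */
void url_decode(const char *in, char *out, size_t outsz)
{
    size_t o = 0;
    for (size_t i = 0; in[i] != '\0' && o + 1 < outsz; i++) {
        if (in[i] == '%' && isxdigit((unsigned char)in[i + 1])
                         && isxdigit((unsigned char)in[i + 2])) {
            char hex[3] = { in[i + 1], in[i + 2], '\0' };
            out[o++] = (char)strtol(hex, NULL, 16);
            i += 2;
        } else if (in[i] == '+') {
            out[o++] = ' ';
        } else {
            out[o++] = in[i];
        }
    }
    out[o] = '\0';
}

/* The same check applied to the decoded string: what the application sees. */
int first_match_decoded(const char *qs)
{
    char buf[1024];
    url_decode(qs, buf, sizeof buf);
    return first_match(buf);
}

int main(void)
{
    /* Constructed sample query strings. */
    const char *samples[] = {
        "id=1&page=2",                                      /* benign */
        "id=1 UNION SELECT 1,concat(user,0x3a,password)",   /* literal SQLi */
        "id=1%20union%20select%201,concat%28user%29",       /* %28 hides the "(" */
        "q=%3Cscript%3Ealert(1)%3C/script%3E",              /* encoded XSS, caught */
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("raw=%2d decoded=%2d  %s\n", first_match(samples[i]),
               first_match_decoded(samples[i]), samples[i]);
    return 0;
}
```

The third sample is the one to worry about: the raw check returns -1 while the decoded check returns 0, so the request reaches the backend as a working UNION SELECT. The XSS pattern survives encoding only because its author spelled out the %3C and %3E alternatives; the SQL patterns did not, and no nginx variable offers a decoded query string to match against, which is why this kind of rule list should be treated as a speed bump rather than a control.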

Publisher: Full-Stack Programmer. Please credit the source: https://javaforall.cn/109273.html. Original link: https://javaforall.cn

Posted by bryanptcs on Tue, 05 Jul 2022 13:12:39 +0930