Marco's SQL Injection - LFI protection

Many attacks happen because a site's extensions are vulnerable to SQL injection or LFI (local file inclusion); this simple plugin raises the level of protection by intercepting the most common types of attack on the site.

The security of your site is not optional, and protecting it is an activity that will save you a considerable number of problems.


Italian version: Protecting the site from SQL injection and local file inclusion
This article, with instructions in Italian, is available at the link above.


This extension is also published on http://extensions.joomla.org ; if you like it, vote for it or write a review, thank you.


SQL Injection and Local file Inclusion Protection

This plugin adds a simple but, in most cases, fundamental protection against SQL injection and LFI (local file inclusion) attacks: it checks the data sent to Joomla and intercepts a lot of common exploits, saving your site from hackers.

  • Filters requests in POST, GET, REQUEST and blocks SQL injection / LFI attempts
  • Notifies you by e-mail when an alert is generated
  • Also protects from unknown vulnerabilities in 3rd party extensions
  • White list for safe components (at your own risk ;) )

Enable mail report and prepare yourself to be scared!


Anyway, remember that security is a 'forma mentis', not a plugin!

Standard Set up

  • Works on Front End only:
    ignores the request (auto-disables the plugin) when it is sent to /administrator
    Be sure everything works fine before enabling it on the back end too! Especially if you enable IP blocking, or you will not be able to access your site.
  • NameSpaces inspected:
    Select which superglobal arrays to inspect; options are:
    • Get
    • Get, Post
    • Request
    • Get, Post, Request
  • Ignored Extension
    comma separated list of ignored components (e.g.: com_content, com_dumper, com_weblinks)

Important, pay attention, please!
PHP parses the request and populates the superglobal arrays by copying values into each array, so $_GET['varName'] and $_REQUEST['varName'] are not references to the same object!
Changing $_GET to sanitize the query string is not enough if the program reads $_REQUEST.
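The copy semantics above are easy to get wrong, so here is an added example (not the plugin's own code) that inspects each selected namespace separately, recursing into arrays and applying a "max consecutive '../'" limit like the option described below. The option names, helper names and the request values are constructed for the example.

```php
<?php
// Added example, not the plugin's code. Shows why every inspected namespace must
// be cleaned separately: PHP fills $_GET, $_POST and $_REQUEST with *copies*.
// Option names mirror the plugin's settings; the request below is constructed.

$maxTraversals = 2;   // "Max number of consecutive '../'"

// What PHP would have built for  ?view=../../../../some/file.txt&id=5  plus a POST body
$_GET     = ['view' => '../../../../some/file.txt', 'id' => '5'];
$_POST    = ['list' => ['select' => '%2e%2e%2f%2e%2e%2f%2e%2e%2fother.txt']];
$_REQUEST = $_GET + $_POST;   // a copy, as PHP does; not a reference to $_GET

/** Longest run of consecutive '../' (or '..\') after URL-decoding. */
function maxConsecutiveTraversals(string $value): int
{
    $longest = 0;
    if (preg_match_all('#(?:\.\.[/\\\\])+#', rawurldecode($value), $m)) {
        foreach ($m[0] as $run) {
            $longest = max($longest, intdiv(strlen($run), 3)); // each hop is 3 chars
        }
    }
    return $longest;
}

/**
 * Recursively inspects one superglobal (array inspection), blanking any value
 * that exceeds the limit (the "Raise Error on Fault = No" behaviour).
 * Returns the paths of the values it neutralised, for the alert mail.
 */
function cleanLfi(array &$data, int $max, string $path): array
{
    $hits = [];
    foreach ($data as $key => &$value) {
        $here = $path . "['" . $key . "']";
        if (is_array($value)) {
            $hits = array_merge($hits, cleanLfi($value, $max, $here));
        } elseif (is_string($value) && maxConsecutiveTraversals($value) > $max) {
            $hits[] = $here;
            $value = '';
        }
    }
    unset($value);
    return $hits;
}

// Cleaning only $_GET blanks $_GET['view'], yet $_REQUEST['view'] still carries the payload:
cleanLfi($_GET, $maxTraversals, '$_GET');
var_dump($_GET['view'] === '' && $_REQUEST['view'] !== '');

// So inspect every namespace the site's extensions might read from, and report the hits:
$alerts = array_merge(cleanLfi($_POST, $maxTraversals, '$_POST'),
                      cleanLfi($_REQUEST, $maxTraversals, '$_REQUEST'));
print_r($alerts);   // the neutralised paths, one per inspected array
```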

Notification

  • Send Email Alert on injection/inclusion
    if 'Yes', sends a mail alert on an attack / malformed URL
  • Mail to notify attack
    address to send the alert to; if blank it is set to 'mailfrom'

Advanced Set up

  • Raise Error on Fault
    if 'Yes', stops Joomla! and returns an error (set a generic error; don't give hints to an attacker); if 'No', cleans up the request and passes it to Joomla!
  • Http Error Code
    HTTP error code to return (40x, 50x)
  • Http Error Message
    a message for the error page

Local File Inclusion parameters

  • LFI check only on canonical
    if 'Yes', checks LFI only on the model, view, controller and template parameters
  • Max number of consecutive '../'
    how many consecutive '../' may be present in the URL

IP Blocking

(from version 1.1)

  • Enable temporary IP block
    Enable/Disable IP banning
  • Seconds to hold ip banned
    How many seconds to keep the IP block enabled
  • Max hacks attempt
    Max hack attempts before the IP block starts

Caution: make sure Joomla!'s 'Debug' is disabled before you enable IP blocking (only for pre-1.4 versions).

  • make sure Joomla!'s 'Debug' is disabled
  • enable IP blocking
  • reactivate 'Debug' (if you need it, of course)

Joomla!'s 'Debug' catches database errors and prevents the plugin from creating the table for storing IPs.
There is no need to disable debug with version 1.4+.

DON'T TRY ANY ATTACK after enabling 'IP blocking' and back-end protection! If you do so, you will not be able to access your site for the time set in 'Seconds to hold ip banned'.


A useful addition

Not all hacks pass through the Joomla framework: the JCE editor is the proof!
So you can add this code to your .htaccess file; paste it just after "RewriteEngine On":

RewriteCond %{REQUEST_URI}  ^/images/  [NC,OR]
RewriteCond %{REQUEST_URI}  ^/media/  [NC,OR]
RewriteCond %{REQUEST_URI}  ^/logs/  [NC,OR]
RewriteCond %{REQUEST_URI}  ^/tmp/
RewriteRule .*\.(phps?|sh|pl|cgi|py)$ - [F]

This code blocks all attempts to run scripts from upload and cache directories that are outside Joomla's control. You may have to add other paths depending on the components installed.

Recovery of improper installation

This plugin is working on many hundreds of sites, but it has not been tested with all the most common extensions. Please check that the most important functions of your website still run correctly.

Tested (almost) with:

  • ckForms
  • virtuemart
  • joomfish
  • PhocaDownload
  • PhocaGallery
  • RokDownloads
  • AcyMailing
  • ccnews
  • AlphaRegistration
  • Chrono Contact
  • SOBI2

and others.

It has never happened, but better cautious than sorry: if something goes wrong you can easily restore the site by following the instructions below.

Manually disable the plugin

Joomla 1.5!
Use phpMyAdmin (or whatever SQL editor you use) and select the #__plugins table (#__ is usually jos_).
Select the record whose name equals "System - Marco's SQL Injection - LFI Interceptor": I suppose it's the last one. Edit this record and set the "published" field to "0". Now the plugin is disabled.

Joomla 2.5!, Joomla 3.x!
Use phpMyAdmin (or whatever SQL editor you use) and select the #__extensions table (#_ is a random string; see the prefix of the other tables).
Select the record whose name equals "System - Marco's SQL Injection - LFI Interceptor": I suppose it's the last one. Edit this record and set the "enabled" field to "0". Now the plugin is disabled.

JDatabaseMySQL::query: 1146 - Table 'xxx.yyy_mi_iptable' doesn't exist

Debug was enabled when you activated IP blocking.

Disable the plugin
see above

Disable Debug
open configuration.php via FTP and set

  • J1.5:
    var $debug = '0';
  • J2.5, J3.x:
    public $debug = '0';

then reload the page.

Create table manually

Use phpMyAdmin (or whatever SQL editor you use), select the SQL tab and run:

CREATE TABLE `#__mi_iptable` (
`ip` VARCHAR(40) NOT NULL COMMENT 'ip to char',
`firsthacktime` DATETIME NOT NULL ,
`lasthacktime` DATETIME NOT NULL ,
`hackcount` INT NOT NULL DEFAULT '1',
`autodelete` TINYINT NOT NULL DEFAULT '1',
PRIMARY KEY ( `ip` )
);

"#_" is the table prefix; from J2.5 it is a random string (see the other tables).

Blank page after install

Typically you tried to install on PHP 4 (J1.5 only). There is no way around it: disable the plugin and upgrade Joomla.

HISTORY

Version 1.6 (14th Nov 2015)

  • better pattern matching
  • IPv6 support
  • various code improvements
  • array inspection
  • unified j2.5 / 3.x version
  • translation support


Version 1.4 (Apr 28th, 2014)

  • minor code fixes (not security related)
  • default table type set by DB engine
  • table creation by sql install file

Version Apr 5th, 2013

  • PHP 5.3 strict
  • minor code improvements

Version 1.2 (Mar 26th, 2013)

  • Joomla! 3.0 coding style
  • try - catch table checking
  • InnoDB table support

Version 1.1.1 (Mar 23rd, 2013)

  • Joomla! 3.0 compatibility
  • it works fine, nothing else to do ;)

Version 1.1 (Mar 10th, 2011)

  • added auto banning ip (ip blocking)
  • RegEx improvements to intercept more SQL attacks

Version 1.0 (Jan 5th, 2011)

  • Joomla! v1.6 compatibility
  • send mail also when error is raised
  • minor code optimization
  • no bug fix, so you do not need to upgrade

Version .98a (Jun 1st, 2010) Thanks to Jeff

  • fixed backticks matching
  • fixed union all matching
  • fixed ....// exploit
  • added more info to report mail


Download Marco's SQL Injection - LFI Interceptor Plugin for Joomla!

Please keep in mind, I repeat: this plugin intercepts a lot of common exploits, not ALL of them! It should be regarded as a help, it is not "THE SOLUTION".

Joomla! 2.5 & Joomla! 3.x

Previous versions (compatibility versions)

(also works on Joomla! 1.6 & Joomla! 1.7; does not work on Joomla! 3.0)

Comments

0 #112 Daniel 2016-07-31 17:31
Quoting Daniel:
Hello Marco, I was wondering if there will be more updates of this amazing extension. I'm using php y now and I'm getting this error too:

Deprecated: Methods with the same name as their class will not be constructors in a future version of PHP; plgSystemMarcosinterceptor has a deprecated constructor in ***/plugins/system/marcosinterceptor/marcosinterceptor.php on line 13

Thanks in advance!!

I meant *php 7*
Quote
0 #111 Daniel 2016-07-31 17:30
Hello Marco, I was wondering if there will be more updates of this amazing extension. I'm using php y now and I'm getting this error too:

Deprecated: Methods with the same name as their class will not be constructors in a future version of PHP; plgSystemMarcosinterceptor has a deprecated constructor in ***/plugins/system/marcosinterceptor/marcosinterceptor.php on line 13

Thanks in advance!!
Quote
+2 #110 Etitek 2016-04-13 17:17
Hello, when will you update to php 7?
Quote
+2 #109 Topaz 2016-03-24 23:20
Deprecated: Methods with the same name as their class will not be constructors in a future version of PHP; plgSystemMarcosinterceptor has a deprecated constructor in .../plugins/system/marcosinterceptor/marcosinterceptor.php on line 13
with php 7

===Answer
Hi Topaz,
you can change line 16 (in the latest version):
function plgSystemMarcosinterceptor( &$subject, $config ){
with:
function __construct( &$subject, $config ){
but this is not mandatory.
bye,
marco
Quote
+1 #108 AS 2016-01-06 11:06
Hi Marco!
Several of my Joomla websites have been hacked. I restored from backup, cleaned and upgraded Joomla and components to the latest versions. I installed your plugin and for one site I'm still getting warnings (2 different). I blocked the IP in .htaccess but it doesn't help. I'm not an expert, so could you please tell me what it means? Can I send you the warning email(s)?
Thank you for your great work and all the best in the new year!
-- Here is the beginning text of one email --
** PATTERNS MATCHED (possible hack attempts)
* Table name in url $_POST['list']['select'] => (select 1 FROM(select count(*),concat((select (select concat(LEFT(session_id, 50))) FROM [deleted]_session WHERE data LIKE '%Super User%' AND data NOT LIKE '%IS NOT NULL%' AND userid!='0' AND username IS NOT NULL LIMIT 0,1),floor(rand(0)*2))x FROM information_schema.tables

===Answer
Hi AS,
this is an exploit for a SQL injection vulnerability found in Joomla versions 3.2 up to 3.4.4 (fixed in 3.4.5, but 3.4.5 is buggy).

you can use the plugin feature to block (temporarily) the IPs, no need to use .htaccess, because, almost surely, they are dynamic IPs.

ps: never post your table prefix!! It must be kept secret (I removed it).

please note that the latest Joomla fixes are related to session or PHP issues, so you can't block them with this plugin; you have to update Joomla and PHP on your server (or ask your provider to do it).
anyway this plugin still saves you from coding errors in extensions ;)

bye,
marco
Quote
+1 #107 JGS 2015-11-12 18:35
Quoting JGS:
Hello Marco,
First, my compliments for this plugin.
On a Windows computer there is no error message in different browsers. But on a Mac computer, there is the same error message as above. If I disable the IP banning there is no message.
Wkr JGS

Sorry, I mean the same as in case #104.

=== Answer
upgrade to 1.6+. If the problem is related to IPv6 it should solve it.
Quote
+1 #106 JGS 2015-11-12 15:52
Hello Marco,
First, my compliments for this plugin.
On a Windows computer there is no error message in different browsers. But on a Mac computer, there is the same error message as above. If I disable the IP banning there is no message.
Wkr JGS
Quote
+1 #105 Roelof 2015-10-30 19:20
Would this plugin have protected a site from the vulnerability that was fixed in the Joomla 3.4.5 security fix?

joomla.org/.../...

=== Answer
The latest version does. Previous ones... don't know.
Quote
+2 #104 Marc Maes 2015-10-07 07:26
Hello Marco,
great plugin. I use it on several Joomla websites.
This week I got a message from 2 of my clients that a strange message (see below) appeared on their website.
Disabling your plugin solved the problem.
Can I do something about this, to enable the plugin again but not get this message?

• IP PROTECTION NOT ENABLED! Unexpected mysql error 1064 accessing iptable: You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 'AND `hackcount` >= 1' at line 1 SQL=SELECT COUNT(*) from `webs2go_mi_iptable` WHERE ip = AND `hackcount` >= 1

===Answer
Hello Marc,
this is strange... look at the SQL:
"SELECT COUNT(*) from `webs2go_mi_iptable` WHERE ip = AND `hackcount` >= 1"
the IP address is missing...

is the server configured with IPv6? are you using IPv6 to access the server?

you should check the value of the $_SERVER['REMOTE_ADDR'] server variable.

ps: you can disable only the IP banning (Enable temporary IP block), no need to disable the plugin

let me know.

bye,
marco
Quote
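The SQL quoted in this thread shows the failure mode exactly: an empty REMOTE_ADDR spliced into the query leaves `WHERE ip = AND ...`. As an added example (not the plugin's code), this PHP snippet validates the client address first and binds it as a parameter, so an unexpected value can neither break the ban-table query nor alter its meaning. The table name, the PDO handle and the function names are assumptions.

```php
<?php
// Added example, not the plugin's code. Reconstructs and fixes the failure mode
// behind "WHERE ip = AND `hackcount` >= 1": an empty $_SERVER['REMOTE_ADDR']
// spliced into the SQL string. Table name and PDO handle are assumptions.

/** Returns the validated client address (IPv4 or IPv6) or null when unusable. */
function clientIp(array $server): ?string
{
    $ip = $server['REMOTE_ADDR'] ?? '';
    return filter_var($ip, FILTER_VALIDATE_IP) === false ? null : $ip;
}

/** Fragile form: string splicing yields the reported 1064 syntax error when $ip is ''. */
function countHacksUnsafe(string $ip): string
{
    return "SELECT COUNT(*) from `jos_mi_iptable` WHERE ip = $ip AND `hackcount` >= 1";
}

/**
 * Safe form: the address is validated, then bound as a parameter.
 * Returns null (IP protection skipped, not crashed) when no usable IP exists,
 * so the site keeps serving pages instead of showing a database error.
 */
function countHacks(PDO $db, array $server, int $maxAttempts): ?int
{
    $ip = clientIp($server);
    if ($ip === null) {
        return null;
    }
    $stmt = $db->prepare(
        'SELECT COUNT(*) FROM `jos_mi_iptable` WHERE `ip` = :ip AND `hackcount` >= :n'
    );
    $stmt->execute([':ip' => $ip, ':n' => $maxAttempts]);
    return (int) $stmt->fetchColumn();
}

// Constructed cases: a missing address (the reported case) and a valid IPv6 one.
var_dump(clientIp([]));                                 // unusable: no address at all
var_dump(clientIp(['REMOTE_ADDR' => '2001:db8::1']));   // accepted: RFC 3849 documentation prefix
echo countHacksUnsafe('') . "\n";                        // shows the broken statement from the report
```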
+1 #103 Tim 2014-12-23 02:00
This works well. Can you add SMTP support? I don't have PHP mail enabled in my environment and use SMTP in Joomla instead. If you can add support for the selected mail type that would be awesome. Thanks!

===Answer
Hi Tim,
this plugin uses the Joomla JMail class to send warnings, so it should work with your SMTP too;
check sender and recipient in the configuration.

bye,
marco
Quote
