(Italian version: see the articles)

This extension is also published on http://extensions.joomla.org ; if you like it, vote for it or write a review. Thank you.

SQL injection, local file inclusion protection

SQL Injection and Local file Inclusion Protection

This plugin adds a simple but, in most cases, fundamental protection against SQL injection and LFI (local file inclusion) attacks: it checks the data sent to Joomla and intercepts a lot of common exploits, saving your site from hackers.

  • Filters requests in GET, POST and REQUEST, and blocks SQL injection / LFI attempts
  • Notifies you by e-mail when an alert is generated
  • Also protects against unknown vulnerabilities in 3rd party extensions
  • White list for safe components (at your own risk ;) )

Enable the mail report and prepare to be scared!


Anyway, remember that security is a 'forma mentis' (a way of thinking), not a plugin!

Standard Set up

  • Works on the front end only:
    requests sent to /administrator are ignored (the plugin disables itself for them)
  • Namespaces inspected
    selects which superglobal arrays are inspected; the options are:
    • Get
    • Get, Post
    • Request
    • Get, Post, Request

  • Ignored Extensions
    comma-separated list of components to ignore (e.g. com_content, com_dumper, com_weblinks)

Important, pay attention, please!
PHP parses the request and populates the superglobal arrays by copying the values into each array, so $_GET['varName'] and $_REQUEST['varName'] are not references to the same object!
Changing $_GET to sanitize the query string is not enough if the program reads $_REQUEST: the value has to be cleaned (or the request blocked) in every array that the component may read.
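As an added example (it is not the plugin's own code), the following PHP script shows the point made above: a scanner that inspects the configured namespaces, with $_REQUEST populated as a copy of $_GET, so that cleaning $_GET alone leaves the payload sitting in $_REQUEST. The function names scanValue() and scanRequest(), the pattern list and the ignore list are assumptions made for this illustration; the sample request is the query string quoted in comment #47 further down this page.

```php
<?php
// Added example, not the plugin's own code: a minimal request scanner that
// inspects the superglobals named in the "Namespaces inspected" option.
// scanValue(), scanRequest(), the pattern list and the sample request below
// are assumptions made for this illustration.

/**
 * Return the labels of every suspicious construct found in $value
 * (an empty array means it looks clean). The value is URL-decoded once more
 * to catch double encoding, and inline SQL comments are removed, so that the
 * comment-obfuscated "uNiOn ... aLl ... sElEcT" is matched exactly like
 * "union all select".
 */
function scanValue(string $value): array
{
    $text = rawurldecode($value);
    $text = preg_replace('#/\*.*?\*/#s', ' ', $text);   // remove inline comments
    $text = preg_replace('/\s+/', ' ', $text);           // normalise whitespace

    $patterns = [
        'union select'  => '/\bunion\b(?:\s+all)?\s+select\b/i',
        'sql comment'   => '/(?:--|#)\s*$/',             // trailing comment marker
        'users table'   => '/\b\w+_users\b/i',           // jos_users and friends
        'stacked query' => '/;\s*(?:delete|drop|update|insert|select)\b/i',
    ];
    $findings = [];
    foreach ($patterns as $label => $regex) {
        if (preg_match($regex, $text)) {
            $findings[] = $label;
        }
    }
    return $findings;
}

/**
 * Scan the superglobals named in $namespaces (any of GET, POST, REQUEST).
 * Each array is a separate copy, so every configured namespace is inspected
 * on its own. Components listed in $ignored are skipped entirely.
 */
function scanRequest(array $namespaces, array $ignored = []): array
{
    $arrays = ['GET' => $_GET, 'POST' => $_POST, 'REQUEST' => $_REQUEST];
    $option = $_REQUEST['option'] ?? '';
    if (in_array($option, $ignored, true)) {
        return [];                                       // white-listed, at your risk
    }
    $report = [];
    foreach ($namespaces as $ns) {
        foreach ($arrays[$ns] ?? [] as $name => $value) {
            if (!is_string($value)) {
                continue;
            }
            foreach (scanValue($value) as $finding) {
                $report[] = sprintf('%s [%s:%s] => %s', $finding, $ns, $name, $value);
            }
        }
    }
    return $report;
}

// Constructed sample: the query string quoted in comment #47 on this page,
// which probes jos_users through an unchecked integer "id".
$query = 'option=com_jphoto&view=category&id=-999%2F%2A%2A%2FuNiOn%2F%2A%2A%2Fall'
       . '%2F%2A%2A%2FsEleCt%2F%2A%2A%2F0%2C0x33633273366962%2C0%2C0%2C0%2C0%2C0%2C0'
       . '%2C0%2C0%2C0x33633273366962%2C0%2C0%2F%2A%2A%2Ffrom%2F%2A%2A%2Fjos_users--';
parse_str($query, $_GET);
$_REQUEST = $_GET;                     // PHP fills $_REQUEST with a copy, not a reference

print_r(scanRequest(['GET', 'REQUEST']));      // both copies carry the payload

$_GET['id'] = '1';                             // "sanitizing" $_GET alone ...
print_r(scanRequest(['GET']));                 // GET now looks clean ...
print_r(scanRequest(['GET', 'REQUEST']));      // ... while REQUEST:id still carries the payload
```

Run it with php from the command line. The plugin's own regular expressions are not published on this page; the point of the example is the normalisation (URL decoding and removal of inline comments) before matching, and the fact that each superglobal array has to be inspected separately.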

Notification

  • Send Email Alert on injection/inclusion
    if 'Yes', sends a mail alert on every attack / malformed URL
  • Mail to notify attack
    address to which alerts are sent; if blank, the Joomla! 'mailfrom' address is used

Advanced Set up

  • Raise Error on Fault
    if 'Yes', stops Joomla! and returns an error (useful for debugging); if 'No', cleans up the request and passes it on to Joomla!
  • Http Error Code
    HTTP status code to return (40x, 50x)
  • Http Error Message
    message shown on the error page

Local File Inclusion parameters

  • LFI check only on canonical
    if 'Yes', checks for LFI only in the model, view, controller and template parameters
  • Max number of consecutive '../'
    how many consecutive '../' may be present in the URL before the request is treated as an attack
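The two options above as an added PHP example (not the plugin's code): the value is decoded before counting, a run of two or more dots followed by slashes is counted as one traversal segment so that the ....// trick does not slip through, and the canonical-only switch is shown together with one non-canonical parameter to make the trade-off visible. The function names, the canonical parameter list and the sample values are assumptions made for the illustration.

```php
<?php
// Added example, not the plugin's own code: an LFI check built around the two
// options "LFI check only on canonical" and "Max number of consecutive '../'".
// Function names, the canonical parameter list and the sample values are
// assumptions for this illustration.

const CANONICAL_PARAMS = ['model', 'view', 'controller', 'template'];

/**
 * Decode the value the way a sloppy include() would end up seeing it:
 * undo URL encoding up to twice (double-encoded payloads) and treat
 * backslashes as slashes.
 */
function normalisePath(string $value): string
{
    $path = $value;
    for ($round = 0; $round < 2; $round++) {
        $decoded = rawurldecode($path);
        if ($decoded === $path) {
            break;
        }
        $path = $decoded;
    }
    return str_replace('\\', '/', $path);
}

/**
 * Longest run of consecutive traversal segments. A segment is two or more
 * dots followed by one or more slashes, so "....//" counts as a segment:
 * a filter that strips "../" only once turns "....//" back into "../",
 * which is the ....// trick mentioned in the version .98a notes.
 */
function maxConsecutiveDotDot(string $path): int
{
    preg_match_all('#(?:\.{2,}/+)+#', $path, $runs);
    $longest = 0;
    foreach ($runs[0] as $run) {
        $longest = max($longest, preg_match_all('#\.{2,}/+#', $run));
    }
    return $longest;
}

/**
 * True if the request parameter looks like a local file inclusion attempt.
 * With $canonicalOnly the check is restricted to the parameters Joomla!
 * itself turns into file names (model, view, controller, template).
 */
function isLfiAttempt(string $name, string $value, int $maxDotDot, bool $canonicalOnly): bool
{
    if ($canonicalOnly && !in_array($name, CANONICAL_PARAMS, true)) {
        return false;
    }
    $path = normalisePath($value);
    if (maxConsecutiveDotDot($path) > $maxDotDot) {
        return true;
    }
    // Other classic markers: a NUL byte that cuts off an appended ".php",
    // absolute paths into /etc or /proc, and stream wrappers (php://, http://).
    return (bool) preg_match('#\x00|^/(?:etc|proc)/|^[a-z][a-z0-9+.-]*://#i', $path);
}

// Constructed samples: the first four are attacks, the last two ordinary values
// (the final one is an attack on a non-canonical parameter, which the
// canonical-only setting deliberately does not look at).
$samples = [
    ['view', '../../../../etc/passwd'],
    ['view', '....//....//....//etc/passwd'],
    ['view', '..%252F..%252F..%252Fetc%252Fpasswd'],                  // double-encoded
    ['template', 'php://filter/read=convert.base64-encode/resource=configuration'],
    ['view', 'category'],
    ['id', '../../../../etc/passwd'],
];
foreach ($samples as [$name, $value]) {
    printf("%-9s %-60s %s\n", $name, $value,
        isLfiAttempt($name, $value, 2, true) ? 'BLOCK' : 'pass');
}
```

With a maximum of two consecutive '../' and canonical-only enabled, the first four samples are blocked and the last two pass; switching canonical-only off would also block the last one, at the price of inspecting every parameter of every component.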

IP Blocking

(from version 1.1)

  • Enable temporary IP block
    enables/disables IP banning
  • Seconds to hold ip banned
    how many seconds the IP block stays active
  • Max hacks attempt
    how many hack attempts are allowed before the IP block starts

Caution: make sure that Joomla!'s 'Debug' is disabled before you enable IP blocking.

  1. make sure that Joomla!'s 'Debug' is disabled
  2. enable IP blocking
  3. re-enable 'Debug' (if you need it, of course)

Joomla!'s 'Debug' catches database errors and prevents the plugin from creating the table used to store the IPs.
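The IP block in the form of an added PHP example (not the plugin's code). It keeps the counters in a table that is created as a separate, explicit step, which is exactly the step that fails when Joomla!'s Debug swallows the database error. The table name mi_iptable is taken from the error message quoted later on this page; the columns, the function names and the sample address are assumptions, and SQLite in memory is used so that the script runs on its own.

```php
<?php
// Added example, not the plugin's own code: a temporary IP ban kept in a small
// database table, modelled on the three IP Blocking options. The table name
// mi_iptable comes from the error message quoted on this page; columns,
// function names and the sample address are assumptions. SQLite in memory is
// used so the script runs stand-alone; on a site the PDO handle would point at
// the Joomla! database.

function openBanStore(string $dsn = 'sqlite::memory:'): PDO
{
    $db = new PDO($dsn);
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Create the table as an explicit step when the feature is switched on:
    // a failure here shows up as a clear exception instead of surfacing on
    // the first blocked request (compare the Debug caveat above).
    $db->exec('CREATE TABLE IF NOT EXISTS mi_iptable (
                   ip        TEXT    PRIMARY KEY,
                   attempts  INTEGER NOT NULL DEFAULT 0,
                   last_seen INTEGER NOT NULL
               )');
    return $db;
}

/**
 * True while $ip has reached $maxAttempts and its last attempt is less than
 * $banSeconds old. Call this first on every request: a banned client gets the
 * configured HTTP error without any further processing.
 */
function isBanned(PDO $db, string $ip, int $maxAttempts, int $banSeconds, int $now): bool
{
    $stmt = $db->prepare('SELECT attempts, last_seen FROM mi_iptable WHERE ip = :ip');
    $stmt->execute([':ip' => $ip]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false;
    }
    return (int) $row['attempts'] >= $maxAttempts
        && ($now - (int) $row['last_seen']) < $banSeconds;
}

/**
 * Record one intercepted attack from $ip and return whether the ban is now in
 * force. Rows whose last attempt is older than the ban window are dropped
 * first, so the counter restarts once a ban has expired.
 */
function recordAttempt(PDO $db, string $ip, int $maxAttempts, int $banSeconds, int $now): bool
{
    $db->prepare('DELETE FROM mi_iptable WHERE last_seen < :cutoff')
       ->execute([':cutoff' => $now - $banSeconds]);
    $db->prepare('INSERT OR IGNORE INTO mi_iptable (ip, attempts, last_seen) VALUES (:ip, 0, :now)')
       ->execute([':ip' => $ip, ':now' => $now]);
    $db->prepare('UPDATE mi_iptable SET attempts = attempts + 1, last_seen = :now WHERE ip = :ip')
       ->execute([':now' => $now, ':ip' => $ip]);
    return isBanned($db, $ip, $maxAttempts, $banSeconds, $now);
}

// Constructed walk-through: three attempts allowed, ban held for 600 seconds.
$db = openBanStore();
$ip = '192.0.2.10';                   // documentation address, not a real attacker
$t0 = time();
foreach ([1, 2, 3] as $n) {
    $banned = recordAttempt($db, $ip, 3, 600, $t0 + $n);
    printf("attempt %d at t0+%d: banned=%s\n", $n, $n, $banned ? 'yes' : 'no');
}
printf("t0+500: banned=%s\n", isBanned($db, $ip, 3, 600, $t0 + 500) ? 'yes' : 'no');
printf("t0+700: banned=%s\n", isBanned($db, $ip, 3, 600, $t0 + 700) ? 'yes' : 'no');
```

isBanned() is the check to run first on every front-end request, before the SQL injection / LFI scan; recordAttempt() is called whenever the scan blocks a request. The third attempt triggers the ban, which is still in force 500 seconds later and has expired after 700. The plugin's real table layout may differ from this one.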

 

Recovery of improper installation

This plugin is working on many hundreds of sites, but it has not been tested with all the most common extensions. Please check that the most important functions of your website are still running correctly.

Tested (more or less) with:

  • ckForms
  • virtuemart
  • joomfish
  • PhocaDownload
  • PhocaGallery
  • RokDownloads
  • AcyMailing
  • ccnews
  • AlphaRegistration
  • Chrono Contact
  • SOBI2

and others.

It has never happened, but better safe than sorry: if something goes wrong you can easily restore the site by following the instructions below.

Blank page after install

Typically this means you tried to install on PHP 4.

Joomla! 1.5
Use phpMyAdmin (or whatever SQL editor you use) and select the #__plugins table (#__ is usually jos_).
Select the record whose name is "System - Marco's SQL Injection - LFI Interceptor" (it is probably the last one). Edit this record and set the "published" field to "0". The plugin is now disabled.

Joomla! 1.6, Joomla! 1.7
Use phpMyAdmin (or whatever SQL editor you use) and select the #__extensions table (#__ is usually jos_).
Select the record whose name is "System - Marco's SQL Injection - LFI Interceptor" (it is probably the last one). Edit this record and set the "enabled" field to "0". The plugin is now disabled.

JDatabaseMySQL::query: 1146 - Table 'xxx.yyy_mi_iptable' doesn't exist

Debug was enabled when you activated IP blocking.

Disable the plugin
see above

Disable Debug
open configuration.php via FTP and set
var $debug = '0';
then reload the page.


HISTORY

Version 1.1 (Mar 10th, 2011)

  • added automatic IP banning (IP blocking)
  • RegEx improvements to intercept more SQL attacks

Version 1.0 (Jan 5th, 2011)

  • Joomla! v1.6 compatibility
  • mail is also sent when an error is raised
  • minor code optimization
  • no bug fixes, so you do not need to upgrade

Version .98a (Jun 1st, 2010) Thanks to Jeff

  • fixed backtick matching
  • fixed "union all" matching
  • fixed the ....// exploit
  • added more info to the report mail

 

Download Marco's SQL Injection - LFI Interceptor Plugin for Joomla!

Please keep in mind, I repeat: this plugin intercepts a lot of common exploits, not ALL of them! It should be regarded as a help, not as "THE SOLUTION".

Joomla! 1.5

Joomla! 1.6 & Joomla! 1.7

Previous versions

 

Comments

 
0 #51 railer 2012-01-31 13:26
Ciao Marco,

Will this run on J 2.5?

Thanks,
railer

===Answer
Hi railer,
yes it does.
Really: there is no difference between Joomla versions 1.7 and 2.5.

imho: J2.5 should be J1.6.3

bye,
marco
 
 
0 #50 ciccio 2012-01-22 15:04
hi,
I am trying to install the plugin on a Joomla 1.5.23 site, but as soon as I enable it I get a parse error and I have to rename the file marcosinterceptor.php to get the site working again.
How can I fix this?

thanks

===Answer:
in these cases it is useful and appropriate to report the error message. Anyway:
1. check that you have PHP 5
2. check that Joomla's debug is disabled.

bye,
marco
 
 
0 #49 Dave 2012-01-16 06:22
Will this plugin work on Joomla 1.5 running in 1.0 Legacy Mode?

===Answer:
It should work, but I've never tested it :(

bye,
marco
 
 
0 #48 railer 2012-01-04 15:35
@nedzad: I've been getting these intrusion attempts too, recently, from the same IP as yours and others in the neighborhood. It looks like the attacker is trying to export the Joomla Users table. I traced the IP address to Network Operations Center, Inc., which is also part of Burst.net and I called them up and was told to send an email to containing my site's server access logs for the IPs in question and they would look into it. They need proof to confront their clients with. Burst.net resells Internet services. Hope something comes of it.
 
 
0 #47 nedzad 2012-01-04 13:33
folks, what does this mean:
** -- [GET:id] => -999 -- 0,0x33633273366962,0,0,0,0,0 ,0,0,0,0x33633273366962,0,0 from --jos_users--
** Table name in url [GET:id] => -999 -- 0,0x33633273366962,0,0,0,0,0 ,0,0,0,0x33633273366962,0,0 from --jos_users--
** -- [REQUEST:id] => -999 -- 0,0x33633273366962,0,0,0,0,0 ,0,0,0,0x33633273366962,0,0 from --jos_users--
** Table name in url [REQUEST:id] => -999 -- 0,0x33633273366962,0,0,0,0,0 ,0,0,0,0x33633273366962,0,0 from --jos_users--

**PAGE / SERVER INFO


*REMOTE_ADDR :
96.9.149.70

*HTTP_USER_AGENT :
Mozilla/5.2 (Windows; U; Windows NT 5.2; en-EN) Gecko/20080919 Firefox/3.5.6

*REQUEST_METHOD :
GET

*QUERY_STRING :
option=com_jphoto&view=category&id=-999%2F%2A%2A%2FuNiOn%2F%2A%2A%2Fall%2F%2A%2A%2FsEleCt%2F%2A%2A%2F0%2C0x33633273366962%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0x33633273366962%2C0%2C0%2F%2A%2A%2Ffrom%2F%2A%2A%2Fjos_users--

===Answer:
Hi nedzad,
this is an attempt to get the e-mail of the admin users, in order to force a password reset. This kind of attack does not work (should not work) with Joomla 1.5.16+.

bye,
marco
 
 
0 #46 Ralier 2011-12-17 13:42
Very interesting...

I had been receiving hundreds of notices from my Marco's Interceptor plugins on about 20 Joomla 1.5 sites 24/7 over a period of about 5 days. (Thanks to Marco for a great plugin!)

I added code to all my template head areas to set the generator metatag to "null" and the intrusion attempt notices have completely stopped.

It would appear that the script kiddie probing my sites was looking for sites with the Joomla generator tag.

Thought I'd share that here. If anybody else makes the same mod and can confirm that the probes stop, please post here.

Couldn't paste the code here so Google "joomla generator metatag remove" and you get to it.

Hope this helps someone... Good luck!
Railer

====Answer
This is a great example of what a script kid is: searching the head of the HTML for the string "Joomla" is the most curious way to see whether a site is based on our CMS... (want to be sure? check for com_content).

Anyway: security through obscurity is not security...

Thank you for your report Railer; other reports about this header hack are welcome!

bye, marco
 
 
0 #45 Yurii 2011-11-10 08:35
Quote:
'select union' when joomla expects an ID (an integer gotten with getVar instead of getInt).
...
comments like # or -- are not a problem because they act till the end of line (they can't be closed)

bye,
marco



oh, got your point, unquoted int, like
user_id = 222

but example, will it catch
user_id = 2 and email = 'aaa'

i will hack
user_id = 1;delete from users;--

uh?

==== Answer

This is the reason why I said this is not THE solution but only a help (and I have repeated this several times in the instructions).
Also: this is not commercial software, so I do not have to tell you how wonderful it is just to sell it ;)


I'm a sysadmin with 20+ years of experience and I can hack your site or your server in half an hour, whatever it is... I know there are a lot of sysadmins like me, so it's impossible to ensure full protection with a simple plugin, but a plugin can stop script kiddies, and almost all attacks come from this kind of hacker.


Anyway, the goal of a hacker is to take control of your site, so it is very unlikely that he uses something like 'delete all': this is revenge, not a hack.

BTW:
I forgot to say an important thing...

user_id = 1;delete from xxx_users;--

DOES NOT WORK when this plugin is installed; does someone know why?

bye,
marco
 
 
0 #44 Yurii 2011-11-09 14:17
Quoting Mark:
Hi,
... As I said, emails can be sent from Admin console and other plugins are sending email okay.
Any ideas?
Thanks!


replace
JUtility::sendMail($app->getCfg('mailfrom'), $app->getCfg('mailfrom'), $p_sendTo, $app->getCfg('sitename') . " Marco's interceptor warning ", $warning, false);

with the code

jimport('joomla.mail.mail');
$mail = new JMail();
$mail->setSender($app->getCfg('mailfrom'));
$mail->addRecipient($p_sendTo);
$mail->setSubject($app->getCfg('sitename') . " Marco's interceptor warning ");
$mail->setBody($warning);
$mail->send();

==== Answer
Thanks a lot Yuri :)

bye,
marco
 
 
+2 #43 Mark 2011-11-09 12:44
Hi,
Great plugin Marco.
We have SMTP email configured and it works fine, but the plugin is failing to send the warning email: 'Could not instantiate mail function.'. As I said, emails can be sent from Admin console and other plugins are sending email okay.
Any ideas?
Thanks!
 
 
+1 #42 Yurii 2011-11-09 11:57
your comment security just ate
S-E-L-E-C-T U-N-I-O-N and probably something more..

maybe wrong, type here again
select
SELECT

==== Answer
Hi Yuri, you found a way to check the plugin!
select union on users' table is a typical SQLI attack.

bye,
marco
 
