apache-ultimate-bad-bot-blocker icon indicating copy to clipboard operation
apache-ultimate-bad-bot-blocker copied to clipboard

Published 20 hours ago verified publisher icon mitchellkrogza

Addition to prevent Joomla 0day or similar

Open davcpas1234 opened this issue 7 years ago • 7 comments
trafficstars

Opening this as an issue, rather that a PR as it's not a bad bot or referrer, rather a user-agent exploit, but could we add a "bad bot" to capture similar to this:

}__test|O:21:\"JDatabaseDriverMysqli\":3:{s:4:\"\\0\\0\\0a\";O:17:\"JSimplepieFactory\":0:{}s:21:\"\\0\\0\\0disconnectHandlers\";a:1:{i:0;a:2:{i:0;O:9:\"SimplePie\":5:{s:8:\"sanitize\";O:20:\"JDatabaseDriverMysql\":0:{}s:5:\"cache\";b:1;s:19:\"cache_name_function\";s:6:\"assert\";s:10:\"javascript\";i:9999;s:8:\"feed_url\";s:54:\"eval(base64_decode($_POST[111]));JFactory::get();exit;\";}i:1;s:4:\"init\";}}s:13:\"\\0\\0\\0connection\";i:1;}\xf0\x9d\x8c\x86

Maybe something like this:

RewriteCond %{HTTP_USER_AGENT} ^\W [OR]

davcpas1234 avatar Aug 07 '18 09:08 davcpas1234

Thanks @davcpas1234 ^\W seems to give a good clean match and { shouldn't actually be in any domain strings. I will add this, can you test?

mitchellkrogza avatar Aug 07 '18 12:08 mitchellkrogza

@davcpas1234 added in https://github.com/mitchellkrogza/apache-ultimate-bad-bot-blocker/commit/d12edf07c8098ff2c759c0eeff2f569779887edb can you please test.

mitchellkrogza avatar Aug 07 '18 12:08 mitchellkrogza

@mitchellkrogza I've tested, however appears that this exploit still gets around the check:

"GET / HTTP/1.1" 503 299 <URL> "-" "}__test|O:21:\"JDatabaseDriverMysqli\":3:{s:4:\"\\0\\0\\0a\";O:17:\"JSimplepieFactory\":0:{}s:21:\"\\0\\0\\0disconnectHandlers\";a:1:{i:0;a:2:{i:0;O:9:\"SimplePie\":5:{s:8:\"sanitize\";O:20:\"JDatabaseDriverMysql\":0:{}s:5:\"cache\";b:1;s:19:\"cache_name_function\";s:6:\"assert\";s:10:\"javascript\";i:9999;s:8:\"feed_url\";s:54:\"eval(base64_decode($_POST[111]));JFactory::get();exit;\";}i:1;s:4:\"init\";}}s:13:\"\\0\\0\\0connection\";i:1;}\xf0\x9d\x8c\x86" "-" Fails and returns 503

"GET / HTTP/1.1" 403 299 <URL> "-" "}__test" "-" Succeeds and returns 403

davcpas1234 avatar Aug 09 '18 00:08 davcpas1234

Thanks for testing David @davcpas1234 we will have to run some more regex tests and try find a good catch for this.

mitchellkrogza avatar Aug 09 '18 07:08 mitchellkrogza

@davcpas1234 can you test this regex on your server?

https://regex101.com/r/euluSl/1

mitchellkrogza avatar Aug 09 '18 13:08 mitchellkrogza

Thanks @mitchellkrogza will update as soon as I can.

davcpas1234 avatar Aug 09 '18 14:08 davcpas1234

Still no luck with the above @mitchellkrogza. Even with .*{.* my server is still generating a 503 Service Unavailable response, which I suppose is positive. Maybe that is stopping the 403 from being generated?

davcpas1234 avatar Aug 16 '18 03:08 davcpas1234