According to this SQL Injection Basics article:

<…> the operations mostly used for breaking\fuzzing the SQL queries are:

'  Single quote
"  Double quote
\  Backslash (MySQL escape character)

There are also hex-encoded characters (e.g. 0x3a3a) sometimes.
I want to log and drop all requests containing those. Here's where I am so far:
    set $susp 0;
    if ($request_uri ~ "%27") {
        set $susp 1;
    }

    location ~ \.php {
        if ($susp = 1) {
            access_log /var/log/nginx/for-review.log;
            return 500;
        }
        # further fastcgi configuration
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/var/run/php5-fpm.sock;
    }
(I understand that if is evil, but it seemed necessary)
This fails to trigger on /foo/ba'r, but at least works fine on /?foo=b'ar. But that's it: the other characters I try aren't triggered either.
Here's what I've tried:

$request_uri ~ "%27|%22" : single works, double doesn't
$request_uri ~ "%27|\"" : single works, double doesn't
$request_uri ~ "%27|0x" : both work, but 0x gets false positives on thumb=230x240
And I'm not even sure how to approach the backslash.
Do you guys know how to make it work?
P.S. Thought about using Amazon WAF, but it requires another service (Cloudflare or load balancer) which I'm not yet ready for.
P.S. I realise that other measures need to be taken; this is supposed to drop those annoying GET scans. Also I doubt the legit visitors will end up having those while they're browsing. My logic was this: any barrier complicating the hack helps.
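The matching logic the question is after, written out as an added Python example rather than nginx configuration (this is not the asker's code and not an nginx feature): percent-decode the request line once so that an encoded `%27` and a literal `'` are treated alike, then search for the three characters the cited article lists, and match `0x` hex literals only where `0x` is not preceded by another digit or letter, which keeps `thumb=230x240` from triggering. In nginx, `$request_uri` is the raw, still-encoded request line while `$uri` is the decoded path without the query string, which is why the example decodes before matching. The sample URIs at the bottom are constructed for the demonstration.

```python
import re
from urllib.parse import unquote

# The literal SQL-breaking characters from the article the question cites:
# single quote, double quote, backslash.
SQLI_CHARS = re.compile(r"""['"\\]""")

# A hex literal such as 0x3a3a. The negative look-behind refuses a match when
# "0x" is preceded by a letter or digit, so "thumb=230x240" is not flagged.
HEX_LITERAL = re.compile(r"(?<![0-9A-Za-z])0x[0-9A-Fa-f]+")


def normalize(request_uri: str) -> str:
    """Percent-decode the whole request line (path and query) exactly once.

    One decode pass mirrors what a web server does before routing; a
    double-encoded "%2527" therefore decodes to "%27" and stays unmatched,
    which is the same blind spot a single server-side decode has.
    """
    return unquote(request_uri)


def classify(request_uri: str):
    """Return 'quote' or 'hex' when the URI looks like a probe, else None.

    The label is what you would want written to a for-review log so the
    entries can be triaged by rule rather than by eyeballing the URI.
    """
    decoded = normalize(request_uri)
    if SQLI_CHARS.search(decoded):
        return "quote"
    if HEX_LITERAL.search(decoded):
        return "hex"
    return None


def is_suspicious(request_uri: str) -> bool:
    """Boolean form of classify(), the equivalent of the $susp flag."""
    return classify(request_uri) is not None


# Constructed sample request lines (not taken from real traffic).
SAMPLE_URIS = [
    "/foo/ba'r",                          # literal quote in the path
    "/?foo=b'ar",                         # literal quote in the query
    "/?foo=b%27ar",                       # encoded single quote
    "/?q=%22x%22",                        # encoded double quotes
    "/?path=..%5Cetc",                    # encoded backslash
    "/?id=1%20union%20select%200x3a3a",   # hex literal
    "/img?thumb=230x240",                 # legitimate, must not match
    "/index.php?page=2",                  # legitimate, must not match
]

if __name__ == "__main__":
    for uri in SAMPLE_URIS:
        print(f"{classify(uri) or 'ok':5}  {uri}")
```

Running the block prints one verdict per sample line; the two legitimate URIs come out as `ok` and the six probes as `quote` or `hex`. The same three expressions can be carried over to an nginx regex, but the decode step has to be accounted for there by matching the decoded `$uri` for the path and the raw `$args` for the query string separately.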