#30750 SQLi protection

Posted in ‘Admin Tools for Joomla! 4 & 5’

Environment Information

Joomla! version
n/a
PHP version
n/a
Admin Tools version
n/a

Latest post on Thursday, 14 February 2019 17:17 CST

adoucette
Hi,
First, thank you for providing a great product in AdminTools.
I've been getting SQLi block notifications for the past couple of months, about once daily, and they always come in pairs and they always come from a fresh IP address. Whoever (or whatever) is doing this thus avoids auto-blacklisting. (Currently set to block after 3 attacks in 1 day, and block for 40 days; permanently blacklist after 3 IP blocks.)
The url strings look like:
https://mysite.com/mysite-info?catid=0&id=4699999%22%20union%20select%20unhex(hex(version()))%20--%20%22x%22=%22x

and

https://mysite.com/mysite-info?catid=0&id=46999999.1%20union%20select%20unhex(hex(version()))%20--%20and%201%3D1

They change just a little bit incrementally with each attack, again same basic pattern with a new IP address each time.
So, to me, this looks like a fairly deliberate attempt to either get into - or just get information from - the website. It looks like this site is being targeted, albeit patiently.

Are there any additional things I could be doing to prevent these attacks from eventually someday working?
Is it, for example, safe to auto-ban after a single SQLi match in AdminTools?

Thank you for any advice, and thanks again for supplying a great product.

Ari

nicholas
Akeeba Staff
Manager
What you see is the result of a fuzzing script, i.e. a script designed to deliberately probe for the existence of an array of vulnerabilities in software. Think of it as spray shooting in the hopes that you hit someone.

The payload is rather innocuous at first glance. It merely tries (AND FAILS because Admin Tools kicks its sorry miscreant ass to the curb every single time) to get the MySQL server version.

Moreover, it seems to be run by a newbie. They run the same ineffective probe millions and millions of times over as if anything would change (spoiler alert: it won't). If they had a shred of common sense they'd have stopped these attempts by now.

There is a way to block this very specific attack at the .htaccess level so that your server doesn't waste resources on this attack. It won't even start PHP, let alone run Joomla! and Admin Tools. It simply denies access with a 403. The code which will do that is:
# Match the raw (still percent-encoded) query string, case-insensitively ([NC]),
# for an id= parameter carrying a UNION SELECT unhex(hex(...)) payload.
RewriteCond %{QUERY_STRING} id=\S*[\.0-9]*\S*union\S*select\S*unhex\S*\(\S*hex\S*\( [NC]
# Answer any such request with 403 Forbidden before PHP is started.
RewriteRule .* - [F]

and should be put right after the RewriteBase line in your .htaccess file. If you are using .htaccess Maker put this in the "Custom .htaccess rules at the top of the file" and regenerate the .htaccess file.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!
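The rule above can be checked offline before it is put into a live .htaccess file. The following Python script is an added example, not code from the ticket or from Admin Tools: it translates the RewriteCond pattern into a Python regular expression (Apache's [NC] flag becomes re.IGNORECASE, and mod_rewrite matches %{QUERY_STRING} in its raw, still percent-encoded form, so the samples are fed in undecoded), runs it over the two query strings posted in the ticket plus three constructed variants, and decodes each one so the probe is readable. The sample names and the helper functions are this example's own.

```python
import re
from urllib.parse import unquote

# The RewriteCond pattern from the ticket, as a Python regex.
# [NC] in Apache == re.IGNORECASE here. Apache applies the pattern to the
# raw query string, so "%20" between the keywords is matched by \S*, not by
# whitespace.
RULE = re.compile(
    r"id=\S*[\.0-9]*\S*union\S*select\S*unhex\S*\(\S*hex\S*\(",
    re.IGNORECASE,
)


def is_blocked(query_string: str) -> bool:
    """True if the .htaccess rule would answer this query string with 403."""
    return RULE.search(query_string) is not None


def decode(query_string: str) -> str:
    """Return the query string with percent-encoding removed, for reading."""
    return unquote(query_string)


# Constructed sample query strings (names are this example's own):
#   ticket_1 / ticket_2  - the two probes quoted in the ticket
#   benign               - an ordinary request to the same URL
#   upper_plus           - same probe, upper-cased and with '+' for spaces
#   paren_encoded        - same probe with the parentheses percent-encoded
SAMPLES = {
    "ticket_1": "catid=0&id=4699999%22%20union%20select%20unhex(hex(version()))%20--%20%22x%22=%22x",
    "ticket_2": "catid=0&id=46999999.1%20union%20select%20unhex(hex(version()))%20--%20and%201%3D1",
    "benign": "catid=0&id=4699999",
    "upper_plus": "catid=0&id=4699999+UNION+SELECT+UNHEX(HEX(VERSION()))+--+x",
    "paren_encoded": "catid=0&id=4699999%20union%20select%20unhex%28hex%28version%28%29%29%29%20--%20x",
}


def classify(samples=SAMPLES):
    """Map each sample name to whether the rule blocks it."""
    return {name: is_blocked(qs) for name, qs in samples.items()}


if __name__ == "__main__":
    for name, qs in SAMPLES.items():
        print(f"{name:14} blocked={str(is_blocked(qs)):5}  decoded: {decode(qs)}")
```

Running it shows the two ticket probes and the upper-cased variant blocked and the benign request passed. The paren_encoded sample is not blocked: the pattern requires literal "(" characters, so a probe that percent-encodes them as %28 falls through to Joomla! and Admin Tools' own SQLi filter. That is consistent with Nicholas's description of the rule as a cheap front-line block for this one specific probe, not a replacement for the application-level protection.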

adoucette
OK, I have done that and will see how it goes.

Thanks for the assist.

System Task
system
This ticket has been automatically closed. All tickets which have been inactive for a long time are automatically closed. If you believe that this ticket was closed in error, please contact us.
