Gentoo Forums
Bash or Cron Script to check for sql injection
oldnavy23
Tux's lil' helper


Joined: 09 Jul 2007
Posts: 86
Location: USA

Posted: Wed Jan 09, 2013 6:19 pm    Post subject: Bash or Cron Script to check for sql injection

Is there any way I can make a cron script or bash script to run the following and alert me right away, or email me at the end of the day?

Also have the date piece change so it's always running yesterday's logged info.

sudo grep -iw "08/jan.*select" /var/log/apache2/access_log
sudo grep -iw "08/jan.*vchar" /var/log/apache2/access_log
sudo grep -iw "08/jan.*bchar" /var/log/apache2/access_log
sudo grep -iw "08/jan.*char" /var/log/apache2/access_log
sudo grep -iw "08/jan.*select" /var/log/apache2/access_log
sudo grep -iw "08/jan.*=-" /var/log/apache2/access_log
sudo grep -iw "08/jan.*1=1" /var/log/apache2/access_log
sudo grep -iw "08/jan.*exec" /var/log/apache2/access_log
sudo grep -iw "08/jan.*declare" /var/log/apache2/access_log

thanks
oldnavy23
Hu
Watchman


Joined: 06 Mar 2007
Posts: 8904

Posted: Thu Jan 10, 2013 2:14 am    Post subject:

Why would you do this instead of fixing the vulnerability in your web application? Cron automatically e-mails output to a specified address, and can run the command as a user of your choosing.
dataking
Apprentice


Joined: 20 Apr 2005
Posts: 155

Posted: Thu Jan 10, 2013 2:43 am    Post subject: Re: Bash or Cron Script to check for sql injection

Code:

#!/bin/bash
sudo grep -iw "08/jan.*select" /var/log/apache2/access_log
sudo grep -iw "08/jan.*vchar" /var/log/apache2/access_log
sudo grep -iw "08/jan.*bchar" /var/log/apache2/access_log
sudo grep -iw "08/jan.*char" /var/log/apache2/access_log
sudo grep -iw "08/jan.*select" /var/log/apache2/access_log
sudo grep -iw "08/jan.*=-" /var/log/apache2/access_log
sudo grep -iw "08/jan.*1=1" /var/log/apache2/access_log
sudo grep -iw "08/jan.*exec" /var/log/apache2/access_log
sudo grep -iw "08/jan.*declare" /var/log/apache2/access_log


Simple as that (note the "shabang" line at the top). As far as the email part, basically what Hu said, except that it goes to local system mail, not gmail or hotmail or whatever (unless the local mail system is configured to forward to external addresses -- IIRC, this can be done via the /etc/mail/aliases file).

Hu wrote:
Why would you do this instead of fixing the vulnerability in your web application?

Maybe he just wants to check for SQL Injection attempts, and there is no vulnerability in the application? Or he doesn't know about the vulnerability and wants to know when/if he gets pwned?
_________________
-= the D@7@k|n& =-
oldnavy23
Tux's lil' helper


Joined: 09 Jul 2007
Posts: 86
Location: USA

Posted: Thu Jan 10, 2013 8:08 pm    Post subject:

Well, it's a 3rd-party app on my server. Also, how could I make it so it just shows the day before, or do I need to keep editing the file from 08/jan to 09/jan?
Hu
Watchman


Joined: 06 Mar 2007
Posts: 8904

Posted: Fri Jan 11, 2013 3:22 am    Post subject: Re: Bash or Cron Script to check for sql injection

dataking wrote:
Code:
#!/bin/bash
sudo grep -iw "08/jan.*select" /var/log/apache2/access_log
sudo grep -iw "08/jan.*vchar" /var/log/apache2/access_log
sudo grep -iw "08/jan.*bchar" /var/log/apache2/access_log
sudo grep -iw "08/jan.*char" /var/log/apache2/access_log
sudo grep -iw "08/jan.*select" /var/log/apache2/access_log
sudo grep -iw "08/jan.*=-" /var/log/apache2/access_log
sudo grep -iw "08/jan.*1=1" /var/log/apache2/access_log
sudo grep -iw "08/jan.*exec" /var/log/apache2/access_log
sudo grep -iw "08/jan.*declare" /var/log/apache2/access_log

Please do not advocate something so ugly. First, cron can run the command as a user of sufficient privilege. Second, sudo may require a password, in which case the job would fail with no user around. Third, unless the OP specifically needs to have each search run separately, it would be far better to perform all the searches using a single grep.

dataking wrote:
As far as the email part, basically what Hu said, except that it goes to local system mail, not gmail or hotmail or whatever (unless the local mail system is configured to forward to external addresses -- IIRC, this can be done via the /etc/mail/aliases file).

It goes where you tell it to go. By default, it goes to the local mailbox of the user who owns the crontab. If your crontab specifies to mail the result offsite, and your MDA is configured to support this, then it will happen.

dataking wrote:
Hu wrote:
Why would you do this instead of fixing the vulnerability in your web application?

Maybe he just wants to check for SQL Injection attempts, and there is no vulnerability in the application? Or he doesn't know about the vulnerability and wants to know when/if he gets pwned?

Searching for specific blacklisted strings, although marginally effective in detecting canned exploits, is a terrible way to run a security system.

oldnavy23 wrote:
Also, how could I make it so it just shows the day before, or do I need to keep editing the file from 08/jan to 09/jan?

Derive the grep expression from the preceding date. You may find date useful for this.

You may also wish to add -n to your grep call.
Mad Merlin
Veteran


Joined: 09 May 2005
Posts: 1143

Posted: Fri Jan 11, 2013 3:44 am    Post subject: Re: Bash or Cron Script to check for sql injection

Hu wrote:
dataking wrote:
Hu wrote:
Why would you do this instead of fixing the vulnerability in your web application?

Maybe he just wants to check for SQL Injection attempts, and there is no vulnerability in the application? Or he doesn't know about the vulnerability and wants to know when/if he gets pwned?

Searching for specific blacklisted strings, although marginally effective in detecting canned exploits, is a terrible way to run a security system.


I just want to reiterate this point. Using a naive approach like the above will miss POSTed injections as well as urlencoded injections and other obfuscated attempts, at the very least. Not to mention the fact that you won't be able to tell from the request alone whether or not you were actually exploited, and experience suggests that you will see a lot of noise, even on software you don't have installed. Additionally, it will probably do more harm than good by instilling a false sense of security.
_________________
Game! - Where the stick is mightier than the sword!
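Hu's suggestions in the thread (a single grep, the day derived with date, -n, no sudo) put together as an added example that is not part of any post above; the `--run` switch, the `sample_log` helper and the script path in the crontab comment are assumptions made for illustration. The constructed sample log also contains a URL-encoded request, which the search does not report, as Mad Merlin describes.

```shell
#!/bin/bash
# Added example (not from the thread): report one day's hits with a single grep.

# Day stamp as Apache writes it in access_log, e.g. 08/Jan/2013.
# Needs GNU date; LC_ALL=C keeps the month abbreviation in English.
# $1 = optional date expression, defaults to yesterday.
log_day() {
    LC_ALL=C date -d "${1:-yesterday}" '+%d/%b/%Y'
}

# The thread's search terms as one alternation, with the thread's -i and -w
# flags, plus -n for line numbers and -E for the alternation syntax.
# $1 = day stamp from log_day, $2 = log file.
scan_day() {
    grep -inwE "$1:.*(select|vchar|bchar|char|exec|declare|=-|1=1)" "$2"
}

# Constructed sample log for a dry run (not real traffic).
# Line 2 is reported for 08/Jan/2013; line 3 carries the same kind of
# payload URL-encoded (1%3D1) and is NOT reported; line 4 is the next day.
sample_log() {
    cat <<'EOF'
192.0.2.10 - - [08/Jan/2013:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 512
192.0.2.11 - - [08/Jan/2013:10:05:09 +0000] "GET /item.php?id=1+union+select+1 HTTP/1.1" 200 734
192.0.2.12 - - [08/Jan/2013:11:30:00 +0000] "GET /item.php?id=1%20or%201%3D1 HTTP/1.1" 200 734
192.0.2.11 - - [09/Jan/2013:00:00:07 +0000] "GET /item.php?id=1+or+1=1 HTTP/1.1" 200 734
EOF
}

# Cron entry point: scan yesterday's entries of the real log.
# Install in the crontab of a user that can read the log, so no sudo is
# needed; cron mails whatever this prints to the crontab's MAILTO address.
# Hypothetical crontab line (the script path is a placeholder):
#   5 0 * * * /path/to/this-script --run
if [ "${1:-}" = "--run" ]; then
    scan_day "$(log_day)" "${LOG:-/var/log/apache2/access_log}"
fi
```

If the log is rotated around midnight, yesterday's entries may sit in the rotated file, so set LOG to that file instead.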