Viewing 3 replies - 1 through 3 (of 3 total)
  • Interesting issue.

    I used the Apache to nginx converter at:

    https://timmehosting.de/htaccess-converter

    to convert the Apache .htaccess rules to nginx rules and this is the result:

    [ Moderator note: Code fixed, please wrap code in backticks or use the code button. Not blockquote. ]

    if ($args ~* "\.\.\/"){set $rule_0 1;}
    if ($args ~* "^.*\.(bash|git|hg|log|svn|swp|cvs)"){set $rule_0 1;}
    if ($args ~* "etc/passwd"){set $rule_0 1;}
    if ($args ~* "boot\.ini"){set $rule_0 1;}
    if ($args ~* "ftp\:"){set $rule_0 1;}
    if ($args ~* "http\:"){set $rule_0 1;}
    if ($args ~* "https\:"){set $rule_0 1;}
    if ($args ~* "(\<|<).*script.*(\>|>)"){set $rule_0 1;}
    if ($args ~* "mosConfig_[a-zA-Z_]{1,21}(=|=)"){set $rule_0 1;}
    if ($args ~* "base64_encode.*\(.*\)"){set $rule_0 1;}
    if ($args ~* "^.*($&x).*"){set $rule_0 1;}
    if ($args ~* "^.*(127\.0).*"){set $rule_0 1;}
    if ($args ~* "^.*(globals|encode|localhost|loopback).*"){set $rule_0 1;}
    if ($args ~* "^.*(request|concat|insert|union|declare).*"){set $rule_0 1;}
    if ($args !~ "^loggedout=true"){set $rule_0 15$rule_0;}
    if ($args !~ "^action=jetpack-sso"){set $rule_0 16$rule_0;}
    if ($args !~ "^action=rp"){set $rule_0 17$rule_0;}
    if ($http_cookie !~ "^.*wordpress_logged_in_.*$"){set $rule_0 18$rule_0;}
    if ($http_referer !~ "^https://maps\.googleapis\.com(.*)$"){set $rule_0 19$rule_0;}
    if ($rule_0 = "19181716151"){
    	break;
    }

    As indicated by the author of the converter tool, there may still be errors in the converter result provided.

    Anyway, it seems the logic behind the original nginx lines as produced by the iTSec plugin is definitely not correct. But I’m not sure just replacing !~ with ~* will solve this properly … I would prefer the lines above (which keep the Apache .htaccess and nginx logic in sync).

    Also a rule for preventing access to the wp-config.php file is included in the iTSec plugin “Protect System Files” System Tweaks setting.
    I thought I’d just mention it in case you didn’t know.

    Oh, by the way, interesting presentation. Thanks for sharing.

    dwinden

    Thread Starter Vlada Smitka

    (@smitka)

    Yes, it is a pretty complicated logical condition.

    The rule from converter says:

    any of “bad rules” = 1 AND not loggedout AND not jetpack-sso AND not rp AND not logged_in AND not googleapis => “BLOCK”

    If any of loggedout OR jetpack OR rp OR logged_in OR googleapis is true, then the result is NOBLOCK.

    I think this is the same as my ~*: a BLOCK from any of the “bad rules” can be overwritten by any of the last rules.

    The rule for preventing access to wp-config.php does something different than the iTSec one. iTSec prevents access to this file directly, but my rule blocks all queries containing the “wp-config.php” string:

    e.g. the exploit for the Slider Revolution plugin:
    /admin-ajax.php?action=some_action&img=../wp-config.php

    Thanks for the appreciation of my presentation.

    Ok, I see now … using ~* also works. Thank you for the explanation.

    And I also see the subtle difference regarding wp-config.php rules.
    Useful post!

    Just for documentation purposes I will repeat the 2 possible solutions:

    set $susquery 0;
    if ($args ~* "\.\.\/"){ set $susquery 1; }
    if ($args ~* "^.*\.(bash|git|hg|log|svn|swp|cvs)"){ set $susquery 1; }
    if ($args ~* "etc/passwd"){ set $susquery 1; }
    if ($args ~* "boot\.ini"){ set $susquery 1; }
    if ($args ~* "ftp\:"){ set $susquery 1; }
    if ($args ~* "http\:"){ set $susquery 1; }
    if ($args ~* "https\:"){ set $susquery 1; }
    if ($args ~* "(\<|<).*script.*(\>|>)"){ set $susquery 1; }
    if ($args ~* "mosConfig_[a-zA-Z_]{1,21}(=|=)"){ set $susquery 1; }
    if ($args ~* "base64_encode.*\(.*\)"){ set $susquery 1; }
    if ($args ~* "^.*($&x).*"){ set $susquery 1; }
    if ($args ~* "^.*(127\.0).*"){ set $susquery 1; }
    if ($args ~* "^.*(globals|encode|localhost|loopback).*"){ set $susquery 1; }
    if ($args ~* "^.*(request|concat|insert|union|declare).*"){ set $susquery 1; }
    if ($args !~ "^loggedout=true"){ set $susquery 15$susquery; }
    if ($args !~ "^action=jetpack-sso"){ set $susquery 16$susquery; }
    if ($args !~ "^action=rp"){ set $susquery 17$susquery; }
    if ($http_cookie !~ "^.*wordpress_logged_in_.*$"){ set $susquery 18$susquery; }
    if ($http_referer !~ "^https://maps\.googleapis\.com(.*)$"){ set $susquery 19$susquery; }
    if ($susquery = "19181716151"){ return 403; }

    set $susquery 0;
    if ($args ~* "\.\.\/"){ set $susquery 1; }
    if ($args ~* "^.*\.(bash|git|hg|log|svn|swp|cvs)"){ set $susquery 1; }
    if ($args ~* "etc/passwd"){ set $susquery 1; }
    if ($args ~* "boot\.ini"){ set $susquery 1; }
    if ($args ~* "ftp\:"){ set $susquery 1; }
    if ($args ~* "http\:"){ set $susquery 1; }
    if ($args ~* "https\:"){ set $susquery 1; }
    if ($args ~* "(\<|<).*script.*(\>|>)"){ set $susquery 1; }
    if ($args ~* "mosConfig_[a-zA-Z_]{1,21}(=|=)"){ set $susquery 1; }
    if ($args ~* "base64_encode.*\(.*\)"){ set $susquery 1; }
    if ($args ~* "^.*($&x).*"){ set $susquery 1; }
    if ($args ~* "^.*(127\.0).*"){ set $susquery 1; }
    if ($args ~* "^.*(globals|encode|localhost|loopback).*"){ set $susquery 1; }
    if ($args ~* "^.*(request|concat|insert|union|declare).*"){ set $susquery 1; }
    if ($args ~* "^loggedout=true"){ set $susquery 0; }
    if ($args ~* "^action=jetpack-sso"){ set $susquery 0; }
    if ($args ~* "^action=rp"){ set $susquery 0; }
    if ($http_cookie ~* "^.*wordpress_logged_in_.*$"){ set $susquery 0; }
    if ($http_referer ~* "^https://maps\.googleapis\.com(.*)$"){ set $susquery 0; }
    if ($susquery = 1){ return 403; }

    Note the 2 solutions are untested and purely theoretical.
    The nginx rules can be fixed in the build_rewrite_rules() class method as defined in the better-wp-security/modules/free/tweaks/class-itsec-tweaks-admin.php file.

    dwinden
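As an added illustration (not code from the thread, the converter or the iTSec plugin), the following Python model evaluates the two solutions above the way nginx would, on a constructed subset of the patterns: it shows that the converter's string-concatenation form and the ~* overwrite form reach the same BLOCK/NOBLOCK decision, including for the Slider Revolution example query. It keeps one real difference between the two: the first form tests the exceptions with !~ (case-sensitive), the second with ~* (case-insensitive).

```python
import re

# Constructed subset of the thread's "bad query" patterns (nginx ~*, case-insensitive).
BAD_PATTERNS = [
    r"\.\.\/",
    r"etc/passwd",
    r"(\<|<).*script.*(\>|>)",
    r"base64_encode.*\(.*\)",
    r"^.*(request|concat|insert|union|declare).*",
]

# Exception rules from the thread: (request field, pattern). Any match means NOBLOCK.
EXCEPTIONS = [
    ("args", r"^loggedout=true"),
    ("args", r"^action=jetpack-sso"),
    ("args", r"^action=rp"),
    ("cookie", r"^.*wordpress_logged_in_.*$"),
    ("referer", r"^https://maps\.googleapis\.com(.*)$"),
]


def any_bad(args):
    """First half of both solutions: does any bad pattern match $args?"""
    return any(re.search(p, args, re.IGNORECASE) for p in BAD_PATTERNS)


def blocked_concat_form(req):
    """Solution 1 (converter output): each NON-matching exception (nginx !~,
    case-sensitive) prepends its number to $susquery; the request is blocked
    only when the string is exactly "19181716151", i.e. a bad match AND no
    exception matched."""
    sus = "1" if any_bad(req["args"]) else "0"
    for number, (field, pattern) in enumerate(EXCEPTIONS, start=15):
        if not re.search(pattern, req[field]):
            sus = f"{number}{sus}"
    return sus == "19181716151"


def blocked_overwrite_form(req):
    """Solution 2 (~* form): any matching exception (case-insensitive) resets
    $susquery to 0 and so overrides an earlier BLOCK."""
    sus = 1 if any_bad(req["args"]) else 0
    for field, pattern in EXCEPTIONS:
        if re.search(pattern, req[field], re.IGNORECASE):
            sus = 0
    return sus == 1


def request(args, cookie="", referer=""):
    """Constructed request holding the three nginx variables the rules read."""
    return {"args": args, "cookie": cookie, "referer": referer}
```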

  • The topic ‘Suspicious Query Strings in Nginx’ is closed to new replies.