Enthusiast (Joined: Oct 2007, Posts: 361, Likes: 8)
I'm seeing this in our logs:
Code
2.59.254.136 - - [06/Oct/2023:16:05:29 -0400] "GET /ubbthreads/ubbthreads.php?ubb=showflat%27%29%29%29%2F%2A%2A%2FaNd%2F%2A%2A%2F8301%2F%2A%2A%2FBeTWEEn%2F%2A%2A%2F%28sELEcT%2F%2A%2A%2FaNd%2F%2A%2A%2F%28sELEcT%28CAsE%2F%2A%2A%2FwhEN%2F%2A%2A%2F%288301%3D8301%29%2F%2A%2A%2FthEn%2F%2A%2A%2F8301%2F%2A%2A%2FelSe%2F%2A%2A%2F%28sELEcT%2F%2A%2A%2F1586%2F%2A%2A%2FuniON%2F%2A%2A%2FsELEcT%2F%2A%2A%2F2377%29%2F%2A%2A%2FenD%29%29--%2F%2A%2A%2Fpkgf&Board=1&Number=407581&Searchpage=3&Main=56047&Words=4%20barrel%20carb&topic=0&Search=true HTTP/1.1" 200 3206 "https://www.stovebolt.com/ubbthreads/ubbthreads.php" "Opera/9.01 (Windows NT 5.1; U; ru)"
2.59.254.136 - - [06/Oct/2023:16:05:31 -0400] "GET /ubbthreads/ubbthreads.php?ubb=showflat%%27%2F%2A%2A%2FAnd%2F%2A%2A%2F2508%2F%2A%2A%2FbetWEEn%2F%2A%2A%2F%28SELeCt%2F%2A%2A%2FAnd%2F%2A%2A%2F%28SELeCt%28CasE%2F%2A%2A%2FWHEn%2F%2A%2A%2F%282508%3D4408%29%2F%2A%2A%2FtHen%2F%2A%2A%2F2508%2F%2A%2A%2FElsE%2F%2A%2A%2F%28SELeCt%2F%2A%2A%2F4408%2F%2A%2A%2FuniON%2F%2A%2A%2FSELeCt%2F%2A%2A%2F5903%29%2F%2A%2A%2FENd%29%29--%2F%2A%2A%2FBkhs&Board=1&Number=407581&Searchpage=3&Main=56047&Words=4%20barrel%20carb&topic=0&Search=true HTTP/1.1" 200 3203 "https://www.stovebolt.com/ubbthreads/ubbthreads.php" "Opera/9.01 (Windows NT 5.1; U; ru)"
Here's what it looks like decoded:
Code
2.59.254.136 - - [06/Oct/2023:16:05:29 -0400] "GET /ubbthreads/ubbthreads.php?ubb=showflat')))/**/aNd/**/8301/**/BeTWEEn/**/(sELEcT/**/aNd/**/(sELEcT(CAsE/**/whEN/**/(8301=8301)/**/thEn/**/8301/**/elSe/**/(sELEcT/**/1586/**/uniON/**/sELEcT/**/2377)/**/enD))--/**/pkgf&Board=1&Number=407581&Searchpage=3&Main=56047&Words=4 barrel carb&topic=0&Search=true HTTP/1.1" 200 3206 "https://www.stovebolt.com/ubbthreads/ubbthreads.php" "Opera/9.01 (Windows NT 5.1; U; ru)"
2.59.254.136 - - [06/Oct/2023:16:05:31 -0400] "GET /ubbthreads/ubbthreads.php?ubb=showflat%'/**/And/**/2508/**/betWEEn/**/(SELeCt/**/And/**/(SELeCt(CasE/**/WHEn/**/(2508=4408)/**/tHen/**/2508/**/ElsE/**/(SELeCt/**/4408/**/uniON/**/SELeCt/**/5903)/**/ENd))--/**/Bkhs&Board=1&Number=407581&Searchpage=3&Main=56047&Words=4 barrel carb&topic=0&Search=true HTTP/1.1" 200 3203 "https://www.stovebolt.com/ubbthreads/ubbthreads.php" "Opera/9.01 (Windows NT 5.1; U; ru)"
Would there ever be a legitimate reason to have a select in the query string? I ask because if not, I'm going to block it in the .htaccess file.


The Stovebolt Geek
https://www.stovebolt.com/ubbthreads/ubbthreads.php

Server Information
UBB.threads Version 7.7.5
Release 20201027
Server OS Linux
Server Load 0.16
Web Server Apache/2.4.6
PHP Version 7.4.33
MYSQL Version 5.7.43
Database Size 1.85 GB
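The two log lines above are boolean-based blind SQL injection probes: the payload is percent-encoded, the keywords are in random case, and `/**/` inline comments replace spaces so that naive keyword matching breaks. Below is an added triage script (it is not code from the original post or from UBB.threads) that parses Apache combined-format lines, percent-decodes the query string, strips the comments, and flags any request whose query string contains several SQL keywords at once. The keyword list and the threshold of three are this example's own assumptions; the sample log is the two probes from the post, the Friendly URL request from later in the thread, and one constructed benign search containing the word "selection".

```python
"""Triage of SQL-injection probes in an Apache access log (added example)."""
import re
from urllib.parse import unquote

# Apache combined log format: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Assumed list: words that rarely co-occur in a real forum search but always
# do in CASE/WHEN/UNION style probes like the ones in the post.
SQL_KEYWORDS = ("select", "union", "case", "when", "then", "else", "end",
                "between", "sleep", "benchmark", "waitfor")
MIN_KEYWORDS = 3  # assumed threshold: flag when this many distinct keywords appear

# Constructed sample: two probes quoted in the post, the Friendly URL request
# quoted later in the thread, and one made-up benign search.
SAMPLE_LOG = r'''
2.59.254.136 - - [06/Oct/2023:16:05:29 -0400] "GET /ubbthreads/ubbthreads.php?ubb=showflat%27%29%29%29%2F%2A%2A%2FaNd%2F%2A%2A%2F8301%2F%2A%2A%2FBeTWEEn%2F%2A%2A%2F%28sELEcT%2F%2A%2A%2FaNd%2F%2A%2A%2F%28sELEcT%28CAsE%2F%2A%2A%2FwhEN%2F%2A%2A%2F%288301%3D8301%29%2F%2A%2A%2FthEn%2F%2A%2A%2F8301%2F%2A%2A%2FelSe%2F%2A%2A%2F%28sELEcT%2F%2A%2A%2F1586%2F%2A%2A%2FuniON%2F%2A%2A%2FsELEcT%2F%2A%2A%2F2377%29%2F%2A%2A%2FenD%29%29--%2F%2A%2A%2Fpkgf&Board=1&Number=407581&Searchpage=3&Main=56047&Words=4%20barrel%20carb&topic=0&Search=true HTTP/1.1" 200 3206 "https://www.stovebolt.com/ubbthreads/ubbthreads.php" "Opera/9.01 (Windows NT 5.1; U; ru)"
2.59.254.136 - - [06/Oct/2023:16:05:31 -0400] "GET /ubbthreads/ubbthreads.php?ubb=showflat%%27%2F%2A%2A%2FAnd%2F%2A%2A%2F2508%2F%2A%2A%2FbetWEEn%2F%2A%2A%2F%28SELeCt%2F%2A%2A%2FAnd%2F%2A%2A%2F%28SELeCt%28CasE%2F%2A%2A%2FWHEn%2F%2A%2A%2F%282508%3D4408%29%2F%2A%2A%2FtHen%2F%2A%2A%2F2508%2F%2A%2A%2FElsE%2F%2A%2A%2F%28SELeCt%2F%2A%2A%2F4408%2F%2A%2A%2FuniON%2F%2A%2A%2FSELeCt%2F%2A%2A%2F5903%29%2F%2A%2A%2FENd%29%29--%2F%2A%2A%2FBkhs&Board=1&Number=407581&Searchpage=3&Main=56047&Words=4%20barrel%20carb&topic=0&Search=true HTTP/1.1" 200 3203 "https://www.stovebolt.com/ubbthreads/ubbthreads.php" "Opera/9.01 (Windows NT 5.1; U; ru)"
52.167.144.231 - - [01/Oct/2023:17:37:41 -0400] "GET /ubbthreads/ubbthreads.php/topics/1517985/what-the-heck-do-i-have-canada.html HTTP/1.1" 200 10777 "-" "Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko; compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm) Chrome/103.0.5060.134 Safari/537.36"
203.0.113.7 - - [06/Oct/2023:16:10:02 -0400] "GET /ubbthreads/ubbthreads.php?ubb=search&Words=carb%20selection%20in%20case%20of%20doubt&Search=true HTTP/1.1" 200 4100 "-" "Mozilla/5.0"
'''


def normalize(query_string: str) -> str:
    """Percent-decode, drop /**/ comments, collapse whitespace, lowercase."""
    decoded = unquote(query_string)
    decoded = re.sub(r"/\*.*?\*/", " ", decoded, flags=re.S)
    return re.sub(r"\s+", " ", decoded).lower()


def sql_keywords_in(normalized: str) -> list:
    """Distinct SQL keywords present as whole words (so 'selection' is not 'select')."""
    return [kw for kw in SQL_KEYWORDS if re.search(rf"\b{kw}\b", normalized)]


def triage(log_text: str) -> list:
    """One finding per request whose decoded query string looks like SQLi."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path, _, qs = m["target"].partition("?")
        if not qs:
            continue  # Friendly URLs carry no query string at all
        norm = normalize(qs)
        hits = sql_keywords_in(norm)
        if len(hits) >= MIN_KEYWORDS:
            findings.append({"ip": m["ip"], "ts": m["ts"], "path": path,
                             "keywords": hits, "decoded": norm})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["ip"], f["ts"], f["keywords"])
        print("   ", f["decoded"][:120])
```

Decoding before matching is the important step: the raw lines contain `%2F%2A%2A%2F` rather than `/**/`, and `%%27` in the second probe decodes to `%'`, which is the attacker closing a `LIKE '...%'` pattern. The whole-word check is what keeps "selection" in an ordinary search from counting as "select".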
UBB.threads Developer (Joined: Apr 2004, Posts: 1,945, Likes: 145)
What is your reasoning for not using Friendly URLs?

Quote
Enabling Friendly URLs will generate URLs that are easy to read and include words that describe the content of the webpage. This allows most search engines to easily crawl your forum, and also allows for specially formatted URLs.

Secondly, if you refuse processing of certain words on your domain, you may also be blocking legitimate links that contain those phrases, such as ones that are contained in discussion topics or user names.

Site logs are primarily meant for site admins to use as tools for debugging and adjusting site issues, as well as for reporting site actions.

In this case, you may be better off finding who the offender is that's attempting to bypass your forum's naturally generated URLs, and blocking them by absolute IP address if it's a frequent occurrence over a period of time.


Current developer of UBB.threads PHP Forum Software
Current Release: UBBT 7.7.5 // Preview: UBBT 8.0.0
isaac @ id242.com // my forum @ CelicaHobby.com
Enthusiast (Joined: Oct 2007, Posts: 361, Likes: 8)
We are using friendly URLs. For example (from our logs):
Code
52.167.144.231 - - [01/Oct/2023:17:37:41 -0400] "GET /ubbthreads/ubbthreads.php/topics/1517985/what-the-heck-do-i-have-canada.html HTTP/1.1" 200 10777 "-" "Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko; compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm) Chrome/103.0.5060.134 Safari/537.36"

I prefer not to block IPs because attackers will change IPs when blocked.

My question was: is there ever a legitimate reason to have a select in a query string? I would think not. But I wanted to verify with the developers. AFAIK you will only find select statements in the PHP files that do the processing of queries sent from a browser.

UBB.threads Developer (Joined: Apr 2004, Posts: 1,945, Likes: 145)
Correct, AND when used for Friendly URLs where the letters "select" are used for common English words, such as selection, selecting, selector, selected, and select, among others.

As for the exact use of SQL selects appearing in URLs: no, for UBB.threads they only exist within the main PHP scripts. SQL queries are never used in the URLs.

Enthusiast (Joined: Oct 2007, Posts: 361, Likes: 8)
Thank you for confirming that. I can use multiple RewriteConds to catch SQL injection without tripping on legitimate words like "selection" in URLs. So, for example:
Code
RewriteEngine On
# Consecutive RewriteConds are ANDed: all three must match the query string
RewriteCond %{QUERY_STRING} select [NC]
RewriteCond %{QUERY_STRING} union [NC]
RewriteCond %{QUERY_STRING} else [NC]
RewriteRule ^(.*)$ - [F,L]
would reject any SQL injection attempt that uses select AND union AND else but would not match on select only.

Last edited by Baldeagle; 10/07/2023 1:45 PM.
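The rule above relies on two mod_rewrite behaviours: each `RewriteCond` is a case-insensitive (`[NC]`) regex search, consecutive conditions are ANDed, and `%{QUERY_STRING}` is matched raw, before percent-decoding. The following added example (not code from the post or from UBB.threads) emulates that chain in Python and runs it over the two logged probes, a Friendly URL with no query string, a constructed benign search containing "selection" and "else", and a constructed variant in which one letter of `select` is percent-encoded. The last case is the caveat a practitioner should know: Apache sees `s%65lect` and the raw-string rule does not fire, while PHP's `$_GET` receives the decoded `select`.

```python
"""Emulation of the three-RewriteCond chain above (added example)."""
import re
from urllib.parse import unquote

# The three RewriteConds: [NC] regex searches, ANDed together.
REWRITE_CONDS = [re.compile(word, re.IGNORECASE)
                 for word in ("select", "union", "else")]


def htaccess_blocks(raw_query_string: str) -> bool:
    """True when every condition matches the raw %{QUERY_STRING}, i.e. [F] fires."""
    return all(c.search(raw_query_string) for c in REWRITE_CONDS)


def php_would_see_sqli(raw_query_string: str) -> bool:
    """Same three-word test on the percent-decoded string that reaches PHP."""
    return all(c.search(unquote(raw_query_string)) for c in REWRITE_CONDS)


SAMPLES = {
    # The two probes from the access log in the first post.
    "probe_1": ("ubb=showflat%27%29%29%29%2F%2A%2A%2FaNd%2F%2A%2A%2F8301%2F%2A%2A%2FBeTWEEn"
                "%2F%2A%2A%2F%28sELEcT%2F%2A%2A%2FaNd%2F%2A%2A%2F%28sELEcT%28CAsE%2F%2A%2A%2FwhEN"
                "%2F%2A%2A%2F%288301%3D8301%29%2F%2A%2A%2FthEn%2F%2A%2A%2F8301%2F%2A%2A%2FelSe"
                "%2F%2A%2A%2F%28sELEcT%2F%2A%2A%2F1586%2F%2A%2A%2FuniON%2F%2A%2A%2FsELEcT%2F%2A%2A%2F2377"
                "%29%2F%2A%2A%2FenD%29%29--%2F%2A%2A%2Fpkgf&Board=1&Number=407581&Searchpage=3"
                "&Main=56047&Words=4%20barrel%20carb&topic=0&Search=true"),
    "probe_2": ("ubb=showflat%%27%2F%2A%2A%2FAnd%2F%2A%2A%2F2508%2F%2A%2A%2FbetWEEn%2F%2A%2A%2F"
                "%28SELeCt%2F%2A%2A%2FAnd%2F%2A%2A%2F%28SELeCt%28CasE%2F%2A%2A%2FWHEn%2F%2A%2A%2F"
                "%282508%3D4408%29%2F%2A%2A%2FtHen%2F%2A%2A%2F2508%2F%2A%2A%2FElsE%2F%2A%2A%2F"
                "%28SELeCt%2F%2A%2A%2F4408%2F%2A%2A%2FuniON%2F%2A%2A%2FSELeCt%2F%2A%2A%2F5903%29"
                "%2F%2A%2A%2FENd%29%29--%2F%2A%2A%2FBkhs&Board=1&Number=407581&Searchpage=3"
                "&Main=56047&Words=4%20barrel%20carb&topic=0&Search=true"),
    # Constructed: a Friendly URL request has no query string at all.
    "friendly_url": "",
    # Constructed: an ordinary search that contains "selection" and "else"
    # but not "union", so only two of the three conditions match.
    "benign_search": "ubb=search&Words=carb%20selection%20or%20something%20else&Search=true",
    # Constructed: the 'e' of "select" sent as %65. The raw query string no
    # longer contains the word, but PHP decodes it back to "select".
    "encoded_keyword": "ubb=showflat%27%20s%65lect%201%20uniON%20s%65lect%202%20elSe%203",
}


def evaluate(samples=None) -> dict:
    """Map each sample to (blocked by .htaccess rule, SQLi visible after decoding)."""
    samples = SAMPLES if samples is None else samples
    return {name: (htaccess_blocks(qs), php_would_see_sqli(qs))
            for name, qs in samples.items()}


if __name__ == "__main__":
    for name, (blocked, decoded_hit) in evaluate().items():
        print(f"{name:16s} blocked={blocked!s:5s} sqli_after_decode={decoded_hit}")
```

Both logged probes trip the rule because the keywords themselves were sent as plain ASCII, only the punctuation was encoded. The benign search passes, which is the property the post is after. The `encoded_keyword` row shows why a keyword blocklist in `.htaccess` is a nuisance filter rather than a security boundary: the parameterised queries and input handling in the application remain the control that actually matters.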
UBB.threads Developer (Joined: Apr 2004, Posts: 1,945, Likes: 145)
SQL injection is already handled within the code by specific PHP calls, regex, and other means. There is nothing from the URL that touches the database without first being cleaned in some manner. And even then, the software uses its own means to trigger SQL interactions, rather than relying on what is coming from URLs.

Powered by UBB.threads™ PHP Forum Software 8.0.0
(Preview build 20230217)