 

I keep seeing +--+ in my apache logs, what is it? [closed]

I am looking at my Apache server logs, and almost always when someone is scanning the server for vulnerabilities I see this in their query strings...

+--+

like in the various examples below...

.
.
.
/includes/usercp_register.php?phpbb_root_path=1'+--+?
/includes/profilcp_constants.php?module_root_path=1'+--+?
/includes/functions_user_viewed_posts.php?phpbb_root_path=1'+--+?
/includes/orderSuccess.inc.php?&glob=1&cart_order_id=1&glob[rootDir]=1'+--+
.
.
.

I know they are scanning for popular vulnerabilities, but what I'm wondering is what's the purpose of +--+?

I'm thinking of using that as something I can filter for using fail2ban.

Eko3alpha asked Jun 06 '13 18:06


1 Answer

In query strings, the plus character is shorthand notation for a space. Remember that spaces are not allowed in URLs, so they must either be percent-encoded (%20) or, only in the query string portion of a URL, represented with a plus. (As a consequence, this means actual pluses must be percent-encoded in the query string but not elsewhere in a URL.)

In this case, the attacker is attempting simple SQL injection. The ' is a quote ('), and the + URL-decodes to a space. So ultimately this happens:

phpbb_root_path=1' -- 

(The -- is a SQL comment.)

Be careful banning requests with +--+ in the URL; that could be legitimate input -- i.e., https://www.google.com/search?q=dash+--+separated

josh3736 answered Nov 12 '22 13:11
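An added example, not from the question or the answer, of the decoding and filtering the answer describes, run over constructed Apache log lines: it URL-decodes the query string and flags only a quote followed by a SQL line comment, so a legitimate query like q=dash+--+separated is left alone. The log lines, client IPs and regular expressions are assumptions made for the example.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Constructed sample Apache access-log lines (not taken from the original post).
SAMPLE_LOG = """\
203.0.113.5 - - [06/Jun/2013:18:06:01 +0000] "GET /includes/usercp_register.php?phpbb_root_path=1'+--+? HTTP/1.1" 404 209
203.0.113.5 - - [06/Jun/2013:18:06:02 +0000] "GET /includes/orderSuccess.inc.php?&glob=1&cart_order_id=1&glob[rootDir]=1'+--+ HTTP/1.1" 404 209
198.51.100.7 - - [06/Jun/2013:18:07:10 +0000] "GET /search?q=dash+--+separated HTTP/1.1" 200 5120
198.51.100.8 - - [06/Jun/2013:18:08:00 +0000] "GET /index.php?page=home HTTP/1.1" 200 1024
"""

# Pulls the request target out of a common/combined log format request line.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD)\s+(\S+)\s+HTTP/[\d.]+"')

# A quote followed (after optional whitespace) by a SQL line comment.
# "1' --" is what the scanner's +--+ decodes to; "dash -- separated" has no quote.
SQLI_COMMENT_RE = re.compile(r"'\s*--")

def decode_query(url):
    """Return the URL-decoded query string ('+' becomes a space, %XX is decoded)."""
    return unquote_plus(urlsplit(url).query)

def looks_like_sqli_comment(url):
    """True when the decoded query contains a quote followed by a SQL '--' comment."""
    return bool(SQLI_COMMENT_RE.search(decode_query(url)))

def suspicious_requests(log_text):
    """Return (client_ip, decoded_query) for each log line that trips the check."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        url = m.group(1)
        if looks_like_sqli_comment(url):
            hits.append((line.split()[0], decode_query(url)))
    return hits

if __name__ == "__main__":
    for ip, query in suspicious_requests(SAMPLE_LOG):
        print(f"{ip}\t{query}")
```

The same decoded-query check can be expressed as a fail2ban filter regex, but matching the raw `+--+` bytes before decoding is what produces the false positive the answer warns about.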