  1. #1
    SitePoint Guru phantom007

    Advanced SQL Injection Attacks

    Hi,

    I was going through my site stats and found that some SQL injections have been passed through my site's querystring.

    This was the querystring passed to one of the pages. (Note: for security reasons I have replaced my original table and column names in the code below.)

    Code:
    ?action=show&id=-5 union select 1,2,3,concat_ws(0x3a3a,xuser,xpass),5,6,7,8,9,10,11,12,13 from mytbl_login--

    I have taken care of SQL injection attacks, and hence I am using the following function everywhere in my code to bypass any SQL injections.

    Code:
    function antisql($data){
        // undo the slashes magic_quotes adds automatically, so the value is not escaped twice
        if(get_magic_quotes_gpc()){
            $data1 = stripslashes($data);
        }else{
            $data1 = $data;
        }
        // escapes quote characters only; it does nothing for values used outside quotes
        return mysql_real_escape_string($data1);
    }


    I am not posting this thread to learn what SQL injection is. I know what it is.

    A few things I want to know are:

    1) How did they know my column names (xuser and xpass) and table name (mytbl_login)?

    2) Why didn't the antisql() function prevent that SQL injection attack?

    3) What is the above querystring actually doing?


    Some Info:
    My site is built in PHP/MySQL and running on CentOS.


    Thank you so much for your help in advance.

  2. #2
    SitePoint Enthusiast
    I would use PDO or mysqli prepared statements to prevent these things.
    How do they know the table name and columns? First they get the MySQL error, where you can mostly see the table name. So they can make further queries and find out column names. Or they just got the MySQL user and password somewhere.

  3. #3
    SitePoint Guru phantom007
    Quote Originally Posted by staar2:
    I would use PDO or mysqli prepared statements to prevent these things.
    How they know the table name and columns ? First they get the mysql error where you can mostly see the table name. So you can make further queries and find out column names. Or they just got mysql user and pass somewhere.

    But I already have error_reporting turned OFF.
    Last edited by phantom007; Oct 29, 2008 at 21:20.

  4. #4
    SitePoint Enthusiast
    Quote Originally Posted by cancer10: [post #1 quoted in full]
    1. Unless your column names and table names are something like "q1w2e3r4", it isn't really that hard to guess or even conduct brute-force against it.

    2. The antisql() function you mentioned above merely escapes a limited number of characters, namely the single and double quotes. So it would probably be useful against SQL injections into string fields. The problem is, the user input inserted is expected to be an integer (ID), so there are no quote characters involved - if you didn't apply a PHP function like intval() to the value, anyone can just throw in SQL code and it will run unscathed. The simplest solution: use prepared statements.

    3. Well, well, if you know the name of a database table where user account information is stored, its username column, and its password column, what would you do with it? My advice to you: unless you stored the passwords as salted hashes, it's probably a good time to conduct a mass password reset now. Before it's too late.
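    An added illustration of point 2 above (not code from this thread): the OP's escape-then-interpolate pattern next to the two fixes suggested, a type cast and a prepared statement, plus a request-time check that would have flagged the querystring. The table name mytbl and the function names are placeholders; the payload is the one quoted in the first post.

```php
<?php
// Added illustration, not code from the thread. Table and column names are
// placeholders; the payload is the one quoted in the first post.

// The OP's approach: escape, then interpolate. Escaping only neutralises quote
// characters, and an unquoted integer context has no quote to break out of,
// so the UNION payload reaches MySQL exactly as typed.
function vulnerableQuery($id)
{
    $escaped = addslashes($id); // stands in for mysql_real_escape_string()
    return "SELECT * FROM mytbl WHERE id = " . $escaped;
}

// Minimal fix: coerce the value to the type the column expects before it
// touches the SQL string. Everything after the leading number is discarded.
function castQuery($id)
{
    return "SELECT * FROM mytbl WHERE id = " . intval($id);
}

// Preferred fix: a prepared statement. The value travels separately from the
// SQL text, so it can never change the statement's structure.
function preparedQuery(PDO $db, $id)
{
    $stmt = $db->prepare('SELECT * FROM mytbl WHERE id = :id');
    $stmt->bindValue(':id', (int) $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Detection: an id that is not a plain integer is worth logging at request
// time rather than being discovered in the stats afterwards, as the OP did.
function looksTampered($id)
{
    return preg_match('/^-?\d+$/', (string) $id) !== 1;
}

$payload = '-5 union select 1,2,3,concat_ws(0x3a3a,xuser,xpass),5,6,7,8,9,10,11,12,13 from mytbl_login--';
echo vulnerableQuery($payload), "\n"; // the UNION survives escaping untouched
echo castQuery($payload), "\n";       // only the leading -5 remains
var_dump(looksTampered($payload));    // flagged
var_dump(looksTampered('42'));        // a normal id is not flagged

if (in_array('sqlite', PDO::getAvailableDrivers(), true)) {
    $db = new PDO('sqlite::memory:'); // stand-in for the MySQL connection
    $db->exec('CREATE TABLE mytbl (id INTEGER PRIMARY KEY, title TEXT)');
    $db->exec("INSERT INTO mytbl VALUES (5, 'five')");
    var_dump(preparedQuery($db, $payload)); // looks up id -5 and returns no rows
}
```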

  5. #5
    SitePoint Wizard bronze trophy
    It's also possible they were able to read your source code to discover the column names. If you have any code which reads some file from the filesystem and outputs it, especially if the file to be read is somehow influenced by user input, they may have been successful.

    As for having error_reporting turned off: if you're doing the typical
    $res = mysql_query($sql) or die(mysql_error());
    then those errors will still be shown. error_reporting doesn't affect output you directly send.

  6. #6
    SpacePhoenix
    Also is your site on a dedicated or shared server?

  7. #7
    SitePoint Zealot
    I would suggest doing a global audit throughout your application of each SQL statement. Cast values to their correct type (ints, floats, etc.), and escape special characters on string values. Ensure that date/time values are correct and in a valid format.

    Personally I would recommend something to pre-parse your queries:

    PHP Code:
    $cleanSQL = parse("SELECT * FROM `table` WHERE id = %d AND field = '%s'", '1', 'val');

    // declared here so the snippet runs stand-alone; the original assumed it existed elsewhere
    class SQLException extends Exception {}

    function parse()
    {
        $args = func_get_args();
        if (count($args) == 0) return false;
        $sql = array_shift($args);
        return _processArguments($sql, $args);
    }

    function _processArguments($sql, $args)
    {
        if (count($args) > 0) {
            // define the marker types
            $float   = array('f');
            $integer = array('u', 'd', 'b', 'o');
            $string  = array('x', 's', 'e', 'c');

            preg_match_all("/(\%[a-z]{1})/", $sql, $_matches);

            // check that the number of arguments matches the number of replaces in the sql
            if (count($_matches[0]) != count($args)) {
                throw new SQLException('the number of replacement markers doesn\'t match the number of arguments');
            }

            // loop through the arguments, casting or escaping each one by its marker type
            foreach ($args as $key => $value) {
                $s = str_replace('%', '', $_matches[0][$key]); // get the replacement marker type
                if (in_array($s, $float)) {
                    $args[$key] = (float)$value;
                } elseif (in_array($s, $integer)) {
                    $args[$key] = (int)$value;
                } elseif (in_array($s, $string)) {
                    $args[$key] = escape($value);
                }
            }
            return vsprintf($sql, $args);
        }
        // no arguments present...
        return $sql;
    }

    function escape($data)
    {
        if (function_exists('mysql_real_escape_string')) {
            $data = mysql_real_escape_string($data);
        } else {
            $data = addslashes($data);
        }
        return $data;
    }

  8. #8
    SitePoint Guru phantom007
    Quote Originally Posted by SpacePhoenix:
    Also is your site on a dedicated or shared server?
    It's on a dedicated VPS, meaning I am using this VPS only and only to serve this application.

    @Bling - Your code is quite resource intensive.

  9. #9
    SitePoint Zealot
    Sure the code may be 'resource intensive', but that wasn't the point of the code.

