
Advanced SQL Injection Attacks

Hi,

I was going through my site stats and found some sql injections have been passed through my site’s querystring.

This was the querystring passed on one of the pages. (Note: For security reasons I have replaced my original table and column names in the code below.)

[CODE]?action=show&id=-5 union select 1,2,3,concat_ws(0x3a3a,xuser,xpass),5,6,7,8,9,10,11,12,13 from mytbl_login--[/CODE]

I have taken care of the SQL Injection attacks and hence I am using the following function in my code everywhere to bypass any SQL injections.

[CODE]function antisql($data){
    // Undo the escaping magic_quotes_gpc may already have applied,
    // so the value is not escaped twice
    if(get_magic_quotes_gpc()){
        $data1 = stripslashes($data);
    }else{
        $data1 = $data;
    }
    // Backslash-escapes quotes, backslashes and NUL for use inside a quoted string literal
    return mysql_real_escape_string($data1);
}[/CODE]

I am not posting this thread to know what SQL Injection is. I know what it is.

A few things I want to know are:

[B]1) How did they know my column names (xuser and xpass) and table name (mytbl_login)?[/B]

[B]2) Why didn't the antisql() function prevent that sql injection attack?[/B]

[B]3) What is the above querystring actually doing?[/B]

[I]Some Info:[/I]
My Site is made in PHP/MySQL and running on CentOS.

Thank you so much for your help in advance.

@scragar Oct 29.2008 —
[QUOTE]Hi,

I was going through my site stats and found some sql injections have been passed through my site's querystring.

This was the querystring passed on one of the pages. (Note: For security reasons I have replaced my original table and column names in the code below.)

[CODE]?action=show&id=88 union select 1,2,3,concat_ws(0x3a3a,xuser,xpass),5,6,7,8,9,10,11,12,13 from mytbl_login--[/CODE]

I have taken care of the SQL Injection attacks and hence I am using the following function in my code everywhere to bypass any SQL injections.

[CODE]function antisql($data){
    // Undo the escaping magic_quotes_gpc may already have applied
    if(get_magic_quotes_gpc()){
        $data1 = stripslashes($data);
    }else{
        $data1 = $data;
    }
    // Escapes quotes, backslashes and NUL for use inside a quoted string literal
    return mysql_real_escape_string($data1);
}[/CODE]

I am not posting this thread to know what SQL Injection is. I know what it is.

A few things I want to know are:

[B]1) How did they know my column names (xuser and xpass) and table name (mytbl_login)?[/B][/QUOTE]
I can't say, but normally they deliberately force errors, which then cause traceback information for you to find the problem, but they can also use this information to try and find information on your tables.

[QUOTE][B]2) Why didn't the antisql() function prevent that sql injection attack?[/B][/QUOTE]
Because there is nothing (other than the left slash) that MySQL sees as being unsafe.

[QUOTE][B]3) What is the above querystring actually doing?[/B][/QUOTE]
http://dev.mysql.com/doc/refman/5.0/en/union.html

By using union they can return their own set of fields in the same result set (where normally it would count as a second result set which wouldn't be returned). I'm assuming that attack is done because you are calling results without testing them first, which can be used to throw users' usernames and passwords out.

[QUOTE][I]Some Info:[/I]

My Site is made in PHP/MySQL and running on CentOS.

Thank you so much for your help in advance.[/QUOTE]


The solution as I see it is to take the type you are trying to use, and cast to it, so after running it through your function you are cleaning it to be safe:
[code=php]$theId = (int) antisql($_GET['id']);[/code]
or start using quotes around strings (it's perfectly fine for equal comparisons, but falls apart for less than or greater than comparisons).

@NogDog Oct 29.2008 —
[QUOTE]2) Why didn't the antisql() function prevent that sql injection attack?[/QUOTE]
How do you know it didn't? The fact that someone [i]tried[/i] to submit a query string to generate a SQL injection attack does not necessarily mean that it worked, just that they tried. Did anything happen to the database? Did you try (after doing a complete DB backup or -- much better -- on a separate test "sandbox" using the same database/code) accessing the same URL with that query string to see what happened?
@phantom007 (author) Oct 29.2008 —
[QUOTE]How do you know it didn't? The fact that someone [i]tried[/i] to submit a query string to generate a SQL injection attack does not necessarily mean that it worked, just that they tried. Did anything happen to the database? Did you try (after doing a complete DB backup or -- much better -- on a separate test "sandbox" using the same database/code) accessing the same URL with that query string to see what happened?[/QUOTE]

Hi,

Thanks for the reply.

I know the function didn't work because I tried it on the same page and it DID reveal my admin username/password.
@scragar Oct 29.2008 — As I said, mysql_real_escape_string doesn't see any part of it as unsafe; everything in it is safe under normal cases (where it's a string, like the function assumes).

The problem is that you assume a number, and the input is not (far from it). As I said, either cast it to int, or test it using a simple regExp to check for invalid characters.

@phantom007 (author) Oct 29.2008 — You mean I have to add something like this in my PHP page:
[CODE]
$theId = (int) antisql($_GET['id']); [/CODE]

@scragar Oct 29.2008 — That would work, but it might be better to go for something more like:

[code=php]$theId = antisql($_GET['id']);
if( ! is_numeric($theId) ){/// bad ID
echo "Invalid ID, please try again, or some other generic text here";
$theId = 0;// will match nothing most of the time anyway
}[/code]
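The behaviour scragar describes, as an added example that is not code from this thread: the escaped-but-unquoted id lookup beside the validate-and-bind version, run against an in-memory SQLite database. It is written in Python rather than the site's PHP, assumes a constructed 13-column items table and one constructed mytbl_login row, and, since SQLite has no concat_ws(), uses char(58,58) where the thread's payload uses concat_ws(0x3a3a, ...).

```python
import re
import sqlite3

# Constructed lab schema (not the thread's real tables): the page selects 13
# columns, which is why the payload pads its UNION with the literals 1..13.
COLS = ", ".join(f"c{i}" for i in range(1, 14))

# The thread's payload, adapted for SQLite: it lacks concat_ws(), so
# char(58,58) (the "::" that 0x3a3a spells in MySQL) is used instead.
PAYLOAD = ("-5 union select 1,2,3,xuser || char(58,58) || xpass,"
           "5,6,7,8,9,10,11,12,13 from mytbl_login--")

def make_db():
    """In-memory SQLite stand-in for the site's database with one item row
    and one constructed admin credential."""
    db = sqlite3.connect(":memory:")
    db.execute(f"CREATE TABLE items (id INTEGER, {COLS})")
    db.execute("INSERT INTO items VALUES (1, "
               + ", ".join(f"'v{i}'" for i in range(1, 14)) + ")")
    db.execute("CREATE TABLE mytbl_login (xuser TEXT, xpass TEXT)")
    db.execute("INSERT INTO mytbl_login VALUES ('admin', 'hunter2')")
    return db

def antisql(data):
    """Simplified model of mysql_real_escape_string(): backslash-escapes the
    few characters MySQL treats as special inside a string literal and
    nothing else. Spaces, commas, keywords and '--' pass through untouched."""
    special = {"\\": "\\\\", "'": "\\'", '"': '\\"', "\0": "\\0",
               "\n": "\\n", "\r": "\\r", "\x1a": "\\Z"}
    return "".join(special.get(ch, ch) for ch in data)

def show_item_vulnerable(db, raw_id):
    """The pattern the thread describes: escaped, but spliced unquoted into
    a numeric comparison, so the escaping has nothing to act on."""
    sql = f"SELECT {COLS} FROM items WHERE id = {antisql(raw_id)}"
    return db.execute(sql).fetchall()

def show_item_hardened(db, raw_id):
    """The fix: accept only an unsigned integer (stricter than PHP's
    is_numeric(), which also takes floats and exponents) and bind it as a
    parameter so it can never be parsed as SQL. Returns None on a bad id so
    the caller can show a generic error and log the attempt."""
    if not re.fullmatch(r"[0-9]{1,10}", raw_id):
        return None
    sql = f"SELECT {COLS} FROM items WHERE id = ?"
    return db.execute(sql, (int(raw_id),)).fetchall()
```

Against the vulnerable function the payload returns a single row whose fourth column is the admin credential; the hardened one rejects it before any SQL runs.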
@phantom007 (author) Oct 29.2008 — OK, thanks.

But what is the difference between what I posted and what you posted?

Thanks

@scragar Oct 29.2008 — Mine lets you add an error message, so if it's a legit problem the user is notified. It also comes in handy if you want to log suspicious activity like I do; you do something like:
[code=php]
$theId = antisql($_GET['id']);
if( ! is_numeric($theId) ){ /// bad ID
    echo "Invalid ID, please try again, or some other generic text here";
    //////
    add2log('suspect', 'bad item id', __FILE__, array('theID'=>$theId));
    //////
    $theId = 0; // will match nothing most of the time anyway
}[/code]

my add2log function looks something like:
[code=php]function add2log($prefix, $description, $origins, $dataDump){
    // Capture var_dump() output as a string to get a readable dump of the data
    ob_start();
    var_dump($dataDump);
    $dataDump = ob_get_contents();
    ob_end_clean();

    // One log file per prefix and day, appended to; LOGS is the log directory constant
    file_put_contents(LOGS.$prefix.date('Ymd'),
        'Date/Time: ' . date('r') . "\nFile: {$origins}\nMsg: {$description}\nData: {$dataDump}
----- END -------\n", FILE_APPEND);
}[/code]
PS: "LOGS" is a constant I define, don't go using it without setting it yourself :p

PPS: I have removed a fair bit from this function, including sections where I grab the user's IP, back up their session data for extra analysis if needed and a fair bit more (emails etc.), so I would make your own; I'm just providing this as an example.

@phantom007 (author) Oct 29.2008 — That helped.

Thanks