Eiolon Posted August 21, 2009
https://forums.phpfreaks.com/topic/171294-solved-sql-injection-problem/

I was running my project through SQL Inject Me and stumbled upon a page that was vulnerable. It only has 2 fields, and interestingly, only 1 of the fields is vulnerable even though they are the exact same type of field and both are being escaped the same way. It is the NAME field that is giving me problems, the DESCRIPTION field seems to be okay. Any ideas?

```php
<?php
session_start();

// Escape a submitted value for use inside a quoted string in a MySQL query.
// strip_tags() and htmlspecialchars() are HTML encoding, not SQL escaping;
// only mysql_real_escape_string() protects the query itself.
function escape_data ($data) {
    global $dbc;
    if (ini_get('magic_quotes_gpc')) {
        $data = stripslashes($data);
    }
    return mysql_real_escape_string (htmlspecialchars(trim(strip_tags($data))), $dbc);
}

require_once('../includes/mysql.php');

if (isset($_POST['submit'])) {
    $errors = array();
    $n = '';
    $d = '';   // defined even when no description is submitted
    if (empty($_POST['name'])) {
        $errors[] = 'Group name must be entered';
    }
    if (!empty($_POST['name'])) {
        $n = escape_data($_POST['name']);
    }
    if (!empty($_POST['description'])) {
        $d = escape_data($_POST['description']);
    }
    if (empty($errors)) {
        $insert = "INSERT INTO groups (name, description) VALUES ('$n','$d')";
        $result = mysql_query($insert) OR die ('Could not add the group to the database.');
        if ($result) {   // check the query result, not the query string
            header('Location: group_added.php');
            exit;
        }
    }
}
?>
```
PFMaBiSmAd Posted August 21, 2009

It would take seeing which test failed and results from SQL Inject Me in order to determine if or what the problem is. SQL Inject Me is fairly limited in what it can detect. It is basically looking for the same content in the results as what it injected into the query. If you happen to echo the contents of one of the variables that it injected something into, that is enough for it to report a problem.
Eiolon (Author) Posted August 21, 2009

Out of 14605 tests, it failed 15:

Server Status Code: 302 Moved Temporarily
Tested value: %31%27%20%4F%52%20%27%31%27%3D%27%31

Server Status Code: 302 Moved Temporarily
Tested value: 1 UNI/**/ON SELECT ALL FROM WHERE

Server Status Code: 302 Moved Temporarily
Tested value: 1 UNION ALL SELECT 1,2,3,4,5,6,name FROM sysObjects WHERE xtype = 'U' --

Server Status Code: 302 Moved Temporarily
Tested value: 1 AND ASCII(LOWER(SUBSTRING((SELECT TOP 1 name FROM sysobjects WHERE xtype='U'), 1, 1))) > 116

Server Status Code: 302 Moved Temporarily
Tested value: ' OR username IS NOT NULL OR username = '

Server Status Code: 302 Moved Temporarily
Tested value: 1' AND non_existant_table = '1

Server Status Code: 302 Moved Temporarily
Tested value: 1'1

Server Status Code: 302 Moved Temporarily
Tested value: '; DESC users; --

Server Status Code: 302 Moved Temporarily
Tested value: 1 AND USER_NAME() = 'dbo'

Server Status Code: 302 Moved Temporarily
Tested value: 1' AND 1=(SELECT COUNT(*) FROM tablenames); --

Server Status Code: 302 Moved Temporarily
Tested value: 1 AND 1=1

Server Status Code: 302 Moved Temporarily
Tested value: 1 EXEC XP_

Server Status Code: 302 Moved Temporarily
Tested value: 1'1

Server Status Code: 302 Moved Temporarily
Tested value: 1' OR '1'='1

Server Status Code: 302 Moved Temporarily
Tested value: 1 OR 1=1
KevinM1 Posted August 21, 2009

Are you employing any validation here? Another component in stopping injection attacks is to ensure that the fields contain valid data. A name shouldn't contain an integer, for example.
PFMaBiSmAd Posted August 21, 2009

All of those have a server status code of 302 Moved Temporarily. All that means is your INSERT query worked and caused the header() redirect to be executed. You now have rows in your table with names containing those values that were tried. Your use of mysql_real_escape_string() prevented sql injection, but I'll bet you probably don't want your name column to end up with most of those values in it. Your code does need to validate the actual data to ensure it only contains what you expect, but your code is safe from sql injection.
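The two fixes recommended above, an allow-list check on the data and a query that cannot be changed by the data, in one place. This is an added example and not code from the original poster or from the thread; it reuses the groups table and the name and description columns from the post, and assumes that $dbc (from ../includes/mysql.php) is a mysqli connection rather than the old mysql_* link, since the mysql_* extension was removed in PHP 7.0. The length limits and the character allow-list in the validators are assumptions to adjust for your own schema.

```php
<?php
// Added example: allow-list validation plus a prepared-statement INSERT.
// Assumed: $dbc is a mysqli connection; column widths are 64 and 1000.

// Validate a group name against an allow-list. Returns null when valid,
// otherwise an error message. Every payload in the scanner output
// ("1' OR '1'='1", "'; DESC users; --", "1 EXEC XP_", ...) fails the
// pattern, so it is rejected instead of being stored as a row.
function validate_group_name(string $name): ?string
{
    $name = trim($name);
    if ($name === '') {
        return 'Group name must be entered';
    }
    if (strlen($name) > 64) {            // assumed column width
        return 'Group name is too long';
    }
    // Letters, digits, spaces, hyphens and underscores only: no quotes,
    // semicolons, comment markers or anything else that resembles SQL.
    if (!preg_match('/^[A-Za-z0-9][A-Za-z0-9 _-]*$/', $name)) {
        return 'Group name may only contain letters, digits, spaces, - and _';
    }
    return null;
}

// The description is free text, so only bound its length; the prepared
// statement below keeps it from ever being parsed as SQL.
function validate_description(string $description): ?string
{
    if (strlen($description) > 1000) {   // assumed column width
        return 'Description is too long';
    }
    return null;
}

// Parameterised INSERT. The values are sent separately from the SQL text,
// so no escaping is needed and no value can alter the statement.
// Returns false on a prepare/execute failure, e.g. a duplicate-key error.
function add_group(mysqli $db, string $name, string $description): bool
{
    $stmt = $db->prepare('INSERT INTO groups (name, description) VALUES (?, ?)');
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('ss', $name, $description);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Request handling, following the flow of the original page.
session_start();
if (isset($_POST['submit'])) {
    $name        = (string) ($_POST['name'] ?? '');
    $description = (string) ($_POST['description'] ?? '');

    // array_filter() drops the nulls, leaving only real error messages.
    $errors = array_filter([
        validate_group_name($name),
        validate_description($description),
    ]);

    if (empty($errors)) {
        require_once '../includes/mysql.php';   // assumed to define mysqli $dbc
        if (add_group($dbc, $name, $description)) {
            header('Location: group_added.php');
            exit;
        }
        $errors[] = 'Could not add the group to the database.';
    }

    // HTML-encode at output time, not before storing.
    foreach ($errors as $e) {
        echo '<p>' . htmlspecialchars($e, ENT_QUOTES, 'UTF-8') . '</p>';
    }
}
```

With this in place the scanner's fifteen payloads get a validation error page instead of a 302, and nothing from them reaches the table. Two points worth noting about the original escape_data(): running htmlspecialchars() and strip_tags() on the way into the database is HTML encoding applied at the wrong layer (it stores entities such as &amp; in the name column and mangles legitimate input), and it contributes nothing to SQL safety; encode for HTML when the value is displayed, and let the prepared statement handle the SQL side.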
Eiolon (Author) Posted August 21, 2009

Thanks for explaining that to me. I will work on better validation. However, it is interesting that the description field was not susceptible to any of the attacks.
PFMaBiSmAd Posted August 21, 2009

There could be any number of reasons why the description field did not trigger any failed tests, for example, the name value being used in the test (a fixed value) already existed and your query failed due to a duplicate key/value error and the output on the page was your or die(...) message, which SQL Inject Me would not flag as a failure for the test values.