
Please help, this site keeps getting hacked. I have escaped all my SQL input, as well as applying intval() to almost all input variables, and I have hit a brick wall. I can always use PDO, but that would be a monumental task, and it may be something simple that I am missing.

 

link to my verifying txt file : http://www.apdec.org.za/phpfreaks.txt

 

link to the site : http://www.apdec.org.za/

 

specifically I have been hacked on the branch names and page content.

 

 

I have a full backup of code as well as the database.

 

I would really appreciate any help.

 

thanks

Craig

 

 

https://forums.phpfreaks.com/topic/255224-this-site-keeps-getting-hacked/

Strictly database hacks, nothing serious: the hacker keeps putting a "fix your security fail" message on the home page, and changing branch names.

 

All that information is stored in the database, so it would appear to be an SQL attack of some sort.

 

 

Thanks for the help so far, it is much appreciated

 

You keep saying "branch names" like we know what that term means. 

 

Basically it is a non-profit organisation and they have different branches; these branches are stored in a database.

 

Sorry, my bad: everything being edited by the hacker is stored in the database.

 

The code seems to stay in place.

 

Thanks again, I am not a hacker or a security specialist, and this was my first project (the code is not the best).

 

 

 

 

 


Seems like, as mentioned, secure against SQL exploits either using PDO or mysql_real_escape_string.

 

http://net.tutsplus.com/tutorials/php/why-you-should-be-using-phps-pdo-for-database-access/

 

Also, if you have server access to your VPN or SVN, you might look into getting and installing some free open-source anti-DDoS software.

 

 

 

 

 


Vulnerability description

This script is possibly vulnerable to Cross Site Scripting (XSS) attacks.

 

Cross site scripting (also referred to as XSS) is a vulnerability that allows an attacker to send malicious code (usually in the form of JavaScript) to another user. Because a browser cannot know if the script should be trusted or not, it will execute the script in the user context, allowing the attacker to access any cookies or session tokens retained by the browser.

This vulnerability affects /events.php, searchresults.php

Discovered by: Scripting (XSS_in_URI.script).

The impact of this vulnerability

Malicious users may inject JavaScript, VBScript, ActiveX, HTML or Flash into a vulnerable application to fool a user in order to gather data from them. An attacker can steal the session cookie and take over the account, impersonating the user. It is also possible to modify the content of the page presented to the user.

 

Attack details

URI was set to 'onmouseover=prompt(914554)>

The input is reflected inside a tag element between single quotes.

 

URL encoded GET input Searchterms was set to 1<ScRiPt >prompt(957795)</ScRiPt>

The input is reflected inside <title> tag.

The input is reflected inside a text element.

The input is reflected inside a tag element between double quotes.

 

 

I searched a hacking forum, and found this link:

 

http://www.apdec.org.za/news.php?branch=2'&article=58'

 

Could this be what is causing your problem?

 

When your query is expecting numbers, force the value to a number like this:

 

// cast the query-string value to an integer before it goes anywhere near the SQL
$branch_id = (int)$_GET['branch'];
$query = "select * from branches where branch_id = $branch_id";
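A worked version of the two fixes discussed in this thread (the integer cast from the post above and PDO prepared statements from earlier), together with output encoding for the reflected Searchterms parameter from the scanner report, as an added example in PHP. This is not code from the original site or from any poster; the table and column names, the sample rows and the in-memory SQLite database are assumptions made so that the script runs stand-alone from the command line.

```php
<?php
// Added example, not the original poster's code. It shows why a request like
// news.php?branch=2'&article=58' breaks a query built by string interpolation,
// and the two fixes the thread recommends: cast the id to an integer and use a
// PDO prepared statement. The output-encoding helper at the end addresses the
// reflected "Searchterms" finding from the scanner report. Table and column
// names, the branch rows and the in-memory SQLite database are assumptions.

// Vulnerable pattern: the raw query-string value lands inside the SQL text.
// For $branch = "2'" the statement becomes
//   select * from branches where branch_id = 2'
// which is a syntax error on its own, and a value carrying an extra clause or
// a comment marker lets the attacker rewrite the statement.
function vulnerable_query(string $branch): string
{
    return "select * from branches where branch_id = $branch";
}

// Hardened pattern, step 1: force the id to an integer. (int)"2'" is 2 and
// (int)"abc" is 0, so nothing but a number can reach the query. Note that the
// cast coerces silently; it does not tell you the request was malformed.
function branch_id_from_request(array $get): int
{
    return (int)($get['branch'] ?? 0);
}

// Hardened pattern, step 2: bind the value instead of concatenating it. The
// driver keeps SQL text and data separate, so the same approach also works for
// non-numeric columns (a branch name, a search term) where a cast cannot help.
function fetch_branch(PDO $pdo, int $branchId): ?array
{
    $stmt = $pdo->prepare('SELECT branch_id, name FROM branches WHERE branch_id = :id');
    $stmt->bindValue(':id', $branchId, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Output encoding for searchresults.php: one helper covers the <title> text,
// the text node and the double-quoted attribute the scanner listed, because
// ENT_QUOTES encodes both quote characters as well as < > and &.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample data in an in-memory database (requires the pdo_sqlite extension).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE branches (branch_id INTEGER PRIMARY KEY, name TEXT)');
$pdo->exec("INSERT INTO branches (branch_id, name) VALUES (1, 'Branch A'), (2, 'Branch B')");

// The SQL the vulnerable page would have sent to the database for ?branch=2'
echo vulnerable_query("2'"), "\n";

// The same kind of input through the hardened path.
foreach (["2", "2'", "2 OR 1=1", "abc"] as $raw) {
    $row = fetch_branch($pdo, branch_id_from_request(['branch' => $raw]));
    printf("branch=%-10s -> %s\n", $raw, $row === null ? 'no such branch' : $row['name']);
}

// The scanner's Searchterms payload, encoded for each reflection context it reported.
$term = '1<ScRiPt >prompt(957795)</ScRiPt>';
echo '<title>Search results for ', h($term), "</title>\n";
echo '<p>You searched for ', h($term), "</p>\n";
echo '<input type="text" name="Searchterms" value="', h($term), "\">\n";
```

The cast alone stops the injection on numeric ids, but the prepared statement is the fix that generalises: it is the only one of the two that protects free-text parameters such as the search term, and it also removes the need for mysql_real_escape_string on every call site.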


^^ I usually do it like this when I have to get a numerical value from a query string:

 

$category = filter_input(INPUT_GET, 'category', FILTER_SANITIZE_NUMBER_INT);

 

filter_input is an awesome function for security.

Edited by Stefany93
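As an added example (not Stefany93's code), the following contrasts FILTER_SANITIZE_NUMBER_INT, which strips every character except digits and signs, with FILTER_VALIDATE_INT, which rejects anything that is not a well-formed integer. filter_var() is used with constructed inputs so the script runs from the command line; filter_input(INPUT_GET, 'category', ...) applies the identical filter to $_GET['category'].

```php
<?php
// Added example, not the poster's code. Contrasts the two integer filters on
// the kind of values an attacker sends. filter_var() takes the value directly
// so this runs from the CLI; filter_input(INPUT_GET, 'category', ...) applies
// the same filter to $_GET['category'].

// Constructed sample inputs: a plain id, the scanner-style trailing quote, an
// injection attempt, scientific notation, padding, an empty value and signs.
$samples = ["58", "58'", "2 OR 1=1", "1e3", " 7 ", "", "-3", "+12"];

// Validating variant: returns null instead of a coerced number when the value
// is not a positive integer, so the caller can send a 404 rather than query
// with an id the client never actually asked for.
function positive_int(array $source, string $key): ?int
{
    $value = filter_var($source[$key] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]);
    return $value === false ? null : $value;
}

printf("%-12s %-12s %s\n", 'input', 'sanitize', 'validate');
foreach ($samples as $raw) {
    // FILTER_SANITIZE_NUMBER_INT keeps only digits, '+' and '-': letters, spaces
    // and quotes are dropped and whatever digits remain are run together. That
    // is safe to interpolate into SQL, but it is not a faithful reading of the input.
    $sanitized = filter_var($raw, FILTER_SANITIZE_NUMBER_INT);
    // FILTER_VALIDATE_INT returns false for anything that is not a whole integer
    // (surrounding whitespace is tolerated, a range can be enforced via options).
    $validated = positive_int(['category' => $raw], 'category');
    printf("%-12s %-12s %s\n",
        var_export($raw, true),
        var_export($sanitized, true),
        $validated === null ? 'rejected' : $validated);
}
```

Both filters keep the value out of the SQL grammar; the difference is that the sanitising filter turns a malformed request into some other valid-looking id, while the validating filter lets the application refuse it.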