https://forums.phpfreaks.com/topic/257240-people-are-hacking-my-forum/

Monkuar Posted February 18, 2012

and doing SQL injections. I have enabled MySQL logging and I can find where they did the query, but it only shows the query; it doesn't show what location or what URL or how they did it, so how can I fix it? Thx. Also lighttpd logs don't show... this sucks.
PaulRyan Posted February 18, 2012

You've been on this forum long enough to have at least read something about query sanitization. You'll need to go and check your queries to make sure you are making them safe, such as using mysql_real_escape_string or mysqli_real_escape_string, as well as validating the incoming data to make sure it is exactly what it should be. Do a quick search on the forum; there are a lot of threads about this.

Regards, PaulRyan.
PFMaBiSmAd Posted February 18, 2012

If you want our specific help, you would need to post the code getting the data for and building the query statement along with the offending query.
Monkuar (Author) Posted February 18, 2012

> If you want our specific help, you would need to post the code getting the data for and building the query statement along with the offending query.

I have tons of queries, as this forum software is from 2001. Here is a random piece of code that works to pull all the data from the index to show the forum categories:

$DB->query("SELECT f.*, f.name as forum_name, f.id as forum_id, f.posts as forum_posts, f.topics as forum_topics, t.*, c.name as cat_name, c.id as cat_id, c.state as cat_state FROM ibf_topics t, ibf_forums f , ibf_categories c WHERE t.tid=".$ibforums->input['t']." and f.id = t.forum_id and f.category=c.id");

$ibforums is a global var:

$ibforums->input = $std->parse_incoming();

parse_incoming is:

function parse_incoming()
{
    global $HTTP_GET_VARS, $HTTP_POST_VARS, $HTTP_CLIENT_IP, $REQUEST_METHOD, $REMOTE_ADDR, $HTTP_PROXY_USER, $HTTP_X_FORWARDED_FOR;

    $return = array();

    if( is_array($HTTP_GET_VARS) )
    {
        while( list($k, $v) = each($HTTP_GET_VARS) )
        {
            //-- mod_sec_update_131 begin
            if (strpos($k, "amp;") === 0) $k = substr($k, 4);
            //-- mod_sec_update_131 end

            if ( $k == 'INFO' )
            {
                continue;
            }

            if( is_array($HTTP_GET_VARS[$k]) )
            {
                while( list($k2, $v2) = each($HTTP_GET_VARS[$k]) )
                {
                    $return[$k][ $this->clean_key($k2) ] = $this->clean_value($v2);
                }
            }
            else
            {
                $return[$k] = $this->clean_value($v);
            }
        }
    }

    // Overwrite GET data with post data
    if( is_array($HTTP_POST_VARS) )
    {
        while( list($k, $v) = each($HTTP_POST_VARS) )
        {
            if ( is_array($HTTP_POST_VARS[$k]) )
            {
                while( list($k2, $v2) = each($HTTP_POST_VARS[$k]) )
                {
                    $return[$k][ $this->clean_key($k2) ] = $this->clean_value($v2);
                }
            }
            else
            {
                $return[$k] = $this->clean_value($v);
            }
        }
    }

    //----------------------------------------
    // Sort out the accessing IP
    // (Thanks to Cosmos and schickb)
    //----------------------------------------

    $addrs = array();

    foreach( array_reverse( explode( ',', $HTTP_X_FORWARDED_FOR ) ) as $x_f )
    {
        $x_f = trim($x_f);

        if ( preg_match( '/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/', $x_f ) )
        {
            $addrs[] = $x_f;
        }
    }

    $addrs[] = $_SERVER['REMOTE_ADDR'];
    $addrs[] = $HTTP_PROXY_USER;
    $addrs[] = $REMOTE_ADDR;

    //header("Content-type: text/plain"); print_r($addrs); print $_SERVER['HTTP_X_FORWARDED_FOR']; exit();

    $return['IP_ADDRESS'] = $this->select_var( $addrs );

    // Make sure we take a valid IP address
    $return['IP_ADDRESS'] = preg_replace( "/^([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})/", "\\1.\\2.\\3.\\4", $return['IP_ADDRESS'] );

    $return['request_method'] = ( $_SERVER['REQUEST_METHOD'] != "" ) ? strtolower($_SERVER['REQUEST_METHOD']) : strtolower($REQUEST_METHOD);

    return $return;
}

Now, see, $ibforums->input is a cleaned value? But is that query still vulnerable? This is the class for $DB->query:

function query($the_query, $bypass=0)
{
    //--------------------------------------
    // Change the table prefix if needed
    //--------------------------------------

    if ($bypass != 1)
    {
        if ($this->obj['sql_tbl_prefix'] != "ibf_")
        {
            $the_query = preg_replace("/ibf_(\S+?)([\s\.,]|$)/", $this->obj['sql_tbl_prefix']."\\1\\2", $the_query);
        }
    }

    if ($this->obj['debug'])
    {
        global $Debug, $ibforums;
        $Debug->startTimer();
    }

    $this->query_id = mysql_query($the_query, $this->connection_id);

    if (! $this->query_id )
    {
        $this->fatal_error("mySQL query error: $the_query");
    }

    if ($this->obj['debug'])
    {
        $endtime = $Debug->endTimer();

        if ( preg_match( "/^select/i", $the_query ) )
        {
            $eid = mysql_query("EXPLAIN $the_query", $this->connection_id);

            $ibforums->debug_html .= "<table width='95%' border='1' cellpadding='6' cellspacing='0' bgcolor='#FFE8F3' align='center'>
                <tr>
                    <td colspan='8' style='font-size:14px' bgcolor='#FFC5Cb'><b>Select Query</b></td>
                </tr>
                <tr>
                    <td colspan='8' style='font-family:courier, monaco, arial;font-size:14px;color:black'>$the_query</td>
                </tr>
                <tr bgcolor='#FFC5Cb'>
                    <td><b>table</b></td><td><b>type</b></td><td><b>possible_keys</b></td>
                    <td><b>key</b></td><td><b>key_len</b></td><td><b>ref</b></td>
                    <td><b>rows</b></td><td><b>Extra</b></td>
                </tr>\n";

            while( $array = mysql_fetch_array($eid) )
            {
                $type_col = '#FFFFFF';

                if ($array['type'] == 'ref' or $array['type'] == 'eq_ref' or $array['type'] == 'const')
                {
                    $type_col = '#D8FFD4';
                }
                else if ($array['type'] == 'ALL')
                {
                    $type_col = '#FFEEBA';
                }

                $ibforums->debug_html .= "<tr bgcolor='#FFFFFF'>
                    <td>$array[table] </td>
                    <td bgcolor='$type_col'>$array[type] </td>
                    <td>$array[possible_keys] </td>
                    <td>$array[key] </td>
                    <td>$array[key_len] </td>
                    <td>$array[ref] </td>
                    <td>$array[rows] </td>
                    <td>$array[Extra] </td>
                </tr>\n";
            }

            if ($endtime > 0.1)
            {
                $endtime = "<span style='color:red'><b>$endtime</b></span>";
            }

            $ibforums->debug_html .= "<tr>
                <td colspan='8' bgcolor='#FFD6DC' style='font-size:14px'><b>mySQL time</b>: $endtime</b></td>
                </tr>
                </table>\n<br />\n";
        }
        else
        {
            $ibforums->debug_html .= "<table width='95%' border='1' cellpadding='6' cellspacing='0' bgcolor='#FEFEFE' align='center'>
                <tr>
                    <td style='font-size:14px' bgcolor='#EFEFEF'><b>Non Select Query</b></td>
                </tr>
                <tr>
                    <td style='font-family:courier, monaco, arial;font-size:14px'>$the_query</td>
                </tr>
                <tr>
                    <td style='font-size:14px' bgcolor='#EFEFEF'><b>mySQL time</b>: $endtime</span></td>
                </tr>
                </table><br />\n\n";
        }
    }

    $this->query_count++;

    $this->obj['cached_queries'][] = $the_query;

    return $this->query_id;
}

I have queries like this all over my board, tons of them..... I know it's probably so vulnerable; any "eye"-noticeable fixes that are vulnerable off the bat? Is there any way I can add mysql_real_escape_string to the global $DB->query function?
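The MySQL general log records only the statement text, so the request that produced a statement has to be recorded on the PHP side. The following is an added example, not code from the thread or from the board software, of a helper that the $DB->query() wrapper above could call just before mysql_query(); the log path is an assumption.

```php
<?php
// Added example: record which HTTP request issued each SQL statement.
// Assumed log path; the web server user must be able to append to it.
define('QUERY_CONTEXT_LOG', '/var/log/forum/query-context.log');

// One id per PHP request, shared by every query that request runs.
function request_id()
{
    static $rid = null;
    if ($rid === null) {
        $rid = uniqid();                 // correlation id only, not a secret
    }
    return $rid;
}

// Writes one log line with the request context and returns the statement with
// a comment appended, so the same id shows up in the MySQL general log.
function tag_query_for_log($the_query)
{
    $ctx = array(
        'rid'    => request_id(),
        'ip'     => isset($_SERVER['REMOTE_ADDR'])    ? $_SERVER['REMOTE_ADDR']    : '-',
        'method' => isset($_SERVER['REQUEST_METHOD']) ? $_SERVER['REQUEST_METHOD'] : '-',
        'uri'    => isset($_SERVER['REQUEST_URI'])    ? $_SERVER['REQUEST_URI']    : '-',
        // POST bodies never reach the lighttpd access log; keep the parameter
        // names here and add values only for the one form under review.
        'post'   => implode(',', array_keys($_POST)),
    );
    $line = date('c') . ' ' . json_encode($ctx) . ' '
          . preg_replace('/\s+/', ' ', $the_query) . "\n";
    file_put_contents(QUERY_CONTEXT_LOG, $line, FILE_APPEND | LOCK_EX);

    // Only the id (hex characters from uniqid) goes into the SQL comment, so no
    // user-controlled text is added to the statement.
    return $the_query . ' /* rid=' . $ctx['rid'] . ' */';
}

// In query(), after the table-prefix rewrite and before mysql_query():
//     $the_query = tag_query_for_log($the_query);
//     $this->query_id = mysql_query($the_query, $this->connection_id);
```

A suspicious statement in the MySQL log can then be looked up by its rid in query-context.log to see the URL, method and source address that issued it.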
PFMaBiSmAd Posted February 18, 2012

$ibforums->input['t'] is a numerical value, probably an integer. You would need to cast it as an integer at the time you put it into the query statement to prevent whatever sql injection, that you didn't bother to post the example of, is occurring. Using mysql_real_escape_string on an integer value in a query would not prevent sql injection since the type of sql injection that does not use any quotes would not be affected.
Monkuar (Author) Posted February 18, 2012

> $ibforums->input['t'] is a numerical value, probably an integer. You would need to cast it as an integer at the time you put it into the query statement to prevent whatever sql injection, that you didn't bother to post the example of, is occurring. Using mysql_real_escape_string on an integer value in a query would not prevent sql injection since the type of sql injection that does not use any quotes would not be affected.

But I have no idea where they are doing the queries from! So I dunno what query to give you!! Here is one from a gold mod I made.

function buyticket()
{
    global $ibforums, $DB, $std, $print;

    // Newmans checker lol
    if ($ibforums->input['amount'] < 0){
        $std->Error2("Stop being nawty");
    }
    ///

    //Figure out the id and send variables for each
    if (!$ibforums->input['id']){
        $std->Error2("Stop trying to be nawty....");
    }

    switch ($ibforums->input['id']){
        case "1";
            $name = "100FG Scratch Ticket(s)";
            $cost = "10";
            $redirect = 'Scratch Ticket';
            break;
        case "2";
            $name = "1,000FG Scratch Ticket(s)";
            $cost = "125";
            $redirect = 'Scratch Ticket';
            break;
        case "3";
            $name = "Name Stylizer Ticket";
            $cost = "1500";
            $redirect = 'Name Stylizer';
            break;
        case "4";
            $name = "Goodie Bag";
            $redirect = 'Goodie Bag';
            $cost = "1699";
            break;
    }

    If (isset($ibforums->input['amount']) AND $ibforums->input['amount'] > "100"){
        $std->Error2("You can only buy a max of 100 Tickets");
    }else{
    }

    If (isset($ibforums->input['amount'])){
        $amount2 = $ibforums->input['amount'];
    }else{
        $ibforums->input['amount'] = "1";
        $amount2 = '1';
    }

    $amount = $cost*$ibforums->input['amount'];
    $newamount = $amount;

    if ($ibforums->member['gold'] < $amount) {
        $std->Error2("You do not have enough Forum Gold you need, $amount");
    }else{
        //Check if they already have the item
        $DB->query("SELECT item_id from items where user_id = {$ibforums->member['id']} AND item_id = {$ibforums->input['id']}");
        $r2 = $DB->fetch_row();

        if ($r2['item_id'] == $ibforums->input['id']){
            //Just update and give them quantity +1
            $DB->query("UPDATE items SET quantity=quantity+$amount2,comment='Bought $name' WHERE user_id={$ibforums->member['id']} AND item_id = {$ibforums->input['id']}");
            $DB->query("UPDATE ibf_members SET gold=gold-$amount WHERE id={$ibforums->member['id']}");

            $db_string = $std->compile_db_string( array(
                'to_id'    => "0",
                'from_id'  => "{$ibforums->member['id']}",
                'comments' => "Bought {$amount2}x $name",
                //Date
                'date'     => time(),
                //0 -> Store 1 -> Receieved 2 -> Sent
                'amount'   => "$newamount",
            ) );

            $DB->query("INSERT INTO gold_logs (" .$db_string['FIELD_NAMES']. ") VALUES (". $db_string['FIELD_VALUES'] .")");

            $print->redirect_screen("$redirect Purchased", 'a=Shop&action=MyItems');
        }else{
            $DB->query("UPDATE ibf_members SET gold=gold-$amount WHERE id={$ibforums->member['id']}");

            $db_string = $std->compile_db_string( array(
                'to_id'    => "0",
                'from_id'  => "{$ibforums->member['id']}",
                'comments' => "Bought {$amount2}x $name",
                //Date
                'date'     => time(),
                //0 -> Store 1 -> Receieved 2 -> Sent
                'amount'   => "$newamount",
            ) );

            $DB->query("INSERT INTO gold_logs (" .$db_string['FIELD_NAMES']. ") VALUES (". $db_string['FIELD_VALUES'] .")");

            $db_string = $std->compile_db_string( array(
                'item_id'  => "{$ibforums->input['id']}",
                'user_id'  => "{$ibforums->member['id']}",
                'from_id'  => "0",
                'date'     => time(),
                'quantity' => ''.$amount2.'',
                'comment'  => "{$name}",
            ) );

            $DB->query("INSERT INTO items (" .$db_string['FIELD_NAMES']. ") VALUES (". $db_string['FIELD_VALUES'] .")");

            $print->redirect_screen("$redirect Purchased", 'a=Shop&action=MyItems');
        }
    }

    $this->output .= <<< LOL
LOL;
}

Now, see, the problem is, they can't access those queries unless they have gold on their account, am I right? The hacker has no gold on his profile, so I know he didn't use this. Okay, here's another query in the profile settings:

//Make sure no1 comes in...
//Update the star they chose..
if (isset($ibforums->input['remove']))
{
    $DB->query("UPDATE ibf_members set star='' WHERE id='".$this->member['id']."'");
    $print->redirect_screen("Your star has been removed.", "a=[]&c=Donor");
}

if (isset($ibforums->input['star']))
{
    // Newmans checker lol
    if ($ibforums->input['star'] < 0){
        $std->Error2("Stop being nawty");
    }

    if ($ibforums->input['star'] > $this->member['max_stars']){
        //They trying to hack my stars...
        $std->Error2("You cannot choose a star you don't have access to...");
    }else{
        $DB->query("UPDATE ibf_members set star='{$ibforums->input['star']}' WHERE id='".$this->member['id']."'");
    }
}

Would that be vulnerable? But the hacker had a max_stars of 0 anyway.... so how could they get in? But in general, are queries like this vulnerable? But isn't the $ibforums input already escaped? Or should I use mysql_real_escape on it again? I don't get it.
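Applying PFMaBiSmAd's advice to two of the queries Monkuar posted (the index query and the star update), as an added example that is not the board's own code: the integer is validated and cast where it enters the SQL, and the statement is run as a mysqli prepared statement so the value never becomes part of the SQL text. It assumes a mysqli connection $db (the board uses the old mysql_* extension) and PHP's mysqlnd driver for get_result().

```php
<?php
// Added example (not the thread's code). Assumes a mysqli connection $db and
// the board's ibf_ tables; get_result() needs the mysqlnd driver.
// 1. Validate and cast at the point of use. Escaping does nothing for an
//    unquoted number; after this the value can only be a non-negative integer.
function forum_topic_id(array $input)
{
    if (!isset($input['t']) || !ctype_digit((string) $input['t'])) {
        return 0;                       // not a plain integer: treat as "no topic"
    }
    return (int) $input['t'];
}

// 2. Prepared statement: the id travels separately from the SQL text, so it is
//    never parsed as SQL. Same query as the index page, with explicit JOINs.
function fetch_forum_row(mysqli $db, $tid)
{
    $sql = "SELECT f.*, f.name AS forum_name, f.id AS forum_id, f.posts AS forum_posts,
                   f.topics AS forum_topics, t.*, c.name AS cat_name, c.id AS cat_id,
                   c.state AS cat_state
            FROM ibf_topics t
            JOIN ibf_forums f ON f.id = t.forum_id
            JOIN ibf_categories c ON c.id = f.category
            WHERE t.tid = ?";
    $stmt = $db->prepare($sql);
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    $stmt->bind_param('i', $tid);       // 'i': bound as an integer
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row === null ? false : $row;
}

// Same pattern for the star update from the donor page; out-of-range is refused.
function set_member_star(mysqli $db, $member_id, $star, $max_stars)
{
    $star = (int) $star;
    if ($star < 0 || $star > (int) $max_stars) {
        return false;
    }
    $stmt = $db->prepare("UPDATE ibf_members SET star = ? WHERE id = ?");
    if ($stmt === false) return false;
    $stmt->bind_param('ii', $star, $member_id);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}
```

On the index page the call becomes fetch_forum_row($db, forum_topic_id($ibforums->input)); the shop's item_id and amount, which also arrive as numbers, get the same two steps.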
livethedead Posted February 18, 2012

edit: nvm delete please