
Hi everyone,

 

I'm hoping someone far more knowledgeable than myself can help out with an issue that has started over the last couple of weeks.

 

I am receiving E-mails generated by my SQL database 'functions.php' file containing what looks to be the results of someone entering spurious search queries on one of my websites. I have included an example below:

 

SELECT p.page_title, p.page_url, COUNT(*) AS occurrences
    FROM search_page p, search_word w, search_occurrence o
    WHERE p.id = o.page AND w.id = o.word AND (w.word = 'xksvonbwfsnbudi' OR w.word = 'href=httpindianautoobservercomfemale' OR w.word = 'viagra' OR w.word = 'alternativea' OR w.word = 'wnwgpop' OR w.word = 'url=httpindianautoobservercomyang' OR w.word = 'mei' OR w.word = 'viagra' OR w.word = ''guangzhou'url' OR w.word = 'ehjwsjg' OR w.word = 'httpindianautoobservercom' OR w.word = 'viagra' OR w.word = 'prescription' OR w.word = 'jajfabw' OR w.word = 'href=httpwwwyaleacsorgbuy' OR w.word = 'viagra' OR w.word = 'interneta' OR w.word = 'hhjuxid' OR w.word = 'url=httpwwwyaleacsorghow' OR w.word = 'viagra' OR w.word = 'worksurl' OR w.word = 'kkwuvbc' OR w.word = 'httpwwwyaleacsorg' OR w.word = 'get' OR w.word = 'viagra' OR w.word = 'wxottqn' OR w.word = 'href=httpksign-mallcomwhat' OR w.word = 'metronidazole' OR w.word = 'used' OR w.word = 'for' OR w.word = 'dogsa' OR w.word = 'uthzket' OR w.word = 'url=httpksign-mallcommetronidazole' OR w.word = 'vaginal' OR w.word = 'gelurl' OR w.word = 'qajooff' OR w.word = 'httpksign-mallcom' OR w.word = 'metronidazole' OR w.word = 'dose' OR w.word = 'agdlvut' OR w.word = 'href=httpwwwmetacafecomchannelsjwannrichard' OR w.word = 'jeremiah' OR w.word = 'wanna' OR w.word = 'mpsswty' OR w.word = 'url=httpwwwmetacafecomchannelsjwannrichard' OR w.word = 'jeremiah' OR w.word = 'wannurl' OR w.word = 'qefwnsd' OR w.word = 'httpwwwmetacafecomchannelsjwann' OR w.word = 'richard' OR w.word = 'jeremiah' OR w.word = 'wann' OR w.word = 'svalyyw' OR w.word = 'href=httpgenf20-directcomgenf20' OR w.word = 'hgh' OR w.word = 'releasera' OR w.word = 'rttnfdx' OR w.word = 'url=httpgenf20-directcomgenf20url' OR w.word = 'egjipkc' OR w.word = 'httpgenf20-directcom' OR w.word = 'genf20' OR w.word = 'leading' OR w.word = 'edge' OR w.word = 'herbals' OR w.word = 'tlfsril' OR w.word = 'href=httphidecornetanyoption-reviewany' OR w.word = 'optiona' OR w.word = 'mvgfgum' OR w.word = 'url=httphidecornetanyoption-reviewanyoption' OR w.word = 'tra  dingurl' OR w.word = 'ovyjjoy' OR w.word = 'httphidecornetanyoption-review' OR w.word = 'anyoption' OR w.word = 'trading' OR w.word = 'vxwmsft')
    GROUP BY p.id
    ORDER BY occurrences DESC
    LIMIT 0 , 10

Can someone please explain what is going on here and, in layman's terms, what actions I need to take.

 

Many thanks in advance,

Ben1uk

https://forums.phpfreaks.com/topic/276418-mysql_fetch_array-query/

Looks like you strip out non-alphanumeric characters? Someone's botting your search page with spam, thinking it might be a kind of comment form or something.

 

Is it causing a problem? Something you can just ignore? They'll leave once they realize they're not accomplishing anything.

Edited by requinix


Hi requinix,

 

Thank you for the quick response. I've not had experience of anything like this before and having spoken to somebody else about this, they mentioned that the below was an attempt to pull data from the database using the 'SELECT' command???

 

My primary concern is somebody being able to gain access to my SQL data or change the website in any way, shape or form. However, you state above 'they'll leave once they realize they're not accomplishing anything'. Are you saying the 'attack' is not anything to worry about? It has caused me a few sleepless nights over the Easter hols!

 

Can you offer any more of an insight as to what is actually happening, or what the robot is attempting to achieve?

I'm saying it's not an attack. Look at what's in the query.

href=httpindianautoobservercomfemale
url=httpindianautoobservercomyang
httpksign-mallcom
trading
That's HTML and BBCode and straight up URLs and spam terms. For spam. They're spamming. SQL injection will have keywords like "SELECT" or pieces like "1=1".

 


Hi requinix,

Thanks again for your help and advice. However, the above example I posted originally did contain 'SELECT', but it doesn't appear to have been entered by the 'bot'. If I'm understanding it correctly (I'm new to PHP and SQL driven websites), the 'SELECT' command has been generated by the 'functions.php' file working on the database..?

 

So long as my SQL database isn't at risk from this 'attack'...

...

 

What you posted is way too specific to be actual input from a user. Also doesn't make sense to enter search terms like that when you can run arbitrary SQL.

So that's the SQL generated by your site, which you are supposed to be familiar with, including information provided by the user. The spam information.

 

I can't know more about your site than you do but I can tell you with reasonable certainty that it was neither an attack nor was putting your site at risk.

 

With that said, go learn how your own site works.

  • 8 months later...

Hello again,

 

Following on from the above series of posts, I received a series of emails yesterday containing the below:

SELECT p.id as parentID, p.name as parentName, p.description,  p.logo as parentLogo, p.parent, p.active FROM com_catalogue_category p
              LEFT JOIN com_catalogue_category c ON (c.id = p.parent)
              WHERE p.id = '56' and 5=6 union select concat(0x5E252421,ifnull(`id`,0x4E554C4C),char(9),ifnull(`email`,0x4E554C4C),char(9),ifnull(`password`,0x4E554C4C),char(9),0x2A5B7D2F),2 from `maver_user`.`users`  where email like 0x25676F6F676C656D61696C2E25 limit 86,1  --  And '6'='6'

Can anyone please advise what is happening in the above example?

 

Thank you,

Ben_1uk

0x... is a way of getting a string into SQL without needing quotes.

mysql> SELECT 0x5E252421, 0x4E554C4C, 0x2A5B7D2F, 0x25676F6F676C656D61696C2E25 ;
+------------+------------+------------+------------------------------+
| 0x5E252421 | 0x4E554C4C | 0x2A5B7D2F | 0x25676F6F676C656D61696C2E25 |
+------------+------------+------------+------------------------------+
| ^%$!       | NULL       | *[}/       | %googlemail.%                |
+------------+------------+------------+------------------------------+
What they're doing there is trying to get IDs, emails, and passwords from the maver_user.users table. It's failing for a couple reasons: the number of fields doesn't match the rest of the query (6 in the first half, 1 in the second), and you probably don't have that table.

 

The SQL injection is with the 56 in

WHERE p.id = '56'
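As an added example (not code from this thread or from the site in question), a small Python triage script that does what requinix did by hand: it decodes MySQL 0x... literals and separates the spam-search noise from the first post from the UNION injection in the second. The two sample queries are constructed from the queries posted above, trimmed to fit.

```python
import re

# Constructed samples, trimmed from the two queries posted in this thread.
SPAM_QUERY = ("SELECT p.page_title, p.page_url, COUNT(*) AS occurrences FROM search_page p, search_word w, "
              "search_occurrence o WHERE p.id = o.page AND w.id = o.word AND (w.word = 'viagra' "
              "OR w.word = 'href=httpindianautoobservercomfemale' OR w.word = 'url=httpksign-mallcom') "
              "GROUP BY p.id ORDER BY occurrences DESC LIMIT 0 , 10")
INJECTED_QUERY = ("SELECT p.id as parentID, p.name as parentName FROM com_catalogue_category p "
                  "WHERE p.id = '56' and 5=6 union select concat(0x5E252421,ifnull(`id`,0x4E554C4C),"
                  "char(9),ifnull(`email`,0x4E554C4C),char(9),ifnull(`password`,0x4E554C4C),char(9),"
                  "0x2A5B7D2F),2 from `maver_user`.`users`  where email like 0x25676F6F676C656D61696C2E25 "
                  "limit 86,1  --  And '6'='6'")

# MySQL hex literal: 0x followed by whole bytes (odd-length literals are skipped).
HEX_LITERAL = re.compile(r"\b0x((?:[0-9A-Fa-f]{2})+)\b")

# A leading SELECT is the application's own. Evidence of injection is a second SELECT spliced
# in with UNION, a comment that discards the real tail of the query, or a tautology like '6'='6'.
MARKERS = [
    ("union_select", re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I)),
    ("comment_tail", re.compile(r"--\s|/\*")),
    ("tautology",    re.compile(r"\b(\d+)\s*=\s*\1\b|'(\w+)'\s*=\s*'\2'")),
    ("hex_literal",  HEX_LITERAL),
    ("schema_probe", re.compile(r"\b(?:information_schema|users?|password)\b", re.I)),
]

def decode_hex_literals(sql):
    """Map every 0x... literal in the query to the string the MySQL server would read it as."""
    return {"0x" + h: bytes.fromhex(h).decode("latin-1") for h in HEX_LITERAL.findall(sql)}

def injection_target(sql):
    """Table named by the spliced-in SELECT, or None when the query has no UNION."""
    m = re.search(r"\bunion\s+(?:all\s+)?select\b.*?\bfrom\s+([`\w.]+)", sql, re.I | re.S)
    return m.group(1).replace("`", "") if m else None

def classify(sql):
    """Return ('injection' | 'noise', [names of the markers that fired]) for one e-mailed query."""
    hits = [name for name, rx in MARKERS if rx.search(sql)]
    strong = {"union_select", "comment_tail", "tautology"}
    return ("injection" if strong & set(hits) else "noise"), hits

if __name__ == "__main__":
    for q in (SPAM_QUERY, INJECTED_QUERY):
        verdict, hits = classify(q)
        print(verdict, hits, injection_target(q), decode_hex_literals(q))
```

The script only triages what the e-mails already contain; the fix in the site's own PHP is to bind the id as a query parameter (prepared statement) instead of concatenating it into the SQL string.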


Thank you for your response requinix,

 

Next question is what can I do to prevent this information falling into the wrong hands?
