ben_1uk Posted April 2, 2013 Share Posted April 2, 2013 Hi everyone, I'm hoping someone far more knowledgeable than myself can help out with an issue that has started over the last couple of weeks. I am receiving E-mails generated by my SQL database 'functions.php' file containing what looks to be the results of someone entering spurious search queries on one of my websites. I have included an example below: SELECT p.page_title, p.page_url, COUNT(*) AS occurrences FROM search_page p, search_word w, search_occurrence o WHERE p.id = o.page AND w.id = o.word AND (w.word = 'xksvonbwfsnbudi' OR w.word = 'href=httpindianautoobservercomfemale' OR w.word = 'viagra' OR w.word = 'alternativea' OR w.word = 'wnwgpop' OR w.word = 'url=httpindianautoobservercomyang' OR w.word = 'mei' OR w.word = 'viagra' OR w.word = ''guangzhou'url' OR w.word = 'ehjwsjg' OR w.word = 'httpindianautoobservercom' OR w.word = 'viagra' OR w.word = 'prescription' OR w.word = 'jajfabw' OR w.word = 'href=httpwwwyaleacsorgbuy' OR w.word = 'viagra' OR w.word = 'interneta' OR w.word = 'hhjuxid' OR w.word = 'url=httpwwwyaleacsorghow' OR w.word = 'viagra' OR w.word = 'worksurl' OR w.word = 'kkwuvbc' OR w.word = 'httpwwwyaleacsorg' OR w.word = 'get' OR w.word = 'viagra' OR w.word = 'wxottqn' OR w.word = 'href=httpksign-mallcomwhat' OR w.word = 'metronidazole' OR w.word = 'used' OR w.word = 'for' OR w.word = 'dogsa' OR w.word = 'uthzket' OR w.word = 'url=httpksign-mallcommetronidazole' OR w.word = 'vaginal' OR w.word = 'gelurl' OR w. word = 'qajooff' OR w.word = 'httpksign-mallcom' OR w.word = 'metronidazole' OR w.word = 'dose' OR w.word = 'agdlvut' OR w.word = 'href=httpwwwmetacafecomchannelsjwannrichard' OR w.word = 'jeremiah' OR w.word = 'wanna' OR w.word = 'mpsswty' OR w.word = 'url=httpwwwmetacafecomchannelsjwannrichard' OR w.word = 'jeremiah' OR w.word = 'wannurl' OR w.word = 'qefwnsd' OR w.word = 'httpwwwmetacafecomchannelsjwann' OR w.word = 'richard' OR w.word = 'jeremiah' OR w.word = 'wann' OR w.word = 'svalyyw' OR w.word = 'href=httpgenf20-directcomgenf20' OR w.word = 'hgh' OR w.word = 'releasera' OR w.word = 'rttnfdx' OR w.word = 'url=httpgenf20-directcomgenf20url' OR w.word = 'egjipkc' OR w.word = 'httpgenf20-directcom' OR w.word = 'genf20' OR w.word = 'leading' OR w.word = 'edge' OR w.word = 'herbals' OR w.word = 'tlfsril' OR w.word = 'href=httphidecornetanyoption-reviewany' OR w.word = 'optiona' OR w.word = 'mvgfgum' OR w.word = 'url=httphidecornetanyoption-reviewanyoption' OR w.word = 'tra dingurl' OR w.word = 'ovyjjoy' OR w.word = 'httphidecornetanyoption-review' OR w.word = 'anyoption' OR w.word = 'trading' OR w.word = 'vxwmsft') GROUP BY p.id ORDER BY occurrences DESC LIMIT 0 , 10 Can someone please explain what is going on here and, in layman's terms, what actions I need to take. Many thanks in advance, Ben1uk Quote Link to comment https://forums.phpfreaks.com/topic/276418-mysql_fetch_array-query/ Share on other sites More sharing options...
requinix Posted April 2, 2013 Share Posted April 2, 2013 (edited) Looks like you strip out non-alphanumeric characters? Someone's botting your search page with spam, thinking it might be a kind of comment form or something. Is it causing a problem? Something you can just ignore? They'll leave once they realize they're not accomplishing anything. Edited April 2, 2013 by requinix Quote Link to comment https://forums.phpfreaks.com/topic/276418-mysql_fetch_array-query/#findComment-1422420 Share on other sites More sharing options...
ben_1uk Posted April 2, 2013 Author Share Posted April 2, 2013 Looks like you strip out non-alphanumeric characters? Someone's botting your search page with spam, thinking it might be a kind of comment form or something. Is it causing a problem? Something you can just ignore? They'll leave once they realize they're not accomplishing anything. Hi requinix, Thank you for the quick response. I've not had experience of anything like this before and having spoken to somebody else about this, they mentioned that the below was an attempt to pull data from the database using the 'SELECT' command??? My primary concern is somebody being able to gain access to my SQL data or change the website in any way, shape or form. However, you state above 'they'll leave once they realize they're not accomplishing anything'. Are you saying the 'attack' is not anything to worry about? It has caused me a few sleepless nights over the Easter hols! Can you offer any more of an insight as to what is actually happening, or what the robot is attempting to achieve? Quote Link to comment https://forums.phpfreaks.com/topic/276418-mysql_fetch_array-query/#findComment-1422423 Share on other sites More sharing options...
requinix Posted April 2, 2013 Share Posted April 2, 2013 I'm saying it's not an attack. Look at what's in the query. href=httpindianautoobservercomfemale url=httpindianautoobservercomyang httpksign-mallcom tradingThat's HTML and BBCode and straight up URLs and spam terms. For spam. They're spamming. SQL injection will have keywords like "SELECT" or pieces like "1=1". Quote Link to comment https://forums.phpfreaks.com/topic/276418-mysql_fetch_array-query/#findComment-1422485 Share on other sites More sharing options...
ben_1uk Posted April 3, 2013 Author Share Posted April 3, 2013 I'm saying it's not an attack. Look at what's in the query. href=httpindianautoobservercomfemale url=httpindianautoobservercomyang httpksign-mallcom tradingThat's HTML and BBCode and straight up URLs and spam terms. For spam. They're spamming. SQL injection will have keywords like "SELECT" or pieces like "1=1". Hi requinix, Thanks again for your help and advise. However, the above example I posted originally did contain 'SELECT', but it doesn't appear to have been entered by the 'bot'. If I'm understanding it correctly (I'm new to PHP and SQL driven websites), the 'SELECT' command has been generated by the 'functions.php' file working on the database..? So long as my SQL database isn't at risk from this 'attack'... Quote Link to comment https://forums.phpfreaks.com/topic/276418-mysql_fetch_array-query/#findComment-1422615 Share on other sites More sharing options...
requinix Posted April 3, 2013 Share Posted April 3, 2013 ... What you posted is way too specific to be actual input from a user. Also doesn't make sense to enter search terms like that when you can run arbitrary SQL. So that's the SQL generated by your site, which you are supposed to be familiar with, including information provided by the user. The spam information. I can't know more about your site than you do but I can tell you with reasonable certainty that it was neither an attack nor was putting your site at risk. With that said, go learn how your own site works. Quote Link to comment https://forums.phpfreaks.com/topic/276418-mysql_fetch_array-query/#findComment-1422696 Share on other sites More sharing options...
ben_1uk Posted December 5, 2013 Author Share Posted December 5, 2013 Hello again, Following on from the above series of posts, I received a series of emails yesterday containing the below: SELECT p.id as parentID, p.name as parentName, p.description, p.logo as parentLogo, p.parent, p.active FROM com_catalogue_category p LEFT JOIN com_catalogue_category c ON (c.id = p.parent) WHERE p.id = '56' and 5=6 union select concat(0x5E252421,ifnull(`id`,0x4E554C4C),char(9),ifnull(`email`,0x4E554C4C),char(9),ifnull(`password`,0x4E554C4C),char(9),0x2A5B7D2F),2 from `maver_user`.`users` where email like 0x25676F6F676C656D61696C2E25 limit 86,1 -- And '6'='6' Can anyone please advise what is happening in the above example? Thank you, Ben_1uk Quote Link to comment https://forums.phpfreaks.com/topic/276418-mysql_fetch_array-query/#findComment-1461323 Share on other sites More sharing options...
requinix Posted December 5, 2013 Share Posted December 5, 2013 0x... is a way of getting a string into SQL without needing quotes. mysql> SELECT 0x5E252421, 0x4E554C4C, 0x2A5B7D2F, 0x25676F6F676C656D61696C2E25 ; +------------+------------+------------+------------------------------+ | 0x5E252421 | 0x4E554C4C | 0x2A5B7D2F | 0x25676F6F676C656D61696C2E25 | +------------+------------+------------+------------------------------+ | ^%$! | NULL | *[}/ | %googlemail.% | +------------+------------+------------+------------------------------+What they're doing there is trying to get IDs, emails, and passwords from the maver_user.users table. It's failing for a couple reasons: the number of fields doesn't match the rest of the query (6 in the first half, 1 in the second), and you probably don't have that table. The SQL injection is with the 56 in WHERE p.id = '56' Quote Link to comment https://forums.phpfreaks.com/topic/276418-mysql_fetch_array-query/#findComment-1461394 Share on other sites More sharing options...
ben_1uk Posted December 10, 2013 Author Share Posted December 10, 2013 0x... is a way of getting a string into SQL without needing quotes. mysql> SELECT 0x5E252421, 0x4E554C4C, 0x2A5B7D2F, 0x25676F6F676C656D61696C2E25 ; +------------+------------+------------+------------------------------+ | 0x5E252421 | 0x4E554C4C | 0x2A5B7D2F | 0x25676F6F676C656D61696C2E25 | +------------+------------+------------+------------------------------+ | ^%$! | NULL | *[}/ | %googlemail.% | +------------+------------+------------+------------------------------+What they're doing there is trying to get IDs, emails, and passwords from the maver_user.users table. It's failing for a couple reasons: the number of fields doesn't match the rest of the query (6 in the first half, 1 in the second), and you probably don't have that table. The SQL injection is with the 56 in WHERE p.id = '56' Thank you for your response requinix, Next question is what can I do to prevent this information falling into the wrong hands? Quote Link to comment https://forums.phpfreaks.com/topic/276418-mysql_fetch_array-query/#findComment-1461945 Share on other sites More sharing options...
requinix Posted December 10, 2013 Share Posted December 10, 2013 Fix the exploit. Quote Link to comment https://forums.phpfreaks.com/topic/276418-mysql_fetch_array-query/#findComment-1462000 Share on other sites More sharing options...
ben_1uk Posted December 11, 2013 Author Share Posted December 11, 2013 Fix the exploit. Well, obviously. However, I'm not much of a PHP buff so any further advice or links to further reading would be appreciated. Thank you, Ben_1uk Quote Link to comment https://forums.phpfreaks.com/topic/276418-mysql_fetch_array-query/#findComment-1462050 Share on other sites More sharing options...
requinix Posted December 11, 2013 Share Posted December 11, 2013 OWASP is a good place to start, like their Top Ten Project listing the worst flaws for web applications. Quote Link to comment https://forums.phpfreaks.com/topic/276418-mysql_fetch_array-query/#findComment-1462104 Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.