ben_1uk Posted April 16, 2014 Share Posted April 16, 2014 Hi all, I'm hoping someone can advise on the below MySQL result resource that I'm receiving via Email: SELECT p.id as parentID, p.name as parentName, p.description, p.logo as parentLogo, p.parent, p.active FROM com_catalogue_category p LEFT JOIN com_catalogue_category c ON (c.id = p.parent) WHERE p.id = '56' and 5=6 union select concat(0x5E252421,ifnull(`id`,0x4E554C4C),char(9),ifnull(`email`,0x4E554C4C),char(9),ifnull(`password`,0x4E554C4C),char( 9),0x2A5B7D2F),2 from `maver_user`.`users` where email like 0x252E25 limit 1498,1 -- And '6'='6' My inbox is being spammed with the above message and it's not a query I have ran? Any help would be appreciated. Thank you, Ben_1uk Quote Link to comment https://forums.phpfreaks.com/topic/287810-strange-db-query-result/ Share on other sites More sharing options...
adam_bray Posted April 16, 2014 Share Posted April 16, 2014 Is the first part of the query yours? SELECT p.id as parentID, p.name as parentName, p.description, p.logo as parentLogo, p.parent, p.active FROM com_catalogue_category p LEFT JOIN com_catalogue_category c ON (c.id = p.parent) WHERE p.id = '56' If so then it looks like you need to secure your queries as someone has tried to run a second query to get user details from a user table. union select concat(0x5E252421,ifnull(`id`,0x4E554C4C),char(9),ifnull(`email`,0x4E554C4C),char(9),ifnull(`password`,0x4E554C4C),char( 9),0x2A5B7D2F),2 from `maver_user`.`users` where email like 0x252E25 limit 1498,1 -- And '6'='6' Quote Link to comment https://forums.phpfreaks.com/topic/287810-strange-db-query-result/#findComment-1476330 Share on other sites More sharing options...
ben_1uk Posted April 16, 2014 Author Share Posted April 16, 2014 Is the first part of the query yours? SELECT p.id as parentID, p.name as parentName, p.description, p.logo as parentLogo, p.parent, p.active FROM com_catalogue_category p LEFT JOIN com_catalogue_category c ON (c.id = p.parent) WHERE p.id = '56' If so then it looks like you need to secure your queries as someone has tried to run a second query to get user details from a user table. union select concat(0x5E252421,ifnull(`id`,0x4E554C4C),char(9),ifnull(`email`,0x4E554C4C),char(9),ifnull(`password`,0x4E554C4C),char( 9),0x2A5B7D2F),2 from `maver_user`.`users` where email like 0x252E25 limit 1498,1 -- And '6'='6' Thanks for the quick reply adam_bray. I'm receiving literally 80-100 Emails with the same result every 10 minutes or so! What is the best way of making the query more secure? Quote Link to comment https://forums.phpfreaks.com/topic/287810-strange-db-query-result/#findComment-1476331 Share on other sites More sharing options...
jazzman1 Posted April 16, 2014 Share Posted April 16, 2014 What is the best way of making the query more secure? Prepared statement and change the old mysql_* library to mysqli_* or pdo_mysql if it's possible. Quote Link to comment https://forums.phpfreaks.com/topic/287810-strange-db-query-result/#findComment-1476332 Share on other sites More sharing options...
ben_1uk Posted April 16, 2014 Author Share Posted April 16, 2014 Would it be safe to post the .php file handling the DB query result here for someone to have a look at or not? Quote Link to comment https://forums.phpfreaks.com/topic/287810-strange-db-query-result/#findComment-1476333 Share on other sites More sharing options...
jazzman1 Posted April 16, 2014 Share Posted April 16, 2014 Yes, of course, just mask your database credentials when posting your script. Also, use the forum's [ code ] code tags when providing code. Quote Link to comment https://forums.phpfreaks.com/topic/287810-strange-db-query-result/#findComment-1476334 Share on other sites More sharing options...
ben_1uk Posted April 16, 2014 Author Share Posted April 16, 2014 Yes, of course, just mask your database credentials when posting your script. Also, use the forum's [ code ] code tags when providing code. I cannot see any database credentials confirmed in the db.php file. I assume you're referring to specifics such as username, password, etc..? Quote Link to comment https://forums.phpfreaks.com/topic/287810-strange-db-query-result/#findComment-1476338 Share on other sites More sharing options...
jazzman1 Posted April 16, 2014 Share Posted April 16, 2014 A credential is a record that contains the authentication information (credentials) such as a server address, username, password etc... required to connect to a resource outside MySQL. Quote Link to comment https://forums.phpfreaks.com/topic/287810-strange-db-query-result/#findComment-1476340 Share on other sites More sharing options...
ben_1uk Posted April 16, 2014 Author Share Posted April 16, 2014 A credential is a record that contains the authentication information (credentials) such as a server address, username, password etc... required to connect to a resource outside MySQL. Sorry to be thick Jazzman, but could you give me an example of what you mean? Thanks. Quote Link to comment https://forums.phpfreaks.com/topic/287810-strange-db-query-result/#findComment-1476341 Share on other sites More sharing options...
ben_1uk Posted April 16, 2014 Author Share Posted April 16, 2014 The lines from the script mentioned in the email are stated below. function dbQuery ($query) { $result = mysql_query($query); return $result; } function dbAll ($result) { $rows = array(); while ($row = mysql_fetch_array($result, MYSQL_ASSOC)) { array_push($rows, $row); } return $rows; } function dbFree ($result) { mysql_free_result($result); } ?> Quote Link to comment https://forums.phpfreaks.com/topic/287810-strange-db-query-result/#findComment-1476350 Share on other sites More sharing options...
boompa Posted April 16, 2014 Share Posted April 16, 2014 Jeez, you've been at this for a while! Why haven't you taken requinix's advice and fixed the exploit? Quote Link to comment https://forums.phpfreaks.com/topic/287810-strange-db-query-result/#findComment-1476362 Share on other sites More sharing options...
jazzman1 Posted April 16, 2014 Share Posted April 16, 2014 My suggestion would be to hire some programmer to replace the old mysql_* library to mysqli_* or pdo_mysql and fixing the issue with sql injection. For the question above it could be much more secure to escape the value in sql statement before to call mysql_query function. $var = 1; $query = sprintf("SELECT p.id as parentID, p.name as parentName, p.description, p.logo as parentLogo, p.parent, p.active FROM com_catalogue_category p LEFT JOIN com_catalogue_category c ON (c.id = p.parent) WHERE p.id = %u", intval($var)); function dbQuery ($query) { $result = mysql_query($query); return $result; } There is a ton of examples on the web how to prevent a sql injection in php using the mysql server. Quote Link to comment https://forums.phpfreaks.com/topic/287810-strange-db-query-result/#findComment-1476365 Share on other sites More sharing options...
ben_1uk Posted April 16, 2014 Author Share Posted April 16, 2014 Jeez, you've been at this for a while! Why haven't you taken requinix's advice and fixed the exploit? Because I don't know how to. I'm trying! Quote Link to comment https://forums.phpfreaks.com/topic/287810-strange-db-query-result/#findComment-1476366 Share on other sites More sharing options...
ben_1uk Posted April 16, 2014 Author Share Posted April 16, 2014 My suggestion would be to hire some programmer to replace the old mysql_* library to mysqli_* or pdo_mysql and fixing the issue with sql injection. For the question above it could be much more secure to escape the value in sql statement before to call mysql_query function. $var = 1; $query = sprintf("SELECT p.id as parentID, p.name as parentName, p.description, p.logo as parentLogo, p.parent, p.active FROM com_catalogue_category p LEFT JOIN com_catalogue_category c ON (c.id = p.parent) WHERE p.id = %u", intval($var)); function dbQuery ($query) { $result = mysql_query($query); return $result; } There is a ton of examples on the web how to prevent a sql injection in php using the mysql server. Something like this (placed after the db connection script)? What is WHERE p.id = %u? $var = 1; $query = sprintf("SELECT p.id as parentID, p.name as parentName, p.description, p.logo as parentLogo, p.parent, p.active FROM com_catalogue_category p LEFT JOIN com_catalogue_category c ON (c.id = p.parent) WHERE p.id = %u", intval($var)); function dbAll ($result) { $rows = array(); while ($row = mysql_fetch_array($result, MYSQL_ASSOC)) { array_push($rows, $row); } return $rows; } function dbFree ($result) { mysql_free_result($result); } Quote Link to comment https://forums.phpfreaks.com/topic/287810-strange-db-query-result/#findComment-1476367 Share on other sites More sharing options...
adam_bray Posted April 16, 2014 Share Posted April 16, 2014 Find where that query is coming from and post the .php file here (in code tags), preferably only the relevant section / lines. The code you posted above is just your query function, it has nothing to do with the problem. Quote Link to comment https://forums.phpfreaks.com/topic/287810-strange-db-query-result/#findComment-1476368 Share on other sites More sharing options...
ben_1uk Posted April 16, 2014 Author Share Posted April 16, 2014 Find where that query is coming from and post the .php file here (in code tags), preferably only the relevant section / lines. The code you posted above is just your query function, it has nothing to do with the problem. I believe I have found the .php file the query is coming from. However, I'm not sure if I have included the right code as there are a number of similar looking queries contained within the same script (I didn't code this myself). <?php if(isset($_GET['id']) && is_numeric($_GET['id'])) { $query = "SELECT category from com_catalogue WHERE id = '" . mysql_real_escape_string($_GET['id']) . "'"; $result = dbQuery ($query); $itemCategory = dbAll($result); dbFree ($result); foreach ($itemCategory as $i) { $category = $i['category']; } } // ID is a number $query = "SELECT p.id as parentID, p.name as parentName, p.description, p.logo as parentLogo, p.parent, p.active FROM com_catalogue_category p LEFT JOIN com_catalogue_category c ON (c.id = p.parent) WHERE p.id = '" . $category . "'"; $result = dbQuery ($query); $currentCategory = dbAll($result); dbFree ($result); Quote Link to comment https://forums.phpfreaks.com/topic/287810-strange-db-query-result/#findComment-1476380 Share on other sites More sharing options...
mac_gyver Posted April 16, 2014 Share Posted April 16, 2014 (edited) sorry to jump in here, but the code you have on your site has a much more serious problem than just fixing the code above that's selecting information. the code somewhere in it has allowed a bot script/hacker to insert/update the category information in your com_catalogue database table. that injected sql is present in your database table. is this script some sort of open source shopping cart or where/how did you obtain it? the reason i ask is based on the security holes, inefficient/amateurish code, and outdated usage of mysql_ functions, it should be scrapped and replaced or completely rewritten. edit: i guess it's also possible that $category is being set through some other means, like register_globals or via some $_GET logic above the posted code, and is not coming from the first query in the posted code. in any case, this code is not secure and fixing one small part isn't going to make it a secure script. Edited April 16, 2014 by mac_gyver Quote Link to comment https://forums.phpfreaks.com/topic/287810-strange-db-query-result/#findComment-1476387 Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.