smith.james0 Posted May 24, 2014 Share Posted May 24, 2014 (edited) Over the last few weeks I have had people trying to access the following urls and some similar index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&cid=20&6bc427c8a7981f4fe1f5ac65c1246b5f=cf6dd3cf1923c950586d0dd595c8e20b by BOT for JCE /includes/exit.php?ID=999999.9 /*!30000union all select 0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x3130323 /index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&cid=20&6bc427c8a7981f4fe1f5ac65c1246b5f=cf6dd3cf1923c950586d0dd595c8e20b what are these urls trying to do and should I be worried? James Edited May 24, 2014 by requinix unlinking Quote Link to comment https://forums.phpfreaks.com/topic/288732-what-is-happening-here/ Share on other sites More sharing options...
requinix Posted May 24, 2014 Share Posted May 24, 2014 (edited) Really shouldn't be putting actual links to potentially bad things in your post. Especially when the links go back to your own site. So I've edited out the linking-ness for you. First one is an attempt at SQL injection, hoping that you did something like "SELECT * FROM table WHERE ID = {$_GET['ID']}"thus resulting in "SELECT * FROM table WHERE ID = 999999.9 /*!30000union all select (hex stuff)"which uses a sort of conditional commenting feature in MySQL that will parse the comment itself for versions of MySQL >= 3.00.00 and become "SELECT * FROM table WHERE ID = 999999.9 union all select (hex stuff)"The second one... could be normal, I don't know your application. If you don't recognize that then it's probably probing for a vulnerability in whatever that JCE thing is I don't know I'm too lazy to Google for what it is at 2am. Edited May 24, 2014 by requinix Quote Link to comment https://forums.phpfreaks.com/topic/288732-what-is-happening-here/#findComment-1480690 Share on other sites More sharing options...
Jacques1 Posted May 24, 2014 Share Posted May 24, 2014 what are these urls trying to do and should I be worried? If only we could search the Internet and find out what other people have to say about this. It's an automated attack from a certain SQL injection tool trying to get information out of your database. This is nothing spectacular, but it's the right time to check your application and make sure everything is secure. Is your software up to date? Are there any known vulnerabilities? Google will, again, help you with that. If you've have written custom scripts, double-check them for vulnerabilities as well. Quote Link to comment https://forums.phpfreaks.com/topic/288732-what-is-happening-here/#findComment-1480699 Share on other sites More sharing options...
smith.james0 Posted May 24, 2014 Author Share Posted May 24, 2014 Thanks for the answers for the variable thats passed in the url I have a function to check if it's kosher. function checkID($id){ $ID = mysql_real_escape_string($id); $ID = strip_tags($ID); if (is_numeric($ID) != TRUE){ $return[1] = "false"; }else{ $return[1] = "true"; $return[2] = $ID; } return $return; } Where I use words in a url variable, I check to see if the words appears in a array of allowed words. If it appears then I use the word to query the db. if (in_array($Category, $Category_array)) { $sql_Category = $Category; } What do you think? James Quote Link to comment https://forums.phpfreaks.com/topic/288732-what-is-happening-here/#findComment-1480701 Share on other sites More sharing options...
Jacques1 Posted May 24, 2014 Share Posted May 24, 2014 This all looks rather weird. What is this awful strip_tags() supposed to do? Why the "true" and the "false" string? Why all this extra code? It's generally not very useful to concentrate on this one variable and spend your time adding all kinds of questionable extra protection. You should check all input and apply standard protection: You escape the value with mysql_real_escape_string() and wrap the result in quotes. This is done right in the SQL query string: $some_query = ' SELECT ... WHERE some_id = "' . mysql_real_escape_string($some_id) . '" '; Don't forget the quotes. The strip_tags() function has nothing to do with SQL. It's supposed to remove HTML tags, but it works so badly that you usually end up mangling your data. Quote Link to comment https://forums.phpfreaks.com/topic/288732-what-is-happening-here/#findComment-1480704 Share on other sites More sharing options...
smith.james0 Posted May 24, 2014 Author Share Posted May 24, 2014 Thanks for that, I will change it. The "true" and the "false" are used incase "ID" is void, if true select the ID from db, if false pick an ID at random to select from db. James Quote Link to comment https://forums.phpfreaks.com/topic/288732-what-is-happening-here/#findComment-1480730 Share on other sites More sharing options...
smith.james0 Posted May 26, 2014 Author Share Posted May 26, 2014 Really shouldn't be putting actual links to potentially bad things in your post. Especially when the links go back to your own site. So I've edited out the linking-ness for you. First one is an attempt at SQL injection, hoping that you did something like "SELECT * FROM table WHERE ID = {$_GET['ID']}"thus resulting in "SELECT * FROM table WHERE ID = 999999.9 /*!30000union all select (hex stuff)"which uses a sort of conditional commenting feature in MySQL that will parse the comment itself for versions of MySQL >= 3.00.00 and become "SELECT * FROM table WHERE ID = 999999.9 union all select (hex stuff)"The second one... could be normal, I don't know your application. If you don't recognize that then it's probably probing for a vulnerability in whatever that JCE thing is I don't know I'm too lazy to Google for what it is at 2am. How did you decode that? I have looked on Google but there are no explanations James Quote Link to comment https://forums.phpfreaks.com/topic/288732-what-is-happening-here/#findComment-1480961 Share on other sites More sharing options...
Jacques1 Posted May 26, 2014 Share Posted May 26, 2014 Let me Google that for you again: “0x31303235343830303536” No explanations? The first page starts with three Stack Overflow threads explaining exactly what this is and even which tool it comes from. What more do you need? Quote Link to comment https://forums.phpfreaks.com/topic/288732-what-is-happening-here/#findComment-1480966 Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.