Over the last few weeks I have had people trying to access the following URLs and some similar ones

 

index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&cid=20&6bc427c8a7981f4fe1f5ac65c1246b5f=cf6dd3cf1923c950586d0dd595c8e20b

 

by BOT for JCE

 

/includes/exit.php?ID=999999.9 /*!30000union all select 0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x3130323

 

/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&cid=20&6bc427c8a7981f4fe1f5ac65c1246b5f=cf6dd3cf1923c950586d0dd595c8e20b

 

 

What are these URLs trying to do, and should I be worried?

 

 

James

Edited by requinix
unlinking
https://forums.phpfreaks.com/topic/288732-what-is-happening-here/

Really shouldn't be putting actual links to potentially bad things in your post. Especially when the links go back to your own site. So I've edited out the linking-ness for you.

 

First one is an attempt at SQL injection, hoping that you did something like

"SELECT * FROM table WHERE ID = {$_GET['ID']}"
thus resulting in

"SELECT * FROM table WHERE ID = 999999.9 /*!30000union all select (hex stuff)"
which uses a sort of conditional commenting feature in MySQL that will parse the comment itself for versions of MySQL >= 3.00.00 and become

"SELECT * FROM table WHERE ID = 999999.9 union all select (hex stuff)"
The second one... could be normal, I don't know your application. If you don't recognize that, then it's probably probing for a vulnerability in whatever that JCE thing is. I don't know; I'm too lazy to Google for what it is at 2am.
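To put the decoding above into something you can run against your own logs, here is an added example (not code from the thread or from either poster) that pulls these probes out of a web server access log. It parses combined-format lines, flags the MySQL version comment, the UNION SELECT, the 0x hex literals and the JCE image-manager request, and decodes the hex literals so an analyst can read them. The log lines are constructed for the example: the paths reproduce the probes quoted in the thread, while the IPs, timestamps, status codes and the benign third request are made up.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample log lines in Apache/nginx "combined" format. The request
# paths reproduce the probes quoted in the thread; the IPs, timestamps, status
# codes and the third (benign) request are made up for this example.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Jun/2014:02:13:44 +0000] "GET /includes/exit.php?ID=999999.9%20/*!30000union%20all%20select%200x31303235343830303536,0x31303235343830303536 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Jun/2014:02:13:45 +0000] "GET /index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&cid=20 HTTP/1.1" 404 231 "-" "BOT for JCE"
198.51.100.2 - - [12/Jun/2014:02:14:01 +0000] "GET /index.php?page=3 HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# MySQL executes the body of /*!NNNNN ... */ when its own version is >= NNNNN;
# 30000 means 3.00.00, i.e. effectively every MySQL server. Other databases
# see an ordinary comment. Note the version number runs straight into the
# keyword ("30000union"), so no word boundary is assumed before "union".
VERSION_COMMENT_RE = re.compile(r"/\*!(?P<ver>\d{5})")
UNION_SELECT_RE = re.compile(r"union(?:\s+all)?\s+select\b", re.I)
# 0x... literals are strings to MySQL; the tool uses them as column markers.
HEX_LITERAL_RE = re.compile(r"\b0x(?P<hex>[0-9a-fA-F]+)\b")


def decode_hex_literals(fragment: str) -> str:
    """Replace MySQL hex literals with the text they encode, e.g.
    0x31303235343830303536 -> '1025480056'. Truncated (odd-length) or
    non-ASCII literals are left untouched."""
    def repl(m):
        digits = m.group("hex")
        if len(digits) % 2:
            return m.group(0)
        try:
            return "'" + bytes.fromhex(digits).decode("ascii") + "'"
        except UnicodeDecodeError:
            return m.group(0)
    return HEX_LITERAL_RE.sub(repl, fragment)


def classify(target: str, user_agent: str) -> list:
    """Return tags describing what a request target appears to be probing for."""
    params = dict(parse_qsl(urlsplit(target).query, keep_blank_values=True))
    tags = []
    for name, value in params.items():
        if VERSION_COMMENT_RE.search(value):
            tags.append("mysql_version_comment")
        if UNION_SELECT_RE.search(value):
            tags.append("union_select_in_%s" % name)
        if HEX_LITERAL_RE.search(value):
            tags.append("hex_literals")
    # Scanner signature seen in the thread: the JCE image-manager endpoint,
    # requested by a client calling itself "BOT for JCE". Treat it as
    # reconnaissance unless the site actually runs Joomla with JCE.
    if params.get("option") == "com_jce" and params.get("plugin") == "imgmanager":
        tags.append("jce_imgmanager_probe")
    if "bot for jce" in user_agent.lower():
        tags.append("jce_scanner_ua")
    return tags


def scan(log_text: str) -> list:
    """Parse combined-format log lines and report the suspicious ones with
    the injected SQL decoded for the analyst."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        tags = classify(m["target"], m["ua"])
        if tags:
            findings.append({
                "ip": m["ip"],
                "target": m["target"],
                "decoded": decode_hex_literals(unquote(m["target"])),
                "tags": tags,
            })
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["ip"], f["tags"])
        print("   ", f["decoded"])
```

0x31303235343830303536 decodes to the digit string 1025480056; the tool repeats one such literal per column so that, if the UNION succeeds, it can see which column is echoed into the page. The `/*!30000` comment is executed by any MySQL server from 3.0.0 onwards and ignored as a plain comment by everything else, which is why the same probe is fired at every site regardless of backend.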

What are these URLs trying to do, and should I be worried?

 

If only we could search the Internet and find out what other people have to say about this. ::)

 

It's an automated attack from a certain SQL injection tool trying to get information out of your database. This is nothing spectacular, but it's the right time to check your application and make sure everything is secure. Is your software up to date? Are there any known vulnerabilities? Google will, again, help you with that. If you have written custom scripts, double-check them for vulnerabilities as well.

Thanks for the answers. For the variable that's passed in the URL I have a function to check if it's kosher.

function checkID($id){

    // Escape for the mysql_* extension, then strip HTML tags
    $ID = mysql_real_escape_string($id);
    $ID = strip_tags($ID);

    // Only accept numeric IDs; report the result as a "true"/"false" string
    if (is_numeric($ID) != TRUE){

        $return[1] = "false";

    }else{

        $return[1] = "true";
        $return[2] = $ID;

    }
    return $return;

}

Where I use words in a URL variable, I check to see if the word appears in an array of allowed words. If it appears, then I use the word to query the db.

if (in_array($Category, $Category_array)) {
   $sql_Category = $Category; 
} 

What do you think?

 

James

 

This all looks rather weird. What is this awful strip_tags() supposed to do? Why the "true" and the "false" string? Why all this extra code?

 

It's generally not very useful to concentrate on this one variable and spend your time adding all kinds of questionable extra protection. You should check all input and apply standard protection: You escape the value with mysql_real_escape_string() and wrap the result in quotes. This is done right in the SQL query string:

$some_query = '
	SELECT
		...
	WHERE
		some_id = "' . mysql_real_escape_string($some_id) . '"
';

Don't forget the quotes.

 

The strip_tags() function has nothing to do with SQL. It's supposed to remove HTML tags, but it works so badly that you usually end up mangling your data.
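As an added example (not code from the thread or from either poster), the approaches discussed in the two posts above side by side, in Python with an in-memory SQLite database standing in for the site's MySQL tables: James's `ID` pasted straight into the query text, the same value bound as a parameter, and his allow-list check combined with a parameter for the category. Jacques1's advice is to escape and quote; binding the value as a parameter is the alternative that keeps data out of the SQL text entirely, and it is what PDO or mysqli prepared statements give you in PHP (the mysql_* functions used in the thread were removed in PHP 7). The table names, rows and the `users` table are constructed for the example. SQLite treats `/*!30000 ... */` as a plain comment, so the payload is written without it and with a real `SELECT` from a second table in place of the hex-literal markers.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory database standing in for the site's MySQL tables."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE article (ID INTEGER PRIMARY KEY, Title TEXT, Category TEXT);
        CREATE TABLE users   (id INTEGER PRIMARY KEY, login TEXT, pwhash TEXT);
        INSERT INTO article VALUES (7, 'Hello', 'news');
        INSERT INTO users   VALUES (1, 'admin', '$2y$10$fakehash');
    """)
    return db


# The shape of the payload from the thread, minus MySQL's /*!30000 ... */
# version comment (SQLite treats it as an ordinary comment) and with a real
# three-column SELECT where the scanner used 0x... column markers.
PAYLOAD = "999999.9 union all select id, login, pwhash from users"


def fetch_vulnerable(db, raw_id):
    """The pattern requinix describes: the GET value becomes part of the SQL.
    Deliberately vulnerable; do not use."""
    sql = "SELECT ID, Title, Category FROM article WHERE ID = %s" % raw_id
    return db.execute(sql).fetchall()


def fetch_safe(db, raw_id):
    """Bind the value as a parameter: the driver sends it as data, so the
    'union all select ...' text is compared against ID and never executed."""
    return db.execute(
        "SELECT ID, Title, Category FROM article WHERE ID = ?", (raw_id,)
    ).fetchall()


# Hypothetical allow-list for the category words, as in James's in_array check.
ALLOWED_CATEGORIES = frozenset({"news", "sport"})


def fetch_by_category(db, category):
    """Allow-list plus parameter: the allow-list limits values to ones the
    application knows, the parameter keeps even those out of the SQL text."""
    if category not in ALLOWED_CATEGORIES:
        return []
    return db.execute(
        "SELECT ID, Title FROM article WHERE Category = ?", (category,)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", fetch_vulnerable(db, PAYLOAD))  # leaks the users row
    print("parameter: ", fetch_safe(db, PAYLOAD))        # nothing
    print("allow-list:", fetch_by_category(db, "news' OR 1=1 --"))
```

The vulnerable query returns the `users` row because the injected UNION is parsed as SQL; the parameterized query returns nothing because the whole string is compared against `ID` as a value. Validation such as `is_numeric()` is still worthwhile for rejecting junk early, but it is the parameter (or, in the thread's mysql_* world, escaping plus quoting) that actually stops the injection.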


How did you decode that? I have looked on Google but there are no explanations

 

James
