LLLLLLL Posted September 16, 2014 Share Posted September 16, 2014 (I'm putting this in PHP since it's not a question specific to MySQL or other DB stuff.) I have a page that uses the GET id to find a product. GET variables are sanitized, and the SQL string is escaped even though it's expecting a number only. So the code seems safe to me. I'm getting some error_log results that appear to be hack attempts: SELECT p.*, t.id as blah FROM some_table p left outer join some_other_table t on p.id = t.product_id WHERE p.id = 139\' and benchmark(20000000,sha1(1))-- Should I be worried about something like this? Anything more (or less) that I should be doing? Quote Link to comment Share on other sites More sharing options...
LLLLLLL Posted September 16, 2014 Author Share Posted September 16, 2014 I wasn't clear here. This is the query that WOULD run but the code knows better. Quote Link to comment Share on other sites More sharing options...
Richard_Grant Posted September 16, 2014 Share Posted September 16, 2014 Mysql is depreciated you should use mysqli or PDO in PHP. Quote Link to comment Share on other sites More sharing options...
mac_gyver Posted September 16, 2014 Share Posted September 16, 2014 if that's the query statement that was formed, then you are not handling the $_GET variable correct, since it shows injected sql along with the numerical value. that particular sql injection attempt may have failed, but you can inject sql that doesn't contain any characters that are affected by an escape function, that isn't failing, isn't producing any errors, and does allow the hacker to dump the contents of your database tables. short-answer - that the sql statement you posted doesn't have any ' before the number, means that no amount of using an escape function will protect it, and that it shows injected sql with the id number, says you are not handling the value correctly. if you post your code showing how you are handling the $_GET variable before putting it into the sql statement, someone can help with it. an alternative would be to use prepared queries, where values are bound to place holders in the sql query statement, supplied when the query is executed, and cannot be used for sql injection. 1 Quote Link to comment Share on other sites More sharing options...
KevinM1 Posted September 16, 2014 Share Posted September 16, 2014 +1 for prepared statements, which should really be standard operating procedure for any query run. Quote Link to comment Share on other sites More sharing options...
Jacques1 Posted September 16, 2014 Share Posted September 16, 2014 This is an SQL injection, and you can be pretty sure that the next attempt did in fact succeed and gave the attacker direct access to your data. So you must shut down your site immediately and handle this problem in a professional way: If there's any user data in your database (password hashes, addresses, payment information etc.), consider it leaked. You must tell you users about that, because they may have a big problem now. For example, they might have used the same password for other websites. All password hashes must be deleted. I really hope you've used a proper hash algorithm. Check for injected data (new admin accounts, manipulated templates etc.). SQL injections can in fact compromise the entire server (via SELECT ... INTO OUTFILE, for example). Was the MySQL user account of your application able to write external files? If you've used the root account, then the answer is “yes”. Check your entire application as well as the system. Any strange files? Manipulations? Backdoors? This is only the recovery procedure. After this, you need to make sure that the problem doesn't happen again: Learn the basics of security. Seriously. You shouldn't even run a public website without a solid understanding of how to protect it. Since you didn't know how to escape data up until now, you probably have SQL injection vulnerabilities everywhere in your code. The safest solution is to rewrite everything and use prepared statements instead (as already mentioned). Make sure you understand how they work. If in doubt, ask. Secure the MySQL database itself. Keep permissions to the absolute minimum, check the connection settings etc. Quote Link to comment Share on other sites More sharing options...
LLLLLLL Posted September 27, 2014 Author Share Posted September 27, 2014 Mysql is depreciated you should use mysqli or PDO in PHP. Um, this adds nothing to the topic. MySQL is the database. I didn't say if I was using mysql_query() (I am not) or mysqli_query() (which I am). Quote Link to comment Share on other sites More sharing options...
LLLLLLL Posted September 27, 2014 Author Share Posted September 27, 2014 (edited) Jacques and mac_gyver, as I stated that's the query that WOULD run but the code checks that the $_GET is an int. If it's not, the query doesn't run. I guess I just don't know what is trying to be accomplished by this, had it executed... WHERE p.id = 139\' and benchmark(20000000,sha1(1))-- ... just an attempt to slowdown the server? Jacques, since you didn't read the post that said the query didn't execute, your "I'm smarter than thou" remarks are really, really unwarranted. My gosh, this isn't the first time you've liked to show your arrogance on here. Calm down. This application has been PCI-compliant and is tested monthly. It always passes compliance for injection and other hacks. I should have worded the topic better but the question was really... what does someone gain with this type of hack? Edited September 27, 2014 by timneu22 Quote Link to comment Share on other sites More sharing options...
Jacques1 Posted September 27, 2014 Share Posted September 27, 2014 Gotta love those people who don't manage to write down a simple question and then blame us for not giving them the answers they wanted to hear. Let's summarize: In your first post, you told us that you're seeing failed queries in your error log and that you're scared about “getting hacked”. We gave you the answer to this problem. Now you tell us that you actually generated the errors yourself, that your super-professional application is perfectly secure and that you're just curious how this particular injection technique works. Those are two entirely different stories, and they can't both be true. So what is it? Is the second story now the official version, or will you come up with another one if you don't like what you hear? what does someone gain with this type of hack? Time-based Blind SQL injections. It's a standard method of tools like sqlmap to test whether an application is vulnerable to SQL injections. If there's a delay, then obviously the BENCHMARK() call was executed, and that means the code is vulnerable. This application has been PCI-compliant and is tested monthly. It always passes compliance for injection and other hacks. *lol* Quote Link to comment Share on other sites More sharing options...
LLLLLLL Posted September 27, 2014 Author Share Posted September 27, 2014 Did you see the second post, 19 minutes after the first, that says "correction, the query WOULD HAVE RUN."? Lol for Trustwave's PCI compliance tests? What's your point on this thread? To offer help or to show how superior you are, oh god of PHP? Quote Link to comment Share on other sites More sharing options...
Jacques1 Posted September 28, 2014 Share Posted September 28, 2014 Did you see that I answered your question? Or are you just here to whine and complain? Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.