
SQL vulnerable


JayDz


Hello everyone!

My redirect file is vulnerable via GET.

The first file, with an id ('bestand.php?id=184'), gets redirected to redirect.php via a button:

<form class="LoginForm" action="redirect1.php?id=<?php echo $_GET['id']; ?>" method="post" autocomplete="off">

Using the program SQLMap I found out that my form is vulnerable to this.

With it I could read pretty much my entire database, and that is not my intention!

I'm not a hero at SQL myself, but does anyone see a solution? :)

The redirect.php file looks like this :

http://pastebin.com/V794s9rU

<?php
error_reporting(0);
$servername = "localhost";
$username = "test_usern";
$password = "test_passwd";
$dbname = "test_db";
 
date_default_timezone_set("Europe/Amsterdam");
 
$ip = 'unknown';
if(!empty($_SERVER['HTTP_X_FORWARDED_FOR']))
{
   $ip = $_SERVER['HTTP_X_FORWARDED_FOR'];
}
elseif(!empty($_SERVER['REMOTE_ADDR']))
{
   $ip = $_SERVER['REMOTE_ADDR'];
}
else
{
   user_error("Uh-oh! Neither IP variable was set.");
}  
 
 
$fname = $_REQUEST['fname'];
$fname1 = $_REQUEST['fname1'];
$fname2 = $ip;
$fname3 = $_GET['id'];
$fname4 = date('Y/m/d H:i:s');
try {
    $conn = new PDO("mysql:host=$servername;dbname=$dbname", $username, $password);
    // set the PDO error mode to exception
    $conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $sql = "INSERT INTO logs (test, test1, test2, test3, test4)
    VALUES ('$fname', '$fname1', '$fname2', '$fname3', '$fname4')";
    // use exec() because no results are returned
    $conn->exec($sql);
    header("Location: index.php");
    }
catch(PDOException $e)
    {
    header("Location: index.php");
    }
$conn = null;
?>


 

PDO prepared statements.

You should be checking if the request methods are even set and not empty, plus the data you expect.

It's also better to use its actual method and not $_REQUEST.

redirect1.php?id=<?php echo $_GET['id']; ?>

How are you protecting the redirect1.php script?


I'm not really, that's why I want to make/get a new script. I tried to make another script but it gave an error: Error: SQLSTATE[HY093]: Invalid parameter number: parameter was not defined

<?php
error_reporting(0); 

date_default_timezone_set("Europe/Amsterdam");

$ip = 'unknown'; 
if(!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) 
{ 
   $ip = $_SERVER['HTTP_X_FORWARDED_FOR']; 
} 
elseif(!empty($_SERVER['REMOTE_ADDR'])) 
{ 
   $ip = $_SERVER['REMOTE_ADDR']; 
} 
else 
{ 
   user_error("Uh-oh! Neither IP variable was set."); 
}  

try 
{ 
    $fname = $_REQUEST['fname'];
    $fname1 = $_REQUEST['fname1']; 
    $fname2 = $ip;
    $fname3 = $_GET['id'];
    $fname4 = date('Y/m/d H:i:s');
    
    $db = new PDO('mysql:host=localhost;dbname=test_db','test_usern','test_passwd'); 
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION); 
     
    $sql = " 
        INSERT INTO auth (test, test1, test2, test3, test4) 
        VALUES (:fname,:fname1,:fname2,:fname3,:fname4) 
        "; 
     
    $stmt = $db->prepare($sql); 
    $stmt->bindParam(':test', $fname, PDO::PARAM_STR);
    $stmt->bindParam(':test1', $fname1, PDO::PARAM_STR);
    $stmt->bindParam(':test2', $fname2, PDO::PARAM_STR);
    $stmt->bindParam(':test3', $fname3, PDO::PARAM_STR);
    $stmt->bindParam(':test4', $fname4, PDO::PARAM_STR);
    $stmt->execute(); 
} 
catch(PDOException $e)
{
    header('Location: index.php');
} 
?>
Edited by JayDz

You bind the values, not the columns.

$stmt->bindParam(':fname', $fname, PDO::PARAM_STR);
$stmt->bindParam(':fname1', $fname1, PDO::PARAM_STR);
$stmt->bindParam(':fname2', $fname2, PDO::PARAM_STR);
$stmt->bindParam(':fname3', $fname3, PDO::PARAM_STR);
$stmt->bindParam(':fname4', $fname4, PDO::PARAM_STR);

Also, there could be multiple IPs returned; I explode them and use the first one.

if (strstr($ip, ', ')) {
    $ip_array = explode(', ', $ip);
    $ip = $ip_array[0];
}
Edited by QuickOldCar
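Pulling the thread's points together (a prepared statement whose placeholder names match the bindings, the first address of a comma-separated X-Forwarded-For, and checking the id before it is used), here is an added example; it is not JayDz's or QuickOldCar's code. The helper names (first_client_ip, validate_id, log_request) are this example's own. It assumes the `logs` table from the first post and, so that it runs from the command line without a MySQL server, uses an in-memory SQLite PDO connection on constructed input; the prepare/execute code is the same for the mysql driver.

```php
<?php
// Added example, not code from the thread. Rewrites the logging logic of
// redirect.php around the fixes discussed above. Helper names are this
// example's own; the `logs` table is the one from the first post.
// Assumption: SQLite in memory is used for the demo instead of MySQL.
declare(strict_types=1);

date_default_timezone_set('Europe/Amsterdam');

// X-Forwarded-For may hold a comma-separated chain; take the first entry,
// fall back to REMOTE_ADDR, and keep only a value that is an IP literal.
// The header is client-supplied, so it is stored as log data only and
// never used for any access decision.
function first_client_ip(array $server): string
{
    $candidate = '';
    if (!empty($server['HTTP_X_FORWARDED_FOR'])) {
        $candidate = trim(explode(',', $server['HTTP_X_FORWARDED_FOR'])[0]);
    } elseif (!empty($server['REMOTE_ADDR'])) {
        $candidate = $server['REMOTE_ADDR'];
    }
    return filter_var($candidate, FILTER_VALIDATE_IP) !== false ? $candidate : 'unknown';
}

// The id in the URL is a positive integer; reject anything else up front.
function validate_id($raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Placeholder names in the SQL and the keys given to execute() must match
// exactly: the SQLSTATE[HY093] error in the thread came from binding :test
// while the statement used :fname.
function log_request(PDO $db, string $fname, string $fname1, string $ip, int $id): void
{
    $stmt = $db->prepare(
        'INSERT INTO logs (test, test1, test2, test3, test4)
         VALUES (:fname, :fname1, :fname2, :fname3, :fname4)'
    );
    $stmt->execute([
        ':fname'  => $fname,
        ':fname1' => $fname1,
        ':fname2' => $ip,
        ':fname3' => $id,
        ':fname4' => date('Y/m/d H:i:s'),
    ]);
}

// ---- offline demo on constructed input (no real request involved) ----
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE logs (test TEXT, test1 TEXT, test2 TEXT, test3 INTEGER, test4 TEXT)');

// Constructed request: an apostrophe in fname (which would have broken the
// string-concatenated INSERT of the original) and a proxy chain in XFF.
$post   = ['fname' => "O'Brien", 'fname1' => 'hello'];
$get    = ['id' => '184'];
$server = ['HTTP_X_FORWARDED_FOR' => '203.0.113.7, 10.0.0.2', 'REMOTE_ADDR' => '10.0.0.2'];

$id = validate_id($get['id'] ?? null);
if ($id === null) {
    // In the web script this would be: header('Location: index.php'); exit;
    echo "invalid id, nothing logged\n";
    exit;
}
log_request($db, $post['fname'] ?? '', $post['fname1'] ?? '', first_client_ip($server), $id);

$row = $db->query('SELECT test, test2, test3 FROM logs')->fetch(PDO::FETCH_ASSOC);
var_dump($row['test'] === "O'Brien");      // apostrophe stored as data, not parsed as SQL
var_dump($row['test2'] === '203.0.113.7'); // first hop of the XFF chain only
var_dump((int) $row['test3'] === 184);     // validated id reached the table
```

Run it with `php example.php`. Two further points a reviewer would raise on the thread's code: the form's `action="redirect1.php?id=<?php echo $_GET['id']; ?>"` writes the raw parameter back into HTML, so cast it to an integer (or pass it through htmlspecialchars) there as well, and a `catch` that only redirects to index.php hides the exception text that explains a binding mismatch; log the exception server-side before redirecting.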
