ikmyer Posted December 6, 2007

Would like some help on this one... So I have this script that deals with some data being pulled from a database, and the server the script runs on gets scanned for security issues... Here is the code.

A normal file name path: user_view_site_data.php?site_id=12

<?php require_once('../Connections/traceroute.php'); ?>
<?php require_once('includes/functions.php'); ?>
<?php
if(isset($_GET['year'])) {
    $date_this_year = $_GET['year'];
} else {
    $date_this_year = date("Y");
}

if (isset($_GET['site_id'])) {
    $site_id = $_GET['site_id'];
    //Array of special characters you want to replace
    $special = array('/','!','&','*','%','$','#','OR','=','+'); //here you can add as many char. you want
    $replacements = "";
    $site_id = str_replace($special,'',$site_id);
}

mysql_select_db($database_traceroute, $traceroute);
$query_view_by_site = "SELECT data.date, data.trace_time, data.hops, center.center
    FROM data
    INNER JOIN Switch_site ON data.trace_to=Switch_site.ip
    INNER JOIN types ON Switch_site.type=types.id
    INNER JOIN center ON data.trace_from=center.id
    WHERE Switch_site.id = '$site_id' AND data.date LIKE '$date_this_year%'
    ORDER BY center.center ASC, data.date DESC;";
$view_by_site = mysql_query($query_view_by_site, $traceroute) or die(); //mysql_error()
$row_view_by_site = mysql_fetch_assoc($view_by_site);
$totalRows_view_by_site = mysql_num_rows($view_by_site);

$colname_site_data = "1";
if (isset($site_id)) {
    $colname_site_data = (get_magic_quotes_gpc()) ? $site_id : addslashes($site_id);
}
mysql_select_db($database_traceroute, $traceroute);
$query_site_data = sprintf("SELECT * FROM Switch_site WHERE id = %s LIMIT 0,1", $colname_site_data);
$site_data = mysql_query($query_site_data, $traceroute) or die(); //mysql_error()
$row_site_data = mysql_fetch_assoc($site_data);
$totalRows_site_data = mysql_num_rows($site_data);

if(isset($totalRows_view_by_site) && $totalRows_view_by_site < 1) {
    echo "There is no data for the Option you selected. <a href=\"user_view_site.php\">Better Start Over</a><br>";
    //echo "Date: " . $date_this_year;
    //echo "Site id: " . $site_id;
    exit();
}
?>
<?php
mysql_select_db($database_traceroute, $traceroute);
$query_year_list = "SELECT `date` FROM `data` GROUP BY date ORDER BY `date` ASC";
$year_list = mysql_query($query_year_list, $traceroute) or die(mysql_error());
$row_year_list = mysql_fetch_assoc($year_list);
$totalRows_year_list = mysql_num_rows($year_list);
?>
<?php
// ----------------------- List the Years in the Database --------------------
$yearlist = array(); // initialised so count() below is defined even if no rows come back
$i = 0;
$previous = "";
do {
    $current = substr($row_year_list['date'],0,4);
    if($current != $previous) {
        $yearlist[$i] = $current;
        $i = $i + 1;
    }
    $previous = $current;
} while ($row_year_list = mysql_fetch_assoc($year_list));
$totalyears = count($yearlist);
// -----END--------------- List the Years in the Database --------------------
?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<title>Trace Route -</title>
<link href="../style/style2.css" rel="stylesheet" type="text/css">
</head>
<body>
<table width="1000" border="0">
  <tr>
    <td colspan="2"><?php include('user_header.php'); ?></td>
  </tr>
  <tr>
    <td width="115" valign="top" class="nav"><?php include('user_menu.php'); ?></td>
    <td width="881" valign="top"><h4 class="subtitle">Traces to <?php echo $row_site_data['site']; ?></h4>
      <p>
        <b>Currently Viewing Year - <?php echo $date_this_year; ?></b> View -
        <?php
        if($totalRows_year_list != 0) {
            $i = 0;
            echo " | ";
            do {
                echo "<a href=\"user_view_site_data.php?site_id=$site_id&year=$yearlist[$i]\">$yearlist[$i]</a> | ";
                $i = $i + 1;
            } while ($totalyears != $i );
        }
        ?>
      </p>
      <table border="1" cellpadding="0" cellspacing="0">
        <tr>
          <td width="100"><div align="center"><strong>Date</strong></div></td>
          <td width="75"><div align="center"><strong>Trace Time (ms) </strong></div></td>
          <td width="50"><div align="center"><strong>Hops</strong></div></td>
          <td width="100"><div align="center"><strong>Trace From </strong></div></td>
        </tr>
        <?php do { ?>
        <tr>
          <td><div align="center"><?php echo $row_view_by_site['date']; ?></div></td>
          <td><div align="center"><?php echo $row_view_by_site['trace_time']; ?></div></td>
          <td><div align="center"><?php echo $row_view_by_site['hops']; ?></div></td>
          <td><div align="center"><?php echo $row_view_by_site['center']; ?></div></td>
        </tr>
        <?php } while ($row_view_by_site = mysql_fetch_assoc($view_by_site)); ?>
      </table></td>
  </tr>
</table>
<?php include('user_footer.php'); ?>
</body>
</html>
<?php
mysql_free_result($site_data);
mysql_free_result($view_by_site);
?>

And here are the scanner's remarks...
Details about Vulnerability
Severity: High (port: 80/tcp)
Short Desc: wpoison (nasl version)
Long Desc: The following URLs seem to be vulnerable to various SQL injection techniques :

/traceroutes/user_view_site_data.php?-=&site_id='UNION'
/traceroutes/user_view_site_data.php?-=&site_id='
/traceroutes/user_view_site_data.php?-=&site_id='%22
/traceroutes/user_view_site_data.php?-=&site_id=9%2c+9%2c+9
/traceroutes/user_view_site_data.php?-=&site_id='bad_bad_value
/traceroutes/user_view_site_data.php?-=&site_id=bad_bad_value'
/traceroutes/user_view_site_data.php?-=&site_id='+OR+'
/traceroutes/user_view_site_data.php?-=&site_id='WHERE
/traceroutes/user_view_site_data.php?-=&site_id=%3B
/traceroutes/user_view_site_data.php?-=&site_id='OR
/traceroutes/user_view_site_data.php?-=&site_id=' or 1=1--
/traceroutes/user_view_site_data.php?-=&site_id= or 1=1--
/traceroutes/user_view_site_data.php?-=&site_id=' or 'a'='a
/traceroutes/user_view_site_data.php?-=&site_id=') or ('a'='a
/traceroutes/user_view_site_data.php?-=&site_id=%27
/traceroutes/user_view_site_data.php?-=&site_id='+OR+1=1)
/traceroutes/user_view_site_data.php?-=&site_id='+OR+1=1))
/traceroutes/user_view_site_data.php?-=&site_id='+OR+1=1#
/traceroutes/user_view_site_data.php?-=&site_id='+OR+1=1)#
/traceroutes/user_view_site_data.php?-=&site_id='+OR+1=1))#
/traceroutes/user_view_site_data.php?-=&site_id='+OR+'a'<'b
/traceroutes/user_view_site_data.php?-=&site_id=')+OR+('a'<'b
/traceroutes/user_view_site_data.php?-=&site_id=')+OR+('a'<'b')/*
/traceroutes/user_view_site_data.php?-=&site_id=')+OR+('a'<'b'))/*
/traceroutes/user_view_site_data.php?-=&site_id='+or+1=1/*
/traceroutes/user_view_site_data.php?-=&site_id='+or+1=1)/*
/traceroutes/user_view_site_data.php?-=&site_id='+or+1=1))/*
/traceroutes/user_view_site_data.php?-=&site_id=--+
/traceroutes/user_view_site_data.php?-=&site_id=#
/traceroutes/user_view_site_data.php?-=&site_id=/*
/traceroutes/user_view_site_data.php?-=&site_id="
/traceroutes/user_view_site_data.php?-=&site_id=%22
/traceroutes/user_view_site_data.php?-=&site_id=%2527
/traceroutes/user_view_site_data.php?-=&site_id='+convert(int,convert(varchar,0x7b5d))+'
/traceroutes/user_view_site_data.php?-=&site_id=convert(int,convert(varchar,0x7b5d))
/traceroutes/user_view_site_data.php?-=&site_id='+convert(varchar,0x7b5d)+'
/traceroutes/user_view_site_data.php?-=&site_id=convert(varchar,0x7b5d)
/traceroutes/user_view_site_data.php?-=&site_id='%2Bconvert(int,convert(varchar%2C0x7b5d))%2B'
/traceroutes/user_view_site_data.php?-=&site_id='%2Bconvert(varchar%2C0x7b5d)%2B'
/traceroutes/user_view_site_data.php?-=&site_id=convert(int,convert(varchar%2C0x7b5d))
/traceroutes/user_view_site_data.php?-=&site_id=convert(varchar%2C0x7b5d)

An attacker may exploit this flaws to bypass authentication or to take the control of the remote database.
Solution : Modify the relevant CGIs so that they properly escape arguments
Risk factor : High

I have read over stuff about SQL injection but I just can't seem to get my head around it... any ideas on how to make those issues go away?
trq Posted December 6, 2007

Take a look at mysql_real_escape_string for starters.
teng84 Posted December 6, 2007

Like thorpe's suggestion, you can prevent them if you don't directly use the variables; I mean, clean it first before using.
revraz Posted December 6, 2007

Is there an equivalent to mysql_real_escape_string that you don't need a connection to use?
ikmyer Posted December 6, 2007 (Author)

So I replaced my SQL with the following...

$query_view_by_site = sprintf("SELECT data.date, data.trace_time, data.hops, center.center
    FROM data
    INNER JOIN Switch_site ON data.trace_to=Switch_site.ip
    INNER JOIN types ON Switch_site.type=types.id
    INNER JOIN center ON data.trace_from=center.id
    WHERE Switch_site.id = '%s' AND data.date LIKE '%s%'
    ORDER BY center.center ASC, data.date DESC;",
    mysql_real_escape_string($site_id),
    mysql_real_escape_string($date_this_year));

But that breaks my LIKE clause... how can I get around that, since it must think the last % is another $var?
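The following is an added example and not code from the original poster or from any reply in this thread. It rewrites the two queries from the first post so that the fix does not depend on a character blacklist at all: site_id is accepted only as a positive integer and year only as four digits, and both are bound as parameters instead of being pasted into the SQL text. It also shows the answer to the LIKE question above: in a sprintf format string a literal percent sign is written as %%. The table and column names are taken from the thread; the mysqli connection values are placeholders, and the driver call get_result() assumes the mysqlnd driver, which is the default in current PHP builds.

```php
<?php
// Added example (not the original poster's code). Table/column names come from
// the thread; 'DB_USER', 'DB_PASS' and the host are placeholders.

// 1. Validate the *shape* of each parameter before any SQL is built. A row id
//    is a positive integer and a year is four digits; anything else (quotes,
//    comment markers, keywords, encoded variants) is rejected outright, so the
//    scanner's whole payload list fails without a blacklist.
function parse_site_id($raw) {
    if (!is_string($raw) || !preg_match('/^[1-9][0-9]*$/', $raw)) {
        return null;
    }
    return (int) $raw;
}

function parse_year($raw) {
    if ($raw === null) {
        return (int) date('Y');          // same default as the original script
    }
    if (!is_string($raw) || !preg_match('/^[0-9]{4}$/', $raw)) {
        return null;
    }
    return (int) $raw;
}

$site_id        = parse_site_id(isset($_GET['site_id']) ? $_GET['site_id'] : null);
$date_this_year = parse_year(isset($_GET['year']) ? $_GET['year'] : null);
if ($site_id === null || $date_this_year === null) {
    http_response_code(400);
    exit('Invalid site_id or year.');
}

$db = new mysqli('localhost', 'DB_USER', 'DB_PASS', 'traceroute'); // placeholders
if ($db->connect_error) {
    exit('Database unavailable.');      // do not echo connect_error to the client
}

// 2. Prepared statement: values travel to the server separately from the SQL
//    text, so they are never parsed as SQL. The LIKE pattern is assembled in
//    PHP and bound as one string; the trailing % is part of the value, not of
//    the query, so there is nothing for sprintf to misread.
$sql = "SELECT data.date, data.trace_time, data.hops, center.center
        FROM data
        INNER JOIN Switch_site ON data.trace_to = Switch_site.ip
        INNER JOIN types ON Switch_site.type = types.id
        INNER JOIN center ON data.trace_from = center.id
        WHERE Switch_site.id = ? AND data.date LIKE ?
        ORDER BY center.center ASC, data.date DESC";
$stmt    = $db->prepare($sql);
$pattern = $date_this_year . '%';
$stmt->bind_param('is', $site_id, $pattern);   // i = integer, s = string
$stmt->execute();
$rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
$stmt->close();

// Second query from the original script, same technique (no addslashes /
// magic_quotes dance needed because the id is bound as an integer).
$stmt = $db->prepare("SELECT * FROM Switch_site WHERE id = ? LIMIT 0,1");
$stmt->bind_param('i', $site_id);
$stmt->execute();
$site_row = $stmt->get_result()->fetch_assoc();
$stmt->close();

// 3. If sprintf must stay (the approach in the post above): escape the value
//    AND write %% for the literal percent sign. sprintf treats every lone % as
//    the start of a conversion, which is exactly why '%s%' broke the LIKE.
$legacy_sql = sprintf(
    "SELECT data.date FROM data WHERE data.date LIKE '%s%%' ORDER BY data.date DESC",
    $db->real_escape_string((string) $date_this_year)
);

// 4. Output: the original page echoes $site_id and the year straight into HTML
//    and into a link; escape them so the same values cannot carry markup back
//    to the browser.
echo '<h4>Traces to ' . htmlspecialchars((string) $site_row['site'], ENT_QUOTES, 'UTF-8') . '</h4>';
foreach ($rows as $row) {
    echo '<tr><td>' . htmlspecialchars((string) $row['date'], ENT_QUOTES, 'UTF-8') . '</td>'
       . '<td>' . htmlspecialchars((string) $row['trace_time'], ENT_QUOTES, 'UTF-8') . '</td>'
       . '<td>' . htmlspecialchars((string) $row['hops'], ENT_QUOTES, 'UTF-8') . '</td>'
       . '<td>' . htmlspecialchars((string) $row['center'], ENT_QUOTES, 'UTF-8') . '</td></tr>';
}
$db->close();
```

With this shape, a scanner request such as site_id=' or 1=1-- is refused at parse_site_id() with a 400 before the database is touched, and a well-formed id reaches the server only as a bound integer. The str_replace blacklist from the original post can be deleted entirely; filtering out the token OR is what the scanner's URL-encoded and split variants are designed to slip past, and it is not needed once the value is typed and bound.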
Distant_storm Posted December 6, 2007

thorpe's is the best idea; forget addslashes when it comes to database connections, it only escapes \ " the major questionable characters. Although you need your database connection for mysql_real_escape, it escapes all characters to make your mysql queries safe, as phpfreaks!
teng84 Posted December 6, 2007

mysql_real_escape_string escapes special characters of SQL; addslashes adds slashes that PHP treats as special chars, so these are not included: *#^%(). There could be more; I'm not 100 percent sure, but I think I read that somewhere in the past lol
ikmyer Posted December 7, 2007 (Author)

Thanks everyone. I have made the suggested changes and we'll see what the next scan brings.