[SOLVED] The following URLs seem to be vulnerable to various SQL injection

ikmyer

Would like some help on this one...

So I have this script that deals with some data being pulled from a database, and the server the script runs on gets scanned for security issues...

Here is the code:

A normal file name path...    user_view_site_data.php?site_id=12


<?php require_once('../Connections/traceroute.php'); ?>
<?php require_once('includes/functions.php'); ?>
<?php

if(isset($_GET['year']))
{
$date_this_year = $_GET['year'];
}
else
{
$date_this_year = date("Y");
}

if (isset($_GET['site_id'])) {

$site_id = $_GET['site_id'];
//Array of special characters you want to replace
$special = array('/','!','&','*','%','$','#','OR','=','+'); //here you can add as many char. you want
$replacements = "";

$site_id = str_replace($special,'',$site_id);
}
mysql_select_db($database_traceroute, $traceroute);
$query_view_by_site = "SELECT data.date, data.trace_time, data.hops, center.center FROM data INNER JOIN Switch_site ON data.trace_to=Switch_site.ip INNER JOIN types ON Switch_site.type=types.id INNER JOIN center ON data.trace_from=center.id WHERE Switch_site.id = '$site_id' AND data.date LIKE '$date_this_year%' ORDER BY center.center ASC, data.date  DESC;";
$view_by_site = mysql_query($query_view_by_site, $traceroute) or die(); //mysql_error()
$row_view_by_site = mysql_fetch_assoc($view_by_site);
$totalRows_view_by_site = mysql_num_rows($view_by_site);

$colname_site_data = "1";
if (isset($site_id)) {
  $colname_site_data = (get_magic_quotes_gpc()) ? $site_id : addslashes($site_id);
}
mysql_select_db($database_traceroute, $traceroute);
$query_site_data = sprintf("SELECT * FROM Switch_site WHERE id = %s LIMIT 0,1", $colname_site_data);
$site_data = mysql_query($query_site_data, $traceroute) or die(); //mysql_error()
$row_site_data = mysql_fetch_assoc($site_data);
$totalRows_site_data = mysql_num_rows($site_data);

  if(isset($totalRows_view_by_site) && $totalRows_view_by_site < 1)
{
	echo "There is no data for the Option you selected.  <a href=\"user_view_site.php\">Better Start Over</a><br>";
	//echo "Date: " . $date_this_year;
	//echo "Site id: " . $site_id;
	exit();
}
?>
<?php
mysql_select_db($database_traceroute, $traceroute);
$query_year_list = "SELECT `date` FROM `data` GROUP BY date ORDER BY `date` ASC";
$year_list = mysql_query($query_year_list, $traceroute) or die(mysql_error());
$row_year_list = mysql_fetch_assoc($year_list);
$totalRows_year_list = mysql_num_rows($year_list);

?>
<?php
// -----------------------   List the Years in the Database  --------------------
$i = 0;
$previous = "";
do {

	$current  = substr($row_year_list['date'],0,4);

if($current != $previous)
{
	$yearlist[$i] = $current;
	$i = $i + 1;
}
$previous = $current;

} while ($row_year_list = mysql_fetch_assoc($year_list)); 

$totalyears = count($yearlist);

// -----END---------------   List the Years in the Database  --------------------
?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<title>Trace Route -</title>
<link href="../style/style2.css" rel="stylesheet" type="text/css">
</head>

<body>
<table width="1000" border="0">
  <tr>
    <td colspan="2"><?php include('user_header.php'); ?></td>
  </tr>
  <tr>
    <td width="115" valign="top" class="nav"><?php include('user_menu.php'); ?></td>
    <td width="881" valign="top"><h4 class="subtitle">Traces to <?php echo $row_site_data['site']; ?></h4>
      <p>
  <b>Currently Viewing Year - <?php echo $date_this_year; ?></b>           View - 
<?php
if($totalRows_year_list != 0)
{
$i = 0;
echo " |  ";
do { 
echo "<a href=\"user_view_site_data.php?site_id=$site_id&year=$yearlist[$i]\">$yearlist[$i]</a>  |  ";
$i = $i + 1;
} while ($totalyears != $i );
}
?>
</p>
      <table border="1" cellpadding="0" cellspacing="0">
        <tr>
          <td width="100"><div align="center"><strong>Date</strong></div></td>
          <td width="75"><div align="center"><strong>Trace Time (ms) </strong></div></td>
          <td width="50"><div align="center"><strong>Hops</strong></div></td>
          <td width="100"><div align="center"><strong>Trace From </strong></div></td>
        </tr>
        <?php do { ?>
        <tr>
          <td><div align="center"><?php echo $row_view_by_site['date']; ?></div></td>
          <td><div align="center"><?php echo $row_view_by_site['trace_time']; ?></div></td>
          <td><div align="center"><?php echo $row_view_by_site['hops']; ?></div></td>
          <td><div align="center">  <?php echo $row_view_by_site['center']; ?></div></td>
        </tr>
        <?php } while ($row_view_by_site = mysql_fetch_assoc($view_by_site)); ?>
      </table></td>
  </tr>
</table>
<?php include('user_footer.php'); ?>

</body>
</html>
<?php
mysql_free_result($site_data);
mysql_free_result($view_by_site);

?>

And here are the scanner's remarks...


Details about Vulnerability
Severity: High   (port: 80/tcp)  
Short Desc: wpoison (nasl version) 
Long Desc: 
The following URLs seem to be vulnerable to various SQL injection
techniques : 

/traceroutes/user_view_site_data.php?-=&site_id='UNION'
/traceroutes/user_view_site_data.php?-=&site_id='
/traceroutes/user_view_site_data.php?-=&site_id='%22
/traceroutes/user_view_site_data.php?-=&site_id=9%2c+9%2c+9
/traceroutes/user_view_site_data.php?-=&site_id='bad_bad_value
/traceroutes/user_view_site_data.php?-=&site_id=bad_bad_value'
/traceroutes/user_view_site_data.php?-=&site_id='+OR+'
/traceroutes/user_view_site_data.php?-=&site_id='WHERE
/traceroutes/user_view_site_data.php?-=&site_id=%3B
/traceroutes/user_view_site_data.php?-=&site_id='OR
/traceroutes/user_view_site_data.php?-=&site_id=' or 1=1-- 
/traceroutes/user_view_site_data.php?-=&site_id= or 1=1-- 
/traceroutes/user_view_site_data.php?-=&site_id=' or 'a'='a
/traceroutes/user_view_site_data.php?-=&site_id=') or ('a'='a
/traceroutes/user_view_site_data.php?-=&site_id=%27
/traceroutes/user_view_site_data.php?-=&site_id='+OR+1=1)
/traceroutes/user_view_site_data.php?-=&site_id='+OR+1=1))
/traceroutes/user_view_site_data.php?-=&site_id='+OR+1=1#
/traceroutes/user_view_site_data.php?-=&site_id='+OR+1=1)#
/traceroutes/user_view_site_data.php?-=&site_id='+OR+1=1))#
/traceroutes/user_view_site_data.php?-=&site_id='+OR+'a'<'b
/traceroutes/user_view_site_data.php?-=&site_id=')+OR+('a'<'b
/traceroutes/user_view_site_data.php?-=&site_id=')+OR+('a'<'b')/*
/traceroutes/user_view_site_data.php?-=&site_id=')+OR+('a'<'b'))/*
/traceroutes/user_view_site_data.php?-=&site_id='+or+1=1/*
/traceroutes/user_view_site_data.php?-=&site_id='+or+1=1)/*
/traceroutes/user_view_site_data.php?-=&site_id='+or+1=1))/*
/traceroutes/user_view_site_data.php?-=&site_id=--+
/traceroutes/user_view_site_data.php?-=&site_id=#
/traceroutes/user_view_site_data.php?-=&site_id=/*
/traceroutes/user_view_site_data.php?-=&site_id="
/traceroutes/user_view_site_data.php?-=&site_id=%22
/traceroutes/user_view_site_data.php?-=&site_id=%2527
/traceroutes/user_view_site_data.php?-=&site_id='+convert(int,convert(varchar,0x7b5d))+'
/traceroutes/user_view_site_data.php?-=&site_id=convert(int,convert(varchar,0x7b5d))
/traceroutes/user_view_site_data.php?-=&site_id='+convert(varchar,0x7b5d)+'
/traceroutes/user_view_site_data.php?-=&site_id=convert(varchar,0x7b5d)
/traceroutes/user_view_site_data.php?-=&site_id='%2Bconvert(int,convert(varchar%2C0x7b5d))%2B'
/traceroutes/user_view_site_data.php?-=&site_id='%2Bconvert(varchar%2C0x7b5d)%2B'
/traceroutes/user_view_site_data.php?-=&site_id=convert(int,convert(varchar%2C0x7b5d))
/traceroutes/user_view_site_data.php?-=&site_id=convert(varchar%2C0x7b5d)



An attacker may exploit these flaws to bypass authentication
or to take control of the remote database.


Solution : Modify the relevant CGIs so that they properly escape arguments
Risk factor : High


I have read over stuff about SQL injection, but I just can't seem to get my head around it...  any ideas on how to make those issues go away?

So I replaced my SQL with the following...


// NOTE: sprintf treats the trailing % in '%s%' as the start of another conversion specifier, which is what breaks the LIKE clause
$query_view_by_site = sprintf("SELECT data.date, data.trace_time, data.hops, center.center FROM data INNER JOIN Switch_site ON data.trace_to=Switch_site.ip INNER JOIN types ON Switch_site.type=types.id INNER JOIN center ON data.trace_from=center.id WHERE Switch_site.id = '%s' AND data.date LIKE '%s%' ORDER BY center.center ASC, data.date  DESC;",
mysql_real_escape_string($site_id),
mysql_real_escape_string($date_this_year));

But that breaks my LIKE clause... how can I get around that, since it must think the last % is another $var?
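The following is an added example, not code from the thread, that covers both the original question (why the scanner still gets through the str_replace blacklist) and the sprintf attempt above. It rebuilds the thread's `view_by_site` query against an in-memory SQLite database through PDO so it runs without a MySQL server (assumes the pdo_sqlite extension); table shapes are inferred from the query's joins and the rows are constructed here. The blacklist is copied unchanged from the post: it is case-sensitive, so a lowercase `or` survives, and stripping `=` from `1=1` leaves `11`, which is still true. The hardened version treats `site_id` as the integer it is and binds `year` as a parameter with the LIKE wildcard appended to the value rather than written into the SQL.

```php
<?php
// Added example (not the poster's code): reproduces the injection against the
// thread's query using an in-memory SQLite database via PDO, so no MySQL is
// needed. Table and column names follow the thread; the row data is constructed.

declare(strict_types=1);

function makeDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE center (id INTEGER PRIMARY KEY, center TEXT)');
    $db->exec('CREATE TABLE types (id INTEGER PRIMARY KEY, name TEXT)');
    $db->exec('CREATE TABLE Switch_site (id INTEGER PRIMARY KEY, site TEXT, ip TEXT, type INTEGER)');
    $db->exec('CREATE TABLE data (date TEXT, trace_time INTEGER, hops INTEGER, trace_from INTEGER, trace_to TEXT)');
    $db->exec("INSERT INTO center VALUES (1, 'HQ'), (2, 'Branch')");
    $db->exec("INSERT INTO types VALUES (1, 'switch')");
    $db->exec("INSERT INTO Switch_site VALUES (12, 'Site A', '10.0.0.12', 1), (13, 'Site B', '10.0.0.13', 1)");
    $db->exec("INSERT INTO data VALUES
        ('2011-03-01', 20, 5, 1, '10.0.0.12'),
        ('2011-03-02', 22, 5, 2, '10.0.0.12'),
        ('2011-03-01', 40, 9, 1, '10.0.0.13'),
        ('2010-12-31', 41, 9, 1, '10.0.0.13')");
    return $db;
}

// The thread's blacklist filter, unchanged (case-sensitive, removes '=' but not the quote).
function blacklist(string $siteId): string
{
    $special = array('/', '!', '&', '*', '%', '$', '#', 'OR', '=', '+');
    return str_replace($special, '', $siteId);
}

// The thread's original query, built by string interpolation (vulnerable).
function viewBySiteUnsafe(PDO $db, string $siteId, string $year): array
{
    $siteId = blacklist($siteId);
    $sql = "SELECT data.date, data.trace_time, data.hops, center.center FROM data"
         . " INNER JOIN Switch_site ON data.trace_to=Switch_site.ip"
         . " INNER JOIN types ON Switch_site.type=types.id"
         . " INNER JOIN center ON data.trace_from=center.id"
         . " WHERE Switch_site.id = '$siteId' AND data.date LIKE '$year%'"
         . " ORDER BY center.center ASC, data.date DESC";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened version: site_id must be a bare number and is bound as an integer;
// the year is bound as a string with the LIKE wildcard appended to the value.
function viewBySiteSafe(PDO $db, string $siteId, string $year): array
{
    if (!ctype_digit($siteId)) {            // anything that is not digits is rejected outright
        return [];
    }
    if (!preg_match('/^\d{4}$/', $year)) {  // a year is exactly four digits; otherwise use the current one
        $year = date('Y');
    }
    $sql = "SELECT data.date, data.trace_time, data.hops, center.center FROM data"
         . " INNER JOIN Switch_site ON data.trace_to=Switch_site.ip"
         . " INNER JOIN types ON Switch_site.type=types.id"
         . " INNER JOIN center ON data.trace_from=center.id"
         . " WHERE Switch_site.id = :site_id AND data.date LIKE :year"
         . " ORDER BY center.center ASC, data.date DESC";
    $stmt = $db->prepare($sql);
    $stmt->bindValue(':site_id', (int) $siteId, PDO::PARAM_INT);
    $stmt->bindValue(':year', $year . '%', PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db = makeDb();
$payload = "' or 1=1-- ";   // one of the scanner's probes listed in the thread

// The blacklist turns the payload into "' or 11-- ": the quote closes the string,
// "or 11" is always true, and "--" comments out the rest of the query.
printf("unsafe, site_id=12: %d rows\n", count(viewBySiteUnsafe($db, '12', '2011')));
printf("unsafe, injected:   %d rows\n", count(viewBySiteUnsafe($db, $payload, '2011')));

// Prepared statement: the payload is not a number and is rejected; a real id
// still works and the year filter still applies.
printf("safe, site_id=12:   %d rows\n", count(viewBySiteSafe($db, '12', '2011')));
printf("safe, injected:     %d rows\n", count(viewBySiteSafe($db, $payload, '2011')));
```

With the constructed rows the unsafe query returns 2 rows for `site_id=12` but all 4 rows for the injected value, while the prepared version returns 2 and 0. Two points from the thread's own code are worth noting: in `sprintf` a literal percent sign is written `%%`, so the pattern would have to be `'%s%%'` if you keep that approach, and the second query (`WHERE id = %s` with `addslashes`) is not protected at all, because the value is not inside quotes and nothing is there for the backslashes to escape; an integer cast is the fix for that one.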

thropes' is the best idea; forget addslashes when it comes to database connections, it only escapes \ and ", the major questionable characters.

Although you need your database connection for mysql_real_escape_string, it escapes all the characters needed to make your MySQL queries safe, as phpfreaks!

mysql_real_escape_string escapes the special characters of SQL.

addslashes adds slashes to characters that PHP treats as special, so these are not included: *#^%() (there could be more).

I'm not 100 percent sure, but I think I read that somewhere in the past lol
