
[SOLVED] The following URLs seem to be vulnerable to various SQL injection


ikmyer


Would like some help on this one...

So I have this script that deals with some data being pulled from a database, and the server the script runs on gets scanned for security issues...

Here is the code:

A normal file name path...    user_view_site_data.php?site_id=12


<?php require_once('../Connections/traceroute.php'); ?>
<?php require_once('includes/functions.php'); ?>
<?php

if(isset($_GET['year']))
{
$date_this_year = $_GET['year'];
}
else
{
$date_this_year = date("Y");
}

if (isset($_GET['site_id'])) {

$site_id = $_GET['site_id'];
//Array of special characters you want to replace
$special = array('/','!','&','*','%','$','#','OR','=','+'); //here you can add as many characters as you want
$replacements = "";

$site_id = str_replace($special,'',$site_id);
}
mysql_select_db($database_traceroute, $traceroute);
$query_view_by_site = "SELECT data.date, data.trace_time, data.hops, center.center FROM data INNER JOIN Switch_site ON data.trace_to=Switch_site.ip INNER JOIN types ON Switch_site.type=types.id INNER JOIN center ON data.trace_from=center.id WHERE Switch_site.id = '$site_id' AND data.date LIKE '$date_this_year%' ORDER BY center.center ASC, data.date  DESC;";
$view_by_site = mysql_query($query_view_by_site, $traceroute) or die(); //mysql_error()
$row_view_by_site = mysql_fetch_assoc($view_by_site);
$totalRows_view_by_site = mysql_num_rows($view_by_site);

$colname_site_data = "1";
if (isset($site_id)) {
  $colname_site_data = (get_magic_quotes_gpc()) ? $site_id : addslashes($site_id);
}
mysql_select_db($database_traceroute, $traceroute);
$query_site_data = sprintf("SELECT * FROM Switch_site WHERE id = %s LIMIT 0,1", $colname_site_data);
$site_data = mysql_query($query_site_data, $traceroute) or die(); //mysql_error()
$row_site_data = mysql_fetch_assoc($site_data);
$totalRows_site_data = mysql_num_rows($site_data);

  if(isset($totalRows_view_by_site) && $totalRows_view_by_site < 1)
{
	echo "There is no data for the Option you selected.  <a href=\"user_view_site.php\">Better Start Over</a><br>";
	//echo "Date: " . $date_this_year;
	//echo "Site id: " . $site_id;
	exit();
}
?>
<?php
mysql_select_db($database_traceroute, $traceroute);
$query_year_list = "SELECT `date` FROM `data` GROUP BY date ORDER BY `date` ASC";
$year_list = mysql_query($query_year_list, $traceroute) or die(mysql_error());
$row_year_list = mysql_fetch_assoc($year_list);
$totalRows_year_list = mysql_num_rows($year_list);

?>
<?php
// -----------------------   List the Years in the Database  --------------------
$i = 0;
$previous = "";
do {

	$current  = substr($row_year_list['date'],0,4);

if($current != $previous)
{
	$yearlist[$i] = $current;
	$i = $i + 1;
}
$previous = $current;

} while ($row_year_list = mysql_fetch_assoc($year_list)); 

$totalyears = count($yearlist);

// -----END---------------   List the Years in the Database  --------------------
?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<title>Trace Route -</title>
<link href="../style/style2.css" rel="stylesheet" type="text/css">
</head>

<body>
<table width="1000" border="0">
  <tr>
    <td colspan="2"><?php include('user_header.php'); ?></td>
  </tr>
  <tr>
    <td width="115" valign="top" class="nav"><?php include('user_menu.php'); ?></td>
    <td width="881" valign="top"><h4 class="subtitle">Traces to <?php echo $row_site_data['site']; ?></h4>
      <p>
  <b>Currently Viewing Year - <?php echo $date_this_year; ?></b>           View - 
<?php
if($totalRows_year_list != 0)
{
$i = 0;
echo " |  ";
do { 
echo "<a href=\"user_view_site_data.php?site_id=$site_id&year=$yearlist[$i]\">$yearlist[$i]</a>  |  ";
$i = $i + 1;
} while ($totalyears != $i );
}
?>
</p>
      <table border="1" cellpadding="0" cellspacing="0">
        <tr>
          <td width="100"><div align="center"><strong>Date</strong></div></td>
          <td width="75"><div align="center"><strong>Trace Time (ms) </strong></div></td>
          <td width="50"><div align="center"><strong>Hops</strong></div></td>
          <td width="100"><div align="center"><strong>Trace From </strong></div></td>
        </tr>
        <?php do { ?>
        <tr>
          <td><div align="center"><?php echo $row_view_by_site['date']; ?></div></td>
          <td><div align="center"><?php echo $row_view_by_site['trace_time']; ?></div></td>
          <td><div align="center"><?php echo $row_view_by_site['hops']; ?></div></td>
          <td><div align="center">  <?php echo $row_view_by_site['center']; ?></div></td>
        </tr>
        <?php } while ($row_view_by_site = mysql_fetch_assoc($view_by_site)); ?>
      </table></td>
  </tr>
</table>
<?php include('user_footer.php'); ?>

</body>
</html>
<?php
mysql_free_result($site_data);
mysql_free_result($view_by_site);

?>

And here are the scanner's remarks..


Details about Vulnerability
Severity: High   (port: 80/tcp)  
Short Desc: wpoison (nasl version) 
Long Desc: 
The following URLs seem to be vulnerable to various SQL injection
techniques : 

/traceroutes/user_view_site_data.php?-=&site_id='UNION'
/traceroutes/user_view_site_data.php?-=&site_id='
/traceroutes/user_view_site_data.php?-=&site_id='%22
/traceroutes/user_view_site_data.php?-=&site_id=9%2c+9%2c+9
/traceroutes/user_view_site_data.php?-=&site_id='bad_bad_value
/traceroutes/user_view_site_data.php?-=&site_id=bad_bad_value'
/traceroutes/user_view_site_data.php?-=&site_id='+OR+'
/traceroutes/user_view_site_data.php?-=&site_id='WHERE
/traceroutes/user_view_site_data.php?-=&site_id=%3B
/traceroutes/user_view_site_data.php?-=&site_id='OR
/traceroutes/user_view_site_data.php?-=&site_id=' or 1=1-- 
/traceroutes/user_view_site_data.php?-=&site_id= or 1=1-- 
/traceroutes/user_view_site_data.php?-=&site_id=' or 'a'='a
/traceroutes/user_view_site_data.php?-=&site_id=') or ('a'='a
/traceroutes/user_view_site_data.php?-=&site_id=%27
/traceroutes/user_view_site_data.php?-=&site_id='+OR+1=1)
/traceroutes/user_view_site_data.php?-=&site_id='+OR+1=1))
/traceroutes/user_view_site_data.php?-=&site_id='+OR+1=1#
/traceroutes/user_view_site_data.php?-=&site_id='+OR+1=1)#
/traceroutes/user_view_site_data.php?-=&site_id='+OR+1=1))#
/traceroutes/user_view_site_data.php?-=&site_id='+OR+'a'<'b
/traceroutes/user_view_site_data.php?-=&site_id=')+OR+('a'<'b
/traceroutes/user_view_site_data.php?-=&site_id=')+OR+('a'<'b')/*
/traceroutes/user_view_site_data.php?-=&site_id=')+OR+('a'<'b'))/*
/traceroutes/user_view_site_data.php?-=&site_id='+or+1=1/*
/traceroutes/user_view_site_data.php?-=&site_id='+or+1=1)/*
/traceroutes/user_view_site_data.php?-=&site_id='+or+1=1))/*
/traceroutes/user_view_site_data.php?-=&site_id=--+
/traceroutes/user_view_site_data.php?-=&site_id=#
/traceroutes/user_view_site_data.php?-=&site_id=/*
/traceroutes/user_view_site_data.php?-=&site_id="
/traceroutes/user_view_site_data.php?-=&site_id=%22
/traceroutes/user_view_site_data.php?-=&site_id=%2527
/traceroutes/user_view_site_data.php?-=&site_id='+convert(int,convert(varchar,0x7b5d))+'
/traceroutes/user_view_site_data.php?-=&site_id=convert(int,convert(varchar,0x7b5d))
/traceroutes/user_view_site_data.php?-=&site_id='+convert(varchar,0x7b5d)+'
/traceroutes/user_view_site_data.php?-=&site_id=convert(varchar,0x7b5d)
/traceroutes/user_view_site_data.php?-=&site_id='%2Bconvert(int,convert(varchar%2C0x7b5d))%2B'
/traceroutes/user_view_site_data.php?-=&site_id='%2Bconvert(varchar%2C0x7b5d)%2B'
/traceroutes/user_view_site_data.php?-=&site_id=convert(int,convert(varchar%2C0x7b5d))
/traceroutes/user_view_site_data.php?-=&site_id=convert(varchar%2C0x7b5d)



An attacker may exploit this flaws to bypass authentication
or to take the control of the remote database.


Solution : Modify the relevant CGIs so that they properly escape arguments
Risk factor : High


I have read over stuff about SQL injection but I just can't seem to get my head around it... any ideas on how to make those issues go away?
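Added example (not the poster's code, not a reply in the thread): the two site_id queries from the script above rewritten with PDO prepared statements and allowlist validation of `site_id` and `year`, which is what makes the probes in the scanner report fail to reach the SQL parser. The schema, rows and the in-memory SQLite database are constructed here only so the script runs offline; the function and parameter names (`validate_site_id`, `validate_year`, `fetch_site`, `fetch_traces`) are my own, and the live application would pass a MySQL PDO connection instead.

```php
<?php
// Added example (not the poster's code): the two site_id queries from the
// thread rewritten with PDO prepared statements plus strict input validation.
// Schema and rows below are CONSTRUCTED for an in-memory SQLite database so
// the script runs offline; the real app talks to MySQL.

declare(strict_types=1);

function validate_site_id(string $raw): int
{
    // site_id is a numeric key: accept only digits, nothing else.
    // A blacklist (str_replace of quotes, "OR", "=" ...) can be bypassed;
    // an allowlist on the expected shape cannot.
    if (!ctype_digit($raw) || strlen($raw) > 10) {
        throw new InvalidArgumentException('site_id must be a positive integer');
    }
    return (int) $raw;
}

function validate_year(?string $raw): string
{
    // Default to the current year, otherwise accept exactly four digits.
    if ($raw === null) {
        return date('Y');
    }
    if (!preg_match('/^\d{4}$/', $raw)) {
        throw new InvalidArgumentException('year must be four digits');
    }
    return $raw;
}

function fetch_site(PDO $db, int $siteId): ?array
{
    $stmt = $db->prepare('SELECT * FROM Switch_site WHERE id = :id LIMIT 1');
    $stmt->execute([':id' => $siteId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

function fetch_traces(PDO $db, int $siteId, string $year): array
{
    // Same query as the thread. The LIKE wildcard is appended to the bound
    // value, so it never touches the SQL text and no sprintf juggling is needed.
    $sql = 'SELECT data.date, data.trace_time, data.hops, center.center
            FROM data
            INNER JOIN Switch_site ON data.trace_to = Switch_site.ip
            INNER JOIN types ON Switch_site.type = types.id
            INNER JOIN center ON data.trace_from = center.id
            WHERE Switch_site.id = :id AND data.date LIKE :prefix
            ORDER BY center.center ASC, data.date DESC';
    $stmt = $db->prepare($sql);
    $stmt->execute([':id' => $siteId, ':prefix' => $year . '%']);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// ---- constructed in-memory fixture so the example runs without MySQL ----
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE types (id INTEGER, name TEXT)');
$db->exec('CREATE TABLE center (id INTEGER, center TEXT)');
$db->exec('CREATE TABLE Switch_site (id INTEGER, site TEXT, ip TEXT, type INTEGER)');
$db->exec('CREATE TABLE data (date TEXT, trace_time INTEGER, hops INTEGER, trace_from INTEGER, trace_to TEXT)');
$db->exec("INSERT INTO types VALUES (1, 'switch')");
$db->exec("INSERT INTO center VALUES (1, 'East'), (2, 'West')");
$db->exec("INSERT INTO Switch_site VALUES (12, 'Site 12', '10.0.0.12', 1)");
$db->exec("INSERT INTO data VALUES ('2009-03-01', 40, 7, 1, '10.0.0.12'),
                                   ('2009-05-01', 38, 7, 2, '10.0.0.12'),
                                   ('2008-11-01', 55, 9, 1, '10.0.0.12')");

// Normal request: ?site_id=12&year=2009 -> two rows (East, then West).
$traces = fetch_traces($db, validate_site_id('12'), validate_year('2009'));
printf("%d rows for site %s in 2009\n", count($traces), fetch_site($db, 12)['site']);

// One of the probes from the scanner report: rejected before any SQL runs.
try {
    validate_site_id("' or 1=1-- ");
} catch (InvalidArgumentException $e) {
    echo "rejected: {$e->getMessage()}\n";
}
```

Two things carry the fix: the id and the year prefix travel to the database as bound parameters, so their content can never be parsed as SQL, and the validators reject anything that is not the shape the page expects, so the script answers a malformed request with an error rather than a query. The `str_replace` blacklist in the original is case-sensitive and only strips a handful of tokens, which is why the report still lists lowercase `or 1=1--` style URLs.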

So I replaced my SQL with the following...


$query_view_by_site = sprintf("SELECT data.date, data.trace_time, data.hops, center.center FROM data INNER JOIN Switch_site ON data.trace_to=Switch_site.ip INNER JOIN types ON Switch_site.type=types.id INNER JOIN center ON data.trace_from=center.id WHERE Switch_site.id = '%s' AND data.date LIKE '%s%' ORDER BY center.center ASC, data.date  DESC;",
mysql_real_escape_string($site_id),
mysql_real_escape_string($date_this_year));


But that breaks my LIKE clause... how can I get around that, being it must think the last % is another $var?
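Added example (not from the thread) showing the `sprintf()` version with the format-string problem fixed: a literal percent sign in a `sprintf` format has to be written as `%%`, so `LIKE '%s%%'` produces `LIKE '2009%'`, and since `Switch_site.id` is numeric, `%d` turns the id into an integer before it ever reaches the query. `mysql_real_escape_string()` needs an open connection, so the function takes the escaper as a callable; `addslashes()` is used below only so the script runs offline and is a labelled stand-in, not a replacement for the MySQL-aware escaper. The function name `build_view_by_site_query` is my own.

```php
<?php
// Added example (not the poster's code): the legacy sprintf() approach from the
// post above with the format string corrected. A literal % in a sprintf format
// must be written as %% (so the LIKE pattern becomes '2009%'), and site_id is an
// integer column, so %d forces a number. mysql_real_escape_string() needs a live
// connection, so the escaper is passed in; addslashes() stands in for it here
// ONLY so the script runs offline (it is not a substitute in production).

declare(strict_types=1);

function build_view_by_site_query(int $siteId, string $year, callable $escape): string
{
    // The year is validated as exactly four digits, so neither quotes nor the
    // LIKE wildcards % and _ can be smuggled in through it.
    if (!preg_match('/^\d{4}$/', $year)) {
        throw new InvalidArgumentException('year must be four digits');
    }
    // %d: the id is rendered as an integer, so quotes, OR, comments etc. cannot survive.
    // %s: the escaped year prefix; the trailing %% becomes a single % in the output.
    return sprintf(
        "SELECT data.date, data.trace_time, data.hops, center.center "
        . "FROM data INNER JOIN Switch_site ON data.trace_to=Switch_site.ip "
        . "INNER JOIN types ON Switch_site.type=types.id "
        . "INNER JOIN center ON data.trace_from=center.id "
        . "WHERE Switch_site.id = %d AND data.date LIKE '%s%%' "
        . "ORDER BY center.center ASC, data.date DESC",
        $siteId,
        $escape($year)
    );
}

// Validate the request parameter as a positive integer before it is used at all.
$siteId = filter_var($_GET['site_id'] ?? '12', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
if ($siteId === false) {
    exit('bad site_id');
}

echo build_view_by_site_query($siteId, '2009', 'addslashes'), "\n";
```

Escaping alone also does not protect a value used inside a `LIKE` pattern: `mysql_real_escape_string()` leaves `%` and `_` untouched, so a user-supplied year must be validated (or those two characters escaped with a backslash) before it becomes part of the pattern.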

mysql_real_escape_string escapes special characters of SQL.

addslashes adds slashes that PHP treats as special chars, so these are not included: *#^%() (there could be more).

I'm not 100 percent sure but I think I read that somewhere in the past lol