RE: MySQL being hacked with commands through URL
I have tried that many times over and have found no way to get it to work. I keep getting "unexpected T_Variable" and I cannot find out what's wrong with what you sent.

-----Original Message-----
From: Michael Dykman [mailto:mdyk...@gmail.com]
Sent: Wednesday, November 18, 2009 3:49 PM
To: James Coffman
Cc: mysql@lists.mysql.com
Subject: Re: MySQL being hacked with commands through URL

The bits in your date_format call are confusing your sprintf call:

    date_format(updated, '%W, %M %D, %Y %r' )

    elseif ($pageID == "ss" && $item != "mostCurrent") {
        $newsSql = sprintf("SELECT date_format(updated, '%W, %M %D, %Y %r' ) as byline, successId, title, story, picpath, staffID FROM success WHERE successId='%s'", mysql_real_escape_string($item));
        mysql_query($newsSql);
    }

This should get you around it:

    $sid = mysql_real_escape_string($item);
    $newsSql = "SELECT date_format(updated, '%W, %M %D, %Y %r' ) as byline, successId, title, story, picpath, staffID FROM success WHERE successId='$sid'";
    $rs = mysql_query($newsSql);
    ...

--
MySQL General Mailing List
For list archives: http://lists.mysql.com/mysql
To unsubscribe: http://lists.mysql.com/mysql?unsub=arch...@jab.org
RE: MySQL being hacked with commands through URL
Not sure exactly what you mean by 'setting date/time right'. Mind clarifying a little?

-----Original Message-----
From: Pintér Tibor [mailto:tib...@tibyke.hu]
Sent: Thursday, November 19, 2009 9:10 AM
To: James Coffman
Subject: Re: MySQL being hacked with commands through URL

James Coffman wrote:
> I have tried that many times over and have found no way to get it to work. I keep getting "unexpected T_Variable" and I cannot find out what's wrong with what you sent.

would you mind setting your time/date correctly?

t
MySQL being hacked with commands through URL
Hello all,

My website has been hacked using a URL such as:

    -1%20union%20all%20select%201,2,concat(username,char(58),password),4,5,6%20from%20users--

I have been searching on the web for a solution/fix to this issue and I cannot seem to find one. The command above is showing all usernames and passwords (in hashes) and I am not comfortable with that at all! Is there anyone out there that may be able to help or may be able to point me in the direction that I need to go in order to correct this issue?
RE: MySQL being hacked with commands through URL
From: James Coffman [mailto:webmas...@cadc.com]
> Hello all, My website has been hacked using a URL such as:
> -1%20union%20all%20select%201,2,concat(username,char(58),password),4,5,6%20from%20users--

Without more information, it sounds like simple SQL insertion.
Re: MySQL being hacked with commands through URL
On Thu, November 19, 2009 09:47, James Coffman wrote:
> Hello all, My website has been hacked using a URL such as:
> -1%20union%20all%20select%201,2,concat(username,char(58),password),4,5,6%20from%20users--
> [...] The command above is showing all usernames and passwords (in hashes) and I am not comfortable with that at all! Is there anyone out there that may be able to help or may be able to point me in the direction that I need to go in order to correct this issue?

Looks like a SQL injection attack. You should always filter any input from the web to accept only those characters and conditions which are reasonable for that list.

In Perl you should also either $dbh->quote($inputString) or use the '?' placeholder mechanism. For example, if I'm expecting a page number (or other whole number) from form variable PAGEID I do something like this:

    ($pid) = $q->param('PAGEID') =~ /(\d+)/;

Basically it will only accept 0-9s as input.

Hope this helps.

How do you have your database server set up? How are the commands being passed to the database?

SOURCE IP FROM HEADER:
*Please block this account's access to the *
*internet until it's cleaned up. We are basing *
*this on an analysis of the header NOT the FROM*
*address. *

--
William R. Mussatto
Systems Engineer
http://www.csz.com
909-920-9154
Re: MySQL being hacked with commands through URL
James Coffman wrote:
> Hello all, My website has been hacked using a URL such as:
> -1%20union%20all%20select%201,2,concat(username,char(58),password),4,5,6%20from%20users--
> [...] Is there anyone out there that may be able to help or may be able to point me in the direction that I need to go in order to correct this issue?

The term you're looking for is SQL injection. Pop that into Google and you'll get a shedload of stuff.

Gary
Re: MySQL being hacked with commands through URL
Hi

First things first - prevent access apart from r...@localhost to the users table

Neil

On Wed, Nov 18, 2009 at 5:50 PM, Gary Smith <li...@l33t-d00d.co.uk> wrote:
> The term you're looking for is SQL injection. Pop that into Google and you'll get a shedload of stuff.
>
> Gary
Re: MySQL being hacked with commands through URL
With respect, denying all access to 'users' for anything except r...@localhost sounds like trying to cure dandruff by decapitation. Firstly, your web app shouldn't be using root to access your data tables, and secondly there's every chance his web server is separate from his db server.

You should have a restricted account your web app uses to connect that has the bare minimum permissions required to perform the operations you need, such as SELECT/INSERT/UPDATE and such like. You can also isolate access to this account by specifying a host - either by IP or hostname.

Your major problem sounds like query structure and how you process your forms. Filter your input and structure your queries correctly to prevent this from happening. Run "SQL Injection" through any search engine and you should have no problem finding resources to cover yourself against this kind of vulnerability.

Johan

2009/11/18 Tompkins Neil <neil.tompk...@googlemail.com>:
> Hi
>
> First things first - prevent access apart from r...@localhost to the users table
>
> Neil
Re: MySQL being hacked with commands through URL
On Thu, November 19, 2009 09:47, James Coffman wrote:
> Hello all, My website has been hacked using a URL such as:
> -1%20union%20all%20select%201,2,concat(username,char(58),password),4,5,6%20from%20users--
> [...] Is there anyone out there that may be able to help or may be able to point me in the direction that I need to go in order to correct this issue?

Looks like a SQL injection attack. You should always filter any input from the web to accept only those characters and conditions which are reasonable for that list.

Update to our phone conversation: looks like the id value is NOT a number ("ss" looks like "55" in my web font, sorry).

In Perl you should also either $dbh->quote($inputString) or use the '?' placeholder mechanism. For example, if I'm expecting a page number (or other whole number) from form variable PAGEID I do something like this:

    ($pid) = $q->param('PAGEID') =~ /(\d+)/;

Basically it will only accept 0-9s as input.

Hope this helps.

How do you have your database server set up? How are the commands being passed to the database?

--
William R. Mussatto
Systems Engineer
http://www.csz.com
909-920-9154
Re: MySQL being hacked with commands through URL
James Coffman wrote:
> Hello all, My website has been hacked using a URL such as:
> -1%20union%20all%20select%201,2,concat(username,char(58),password),4,5,6%20from%20users--
> [...] Is there anyone out there that may be able to help or may be able to point me in the direction that I need to go in order to correct this issue?

http://en.wikipedia.org/wiki/SQL_injection

It's not a MySQL issue, but an application issue.

t
RE: MySQL being hacked with commands through URL
I have narrowed the problem down to the code, as I have been referenced to a million times, and I thank you all a million times over for helping me out thus far. Here is where it gets down to the hard part for me (PHP code).

The error is within:

    elseif ($pageID == "ss" && $item != "mostCurrent") {
        $newsSql = "SELECT date_format(updated, '%W, %M %D, %Y %r' ) as byline, successId, title, story, picpath, staffID FROM success WHERE successId= $item";
    }

So I have done some research and found that it needs to be structured somewhat as such:

    elseif ($pageID == "ss" && $item != "mostCurrent") {
        $newsSql = sprintf("SELECT date_format(updated, '%W, %M %D, %Y %r' ) as byline, successId, title, story, picpath, staffID FROM success WHERE successId='%s'", mysql_real_escape_string($item));
        mysql_query($newsSql);
    }

I cannot seem to get the problem narrowed down with this though. As you see, I am trying to implement mysql_real_escape_string but I am unfamiliar with how to integrate it into code that I did not write. Is there anyone out there that may have some insight into this problem?

-----Original Message-----
From: Wm Mussatto [mailto:mussa...@csz.com]
Sent: Wednesday, November 18, 2009 11:55 AM
To: mysql@lists.mysql.com
Subject: Re: MySQL being hacked with commands through URL

Looks like a SQL injection attack. You should always filter any input from the web to accept only those characters and conditions which are reasonable for that list.

In Perl you should also either $dbh->quote($inputString) or use the '?' placeholder mechanism. For example, if I'm expecting a page number (or other whole number) from form variable PAGEID I do something like this:

    ($pid) = $q->param('PAGEID') =~ /(\d+)/;

Basically it will only accept 0-9s as input.

Hope this helps.

How do you have your database server set up? How are the commands being passed to the database?

--
William R. Mussatto
Systems Engineer
http://www.csz.com
909-920-9154
Re: MySQL being hacked with commands through URL
The bits in your date_format call are confusing your sprintf call:

    date_format(updated, '%W, %M %D, %Y %r' )

    elseif ($pageID == "ss" && $item != "mostCurrent") {
        $newsSql = sprintf("SELECT date_format(updated, '%W, %M %D, %Y %r' ) as byline, successId, title, story, picpath, staffID FROM success WHERE successId='%s'", mysql_real_escape_string($item));
        mysql_query($newsSql);
    }

This should get you around it:

    $sid = mysql_real_escape_string($item);
    $newsSql = "SELECT date_format(updated, '%W, %M %D, %Y %r' ) as byline, successId, title, story, picpath, staffID FROM success WHERE successId='$sid'";
    $rs = mysql_query($newsSql);
    ...

On Thu, Nov 19, 2009 at 4:33 PM, James Coffman <webmas...@cadc.com> wrote:
> I have narrowed the problem down to the code, as I have been referenced to a million times, and I thank you all a million times over for helping me out thus far. Here is where it gets down to the hard part for me (PHP code).
>
> The error is within:
>
>     elseif ($pageID == "ss" && $item != "mostCurrent") {
>         $newsSql = "SELECT date_format(updated, '%W, %M %D, %Y %r' ) as byline, successId, title, story, picpath, staffID FROM success WHERE successId= $item";
>     }
>
> So I have done some research and found that it needs to be structured somewhat as such:
>
>     elseif ($pageID == "ss" && $item != "mostCurrent") {
>         $newsSql = sprintf("SELECT date_format(updated, '%W, %M %D, %Y %r' ) as byline, successId, title, story, picpath, staffID FROM success WHERE successId='%s'", mysql_real_escape_string($item));
>         mysql_query($newsSql);
>     }
>
> I cannot seem to get the problem narrowed down with this though. As you see, I am trying to implement mysql_real_escape_string but I am unfamiliar with how to integrate it into code that I did not write. Is there anyone out there that may have some insight into this problem?

--
 - michael dykman
 - mdyk...@gmail.com

May you live every day of your life.
    Jonathan Swift

Larry's First Law of Language Redesign: Everyone wants the colon.
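As an added example (not code posted in this thread or taken from the site under discussion), here is the same "ss" story lookup rebuilt with the whole-number check and the '?' placeholder Mussatto describes, running on the restricted, host-bound account Johan recommends. The DSN, the 'webapp' account, the DB_PASSWORD variable, the example host addresses and the use of $_GET are assumptions; table and column names are the ones in the posted query.

```php
<?php
// Added example, not code from the thread: the "ss" story lookup rebuilt
// so the request parameter is never spliced into the SQL text. Table and
// column names come from the query posted in the thread; the DSN, the
// 'webapp' account, the DB_PASSWORD variable, the hosts and the use of
// $_GET are assumptions made for this example.
declare(strict_types=1);

// Whole-number check, the PHP counterpart of the Perl /(\d+)/ advice:
// ctype_digit() is true only for a non-empty string made of 0-9, so a
// value such as "-1 union all select ..." is rejected before any SQL runs.
function parseSuccessId(string $raw): ?int
{
    if ($raw === '' || strlen($raw) > 10 || !ctype_digit($raw)) {
        return null;
    }
    return (int) $raw;
}

// The same SELECT as in the thread, as a real prepared statement. The
// driver sends the bound value separately from the statement text, so no
// escaping is needed, and because sprintf() is gone the '%W, %M ...' in
// date_format() is no longer misread as a format directive.
function fetchSuccessStory(PDO $pdo, int $successId): ?array
{
    $sql = "SELECT date_format(updated, '%W, %M %D, %Y %r') AS byline,
                   successId, title, story, picpath, staffID
            FROM success
            WHERE successId = ?";
    $stmt = $pdo->prepare($sql);
    $stmt->execute([$successId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Least-privilege connection: a read-only account restricted to the web
// host, as the thread recommends. Created on the MySQL side with
// (assumed names and host):
//   CREATE USER 'webapp'@'192.0.2.10' IDENTIFIED BY '...';
//   GRANT SELECT ON site.success TO 'webapp'@'192.0.2.10';
// No privilege on the users table is granted to this account at all.
$pdo = new PDO(
    'mysql:host=db.internal;dbname=site;charset=utf8mb4',
    'webapp',
    getenv('DB_PASSWORD') ?: '',
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // server-side prepares
    ]
);

$pageID = $_GET['pageID'] ?? '';
$item   = $_GET['item']   ?? 'mostCurrent';

if ($pageID === 'ss' && $item !== 'mostCurrent') {
    $successId = parseSuccessId($item);
    if ($successId === null) {
        http_response_code(400);
        exit('invalid story id');
    }
    $story = fetchSuccessStory($pdo, $successId);
    if ($story === null) {
        http_response_code(404);
        exit('no such story');
    }
    echo htmlspecialchars($story['byline'], ENT_QUOTES, 'UTF-8'), "\n";
    echo htmlspecialchars($story['title'], ENT_QUOTES, 'UTF-8'), "\n";
}
```

With the id validated as digits only and bound through a placeholder, a request carrying the UNION payload from the first message is answered with a 400 before the database is ever consulted, and even an account compromise of 'webapp' exposes nothing beyond SELECT on the success table.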