[PHP-DB] SQL injection

2015-06-21 Thread Lester Caine
OK - this had no chance of success since publish_date_desc is processed
using the _desc ( or _asc ) and any invalid data stripped

sort_mode=publish_date_desc%20or%20(1,2)=(select*from(select%20name_const(CHAR(111,108,111,108,111,115,104,101,114),1),name_const(CHAR(111,108,111,108,111,115,104,101,114),1))a)%20--%20and%201%3D1

The question is more of interest in just what it was trying to achieve?
I presume hack MySQL? So Firebird would barf anyway, but just trying to
something that has generated some several hundred error log entries in
the last two days ...

-- 
Lester Caine - G8HFL
-
Contact - http://lsces.co.uk/wiki/?page=contact
L.S.Caine Electronic Services - http://lsces.co.uk
EnquirySolve - http://enquirysolve.com/
Model Engineers Digital Workshop - http://medw.co.uk
Rainbow Digital Media - http://rainbowdigitalmedia.co.uk

-- 
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
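What that logged value was trying to do, as an added example (not code from the thread or from the site Lester runs), written in Python so it runs stand-alone: the script URL-decodes the sort_mode value, pulls the CHAR() byte lists out of the two NAME_CONST() calls and labels the pattern. The CHAR() argument decodes to the ASCII marker string ololosher; the PROBE constant is a copy of the value on the page, and the helper names are this example's own.

```python
import re
from urllib.parse import unquote

# Copy of the sort_mode value from the log entry quoted in the thread,
# kept URL-encoded exactly as it arrived.
PROBE = (
    "sort_mode=publish_date_desc%20or%20(1,2)=(select*from(select%20"
    "name_const(CHAR(111,108,111,108,111,115,104,101,114),1),"
    "name_const(CHAR(111,108,111,108,111,115,104,101,114),1))a)"
    "%20--%20and%201%3D1"
)

CHAR_CALL = re.compile(r"CHAR\(([\d\s,]+)\)", re.IGNORECASE)


def decode_char_calls(sql):
    """Turn every MySQL CHAR(n, n, ...) literal in sql into its ASCII text.

    Attack tooling uses CHAR() so that no quote characters have to appear
    in the URL; decoding it shows the marker the attacker hopes to see
    echoed back.
    """
    strings = []
    for match in CHAR_CALL.finditer(sql):
        codes = [int(c) for c in match.group(1).split(",") if c.strip()]
        strings.append("".join(chr(c) for c in codes))
    return strings


def classify_probe(query_string):
    """Describe what a logged sort_mode=... value was trying to achieve."""
    param, _, raw = query_string.partition("=")
    value = unquote(raw)
    markers = decode_char_calls(value)
    # NAME_CONST(name, value) yields a column called `name`. Selecting two
    # such columns with the same name from a derived table is rejected by
    # MySQL with "Duplicate column name '<name>'", so if the application
    # reflects database errors the marker comes back in the response and
    # confirms both the injection point and the MySQL back end.
    duplicate_alias = (
        value.lower().count("name_const(") >= 2 and len(set(markers)) == 1
    )
    return {
        "param": param,
        "marker": markers[0] if markers else None,
        "technique": "mysql-error-based-fingerprint" if duplicate_alias else "unknown",
        "comments_out_rest": " -- " in value,
    }


if __name__ == "__main__":
    print(classify_probe(PROBE))
```

The `(1,2)=(...)` row comparison is only a syntactically valid slot for the subquery, and the trailing `-- and 1=1` comments out whatever the original statement had after the injection point. The probe gains the attacker nothing unless the database error text reaches the HTTP response; when it does, the same slot is reused with something like `version()` in place of the CHAR() literal, and the duplicate-column error then carries the data out. On a back end without NAME_CONST(), Firebird included, the statement simply fails to parse, and on a site that never interpolates the parameter into SQL at all, as Lester describes, it never reaches the database in that form.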



Re: [PHP-DB] SQL injection

2015-06-21 Thread Richard


 Date: Sunday, June 21, 2015 12:39:06 PM -0400
 From: Aziz Saleh azizsa...@gmail.com

 On Sun, Jun 21, 2015 at 9:19 AM, Lester Caine les...@lsces.co.uk
 wrote:
 
 OK - this had no chance of success since publish_date_desc is
 processed using the _desc ( or _asc ) and any invalid data
 stripped
 
 
 sort_mode=publish_date_desc%20or%20(1,2)=(select*from(select%20n
 ame_const(CHAR(111,108,111,108,111,115,104,101,114),1),name_const
 (CHAR(111,108,111,108,111,115,104,101,114),1))a)%20--%20and%201%3
 D1
 
 The question is more of interest in just what it was trying to
 achieve? I presume hack MySQL? So Firebird would barf anyway, but
 just trying to something that has generated some several hundred
 error log entries in the last two days ...
 
 Lester Caine - G8HFL
 
 
 The sub-query is invalid, if valid it would've been equivalent to:
 or (1,2)=(select*from(select 'b2xvbG9zaGVy' as 1, 'b2xvbG9zaGVy'
 as 1))a) -- and 1=1
 
 Seems non threatening to me.

Regardless of whether this specific attack could have resulted in
harmful SQL injection or not, user input should be sanitized so that
things never get this far.






Re: [PHP-DB] SQL injection

2015-06-21 Thread Aziz Saleh
On Sun, Jun 21, 2015 at 9:19 AM, Lester Caine les...@lsces.co.uk wrote:

 OK - this had no chance of success since publish_date_desc is processed
 using the _desc ( or _asc ) and any invalid data stripped


 sort_mode=publish_date_desc%20or%20(1,2)=(select*from(select%20name_const(CHAR(111,108,111,108,111,115,104,101,114),1),name_const(CHAR(111,108,111,108,111,115,104,101,114),1))a)%20--%20and%201%3D1

 The question is more of interest in just what it was trying to achieve?
 I presume hack MySQL? So Firebird would barf anyway, but just trying to
 something that has generated some several hundred error log entries in
 the last two days ...



The sub-query is invalid, if valid it would've been equivalent to:
 or (1,2)=(select*from(select 'b2xvbG9zaGVy' as 1, 'b2xvbG9zaGVy' as 1))a)
-- and 1=1

Seems non threatening to me.


Re: [PHP-DB] SQL injection

2015-06-21 Thread Mark Murphy
But what does your application do when it gets an invalid SQL statement?
Maybe it is telling the attacker something important about your database so
that they can compromise it with the appropriate injection.

On 2:36PM, Sun, Jun 21, 2015 Lester Caine les...@lsces.co.uk wrote:

 On 21/06/15 18:55, Richard wrote:
  OK - this had no chance of success since publish_date_desc is
   processed using the _desc ( or _asc ) and any invalid data
   stripped
  
  
   sort_mode=publish_date_desc%20or%20(1,2)=(select*from(select%20n
   ame_const(CHAR(111,108,111,108,111,115,104,101,114),1),name_const
   (CHAR(111,108,111,108,111,115,104,101,114),1))a)%20--%20and%201%3
   D1
  
   The question is more of interest in just what it was trying to
   achieve? I presume hack MySQL? So Firebird would barf anyway, but
   just trying to something that has generated some several hundred
   error log entries in the last two days ...
  
   Lester Caine - G8HFL
  
  
   The sub-query is invalid, if valid it would've been equivalent to:
   or (1,2)=(select*from(select 'b2xvbG9zaGVy' as 1, 'b2xvbG9zaGVy'
   as 1))a) -- and 1=1
  
   Seems non threatening to me.
  Regardless of whether this specific attack could have resulted in
  harmful SQL injection or not, user input should be sanitized so that
  things never get this far.

 ? That is taken direct off the URL! Sod all I can do to prevent it, but
 I was simply asking if I was missing something as it did not make any
 sense? It got no further than the error log but as I said several
 hundred attempts via a few different filter options all of which
 suggested something that was expected to work if the site was a
 vulnerable mysql powered site ... which it's not.

 Seems that is just a pointless URL rather than some recently identified
 potential vulnerability?


 --

Sent from my android


Re: [PHP-DB] SQL injection

2015-06-21 Thread Lester Caine
On 21/06/15 20:14, Mark Murphy wrote:
 But what does your application do when it gets an invalid SQL statement?
 Maybe it is telling the attacker something important about your database so
 that they can compromise it with the appropriate injection.

It just defaults to the first news article in this case ... and counts
it as another hit on that article. We have never allowed free text SQL
to be included in any query, and any variable passed via the URL to
provide navigation is only ever passed as a parameter, so even if there
was no filtering of the parameter it would just fail. I'd only expect a
continued 'attack' if the URL was returning something useful so to carry
on just did not make sense ...


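Lester's description of the site (the sort mode parsed from its _asc/_desc suffix with invalid data stripped, and URL values only ever bound as parameters) as an added Python/sqlite3 example, not the site's own code: the ORDER BY column and direction are taken from a fixed whitelist, anything else (the name_const probe included) falls back to a default, and the one free-text value is bound as a parameter. The `news` table, its rows and the helper names are constructed for this example. ORDER BY identifiers cannot be bound as parameters in any common database driver, which is why the whitelist is the part that matters.

```python
import re
import sqlite3

# Columns a visitor may sort on. Identifiers cannot be bound as query
# parameters, so a whitelist lookup is the only safe way to let the URL
# choose them.
SORTABLE_COLUMNS = ("publish_date", "title", "id")
DEFAULT_SORT = ("publish_date", "DESC")
SORT_MODE = re.compile(r"^([a-z_]+)_(asc|desc)$")

# Constructed sample data for the example; not the site's schema.
SAMPLE_ROWS = [
    (1, "Firebird notes", "2015-06-19"),
    (2, "Site update", "2015-06-21"),
    (3, "Club meeting", "2015-06-20"),
]


def parse_sort_mode(sort_mode):
    """Map sort_mode=<column>_<asc|desc> to a (column, direction) pair.

    Anything that is not a whitelisted column plus an _asc/_desc suffix,
    including the name_const probe from the thread, yields DEFAULT_SORT
    and never reaches the SQL text.
    """
    match = SORT_MODE.match(sort_mode.strip().lower())
    if match is None or match.group(1) not in SORTABLE_COLUMNS:
        return DEFAULT_SORT
    return (match.group(1), match.group(2).upper())


def make_db():
    """In-memory sqlite database holding SAMPLE_ROWS."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT, publish_date TEXT)"
    )
    conn.executemany("INSERT INTO news VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def fetch_news(conn, sort_mode, title_contains=None):
    """Return [(id, title), ...] ordered as requested.

    The ORDER BY identifiers come from the whitelist; the one free-text
    value from the request is bound as a parameter, so a payload such as
    "' OR 1=1 --" is searched for literally rather than executed.
    """
    column, direction = parse_sort_mode(sort_mode)
    sql = "SELECT id, title FROM news"
    params = ()
    if title_contains is not None:
        sql += " WHERE title LIKE ?"
        params = ("%" + title_contains + "%",)
    sql += " ORDER BY {} {}".format(column, direction)
    return conn.execute(sql, params).fetchall()


if __name__ == "__main__":
    db = make_db()
    probe = ("publish_date_desc or (1,2)=(select*from(select name_const(CHAR(111),1),"
             "name_const(CHAR(111),1))a) -- and 1=1")
    print(parse_sort_mode(probe))  # falls back to DEFAULT_SORT
    print(fetch_news(db, "title_asc"))
```

Whether a rejected sort mode should silently fall back to the default, as the site in the thread does, or be logged as a probe is a policy choice; the point is that the request string never becomes SQL either way.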


Re: [PHP-DB] SQL injection

2015-06-21 Thread Lester Caine
On 21/06/15 18:55, Richard wrote:
 OK - this had no chance of success since publish_date_desc is
  processed using the _desc ( or _asc ) and any invalid data
  stripped
  
  
  sort_mode=publish_date_desc%20or%20(1,2)=(select*from(select%20n
  ame_const(CHAR(111,108,111,108,111,115,104,101,114),1),name_const
  (CHAR(111,108,111,108,111,115,104,101,114),1))a)%20--%20and%201%3
  D1
  
  The question is more of interest in just what it was trying to
  achieve? I presume hack MySQL? So Firebird would barf anyway, but
  just trying to something that has generated some several hundred
  error log entries in the last two days ...
  
  Lester Caine - G8HFL
  
  
  The sub-query is invalid, if valid it would've been equivalent to:
  or (1,2)=(select*from(select 'b2xvbG9zaGVy' as 1, 'b2xvbG9zaGVy'
  as 1))a) -- and 1=1
  
  Seems non threatening to me.
 Regardless of whether this specific attack could have resulted in
 harmful SQL injection or not, user input should be sanitized so that
 things never get this far.

? That is taken direct off the URL! Sod all I can do to prevent it, but
I was simply asking if I was missing something as it did not make any
sense? It got no further than the error log but as I said several
hundred attempts via a few different filter options all of which
suggested something that was expected to work if the site was a
vulnerable mysql powered site ... which it's not.

Seems that is just a pointless URL rather than some recently identified
potential vulnerability?
