
I need some help with a strange code that I found in my database. It looks like somebody was trying to submit a GET request. The code I found is:

/news/html/?0'union/**/select/**/1/**/from/**/(select/**/count(*),concat(floor(rand(0)*2),0x3a,(select/**/concat(user,0x3a,password)/**/from/**/pwn_base_admin/**/limit/**/0,1),0x3a)a/**/from/**/information_schema.tables/**/group/**/by/**/a)b/**/where'1'='1.html/

I understand that they are trying to get some info but what are they trying to get exactly and how to secure my site against such codes?

Thank you very much!

Victor Rusu

  • Looks like they're trying to take advantage of a SQL injection vulnerability. Don't have a SQL injection vulnerability and you'll be fine. This is a good read on the subject: https://secure.php.net/manual/en/security.database.sql-injection.php This is also a good place to start: https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php – David Apr 22 '17 at 20:35
  • You could also create a whitelist or blacklist and check if any request contains injection code (i.e. 1=1, ';) etc. Depending on how much 'white' or how much 'black' you need, one or the other can be added as an extra layer. I repeat, ADDED as an EXTRA LAYER. Proper injection security (prepared statements, PROPER escaping) is mandatory. Everything is explained in the link posted by @David above. – Louis Loudog Trottier Apr 22 '17 at 20:40
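The request in the question hides its keywords behind `/**/` comments, which is exactly why a naive substring check for "union select" in a log or request filter misses it. The following is an added example (not code from the question or any answer) of a small log-review helper that first normalises a request path the way the database parser effectively sees it (URL-decode, strip inline comments, collapse whitespace) and only then looks for the UNION ... SELECT shape. The log lines are constructed for the demonstration, and the function names are my own; it is a review aid for the defender, not a substitute for parameterised queries.

```php
<?php
// Added example: scan constructed access-log lines for the comment-obfuscated
// UNION SELECT pattern seen in the question. Not part of the original post.

// Normalise a request path as the SQL parser would effectively see it:
// URL-decode, replace inline /* */ comments (the probe used "/**/" instead
// of spaces) with a space, collapse whitespace, lower-case.
function normalize_request(string $path): string
{
    $decoded    = rawurldecode($path);
    $noComments = preg_replace('#/\*.*?\*/#s', ' ', $decoded);
    $collapsed  = preg_replace('/\s+/', ' ', $noComments);
    return strtolower(trim($collapsed));
}

// True when the normalised request contains the keyword UNION followed
// somewhere by the keyword SELECT (word boundaries keep "reunion" and
// "selection" from matching).
function looks_like_union_injection(string $path): bool
{
    $normalized = normalize_request($path);
    return (bool) preg_match('/\bunion\b.*\bselect\b/', $normalized);
}

// Constructed sample log lines in Apache combined-style format. The second
// one carries the exact request string from the question.
$sampleLog = [
    '10.0.0.5 - - [22/Apr/2017:20:30:01 +0000] "GET /news/html/?id=12 HTTP/1.1" 200 512',
    '10.0.0.9 - - [22/Apr/2017:20:30:07 +0000] "GET /news/html/?0\'union/**/select/**/1/**/from/**/(select/**/count(*),concat(floor(rand(0)*2),0x3a,(select/**/concat(user,0x3a,password)/**/from/**/pwn_base_admin/**/limit/**/0,1),0x3a)a/**/from/**/information_schema.tables/**/group/**/by/**/a)b/**/where\'1\'=\'1.html/ HTTP/1.1" 500 0',
    '10.0.0.7 - - [22/Apr/2017:20:31:44 +0000] "GET /news/html/?q=reunion%20selection HTTP/1.1" 200 1024',
];

// Extract the request path from each line and return the suspicious ones.
function flag_suspicious_requests(array $lines): array
{
    $hits = [];
    foreach ($lines as $line) {
        // The request sits in the quoted "METHOD path PROTOCOL" field.
        if (!preg_match('/"(?:GET|POST|HEAD) (\S+) /', $line, $m)) {
            continue;
        }
        if (looks_like_union_injection($m[1])) {
            $hits[] = $m[1];
        }
    }
    return $hits;
}

// Only the second constructed line is reported; the third, which merely
// contains the words "reunion selection", is not.
foreach (flag_suspicious_requests($sampleLog) as $hit) {
    echo "suspicious request: $hit\n";
}
```

Because the check runs on the decoded and de-commented form, it also catches the same probe written with `%20` or plain spaces; it is still only a blacklist and will not recognise every obfuscation, which is why the comments above insist on prepared statements as the actual fix.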

2 Answers

Every parameter from GET request should be escaped before writing into Database, if you're using PDO you can do like this:

$requestedString = $_GET["string_param_1"];
// prepare() returns a PDOStatement; bindParam() and execute() are called on
// that statement object, not on the PDO connection
$stmt = $db->prepare("INSERT INTO mytable ( name ) VALUES (:name)");
$stmt->bindParam(":name", $requestedString);
$stmt->execute();

The bindParam method will add \ symbols before ' and ". But if you're not using PDO, you can do it this way: mysql_real_escape_string($requestedString), but this way is already deprecated.

Arkadi

  • I use PDO but in a different way than yours. $sel = $db->prepare("SELECT id FROM categories WHERE id=:id"); $sel->execute(array('id' => $idcat)); Is this secure? – Victor Rusu Apr 22 '17 at 20:46
  • `"Every parameter from GET request"` - More like *any user-modifiable value*. Where that value immediately came from isn't entirely relevant (and a query string parameter is hardly the only place to check). – David Apr 22 '17 at 20:47
  • So if I use just prepare() and execute() without bindParam() it is still vulnerable. Right? – Victor Rusu Apr 22 '17 at 20:51
  • @VictorRusu: We can't tell you if you're vulnerable without seeing your code. `bindParam()` is not a magic wand, calling it won't make *any* vulnerable code suddenly secure. – David Apr 22 '17 at 20:57

This is SQL injection, you need to escape your queries.

getl0st

  • What is the best way to escape my queries? – Victor Rusu Apr 22 '17 at 20:38
  • What do you use? mysql_ functions, PDO, mysqli? – getl0st Apr 22 '17 at 20:38
  • @VictorRusu: "Escape your queries" is a bit misleading. The bottom line is that you need to never execute user-modifiable values as SQL code. In the majority of cases, this can be accomplished with prepared statements and query parameters. – David Apr 22 '17 at 20:39
  • @getl0st, I use PDO but in a different way than Arkadi. I use prepare() and execute() without bindParam() and I don't know if this is enough. – Victor Rusu Apr 22 '17 at 20:56
  • `$sql = "SELECT * FROM images WHERE image_hash=:image_hash"; $query = $db->prepare($sql); $query->execute(array(":image_hash" => $hash)); $image = $query->fetch(PDO::FETCH_ASSOC);` Here is an example of how I use PDO – getl0st Apr 22 '17 at 20:58
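Both answers and the comment thread come down to the same question: is prepare() plus execute() with a parameter array (the style Victor and getl0st use) enough on its own, or does it need bindParam()? The following added example (my code, not from any answer on this page) puts the two approaches side by side against an in-memory SQLite database so it runs stand-alone; it assumes the pdo_sqlite extension is loaded, and the table, rows and function names are constructed for the demonstration. The hostile input is a tautology in the spirit of the where'1'='1 tail of the request in the question.

```php
<?php
// Added example, not code from any answer on this page. Assumes pdo_sqlite is
// available; the categories table and its rows are constructed.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE categories (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO categories (id, name) VALUES (1, 'news'), (2, 'sport'), (3, 'internal')");

// VULNERABLE: the request value is concatenated into the SQL text, so the
// database parses whatever the client sent as part of the statement.
function find_category_unsafe(PDO $db, string $idFromRequest): array
{
    $sql = "SELECT id, name FROM categories WHERE id=" . $idFromRequest;
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// SAFE: the same lookup with prepare()/execute() and a parameter array, the
// style asked about in the comments. No bindParam() call is involved; what
// protects the query is that the value travels as a parameter and is never
// parsed as SQL. bindParam() would only change how the value is bound, not
// whether it is bound.
function find_category_safe(PDO $db, string $idFromRequest): array
{
    $sel = $db->prepare('SELECT id, name FROM categories WHERE id=:id');
    $sel->execute([':id' => $idFromRequest]);
    return $sel->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed hostile value: a tautology that turns the WHERE clause into
// "WHERE id=0 OR '1'='1'" when concatenated.
$hostile = "0 OR '1'='1'";

$unsafeRows = find_category_unsafe($db, $hostile); // every row comes back
$safeRows   = find_category_safe($db, $hostile);   // no row has that id

printf("concatenated query returned %d rows\n", count($unsafeRows));
printf("parameterised query returned %d rows\n", count($safeRows));

// Ordinary use of the safe function still works as expected.
$normal = find_category_safe($db, '2');
printf("normal lookup: %s\n", $normal[0]['name']);
```

The point the comparison makes, in line with David's comments, is that the concatenated version hands the attacker the whole table while the parameterised version treats the same string as an id that matches nothing; whether the parameter arrives through execute(array(...)) or through bindParam() makes no difference to that outcome. The risk comes back the moment any user-controlled value (a GET parameter, a cookie, a header, a value read back from the database) is concatenated into SQL text anywhere in the code base, which is why no single call can be pointed to as "the" protection.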