
Additional /**/OR/**/SLEEP code in MariaDB query

Since I upgraded MariaDB to 10.5.19-MariaDB-0+deb11u2 (Debian 11), I get some 504 Gateway Time-out errors. And if I run SHOW PROCESSLIST in the MariaDB database, I get this output:

MariaDB [(none)]> SHOW FULL PROCESSLIST;
+-------+-----------------+-----------+------------+---------+------+---------------------------------+--------------------------------------------------------------------------------+----------+
| Id    | User            | Host      | db         | Command | Time | State                           | Info                                                                           | Progress |
+-------+-----------------+-----------+------------+---------+------+---------------------------------+--------------------------------------------------------------------------------+----------+
|   311 | admin           | localhost | psa        | Sleep   |   20 |                                 | NULL                                                                           |    0.000 |
|  8203 | textiles_userdb | localhost | textiles   | Query   | 1114 | User sleep                      | SELECT NOTICE_titre FROM tAfficheNotice WHERE NoticeId = 55/**/OR/**/SLEEP(10) |    0.000 |

My concern is that I did not write the part /**/OR/**/SLEEP(10) in the code of my query.

How can this part of code appear in my query? Where does it come from? How can I prevent it from being added?
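Added illustration (not code from the question or its comments): the text in the process list is what a query looks like when a request parameter is concatenated into the SQL string, and what the fix looks like when the same parameter is bound instead. The table and column names come from the query in the question; the rows, the request value and the lookup functions are constructed for the example. SQLite is used so it runs offline; it has no SLEEP(), so a stand-in is registered that only records that it was called instead of blocking, which is enough to show that text from the request was executed as SQL by the first version and treated as a plain value by the second.

```python
import sqlite3

# Constructed rows standing in for the page's tAfficheNotice table (the column
# names NoticeId and NOTICE_titre are taken from the query in the question).
SAMPLE_ROWS = [(54, "Notice A"), (55, "Notice B"), (56, "Notice C")]

# Hypothetical request parameter (e.g. ?NoticeId=...) carrying the exact text
# that shows up in the question's SHOW PROCESSLIST output.
INJECTED_PARAM = "55/**/OR/**/SLEEP(10)"


def make_db():
    """In-memory SQLite database plus a stand-in for MariaDB's SLEEP()."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tAfficheNotice (NoticeId INTEGER, NOTICE_titre TEXT)")
    conn.executemany("INSERT INTO tAfficheNotice VALUES (?, ?)", SAMPLE_ROWS)
    calls = []
    # SQLite has no SLEEP(). Register one that only records its argument and
    # returns 0, so the example shows attacker-chosen SQL ran without blocking.
    conn.create_function("SLEEP", 1, lambda secs: calls.append(secs) or 0)
    return conn, calls


def vulnerable_lookup(conn, notice_id):
    """The pattern behind the symptom: request input spliced into the SQL text."""
    sql = "SELECT NOTICE_titre FROM tAfficheNotice WHERE NoticeId = " + str(notice_id)
    return [row[0] for row in conn.execute(sql)]


def safe_lookup(conn, notice_id):
    """Parameterised query: the value travels separately and is never parsed as SQL."""
    sql = "SELECT NOTICE_titre FROM tAfficheNotice WHERE NoticeId = ?"
    return [row[0] for row in conn.execute(sql, (notice_id,))]


def demo():
    """Run both lookups against the same request value and report what each did."""
    conn, calls = make_db()
    vuln_rows = vulnerable_lookup(conn, INJECTED_PARAM)   # SLEEP() gets executed
    vuln_sleep_calls = len(calls)
    calls.clear()
    safe_rows = safe_lookup(conn, INJECTED_PARAM)         # no row has that id; no SLEEP()
    safe_sleep_calls = len(calls)
    legit_rows = safe_lookup(conn, "55")                  # an honest request still works
    return {
        "vuln_rows": vuln_rows,
        "vuln_sleep_calls": vuln_sleep_calls,
        "safe_rows": safe_rows,
        "safe_sleep_calls": safe_sleep_calls,
        "legit_rows": legit_rows,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The concatenated version returns the row for id 55 and calls SLEEP() for the other rows, which on a real MariaDB server is exactly the "User sleep" state sitting in the process list for hundreds of seconds. The parameterised version compares the whole string against the integer column, matches nothing and never reaches SLEEP(). In PHP the same distinction is PDO/mysqli prepared statements with bound parameters versus string interpolation.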

Bill Karwin
  • 1
    Looks like application code, maybe injected by your ORM? MySQL didn't do this. – tadman May 31 '23 at 16:14
  • 2
    **Someone is checking your website for vulnerabilities... like SQL injection. In fact, it looks like someone broke through! Take backup ASAP and other necessary precautions.** – Salman A May 31 '23 at 17:20
  • 1
    The SLEEP statement is often used in timing attacks. If you log queries somewhere, check them for entries containing SUBSTRING and SLEEP together. – Salman A May 31 '23 at 17:24
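Following the comment about checking logged queries, here is an added example (not from the question or the comments) of the kind of check a defender can run over SHOW FULL PROCESSLIST output or a query log. The sample input is a copy of the process list printed in the question, completed with the client's closing border line; the column names (Id, User, db, Time, State, Info) are the ones shown there. The reason codes and the list of functions it looks for (SLEEP, BENCHMARK, SUBSTRING and aliases) are my own choice, and comments are stripped before matching so that the "/**/" spacing used in the page's payload does not hide the function call.

```python
import re

# Copy of the SHOW FULL PROCESSLIST output from the question, used as sample input.
PROCESSLIST = """\
+-------+-----------------+-----------+------------+---------+------+---------------------------------+--------------------------------------------------------------------------------+----------+
| Id    | User            | Host      | db         | Command | Time | State                           | Info                                                                           | Progress |
+-------+-----------------+-----------+------------+---------+------+---------------------------------+--------------------------------------------------------------------------------+----------+
|   311 | admin           | localhost | psa        | Sleep   |   20 |                                 | NULL                                                                           |    0.000 |
|  8203 | textiles_userdb | localhost | textiles   | Query   | 1114 | User sleep                      | SELECT NOTICE_titre FROM tAfficheNotice WHERE NoticeId = 55/**/OR/**/SLEEP(10) |    0.000 |
+-------+-----------------+-----------+------------+---------+------+---------------------------------+--------------------------------------------------------------------------------+----------+
"""

# Block comments; in the page's payload they stand in for spaces ("/**/OR/**/").
COMMENT_RE = re.compile(r"/\*.*?\*/", re.S)

# Functions typical of time-based and content-extracting blind injection probes.
FUNC_RES = [
    ("func:SLEEP", re.compile(r"\bSLEEP\s*\(", re.I)),
    ("func:BENCHMARK", re.compile(r"\bBENCHMARK\s*\(", re.I)),
    ("func:SUBSTRING", re.compile(r"\b(?:SUBSTRING|SUBSTR|MID)\s*\(", re.I)),
]


def analyse_sql(sql):
    """Return reason codes (constructed labels) for why a statement looks like a probe."""
    reasons = []
    if COMMENT_RE.search(sql):
        reasons.append("comment-as-whitespace")
    # Replace comments with spaces first so "/**/SLEEP/**/(" is still recognised.
    stripped = COMMENT_RE.sub(" ", sql)
    for code, rx in FUNC_RES:
        if rx.search(stripped):
            reasons.append(code)
    return reasons


def parse_processlist(text):
    """Parse the ASCII table printed by the mysql/mariadb client into dicts.

    Assumes no '|' inside the Info column; for a query log use its own format.
    """
    rows = [line for line in text.splitlines() if line.startswith("|")]
    header = [cell.strip() for cell in rows[0].strip("|").split("|")]
    parsed = []
    for line in rows[1:]:
        cells = [cell.strip() for cell in line.strip("|").split("|")]
        parsed.append(dict(zip(header, cells)))
    return parsed


def flag_processlist(text):
    """Entries worth alerting on: a 'User sleep' state or probe-like SQL text."""
    hits = []
    for row in parse_processlist(text):
        info = row.get("Info", "")
        if info == "NULL":          # idle connection, nothing to inspect
            continue
        reasons = analyse_sql(info)
        if row.get("State") == "User sleep":   # the server is inside SLEEP() right now
            reasons.insert(0, "state:User sleep")
        if reasons:
            hits.append({"id": row["Id"], "user": row["User"], "db": row["db"],
                         "time": int(row["Time"]), "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in flag_processlist(PROCESSLIST):
        print(f"thread {hit['id']} ({hit['user']}@{hit['db']}, {hit['time']}s): "
              + ", ".join(hit["reasons"]))
```

On the sample input only thread 8203 is flagged, with all three reasons. Run against the general query log, the same analyse_sql() also surfaces the SUBSTRING-plus-SLEEP pattern mentioned in the comment, which shows which parameter of which page is being probed, and therefore which query needs to be parameterised.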
