IT Security and Insecurity Portal

My first steps with sql injections

Posted: Wed May 11, 2005 1:47 pm
anselmes (Beginner) | Joined: May 11, 2005 | Posts: 4 | Location: France

Hello everybody

I discovered this website with a recent advisory .. and I found many things which are very interesting.

Let me present myself, I'm a young French PHP developer (I think my English is very poor but I hope that you will understand me).

I principally work on e107, and my personal portal (which is not public for the moment, maybe soon if I secure it).

I try to understand some security advisories and more precisely when they concern PHP ...

Maybe you will accept to answer my beginner's questions ..

Indeed I try to learn more about SQL injections, try to understand the logic in order to secure my website and my portal ..

2 days ago, someone published an advisory concerning e107.

I was very interested by this kind of injection:

Quote:
    lets move on

    forum_viewforum.php ~196

    if($sql -> db_Select("forum_t", "*", "thread_forum_id='".$forum_id."' AND thread_parent='0'
    ORDER BY thread_s DESC, thread_lastpost DESC, thread_datestamp DESC LIMIT $from, $view")){

    forum_viewforum.php?5.[INJECTION]#

So I think that the problem is with the variable $from.

$from is set at the beginning of forum_viewforum.php by:

Quote:
    else{
        $tmp = explode(".", e_QUERY);
        $forum_id = $tmp[0]; $from = $tmp[1];
        if(!$from){ $from = 0; }
    }

So we can see that we can enter an SQL request (of course this requires a MySQL version that supports subqueries).

So logically an injection like that should be OK:

http://[target]/forum_viewforum.php?7.0 UNION SELECT user_password FROM e107_user WHERE user_id=1#

But it doesn't work .. so I'm not sure about my logic ... Maybe I'm totally wrong with the concept of SQL injection ..

If someone could help that will be fine ..

PS:

Maybe I found a solution to resolve this SQL injection: we can use intval() when we define $forum_id and $from?

I hope that you understood my message ..

Have a good day
		 
Posted: Wed May 11, 2005 11:46 pm
waraxe (Site admin) | Joined: May 11, 2004 | Posts: 2407 | Location: Estonia, Tartu

Hi and welcome to the forum!

First of all, that specific SQL injection occurs in the "ORDER BY x LIMIT y,z" section, so it is not very dangerous in case of MySQL 3.x or 4.x. This is my personal opinion, maybe I am wrong.

Next, that intval() usage - yes, this is exactly what I would recommend.

If you look for ways to secure e107 or some other PHP script, then you must analyze ALL the input variables that a potential attacker can deliver to a script located on the webserver. I mean - GET/POST/COOKIE/USER_AGENT/REFERER. Now if an input variable is meant to be an integer, then yes, use intval(). If it must be > 0, use max().

And so on.

Anyway, e107 is not very secure software. Many advisories have been about e107 in the past and still they deliver new versions with lots of security holes. I am not sure that you can secure that code yourself. So there is my advice - if you put your e107 based website online, then make SQL database backups as frequently as possible - every day, twice a day, whatever. You can use cron for this, so it will make backups and upload them for example to some remote FTP server. In this way, if your website gets hacked and/or defaced, you can restore it very quickly and with ease.
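The intval()/max() advice above, applied to the e_QUERY parsing quoted in the first post. This is an added example, not e107's code and not waraxe's: it assumes, from the quoted explode() call, that e_QUERY holds the text after "?" in the URL as "forum_id.from" (e.g. "7.20"), and that $view is a fixed page size set elsewhere in the script.

```php
<?php
// Added example, not e107's or waraxe's code: the e_QUERY parsing quoted in the
// first post, as posted and then hardened with intval() and max().
// Assumption (from the quoted explode() call): e_QUERY holds the text after "?"
// in the URL, e.g. "7.20" for forum_viewforum.php?7.20, as "forum_id.from".

// As posted: $from is copied verbatim into "LIMIT $from, $view", so every
// character after the first "." is handed to the SQL parser unchanged.
function parse_query_as_posted(string $e_query): array
{
    $tmp = explode(".", $e_query);
    $forum_id = $tmp[0];
    $from = $tmp[1] ?? "";
    if (!$from) { $from = 0; }
    return ["forum_id" => $forum_id, "from" => $from];
}

// Hardened: integers in, integers out. intval() keeps the leading digits and
// discards everything after them; max() keeps the value non-negative, which
// LIMIT requires for the offset and which also rejects a negative forum id.
function parse_query_hardened(string $e_query): array
{
    $tmp = explode(".", $e_query);
    $forum_id = max(0, intval($tmp[0] ?? 0));
    $from     = max(0, intval($tmp[1] ?? 0));
    return ["forum_id" => $forum_id, "from" => $from];
}

// Only validated integers are interpolated, so the query text cannot change
// shape whatever the URL contained. $view is assumed to be a script constant.
function build_thread_query(int $forum_id, int $from, int $view = 20): string
{
    return "SELECT * FROM forum_t WHERE thread_forum_id='$forum_id' AND thread_parent='0' "
         . "ORDER BY thread_s DESC, thread_lastpost DESC, thread_datestamp DESC "
         . "LIMIT $from, $view";
}

// Constructed inputs: a normal request and the tampered one from the first post.
$normal   = "7.20";
$tampered = "7.0 UNION SELECT user_password FROM e107_user WHERE user_id=1#";

// As posted, "from" is the whole tail after the first "." and would sit inside
// the LIMIT clause as raw SQL.
$p = parse_query_as_posted($tampered);
echo "as posted : from = ", var_export($p["from"], true), "\n";

// Hardened, intval() stops at the first non-digit, so only an integer remains
// and the query keeps its shape.
$h = parse_query_hardened($tampered);
echo "hardened  : from = ", var_export($h["from"], true), "\n";
echo build_thread_query($h["forum_id"], $h["from"]), "\n";

$n = parse_query_hardened($normal);
echo build_thread_query($n["forum_id"], $n["from"]), "\n";
```

The point of running both parsers on the same input is to see where the defence sits: the hardened version never lets anything but an integer reach the query string, so it does not matter which MySQL version is in use or what the trailing text was.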
		 
Posted: Thu May 12, 2005 7:07 pm
anselmes (Beginner) | Joined: May 11, 2005 | Posts: 4 | Location: France

hi

thanks for your answer waraxe ...

so my logic was not totally wrong .. I prefer that ..

and thanks for your advice. But as far as I'm concerned I don't use e107 for my website, I prefer my personal code .. but I don't want to make the code public because I know that there are lots of security holes ... Anyway I think that e107 is a nice CMS which can be very useful for very basic needs ...

so for my first lessons with SQL injections I learned some useful tips:

UNION can't be used after the LIMIT argument (Well, it looks like a PHP lesson).

Well thank you very much for all this advice ... If I find other questions which deal with that I will share them with you ...

Bye ...

Anselme
		 
Posted: Tue May 17, 2005 7:16 pm
anselmes (Beginner) | Joined: May 11, 2005 | Posts: 4 | Location: France

Well

good afternoon everyone ...

I want to go further with SQL injections so I have some other questions, but I think that it's useless to open another topic for that (I know the consequences when a DB is overcrowded).

So when I code I generally use this type of syntax

example with my forum:

Quote:
    showpost.php

    $thread=$DB_site->query_first("SELECT * FROM thread WHERE threadid=$threadid");

    And then

    echo "<table><tr><td><a href=\"showthread.php?$thread[threadid]\">$thread[title]</a></td></tr></table>";

It's an example.

We will say that $threadid is defined in the URL, but when I want to use my result I use in my code $thread[title].

For example, so if somebody wants to make an SQL injection he can try to put in the URL http://www.example.com/showpost.php?threadid=1 UNION SELECT * FROM users WHERE userid=adminsiteid

But it's useless because he cannot access his results because there isn't a definition of $thread[password] after ... So it will not print the result on the page ..

Am I right?

I know that my post could appear to be very confusing, because my English is very poor, but maybe somebody will understand it, and my question is: are there some other possibilities to exploit this syntax?

because to my mind, SQL injections are used to find admin access? no?

Maybe there exist some other methods more malicious than mine?

Maybe I'm wrong and I'm sure I'm wrong ..

Thanks for your attention ..

Bye
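The showpost.php pattern quoted above, rewritten around a prepared statement. This is an added example and not the poster's own forum code; it assumes PDO with the SQLite driver and an in-memory database so it runs offline, and takes the table name thread and the columns threadid and title from the post. One caveat on the question asked: in the as-posted form the client controls the query text and therefore which rows and values end up in $thread[title], so "the page does not print that column" is not a safeguard. The fix is to keep client input out of the query text entirely, and to keep database error text out of the response.

```php
<?php
// Added example, not the poster's forum code: the showpost.php pattern quoted
// above, rewritten around a prepared statement. Assumptions: PDO with the
// SQLite driver and an in-memory database (so this runs offline); the table
// "thread" with columns "threadid" and "title" follows the post.

$db = new PDO("sqlite::memory:");
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE thread (threadid INTEGER PRIMARY KEY, title TEXT)");
$db->exec("INSERT INTO thread (threadid, title) VALUES (1, 'Welcome'), (2, 'Forum rules')");

// As posted: the URL value is pasted into the SQL text, so the database parses
// whatever the client sent. Which rows come back, and so what $thread[title]
// later prints, is decided by that text, not by the echo statement.
function show_post_as_posted(PDO $db, string $threadid): ?array
{
    $row = $db->query("SELECT * FROM thread WHERE threadid=$threadid")->fetch(PDO::FETCH_ASSOC);
    return $row ?: null;
}

// Hardened: accept only a positive decimal integer, then bind it as a typed
// parameter. The id can only ever be compared as a value; the query text is
// fixed before any client data is involved.
function show_post_hardened(PDO $db, string $threadid): ?array
{
    if (!preg_match('/^[1-9][0-9]{0,9}$/', $threadid)) {
        return null;   // "1 UNION ...", "1;", "", "-1" all stop here, before any SQL runs
    }
    $stmt = $db->prepare("SELECT * FROM thread WHERE threadid = :id");
    $stmt->bindValue(":id", (int)$threadid, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row ?: null;
}

// The post's echo also writes $thread[title] into HTML unescaped; a stored
// title is user input too, so escape it on the way out.
function render_link(array $thread): string
{
    $id    = (int)$thread["threadid"];
    $title = htmlspecialchars($thread["title"], ENT_QUOTES, "UTF-8");
    return "<table><tr><td><a href=\"showthread.php?$id\">$title</a></td></tr></table>";
}

// Constructed inputs: a normal request and the value from the post.
$normal   = "2";
$tampered = "1 UNION SELECT * FROM users WHERE userid=adminsiteid";

echo render_link(show_post_hardened($db, $normal)), "\n";

$rejected = show_post_hardened($db, $tampered);
echo "hardened: ", ($rejected === null ? "input rejected, no query executed" : "row returned"), "\n";

try {
    show_post_as_posted($db, $tampered);
} catch (PDOException $e) {
    // The tail of the URL value was parsed as SQL. Showing $e->getMessage() to
    // the visitor would hand back database details (here, about a "users"
    // table); log it server-side and return a generic error instead.
    error_log("as posted: SQL error from client input: " . $e->getMessage());
    echo "as posted: the URL value reached the SQL parser\n";
}
```

The try/catch around the as-posted version is the defender's check: if any part of a URL value can make the database raise a syntax or schema error, that value is being parsed as SQL, and the error text itself is something the response must never contain.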
		 
Posted: Tue May 17, 2005 9:49 pm
d3vilbox (Beginner) | Joined: May 02, 2005 | Posts: 3

hey anselmes

If the RDBMS is MSSQL server, there are some other methods to bypass such problems, for example in MS-SQL you can make the SQL server pass your wanted data in the returned error message.

ex: http://www.example.com/showpost.php?threadid=1 and threadid=convert(SELECT pwd FROM users WHERE userid=adminsiteid,int)

then it returns an error message including the admin's pwd

there are other ways in MS-SQL like:

executing system commands by xp_cmdshell (extended stored procedure)
executing T-SQL by using the ; character after the end of each query statement
brute-forcing the DB to find the pwd of the DBA (DataBase Admin) by using simple T-SQL
...

but in MySQL, as far as I know there is no way to exploit your example page, and it's useless!

maybe using some special SQL commands to write the returned data into a bulk file would be useful but I'm not sure!

Tell me if you found the answer, d3vilbox [at] yahoo [d0t] com

tnx
		 
Posted: Wed May 18, 2005 2:19 pm
anselmes (Beginner) | Joined: May 11, 2005 | Posts: 4 | Location: France

thanks for your answer d3vilbox

fortunately for me I only use MySQL

But it's very interesting, it gives me lots of ideas

But I was wondering .. can UNION be used with an INSERT after? ..

I will check it after .. but I think it can't ...

Bye
		 
Powered by phpBB © 2001-2008 phpBB Group