SQL injection problem

markg85
Forum Commoner
Posts: 32
Joined: Sat Dec 03, 2005 6:49 pm

SQL injection problem

Post by markg85 »

Hello,

Today I visited securityfocus.com to see if there were any exploits for the script I made a big addon for (total conversion), and I was pretty surprised when I saw my script there :S

http://www.securityfocus.com/bid/15912/info

So now I want to fix that exploit (that's not a problem), but I also want to know how the **** you abuse exploits like that... I tried several things like this:

http://www.example.com/pafiledb.php...c ... id="DELETE FROM pafiledb_comments WHERE news_id = 5

with the quotes in all different kinds of places and without quotes, but nothing gets deleted in the database... so I'm really wondering how those exploits work...

NOTE!! This is not to abuse!! This is to learn from and make my script exploit free (as free as possible).
So.. how do I use that exploit so that it actually DELETES something from the database... or alters something.. I just can't get it working, so to me it looks like the script is safe because I can't delete a thing :P

Help would be very nice.
Thanks a lot.
shiznatix
DevNet Master
Posts: 2745
Joined: Tue Dec 28, 2004 5:57 pm
Location: Tallinn, Estonia

Post by shiznatix »

Well, I am positive that everyone is quite uncertain that you actually own the script, so almost everyone is going to be shady about an actual answer to an actual exploit.

If you are just looking for the news id, why not just make sure that it is an integer with some preg_match(), then if it is, pass it through, and if it is not ONLY a number then just default to a number or throw an error saying 'hack attempt' or something.
neophyte
DevNet Resident
Posts: 1537
Joined: Tue Jan 20, 2004 4:58 pm
Location: Minnesota

Post by neophyte »

How about just... is_numeric($id);?
Jenk
DevNet Master
Posts: 3587
Joined: Mon Sep 19, 2005 6:24 am
Location: London

Post by Jenk »

If anyone decides to answer the question on how to abuse this script, you deserve a slap with a wet kipper.

As for fixing it:

SQL injection is one of, if not the, most talked-about security subjects in the PHP world.

Look at the function mysql_real_escape_string for a start.
markg85
Forum Commoner
Posts: 32
Joined: Sat Dec 03, 2005 6:49 pm

Post by markg85 »

I think I'll start using is_numeric() :)

But because I really want to know how to use those injections in order to prevent them, I will try and give you guys some info to believe that the script is mine....

http://pafiledb.byethost15.com/pafiledb.php
that's the homepage

If you download RC5 and open pafiledb.php you will see this in the first few lines:

```php
/*
  paFileDB 3.1
  ©2001/2002 PHP Arena
  Written by Todd
  todd@phparena.net
  http://www.phparena.net
  Keep all copyright links on the script visible
  Please read the license included with this script for more information.
  - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  Modded by Mark
  Markg852@hotmail.com
  Markg85@gmail.com
  ©2005 paFileDB Extreme Edition
   - - - - - - - - - - -
*/
```
<<the php tags are not working :S>>
Looks like me, doesn't it :P

On http://www.pamods.net (the place where I release the new versions... now also on pafiledb.byethost15.com) you can see that the releases are done by markg85 (that's me).

Do I need to prove more? :)
waradmin
Forum Contributor
Posts: 240
Joined: Fri Nov 04, 2005 2:57 pm

Post by waradmin »

I'm always skeptical of people who use more than 1 emoticon in their posts.

So if I email markg85 it will be you responding?
markg85
Forum Commoner
Posts: 32
Joined: Sat Dec 03, 2005 6:49 pm

Post by markg85 »

Just replied to your e-mail... and for the smilies.. I kinda overuse them, sorry for that.
trukfixer
Forum Contributor
Posts: 174
Joined: Fri May 21, 2004 3:14 pm
Location: Miami, Florida, USA

Post by trukfixer »

I don't see why everyone is so hot and bothered about keeping "how to" SQL inject a secret - it's very public (do a little Google work, perhaps?). Anyhow - here are some examples..

http://www.unixwiz.net/techtips/sql-injection.html

http://www.securiteam.com/securityrevie ... 1P76E.html
patrikG
DevNet Master
Posts: 4235
Joined: Thu Aug 15, 2002 5:53 am
Location: Sussex, UK

Post by patrikG »

waradmin wrote:I'm always skeptical of people who use more than 1 emoticon in their posts.
8O :D Same here :wink: :wink: :wink:

But then, I'm also very sceptical of people who smile in general. ;)
markg85
Forum Commoner
Posts: 32
Joined: Sat Dec 03, 2005 6:49 pm

Post by markg85 »

Thanks for the links.. now I can finally start on ways to prevent it since I know how to do them :D

Btw, for the SQL injection in my script.. I have no idea why the person published the "SQL Injection Vulnerability", because an SQL injection isn't even possible!!!

It would be possible if this check wasn't done:

```php
function is_num($var) {
    // An empty string has no digits to check, so treat it as not numeric
    if (strlen($var) == 0) {
        return false;
    }
    // Walk the string byte by byte; every byte must be an ASCII digit (48-57, '0'-'9')
    for ($i = 0; $i < strlen($var); $i++) {
        $ascii_code = ord($var[$i]);
        if ($ascii_code >= 48 && $ascii_code <= 57) {
            continue;
        } else {
            return false;   // first non-digit byte rejects the whole value
        }
    }
    return true;
}
```
If you know a bit of coding you see that FALSE is returned, so this piece of code:

```php
$id = '';   // stays empty unless the check below passes
if (isset($_REQUEST['newsid']) && is_num($_REQUEST['newsid']) == TRUE) $id = $_REQUEST['newsid'];
```
now just doesn't fill $id, and therefore an SQL injection isn't possible because $id is empty.

But this still is a "bug" because it's better to display an error like: the newsid is not valid, or something like that.
This will be "fixed" in a future release (v 1.0.0) and will be logged as a hack attempt. The URL will be logged too, and I think I will also write an extra e-mail function that mails the administrator if the same user/IP has more than 3 hack attempts.

Conclusion: this SQL injection isn't an injection vulnerability at all. Though an error message will be displayed next time and the IP will be logged with the action he did..

Thanks a lot for the help guys/girls.. and btw.. it must be clear now that I'm the creator of this script :)
John Cartwright
Site Admin
Posts: 11470
Joined: Tue Dec 23, 2003 2:10 am
Location: Toronto

Post by John Cartwright »

Pimptastic wrote:Read my blog

http://www.mark-beech.co.uk/?page_id=8
Should post that in the Tutorials forum :wink:
Maugrim_The_Reaper
DevNet Master
Posts: 2704
Joined: Tue Nov 02, 2004 5:43 am
Location: Ireland

Post by Maugrim_The_Reaper »

I would suggest avoiding self-coded integer checking functions. There is already a tried and tested selection including is_numeric() and ctype_digit() which are not only more secure (they're very, very well tested) but probably a wee bit faster and more dependable. You can even cast the incoming input variable as an integer to start with, with intval() or even (int) $var; Doing both (redundant measures - Defense in Depth) makes it almost foolproof...

Why the complicated gymnastics with ord()? The ASCII ranges?
markg85
Forum Commoner
Posts: 32
Joined: Sat Dec 03, 2005 6:49 pm

Post by markg85 »

Maugrim_The_Reaper wrote:I would suggest avoiding self-coded integer checking functions. There is already a tried and tested selection including is_numeric() and ctype_digit() which are not only more secure (they're very, very well tested) but probably a wee bit faster and more dependable. You can even cast the incoming input variable as an integer to start with, with intval() or even (int) $var; Doing both (redundant measures - Defense in Depth) makes it almost foolproof...

Why the complicated gymnastics with ord()? The ASCII ranges?
I want to keep it controlled in a function so that I can output anything I want if it's FALSE :)
But I will use is_numeric() in the function to check if it's TRUE or FALSE :)
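Added example, not code from the thread or from paFileDB: Maugrim's two-layer check (ctype_digit() plus an (int) cast) wrapped in a function the way markg85 wants, so the caller decides what to do on failure. The function names validate_news_id and comments_for, the mysqli connection and the sample inputs are assumptions; the table and column names come from the thread. The side-by-side loop shows why ctype_digit() is the stricter choice here: is_numeric() also accepts forms like "1e3", " 5" and "-5".

```php
<?php
// Added example (not code from the thread or from paFileDB): the check Maugrim
// describes, ctype_digit() plus an (int) cast as a second layer, wrapped in a
// function as markg85 wants so the caller decides what happens when it fails.
function validate_news_id($raw): ?int
{
    // $_REQUEST values are strings; anything else (arrays, null) is rejected.
    if (!is_string($raw)) {
        return null;
    }
    // ctype_digit() accepts only the bytes '0'-'9' and rejects "", so signs,
    // spaces, exponents ("1e3"), quotes and SQL keywords never get through.
    if (!ctype_digit($raw)) {
        return null;
    }
    // Redundant second layer: cast, then reject 0 (ids start at 1) and values
    // that do not round-trip (a huge digit string saturates to PHP_INT_MAX).
    $id = (int) $raw;
    if ($id < 1 || (string) $id !== ltrim($raw, '0')) {
        return null;
    }
    return $id;
}

// Why ctype_digit() is the stricter of the two: constructed inputs side by side.
$samples = ['5', '0005', '-5', ' 5', '5.0', '1e3', '5 OR 1=1', '5"', ''];
foreach ($samples as $s) {
    printf("%-12s is_numeric=%-5s ctype_digit=%-5s validated=%s\n",
        var_export($s, true),
        is_numeric($s) ? 'true' : 'false',
        ctype_digit($s) ? 'true' : 'false',
        var_export(validate_news_id($s), true));
}

// Caller side (mysqli connection assumed): a rejected value is logged, as
// markg85 plans to do, and an accepted one is bound as an integer parameter,
// so the query text never contains anything the user typed.
function comments_for(mysqli $db, $rawId)
{
    $id = validate_news_id($rawId);
    if ($id === null) {
        error_log('rejected newsid from ' . ($_SERVER['REMOTE_ADDR'] ?? 'unknown'));
        return false;
    }
    $stmt = $db->prepare('SELECT * FROM pafiledb_comments WHERE news_id = ?');
    $stmt->bind_param('i', $id);   // 'i': bind as an integer
    $stmt->execute();
    return $stmt->get_result();    // false if the query failed
}
```

Of the constructed inputs only '5' and '0005' come back as a usable id; everything is_numeric() alone would have let through ('-5', ' 5', '5.0', '1e3') is rejected before any query is built.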