SQL injection problem
Posted: Sat Dec 17, 2005 1:25 pm
by markg85
Hello,
Today I visited securityfocus.com to see if there were any exploits for the script I made a big addon for (total conversion), and I was pretty surprised when I saw my script there :S
http://www.securityfocus.com/bid/15912/info
So now I want to fix that exploit (that's not a problem), but I also want to know how the **** you abuse exploits like that... I tried several things like this:
http://www.example.com/pafiledb.php...c ... id="DELETE FROM pafiledb_comments WHERE news_id = 5
with the quotes in all different kinds of places and without quotes, but nothing gets deleted in the database... so I'm really wondering how those exploits work...
NOTE!! This is not to abuse!! This is to learn from and make my script exploit free (as free as possible).
So... how do I use that exploit so that it actually DELETES something from the database... or alters something... I just can't get it working, so to me it looks like the script is safe because I can't delete a thing.
Help would be very nice.
Thanks a lot.
Posted: Sat Dec 17, 2005 4:23 pm
by shiznatix
Well, I am positive that everyone is quite uncertain that you actually own the script, so almost everyone is going to be shady about an actual answer to an actual exploit.
If you are just looking for the news id, why not just make sure that it is an integer with some preg_match(), then if it is, pass it through, and if it is not ONLY a number then just default to a number or throw an error saying 'hack attempt' or something.
Posted: Sat Dec 17, 2005 5:12 pm
by neophyte
How about just... is_numeric($id);?
Posted: Sun Dec 18, 2005 12:47 am
by Jenk
If anyone decides to answer the question on how to abuse this script, you deserve a slap with a wet kipper.
As for fixing it:
SQL injection is one of, if not the most talked about security subject in the PHP world.
Look at the function mysql_real_escape_string for a start.
Posted: Sun Dec 18, 2005 8:07 am
by markg85
I think I'll start using is_numeric().
But because I really want to know how to use those injections in order to prevent them, I will try and give you guys some info to believe that the script is mine....
http://pafiledb.byethost15.com/pafiledb.php
That's the homepage.
If you download RC5 and open pafiledb.php you will see this in the first few lines:
Code:
/*
paFileDB 3.1
©2001/2002 PHP Arena
Written by Todd
todd@phparena.net
http://www.phparena.net
Keep all copyright links on the script visible
Please read the license included with this script for more information.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Modded by Mark
Markg852@hotmail.com
Markg85@gmail.com
©2005 paFileDB Extreme Edition
- - - - - - - - - - -
<<the php tags are not working :S>>
Looks like me, doesn't it?
On http://www.pamods.net (the place where I release the new versions... now also on pafiledb.byethost15.com) you can see that the releases are done by markg85 (that's me).
Do I need to prove more?

Posted: Sun Dec 18, 2005 10:51 am
by waradmin
I'm always skeptical of people who use more than 1 emoticon in their posts.
So if I email markg85 it will be you responding?
Posted: Sun Dec 18, 2005 10:56 am
by markg85
Just replied to your e-mail... and for the smilies... I kinda overuse them, sorry for that.
Posted: Mon Dec 19, 2005 12:28 am
by trukfixer
I don't see why everyone is so hot and bothered about keeping "how to" SQL inject a secret - it's very public (do a little Google work, perhaps?). Anyhow - here's some examples...
http://www.unixwiz.net/techtips/sql-injection.html
http://www.securiteam.com/securityrevie ... 1P76E.html
Posted: Mon Dec 19, 2005 3:33 am
by JayBird
Posted: Mon Dec 19, 2005 4:16 am
by patrikG
Posted: Mon Dec 19, 2005 6:17 am
by markg85
Thanks for the links... now I can finally start on ways to prevent it since I know how to do them.
BTW, for the SQL injection in my script... I have no idea why the person that published the "SQL Injection Vulnerability" did, because a SQL injection isn't even possible!!!
It would be possible if this check wasn't done:
Code:
// Returns TRUE only when every character of $var is an ASCII digit (0-9).
// Any other character (quote, space, letter, minus sign) makes it return FALSE.
function is_num($var) {
    // An empty string would otherwise skip the loop and be reported as numeric.
    if ($var === '') {
        return false;
    }
    for ($i = 0; $i < strlen($var); $i++) {
        $ascii_code = ord($var[$i]);        // ASCII code of the current character
        if ($ascii_code >= 48 && $ascii_code <= 57) {
            continue;                        // '0' .. '9'
        } else {
            return false;                    // anything else: not a number
        }
    }
    return true;
}
If you know a bit of coding you see that FALSE is returned,
so this piece of code:
Code:
// $id is only assigned when the request value consists of digits only
if (is_num($_REQUEST['newsid']) == TRUE) $id = $_REQUEST['newsid'];
now just doesn't fill $id, and therefore a SQL injection isn't possible because $id is empty.
But this still is a "bug" because it's better to display an error like "the newsid is not valid" or something like that.
This will be "fixed" in a future release (v 1.0.0) and will be logged as a hack attempt. The URL will be logged too, and I think I will also write an extra e-mail function that mails the administrator if the same user/IP has more than 3 hack attempts.
Conclusion: this SQL injection isn't an injection vulnerability at all. Though an error message will be displayed next time and the IP will be logged with the action he did...
Thanks a lot for the help guys/girls... and BTW, it must be clear now that I'm the creator of this script.

Posted: Mon Dec 19, 2005 10:37 am
by John Cartwright
You should post that in the Tutorials forum.

Posted: Mon Dec 19, 2005 10:49 am
by Maugrim_The_Reaper
I would suggest avoiding self-coded integer checking functions. There is already a tried and tested selection, including is_numeric() and ctype_digit(), which are not only more secure (they're very, very well tested) but probably a wee bit faster and more dependable. You can even cast the incoming input variable as an integer to start with, using intval() or even (int) $var; doing both (redundant measures - Defense in Depth) makes it almost foolproof...
Why the complicated gymnastics with ord()? The ASCII ranges?
Posted: Mon Dec 19, 2005 2:01 pm
by markg85
Maugrim_The_Reaper wrote: I would suggest avoiding self-coded integer checking functions. There is already a tried and tested selection, including is_numeric() and ctype_digit(), which are not only more secure (they're very, very well tested) but probably a wee bit faster and more dependable. You can even cast the incoming input variable as an integer to start with, using intval() or even (int) $var; doing both (redundant measures - Defense in Depth) makes it almost foolproof...
Why the complicated gymnastics with ord()? The ASCII ranges?
I want to keep it controlled in a function so that I can output anything I want if it's FALSE.

But I will use is_numeric() in the function to check if it's TRUE or FALSE.
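An added example, not code from the thread or from paFileDB, that puts the checks discussed in the last few posts side by side on constructed newsid values: the thread's own is_num() loop, the suggested is_numeric(), and a strict ctype_digit() check, followed by the value being cast and bound in a prepared statement. The $pdo connection and the comments_for_news_id() helper are assumptions for illustration.

```php
<?php
// Added example, not code from the thread or from paFileDB: compares the checks
// discussed above on constructed sample values of $_REQUEST['newsid'].

// The thread's is_num(), condensed; note the loop never runs for '' so it returns true.
function is_num($var) {
    for ($i = 0; $i < strlen($var); $i++) {
        if (ord($var[$i]) < 48 || ord($var[$i]) > 57) {
            return false;
        }
    }
    return true;
}

// Strict id check: a non-empty string made only of ASCII digits.
function valid_news_id($var) {
    return is_string($var) && $var !== '' && ctype_digit($var);
}

// Constructed inputs: legitimate ids, edge cases, and two injection-shaped strings.
$samples = ['5', '0005', '', '-5', '5.5', '1e3', ' 5', '5 OR 1=1',
            '5; DELETE FROM pafiledb_comments WHERE news_id = 5'];

printf("%-54s %-7s %-11s %s\n", 'input', 'is_num', 'is_numeric', 'valid_news_id');
foreach ($samples as $s) {
    printf("%-54s %-7s %-11s %s\n", var_export($s, true),
        var_export(is_num($s), true),
        var_export(is_numeric($s), true),
        var_export(valid_news_id($s), true));
}
// is_numeric() accepts '-5', '5.5', '1e3' and ' 5' (PHP's numeric-string rules);
// only valid_news_id() rejects all of them and also rejects ''.

// After validation, cast and bind the value instead of concatenating it into the SQL.
// $pdo is a hypothetical PDO connection; prepared statements are the modern form of
// the mysql_real_escape_string() advice given earlier in the thread.
function comments_for_news_id(PDO $pdo, $raw) {
    if (!valid_news_id($raw)) {
        throw new InvalidArgumentException('newsid is not a valid integer id');
    }
    $stmt = $pdo->prepare('SELECT id, comment FROM pafiledb_comments WHERE news_id = :id');
    $stmt->bindValue(':id', (int) $raw, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}
```

Running the table part shows why is_numeric() on its own is a weaker gate than the thread assumes for an integer id; the cast-and-bind step is what keeps the query shape fixed regardless of the input.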
