SQL injection problem

Posted: Sat Dec 17, 2005 1:25 pm
by markg85
Hello,

Today I visited securityfocus.com to see if there were any exploits for the script I made a big addon for (total conversion), and I was pretty surprised when I saw my script there :S

http://www.securityfocus.com/bid/15912/info

So now I want to fix that exploit (that's not a problem), but I also want to know how the **** you abuse exploits like that... I tried several things like this:

http://www.example.com/pafiledb.php...c ... id="DELETE FROM pafiledb_comments WHERE news_id = 5

with the quotes in all different kinds of places and without quotes, but nothing gets deleted in the database... so I'm really wondering how those exploits work...

NOTE!! This is not to abuse!! This is to learn from and make my script exploit free (as free as possible).
So... how do I use that exploit so that it actually DELETES something from the database... or alters something... I just can't get it working, so to me it looks like the script is safe because I can't delete a thing :P

Help would be very nice.
Thanks a lot.

Posted: Sat Dec 17, 2005 4:23 pm
by shiznatix
Well, I am positive that everyone is quite uncertain that you actually own the script, so almost everyone is going to be shady about an actual answer to an actual exploit.

If you are just looking for the news id, why not just make sure that it is an integer with some preg_match()? Then if it is, pass it through, and if it is not ONLY a number then just default to a number or throw an error saying 'hack attempt' or something.

Posted: Sat Dec 17, 2005 5:12 pm
by neophyte
How about just... is_numeric($id);?

Posted: Sun Dec 18, 2005 12:47 am
by Jenk
If anyone decides to answer the question on how to abuse this script, you deserve a slap with a wet kipper.

As for fixing it:

SQL injection is one of, if not the most talked about security subject in the PHP world.

Look at the function mysql_real_escape_string for a start.

Posted: Sun Dec 18, 2005 8:07 am
by markg85
I think I'll start using is_numeric() :)

But because I really want to know how to use those injections in order to prevent them, I will try and give you guys some info to believe that the script is mine....

http://pafiledb.byethost15.com/pafiledb.php
That's the homepage.

If you download RC5 and open pafiledb.php you will see this in the first few lines:


/*
  paFileDB 3.1
  ©2001/2002 PHP Arena
  Written by Todd
  todd@phparena.net
  http://www.phparena.net
  Keep all copyright links on the script visible
  Please read the license included with this script for more information.
  - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  Modded by Mark
  Markg852@hotmail.com
  Markg85@gmail.com
  ©2005 paFileDB Extreme Edition
   - - - - - - - - - - -
<<the php tags are not working :S>>
Looks like me, doesn't it :P

On http://www.pamods.net (the place where I release the new versions... now also on pafiledb.byethost15.com) you can see that the releases are done by markg85 (that's me).

Do I need to prove more? :)

Posted: Sun Dec 18, 2005 10:51 am
by waradmin
I'm always skeptical of people who use more than 1 emoticon in their posts.

So if I email markg85 it will be you responding?

Posted: Sun Dec 18, 2005 10:56 am
by markg85
Just replied to your e-mail... and for the smilies... I kind of overuse them, sorry for that.

Posted: Mon Dec 19, 2005 12:28 am
by trukfixer
I don't see why everyone is so hot and bothered about keeping "how to" SQL inject a secret - it's very public (do a little Google work, perhaps?). Anyhow - here are some examples...

http://www.unixwiz.net/techtips/sql-injection.html

http://www.securiteam.com/securityrevie ... 1P76E.html

Posted: Mon Dec 19, 2005 3:33 am
by JayBird

Posted: Mon Dec 19, 2005 4:16 am
by patrikG
waradmin wrote: I'm always skeptical of people who use more than 1 emoticon in their posts.

8O :D Same here :wink: :wink: :wink:

But then, I'm also very sceptical of people who smile in general. ;)

Posted: Mon Dec 19, 2005 6:17 am
by markg85
Thanks for the links... now I can finally start on ways to prevent it since I know how to do them :D

BTW, for the SQL injection in my script... I have no idea why the person published the "SQL Injection Vulnerability", because an SQL injection isn't even possible!!!

It would be possible if this check wasn't done:


function is_num($var) {
    // Walk the string byte by byte and reject it at the first non-digit.
    // Note: an empty string passes, because the loop body never runs.
    for ($i = 0; $i < strlen($var); $i++) {
        $ascii_code = ord($var[$i]);                  // ord() already returns an int
        if ($ascii_code >= 48 && $ascii_code <= 57) { // ASCII '0'..'9'
            continue;
        } else {
            return false;
        }
    }
    return true;
}

If you know a bit of coding you see that FALSE is returned,
so this piece of code:

// $id is only assigned when the request value passes the digit check
if (is_num($_REQUEST['newsid']) == TRUE) $id = $_REQUEST['newsid'];

now just doesn't fill $id, and therefore an SQL injection isn't possible because $id is empty.

But this still is a "bug", because it's better to display an error like "the newsid is not valid" or something like that.
This will be "fixed" in a future release (v 1.0.0) and will be logged as a hack attempt. The URL will be logged too, and I think I will also write an extra e-mail function that mails the administrator if the same user/IP has more than 3 hack attempts.

Conclusion: this SQL injection isn't an injection vulnerability at all. Though an error message will be displayed next time and the IP will be logged with the action he did...

Thanks a lot for the help guys/girls... and BTW, it must be clear now that I'm the creator of this script :)

Posted: Mon Dec 19, 2005 10:37 am
by John Cartwright
Pimptastic wrote: Read my blog

http://www.mark-beech.co.uk/?page_id=8

Should post that in the Tutorials forum :wink:

Posted: Mon Dec 19, 2005 10:49 am
by Maugrim_The_Reaper
I would suggest avoiding self-coded integer checking functions. There is already a tried and tested selection including is_numeric() and ctype_digit() which are not only more secure (they're very, very well tested) but probably a wee bit faster and more dependable. You can even cast the incoming input variable as an integer to start with, using intval() or even (int) $var. Doing both (redundant measures - Defense in Depth) makes it almost foolproof...

Why the complicated gymnastics with ord()? The ASCII ranges?

Posted: Mon Dec 19, 2005 2:01 pm
by markg85
Maugrim_The_Reaper wrote: I would suggest avoiding self-coded integer checking functions. There is already a tried and tested selection including is_numeric() and ctype_digit() which are not only more secure (they're very, very well tested) but probably a wee bit faster and more dependable. You can even cast the incoming input variable as an integer to start with, using intval() or even (int) $var. Doing both (redundant measures - Defense in Depth) makes it almost foolproof...

Why the complicated gymnastics with ord()? The ASCII ranges?

I want to keep it controlled in a function so that I can output anything I want if it's FALSE :)
But I will use is_numeric() in the function to check if it's TRUE or FALSE :)
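As an added example (not paFileDB's code and not written by any poster in this thread), this compares the thread's is_num() against is_numeric() and ctype_digit() on constructed inputs, and shows a wrapper that keeps the custom error message markg85 wants while relying on ctype_digit() plus the (int) cast Maugrim suggests; validate_news_id() and the sample ids are hypothetical.

```php
<?php
// The is_num() function from the thread, reproduced unchanged for comparison.
// It accepts the empty string because its loop body never runs.
function is_num($var) {
    for ($i = 0; $i < strlen($var); $i++) {
        $ascii_code = ord($var[$i]);
        if (!($ascii_code >= 48 && $ascii_code <= 57)) {
            return false;
        }
    }
    return true;
}

// Hypothetical wrapper: returns a validated integer id, or null and sets $error.
// Layer 1: ctype_digit() only accepts a non-empty string of ASCII digits
//          (no sign, no whitespace, no exponent, no decimal point).
// Layer 2: the (int) cast guarantees the value used in the query is an integer.
function validate_news_id($raw, &$error) {
    $error = null;
    if (!is_string($raw) || !ctype_digit($raw)) {
        $error = 'the newsid is not valid';   // the message the thread proposes
        return null;                          // caller logs this as a bad request
    }
    return (int) $raw;
}

// Constructed sample inputs (not from the page) covering the edge cases
// where the three checks disagree.
$samples = ['5', '', '1e3', ' 7', '-3', '5.0', '+4', '12abc'];

printf("%-8s %-8s %-12s %-12s %s\n",
    'input', 'is_num', 'is_numeric', 'ctype_digit', 'validate_news_id');
foreach ($samples as $s) {
    $id = validate_news_id($s, $err);
    printf("%-8s %-8s %-12s %-12s %s\n",
        var_export($s, true),
        is_num($s)      ? 'true' : 'false',
        is_numeric($s)  ? 'true' : 'false',
        ctype_digit($s) ? 'true' : 'false',
        $id === null ? "rejected ($err)" : $id);
}
```

is_numeric() accepts signs, leading whitespace, decimals and exponents, so it is looser than what a row id needs; ctype_digit() with the cast gives the strict "digits only" rule the thread is after.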