Advanced SQL Injection Attacks

cancer10 (Proficient, 268 posts)

Hi,

I was going through my site stats and found that some SQL injections had been passed through my site's query string.

This was the query string passed to one of the pages. (Note: For security reasons I have replaced my original table and column names in the code below.)

Code:
?action=show&id=88 union select 1,2,3,concat_ws(0x3a3a,xuser,xpass),5,6,7,8,9,10,11,12,13 from mytbl_login--



I have taken care of the SQL injection attacks and hence am using the following function in my code everywhere to prevent any SQL injections.

Code:
    function antisql($data){
        // Undo the backslashes magic_quotes_gpc adds automatically, so the
        // value is not escaped twice.
        if(get_magic_quotes_gpc()){
            $data1 = stripslashes($data);
        }else{
            $data1 = $data;
        }
        // Backslash-escapes quotes, backslashes and NUL bytes only; it needs an
        // open mysql connection and leaves a quote-free value unchanged.
        return mysql_real_escape_string($data1);
    }

I am not posting this thread to know what SQL injection is. I know what it is. :)

A few things I want to know are:

1) How did they know my column names (xuser and xpass) and table name (mytbl_login)?

2) Why didn't the antisql() function prevent that SQL injection attack?

3) What is the above querystring actually doing?


Some info:
My site is made in PHP and MySQL and runs on CentOS.


Thank you so much for your help in advance.
Don2007 (Web Master, 4923 posts, Loc: NY)

I see that all your questions were already answered in the other forum. They provided good information.

http://www.webdeveloper.com/forum/showt ... p?t=194396
joebert (Genius, 13504 posts, Loc: Florida)

Quote:
1) How did they know my column names (xuser and xpass) and table name (mytbl_login)?

Could be any number of ways, from paying attention to support request forum threads you've made using actual table names, to an educated guess based on knowing about an open-source library you use, to perhaps a friend who's familiar with your project just watching your back.

One of the tasks involved in running a website is being able to determine that by looking at logs/etc. and without asking anyone else. :)

Quote:
2) Why didn't the antisql() function prevent that SQL injection attack?

Because all it's doing is removing quotes.

You need to do two things to prevent SQL injection.

1) Make sure every piece of request data you obtain from $_GET/$_POST/etc is checked against the expected format before doing anything with it. This is the most important.

2) Make sure quotes in data destined for text columns are properly escaped.

Quote:
3) What is the above querystring actually doing?

Without seeing the code that works with it, it's tough to tell. But at first glance it appears to append someone's username/password to the results of a query which already prints data to the screen.
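A worked model of the two points made in this reply (why antisql() leaves the posted payload untouched, and what the UNION actually returns), as an added example that is not code from the thread or from either poster. It uses Python's sqlite3 module rather than PHP and MySQL, so the schema, the column names col1..col13, the "Page 88" row and the admin/s3cret login row are constructed sample data; MySQL's concat_ws(0x3a3a, xuser, xpass) is modelled as xuser || char(58,58) || xpass, the quote-free SQLite equivalent (0x3a3a is the hex literal for the two bytes "::"). The antisql() below approximates mysql_real_escape_string, which escapes quotes, backslashes and NUL bytes and nothing else.

```python
import re
import sqlite3

# Constructed sample schema: the injected UNION on the page supplies 13 values,
# so the original SELECT must return 13 columns (col1..col13 here). The login
# table uses the column and table names from the posted query string.
COLS = [f"col{i}" for i in range(1, 14)]
SELECT_COLS = ", ".join(COLS)

# The attacker's id parameter, with concat_ws(0x3a3a, xuser, xpass) rewritten
# for SQLite as xuser || char(58,58) || xpass. Like the original it contains no
# quotes, which is exactly why a quote-escaping function never changes it.
PAYLOAD = ("88 union select 1,2,3,xuser || char(58,58) || xpass,"
           "5,6,7,8,9,10,11,12,13 from mytbl_login--")


def build_db():
    """Create an in-memory database with one page row and one login row."""
    con = sqlite3.connect(":memory:")
    page_cols = ", ".join(f"{c} TEXT" for c in COLS)
    con.execute(f"CREATE TABLE mytbl_page (id INTEGER PRIMARY KEY, {page_cols})")
    placeholders = ", ".join("?" * 13)
    con.execute(f"INSERT INTO mytbl_page VALUES (88, {placeholders})",
                ["Page 88"] + ["x"] * 12)
    con.execute("CREATE TABLE mytbl_login (xuser TEXT, xpass TEXT)")
    con.execute("INSERT INTO mytbl_login VALUES ('admin', 's3cret')")
    return con


def antisql(data):
    """Approximation of the posted antisql(): backslash-escape quotes,
    backslashes and NUL bytes as mysql_real_escape_string does. Spaces,
    commas, keywords and comment markers are left untouched."""
    return (data.replace("\\", "\\\\").replace("'", "\\'")
                .replace('"', '\\"').replace("\0", "\\0"))


def show_vulnerable(con, id_param):
    """The pattern the thread describes: escape, then concatenate into an
    unquoted numeric comparison. For a quote-free payload the escaping is a
    no-op and the UNION becomes part of the statement."""
    sql = f"SELECT {SELECT_COLS} FROM mytbl_page WHERE id=" + antisql(id_param)
    return con.execute(sql).fetchall()


def leaked_values(rows):
    """Fourth column of every returned row, where the UNION places xuser::xpass."""
    return [str(r[3]) for r in rows]


ID_RE = re.compile(r"[0-9]{1,10}")


def show_hardened(con, id_param):
    """Check the parameter against its expected format first (a decimal id),
    then bind it as a parameter so the database never parses it as SQL."""
    if not ID_RE.fullmatch(id_param):
        raise ValueError("id must be a decimal integer")
    sql = f"SELECT {SELECT_COLS} FROM mytbl_page WHERE id=?"
    return con.execute(sql, (int(id_param),)).fetchall()


if __name__ == "__main__":
    con = build_db()
    print(show_vulnerable(con, "88"))
    print(show_vulnerable(con, PAYLOAD))   # second row carries admin::s3cret
    print(show_hardened(con, "88"))
    try:
        show_hardened(con, PAYLOAD)
    except ValueError as e:
        print("rejected:", e)
```

Running it shows the page's own row followed by a row whose fourth column is admin::s3cret, which is what "appending someone's username/password to the results" looks like in practice; the format check in show_hardened() rejects the payload before any SQL is built, and binding the id as a parameter protects even a value that passed the check.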

© 1998-2014. Ozzu® is a registered trademark of Unmelted, LLC.