SQL injection?

piciui · August 22, 2018

Hi,

is it a sql injection?

/mobile_product_info.php?cPath=500&products_id=78295'+and(%2f*%2fsElEcT+1+%2f%2ffRoM(%2f%2fsElEcT+count(),%2f*%2fcOnCaT((%2f%2fsElEcT(%2f%2fsElEcT+%2f%2fcOnCaT(0x217e21,%2f%2fvErSiOn(),0x217e21))+%2f%2ffRoM+information_schema.%2f%2ftAbLeS+%2f%2flImIt+0,1),floor(rand(0)*2))x+%2f%2ffRoM+information_schema.%2f%2ftAbLeS+%2f%2fgRoUp%2f*%2fbY+x)a)+and+'1'='1 HTTP/1.0" 200 2659

♥kymation · August 22, 2018

It's certainly an attempt at one. I don't have the Mobile site addon installed to test it, so I have no idea if it would work.

Regards

Jim

Jack_mcs · August 23, 2018

I don't recall mobile_product_info.php being part of the mobile addon, though I may be mistaken. If not, then was the file added by the hacker? How did you discover the url?

♥raiwa · August 23, 2018

3 hours ago, Jack_mcs said:

I don't recall mobile_product_info.php being part of the mobile addon, though I may be mistaken. If not, then was the file added by the hacker? How did you discover the url?

This file was used in the first mobile versions before I redesigned it to use a subdirectory for the mobile files.

♥JcMagpie · August 23, 2018

looks to be serching and looking for somthing in the tables. Posiable injection looking for weekness in your site.

/mobile_product_info.php?cPath=500&products_id=78295'+and(/*/select+1+//from(//select+count(),/*/contact((//select(//select+//contact(0x217e21,//version(),0x217e21))+//from+information_schema.//tables+//lImIt+0,1),floor(rand(0)*2))x+//from+information_schema.//tables+//groups/*/bY+x)a)+and+'1'='1 HTTP/1.0" 200 2659

piciui · August 23, 2018

Yes, I think it's sql injection.

Just update htaccess and add:

RewriteCond %{QUERY_STRING} base64_encode.*$.*$ [OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*iframe.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
RewriteRule ^(.*)$ index_error.php [F,L]
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]

but I think htaccess work only for standard site and not for mobile version, right?

MrPhil · August 23, 2018

By the way, if you are using this old (?) mobile add-on on an old osC base, you should consider dumping the whole thing and going to the osC 2.3.4.1BS Edge/CE/Frozen community-supported version. It comes mobile-ready out of the box, and is much more secure and up to date (including PHP 7.1+). At least, take a look at it. This is a fresh install (with database migration), not an upgrade.

♥JcMagpie · August 23, 2018

6 hours ago, piciui said:

but I think htaccess work only for standard site and not for mobile version, right?

It will work for anything on your server mobile or not, Unfortunately its not 100%! you need to update to the latest PHP and code to be safe.

Below is a comprehensive list for sql blocking, just backup and check before using.

# Block MySQL injections, RFI, base64, etc.

RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=http:// [OR]

RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(\.\.//?)+ [OR]

RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ [NC,OR]

RewriteCond %{QUERY_STRING} \=PHP[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12} [NC,OR]

RewriteCond %{QUERY_STRING} (\.\./|\.\.) [OR]

RewriteCond %{QUERY_STRING} ftp\: [NC,OR]

RewriteCond %{QUERY_STRING} http\: [NC,OR]

RewriteCond %{QUERY_STRING} https\: [NC,OR]

RewriteCond %{QUERY_STRING} \=\|w\| [NC,OR]

RewriteCond %{QUERY_STRING} ^(.*)/self/(.*)$ [NC,OR]

RewriteCond %{QUERY_STRING} ^(.*)cPath=http://(.*)$ [NC,OR]

RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]

RewriteCond %{QUERY_STRING} (<|%3C)([^s]*s)+cript.*(>|%3E) [NC,OR]

RewriteCond %{QUERY_STRING} (\<|%3C).*iframe.*(\>|%3E) [NC,OR]

RewriteCond %{QUERY_STRING} (<|%3C)([^i]*i)+frame.*(>|%3E) [NC,OR]

RewriteCond %{QUERY_STRING} base64_encode.*$.*$ [NC,OR]

RewriteCond %{QUERY_STRING} base64_(en|de)code[^(]*$[^)]*$ [NC,OR]

RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]

RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2}) [OR]

RewriteCond %{QUERY_STRING} ^.*(\[|\]|$|$|<|>).* [NC,OR]

RewriteCond %{QUERY_STRING} (NULL|OUTFILE|LOAD_FILE) [OR]

RewriteCond %{QUERY_STRING} (\./|\../|\.../)+(motd|etc|bin) [NC,OR]

RewriteCond %{QUERY_STRING} (localhost|loopback|127\.0\.0\.1) [NC,OR]

RewriteCond %{QUERY_STRING} (<|>|'|%0A|%0D|%27|%3C|%3E|%00) [NC,OR]

RewriteCond %{QUERY_STRING} concat[^\(]*\( [NC,OR]

RewriteCond %{QUERY_STRING} union([^s]*s)+elect [NC,OR]

RewriteCond %{QUERY_STRING} union([^a]*a)+ll([^s]*s)+elect [NC,OR]

RewriteCond %{QUERY_STRING} (;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|drop|delete|update|cast|create|char|convert|alter|declare|order|script|set|md5|benchmark|encode) [NC,OR]

RewriteCond %{QUERY_STRING} (sp_executesql) [NC]

RewriteRule ^(.*)$ - [F,L]

piciui · August 24, 2018

Yes it's work.

16 hours ago, JcMagpie said:

RewriteCond %{QUERY_STRING} ^.*(\[|\]|$|$|<|>).* [NC,OR]

this one cause a error on FCK editor (file attached).

Do you know how to fix ?

piciui · August 24, 2018

I think because source have [ ]:

src="includes/fckeditor/editor/fckeditor.html?InstanceName=products_description[6]&Toolbar=osCPRO"

♥JcMagpie · August 24, 2018

You don’t need every line, if one conflicts with your code remove it. It's always going to be a balancing act. Too many locks on your door what happens if you lose a key! 😊

piciui · August 24, 2018

thank you @JcMagpie

work in this way:

Quote

# Block MySQL injections, RFI, base64, etc.
RewriteEngine On
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=http:// [OR]
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(\.\.//?)+ [OR]
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ [NC,OR]
RewriteCond %{QUERY_STRING} \=PHP[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12} [NC,OR]
RewriteCond %{QUERY_STRING} (\.\./|\.\.) [OR]
RewriteCond %{QUERY_STRING} ftp\: [NC,OR]
RewriteCond %{QUERY_STRING} http\: [NC,OR]
RewriteCond %{QUERY_STRING} https\: [NC,OR]
RewriteCond %{QUERY_STRING} \=\|w\| [NC,OR]
RewriteCond %{QUERY_STRING} ^(.*)/self/(.*)$ [NC,OR]
RewriteCond %{QUERY_STRING} ^(.*)cPath=http://(.*)$ [NC,OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (<|%3C)([^s]*s)+cript.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*iframe.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (<|%3C)([^i]*i)+frame.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} base64_encode.*$.*$ [NC,OR]
RewriteCond %{QUERY_STRING} base64_(en|de)code[^(]*$[^)]*$ [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2}) [OR]
#RewriteCond %{QUERY_STRING} ^.*(\[|\]|$|$|<|>).* [NC,OR]
RewriteCond %{QUERY_STRING} (NULL|OUTFILE|LOAD_FILE) [OR]
RewriteCond %{QUERY_STRING} (\./|\../|\.../)+(motd|etc|bin) [NC,OR]
RewriteCond %{QUERY_STRING} (localhost|loopback|127\.0\.0\.1) [NC,OR]
RewriteCond %{QUERY_STRING} (<|>|'|%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
RewriteCond %{QUERY_STRING} concat[^$]*\( [NC,OR]
RewriteCond %{QUERY_STRING} union([^s]*s)+elect [NC,OR]
RewriteCond %{QUERY_STRING} union([^a]*a)+ll([^s]*s)+elect [NC,OR]
RewriteCond %{QUERY_STRING} (;|<|>|'|"|$|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|drop|delete|update|cast|create|char|convert|alter|declare|order|script|set|md5|benchmark|encode) [NC,OR]
RewriteCond %{QUERY_STRING} (sp_executesql) [NC]
RewriteRule ^(.*)$ - [F,L]

Rwe · August 24, 2018

This week i started to notice this in my error logs:

Fri Aug 24 17:27:50.185002 2018] [proxy_fcgi:error] [pid 87397:tid 139653059434240] [client xxx] Premature end of script headers: index.php
[Fri Aug 24 17:27:50.192088 2018] [proxy_fcgi:error] [pid 87397:tid 139653059434240] [client xxx ] AH01070: Error parsing script headers

above 30 times the same in a row

access.log:

xxx-c-211.html?osCsid=prvpp15vi15v0vrkm88rele6qc&view=all%5C%5C%5C%5C%5C%5C%5C%5C%5C%5C%5C%5C%5C%5C%5C%5C%5C%5C%5C%5C%5C%5C%5C%5C%5C%5C%5C%5C%5C%5C%5C%5C%5C%5C%5C%5C%5C%5C%5C%5C%5C%5C%5C%5C%5C%5C%5C%5C%5C%5C%5C%5C%5C%5C%5C%5C%5C%5C%5C%5C%5C%5C%5C%27A%3D0 HTTP/1.0" 301 1010 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; pt-PT; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2 (.NET CLR 3.5.30729)"

This is only one entry from maybe hundred after eachoter, all with the "view=all" parameter in it and they get longer by each line.

i blocked already several ip's but they keep comming, what are they trying ...anyone ?

♥JcMagpie · August 24, 2018

Nothing good I would imagine, Question is what is xx-c-211.html 😂

xxx-c-211.html?osCsid=prvpp15vi15v0vrkm88rele6qc&view=all///////////////////////////////////////////////////////////////'£208 HTTP/1.0" 301 1010 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; pt-PT; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2 (.NET CLR 3.5.30729)"

Rwe · August 24, 2018

Just a normal url on my live site , nothing that you often look at 😜

joycehess · June 10, 2019

Yes, I think it is SQL injection in order to prevent this just go through this.

https://www.indusface.com/blog/how-to-stop-sql-injection/

Archived

SQL injection?

Recommended Posts

Share this post

Link to post

Share on other sites

Share this post

Link to post

Share on other sites

Share this post

Link to post

Share on other sites

Share this post

Link to post

Share on other sites

Share this post

Link to post

Share on other sites

Share this post

Link to post

Share on other sites

Share this post

Link to post

Share on other sites

Share this post

Link to post

Share on other sites

Share this post

Link to post

Share on other sites

Share this post

Link to post

Share on other sites

Share this post

Link to post

Share on other sites

Share this post

Link to post

Share on other sites

Share this post

Link to post

Share on other sites

Share this post

Link to post

Share on other sites

Share this post

Link to post

Share on other sites

Share this post

Link to post

Share on other sites