piciui 0 Posted August 22, 2018

Hi, is it a SQL injection?

/mobile_product_info.php?cPath=500&products_id=78295'+and(%2f*%2fsElEcT+1+%2f%2ffRoM(%2f%2fsElEcT+count(),%2f*%2fcOnCaT((%2f%2fsElEcT(%2f%2fsElEcT+%2f%2fcOnCaT(0x217e21,%2f%2fvErSiOn(),0x217e21))+%2f%2ffRoM+information_schema.%2f%2ftAbLeS+%2f%2flImIt+0,1),floor(rand(0)*2))x+%2f%2ffRoM+information_schema.%2f%2ftAbLeS+%2f%2fgRoUp%2f*%2fbY+x)a)+and+'1'='1 HTTP/1.0" 200 2659
♥kymation 631 Posted August 22, 2018

It's certainly an attempt at one. I don't have the Mobile site addon installed to test it, so I have no idea if it would work.

Regards
Jim

See my profile for a list of my addons and ways to get support.
Jack_mcs 1,139 Posted August 23, 2018

I don't recall mobile_product_info.php being part of the mobile addon, though I may be mistaken. If not, then was the file added by the hacker? How did you discover the url?

Support Links:
For Hire: Contact me for anything you need help with for your shop: upgrading, hosting, repairs, code written, etc.
Get the latest versions of my addons
Recommended SEO Addons
♥raiwa 1,472 Posted August 23, 2018

3 hours ago, Jack_mcs said:
I don't recall mobile_product_info.php being part of the mobile addon, though I may be mistaken. If not, then was the file added by the hacker? How did you discover the url?

This file was used in the first mobile versions before I redesigned it to use a subdirectory for the mobile files.

About Me: http://forums.oscommerce.com/user/249059-raiwa/
Need help? How To Get The Help You Need
Is your version of osC up to date? You'll find the latest osC community version CE Phoenix here.
Public Phoenix Change Log Cheat Set on Google Sheets
♥JcMagpie 1,693 Posted August 23, 2018

Looks to be searching and looking for something in the tables. Possible injection looking for weakness in your site.

/mobile_product_info.php?cPath=500&products_id=78295'+and(/*/select+1+//from(//select+count(),/*/contact((//select(//select+//contact(0x217e21,//version(),0x217e21))+//from+information_schema.//tables+//lImIt+0,1),floor(rand(0)*2))x+//from+information_schema.//tables+//groups/*/bY+x)a)+and+'1'='1 HTTP/1.0" 200 2659
piciui 0 Posted August 23, 2018

Yes, I think it's SQL injection. Just update .htaccess and add:

RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*iframe.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
RewriteRule ^(.*)$ index_error.php [F,L]
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]

But I think .htaccess works only for the standard site and not for the mobile version, right?
MrPhil 648 Posted August 23, 2018

By the way, if you are using this old (?) mobile add-on on an old osC base, you should consider dumping the whole thing and going to the osC 2.3.4.1BS Edge/CE/Frozen community-supported version. It comes mobile-ready out of the box, and is much more secure and up to date (including PHP 7.1+). At least, take a look at it. This is a fresh install (with database migration), not an upgrade.
♥JcMagpie 1,693 Posted August 23, 2018

6 hours ago, piciui said:
But I think .htaccess works only for the standard site and not for the mobile version, right?

It will work for anything on your server, mobile or not. Unfortunately it's not 100%! You need to update to the latest PHP and code to be safe. Below is a comprehensive list for SQL blocking; just back up and check before using.

# Block MySQL injections, RFI, base64, etc.
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=http:// [OR]
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(\.\.//?)+ [OR]
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ [NC,OR]
RewriteCond %{QUERY_STRING} \=PHP[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12} [NC,OR]
RewriteCond %{QUERY_STRING} (\.\./|\.\.) [OR]
RewriteCond %{QUERY_STRING} ftp\: [NC,OR]
RewriteCond %{QUERY_STRING} http\: [NC,OR]
RewriteCond %{QUERY_STRING} https\: [NC,OR]
RewriteCond %{QUERY_STRING} \=\|w\| [NC,OR]
RewriteCond %{QUERY_STRING} ^(.*)/self/(.*)$ [NC,OR]
RewriteCond %{QUERY_STRING} ^(.*)cPath=http://(.*)$ [NC,OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (<|%3C)([^s]*s)+cript.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*iframe.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (<|%3C)([^i]*i)+frame.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [NC,OR]
RewriteCond %{QUERY_STRING} base64_(en|de)code[^(]*\([^)]*\) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} ^.*(\[|\]|\(|\)|<|>).* [NC,OR]
RewriteCond %{QUERY_STRING} (NULL|OUTFILE|LOAD_FILE) [OR]
RewriteCond %{QUERY_STRING} (\./|\../|\.../)+(motd|etc|bin) [NC,OR]
RewriteCond %{QUERY_STRING} (localhost|loopback|127\.0\.0\.1) [NC,OR]
RewriteCond %{QUERY_STRING} (<|>|'|%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
RewriteCond %{QUERY_STRING} concat[^\(]*\( [NC,OR]
RewriteCond %{QUERY_STRING} union([^s]*s)+elect [NC,OR]
RewriteCond %{QUERY_STRING} union([^a]*a)+ll([^s]*s)+elect [NC,OR]
RewriteCond %{QUERY_STRING} (;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|drop|delete|update|cast|create|char|convert|alter|declare|order|script|set|md5|benchmark|encode) [NC,OR]
RewriteCond %{QUERY_STRING} (sp_executesql) [NC]
RewriteRule ^(.*)$ - [F,L]
piciui 0 Posted August 24, 2018

Yes, it works.

16 hours ago, JcMagpie said:
RewriteCond %{QUERY_STRING} ^.*(\[|\]|\(|\)|<|>).* [NC,OR]

This one causes an error on FCKeditor (file attached). Do you know how to fix it?
piciui 0 Posted August 24, 2018

I think it's because the source has [ ]:

src="includes/fckeditor/editor/fckeditor.html?InstanceName=products_description[6]&Toolbar=osCPRO"
♥JcMagpie 1,693 Posted August 24, 2018

You don't need every line; if one conflicts with your code, remove it. It's always going to be a balancing act. Too many locks on your door: what happens if you lose a key! 😊
piciui 0 Posted August 24, 2018

Thank you @JcMagpie, it works this way:

Quote
# Block MySQL injections, RFI, base64, etc.
RewriteEngine On
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=http:// [OR]
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(\.\.//?)+ [OR]
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ [NC,OR]
RewriteCond %{QUERY_STRING} \=PHP[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12} [NC,OR]
RewriteCond %{QUERY_STRING} (\.\./|\.\.) [OR]
RewriteCond %{QUERY_STRING} ftp\: [NC,OR]
RewriteCond %{QUERY_STRING} http\: [NC,OR]
RewriteCond %{QUERY_STRING} https\: [NC,OR]
RewriteCond %{QUERY_STRING} \=\|w\| [NC,OR]
RewriteCond %{QUERY_STRING} ^(.*)/self/(.*)$ [NC,OR]
RewriteCond %{QUERY_STRING} ^(.*)cPath=http://(.*)$ [NC,OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (<|%3C)([^s]*s)+cript.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*iframe.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (<|%3C)([^i]*i)+frame.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [NC,OR]
RewriteCond %{QUERY_STRING} base64_(en|de)code[^(]*\([^)]*\) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2}) [OR]
#RewriteCond %{QUERY_STRING} ^.*(\[|\]|\(|\)|<|>).* [NC,OR]
RewriteCond %{QUERY_STRING} (NULL|OUTFILE|LOAD_FILE) [OR]
RewriteCond %{QUERY_STRING} (\./|\../|\.../)+(motd|etc|bin) [NC,OR]
RewriteCond %{QUERY_STRING} (localhost|loopback|127\.0\.0\.1) [NC,OR]
RewriteCond %{QUERY_STRING} (<|>|'|%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
RewriteCond %{QUERY_STRING} concat[^\(]*\( [NC,OR]
RewriteCond %{QUERY_STRING} union([^s]*s)+elect [NC,OR]
RewriteCond %{QUERY_STRING} union([^a]*a)+ll([^s]*s)+elect [NC,OR]
RewriteCond %{QUERY_STRING} (;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|drop|delete|update|cast|create|char|convert|alter|declare|order|script|set|md5|benchmark|encode) [NC,OR]
RewriteCond %{QUERY_STRING} (sp_executesql) [NC]
RewriteRule ^(.*)$ - [F,L]
Rwe 35 Posted August 24, 2018

This week I started to notice this in my error logs:

Fri Aug 24 17:27:50.185002 2018] [proxy_fcgi:error] [pid 87397:tid 139653059434240] [client xxx] Premature end of script headers: index.php
[Fri Aug 24 17:27:50.192088 2018] [proxy_fcgi:error] [pid 87397:tid 139653059434240] [client xxx ] AH01070: Error parsing script headers

The above 30 times, the same in a row.

access.log:

xxx-c-211.html?osCsid=prvpp15vi15v0vrkm88rele6qc&view=all%5C%5C%5C%5C%5C%5C%5C%5C%5C%5C%5C%5C%5C%5C%5C%5C%5C%5C%5C%5C%5C%5C%5C%5C%5C%5C%5C%5C%5C%5C%5C%5C%5C%5C%5C%5C%5C%5C%5C%5C%5C%5C%5C%5C%5C%5C%5C%5C%5C%5C%5C%5C%5C%5C%5C%5C%5C%5C%5C%5C%5C%5C%5C%27A%3D0 HTTP/1.0" 301 1010 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; pt-PT; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2 (.NET CLR 3.5.30729)"

This is only one entry from maybe a hundred after each other, all with the "view=all" parameter in them, and they get longer with each line. I already blocked several IPs but they keep coming. What are they trying... anyone?
♥JcMagpie 1,693 Posted August 24, 2018

Nothing good, I would imagine. Question is, what is xxx-c-211.html? 😂

xxx-c-211.html?osCsid=prvpp15vi15v0vrkm88rele6qc&view=all///////////////////////////////////////////////////////////////'£208 HTTP/1.0" 301 1010 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; pt-PT; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2 (.NET CLR 3.5.30729)"
Rwe 35 Posted August 24, 2018

Just a normal url on my live site, nothing that you often look at 😜
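An added example, not code from anyone in this thread: a small Python emulation of a subset of the RewriteCond rules JcMagpie posted, run against the request targets quoted above (the injection attempt from the first post, the FCKeditor URL that tripped the bracket rule, and a shortened form of Rwe's view=all entry), so a blocklist can be checked for hits and false positives before it goes live. The rule names are my own labels; NORMAL and the shortened VIEW_ALL string are constructed.

```python
import re
from urllib.parse import urlsplit

# Subset of the RewriteCond patterns posted in this thread, as (name, PCRE, NC).
# Apache tests %{QUERY_STRING} against the RAW, still percent-encoded query
# string (hence rules list both "<" and "%3C"), so this emulation does the same.
RULES = [
    ("brackets", r"^.*(\[|\]|\(|\)|<|>).*", True),  # the rule that broke FCKeditor
    ("quote_or_ctrl", r"(<|>|'|%0A|%0D|%27|%3C|%3E|%00)", True),
    ("concat", r"concat[^\(]*\(", True),
    ("union_select", r"union([^s]*s)+elect", True),
    ("quote_then_keyword",
     r"(;|<|>|'|\"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|drop"
     r"|delete|update|cast|create|char|convert|alter|declare|order|script|set"
     r"|md5|benchmark|encode)", True),
    ("file_funcs", r"(NULL|OUTFILE|LOAD_FILE)", False),
    ("base64", r"base64_(en|de)code[^(]*\([^)]*\)", True),
    ("globals", r"GLOBALS(=|\[|\%[0-9A-Z]{0,2})", False),
]

def matching_rules(request_target, disabled=()):
    """Names of the rules whose RewriteCond fires for this request target."""
    query = urlsplit(request_target).query
    return [name for name, pattern, nc in RULES
            if name not in disabled
            and re.search(pattern, query, re.IGNORECASE if nc else 0)]

# Request target quoted from the first post (the attempted injection).
ATTACK = ("/mobile_product_info.php?cPath=500&products_id=78295'+and(%2f*%2fsElEcT+1"
          "+%2f%2ffRoM(%2f%2fsElEcT+count(),%2f*%2fcOnCaT((%2f%2fsElEcT(%2f%2fsElEcT"
          "+%2f%2fcOnCaT(0x217e21,%2f%2fvErSiOn(),0x217e21))+%2f%2ffRoM+information"
          "_schema.%2f%2ftAbLeS+%2f%2flImIt+0,1),floor(rand(0)*2))x+%2f%2ffRoM"
          "+information_schema.%2f%2ftAbLeS+%2f%2fgRoUp%2f*%2fbY+x)a)+and+'1'='1")
# The legitimate FCKeditor URL from the thread (uses [6] in a parameter name).
FCKEDITOR = ("/includes/fckeditor/editor/fckeditor.html"
             "?InstanceName=products_description[6]&Toolbar=osCPRO")
# Shortened, constructed version of Rwe's "view=all" entry (path is a placeholder).
VIEW_ALL = "/xxx-c-211.html?osCsid=prvpp15vi15v0vrkm88rele6qc&view=all%5C%5C%5C%27A%3D0"
# Constructed ordinary catalogue request, expected to pass every rule.
NORMAL = "/product_info.php?cPath=500&products_id=78295"

if __name__ == "__main__":
    for label, target in [("attack", ATTACK), ("fckeditor", FCKEDITOR),
                          ("view=all", VIEW_ALL), ("normal", NORMAL)]:
        print(f"{label:10} blocked by {matching_rules(target)}")
    # Same check with the bracket rule commented out, as in the final .htaccess:
    print("fckeditor (no brackets rule):", matching_rules(FCKEDITOR, disabled=("brackets",)))
```

Running it shows the injection attempt tripping several rules at once while the FCKeditor URL trips only the bracket rule, which is why dropping that one line was enough; the view=all probe is still caught by the quote rule via its %27.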
joycehess 0 Posted June 10, 2019

Yes, I think it is SQL injection. In order to prevent this, just go through this:

https://www.indusface.com/blog/how-to-stop-sql-injection/