piciui Posted August 22, 2018

Hi, is it a SQL injection?

/mobile_product_info.php?cPath=500&products_id=78295'+and(%2f*%2fsElEcT+1+%2f%2ffRoM(%2f%2fsElEcT+count(),%2f*%2fcOnCaT((%2f%2fsElEcT(%2f%2fsElEcT+%2f%2fcOnCaT(0x217e21,%2f%2fvErSiOn(),0x217e21))+%2f%2ffRoM+information_schema.%2f%2ftAbLeS+%2f%2flImIt+0,1),floor(rand(0)*2))x+%2f%2ffRoM+information_schema.%2f%2ftAbLeS+%2f%2fgRoUp%2f*%2fbY+x)a)+and+'1'='1 HTTP/1.0" 200 2659
kymation Posted August 22, 2018

It's certainly an attempt at one. I don't have the Mobile site addon installed to test it, so I have no idea if it would work.

Regards
Jim
Jack_mcs Posted August 23, 2018

I don't recall mobile_product_info.php being part of the mobile addon, though I may be mistaken. If not, then was the file added by the hacker? How did you discover the URL?
raiwa Posted August 23, 2018

> 3 hours ago, Jack_mcs said: I don't recall mobile_product_info.php being part of the mobile addon, though I may be mistaken. If not, then was the file added by the hacker? How did you discover the URL?

This file was used in the first mobile versions before I redesigned it to use a subdirectory for the mobile files.
JcMagpie Posted August 23, 2018

Looks to be searching and looking for something in the tables. Possible injection looking for weakness in your site.

/mobile_product_info.php?cPath=500&products_id=78295'+and(/*/select+1+//from(//select+count(),/*/contact((//select(//select+//contact(0x217e21,//version(),0x217e21))+//from+information_schema.//tables+//lImIt+0,1),floor(rand(0)*2))x+//from+information_schema.//tables+//groups/*/bY+x)a)+and+'1'='1 HTTP/1.0" 200 2659
piciui Posted August 23, 2018 (Author)

Yes, I think it's SQL injection. Just update htaccess and add:

RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*iframe.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
RewriteRule ^(.*)$ index_error.php [F,L]
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]

But I think htaccess works only for the standard site and not for the mobile version, right?
MrPhil Posted August 23, 2018

By the way, if you are using this old (?) mobile add-on on an old osC base, you should consider dumping the whole thing and going to the osC 2.3.4.1BS Edge/CE/Frozen community-supported version. It comes mobile-ready out of the box, and is much more secure and up to date (including PHP 7.1+). At least, take a look at it. This is a fresh install (with database migration), not an upgrade.
JcMagpie Posted August 23, 2018

> 6 hours ago, piciui said: But I think htaccess works only for the standard site and not for the mobile version, right?

It will work for anything on your server, mobile or not. Unfortunately it's not 100%! You need to update to the latest PHP and code to be safe. Below is a comprehensive list for SQL blocking; just back up and check before using.

# Block MySQL injections, RFI, base64, etc.
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=http:// [OR]
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(\.\.//?)+ [OR]
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ [NC,OR]
RewriteCond %{QUERY_STRING} \=PHP[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12} [NC,OR]
RewriteCond %{QUERY_STRING} (\.\./|\.\.) [OR]
RewriteCond %{QUERY_STRING} ftp\: [NC,OR]
RewriteCond %{QUERY_STRING} http\: [NC,OR]
RewriteCond %{QUERY_STRING} https\: [NC,OR]
RewriteCond %{QUERY_STRING} \=\|w\| [NC,OR]
RewriteCond %{QUERY_STRING} ^(.*)/self/(.*)$ [NC,OR]
RewriteCond %{QUERY_STRING} ^(.*)cPath=http://(.*)$ [NC,OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (<|%3C)([^s]*s)+cript.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*iframe.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (<|%3C)([^i]*i)+frame.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [NC,OR]
RewriteCond %{QUERY_STRING} base64_(en|de)code[^(]*\([^)]*\) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} ^.*(\[|\]|\(|\)|<|>).* [NC,OR]
RewriteCond %{QUERY_STRING} (NULL|OUTFILE|LOAD_FILE) [OR]
RewriteCond %{QUERY_STRING} (\./|\../|\.../)+(motd|etc|bin) [NC,OR]
RewriteCond %{QUERY_STRING} (localhost|loopback|127\.0\.0\.1) [NC,OR]
RewriteCond %{QUERY_STRING} (<|>|'|%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
RewriteCond %{QUERY_STRING} concat[^\(]*\( [NC,OR]
RewriteCond %{QUERY_STRING} union([^s]*s)+elect [NC,OR]
RewriteCond %{QUERY_STRING} union([^a]*a)+ll([^s]*s)+elect [NC,OR]
RewriteCond %{QUERY_STRING} (;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|drop|delete|update|cast|create|char|convert|alter|declare|order|script|set|md5|benchmark|encode) [NC,OR]
RewriteCond %{QUERY_STRING} (sp_executesql) [NC]
RewriteRule ^(.*)$ - [F,L]
piciui Posted August 24, 2018 (Author)

Yes, it works.

> 16 hours ago, JcMagpie said: RewriteCond %{QUERY_STRING} ^.*(\[|\]|\(|\)|<|>).* [NC,OR]

This one causes an error on FCK editor (file attached). Do you know how to fix it?
piciui Posted August 24, 2018 (Author)

I think because the source has [ ]:

src="includes/fckeditor/editor/fckeditor.html?InstanceName=products_description[6]&Toolbar=osCPRO"
JcMagpie Posted August 24, 2018

You don't need every line; if one conflicts with your code, remove it. It's always going to be a balancing act. Too many locks on your door, what happens if you lose a key! 😊
piciui Posted August 24, 2018 (Author)

Thank you @JcMagpie, it works this way:

# Block MySQL injections, RFI, base64, etc.
RewriteEngine On
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=http:// [OR]
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(\.\.//?)+ [OR]
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ [NC,OR]
RewriteCond %{QUERY_STRING} \=PHP[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12} [NC,OR]
RewriteCond %{QUERY_STRING} (\.\./|\.\.) [OR]
RewriteCond %{QUERY_STRING} ftp\: [NC,OR]
RewriteCond %{QUERY_STRING} http\: [NC,OR]
RewriteCond %{QUERY_STRING} https\: [NC,OR]
RewriteCond %{QUERY_STRING} \=\|w\| [NC,OR]
RewriteCond %{QUERY_STRING} ^(.*)/self/(.*)$ [NC,OR]
RewriteCond %{QUERY_STRING} ^(.*)cPath=http://(.*)$ [NC,OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (<|%3C)([^s]*s)+cript.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*iframe.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (<|%3C)([^i]*i)+frame.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [NC,OR]
RewriteCond %{QUERY_STRING} base64_(en|de)code[^(]*\([^)]*\) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2}) [OR]
#RewriteCond %{QUERY_STRING} ^.*(\[|\]|\(|\)|<|>).* [NC,OR]
RewriteCond %{QUERY_STRING} (NULL|OUTFILE|LOAD_FILE) [OR]
RewriteCond %{QUERY_STRING} (\./|\../|\.../)+(motd|etc|bin) [NC,OR]
RewriteCond %{QUERY_STRING} (localhost|loopback|127\.0\.0\.1) [NC,OR]
RewriteCond %{QUERY_STRING} (<|>|'|%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
RewriteCond %{QUERY_STRING} concat[^\(]*\( [NC,OR]
RewriteCond %{QUERY_STRING} union([^s]*s)+elect [NC,OR]
RewriteCond %{QUERY_STRING} union([^a]*a)+ll([^s]*s)+elect [NC,OR]
RewriteCond %{QUERY_STRING} (;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|drop|delete|update|cast|create|char|convert|alter|declare|order|script|set|md5|benchmark|encode) [NC,OR]
RewriteCond %{QUERY_STRING} (sp_executesql) [NC]
RewriteRule ^(.*)$ - [F,L]
Rwe Posted August 24, 2018

This week I started to notice this in my error logs:

[Fri Aug 24 17:27:50.185002 2018] [proxy_fcgi:error] [pid 87397:tid 139653059434240] [client xxx] Premature end of script headers: index.php
[Fri Aug 24 17:27:50.192088 2018] [proxy_fcgi:error] [pid 87397:tid 139653059434240] [client xxx] AH01070: Error parsing script headers

The above 30 times the same in a row. access.log:

xxx-c-211.html?osCsid=prvpp15vi15v0vrkm88rele6qc&view=all%5C%5C%5C%5C%5C%5C%5C%5C%5C%5C%5C%5C%5C%5C%5C%5C%5C%5C%5C%5C%5C%5C%5C%5C%5C%5C%5C%5C%5C%5C%5C%5C%5C%5C%5C%5C%5C%5C%5C%5C%5C%5C%5C%5C%5C%5C%5C%5C%5C%5C%5C%5C%5C%5C%5C%5C%5C%5C%5C%5C%5C%5C%5C%27A%3D0 HTTP/1.0" 301 1010 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; pt-PT; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2 (.NET CLR 3.5.30729)"

This is only one entry from maybe a hundred after each other, all with the "view=all" parameter in it, and they get longer with each line. I already blocked several IPs but they keep coming. What are they trying... anyone?
JcMagpie Posted August 24, 2018

Nothing good, I would imagine. Question is, what is xx-c-211.html? 😂

xxx-c-211.html?osCsid=prvpp15vi15v0vrkm88rele6qc&view=all///////////////////////////////////////////////////////////////'£208 HTTP/1.0" 301 1010 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; pt-PT; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2 (.NET CLR 3.5.30729)"
Rwe Posted August 24, 2018

Just a normal URL on my live site, nothing that you often look at 😜
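To see which of the posted RewriteCond patterns actually fire on the three requests quoted in this thread (the products_id injection attempt, the FCKeditor URL with products_description[6] that the bracket rule blocked, and Rwe's view=all request), here is an added Python example that re-implements a handful of those patterns; it is not code from the thread or from osCommerce. The rule names are my own labels, and the run of %5C in the third sample is shortened.

```python
import re

# A subset of the RewriteCond patterns posted in this thread, compiled as
# Python regexes. mod_rewrite matches a RewriteCond pattern unanchored
# (search semantics) against the raw, still URL-encoded query string, which is
# why the list carries both ' and %27; [NC] maps to re.IGNORECASE.
# Rule names are assumed labels for readability, not Apache names.
RULES = {
    "rfi_http":     (r"[a-zA-Z0-9_]=http://", 0),
    "brackets":     (r"^.*(\[|\]|\(|\)|<|>).*", re.I),   # the rule piciui had to comment out
    "concat_call":  (r"concat[^\(]*\(", re.I),
    "union_select": (r"union([^s]*s)+elect", re.I),
    "meta_chars":   (r"(<|>|'|%0A|%0D|%27|%3C|%3E|%00)", re.I),
    "meta_then_keyword": (r"(;|<|>|'|\"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*"
                          r"(/\*|union|select|insert|drop|delete|update|cast|create|char|"
                          r"convert|alter|declare|order|script|set|md5|benchmark|encode)", re.I),
    "globals":      (r"GLOBALS(=|\[|\%[0-9A-Z]{0,2})", 0),
}
COMPILED = {name: re.compile(pat, flags) for name, (pat, flags) in RULES.items()}


def matching_rules(query_string):
    """Return the names of the rules that would fire on (and so block) this raw query string."""
    return {name for name, rx in COMPILED.items() if rx.search(query_string)}


# Sample query strings taken from the log lines quoted in this thread.
ATTACK = ("cPath=500&products_id=78295'+and(%2f*%2fsElEcT+1+%2f%2ffRoM(%2f%2fsElEcT+count(),"
          "%2f*%2fcOnCaT((%2f%2fsElEcT(%2f%2fsElEcT+%2f%2fcOnCaT(0x217e21,%2f%2fvErSiOn(),0x217e21))"
          "+%2f%2ffRoM+information_schema.%2f%2ftAbLeS+%2f%2flImIt+0,1),floor(rand(0)*2))x"
          "+%2f%2ffRoM+information_schema.%2f%2ftAbLeS+%2f%2fgRoUp%2f*%2fbY+x)a)+and+'1'='1")
FCKEDITOR = "InstanceName=products_description[6]&Toolbar=osCPRO"
# Rwe's request with the run of %5C (encoded backslash) shortened; the real one was far longer.
VIEW_ALL = "osCsid=prvpp15vi15v0vrkm88rele6qc&view=all" + "%5C" * 8 + "%27A%3D0"

if __name__ == "__main__":
    for label, qs in (("attack", ATTACK), ("fckeditor", FCKEDITOR), ("view=all", VIEW_ALL)):
        print(f"{label:10s} -> {sorted(matching_rules(qs)) or 'passes'}")
```

Only the bracket rule fires on the FCKeditor URL, which matches the thread's finding that commenting it out was enough; the injection attempt still trips three other rules without it.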
joycehess Posted June 10, 2019

Yes, I think it is SQL injection. In order to prevent this, just go through this: https://www.indusface.com/blog/how-to-stop-sql-injection/