IT Security and Insecurity Portal
Fighting Sql Injection
Posted: Thu May 05, 2005 1:44 pm
KingOfSka
Advanced user
Joined: Mar 13, 2005
Posts: 61
Hi all, I'm building a PHP script to defend MercuryBoard from SQL injections and so on. For now I've done this, just to test injection blocking:
Code:
<?php
// Walk every GET parameter ($HTTP_GET_VARS and each() are gone from modern PHP;
// $_GET with foreach does the same job)
foreach ($_GET as $key => $value) {
    echo $value;
    // Decode once more, then delete the comment delimiters so "un/**/ion" becomes "union"
    $value = urldecode($value);
    $value = str_replace("/", "", $value);
    $value = str_replace("*", "", $value);
    echo $value;
    // Case-insensitive keyword check
    if (stristr($value, 'union') !== false) {
        echo "don't hack";
    }
}
?>
Do you think it's "good" work?
Is there any way to defeat it?
Thanks in advance
Posted: Thu May 05, 2005 2:41 pm
Heintz
Valuable expert
Joined: Jun 12, 2004
Posts: 88
Location: Estonia/Sweden
Shortly: no.
Consider the following query:
Code:
select "ahvid" un/**/ion select "monkey";
Although additional measures always provide some protection, SQL is too rich a language to just "filter" it.
_________________ AT 14:00 /EVERY:1 DHTTP /oindex.php www.waraxe.us:80 | FIND "SA#037" 1>Nul 2>&1 & IF ERRORLEVEL 0 "c:program filesApache.exe stop & DSAY alarmaaa!"
Posted: Thu May 05, 2005 3:35 pm
KingOfSka
Advanced user
Joined: Mar 13, 2005
Posts: 61
That string gets blocked; in fact my script replaces "*" and "/" with nothing (deletes them), so
select "ahvid" un/**/ion select "monkey";
will be processed as
select "ahvid" union select "monkey";
and get caught
Posted: Thu May 05, 2005 4:11 pm
Heintz
Valuable expert
Joined: Jun 12, 2004
Posts: 88
Location: Estonia/Sweden
Yes, you are absolutely right,
my bad, I didn't notice.
But I'm sticking to it:
let's pretend we got an unquoted query (GET variables are slashed):
select * from info where id=$_GET['id'];
select * from info where id=1;
select * from info where id=1 or 1=1
Now you might want to take "or" out also, right?
But what happens when a user visits the page
index.php?action=viewforum
Posted: Thu May 05, 2005 6:14 pm
waraxe
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu
Heintz wrote:
    Yes, you are absolutely right,
    my bad, I didn't notice.
    But I'm sticking to it:
    let's pretend we got an unquoted query (GET variables are slashed):
    select * from info where id=$_GET['id'];
    select * from info where id=1;
    select * from info where id=1 or 1=1
    Now you might want to take "or" out also, right?
    But what happens when a user visits the page
    index.php?action=viewforum
Yes, this is a good example. By the way, some time ago I tried to use the protection system "Sentinel" on my phpnuke website. Guess what:
it analyzes GET and POST variables, and if you try to post to the forum something about SQL injection, you get an instant ban from Sentinel,
because it thinks that you are a potential attacker.
Or consider posting about the European Union
Posted: Thu May 05, 2005 7:11 pm
KingOfSka
Advanced user
Joined: Mar 13, 2005
Posts: 61
Hehe, this morning I thought of using the same way to check the POST method, but then I realized it would block half the posts in the forum, lol
Posted: Thu May 05, 2005 8:21 pm
waraxe
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu
I think that there can be 2 solutions:
1. Handle specific POST variables in a special way, and make all other variables go through a very restrictive filter.
2. Best method (additional method, or main method): all the SQL queries are implemented through an SQL layer class (like in phpnuke, for example).
Then the SQL injection filter will sit in the SQL abstraction class, right before mysql_query(). So all the SQL queries go through one point, and this filter applies some nifty anti-SQL-injection methods.
Example: if the filter finds "union" in an SQL query, here:
Code:
"INSERT INTO xxx VALUES (1,2,3,'European Union history','waraxe',4,5,6) WHERE yyy=zzz"
then it breaks that "union" to pieces:
Code:
"INSERT INTO xxx VALUES (1,2,3,'European Uni'+'on history','waraxe',4,5,6) WHERE yyy=zzz"
Therefore if UNION is in a string meant to be delivered to the database, this query will function as expected. But if UNION is part of an SQL injection attack, the SQL query will just fail, and next this error can be caught by a custom error handling function.
The negative side of this method is that it is usable only if you are not using UNION functionality at all, or it will fail all the UNION queries, including legal ones.
The ideal solution could be a kind of "smart SQL injection filter", which would syntactically analyze all the SQL queries and handle them adaptively, but this can be hard to implement, I think.
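As an added example (not code from the thread, MercuryBoard or phpnuke), here is a Python sketch of the choke-point idea in waraxe's post: one check in the SQL layer that ignores UNION inside string literals (so the 'European Union history' insert passes) but flags it anywhere else, and deletes /**/ comments before matching, as KingOfSka's filter does. The quoting rules and the sample queries are constructed assumptions (MySQL-style quotes); like the method in the post, it still rejects every legitimate UNION and sees nothing in "id=1 or 1=1".

```python
import re

# Whole-word UNION match, applied only after literals and comments are gone
UNION = re.compile(r"\bunion\b", re.IGNORECASE)

def strip_literals_and_comments(sql):
    """Replace each quoted string literal with '?' and delete each /* ... */ comment
    outside a literal. Backslash escapes and doubled quotes inside a literal are
    honoured so quote characters in data do not end it (assumes MySQL-style quoting)."""
    out, i, n = [], 0, len(sql)
    while i < n:
        c = sql[i]
        if c in ("'", '"'):
            i += 1
            while i < n:
                if sql[i] == "\\":                                   # \' escape: skip both
                    i += 2
                elif sql[i] == c and i + 1 < n and sql[i + 1] == c:  # '' is an escaped quote
                    i += 2
                elif sql[i] == c:                                    # closing quote
                    i += 1
                    break
                else:
                    i += 1
            out.append("?")
        elif sql.startswith("/*", i):
            end = sql.find("*/", i + 2)
            i = n if end == -1 else end + 2  # comment deleted outright: un/**/ion rejoins to union
        else:
            out.append(c)
            i += 1
    return "".join(out)

def naive_union_filter(sql):
    """The thread's first idea: plain substring search (stristr) over the whole query."""
    return "union" in sql.lower()

def sql_layer_union_filter(sql):
    """Choke-point check for the SQL layer: UNION counts only outside string literals."""
    return UNION.search(strip_literals_and_comments(sql)) is not None

# Constructed sample queries taken from the thread's discussion
SAMPLES = {
    "forum_post": "INSERT INTO xxx VALUES (1,2,3,'European Union history','waraxe',4,5,6)",
    "injected": "select * from info where id=1 union select 1,2",
    "comment_split": 'select "ahvid" un/**/ion select "monkey";',
    "boolean": "select * from info where id=1 or 1=1",  # no UNION at all: neither filter fires
}
```

Running both filters over SAMPLES shows the naive one blocking the forum post and missing the comment-split query, while the literal-aware one does the reverse on those two and still catches the plain injected UNION.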
Posted: Thu May 05, 2005 9:31 pm
FistFucker
Regular user
Joined: May 06, 2005
Posts: 21
I think '%252F%252A%252A%252F' instead of '/**/' could bypass your protection. Am I right?
Powered by phpBB © 2001-2008 phpBB Group