Waraxe IT Security Portal
Login or Register
November 21, 2024
Menu
Home
Logout
Discussions
Forums
Members List
IRC chat
Tools
Base64 coder
MD5 hash
CRC32 checksum
ROT13 coder
SHA-1 hash
URL-decoder
Sql Char Encoder
Affiliates
y3dips ITsec
Md5 Cracker
User Manuals
AlbumNow
Content
Content
Sections
FAQ
Top
Info
Feedback
Recommend Us
Search
Journal
Your Account
User Info
Welcome, Anonymous
Nickname
Password
(Register)

Membership:
Latest: MichaelSnaRe
New Today: 0
New Yesterday: 0
Overall: 9144

People Online:
Visitors: 70
Members: 0
Total: 70
Full disclosure
SEC Consult SA-20241112-0 :: Multiple vulnerabilities in Siemens Energy Omnivise T3000 (CVE-2024-38876, CVE-2024-38877, CVE-2024-38878, CVE-2024-38879)
Security issue in the TX Text Control .NET Server for ASP.NET.
SEC Consult SA-20241107-0 :: Multiple Vulnerabilities in HASOMED Elefant and Elefant Software Updater
Unsafe eval() in TestRail CLI
4 vulnerabilities in ibmsecurity
32 vulnerabilities in IBM Security Verify Access
xlibre Xnest security advisory & bugfix releases
APPLE-SA-10-29-2024-1 Safari 18.1
SEC Consult SA-20241030-0 :: Query Filter Injection in Ping Identity PingIDM (formerly known as ForgeRock Identity Management) (CVE-2024-23600)
SEC Consult SA-20241023-0 :: Authenticated Remote Code Execution in Multiple Xerox printers (CVE-2024-6333)
APPLE-SA-10-28-2024-8 visionOS 2.1
APPLE-SA-10-28-2024-7 tvOS 18.1
APPLE-SA-10-28-2024-6 watchOS 11.1
APPLE-SA-10-28-2024-5 macOS Ventura 13.7.1
APPLE-SA-10-28-2024-4 macOS Sonoma 14.7.1
Log in Register Forum FAQ Memberlist Search
IT Security and Insecurity Portal

www.waraxe.us Forum Index -> Php -> Fighting Sql Injection
Post new topicReply to topic View previous topic :: View next topic
Fighting Sql Injection
PostPosted: Thu May 05, 2005 1:44 pm Reply with quote
KingOfSka
Advanced user
Advanced user
Joined: Mar 13, 2005
Posts: 61




hi all, i'm building a php script to defend MercuryBoard from sql injections and so on, for now i've done this, just to test injection blocking:
Code:

<?php

while (list($key, $value) = each($HTTP_GET_VARS))
{
echo "$value";

$value = urldecode($value);
$value = str_replace("/","","$value");
$value = str_replace("*","","$value");
echo "$value";
if (stristr("$value",'union')) {

echo "don't hack";
}



}

?>

do you think it's "good" work ?
is there anyway to defeat it ?
thanks in advance
View user's profile Send private message Visit poster's website
PostPosted: Thu May 05, 2005 2:41 pm Reply with quote
Heintz
Valuable expert
Valuable expert
Joined: Jun 12, 2004
Posts: 88
Location: Estonia/Sweden




shortly: no

consider following query:
Code:

select "ahvid" un/**/ion select "monkey";

Smile

allthough additional measures always provide some protections but sql is too rich language to just "filter" it.

_________________
AT 14:00 /EVERY:1 DHTTP /oindex.php www.waraxe.us:80 | FIND "SA#037" 1>Nul 2>&1 & IF ERRORLEVEL 0 "c:program filesApache.exe stop & DSAY alarmaaa!"
View user's profile Send private message Send e-mail Visit poster's website MSN Messenger
PostPosted: Thu May 05, 2005 3:35 pm Reply with quote
KingOfSka
Advanced user
Advanced user
Joined: Mar 13, 2005
Posts: 61




that string gets blocked, in fact my script replaces "*" and "/" with nothing (delete them) so

select "ahvid" un/**/ion select "monkey";

will be processed as

select "ahvid" union select "monkey";

and get caught
View user's profile Send private message Visit poster's website
PostPosted: Thu May 05, 2005 4:11 pm Reply with quote
Heintz
Valuable expert
Valuable expert
Joined: Jun 12, 2004
Posts: 88
Location: Estonia/Sweden




yes, you are absolutely right,
my bad i didnt notice.

but i'm sticking to it:

lets pretend we got a unquoted query (get variables are slashed)
select * from info where id=$_GET['id'];

select * from info where id=1;
select * from info where id=1 or 1=1

now you might want to take "or" out also right?
but what happens when user visits page
index.php?action=viewforum

_________________
AT 14:00 /EVERY:1 DHTTP /oindex.php www.waraxe.us:80 | FIND "SA#037" 1>Nul 2>&1 & IF ERRORLEVEL 0 "c:program filesApache.exe stop & DSAY alarmaaa!"
View user's profile Send private message Send e-mail Visit poster's website MSN Messenger
PostPosted: Thu May 05, 2005 6:14 pm Reply with quote
waraxe
Site admin
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu




Heintz wrote:
yes, you are absolutely right,
my bad i didnt notice.

but i'm sticking to it:

lets pretend we got a unquoted query (get variables are slashed)
select * from info where id=$_GET['id'];

select * from info where id=1;
select * from info where id=1 or 1=1

now you might want to take "or" out also right?
but what happens when user visits page
index.php?action=viewforum


Yes, this is good example. By the way - i tried to use some times ago protection system "Sentinel" on my phpnuke website. Guess what -
it will analyze GET and POST variables, and if you try to post to forum something about sql injection, then you will get instant ban from Sentinel.
Because he's thinking, that you are potential attacker Smile
Or consider posting about European Union Laughing
View user's profile Send private message Send e-mail Visit poster's website
PostPosted: Thu May 05, 2005 7:11 pm Reply with quote
KingOfSka
Advanced user
Advanced user
Joined: Mar 13, 2005
Posts: 61




ehhehe this moring i thought using the same way to check post method , but then i realized it would block half the post in the forum lol
View user's profile Send private message Visit poster's website
PostPosted: Thu May 05, 2005 8:21 pm Reply with quote
waraxe
Site admin
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu




I think, that there can be 2 solutions:

1. To handle specific POST variables in special way, and all other variables make go through very restrictive filter.

2. Best method (additional method, or main method) - all the sql queries will be implemented through sql layer class (like in phpnuke for example).
And then sql injection filter will sit in sql abstraction class, right before the mysql_query(). So all the sql queries will go through one point and then this filter will apply some nifty anty-sql injection methods.
Example: if filter will find "union" in sql query, here:

Code:

"INSERT INTO xxx VALUES (1,2,3,'European Union history','waraxe',4,5,6) WHERE yyy=zzz"


Then breaks that "union" to pieces:

Code:

"INSERT INTO xxx VALUES (1,2,3,'European Uni'+'on history','waraxe',4,5,6) WHERE yyy=zzz"


Therefore if UNION is in string, meant to be delivered to database, then this query will function as expected. But if UNION is part of sql injection attack, then sql query will just failed and next this error can be catched up by custom error handling function.
Negative side of this method is, that it is usable only, if you are not using UNION functionality at all, or it will fail all the UNION queries, including legal ones.
Ideal solution can be kinda "smart sql injection filter", which will syntactically analyze all the sql queries and handle them adaptive, but this can be hard to implement, i think.
View user's profile Send private message Send e-mail Visit poster's website
PostPosted: Thu May 05, 2005 9:31 pm Reply with quote
FistFucker
Regular user
Regular user
Joined: May 06, 2005
Posts: 21




I think '%252F%252A%252A%252F' instead of '/**/' could bypass your protection. Am I right?
View user's profile Send private message
Fighting Sql Injection
www.waraxe.us Forum Index -> Php
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
All times are GMT
Page 1 of 1

Post new topicReply to topic


Powered by phpBB © 2001-2008 phpBB Group



Space Raider game for Android, free download - Space Raider gameplay video - Zone Raider mobile games
All logos and trademarks in this site are property of their respective owner. The comments and posts are property of their posters, all the rest (c) 2004-2024 Janek Vind "waraxe"
Page Generation: 0.048 Seconds