WebmasterWorld: PHP Server Side Scripting Forum

$_GET Hacking techniques
What are they trying to do?
d40sithui (5+ Year Member), Msg#: 3587156 posted 3:33 pm on Feb 28, 2008 (gmt 0)

Hey everyone. I run a small website using a CMS. This CMS has a feature that alerts me (via email) when someone enters bogus data in the $_GET. Last month I got about 600 alerts from one user within 5 minutes. Today, I got 60 alerts from a user also within that time frame. Thankfully, they both gave up. I'm going to list some of the things they had in the $_GET array on each attempt. I really don't know what the goal is, so if anyone has an idea, please let me know. Maybe this information will be useful in trying to combat this type of attack. Each line represents one attack. The name of the $_GET key is after the star (*).

GET * name : \' or 1=1
GET * name : \" or 1=1--
GET * name : \' or \'a\'=\'a
GET * name : \" or \"a\"=\"a
GET * startrow : \' or 1=1
GET * startrow : \" or 1=1--
GET * name : \') or (\'a\'=\'a
GET * startrow : \" or \"a\"=\"a
GET * startrow : \') or (\'a\'=\'a
GET * req : \' or 1=1
GET * req : \" or 1=1--
GET * lid : \" or 1=1--
GET * lid : \') or (\'a\'=\'a
GET * sid : \' or 1=1
GET * sid : \" or 1=1--
GET * topic : \" or 1=1--
GET * op : \" or 1=1--
GET * topic : \" or \"a\"=\"a
GET * module : \') or (\'a\'=\'a

You know, after looking at these after I pasted them here, they look awfully like SQL injection attempts. What do you guys think?

whoisgregg (WebmasterWorld Senior Member, Top Contributor of All Time, 10+ Year Member), Msg#: 3587156 posted 4:58 pm on Feb 28, 2008 (gmt 0)

That many attempts in that short a time means an automated attack. So they have a script with all these different variations, then record the result of each test.

> sql injection attempts

Definitely. Worth re-reading every so often, the php manual section on sql injection attacks [us2.php.net].

Any other attack attempts? They try to sneak in any <script> elements?

d40sithui (5+ Year Member), Msg#: 3587156 posted 5:58 pm on Feb 28, 2008 (gmt 0)

Oh yeah. This is from one attempt as recorded. These were a few weeks back.

GET * module : </title><ScRiPt
>alert(40546,9847403009);</ScRiPt>
GET * func : search
GET * tplview : default
GET * viewtype : day
GET * Date : 20080205000000
GET * pc_username : 111-222-1933email@address.com
GET * pc_category : 111-222-1933email@address.com
GET * pc_topic : 111-222-1933email@address.com
GET * print : 1
------------------------------------------------
And here's another.
GET * name : <DIV
STYLE=\"width:expression(alert(40497,9839767708));\">
GET * action : search
GET * active_stories : 1
GET * stories_author :
111-222-1933email@address.com
GET * stories_cat%5B%5D :
111-222-1933email@address.com
GET * stories_topics%5B%5D :
111-222-1933email@address.com
GET * bool : AND
GET * q : 111-222-1933email@address.com
GET * startnum : 11
GET * total : 80
---------------------
they even tampered with the COOKIE!
COOKIE * POSTNUKESID : </textarea><ScRiPt
>alert(40409,9832515856);</ScRiPt>

PHP_Chimp (WebmasterWorld Senior Member, 5+ Year Member), Msg#: 3587156 posted 7:04 pm on Feb 28, 2008 (gmt 0)

GETs and cookies... someone doesn't like you very much.

When I started coding I had always thought that the \ was the correct escape character; however, it appears that I am wrong for the generic SQL standards. The generic SQL says that quotes should be escaped by doubling them up, so ' becomes '' and " becomes "". While that is not so interesting, the reason for not using \ as the escape character is quite interesting.

This problem with all multibyte characters was reported in PostgreSQL a while ago. However, the problem has also been reported in MySQL and in theory resides in every SQL compliant database.
There are loads of links but the only one I could quickly find that I can post on the forum was -
[postgresql.org...]

Have a read of it as it is quite interesting that people may well be able to break into a database simply by using a multibyte character.

Both MySQL and PostgreSQL have been updated so that this problem is lessened. Still, this is a good reason for using prepared statements and mysql_real_escape_string (or the appropriate database specific escape_string function).
For those that are not as successful at stopping attacks, have a look at the Improved MySQL functions [us3.php.net].
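As an added illustration of the point above about prepared statements and escaping that knows the connection charset (this is example code, not the CMS's code or anything posted in the thread; the table `stories`, the columns `lid` and `name`, and the credentials are assumed placeholders):

```php
<?php
// Added example; not the CMS's code nor anything posted in this thread.
// Table `stories`, columns `lid`/`name` and the credentials are assumptions.
declare(strict_types=1);

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$db = new mysqli('localhost', 'cms_user', 'PLACEHOLDER_PASSWORD', 'cms');
// Declare the connection charset through the client library. Escaping that
// does not know the charset is what the multibyte problem above is about.
$db->set_charset('utf8mb4');

// Vulnerable 'before', kept only for contrast. With name = ' or 1=1-- the
// WHERE clause becomes always-true, and startrow is pasted into LIMIT as-is.
function findStoriesConcat(mysqli $db, string $name, string $startrow)
{
    $sql = "SELECT lid, name FROM stories WHERE name = '$name' LIMIT $startrow, 20";
    return $db->query($sql);
}

// Hardened version: validate the integer first, then let a prepared
// statement carry the values separately from the SQL text, so quotes,
// backslashes and stray multibyte lead bytes in $name are data, not syntax.
function findStories(mysqli $db, string $name, string $startrow): array
{
    if (!ctype_digit($startrow) || strlen($startrow) > 6) {
        throw new InvalidArgumentException('startrow must be a small non-negative integer');
    }
    $offset = (int) $startrow;
    $stmt = $db->prepare('SELECT lid, name FROM stories WHERE name = ? LIMIT ?, 20');
    $stmt->bind_param('si', $name, $offset);   // 's' = string, 'i' = integer
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);   // get_result() needs mysqlnd
}

// The same two parameters the thread's log shows being probed.
$rows = findStories($db, $_GET['name'] ?? '', $_GET['startrow'] ?? '0');
foreach ($rows as $row) {
    // Encode on output as well, so a stored value can never become markup.
    echo htmlspecialchars($row['name'], ENT_QUOTES, 'UTF-8'), "\n";
}
```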

jatar_k (WebmasterWorld Administrator, Top Contributor of All Time, 10+ Year Member), Msg#: 3587156 posted 10:58 pm on Feb 28, 2008 (gmt 0)

Nice list d40sithui, I haven't seen a little attack list like that in a while.

Out of interest, you can probably search most of those to find packages that use those names; some are just nicely generic.

There is a case for using long stupid names for your dbs, tables, columns etc.

d40sithui (5+ Year Member), Msg#: 3587156 posted 3:37 pm on Feb 29, 2008 (gmt 0)

lol yeah, thanks I guess.
Someone's def out to get me =(
I don't think they got anywhere, although I haven't manually checked all the entries they tried. Still working on it. Here's what I use to filter out stuff in addition to mysql_real_escape_string(). Is this enough you think?
function clean_var($var){

    // Patterns for HTML elements and mail-header strings to strip out.
    // Delimiter is |; modifiers: s (dot also matches newline), i (case-insensitive).
    $search = array('|</?\s*SCRIPT.*?>|si',
                    '|</?\s*FRAME.*?>|si',
                    '|</?\s*OBJECT.*?>|si',
                    '|</?\s*META.*?>|si',
                    '|</?\s*APPLET.*?>|si',
                    '|</?\s*LINK.*?>|si',
                    '|</?\s*IFRAME.*?>|si',
                    '|STYLE\s*=\s*"[^"]*"|si',    // double-quoted inline style attributes only
                    '|cc:|si',                   // mail-header injection strings; these also
                    '|bcc:|si',                  // match inside ordinary words such as "photo:"
                    '|to:|si',
                    '|content-type:|si',
                    '|mime-version|si',
                    '|multipart/mixed|si',
                    '|content-transfer-encoding:|si',
                    '|\.exe|si');

    // One empty string; preg_replace pads the shorter array with '' for the rest.
    $replace = array('');
    $var = preg_replace($search, $replace, $var); // remove every match
    return $var;

}
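A whitelist-plus-output-encoding approach for the same parameters, added here as an example rather than taken from the thread or the CMS; the RULES patterns are assumptions about what each field may legitimately hold, and the sample input is constructed from the logged attempts:

```php
<?php
// Added example, not the CMS's code or the clean_var() posted above. It shows
// the two layers that make a blacklist unnecessary for the XSS attempts in the
// log: validate each parameter against what it may legitimately contain, and
// HTML-encode whatever is echoed back. Parameter names come from the thread;
// the rules themselves are assumptions about this CMS.
declare(strict_types=1);

// Per-parameter whitelist. Anything that fails is rejected, not "cleaned".
// D: $ must match at the very end, not before a trailing newline.
const RULES = [
    'startrow' => '/^\d{1,6}$/D',
    'lid'      => '/^\d{1,9}$/D',
    'viewtype' => '/^(day|week|month)$/D',
    'name'     => '/^[\p{L}\p{N} .,\'-]{1,64}$/uD',
];

// Returns the value unchanged when it passes its rule, null otherwise.
function validateParam(string $key, string $value): ?string
{
    if (!array_key_exists($key, RULES)) {
        return null;                       // unknown parameter: ignore it
    }
    return preg_match(RULES[$key], $value) === 1 ? $value : null;
}

// Output encoding: even a value that passed validation is encoded when
// echoed, so </title><ScRiPt>...</ScRiPt> or a STYLE=expression(...) attribute
// can only ever render as inert text.
function toHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Constructed sample input mirroring the thread's logged attempts.
$sample = [
    'module'   => '</title><ScRiPt>alert(1);</ScRiPt>',
    'name'     => '<DIV STYLE="width:expression(alert(1));">',
    'startrow' => "' or 1=1",
    'lid'      => '42',
];
foreach ($sample as $key => $value) {
    $ok = validateParam($key, $value);
    printf("%-9s %s\n", $key, $ok === null ? 'REJECTED' : 'ok: ' . toHtml($ok));
}
```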

rudyten (5+ Year Member), Msg#: 3587156 posted 1:00 pm on Apr 6, 2008 (gmt 0)

What about something like this?

www.example.com?op=add+%5BPLM=0%5D%5BN%5D+POST+/http://www.example.com/guestbook.php?op=add+%5B0,0,0%5D

d40sithui (5+ Year Member), Msg#: 3587156 posted 6:47 pm on Apr 7, 2008 (gmt 0)

What is this supposed to do?
