$_GET Hacking techniques: What are they trying to do?
d40sithui

msg:3587158 | 3:33 pm on Feb 28, 2008 (gmt 0)

Hey everyone. I run a small website using a CMS. This CMS has a feature that alerts me (via email) when someone enters bogus data in the $_GET. Last month I got about 600 alerts from one user within 5 minutes. Today, I got 60 alerts from a user, also within that time frame. Thankfully, they both gave up.

I'm going to list some of the things they had in the $_GET array on each attempt. I really don't know what the goal is, so if anyone has an idea, please let me know. Maybe this information will be useful in trying to combat this type of attack. Each line represents one attack. The name of the $_GET key is after the star (*).

GET * name : \' or 1=1
GET * name : \" or 1=1--
GET * name : \' or \'a\'=\'a
GET * name : \" or \"a\"=\"a
GET * startrow : \' or 1=1
GET * startrow : \" or 1=1--
GET * name : \') or (\'a\'=\'a
GET * startrow : \" or \"a\"=\"a
GET * startrow : \') or (\'a\'=\'a
GET * req : \' or 1=1
GET * req : \" or 1=1--
GET * lid : \" or 1=1--
GET * lid : \') or (\'a\'=\'a
GET * sid : \' or 1=1
GET * sid : \" or 1=1--
GET * topic : \" or 1=1--
GET * op : \" or 1=1--
GET * topic : \" or \"a\"=\"a
GET * module : \') or (\'a\'=\'a

You know, after looking at these after I pasted them here, they look an awful lot like SQL injection attempts. What do you guys think?
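The probe strings from the post above, run against two constructed query shapes, as an added example (Python with sqlite3; this is not code from the thread or from the poster's CMS, and the table, its rows and the two query shapes are assumptions made for the demonstration). It shows why the scanner fires every quoting and bracketing variant: each one only "works" against the query shape it was written for, some just break the SQL, and none of them does anything against a parameterised query.

```python
import sqlite3


def make_db():
    """Constructed sample table; nothing here is data from the thread."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE stories (id INTEGER PRIMARY KEY, name TEXT)")
    con.executemany("INSERT INTO stories (id, name) VALUES (?, ?)",
                    [(1, "public"), (2, "private"), (3, "draft")])
    return con


# The values the scanner sent, as listed in the first post. The CMS log shows
# them with backslashes added by PHP's magic quotes; these are the raw values.
PROBES = [
    "' or 1=1",
    '" or 1=1--',
    "' or 'a'='a",
    '" or "a"="a',
    "') or ('a'='a",
]

# Two ways an application might build its query by concatenation (assumed
# shapes). The scanner cannot see which shape or quoting the target uses,
# so it tries every combination and records what comes back.
SHAPES = {
    "single": "SELECT id FROM stories WHERE name = '{}'",
    "paren":  "SELECT id FROM stories WHERE (name = '{}')",
}


def vulnerable_lookup(shape, name, con=None):
    """Query built by string concatenation.
    Returns the list of ids, or None when the injected text broke the SQL syntax."""
    if con is None:
        con = make_db()
    sql = SHAPES[shape].format(name)
    try:
        return [row[0] for row in con.execute(sql)]
    except sqlite3.Error:
        return None


def safe_lookup(name, con=None):
    """Parameterised query: the value is bound after parsing and can never become SQL."""
    if con is None:
        con = make_db()
    return [row[0] for row in
            con.execute("SELECT id FROM stories WHERE name = ?", (name,))]


def probe_matrix():
    """For each (shape, probe): True if the probe made the query return every row."""
    con = make_db()
    total = con.execute("SELECT count(*) FROM stories").fetchone()[0]
    matrix = {}
    for shape in SHAPES:
        for probe in PROBES:
            rows = vulnerable_lookup(shape, probe, con)
            matrix[(shape, probe)] = rows is not None and len(rows) == total
    return matrix


if __name__ == "__main__":
    for (shape, probe), dumped in probe_matrix().items():
        print(f"{shape:7} {probe!r:20} {'returns every row' if dumped else 'no'}")
    print("parameterised:", [safe_lookup(p) for p in PROBES])
```

The double-quote variants target applications that wrap values in ", which SQLite treats as identifiers rather than strings, so here they are only shown landing harmlessly inside a single-quoted literal; the `') or ('a'='a` form is the one that succeeds where the value sits inside parentheses, and `' or 'a'='a` succeeds in both shapes because it balances its own quotes.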
whoisgregg

msg:3587258 | 4:58 pm on Feb 28, 2008 (gmt 0)

That many attempts in that short a time means an automated attack. So they have a script with all these different variations and then record the result of each test.

> sql injection attempts

Definitely. Worth re-reading every so often: the PHP manual section on SQL injection attacks [us2.php.net].

Any other attack attempts? Did they try to sneak in any <script> elements?
d40sithui

msg:3587330 | 5:58 pm on Feb 28, 2008 (gmt 0)

Oh yeah. This is from one attempt as recorded. These were a few weeks back.

GET * module : </title><ScRiPt >alert(40546,9847403009);</ScRiPt>
GET * func : search
GET * tplview : default
GET * viewtype : day
GET * Date : 20080205000000
GET * pc_username : 111-222-1933email@address.com
GET * pc_category : 111-222-1933email@address.com
GET * pc_topic : 111-222-1933email@address.com
GET * print : 1

------------------------------------------------

And here's another.

GET * name : <DIV STYLE=\"width:expression(alert(40497,9839767708));\">
GET * action : search
GET * active_stories : 1
GET * stories_author : 111-222-1933email@address.com
GET * stories_cat%5B%5D : 111-222-1933email@address.com
GET * stories_topics%5B%5D : 111-222-1933email@address.com
GET * bool : AND
GET * q : 111-222-1933email@address.com
GET * startnum : 11
GET * total : 80

---------------------

They even tampered with the COOKIE!

COOKIE * POSTNUKESID : </textarea><ScRiPt >alert(40409,9832515856);</ScRiPt>
PHP_Chimp

msg:3587380 | 7:04 pm on Feb 28, 2008 (gmt 0)

GETs and cookies... someone doesn't like you very much.

When I started coding I had always thought that the \ was the correct escape character; however, it appears that I am wrong for the generic SQL standards. The generic SQL says that quotes should be escaped by doubling them up, so ' becomes '' and " becomes "".

While that is not so interesting, the reason for not using \ as the escape character is quite interesting. This problem with all multibyte characters was reported in PostgreSQL a while ago. However, the problem has also been reported in MySQL and in theory resides in every SQL-compliant database. There are loads of links, but the only one I could quickly find that I can post on the forum was [postgresql.org...]

Have a read of it, as it is quite interesting that people may well be able to break into a database simply by using a multibyte character. Both MySQL and PostgreSQL have been updated so that this problem is lessened, although this is a good reason for using prepared statements and mysql_real_escape_string (or the appropriate database-specific escape_string function).

For those that are not as successful at stopping attacks, have a look at the Improved MySQL functions [us3.php.net].
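An added illustration of the multibyte problem PHP_Chimp refers to; this is not code from the post or from the linked advisory. It uses GBK as the example connection charset (an assumption, the post names no charset) and a hand-written Python equivalent of byte-wise backslash escaping in the style of PHP's addslashes()/magic quotes. The point it shows: the escaped bytes look safe, but once the server decodes them in a multibyte charset the backslash is absorbed into a two-byte character and the attacker's quote is live again. The charset_aware_escape() helper stands in for what a charset-aware escaper or a driver's parameter binding does: decode first, escape characters second.

```python
def addslashes(data: bytes) -> bytes:
    """Byte-oriented escaping like PHP's addslashes()/magic_quotes: it backslashes
    ' " \\ and NUL without knowing which bytes start a multibyte character."""
    out = bytearray()
    for b in data:
        if b == 0:
            out += b"\\0"
        elif b in (0x27, 0x22, 0x5C):        # ' " \
            out += b"\\" + bytes([b])
        else:
            out.append(b)
    return bytes(out)


def build_query(name: bytes) -> bytes:
    """Escape, then splice into the statement (the pre-prepared-statement pattern)."""
    return b"SELECT id FROM users WHERE name = '" + addslashes(name) + b"'"


def as_server_sees(sql: bytes, charset: str) -> str:
    """The server decodes the statement in the connection charset before parsing it."""
    return sql.decode(charset)


def charset_aware_escape(name: bytes, charset: str):
    """Decode first, escape characters second. Returns None when the bytes are not
    valid in the connection charset, instead of producing something the parser
    will misread."""
    try:
        text = name.decode(charset)
    except UnicodeDecodeError:
        return None
    return text.replace("'", "''")   # SQL-standard quote doubling


# Constructed attacker input: 0xBF is a valid GBK lead byte, left dangling so
# that whatever byte the escaper inserts next becomes its trail byte.
PAYLOAD = b"\xbf' OR 1=1 -- "


if __name__ == "__main__":
    q = build_query(PAYLOAD)
    print(q)                                     # bytes look escaped: ...\xbf\\' OR ...
    print(as_server_sees(q, "latin-1"))          # single-byte charset: quote still escaped
    print(as_server_sees(q, "gbk"))              # GBK: backslash swallowed, quote is live
    print(charset_aware_escape(PAYLOAD, "gbk"))  # None: rejected as malformed input
```

The same bytes are harmless under a single-byte charset and injectable under GBK, which is why escaping has to know the connection charset (mysql_real_escape_string does; addslashes and magic quotes do not) and why binding parameters sidesteps the question entirely.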
jatar_k

msg:3587588 | 10:58 pm on Feb 28, 2008 (gmt 0)

Nice list, d40sithui. I haven't seen a little attack list like that in a while.

Out of interest, you can probably search most of those to find packages that use those names; some are just nicely generic.

There is a case for using long, stupid names for your DBs, tables, columns, etc.
d40sithui

msg:3588055 | 3:37 pm on Feb 29, 2008 (gmt 0)

lol, yeah, thanks I guess. Someone's def out to get me =(

I don't think they got anywhere, although I haven't manually checked all the entries they tried. Still working on it.

Here's what I use to filter out stuff in addition to mysql_real_escape_string(). Is this enough, you think?

function clean_var($var) {
    // Patterns for "bad objects": HTML tags and mail-header strings.
    // Modifiers: i = case-insensitive, s = dot also matches newlines.
    $search = array(
        '|</?\s*SCRIPT.*?>|si',
        '|</?\s*FRAME.*?>|si',
        '|</?\s*OBJECT.*?>|si',
        '|</?\s*META.*?>|si',
        '|</?\s*APPLET.*?>|si',
        '|</?\s*LINK.*?>|si',
        '|</?\s*IFRAME.*?>|si',
        '|STYLE\s*=\s*"[^"]*"|si',
        '|cc:|si',
        '|bcc:|si',
        '|to:|si',
        '|content-type:|si',
        '|mime-version|si',
        '|multipart/mixed|si',
        '|content-transfer-encoding:|si',
        '|\.exe|si'
    );
    // Every match is replaced with the empty string, i.e. removed.
    $var = preg_replace($search, '', $var);
    return $var;
}
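A Python port of the clean_var() pattern list above, run against the <ScRiPt> probe from d40sithui's earlier post and a few constructed variants of the same attacks, added here by the editor to check what the blacklist actually catches. It is not the poster's code: the extra probes, the survives() check and the escape_for_html() helper are additions, and html.escape() stands in for whatever output encoding the CMS template would use. The patterns themselves are unchanged apart from the regex delimiters.

```python
import html
import re

# Port of the posted pattern list (PHP preg_replace with the /si modifiers).
_PATTERNS = [re.compile(p, re.IGNORECASE | re.DOTALL) for p in (
    r"</?\s*SCRIPT.*?>", r"</?\s*FRAME.*?>", r"</?\s*OBJECT.*?>", r"</?\s*META.*?>",
    r"</?\s*APPLET.*?>", r"</?\s*LINK.*?>", r"</?\s*IFRAME.*?>",
    r'STYLE\s*=\s*"[^"]*"',
    r"cc:", r"bcc:", r"to:", r"content-type:", r"mime-version",
    r"multipart/mixed", r"content-transfer-encoding:", r"\.exe",
)]


def clean_var(var: str) -> str:
    """Blacklist filter: delete anything matching a known-bad pattern, one pass each."""
    for pat in _PATTERNS:
        var = pat.sub("", var)
    return var


def escape_for_html(var: str) -> str:
    """Output encoding: render untrusted text as text, whatever it contains."""
    return html.escape(var, quote=True)


# Constructed probes. "thread" is the value from the earlier post; the others are
# variants the pattern list does not cover: a single-quoted STYLE attribute (the
# pattern only matches double quotes), a tag that reassembles itself after one
# deletion pass, and an event handler on a tag that is not on the list.
PROBES = {
    "thread":        "</title><ScRiPt >alert(40546,9847403009);</ScRiPt>",
    "single-quoted": "<DIV STYLE='width:expression(alert(1));'>",
    "nested":        "<scr<SCRIPT>ipt>alert(1)</scr</SCRIPT>ipt>",
    "event-handler": "<img src=x onerror=alert(1)>",
}


def survives(name: str) -> bool:
    """True if the probe still contains an executable construct after clean_var()."""
    out = clean_var(PROBES[name]).lower()
    return "<script" in out or "expression(" in out or "onerror=" in out


if __name__ == "__main__":
    for name, probe in PROBES.items():
        print(f"{name:14} blacklist -> {clean_var(probe)!r}")
        print(f"{'':14} escaped   -> {escape_for_html(probe)!r}")
```

The thread's own probe is stripped down to `</title>alert(...)`, but the three variants pass through intact or, in the nested case, come out as a clean `<script>` tag, because a deletion filter can only remove the strings it was told about. Escaping on output does not need a list: every probe becomes inert text.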
rudyten

msg:3620272 | 1:00 pm on Apr 6, 2008 (gmt 0)

What about something like this?

www.example.com?op=add+%5BPLM=0%5D%5BN%5D+POST+/http://www.example.com/guestbook.php?op=add+%5B0,0,0%5D
d40sithui

msg:3621127 | 6:47 pm on Apr 7, 2008 (gmt 0)

What is this supposed to do?