homepage Welcome to WebmasterWorld Guest from 54.147.196.159
register, free tools, login, search, pro membership, help, library, announcements, recent posts, open posts,
Become a Pro Member
Home / Forums Index / WebmasterWorld / Webmaster General
Forum Library, Charter, Moderators: phranque

Webmaster General Forum

    
What's this in my logs.
union+all+select appends to URLs
Xandir

5+ Year Member



 
Msg#: 4616289 posted 9:00 am on Oct 12, 2013 (gmt 0)

I had a recurring hacker on my site that was modifying the .htaccess file to include pharma links for search engine bots. I've since solved that problem by ditching Joomla (although I stress to add it was probably a dodgy Joomla extension rather than Joomla itself).

However I'm still curious to find out how they did it and whether they are still trying. Looking at my raw logs the one thing that really stands out is multiple attempts to load my listings.php script with and awful lot of code added to the query string. It happens hundreds of times in the logs, starting with an innocent looking:

GET /listing.php?id=10749 HTTP/1.1

- which is a valid request, but then shortly after that turns into:

GET /listing.php?id=10749%27+and+%27x%27%3D%27y HTTP/1.1

and then several hits later it can be:

GET /listing.php?id=999999.9+%2F*%2130000union+all+select+0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C
0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C
0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C
0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536*%2F-- HTTP/1.1


What I'm trying to figure out is what are they trying to do? SQL injection attack? Or is this possibly related to the previous attach on .htaccess?

The knowledge of my peers would be appreciated,

Thanks,

Xandir

[edited by: phranque at 11:06 am (utc) on Oct 12, 2013]
[edit reason] fix sidescroll [/edit]

 

bhukkel



 
Msg#: 4616289 posted 10:30 am on Oct 12, 2013 (gmt 0)

If you decode the first url you get:

10749' and 'x'='y

So it looks like a SQL injection but normally a hacker would use the OR function and not the AND...

g1smd

WebmasterWorld Senior Member g1smd us a WebmasterWorld Top Contributor of All Time 10+ Year Member



 
Msg#: 4616289 posted 7:34 pm on Oct 12, 2013 (gmt 0)

You can and should add rules that simply block requests like these.

lucy24

WebmasterWorld Senior Member lucy24 us a WebmasterWorld Top Contributor of All Time Top Contributors Of The Month



 
Msg#: 4616289 posted 8:28 pm on Oct 12, 2013 (gmt 0)

I'm still curious to find out how they did it and whether they are still trying.

The format of the request doesn't matter. The absolutely VITAL question is: how did they get into your htaccess, and what did you do to ensure nobody can ever do it again? Do you trust your host?

phranque, I hope you appreciate that your browser window is at least twice as wide as mine :(

Global Options:
 top home search open messages active posts  
 

Home / Forums Index / WebmasterWorld / Webmaster General
rss feed

All trademarks and copyrights held by respective owners. Member comments are owned by the poster.
Home ¦ Free Tools ¦ Terms of Service ¦ Privacy Policy ¦ Report Problem ¦ About ¦ Library ¦ Newsletter
WebmasterWorld is a Developer Shed Community owned by Jim Boykin.
© Webmaster World 1996-2014 all rights reserved