
Forum Moderators: coopster & jatar k


$ GET Hacking techniques

What are they trying to do?

3:33 pm on Feb 28, 2008 (gmt 0)

Preferred Member

10+ Year Member

joined:Jan 16, 2007
votes: 0

Hey everyone. I run a small website using a CMS. This CMS has a feature that alerts me (via email) when someone enters bogus data in the $_GET. Last month I got about 600 alerts from one user within 5 minutes. Today, I got 60 alerts from a user also within that time frame. Thankfully, they both gave up. I'm going to list some of the things they had in the $_GET array on each attempt. I really don't know what the goal is, so if anyone has an idea, please let me know. Maybe this information will be useful in trying to combat this type of attack. Each line represents one attack. The name of the $_GET key is after the star(*).

GET * name : \' or 1=1
GET * name : \" or 1=1--
GET * name : \' or \'a\'=\'a
GET * name : \" or \"a\"=\"a
GET * startrow : \' or 1=1
GET * startrow : \" or 1=1--
GET * name : \') or (\'a\'=\'a
GET * startrow : \" or \"a\"=\"a
GET * startrow : \') or (\'a\'=\'a
GET * req : \' or 1=1
GET * req : \" or 1=1--
GET * lid : \" or 1=1--
GET * lid : \') or (\'a\'=\'a
GET * sid : \' or 1=1
GET * sid : \" or 1=1--
GET * topic : \" or 1=1--
GET * op : \" or 1=1--
GET * topic : \" or \"a\"=\"a
GET * module : \') or (\'a\'=\'a

You know, after looking at these after I pasted them here, they look awfully like SQL injection attempts. What do you guys think?

4:58 pm on Feb 28, 2008 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member whoisgregg is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:Dec 9, 2003
votes: 0

That many attempts in that short a time means an automated attack. So they have a script with all these different variations, then record the result of each test.

> sql injection attempts

Definitely. Worth re-reading every so often, the php manual section on sql injection attacks [us2.php.net].

Any other attack attempts? They try to sneak in any <script> elements?

5:58 pm on Feb 28, 2008 (gmt 0)

Preferred Member

10+ Year Member

joined:Jan 16, 2007
votes: 0

Oh yeah. This is from one attempt as recorded. These were a few weeks back.

GET * module : </title><ScRiPt
GET * func : search
GET * tplview : default
GET * viewtype : day
GET * Date : 20080205000000
GET * pc_username : 111-222-1933email@address.com
GET * pc_category : 111-222-1933email@address.com
GET * pc_topic : 111-222-1933email@address.com
GET * print : 1
And here's another.
GET * name : <DIV
GET * action : search
GET * active_stories : 1
GET * stories_author :
GET * stories_cat%5B%5D :
GET * stories_topics%5B%5D :
GET * bool : AND
GET * q : 111-222-1933email@address.com
GET * startnum : 11
GET * total : 80
They even tampered with the COOKIE!
COOKIE * POSTNUKESID : </textarea><ScRiPt

7:04 pm on Feb 28, 2008 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:July 12, 2007
votes: 0

GETs and cookies... someone doesn't like you very much.

When I started coding I had always thought that the \ was the correct escape character, however it appears that I am wrong for the generic SQL standards. The generic SQL says that quotes should be escaped by doubling them up, so ' becomes '' and " becomes "". While that is not so interesting, the reason for not using \ as the escape character is quite interesting.

This problem with all multibyte characters was reported in PostgreSQL a while ago. However, the problem has also been reported in MySQL and in theory resides in every SQL-compliant database.
There are loads of links but the only one I could quickly find that I can post on the forum was -

Have a read of it as it is quite interesting that people may well be able to break into a database simply by using a multibyte character.

Both MySQL and PostgreSQL have been updated so that this problem is lessened. Although this is a good reason for using prepared statements and mysql_real_escape_string (or the appropriate database-specific escape_string function).
For those that are not as successful at stopping attacks have a look at the Improved mysql functions [us3.php.net].
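
Added example, not part of the original post: the prepared-statement approach mentioned above, run against the `name` values from the alerts in the first post, next to a query built by string concatenation. It uses PDO with an in-memory SQLite database so it runs offline; the `modules` table, its rows and the function names are made up for illustration, and the backslashes shown in the alerts are left out on the assumption that they were added before logging.

```php
<?php
// Added example: table, rows and function names are constructed for illustration.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE modules (name TEXT, body TEXT)');
$pdo->exec("INSERT INTO modules VALUES ('News', 'public'), ('Admin', 'private')");

// Values taken from the alerts in the thread, without the logged backslashes
// (assumption: the backslashes were escaping applied before the alert was sent).
$probes = array(
    "' or 1=1",
    '" or 1=1--',
    "' or 'a'='a",
    "') or ('a'='a",
);

// Unsafe: the value becomes part of the SQL text, so a quote can end the literal.
function lookup_concat(PDO $pdo, $name) {
    $sql = "SELECT name FROM modules WHERE name = '" . $name . "'";
    try {
        return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
    } catch (PDOException $e) {
        return 'SQL error'; // the input changed the statement's syntax
    }
}

// Safe: the statement is parsed first, the value is bound afterwards as data.
function lookup_prepared(PDO $pdo, $name) {
    $stmt = $pdo->prepare('SELECT name FROM modules WHERE name = ?');
    $stmt->execute(array($name));
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// One legitimate value followed by the logged ones.
foreach (array_merge(array('News'), $probes) as $value) {
    printf("%-16s concat=%s prepared=%s\n", $value,
        json_encode(lookup_concat($pdo, $value)),
        json_encode(lookup_prepared($pdo, $value)));
}
```

With the bound parameter every logged value is compared as a literal string and matches no row; only the concatenated form lets a quote change the query.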

10:58 pm on Feb 28, 2008 (gmt 0)


WebmasterWorld Administrator jatar_k is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:July 24, 2001
votes: 0

nice list d40sithui, I haven't seen a little attack list like that in a while

out of interest you can probably search most of those to find packages that use those names, some are just nicely generic

there is a case for using long stupid names for your dbs, tables, columns etc

3:37 pm on Feb 29, 2008 (gmt 0)

Preferred Member

10+ Year Member

joined:Jan 16, 2007
votes: 0

lol yeah thanks i guess.
someone's def out to get me =(
I don't think they got anywhere although I haven't manually checked all the entries they tried. Still working on it. Here's what I use to filter out stuff in addition to mysql_real_escape_string(). Is this enough you think?
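function clean_var($var){
    // bad objects (the rest of the pattern list is cut off in the post)
    // "i" = case-insensitive, "s" = "." also matches newlines
    $search = array('|</?\s*SCRIPT.*?>|si');
    $replace = array(''); // replace with empty string
    $var = preg_replace($search, $replace, $var); // removing bad objects
    return $var;
}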
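
Added example, not part of the original post: the one pattern visible in clean_var() (written with `|` as the delimiter) applied to the tag fragments logged earlier in the thread, next to two checks that do not depend on recognising bad input. The allow-list rule in `valid_token()` and the function names `html_out()` and `valid_token()` are assumptions made for illustration.

```php
<?php
// Added example. clean_var() repeats the single pattern visible in the post.
function clean_var($var) {
    return preg_replace('|</?\s*SCRIPT.*?>|si', '', $var);
}

// Allow-list validation for values that should be simple identifiers.
// Assumed rule (not from the thread): 1-32 letters, digits or underscores.
function valid_token($var) {
    return preg_match('/\A[A-Za-z0-9_]{1,32}\z/', $var) === 1;
}

// Encode for the HTML context at output time instead of deleting "bad" input.
function html_out($var) {
    return htmlspecialchars($var, ENT_QUOTES, 'UTF-8');
}

// Values copied from the alerts quoted earlier in the thread,
// plus one ordinary value for comparison.
$logged = array(
    'func'        => 'search',
    'module'      => '</title><ScRiPt',
    'name'        => '<DIV',
    'POSTNUKESID' => '</textarea><ScRiPt',
);

foreach ($logged as $key => $value) {
    printf("%-12s filter_changed=%-3s allow_list=%-6s encoded=%s\n",
        $key,
        clean_var($value) === $value ? 'no' : 'yes',
        valid_token($value) ? 'accept' : 'reject',
        html_out($value));
}
```

The logged fragments have no closing `>` after the tag name, so the pattern never matches and the filter returns them unchanged, while the allow-list rejects them and the encoder turns each `<` and `>` into an entity.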


1:00 pm on Apr 6, 2008 (gmt 0)

New User

10+ Year Member

joined:Mar 20, 2008
posts: 21
votes: 0

What about something like this?


6:47 pm on Apr 7, 2008 (gmt 0)

Preferred Member

10+ Year Member

joined:Jan 16, 2007
votes: 0

What is this supposed to do?