
SQL Injections & Security in PHP

#1 Four0Four (Newbie Coder), 09-15-04, 07:58 PM

Hello, I have recently been notified about SQL Injections. What are they? How can I avoid them? Examples of scripts that can be exploited? And if anyone knows any links to some PHP security sites, please post them. Thanks.
#2 Eclipse (Coding Addict, Long Island, New York), 09-15-04, 08:32 PM
While I can't inform you about SQL injections, I can help you prevent PHP injections, which can be much more harmful to security, i.e.:
PHP Code:
if(isset($_GET["page"])){
    $page = $_GET["page"];
    $full = $page . '.php';   // the request parameter becomes part of the include path
    include($full);
}else{
    include('index.php');
}
That code will make a URL like yourdomain.com/index.php?page=yourpage; then it will try to include yourpage.php. If it doesn't exist you just get a 404, but using a php interjection you can modify the URL to show your passwords from your server. By changing ?page=yourpage to ?page=.../etc/passwd it would normally look for .../etc/passwd.php and would not find it, causing a 404, but if you follow that with a php NULL character that signifies the end of the string {I will not write the NULL character for security reasons} it will display your password folder, which would normally be inaccessible via HTTP. You can fix this by using
PHP Code:
if(isset($_GET["page"])){
    $page = $_GET["page"];
    switch($page){   // only the names listed here can ever be included
        case 'main':
            include('main.php');
            break;
        case 'news':
            include('newspage.php');
            break;
        default:
            include('index.php');
            break;
    }
}
Hope that helped...
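The same idea as the switch above, written as an added example (not Eclipse's code) that keeps a fixed name-to-file table and refuses any value that is not a plain page name, so "../" and NUL bytes never reach include(). The page and file names are taken from the post; the files are assumed to sit next to this script, and the code assumes PHP 7.1 or later.

```php
<?php
// Added example (not Eclipse's code): choose the file to include from a fixed
// table keyed by page name, so a request can only select one of the files
// listed here. The page and file names are the ones from the post above;
// the files are assumed to sit next to this script.
function resolve_page($requested): ?string
{
    $allowed = [
        'main' => 'main.php',
        'news' => 'newspage.php',
    ];
    // A page name is a short lowercase token. Arrays, "../", absolute paths
    // and NUL bytes all fail this test and never reach include().
    if (!is_string($requested) || !preg_match('/^[a-z0-9_-]{1,32}\z/', $requested)) {
        return null;
    }
    return $allowed[$requested] ?? null;
}

$file = 'index.php';
if (isset($_GET['page'])) {
    $resolved = resolve_page($_GET['page']);
    if ($resolved === null) {
        // Unknown or malformed value: record it hex-encoded so control bytes
        // such as \0 are visible in the log, then serve the default page.
        $raw = is_string($_GET['page']) ? $_GET['page'] : 'non-string';
        error_log('refused page parameter: ' . bin2hex($raw));
    } else {
        $file = $resolved;
    }
}
include __DIR__ . '/' . $file;
```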
#3 mikaelf (Wannabe Coder), 09-15-04, 10:43 PM
hi eclipse,
what you wrote is not actually sql injection. it's just a hacking method using the query string.
this is how your code works:
Code:
//Your browser
http://www.blahblah.com/index.php?page=main
//Your /usr/local/apache/logs/access_log
xxx.xxx.xxx.77 - - [15/Sep/2004:20:05:22 +0700] "GET /index.php?page=main HTTP/1.1" 200 12034 "http://www.blahblah.com/index.php" Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"

//Your browser
http://www.blahblah.com/index.php?page=../etc/password
//Your /usr/local/apache/logs/access_log
xxx.xxx.xxx.77 - - [15/Sep/2004:20:05:22 +0700] "GET /index.php?page=../etc/password HTTP/1.1" 200 12034 "http://www.blahblah.com/index.php" Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
Nothing should happen for the above code, unless there is something special with the GET parameter.

Anyway, the logs below supply you examples of hacking attempts:
Code:
[Thu Jun 24 14:19:11 2004] [error] [client xxx.xxx.xxx.77] File does not exist: /home/www/scripts/..<C1>^\../winnt/system32/cmd.exe
[Thu Jun 24 14:19:11 2004] [error] [client xxx.xxx.xxx.77] File does not exist: /home/www/scripts/..<C0><AF>../winnt/system32/cmd.exe
[Thu Jun 24 14:19:11 2004] [error] [client xxx.xxx.xxx.77] File does not exist: /home/www/scripts/..<C1><9C>../winnt/system32/cmd.exe
[Thu Jun 24 14:19:11 2004] [error] [client xxx.xxx.xxx.77] File does not exist: /home/www/scripts/..%5c../winnt/system32/cmd.exe
[Thu Jun 24 14:19:11 2004] [error] [client xxx.xxx.xxx.77] File does not exist: /home/www/scripts/..%2f../winnt/system32/cmd.exe
Unfortunately, the hacker tries to hack a Windows server while the server itself is UNIX. (nice try... get faulty?? try next time, please..)

for sql injection, here is a better example:
Code:
//test.html
<form action="process.php" method="post">
<input name="user" />
<input name="password" type="password" />
</form>
and your process.php
PHP Code:
// encode() is the author's password-hashing helper (not shown in the post)
$check = "select * from user where user='{$_POST['user']}' and password='".encode($_POST['password'])."'";
if(mysql_query($check)){
    // ... authentication ok
}
the sql injection:
input value for field user:
h4ck3r' or 1 > 0;

code flow in process.php
PHP Code:
$check = "select * from user where user='h4ck3r' or 1 > 0; and password='ga4ef2ga23'";
if(mysql_query($check)){
    // ... authentication ok
}
you can see that the hacker "injects" the sql. he manipulates the username and truncates the sql query. mysql will process the query like this:
Code:
mysql > select * from user where user='h4ck3r' or 1 >0;
and... he nicely passes the authentication process.

regarding this fact, it's important to check all user input and query string before processing your query.
__________________
Useful PHP links:
bugs.php.net - for reporting PHP bugs
pear.php.net - PHP extension and application repository
pecl.php.net - get non standard PHP modules, submit yours
www.phpclasses.org - PHP classes repository

Last edited by mikaelf; 09-15-04 at 10:49 PM.
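The login check from process.php above, rewritten as an added example (not mikaelf's code) with a PDO prepared statement so the username is bound as data and the `h4ck3r' or 1 > 0;` value can no longer close the quote or cut the query short. It assumes the pdo_sqlite extension, uses password_hash()/password_verify() in place of the post's encode() helper, and constructs its own in-memory user table.

```php
<?php
// Added example (not mikaelf's process.php): the same login check as a
// prepared statement, so the submitted username is bound as data and can
// never close the quoted string or cut the query short. Assumes the
// pdo_sqlite extension; password_hash()/password_verify() stand in for the
// post's encode() helper, and the table below is constructed for the demo.
function login(PDO $db, string $user, string $password): bool
{
    // The placeholder is sent to the driver separately from the SQL text, so
    // "h4ck3r' or 1 > 0;" is looked up literally as a username and matches
    // nothing instead of becoming part of the WHERE clause.
    $stmt = $db->prepare('SELECT password_hash FROM user WHERE user = :user');
    $stmt->execute([':user' => $user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false;   // unknown user
    }
    // Compare against the stored hash; a wrong password fails here.
    return password_verify($password, $row['password_hash']);
}

// One constructed account in an in-memory database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE user (user TEXT PRIMARY KEY, password_hash TEXT)');
$ins = $db->prepare('INSERT INTO user (user, password_hash) VALUES (:u, :h)');
$ins->execute([':u' => 'alice', ':h' => password_hash('s3cret', PASSWORD_DEFAULT)]);

// The payload from the thread is refused (no such user); the real
// credentials are accepted.
var_dump(login($db, "h4ck3r' or 1 > 0;", 'anything'));
var_dump(login($db, 'alice', 's3cret'));
```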
#4 Eclipse (Coding Addict), 09-15-04, 11:03 PM
The first thing I said was that it wasn't a SQL injection, and with the code I supplied it is correct with the NULL character \0; also magic_quotes has to be off.
#5 mikaelf, 09-15-04, 11:21 PM
eh, I missed the introductory part.
anyway, although null is set at the end of the string, it's still okay if we set proper permissions for the files and folders. (if it works as it's supposed to)
although the script (is supposed to) be truncated after null, it won't work by default. have you tried it yourself??
#6 Eclipse, 09-15-04, 11:26 PM
Yes, and I was able to exploit it in version 4.3.1 with magic_quotes off, but not when magic_quotes was on, which is part of the point of magic_quotes; it's in your php.ini.
#7 mikaelf, 09-16-04, 12:00 AM
it's not php's fault. magic_quotes works by adding a single backslash to escape special characters. (this bug is actually used in sql injection.) if the exploit works it's the code's fault, not php's. what's the permission of /etc/passwd?? it should not be viewable by other users besides root and toor. if you're talking about php "index.php?page=/etc/passwd\0", which will barely include /etc/passwd, it's the author's fault. anyway, if you talk about php "index.php?act=more%20/etc/passwd\0", which will view the content of /etc/passwd, then your script will do nothing.
#8 Eclipse, 09-16-04, 04:59 PM
I don't mean to be rude, but did you even read my post? Because I wrote index.php?page=.../etc/passwd\0, not index.php?page=/etc/passwd, and even with permissions, the script that's viewing it now has the group, so permissions don't affect it... What you said, index.php?act=more%20/etc/passwd\0, wouldn't do anything at all since there is no act variable in the script, and even if you meant page= not act=, it would just try to find "more /etc/passwd" and you would get a 404 since %20 is a space :x
#9 mikaelf, 09-17-04, 04:51 AM
eh, i'm sorry if my post harms you. i didn't mean page=whatever based on your above script. it's another case: the query string act=whatever is another case of a hacking attempt via http request to a local system function call. although i think that such an attempt is worth trying, i try to propose that php paranoia isn't something worth considering too much. the team always does its best to build php, including its security. in any case, when a "very common" bug is revealed (if it's truly a bug) and security holes are exposed, a php snapshot is published immediately for all php users.

so sorry, i'm just a php noob.
#10 Eclipse, 09-17-04, 06:18 AM
Ahh, I see what you did: you just randomly switched between what I said and some other random topic without informing anyone but yourself.