[nycphp-talk] Injection Attack, any ideas?
David Krings
ramons at gmx.net
Wed Nov 7 06:58:31 EST 2007
mikesz at qualityadvantages.com wrote:
> The question is, actually multiple related questions:
>
> First, how did that bad guy "execute" the query without hitting the
> submit button or entering the captcha code, and how did it bypass the
> check function? It seems like the query was sent directly to the
> database through the registration.php program, but I have no clue how
> that could have happened. I need to plug this hole but don't have any
> idea where to start looking for it.
The first and easiest thing I'd do is rename registration.php. I assume it took
about 3 1/2 guesses to find that out. Does the form include the action to be
registration.php? If yes, you may want to pipe everything through a dummy
file... or a not-so-dummy file. You could check the input from the text field
and see if there is
- a semicolon (separates SQL commands)
- if there are any of the common SQL key words used (SELECT, INSERT, UPDATE,
DROP, DELETE) and based on that reject the entry
- use the prepared statement or an equivalent mechanism as discussed on this list in
the past days
- write the input to text file outside of the file system accessible through
the server, maybe even encrypt it, and use some naming scheme that contains a
time string, session ID, or such
- have your renamed registration script read only from that file from the
local system and ignore anything that comes in via POST, GET (should not use
that in this case anyway), or SESSION
- before you start writing to the db, do the content checks again
The only disadvantage that I see is that one isn't allowed to be called
me';DROP TABLE 'Users'; or something like that.
> I have tried running the query like registration.php?query but that
> didn't work.
That is good.
>
> Any ideas about how I can reproduce this problem would be greatly
> appreciated, and any suggestions about how to fix it would be even more
> greatly appreciated. 8-)
>
> Thanks for your attention.
I am sure there are other, better solutions to this. I think my approach would
make it at least more difficult.
David
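An added example, not part of the original thread and not the poster's code, contrasting the two approaches David lists: the reject-list check (semicolon plus SELECT/INSERT/UPDATE/DROP/DELETE) and the prepared statement. It uses Python's sqlite3 module standing in for PHP/MySQL; the `?` placeholder works the same way in PHP's mysqli and PDO prepared statements. The table, the 'alice' row and the two input strings are constructed for the demo. One caveat worth knowing: a classic PHP mysql_query() call, like sqlite3's execute(), refuses stacked statements, so the semicolon is not what makes the input dangerous; the unescaped quote is, and a payload with no semicolon and no listed keyword walks straight past the filter.

```python
import re
import sqlite3

# The reject-list from the post: a semicolon or any of these keywords -> rejected.
SQL_KEYWORDS = ("SELECT", "INSERT", "UPDATE", "DROP", "DELETE")


def naive_filter(value: str) -> bool:
    """Return True if the input passes the post's reject-list check, False if rejected."""
    if ";" in value:
        return False
    upper = value.upper()
    return not any(re.search(r"\b" + kw + r"\b", upper) for kw in SQL_KEYWORDS)


def make_db() -> sqlite3.Connection:
    """Constructed demo database with one existing user (hypothetical schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL, email TEXT NOT NULL)"
    )
    conn.execute("INSERT INTO users (username, email) VALUES ('alice', 'alice@example.com')")
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """String concatenation: the input becomes part of the SQL grammar."""
    sql = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, username: str) -> list:
    """Prepared statement: the input is bound as a value and can never alter the query."""
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def register_safe(conn: sqlite3.Connection, username: str, email: str) -> None:
    """Parameterised INSERT: even a name like me';DROP TABLE users;-- is stored as plain text."""
    conn.execute("INSERT INTO users (username, email) VALUES (?, ?)", (username, email))
    conn.commit()


if __name__ == "__main__":
    db = make_db()
    # Constructed payload: no semicolon, no listed keyword, so the filter accepts it...
    payload = "x' OR 'a'='a"
    print("filter accepts payload:", naive_filter(payload))
    # ...yet concatenation turns WHERE into a tautology and leaks every row.
    print("vulnerable lookup:", lookup_vulnerable(db, payload))
    # The bound parameter is compared literally and matches nothing.
    print("safe lookup:", lookup_safe(db, payload))
    # The name David jokes about is perfectly safe to store once it is a bound parameter.
    register_safe(db, "me';DROP TABLE users;--", "me@example.com")
    print("users still present:", db.execute("SELECT COUNT(*) FROM users").fetchone()[0])
```

The point to take from running it: the reject-list rejects the harmless stacked-query string but accepts the quote-based payload that actually works against concatenated SQL, while the prepared statement needs no reject-list at all and lets the odd-looking username through as a literal value.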