mysql Ver 14.12 Distrib 5.0.95, for redhat-linux-gnu (x86_64) using readline 5.1

I spotted something strange and immediately installed a routine to automatically impose an iptables block when the key used for database access is excessively long.

My URL was something like this

...../...../.....php?key=123456

The injection was something like this

...../...../.....php?key=876711111111111111111111111111' UNION SELECT 13,CONCAT([X],count(*),[X],13,13,13,13,13,13 FROM information_schema.TABLES WHERE `TABLE_NAME` LIKE "%wp_users%" -- /* order by 'as

There are no user permissions on information_schema.

There seems to be 2 versions of the coding floating around on Austrian and Russian IPs. One is ineffective but the other works. It seems the author is expert in the intricate structure and design of SQL.

-- 
Regards,

Paul.
England, EU. England's place is in the European Union.
On 24.03.2016 at 04:21, Always Learning <centos at u64.u22.net> wrote:
> mysql Ver 14.12 Distrib 5.0.95, for redhat-linux-gnu (x86_64) using
> readline 5.1

Current version on C5 is mysql55, 5.0 does not get any updates anymore!

-- 
LF
On 03/23/2016 08:21 PM, Always Learning wrote:
> mysql Ver 14.12 Distrib 5.0.95, for redhat-linux-gnu (x86_64) using
> readline 5.1
>
>
> I spotted something strange and immediately installed a routine to
> automatically impose an iptables block when the key used for database
> access is excessively long.
>
> My URL was something like this
>
> ...../...../.....php?key=123456
>
> The injection was something like this
>
> ...../...../.....php?key=876711111111111111111111111111' UNION SELECT
> 13,CONCAT([X],count(*),[X],13,13,13,13,13,13 FROM
> information_schema.TABLES WHERE `TABLE_NAME` LIKE "%wp_users%" -- /*
> order by 'as
>
> There are no user permission on information_schema.
>
> There seems to be 2 versions of the coding floating around on Austrian
> and Russian IPs. One is ineffective but the other works. It seems the
> author is expert in the intricate structure and design of SQL.
>

Always use parameterized statements (aka prepared statements) for SQL that involves untrusted input.

I like to use them even for input that involves trusted input because it is easy to make a change in my code and not think about how it impacts the parameters.

-=-

This is an attack on WordPress ??? Or just trying to get WordPress database from a different app?

Be careful with WordPress - its database handler doesn't actually use parameterized statements, it emulates them with printf - one (of many) reasons I do not like the product.

If it is not an attack on WordPress directly - your WordPress database should be using a different uname/pass from anything else, so actual queries for data should fail.
Александр Кириллов
2016-Mar-24 11:27 UTC
[CentOS] C5 MySQL injection attack ("Union Select")
This is obviously an application level problem. What is this php file? You should upgrade WordPress and remove or block access to the plugin or custom page which allows SQL injections.
Александр Кириллов
2016-Mar-24 11:53 UTC
[CentOS] C5 MySQL injection attack ("Union Select")
> Be careful with WordPress - its database handler doesn't actually use
> parameterized statements, it emulates them with printf - one (of many)
> reasons I do not like the product.

This is a rather controversial statement. There's nothing wrong with using sprintf when building sql queries. Besides, "Using a prepared statement is not always the most efficient way of executing a statement. A prepared statement executed only once causes more client-server round-trips than a non-prepared statement."
On Thu, 2016-03-24 at 04:08 -0700, Alice Wonder wrote:
> Always use parameterized statements (aka prepared statements) for SQL
> that involves untrusted input.
>
> I like to use them even for input that involves trusted input because it
> is easy to make a change in my code and not think about how it impacts
> the parameters.
>
> -=-
>
> This is an attack on WordPress ??? Or just trying to get WordPress
> database from a different app?
>
> Be careful with WordPress - its database handler doesn't actually use
> parameterized statements, it emulates them with printf - one (of many)
> reasons I do not like the product.
>
> If it is not an attack on WordPress directly - your WordPress database
> should be using a different uname/pass from anything else, so actual
> queries for data should fail.

I write my own database applications (each has its own unique user-id and password and only essential permissions on tables) and do not use any packaged solution. Thus no WordPress or anything like it.

The hacker tried many variants like this - which baffle me.

' UNION SELECT (-x1-Q-,-x2-Q-,-x3-Q-,-x4-Q-,-x5-Q-,-x6-Q-)

' UNION SELECT 1,CONCAT(ddd,[X],file_priv,[XX],3,4,5,6,7,8 FROM mysql.user limit 0,1
(I do not have mysql.user)

' UNION SELECT 13,CONCAT([X],count(*),[X],13,13,13,13,13,13 FROM information_schema.TABLES WHERE `TABLE_NAME` LIKE "%wp_users%" -- /* order by 'as

LIKE "%user%"
LIKE "%usr%"
LIKE "%phpbb%"
LIKE "?%"
LIKE "?m%"
LIKE "%member%"
LIKE "%forum%"
LIKE "%reg%"
LIKE "%moder%"
LIKE "%ftp%"
LIKE "%jos%"
LIKE "?ces%"
LIKE "%wso%"

>> On 24.03.2016 at 09:54:11 +0100, Leon Fauster wrote:
>> Current version on C5 is mysql55, 5.0 does not get any updates anymore!

Thank you. That server is the last production server on C5. I need to shift it to C6 and Maria 10.

I am 'always learning': security is a perpetual task. Thankfully I always read the daily logs and reports (an arduous task).

Many thanks.

-- 
Paul.
England, EU.
England's place is in the European Union amid our European brothers and sisters and even our betters.
On Wed, March 23, 2016 10:21 pm, Always Learning wrote:
> mysql Ver 14.12 Distrib 5.0.95, for redhat-linux-gnu (x86_64) using
> readline 5.1
>
>
> I spotted something strange and immediately installed a routine to
> automatically impose an iptables block when the key used for database
> access is excessively long.

Indeed. There are several flaws in how mysql handles data. This is why to the best of my ability I am trying to avoid mysql, and use postgresql if whatever chunk of software I need is designed to work also with postgresql. And I recommend developers I work with/for the same (to use postgresql). These are good examples:

https://www.youtube.com/watch?v=1PoFIohBSM4

I know, this may inflame [***]SQL wars here, but I hope, this will help somewhat those who are not married to mysql (yet).

Just my $0.02

Valeri

++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++
m.roth at 5-cent.us
2016-Mar-24 14:48 UTC
[CentOS] C5 MySQL injection attack ("Union Select")
Valeri Galtsev wrote:
> On Wed, March 23, 2016 10:21 pm, Always Learning wrote:
>> mysql Ver 14.12 Distrib 5.0.95, for redhat-linux-gnu (x86_64) using
>> readline 5.1
<snip>
>
> Indeed. There are several flaws in how mysql handles data. This is why to

Ok, do you have a link or two to info about that?

> the best of my ability I am trying to avoid mysql, and use postgresql if
> whatever chunk of software I need is designed to work also with
> postgresql. And I recommend developers I work with/for the same (to use

We seem to be moving to postgresql. I find I do not like it - it's much more of a pain to work with than mysql is. Do you have any opinions about Maria d/b? Are there improvements over the flaws you're aware of with mysql?

<snip>

mark
On Thu, 2016-03-24 at 14:27 +0300, Александр Кириллов wrote:
> This is obviously an application level problem. What is this php file?
> You should upgrade wordpress and remove or block access to the plugin or
> custom page which allows sql injections.

Yes, my mistake. I should have imposed strict controls on the length of parameters passed to programmes via web pages $_GET[] such as:-

UNION SELECT CHAR(45,120,49,45,81,45),CHAR(45,120,50,45,81,45),CHAR(45,120,51,45,81,45),CHAR(45,120,52,45,81,45),CHAR(45,120,53,45,81,45),CHAR(45,120,54,45,81,45),CHAR(45,120,55,45,81,45),CHAR(45,120,56,45,81,45),CHAR(45,120,57,45,81,45),CHAR(45,120,49,48,45,81,45),CHAR(45,120,49,49,45,81,45),CHAR(45,120,49,50,45,81,45),CHAR(45,120,49,51,45,81,45),CHAR(45,120,49,52,45,81,45),CHAR(45,120,49,53,45,81,45),CHAR(45,120,49,54,45,81,45),CHAR(45,120,49,55,45,81,45),CHAR(45,120,49,56,45,81,45),CHAR(45,120,49,57,45,81,45),CHAR(45,120,50,48,45,81,45),CHAR(45,120,50,49,45,81,45),CHAR(45,120,50,50,45,81,45),CHAR(45,120,50,51,45,81,45) -- /*

and reject any incoming string containing ' or " in addition to PHP's strip_tags and (deprecated in later versions) mysql_real_escape_string($_GET['....'],$link);

I do not use WordPress or anything like it.

-- 
Regards,

Paul.
England, EU. England's place is in the European Union.
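The two fixes raised in this thread (Alice Wonder's parameterized statements and Paul's length and character controls on $_GET parameters), as an added example that is not part of the thread or anyone's posted code: an in-memory SQLite database stands in for the MySQL server, sqlite_master stands in for information_schema.TABLES, and the payload is a one-column analog of the quoted one, constructed for the demo.

```python
import re
import sqlite3

# Constructed stand-in for the MySQL database behind the thread's
# ...php?key=NNNN lookup; sqlite_master plays the role of
# information_schema.TABLES from the quoted payload.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE access_keys (id INTEGER PRIMARY KEY, key_value TEXT, owner TEXT);
        INSERT INTO access_keys VALUES (1, '123456', 'paul');
        CREATE TABLE wp_users (ID INTEGER, user_login TEXT);
    """)
    return conn

# Constructed analog of the thread's payload, trimmed to one column so the
# UNION lines up with the vulnerable query below. UNION requires matching
# column counts, which is why one of the two circulating versions the
# thread mentions can be "ineffective" while the other works.
PAYLOAD = ("876711111111111111111111111111' UNION SELECT count(*) "
           "FROM sqlite_master WHERE name LIKE '%wp_users%' -- ")

# Vulnerable pattern: the key is spliced into the SQL text, so a single
# quote in ?key=... ends the literal and the remainder runs as SQL.
def lookup_vulnerable(conn, key):
    sql = "SELECT owner FROM access_keys WHERE key_value = '" + key + "'"
    return [row[0] for row in conn.execute(sql)]

# Hardened pattern (the parameterized-statement advice): the key is bound
# as a parameter, so the whole payload is compared as one string literal,
# matches no row, and the UNION text never reaches the SQL parser.
def lookup_parameterized(conn, key):
    sql = "SELECT owner FROM access_keys WHERE key_value = ?"
    return [row[0] for row in conn.execute(sql, (key,))]

# Input control (the length/character check proposed in the thread): keys
# are short decimal strings, so anything else is rejected before a query
# is built. The 12-digit limit is an assumption for this example.
KEY_RE = re.compile(r"^[0-9]{1,12}$")

def key_is_well_formed(key):
    return bool(KEY_RE.match(key))

if __name__ == "__main__":
    db = build_db()
    print(lookup_vulnerable(db, PAYLOAD))      # [1]: table count leaks out
    print(lookup_parameterized(db, PAYLOAD))   # []: nothing leaks
    print(key_is_well_formed(PAYLOAD))         # False: rejected up front
```

Rejecting a malformed key before any query is built also gives the web tier a clean event to log or feed to the iptables block described earlier in the thread.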
On 03/24/2016 03:54 AM, Leon Fauster wrote:
> On 24.03.2016 at 04:21, Always Learning <centos at u64.u22.net> wrote:
>> mysql Ver 14.12 Distrib 5.0.95, for redhat-linux-gnu (x86_64) using
>> readline 5.1
>
>
> Current version on C5 is mysql55, 5.0 does not get any updates anymore!
>

Let me reiterate this: the mysql-5.0.95* packages are not supported. A very long time ago, Red Hat upgraded mysql for el5 to an SCL. The current supported version is:

mysql55-mysql-5.5.45-1.el5*

I guarantee that the 5.0.95 packages have security issues.

Here is how to move to the newer mysql55 packages:

http://red.ht/1pAcb7q

I can't stress enough, mysql-5.0 on el5 is absolutely not updated security wise. The last update to it happened on 22-Jan-2013 and was in CentOS-5.9 .. we are now in 5.11 and there have been upgrades to mysql55 since then to fix security issues.

Here is more info on this MySQL 5.0 to 5.5 upgrade, that was required starting in CentOS 5.10.

http://red.ht/1o8VkHN
http://red.ht/1UK30hR
http://red.ht/1q48NT5

Thanks,
Johnny Hughes
Александр Кириллов
2016-Mar-24 19:59 UTC
[CentOS] C5 MySQL injection attack ("Union Select")
> Indeed. There are several flaws in how mysql handles data. This is why to
> the best of my ability I am trying to avoid mysql, and use postgresql if
> whatever chunk of software I need is designed to work also with
> postgresql. And I recommend developers I work with/for the same (to use
> postgresql). These are good examples:
>
> https://www.youtube.com/watch?v=1PoFIohBSM4

http://dev.mysql.com/doc/refman/5.1/en/sql-mode.html#sql-mode-strict