CentOS - Mar 2016 - C5 MySQL injection attack ("Union Select")

On Thu, 2016-03-24 at 14:27 +0300, ????????? ???????? wrote:
> This is obviously an application level problem. What is this php file?
> You should upgrade wordpress and remove or block access to the plugin or 
> custom page which allows sql injections.
Yes, my mistake. I should have imposed strict controls on the length of
parameters passed to programmes via web pages $_GET[] such as:-

 UNION SELECT
CHAR(45,120,49,45,81,45),CHAR(45,120,50,45,81,45),CHAR(45,120,51,45,81,45),CHAR(45,120,52,45,81,45),CHAR(45,120,53,45,81,45),CHAR(45,120,54,45,81,45),CHAR(45,120,55,45,81,45),CHAR(45,120,56,45,81,45),CHAR(45,120,57,45,81,45),CHAR(45,120,49,48,45,81,45),CHAR(45,120,49,49,45,81,45),CHAR(45,120,49,50,45,81,45),CHAR(45,120,49,51,45,81,45),CHAR(45,120,49,52,45,81,45),CHAR(45,120,49,53,45,81,45),CHAR(45,120,49,54,45,81,45),CHAR(45,120,49,55,45,81,45),CHAR(45,120,49,56,45,81,45),CHAR(45,120,49,57,45,81,45),CHAR(45,120,50,48,45,81,45),CHAR(45,120,50,49,45,81,45),CHAR(45,120,50,50,45,81,45),CHAR(45,120,50,51,45,81,45)
--  /*

and reject any incoming string containing ' or " in addition to
PHP's
strip_tags and (deprecated in later versions)
mysql_real_escape_string($_GET['....'],$link);

I do not use Wordpress or anything like it.



-- 
Regards,

Paul.
England, EU.      England's place is in the European Union.

On 03/24/2016 07:57 AM, Always Learning wrote:
> I should have imposed strict controls on the length of
> parameters passed to programmes via web pages $_GET[] such as...
> and reject any incoming string containing ' or " in addition to
PHP's
> strip_tags and (deprecated in later versions)
> mysql_real_escape_string($_GET['....'],$link);
No.  No.  Nooooooooo.

You're missing the point that everyone is trying to communicate to you.  
Do not use string concatenation.  Do not use sprintf.  Do not use 
mysql_real_escape_string().

Use prepared statements.
http://php.net/manual/en/mysqli.quickstart.prepared-statements.php

On Thu, 2016-03-24 at 09:18 -0700, Gordon Messmer wrote:
> On 03/24/2016 07:57 AM, Always Learning wrote:
> > I should have imposed strict controls on the length of
> > parameters passed to programmes via web pages $_GET[] such as...
> > and reject any incoming string containing ' or " in addition
to PHP's
> > strip_tags and (deprecated in later versions)
> > mysql_real_escape_string($_GET['....'],$link);
> 
> No.  No.  Nooooooooo.
> 
> You're missing the point that everyone is trying to communicate to you.
> Do not use string concatenation.  Do not use sprintf.  Do not use 
> mysql_real_escape_string().
I have never (not once) used non-prepared SQL statements, nor string
concatenation, nor sprintf.

mysql_real_escape_string() is useful for storing in tables words with
apostrophes.


-- 
Regards,

Paul.
England, EU.      England's place is in the European Union.