I'm seeing a weird url repeatedly in my logs and I'm wondering if someone is able to understand what this user was attempting to do. I'm a little familiar with the basics of MySQL, however, I'm lost with this one (especially the 0x7e parts), and want to prevent future possible vulnerabilities. I've found and am correcting the vulnerability in my script, however I'd really like to know what this person was doing. Any insight you can offer would be greatly appreciated. Thank you.
Note: I replaced my actual database and table names below with DatabaseName.TableName to make it clearer.
Here's the weird url:
photo.php?member_id=11616%27+AND+(SELECT+7509+FROM(SELECT+COUNT(*),CONCAT(0x7e,0x7e,0x7e,0x27,(SELECT+CONCAT(MID((IFNULL(CAST(member_id+AS+CHAR),0x20)),1,50),0x3A,MID((IFNULL(CAST(email_address+AS+CHAR),0x20)),1,50),0x3A,MID((IFNULL(CAST(password+AS+CHAR),0x20)),1,50))+FROM+DatabaseName.TableName+ORDER+BY+member_id+LIMIT+81947,1),0x27,0x7e,FLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.CHARACTER_SETS+GROUP+BY+x)a)+AND+%27FtCw%27=%27FtCw&name=1392855.jpg
I believe so. They're testing to see if you are susceptible to SQL injection.
The INFORMATION_SCHEMA.CHARACTER_SETS table is tested because all users have read privilege to this table regardless of what privileges you otherwise give them. I can't imagine the attacker is really interested in how many character sets you have, so they're probably just seeing if they can get that query to run. If they confirm this, it means that they can proceed to use other attacks.
You need to block that attacker's IP address ASAP. Then review your code to make sure you are safe from SQL injection vulnerabilities.
well i have been through penetration testing and testing these kind of attacks.. this query is generated by SQLMap a penetration testing tool (written on python) to check if the link is vulnerable to Sql Injection or Not.. bt make sure if its only testing mean u r conducting this urself.. if he managed to access ur database he can compromise the server even..
u can check more on sql map here..
Project Sql Map
Related
I recently had to investigate an SQL incursion and noticed how -- is a great help for an attacker. Considering it's not a very useful instrument in many web environments, but seems to add to the damage potential of such vulnerabilities, why not disable it? I couldn't find a way, hence the question.
It is not possible to disable SQL comment parsing.
The correct solution is to ensure your application does not allow it to occur by always escaping user input, or better yet by using parametrised queries of some kind whether directly through the MySQL server API or through a user library that does it client-side.
Disabling comments may help a little, but it is very easy to do SQL injection without them, they can simply write the start of another complete query instead of commenting out the remainder of the statement.
If that is not practical for some reason, you may be able to consider the MySQL Enterprise Firewall (this is a commercial product and not open source) which allows you to setup a query whitelist:
https://www.mysql.com/products/enterprise/firewall.html
The tables in the database i use for my website was dropped in some way. I didn't do it, but i don't know who did it. My hosting company says we didn't do either. So is there a way to know who did it? If there is a solution for it, i'll be grateful. My website is offline now.
Thanks
Provided you do not have a backup: as Stanley has pointed out, your code might have been vulnerable. This is just one out of many possible solutions.
Small checklist:
Check whether the DB is accessible from outside localhost (usually it should not)
Check password security
Check who has access to your DB and whether you can trust them
Check your code for SQL injection vulnerability: What is SQL injection?
I record the search terms in on my e-commerce site and I the term
function.mysql connect
appears frequently. Immediately it concerns me that there may be some kind of automated bot looking for holes? SQL injection perhaps?
Could some one please explain what people are trying to do, and if this is indeed a signature of dodgy activity how can I check that I am protected against it?
Many thanks in advance
Most likely the search initiator is looking for dynamic pages that are displaying as plain text. Ie. if a webserver is misconfigured and displaying php files as plain text. In this case, there is a good chance that the mysql database credentials are exposed. This is a common way for malicious users/bots to search for database passwords and this is not SQL injection. For SQL injection, there would be part of a SQL query.
Sorry for a badly-phrased question. I have a requirement coming from a non-technical person that I need to make sense of. I am basically told: "Here use 'Driver={SQL Server};Server=SERVERNAME\INSTANCENAME;Database=DATABASENAME;Uid=UNAME;Pwd=PASSWORD;'; and here use Server=SERVERNAME\INSTANCENAME;Database=DATABASENAME;Uid=UNAME;Pwd=PASSWORD;';.
I am getting no additional help here.
While this seems to miraculously fix a bug, I want to understand what is it that I am changing, so I can leave a proper comment for the next developer, plus I can structure the code and name variables differently, depending on the meaning of the change.
The work revolves around ASP.net, reporting, SQL Server 2008.
Please give me some examples about when you would use one connection string over another. Feel free to edit the question if you can see a way to improve it.
When can you lose a 'Driver={SQL Server};?
Thank you.
EDIT: SQL Server 2008 is the target database, but other can be used ... or maybe will be used in the future.
www.connectionstrings.com is your friend here. You will find a large explanation on almost any connection string that you can think of.
A good resource you may want to read up on is:
connectionstrings.com
Is there any software for Windows that allows you to setup your tables and then tell the software what you want to SELECT given the conditions and it will tell you the SQL query that you need? Thanks.
Probably you'll find software that will do this for you in a GUI, but eventually you will be required to write the queries yourself, unless you're developing something really trivial.
A GUI tool for SELECT statements is a too-high level of abstraction for most scenarios, and you would have to face the "Law of Leaky Abstractions" eventually.
Visualization tools are quite handy for defining the database schema, and there are some very good tools for that. However queries remain quite tricky to visualize, in my opinion. I think you'll be able to mentally visualize queries, given enough practice. Nevertheless, I'm quite sure you will be able to get started doing SQL queries within a few days, even non-trivial ones.
In addition, you can use Stackoverflow if you require assistance with complicated queries. I'm quite sure that the community here will suggest better SQL than any GUI tool!
These sound like they will do what you want:
SQL Maestro
dbForge Query Builder for MySQL
Having said that, I do agree with the other answers here - learning to manually write SQL will give you a lot more control. I highly recommend the (free) MySQL Workbench for that.
The people at sqlmanager.net build some tools to deal with databases, but I agree with Daniel: if you have very complex queries to work with, it's probably more work telling the tool what to do that creating the queries manually - especially as you'll have to verify what the tool did, so if you can do that, you could have done it by hand in the first place :)
As said before by daniel vassallo, you should learn how to create those sql queries "by hand". where i work we use a program that does exactly this (it's used by accountants only) and it creates horrible sql select statements and we have constantly whining accountants that think that the problem is allways on the server side even when we show them that those queries get them the wrong data... it's a never ending circle :(
Use HeidiSQL to manage your database, and keep an eye on what's going on in the SQL log. You'll soon pick it up.