I just needed some help regarding validating links for sql injection automatically.
For instance:
There is a site so called as
http://www.example.com/news.php?id=13
After inserting quotation at the end we get an MySql error like this
http://www.example.com/news.php?id=13'
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\' order by Sort DESC Limit 0,12' at line 1
So i was wondering is there any way by which i can check these links for errors automated. Like before the injected url execution it should show normal status but after injection it should show abnormal status.
NOTE: I am not talking about my website. I am developing an application online that will be free for developers for checking there site security.
Any help will be appreciated :)
Validating has nothing to do with injections.
Validating and injection protection are completely different tasks.
You may validate your data whatever way you like, but injection protection is completely different matter. It is data independent.
Your code have to be able to insert whatever data - links, numbers, HTML codes, binary objects - whatever.
I've explained the whole matter earlier, so, I won't repeat myself.
As for the validation - you may check your links to be valid - with http:// in front and such. but again, it has nothing to do with injections.
I am developing an application online that will be free for developers for checking there site security.
Gosh! Are you sure you are experienced enough?
Related
I am developing a client-side only web application for learning purpose, using WebSQL to store and query data, and Javascript to process it. WebSQL is not mantained anymore, but the question may be valid for all client side databases.
In the proposed specification for WebSQL from the W3C, §8.5 recommends a specific syntax (parameterized queries using ? as placeholder for values) to avoid SQL injection attacks.
Given that the user is free to modify the Javascript code used in the web page, including SQL statements (or alter the database using the development Console or other browser tools) why should the program be prepared to avoid SQL injections?
I found three StackOverflow questions related to SQL injection in WebSQL, this one, this one and this answer but none of them highlights why SQL injection is a concern on client side databases.
May someone else has a clear motivation, why SQL injection is a concern on client side databases?
SQL injection makes sense when considering unwanted third party operations on the database.
A client-side web application involves:
the developer, who designs the database and SQL statements;
the user, who can modify them using browser tools;
third-party scripts, such as libraries, which cannot access the application database.
Actually, databases are specific to one origin, so that a script cannot open a database belonging to an other origin:
If no database with the given name from the origin origin exists, then create the database
(§4.1 of the WebSQL W3C specification)
A third party attack script may use the DOM of the page to fill in form inputs with attack code, which will be injected when the form is submitted (possibly by the attacker itself, calling the submit() method of the form element). To avoid this, use parameterized queries: user input will never be interpreted as SQL code.
I would say that "an SQL injection attack" is distinct from a "I'm gonna modify the program, or better yet, just write my own" attack.
Yes, you are entirely correct in observing that a user can do anything he wants to, to a database and to software source-code that winds up on his computer. But, this is not an "SQL injection."
"SQL injection," I think, represents any case where an outsider effectively modifies the database structure or content from the outside, and without directly modifying the source-code or supplying new source-code of his own.
It could well be argued, as essentially you just did, that SQL injection is much less likely to occur with regard to a database that exists only on the client computer. I think that your argument is sustained. But, I don't think that this is a successful argument for abandoning the use of parameters. I flatly recommend that one should never insert literal, externally-provided values into any SQL string, "period."
I'm seeing a weird url repeatedly in my logs and I'm wondering if someone is able to understand what this user was attempting to do. I'm a little familiar with the basics of MySQL, however, I'm lost with this one (especially the 0x7e parts), and want to prevent future possible vulnerabilities. I've found and am correcting the vulnerability in my script, however I'd really like to know what this person was doing. Any insight you can offer would be greatly appreciated. Thank you.
Note: I replaced my actual database and table names below with DatabaseName.TableName to make it clearer.
Here's the weird url:
photo.php?member_id=11616%27+AND+(SELECT+7509+FROM(SELECT+COUNT(*),CONCAT(0x7e,0x7e,0x7e,0x27,(SELECT+CONCAT(MID((IFNULL(CAST(member_id+AS+CHAR),0x20)),1,50),0x3A,MID((IFNULL(CAST(email_address+AS+CHAR),0x20)),1,50),0x3A,MID((IFNULL(CAST(password+AS+CHAR),0x20)),1,50))+FROM+DatabaseName.TableName+ORDER+BY+member_id+LIMIT+81947,1),0x27,0x7e,FLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.CHARACTER_SETS+GROUP+BY+x)a)+AND+%27FtCw%27=%27FtCw&name=1392855.jpg
I believe so. They're testing to see if you are susceptible to SQL injection.
The INFORMATION_SCHEMA.CHARACTER_SETS table is tested because all users have read privilege to this table regardless of what privileges you otherwise give them. I can't imagine the attacker is really interested in how many character sets you have, so they're probably just seeing if they can get that query to run. If they confirm this, it means that they can proceed to use other attacks.
You need to block that attacker's IP address ASAP. Then review your code to make sure you are safe from SQL injection vulnerabilities.
well i have been through penetration testing and testing these kind of attacks.. this query is generated by SQLMap a penetration testing tool (written on python) to check if the link is vulnerable to Sql Injection or Not.. bt make sure if its only testing mean u r conducting this urself.. if he managed to access ur database he can compromise the server even..
u can check more on sql map here..
Project Sql Map
I want to check a PHP source code for sql injection without using tools.
I don't want to check a website, I want to check a source in Local host.
Thanks.
Just try to make yourself the inyection.
check here (for theory): http://www.unixwiz.net/techtips/sql-injection.html
Here (for a Walkthrough): http://www.securiteam.com/securityreviews/5DP0N1P76E.html
maybe its a hard way but if you learn to do sql-injection you´ll be able to check the security of your own sites with no external tools.
You also may whant to chek this other question: How can I prevent SQL injection in PHP?
A normal UNION based SQL Injection can be blocked using the WAF, which filter keywords like UNION, SELECT. But I've that it can be bypassed by the inline comment statements of SQL such as /*!UNION*/ and /*!SELECT*/
Comment statements are meant for only reading purpose, right? If so, how a SQL server reads the injection query inside the comments and executes it?
Filtering keywords with a WAF is pointless. There is no way it could possibly succeed. Take a look at this list of ways to bypass it: http://ferruh.mavituna.com/sql-injection-cheatsheet-oku/ (And I found that link in just a few seconds with google.)
If the code was written correctly, it would not be necessary.
As for your question the /*! syntax of MySQL is for MySQL specific commands. It's intended for you to be able to write portable SQL (that can run on any database) and yet still be able to send MySQL special commands.
SQL injection should not be an issue at all if you're using a database driver that supports placeholders for data. What you'd be trying to do with an after-the-fact detection is futile, like trying to eradicate a roach infestation with a ratty fly-swatter. You can't possibly get them all.
The best practice is to ensure it's impossible to inject hostile data into your queries in the first place. There are many examples available on Booby Tables that illustrate how to do this properly.
Commenting out partial query by not closing them can be used for bypassing blacklisting, removing spaces, obfuscating and determining database versions.
The one that you've mentioned is a special comment syntax for MySQL. If you put a code into this comments it's going to execute in MySQL only. Also you can use this to execute some code only if the server is higher than supplied version. For example:
Classical Inline Comment SQL Injection Attack Samples
ID: /*!32302 10*/
ID: 10
You will get the same response if MySQL version is higher than 3.23.02
I record the search terms in on my e-commerce site and I the term
function.mysql connect
appears frequently. Immediately it concerns me that there may be some kind of automated bot looking for holes? SQL injection perhaps?
Could some one please explain what people are trying to do, and if this is indeed a signature of dodgy activity how can I check that I am protected against it?
Many thanks in advance
Most likely the search initiator is looking for dynamic pages that are displaying as plain text. Ie. if a webserver is misconfigured and displaying php files as plain text. In this case, there is a good chance that the mysql database credentials are exposed. This is a common way for malicious users/bots to search for database passwords and this is not SQL injection. For SQL injection, there would be part of a SQL query.