Hack this code: possible mysql injection

aaron_s
Tue 15 January 2008, 03:45 am GMT +0100
Ok - as always - edited to protect my employer - or my job ;)

So, I've been auditing some code for my employer, and I found some unfiltered code in a mysql query.

The url from /news is /newsitem/12  where 12 is the ID of the article.

Then, here is the code:

$newsID = basename($_SERVER['REQUEST_URI']);
$sql = "select * from Tnews where newsID={$newsID}";


So, I've already fixed this - so no worries, but I'm having a hard time actually proving the SQL injection issue here.  Every time I put something in there, it gets urlencoded (obviously) by the browser.  I've been able to successfully break the sql, but never get extra info.  I've also tried telnet connections to the apache server - but any non-url encoded urls generate 400 errors for bad request.

Anyone have any ideas?

olaf
Tue 15 January 2008, 06:24 am GMT +0100
$newsID = basename($_SERVER['REQUEST_URI']);
$sql = "select * from Tnews where newsID=".(int)$newsID;

lol

Nikolas
Tue 15 January 2008, 06:44 am GMT +0100
The (int) is always good to use for numeric queries.

Now if you are looking for something fast that will work on anything (but may cause other kind of problems) you can try something like this:

<?php
$_SERVER['REQUEST_URI'] = addslashes($_SERVER['REQUEST_URI']);
?>

olaf
Tue 15 January 2008, 09:01 am GMT +0100
The (int) is always good to use for numeric queries.

Now if you are looking for something fast that will work on anything (but may cause other kind of problems) you can try something like this:

<?php
$_SERVER['REQUEST_URI'] = addslashes($_SERVER['REQUEST_URI']);
?>


Nick, he called it a record id (which is a number).

Your snippet doesn't work on all machines; it must be:

$theValue = (!get_magic_quotes_gpc()) ? addslashes($theValue) : $theValue;

aaron_s
Mon 21 January 2008, 03:21 am GMT +0100
You guys aren't getting my question.

I've fixed the issue from that previous programmer.

My question is: how can you do some sql injection with that old code.  And changing the ID to be that of another news article is not injection ...

Nikolas
Tue 22 January 2008, 11:05 am GMT +0100
Oh right, this way you can't, besides getting another article. But what if someone adds a ; and runs another query? Will this be executed?

Example :

$newsID = "'' OR 1 =1 ; DELETE * FROM users";

aaron_s
Tue 22 January 2008, 03:11 pm GMT +0100
Nope - it gets URL encoded in the URL.

Try this:

make a php file named test.php

inside of it put:
echo basename($_SERVER['REQUEST_URI']);

Start experimenting with adding additional items onto the end of it... so...
test.php/123
test.php/; select *

see how the results look to get a better idea of what I'm talking about :)

aaron_s
Sun 10 February 2008, 10:57 pm GMT +0100
This is depressing.  I've posted this query among several boards - and everyone keeps replying with generic solutions - as if it was a $_GET result and not from the $_SERVER['REQUEST_URI']; 

:(

I guess I'm just going to assume that even though I 'fixed' the errors, it never could have been exploited... :(
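The first post's query builder beside olaf's (int) cast and a parameterised version, as an added example that is not part of the thread; it assumes a PDO connection named $pdo, the table and column names from the thread (Tnews, newsID), and constructed sample URIs in the raw, still percent-encoded form Apache places in REQUEST_URI.

```php
<?php
// Added example (not from the thread). Assumes a PDO connection $pdo.

// The pattern from the first post: the last path segment is interpolated
// into the SQL text unchanged, so whatever reaches REQUEST_URI reaches MySQL.
function buildNewsQueryUnsafe(string $requestUri): string {
    $newsID = basename($requestUri);
    return "select * from Tnews where newsID={$newsID}";
}

// olaf's fix: (int) turns any segment into an integer literal. A segment
// such as "12%27" becomes 12 and "abc" becomes 0, so the SQL text is fixed.
function buildNewsQueryInt(string $requestUri): string {
    $newsID = (int) basename($requestUri);
    return "select * from Tnews where newsID=" . $newsID;
}

// Stricter form: validate the segment, then bind it as a parameter so the
// value is never part of the SQL text at all. parse_url() strips any query
// string first, because basename("/newsitem/12?x=1") would be "12?x=1".
function fetchNewsItem(PDO $pdo, string $requestUri): ?array {
    $path = parse_url($requestUri, PHP_URL_PATH);
    if (!is_string($path)) {
        return null;
    }
    $segment = basename($path);
    if (!ctype_digit($segment)) {
        return null; // reject anything that is not a plain record id
    }
    $stmt = $pdo->prepare('SELECT * FROM Tnews WHERE newsID = :id');
    $stmt->bindValue(':id', (int) $segment, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed sample URIs. Apache does not percent-decode REQUEST_URI, which is
// why the encoded form shows up verbatim in the unsafe query (a broken statement,
// matching the "I've been able to successfully break the sql" observation).
foreach (['/newsitem/12', '/newsitem/12%27', '/newsitem/abc'] as $uri) {
    echo buildNewsQueryUnsafe($uri), "\n";
    echo buildNewsQueryInt($uri), "\n";
}
```

Both the cast and the bound parameter close the hole regardless of how the segment arrives, so the question of whether a client can get unencoded characters past Apache no longer matters for the fixed code.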
