Advance SQL Injection Attacks

[cancer10]

Hi,

I was going through my site stats and found some sql injections have been passed through my site's querystring.

This was the querystring passed on one of the page. (Note: For security reasons I have replaced my original table and column names in the code below.)

Code:

?action=show&id=-5 union select 1,2,3,concat_ws(0x3a3a,xuser,xpass),5,6,7,8,9,10,11,12,13 from mytbl_login--

I have taken care of the SQL Injection attacks and hence using the following function in my code everywhere to bypass any SQL injections.

Code:

	function antisql($data){
		if(get_magic_quotes_gpc){
		$data1 = stripslashes($data);
		}else{
		$data1 = $data;
		}
		return mysql_real_escape_string($data1);
	}

I am not posting this thread to know what SQL Injection is. I know what is it. :)

Few things I want to know are:

1) How did they know my column names (xuser and xpass) and table name (mytbl_login)?

2) Why didn't the antisql() function prevent from that sql injection attack?

3) What is the above querystring actually doing?


Some Info:
My Site is made in PHP MySQl and running on CentOS.


Thank you so much for your help in advance.

[gorda001]

1) Lucky guess probably

2) Who says it didn't?

3) It's attempting to get username and password data

[cancer10]

1) Lucky guess probably

2) Who says it didn't?

3) It's attempting to get username and password data

1) Who has so much time in guessing?

2) I tried it myself and succeeded in fetching the first row user/password

3) ok thanx

[gorda001]

1) They could have got it from a previous query I suppose

2) OK then well the function looks OK, although I wouldn't write it like that:

PHP Code:

function antisql($data)
{
    if (get_magic_quotes_gpc())
    {
        $data = stripslashes($data);
    }
    return mysql_real_escape_string($data);
} 


Anyway, you're probably not using it correctly. Also, why not just disable magic quotes?

[unclekyky]

1) How did they know my column names (xuser and xpass) and table name (mytbl_login)?

2) Why didn't the antisql() function prevent from that sql injection attack?

1) Do you echo MySQL errors? If you do, it is a trivial thing to get a hold of the table structure. Alternatively, maybe you use a really common name for the tables.
2) Probably because you are using it wrong. How are you invoking it? (From what you said, didn't you write the antisql function after the attack?)

[cancer10]

1) Do you echo MySQL errors? If you do, it is a trivial thing to get a hold of the table structure. Alternatively, maybe you use a really common name for the tables.
2) Probably because you are using it wrong. How are you invoking it? (From what you said, didn't you write the antisql function after the attack?)

1) Well I do not. Any other way it can be revealed?

2) I have been using the antisql function since the beginning.

[Aepos]

1. You can get it from just what he's doing. I know that you can use "union select 1,2,..." to return MySQL results. Make doubly sure that it's not returning any errors. It's probably a script kiddy, but script kiddies have been know to do some damage without even knowing.

2. If you called the function, and it was written just like that, then there's no (simple) way that you could use MySQL injections to fetch the username and password.

Again, make SURE it's not returning any errors. MySQL errors are the key to breaking the lock on a website, to put it analogically.

[unclekyky]

2) I have been using the antisql function since the beginning.

You didn't really answer 2. The question was, "How are you invoking it?" By that I mean, give us some examples of how you use it in your code.

About the part of 2 you did answer, I guess I was just confused by what you said here:

I have taken care of the SQL Injection attacks and hence using the following function in my code everywhere to bypass any SQL injections.

[cancer10]

This is how I am fetching querystring

$id = antisql($_GET['id']);

mysql_query("select * from mytable where id=$id");

[Damien Gray]

Try this:

$id = (int)$_GET['id'];

It will make anything that isn't an integer equal zero.