List:General Discussion« Previous MessageNext Message »
From:Wm Mussatto Date:November 18 2009 6:59pm
Subject:Re: MySQL being hacked with commands through URL
View as plain text  
On Thu, November 19, 2009 09:47, James Coffman wrote:
> Hello all,
>
>                 My website has been hacked using a url such as:
> -1%20union%20all%20select%201,2,concat(username,char(58),password),4,5,6%20f
rom%20users-- .
>
> I have been searching on the web for a solution/fix to this issue and I
cannot seem to find one.  The command above is showing all usernames and
passwords (in hashes) and I am not comfortable with that at all!  Is
there anyone out there that may be able to help or may be able to point
me in the
> direction that I need to go in order to correct this issue?
Looks like a SQL injection attack.  You should always filter any input
from the web to accept only those characters and conditions which are
reasonable for that list.

Update to our phone conversation looks like id value is NOT a number (ss
looks like 55 in my web font, sorry).

In perl you should also either $dbh->quote($inputString) or use the '?'
place holder mechanism.
For example if I'm expecting a page number (or other whole number) from
form variable PAGEID I do something like this.

($pid) = $q->param('PAGEID') =~/(\d+)/;  Basically it will only accept
0-9s as input.   Hope this helps.


How do you have your database server setup?  How are the commands being
passed to the database?



------
William R. Mussatto
Systems Engineer
http://www.csz.com
909-920-9154



Thread
MySQL being hacked with commands through URLJames Coffman18 Nov
  • Re: MySQL being hacked with commands through URLWm Mussatto18 Nov
    • RE: MySQL being hacked with commands through URLJames Coffman18 Nov
      • Re: MySQL being hacked with commands through URLMichael Dykman18 Nov
        • RE: MySQL being hacked with commands through URLJames Coffman19 Nov
  • Re: MySQL being hacked with commands through URLGary Smith18 Nov
    • Re: MySQL being hacked with commands through URLTompkins Neil18 Nov
      • Re: MySQL being hacked with commands through URLJohan Gant18 Nov
  • Re: MySQL being hacked with commands through URLPintér Tibor18 Nov
RE: MySQL being hacked with commands through URLMichael.Coll-Barth18 Nov
RE: MySQL being hacked with commands through URLMichael.Coll-Barth18 Nov
Re: MySQL being hacked with commands through URLWm Mussatto18 Nov
RE: MySQL being hacked with commands through URLJames Coffman19 Nov