Quite a while back now I had a file uploaded to my site overwriting the index, which boasted of this hackers amazing skills in defacing my site. Never did figure out how they did it, however I found my website listed on this site:
<link removed> (Note thats the link to some sort of hacker site, the link may not be safe I don't know so just letting you know).
Anyway, the site is in another language but I noticed it said Somthing: SQL Injection, and after navigating back to the main page of this site I found the form (the one in the link above, don't really want to test it myself). I assume people just enter in whatever site they want and it exploits some sort of common weakness or somthing, but like I said I don't know and since it had SQL Injection listed next to my site I'm going to assume that. I've got the following in place for SQL Injection at the top of every page:
[PHP]
if(!get_magic_q uotes_gpc())
{
$_GET = array_map('mysq l_real_escape_s tring', $_GET);
$_POST = array_map('mysq l_real_escape_s tring', $_POST);
$_COOKIE = array_map('mysq l_real_escape_s tring', $_COOKIE);
}
else
{
$_GET = array_map('stri pslashes', $_GET);
$_POST = array_map('stri pslashes', $_POST);
$_COOKIE = array_map('stri pslashes', $_COOKIE);
$_GET = array_map('mysq l_real_escape_s tring', $_GET);
$_POST = array_map('mysq l_real_escape_s tring', $_POST);
$_COOKIE = array_map('mysq l_real_escape_s tring', $_COOKIE);
}
[/PHP]
Is this not enough, what else should I be doing? would someone be able to give me a line of text to enter into forms on my site (I assume it's just somthing like " mysql_query("IN SERT........") obviously only somthing that wont do much damage) so I can see where weaknesses are.
Thanks for any advice / opinions on this, just trying to get to the bottom of this so it dosn't happen again.
11  3742   dlite922 1,584
Recognized Expert Top Contributor
SQL Injection deals with SQL, i.e. Database.
Unless they found your SQL password on your site, AND your homepage is actually in the database (not in an HTML file) then they could have re-written it.
Or they just used FTP or SSh and found a password somewhere on your site and used that.
make sure files that contain such passwords and sensitive information ARE NOT in the public domain folders, or folders accessable from the web.
so that i can't do this to get your config file that has your passwords in it.
yoursite.com/config/config.php~
(if your using the linux text editor: emacs or another)
I have a server and its is Constantly pinged via SSH, as a brute force attempt to get the root password.
search google on securing your server, if its hosted by a company, sometimes they are the problem and had nothingt to do with your code, (But they're not going to tell you if the server has been hacked by some chinese dude)
Just make sure you take security measures
Find sites like this on google: http://www.devshed.com/c/a/PHP/PHP-Security-Mistakes/
Good luck and hope it doesn't happen again,
Dan
Markus 6,050
Recognized Expert Expert
Yeh, unless your site runs dynamically, I don't think it's SQL injection. What it is, I'm not sure.
Do you give the ability to upload files, on your website?
Thanks for the responses.
People can upload image files on my site but they need to be signed up to do so and I didn't notice any odd usernames signed up, they all seem pretty genuine.
Thanks for that link too I'll definetely be having a thourough read of that. I do have password information stored in my one file which is for the database connection, which is in the public_html folder, is this what I should not be doing?
Also, all this person did was upload a file that overwrites the index, all I had to do was just re upload mine and the problem was solved. I thought this seemed a little too easy but no database information and been erased / added (which is why I originally though it wasn't an SQL attack anyway), but is there any checks I should make to ensure they didn't do anything else such as uploading other any malicious fies?
dlite922 1,584
Recognized Expert Top Contributor
Thanks for the responses.
People can upload image files on my site but they need to be signed up to do so and I didn't notice any odd usernames signed up, they all seem pretty genuine.
Thanks for that link too I'll definetely be having a thourough read of that. I do have password information stored in my one file which is for the database connection, which is in the public_html folder, is this what I should not be doing?
Also, all this person did was upload a file that overwrites the index, all I had to do was just re upload mine and the problem was solved. I thought this seemed a little too easy but no database information and been erased / added (which is why I originally though it wasn't an SQL attack anyway), but is there any checks I should make to ensure they didn't do anything else such as uploading other any malicious fies?
I would just re-upload ALL your files from scratch. Remove everything and reload everything.
Yes, do remove that password file from public_html, PHP can still access it even if its in a folder not available through the browser (in public_html)
There is times when all a person wants to do is practice his hacking skills, he doesn't really want to destroy/capture any data, it does him no good.
MAKE SURE, you have proper validations in place for that image. Could I Upload a PHP file if i wanted to?
Hack your own site is the best way. Try uploading a php file for example, try uploading anything else that's not a JPG.
Don't just check the last few characters of the name for the file extension, actually do a PHP type check to see if its an image file.
Hope that helps,
Dan
zorgi 431
Recognized Expert Contributor
I
Yes, do remove that password file from public_html, PHP can still access it even if its in a folder not available through the browser (in public_html)
Dan
Where is the best place to keep such files than?
Actually, I do not have any of my PHP scripts located in the document tree which can be reached by the Apache server. I only have stubs such as this: -
<?php
-
require ("/script_directory/main.php");
-
exit;
-
?>
-
where the /script_director y/ is substituted for the directory path where I have the PHP scripts for the given application. This directory is off limits for the Apache server, so it cannot by itself read or write to the script directory. All access must go via my PHP scripts.
zorgi 431
Recognized Expert Contributor
How do I reach things outside "public_htm l" with php
I am using Linux, so I don't know whether any answer I give here will apply to you in case you are using another operating system.
Your "document tree" is where your document server (e.g. Apache) is allowed to directly serve pages from. But your PHP engine is not limited to this. As long as the directory and file permissions are set to allow your PHP scripts to read them, then you can access them from other PHP scripts. In the example I showed above, the user will try to access a small script located within the document tree, which will then "require" or "include" the remainder of the PHP script located in a directory outside the document tree.
Of course, if your permissions are not set correctly on the directory where the script file is located, or the script file itself, then maybe your PHP scripts cannot access them.
zorgi 431
Recognized Expert Contributor
I would like o do some more reading on this subject. So you have a link to somewhere on internet where I can read about this some more.
Thanks
Sign in to post your reply or Sign up for a free account.
Similar topics | |
by: Aravind |
last post by:
I would like to know in what manner dangling pointers affect the
security of a application developed using C++.What are the loopholes
that are created by dangling pointers and how they could be exploited
by hackers?.
Aravind
|
by: stirrell |
last post by:
Hello,
One problem that I had been having is stopping email injections on
contact forms. I did some research, read up on it and felt like I had
created a working solution. I hadn't gotten any suspicious bouncebacks
in quite some time and got many custom alerts I had set up for
notifying me of injection attempts. However, just the other day, I got
a bounceback from an AOL address which leads me to believe that an
injection attempt was...
|
by: Neil |
last post by:
Hi,
I have a website hosted on MS IIS.
It has a news section fed by a database to allow the owners of the site the
ability to update the news pages themslves.
Last week a message was added by an Iranian hacker (see the end of this
post.)
|
by: Sudhakar |
last post by:
A) validating username in php
as part of a registration form a user fills there desired username and
this is stored in a mysql. there are certain conditions for the
username.
a) the username should only begin either letters or numbers, and
Underscore character
example = user123, 123user, u_ser123, user_123 = completely case
insensitive
|
by: shank |
last post by:
I've been hit again using DW, parameterized queries and stored procedures.
I'm guessing I was not strict enough with character counts and allowing to
long of a string to pass.
Aside from that, as crude as it may be, is the below enough to stop these
attacks? If not, how would they get around this?
<%
If Instr(Request.QueryString("http")) 1 or
Instr(Request.QueryString("script")) 1 Then
| | |
by: marktang |
last post by:
ONU (Optical Network Unit) is one of the key components for providing high-speed Internet services. Its primary function is to act as an endpoint device located at the user's premises. However, people are often confused as to whether an ONU can Work As a Router. In this blog post, we’ll explore What is ONU, What Is Router, ONU & Router’s main usage, and What is the difference between ONU and Router. Let’s take a closer look !
Part I. Meaning of...
|
by: Hystou |
last post by:
Most computers default to English, but sometimes we require a different language, especially when relocating. Forgot to request a specific language before your computer shipped? No problem! You can effortlessly switch the default language on Windows 10 without reinstalling. I'll walk you through it.
First, let's disable language synchronization. With a Microsoft account, language settings sync across devices. To prevent any complications,...
|
by: jinu1996 |
last post by:
In today's digital age, having a compelling online presence is paramount for businesses aiming to thrive in a competitive landscape. At the heart of this digital strategy lies an intricately woven tapestry of website design and digital marketing. It's not merely about having a website; it's about crafting an immersive digital experience that captivates audiences and drives business growth.
The Art of Business Website Design
Your website is...
|
by: conductexam |
last post by:
I have .net C# application in which I am extracting data from word file and save it in database particularly. To store word all data as it is I am converting the whole word file firstly in HTML and then checking html paragraph one by one.
At the time of converting from word file to html my equations which are in the word document file was convert into image.
Globals.ThisAddIn.Application.ActiveDocument.Select();...
|
by: TSSRALBI |
last post by:
Hello
I'm a network technician in training and I need your help.
I am currently learning how to create and manage the different types of VPNs and I have a question about LAN-to-LAN VPNs.
The last exercise I practiced was to create a LAN-to-LAN VPN between two Pfsense firewalls, by using IPSEC protocols.
I succeeded, with both firewalls in the same network. But I'm wondering if it's possible to do the same thing, with 2 Pfsense firewalls...
|
by: adsilva |
last post by:
A Windows Forms form does not have the event Unload, like VB6. What one acts like?
| | |
by: 6302768590 |
last post by:
Hai team
i want code for transfer the data from one system to another through IP address by using C# our system has to for every 5mins then we have to update the data what the data is updated we have to send another system
|
by: muto222 |
last post by:
How can i add a mobile payment intergratation into php mysql website.
|
by: bsmnconsultancy |
last post by:
In today's digital era, a well-designed website is crucial for businesses looking to succeed. Whether you're a small business owner or a large corporation in Toronto, having a strong online presence can significantly impact your brand's success. BSMN Consultancy, a leader in Website Development in Toronto offers valuable insights into creating effective websites that not only look great but also perform exceptionally well. In this comprehensive...
| |
