UNION SQL Injections - A Cure All Once & For All
I've seen many examples to stop the UNION SQL Injections for PHP-Nuke. I've been quite the busy bee and unable to offer more than I already have in the past, which has covered UNION injections, cross site scripting (XSS), admin.php IMG hacks, the list goes on. Well, I read from the staff tonight that sites are still getting hacked by kiddies using Base64 encoding. I'd like to offer a very beta single line of code that may resolve this issue once and for all. I ran some tests at one of the subdomains successfully using UNION, the base64 of UNION, and all the SQL injection in base64. The single line of code stopped them all. [Note, it also covers all possible upper and lower case permutations.] Please note that it works so well, it may be catching false positives. To help debug it, I need full reports. But if you want to be ultra cautious, it appears from testing that this single line of code does the trick. So here it is pro bono:
Open mainfile.php and, anywhere at the very beginning, add the following code:
//Copyright Zhen-Xjell 2004 http://nukecops.com
//Beta Code to prevent UNION SQL Injections
if (preg_match("/([dnW5uIpb2N4VUJT0iO]{5})/", $_SERVER["QUERY_STRING"])) { die("YOU ARE SLAPPED BY <a href=\"http://nukecops.com\">NUKECOPS</a>"); }
As with anything else, I highly recommend you test it before applying it in production; also see the AUP.
ADMIN'S NOTE: If you are looking for this quality of protection, but still would like to use Raven's hack alert script so that you are notified, you can see an example of a hybrid here in the Nuke Security forum.
Posted on Thursday, April 22 @ 23:47:05 CEST by Zhen-Xjell
Average Score: 2.6 Votes: 5
Re: UNION SQL Injections - A Cure All Once & For All (Score: 1) by FHFGhost on Friday, April 23 @ 00:26:34 CEST http://www.fubarfish.com
I got it to work but I had to add two characters.
="http://nukecops.com">
I added it just after the commented section of the mainfile.php.
Re: UNION SQL Injections - A Cure All Once & For All (Score: 1) by FHFGhost on Friday, April 23 @ 08:42:38 CEST http://www.fubarfish.com
Sorry, I forgot to put in the two characters. It should look like this:
="http://nukecops.com">
Re: UNION SQL Injections - A Cure All Once & For All (Score: 1) by Zhen-Xjell on Friday, April 23 @ 11:02:55 CEST http://castlecops.com
{ die("YOU ARE SLAPPED BY
<a href=\"http://nukecops.com\">NUKECOPS</a>"); }
Re: UNION SQL Injections - A Cure All Once & For All (Score: 1) by ArgonX on Friday, April 23 @ 11:30:14 CEST
I added this code to mainfile, right on top after:
& NUKECOPS"); }
/************************************************************************/
/* PHP-NUKE: Advanced Content Management System */
/* ============================================ */
/* */
So is this wrong or right?
Re: UNION SQL Injections - A Cure All Once & For All (Score: 1) by Imago on Friday, April 23 @ 01:01:48 CEST http://www.euronuke.org
What was wrong with the old fix?
$query_string = getenv ("QUERY_STRING");
if (preg_match ("/UNION|FROM|OUTFILE|nuke_authors|nuke_users/i", $query_string)) {
die ("Thank you! Your data have been logged and sent to the administrator of this site!");
}
Re: UNION SQL Injections - A Cure All Once & For All (Score: 1) by Zhen-Xjell on Friday, April 23 @ 08:55:04 CEST http://castlecops.com
The fix you have there, by an author unknown to me, will apply even to valid authorized authors. And it doesn't catch base64.
Whoever wrote that doesn't understand the true nature of the admin.php problem either. They are attacking it retroactively versus proactively... which my admin referer hack handles.
Re: UNION SQL Injections (Score: 1) by Imago on Friday, April 23 @ 09:41:55 CEST http://www.euronuke.org
Well, I found it on a Russian Nuke support site two or three weeks ago and it saved my ass from a bunch of young Iranian hackers. Valid authors are not affected by it, otherwise my wife would have me affected by now. :-)
Anyway, there seem to be too many Php-Nuke exploits to risk one's hard content work. Is that in the nature of Php-Nuke, or is the system by far more popular than the other CMSs, which makes it a preferable target?
Re: UNION SQL Injections (Score: 1) by Zhen-Xjell on Friday, April 23 @ 10:58:01 CEST http://castlecops.com
There have recently been exploits on postnuke that php-nuke had already resolved months ago. Even yahoo and hotmail are exploited on occasion.
Re: UNION SQL Injections - A Cure All Once & For All (Score: 1) by nobleclem on Friday, April 23 @ 01:02:16 CEST http://hackerassassins.com
Just out of curiosity... I am not very good with preg stuff, but what is it searching for?
Re: UNION SQL Injections - A Cure All Once & For All (Score: 1) by Imago on Friday, April 23 @ 01:18:17 CEST http://www.euronuke.org
I am not sure if it is allowed to post links to exploits, but since this is a major one, here is a list of all affected modules and operations one can make through them.
http://securitylab.ru/42540.html
Re: UNION SQL Injections - A Cure All Once & For All (Score: 1) by IACOJ on Friday, April 23 @ 08:30:49 CEST
The code ZX posted above takes care of all those listed.
Re: UNION SQL Injections - A Cure All Once & For All (Score: 1) by robertr994 on Friday, April 23 @ 02:45:18 CEST
I couldn't get it to work. Are you sure the code posted is right?
Re: UNION SQL Injections - A Cure All Once & For All (Score: 1) by Coldy on Friday, April 23 @ 02:50:56 CEST
When you have installed "Admin Secure 1.5" it does not work! I've tested on two systems, one with "Admin Secure" and one without!
Re: UNION SQL Injections - A Cure All Once & For All (Score: 1) by IACOJ on Friday, April 23 @ 08:34:59 CEST
Hi, can you be a little more specific as to how it doesn't work? Does it allow the injection? Do you get an error?
Re: UNION SQL Injections - A Cure All Once & For All (Score: 1) by robertr994 on Friday, April 23 @ 14:06:28 CEST
Sorry, I should have said: it was a fatal error that shut the site down. I can't tell you more right now, I have to go to court, but will get you the exact error message when I get back.
Re: UNION SQL Injections - A Cure All Once & For All (Score: 1) by IACOJ on Friday, April 23 @ 08:33:23 CEST
Hi,
Did you get a parse error? If so, make the modification like in the first comment. If it wasn't a parse error, would you please tell us what it was so we can help you to resolve it?
Re: UNION SQL Injections - A Cure All Once & For All (Score: 1) by MisterWORK on Friday, April 23 @ 03:28:14 CEST http://protector.warcenter.se
Great thing here Zhen, I'll test this when I get home ;-) and report back all I can find out.
Re: UNION SQL Injections - A Cure All Once & For All (Score: 1) by Zhen-Xjell on Friday, April 23 @ 07:11:48 CEST http://castlecops.com
Like FHFGhost said, & thanks, ensure you put slash marks before the quotes.
"http://nukecops.com"
Re-stating the article, it's blocking union in plain text and base64 encoding. None of the other hacks released by others do this.
Re: UNION SQL Injections - A Cure All Once & For All (Score: 1) by Imago on Friday, April 23 @ 08:06:21 CEST http://www.euronuke.org
Thank you. So, should I replace the old fix cited above with the present one, or can they co-exist?
Re: UNION SQL Injections - A Cure All Once & For All (Score: 1) by Peejay on Friday, April 23 @ 09:53:02 CEST http://www.peejay.info
For the life of me I'm just not putting these slashes where they're supposed to go? I get the parse error and I'm putting them before the quotes at the a href line:
//Copyright Zhen-Xjell 2004 http://nukecops.com
//Beta Code to prevent UNION SQL Injections
if (preg_match("/([dnW5uIpb2N4VUJT0iO]{5})/", $_SERVER["QUERY_STRING"])) { die("YOU ARE SLAPPED BY
NUKECOPS"); }
Re: UNION SQL Injections - A Cure All Once & For All (Score: 1) by Zhen-Xjell on Friday, April 23 @ 11:01:45 CEST http://castlecops.com
Clearly the filter system keeps removing the proper code, try 2:
Right here:
{ die("YOU ARE SLAPPED BY
<a href="http://nukecops.com">NUKECOPS</a>"); }
Re: UNION SQL Injections - A Cure All Once & For All (Score: 1) by Zhen-Xjell on Friday, April 23 @ 11:02:28 CEST http://castlecops.com
Final try:
{ die("YOU ARE SLAPPED BY
<a href=\"http://nukecops.com\">NUKECOPS</a>"); }
Re: UNION SQL Injections - A Cure All Once & For All (Score: 1) by DivideByZero on Friday, April 23 @ 10:57:15 CEST http://www.ForwardObserver.us
My site was recently the victim of a SQL injection attack too. Luckily it wasn't a malicious one.
I found this great script from Raven called Hackalert that gathers the hacker's info and sends it in an email to you. It also posts it on the screen for the attempted hacker to see too! You can find Hackalert here: http://ravenphpscripts.com/downloads-cat12.html
Re: UNION SQL Injections - A Cure All Once & For All (Score: 1) by Zhen-Xjell on Friday, April 23 @ 10:58:50 CEST http://castlecops.com
Please note that Allevon pioneered this technology. I want to ensure Allevon is properly credited as the founder.
Re: UNION SQL Injections - A Cure All Once & For All (Score: 1) by chatserv on Friday, April 23 @ 11:19:43 CEST http://nukeresources.com
I'd like to point out that, even while I have not tested this hack, regardless of what method you use now you can safely combine this one with your current one. I don't see anything in the above code that would interfere with your current protection or be interfered with by your own code. Matter of fact, when dealing with security measures there is no such thing as too much protection, especially with a CMS as popular as PHP-Nuke. On that note, do not fall on the false pretense that moving to a less known CMS will keep you safe. From personal experience I can tell you that no other program is exempt from vulnerabilities and/or attacks; if it can be accessed through the net it is prone to a vast array of attacks that will range from attacks on the actual site files to more advanced attacks on server software. This in no way implies you should pack your things and run scared; it just suggests you should practice common sense regardless of what you use as the backbone of your website. Regular backups of files and/or database tables should be your first rule of maintenance.
Re: UNION SQL Injections - A Cure All Once & For All (Score: 1) by Zhen-Xjell on Friday, April 23 @ 11:25:19 CEST http://castlecops.com
Just keep in mind that PHP-Nuke does need some optimization. Not all, but some folks have performance issues. The more code that is added, the more work the CPU must do. The purpose of security is to protect, not to advertise.
Re: UNION SQL Injections - A Cure All Once & For All (Score: 1) by chatserv on Friday, April 23 @ 17:12:54 CEST http://nukeresources.com
Both claims are true. If anyone released protection code/scripts/files that advertise instead of handling x or y vulnerability, it's not only useless, it's sad, but I imagine it must not be very popular as I haven't encountered it, although I admit I don't try everything released out there unless I trust the author and said people have a perfect standing with me. As for the extra code: yes, the more code, the more load, but in my case any code added to validate variables and similar code is well worth it. A quick browse through any of the so-called "security" sites that post vulnerabilities in detail shows that one of the most common causes for vulnerabilities resides in poor code validation, hence why I aim to secure as much code as possible. The good thing? A few others have started implementing better code validation, which is a big plus.
Re: UNION SQL Injections - A Cure All Once & For All (Score: 1) by ladysilver on Friday, April 23 @ 12:52:08 CEST http://www.nukediva.us
I had my first trigger of Raven's hackattempt after installing the new code as modified to point to hackattempt.php in sting's post. It looks like a member was doing a forum search. I will be happy to forward complete info via a PM or feedback, but in a public comment I'll be a bit more generic. Info in () was replaced.
This is info on the trigger:
HTTP_REFERER : http://(www.mysite.ext)/modules.php?name=Forums&file=search&search_author=(MemberName)
REQUEST_METHOD : GET
QUERY_STRING : name=Forums&file=index&sid=(post SID)
REQUEST_URI : /hackattempt.php?name=Forums&file=index&sid=(postSID)
Re: UNION SQL Injections - A Cure All Once & For All (Score: 1) by Zhen-Xjell on Friday, April 23 @ 12:54:22 CEST http://castlecops.com
This is not valid, and actually Raven's script is breaking your users from using your site with per session cookies. That REQUEST_URI *IS VALID*. It's how phpBB works. I suggest you advise Raven to fix his code, otherwise your users are unable to utilize per session only cookies.
Re: UNION SQL Injections - A Cure All Once & For All (Score: 1) by ladysilver on Friday, April 23 @ 13:01:41 CEST http://www.nukediva.us
Thanks for letting me know. I will use the code as you have it originally posted in this article.
Re: UNION SQL Injections - A Cure All Once & For All (Score: 1) by Raven on Friday, April 23 @ 15:08:55 CEST http://ravenphpscripts.com
As usual Paul, did you bother to test that piece of code before coming to your assumption that my script was wrong? I took the poster's exact URI and tested it about 8 times and gee, it works every time. How terribly childish of you to take yet another opportunity to attack me like this. Well, I've really had enough. Up until now I have attempted to be as civil to you as I can in public. You have shown that you do not care about unity or fair play. I will no longer refrain from answering the questions and responding to the NC complaints that I receive. Don't you think that if this was a pervasive problem I would have heard about it by now? Hmmm. Let's see. My code works and then you post a piece of code claiming to have discovered that everyone else's code sucks and only yours can do this or that. Seems that maybe your code is breaking, hmmm? And by the way, 2 things. #1, what exactly is the exploit that you are supposedly trapping? #2, your login script on the front page w/o the security code is not working. 100% of the time it kicks the person to Your Account.
Re: UNION SQL Injections - A Cure All Once & For All (Score: 1) by waraxe on Friday, April 23 @ 14:55:47 CEST
First of all I wanted to say: this filtering code is useless. A little change in the SQL injection code and the filter can be evaded.
Second: I suggest reading this whitepaper:
http://www.imperva.com/application_defense_center/white_papers/sql_injection_signatures_evasion.html
Re: UNION SQL Injections - A Cure All Once & For All (Score: 1) by Zhen-Xjell on Friday, April 23 @ 15:35:20 CEST http://castlecops.com
Hi, I didn't read your link yet; however, the code works for UNION injections. I make no claims this works for ALL SQL injections.
After testing, about 22% produced False Positives. (Score: 1) by Darby_2k4 on Friday, April 23 @ 20:01:54 CEST
I have visited 90 pages on my site.
10 of them were deliberate UNION SQL injections by me. Your script caught them all.
60 pages were unaffected.
20 pages were also caught by the script as being hack attempts although they weren't.
Of those 20, 18 came from the forums/private messaging. Only 2 were from elsewhere. 1 was from a Search on news articles (I did a search for "union chapters in my region", so I guess that could count as a test... but if I wanted to do a search for real unions that might be a hassle) and the other one was, well, it was weird. I was just clicking a "read more..." link. No queries. And I still got slapped.
Hope that helps Paul.
I figured out why so many false positives on forums/messaging. (Score: 1) by Darby_2k4 on Friday, April 23 @ 20:21:29 CEST
At least I think I have. ;)
The sid, in all those cases, contained 5 of the characters in the regular expression. If I am correct, the injection only happens with "query=", so I could just change the preg to look for the query= at the start followed by your code...?
preg_match("/(query=)([dnW5uIpb2N4VUJT0iO]{5})/", $_SERVER["QUERY_STRING"])
?
Or do I misunderstand where the attack comes from and we need to search the whole URL...?
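The following is an added example, not code from the article, from PHP-Nuke, or from any poster in this thread. It replays the article's one-liner from mainfile.php, and Darby_2k4's narrower `query=` variant from the comment above, in Python (whose `re` module accepts the same character-class pattern) over a few constructed query strings; it checks that every one of the 32 upper/lower-case spellings of UNION is caught once base64-encoded on its own; and it computes exactly how often a uniformly random 32-character hex session id, the shape phpBB puts in `sid=`, happens to contain five consecutive characters from the class, which is the mechanism behind the forum false positives reported above. All sample query strings and sid values are constructed for this demonstration, not taken from any site.

```python
import base64
import itertools
import re

# The article's one-liner, as a Python regex (the PCRE syntax is identical):
# any five consecutive characters drawn from this 18-character class.
CLASS = "dnW5uIpb2N4VUJT0iO"
ARTICLE_FILTER = re.compile(r"[%s]{5}" % CLASS)

# Darby_2k4's narrower proposal from the comments: only look right after "query=".
NARROW_FILTER = re.compile(r"query=[%s]{5}" % CLASS)


def is_blocked(query_string, pattern=ARTICLE_FILTER):
    """True if mainfile.php would die() on this QUERY_STRING under `pattern`."""
    return pattern.search(query_string) is not None


def union_case_permutations():
    """All 32 upper/lower-case spellings of UNION."""
    return ["".join(p) for p in itertools.product(*[(c.lower(), c.upper()) for c in "UNION"])]


def base64_coverage():
    """How many of the 32 case permutations the filter catches once each is
    base64-encoded on its own (i.e. starting at byte offset 0). Every spelling
    encodes to seven characters from 'dW5pb24' / 'VU5JT04', all inside CLASS,
    so the whole set is caught."""
    return sum(
        is_blocked(base64.b64encode(word.encode()).decode())
        for word in union_case_permutations()
    )


def hex_sid_false_positive_rate(length=32):
    """Exact probability that a uniformly random hex string of `length`
    characters (a phpBB-style sid) contains five consecutive characters from
    CLASS. Six of the sixteen hex digits (0 2 4 5 b d) are in the class, so
    p = 6/16 per position; a small automaton tracks the current run length
    (0..4) and drops any path the moment a run of five appears."""
    p = sum(1 for c in "0123456789abcdef" if c in CLASS) / 16.0
    q = 1.0 - p
    alive = [1.0, 0.0, 0.0, 0.0, 0.0]  # probability mass by current run length
    for _ in range(length):
        total = sum(alive)
        alive = [q * total, p * alive[0], p * alive[1], p * alive[2], p * alive[3]]
    return 1.0 - sum(alive)


# Constructed sample query strings (not taken from any real site).
SAMPLES = {
    # plain and base64 UNION, the two inputs the article says it stops
    "plain":   "name=Search&query=UNION",
    "base64":  "name=Search&query=" + base64.b64encode(b"UNION").decode(),
    # benign forum request whose sid happens to contain the run "0b24d5"
    "sid_hit": "name=Forums&file=index&sid=3f0b24d5a7e91c6b8d2f4a0e1c3b5d79",
    # benign forum request whose sid never touches the class
    "sid_ok":  "name=Forums&file=index&sid=a1c3e7f9a1c3e7f9a1c3e7f9a1c3e7f9",
}


def evaluate(pattern=ARTICLE_FILTER):
    """Map each sample name to whether `pattern` would block it."""
    return {name: is_blocked(qs, pattern) for name, qs in SAMPLES.items()}


if __name__ == "__main__":
    print("article filter:", evaluate())
    print("query= variant:", evaluate(NARROW_FILTER))
    print("base64 case permutations caught:", base64_coverage(), "/ 32")
    print("false-positive rate on a random 32-char hex sid: %.1f%%"
          % (100 * hex_sid_false_positive_rate()))
```

Running it shows the two sides of the thread at once: the article's pattern does stop plain and base64 UNION in every case spelling, and it also blocks a perfectly ordinary forum request roughly one time in eight purely because of the sid, while the `query=`-anchored variant leaves that request alone. The false-positive figure is for random hex alone; real query strings carry other parameters, so the rate seen on a live site (Darby reports 20 of 90 pages) can be higher.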
Re: After testing, about 22% produced False Positives. (Score: 1) by Zhen-Xjell on Friday, April 23 @ 21:04:16 CEST http://castlecops.com
Thanks Darby, that's just what I need to hear... Sting also sent me some stuff... I'm just catching up on some sleep right now. My brain has turned to mush after the server headaches.
Re: UNION SQL Injections - A Cure All Once & For All (Score: 1) by shedrock on Saturday, April 24 @ 07:37:10 CEST http://lorkan.com
I noticed a problem with this fix. When I click on any of my forums, I get the error message as if I was trying to hack my own site, and I wasn't.
Anyone else experienced this problem?
Re: UNION SQL Injections - A Cure All Once & For All (Score: 1) by foxyfemfem on Saturday, April 24 @ 08:44:51 CEST
Yes, I am... read this: http://www.nukecops.com/postp120605.html#120605
Re: UNION SQL Injections - A Cure All Once & For All (Score: 1) by inkydink1234 on Saturday, April 24 @ 10:07:08 CEST
What exciting reading :lol: - I wonder how forum admin works w/o zx's great script but won't work with it. Hmmmm. Maybe it has an imperfection GASP! If that would be the case do you think he might apologize GASP! No, that would mean apologizing GASP! But don't worry - he will find a way to blame it on someone else :lol: