NukeCops  
UNION SQL Injections - A Cure All Once & For All
Security

I've seen many examples of how to stop UNION SQL injections in PHP-Nuke. I've been quite the busy bee and unable to offer more than I already have in the past, which covered UNION injections, cross-site scripting (XSS), admin.php IMG hacks, and so on. Well, I read from the staff tonight that sites are still getting hacked by kiddies using Base64 encoding. I'd like to offer a very beta single line of code that may resolve this issue once and for all. I ran tests on one of the subdomains using plain UNION, the base64 encoding of UNION, and entire SQL injections in base64, and the single line of code stopped them all. [Note: it also covers all possible upper and lower case permutations.] Please note that it works so well it may be catching false positives. To help debug it, I need full reports. But if you want to be ultra cautious, it appears from testing that this single line of code does the trick. So here it is pro bono:

Open mainfile.php and anywhere in the very beginning add the following code:

//Copyright Zhen-Xjell 2004 http://nukecops.com
//Beta Code to prevent UNION SQL Injections
if (preg_match("/([dnW5uIpb2N4VUJT0iO]{5})/", $_SERVER["QUERY_STRING"])) { die("YOU ARE SLAPPED BY <a href=\"http://nukecops.com\">NUKECOPS</a>"); }

As with anything else, I highly recommend you test it before applying it in production; also see the AUP.
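To see what the one-liner actually matches, here is an added Python harness (not part of the original article, and not the author's code; Python is used instead of PHP because the character class behaves identically in both regex engines). It checks that base64("UNION") and base64("union") fall entirely inside the class, lists the hex digits the class shares with forum session ids, and runs the filter over constructed sample query strings; all names and samples are mine.

```python
import base64
import re

# The character class from the article's one-line filter, copied verbatim.
NUKECOPS_RE = re.compile(r"([dnW5uIpb2N4VUJT0iO]{5})")
CLASS_CHARS = set("dnW5uIpb2N4VUJT0iO")


def base64_chars(word: str) -> set:
    """Characters (padding stripped) that appear in base64(word)."""
    return set(base64.b64encode(word.encode()).decode().rstrip("="))


def covered_by_class(word: str) -> bool:
    """True if every character of base64(word) is a class member, so any
    run of 5 of them (the encoded word is 7 chars) matches the filter."""
    return base64_chars(word) <= CLASS_CHARS


def hex_overlap() -> str:
    """Hex digits that are also class members: why random hex session ids
    (forum and private-message links) can trip the filter by chance."""
    return "".join(sorted(CLASS_CHARS & set("0123456789abcdef")))


def is_blocked(query_string: str) -> bool:
    """Same decision mainfile.php makes on the raw $_SERVER['QUERY_STRING']."""
    return NUKECOPS_RE.search(query_string) is not None


# Constructed sample query strings (not taken from the page).
SAMPLES = {
    "plain_upper":   "name=News&file=article&sid=1 UNION SELECT 1,2,3",
    "b64_upper":     "name=News&sid=" + base64.b64encode(b"UNION").decode(),  # VU5JT04=
    "b64_lower":     "name=News&sid=" + base64.b64encode(b"union").decode(),  # dW5pb24=
    "forum_index":   "name=Forums&file=index&sid=7",
    "forum_hex_sid": "name=Forums&file=viewtopic&sid=3fe02b4d58c1",  # made-up session id
}


def classify_samples() -> dict:
    """Which samples the filter would slap; forum_hex_sid is a false positive."""
    return {name: is_blocked(qs) for name, qs in SAMPLES.items()}


if __name__ == "__main__":
    print("base64(UNION) chars:", sorted(base64_chars("UNION")), covered_by_class("UNION"))
    print("base64(union) chars:", sorted(base64_chars("union")), covered_by_class("union"))
    print("hex digits inside the class:", hex_overlap())
    for name, blocked in classify_samples().items():
        print(f"{name:14s} blocked={blocked}")
```

The constructed hex session id is blocked purely because six of the sixteen hex digits sit inside the class, which is consistent with the forum and private-message false positives reported in the comments.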

ADMIN'S NOTE: If you are looking for this quality of protection but would still like to use Raven's hack alert script so that you are notified, you can see an example of a hybrid here in the Nuke Security forum.
Posted on Thursday, April 22 @ 23:47:05 CEST by Zhen-Xjell
Re: UNION SQL Injections - A Cure All Once & For All (Score: 1)
by FHFGhost on Friday, April 23 @ 00:26:34 CEST
(User Info | Send a Message) http://www.fubarfish.com
I got it to work but I had to add two characters.

="http://nukecops.com">

I added it just after the commented section of the mainfile.php.



Re: UNION SQL Injections - A Cure All Once & For All (Score: 1)
by Imago on Friday, April 23 @ 01:01:48 CEST
(User Info | Send a Message) http://www.euronuke.org
What was wrong with the old fix?

$query_string = getenv ("QUERY_STRING");
if (preg_match ("/UNION|FROM|OUTFILE|nuke_authors|nuke_users/i", $query_string)) {
die ("Thank you! Your data have been logged and sent to the administrator of this site!");
}



Re: UNION SQL Injections - A Cure All Once & For All (Score: 1)
by nobleclem on Friday, April 23 @ 01:02:16 CEST
(User Info | Send a Message) http://hackerassassins.com
Just out of curiosity... I am not very good with preg stuff, but what is it searching for?



Re: UNION SQL Injections - A Cure All Once & For All (Score: 1)
by robertr994 on Friday, April 23 @ 02:45:18 CEST
(User Info | Send a Message)
I couldn't get it to work. Are you sure the code posted is right?



Re: UNION SQL Injections - A Cure All Once & For All (Score: 1)
by MisterWORK on Friday, April 23 @ 03:28:14 CEST
(User Info | Send a Message) http://protector.warcenter.se
Great thing here Zhen, I'll test this when I get home ;-) and report back all I can find out.



Re: UNION SQL Injections - A Cure All Once & For All (Score: 1)
by Zhen-Xjell on Friday, April 23 @ 07:11:48 CEST
(User Info | Send a Message) http://castlecops.com
Like FHFGhost said & thanks, ensure you put slash marks before the quotes.

"http://nukecops.com"

Re-stating the article: it's blocking UNION in plain text and base64 encoding. None of the other hacks released by others do this.



Re: UNION SQL Injections - A Cure All Once & For All (Score: 1)
by Peejay on Friday, April 23 @ 09:53:02 CEST
(User Info | Send a Message) http://www.peejay.info
For the life of me I'm just not putting these slashes where they're supposed to go. I get the parse error and I'm putting them before the quotes at the a href line:

//Copyright Zhen-Xjell 2004 http://nukecops.com
//Beta Code to prevent UNION SQL Injections
if (preg_match("/([dnW5uIpb2N4VUJT0iO]{5})/", $_SERVER["QUERY_STRING"])) { die("YOU ARE SLAPPED BY
NUKECOPS"); }



Re: UNION SQL Injections - A Cure All Once & For All (Score: 1)
by DivideByZero on Friday, April 23 @ 10:57:15 CEST
(User Info | Send a Message) http://www.ForwardObserver.us
My site was recently the victim of a SQL injection attack too. Luckily it wasn't a malicious one. I found this great script from Raven called Hackalert that gathers the hacker's info and sends it in an email to you. It also posts it on the screen for the attempted hacker to see too! You can find Hackalert here: http://ravenphpscripts.com/downloads-cat12.html



Re: UNION SQL Injections - A Cure All Once & For All (Score: 1)
by chatserv on Friday, April 23 @ 11:19:43 CEST
(User Info | Send a Message) http://nukeresources.com
I'd like to point out that, even while I have not tested this hack, regardless of what method you use now you can safely combine this one with your current one. I don't see anything in the above code that would interfere with your current protection or be interfered with by your own code. As a matter of fact, when dealing with security measures there is no such thing as too much protection, especially with a CMS as popular as PHP-Nuke. On that note, do not fall for the false pretense that moving to a less known CMS will keep you safe. From personal experience I can tell you that no other program is exempt from vulnerabilities and/or attacks; if it can be accessed through the net it is prone to a vast array of attacks that will range from attacks on the actual site files to more advanced attacks on server software. This in no way implies you should pack your things and run scared; it just suggests you should practice common sense regardless of what you use as the backbone of your website. Regular backups of files and/or database tables should be your first rule of maintenance.



Re: UNION SQL Injections - A Cure All Once & For All (Score: 1)
by ladysilver on Friday, April 23 @ 12:52:08 CEST
(User Info | Send a Message) http://www.nukediva.us
I had my first trigger of Raven's hackattempt after installing the new code as modified to point to hackattempt.php in sting's post. It looks like a member was doing a forum search. I will be happy to forward complete info via a PM or feedback, but in a public comment I'll be a bit more generic. Info in () was replaced.

This is info on the trigger:

HTTP_REFERER : http://(www.mysite.ext)/modules.php?name=Forums&file=search&search_author=(MemberName)

REQUEST_METHOD : GET

QUERY_STRING : name=Forums&file=index&sid=(post SID)

REQUEST_URI : /hackattempt.php?name=Forums&file=index&sid=(postSID)



Re: UNION SQL Injections - A Cure All Once & For All (Score: 1)
by waraxe on Friday, April 23 @ 14:55:47 CEST
(User Info | Send a Message)
First of all I wanted to say: this filtering code is useless. A little change in the SQL injection code and the filter can be evaded.
Second: I suggest reading this whitepaper:

http://www.imperva.com/application_defense_center/white_papers/sql_injection_signatures_evasion.html




After testing, about 22% produced False Positives. (Score: 1)
by Darby_2k4 on Friday, April 23 @ 20:01:54 CEST
(User Info | Send a Message)
I have visited 90 pages on my site.

10 of them were deliberate UNION sql injections by me. Your script caught them all.

60 pages were unaffected.

20 pages were also caught by the script as being hack attempts although they weren't.

Of those 20, 18 came from the forums/private messaging. Only 2 were from elsewhere. 1 was from a search on news articles (I did a search for "union chapters in my region", so I guess that could count as a test... but if I wanted to do a search for real unions that might be a hassle) and the other one was, well, it was weird. I was just clicking a "read more..." link. No queries. And I still got slapped.

Hope that helps Paul.



Re: UNION SQL Injections - A Cure All Once & For All (Score: 1)
by shedrock on Saturday, April 24 @ 07:37:10 CEST
(User Info | Send a Message) http://lorkan.com
I noticed a problem with this fix. When I click on any of my forums, I get the error message as if I was trying to hack my own site, and I wasn't.

Anyone else experienced this problem?


Nuke Cops founded by Paul Laudanski (Zhen-Xjell)