Nuke Cops :: View topic - GET RID OF UNION HACKS 100%
djmaze
Captain
Joined: Nov 29, 2003
Posts: 566
Location: Netherlands
Posted: Fri Apr 23, 2004 3:43 am

Everyone is preventing UNION hacks by reading the query_string $_GET variables and other preventions but without seeing a point which works 100%:

"Modify the query itself"

in db/mysql.php replace
Code:
    function sql_query($query = "", $transaction = FALSE)
    {
        // Remove any pre-existing queries
        unset($this->query_result);
        if($query != "")
        {
            $this->query_result = @mysql_query($query, $this->db_connect_id);
        }
        if($this->query_result)
        {
            unset($this->row[$this->query_result]);
            unset($this->rowset[$this->query_result]);
            return $this->query_result;
        }
        else
        {
            return ( $transaction == END_TRANSACTION ) ? true : false;
        }
    }
with
Code:
    function sql_query($query = "", $transaction = FALSE)
    {
        // Remove any pre-existing queries
        unset($this->query_result);
        if($query != "")
        {
            // Neutralise the UNION keyword before the query reaches MySQL (the 0 is a zero)
            $query = eregi_replace('union','UNI0N', $query);
            $this->query_result = @mysql_query($query, $this->db_connect_id);
        }
        if($this->query_result)
        {
            unset($this->row[$this->query_result]);
            unset($this->rowset[$this->query_result]);
            return $this->query_result;
        }
        else
        {
            return ( $transaction == END_TRANSACTION ) ? true : false;
        }
    }


UNION is never used in the MySQL queries, so replace UNION with UNI0N and done.

_________________
Famous people never give their signature
http://www.cpgnuke.com <- back online thanks to dedicatednow.com
Don't ask me to be admin on your site please
Raven
General
Joined: Mar 22, 2003
Posts: 5233
Location: USA
Posted: Fri Apr 23, 2004 4:37 am

First of all, there is no standard, requirement, nor anything that requires that sql_query is used. MANY addons that I have come across don't. That is the reason why the $_GET will catch it more times than sql_query. Secondly, how are you expecting to stop the exploit by altering the case? It's the UNION functionality that is exploited, not the case sensitivity of the word. I get union attacks in all kinds of different ways.

_________________
Those who hear not the music think the dancers mad.
Raven Web Hosting|My Scripts & Stuff
Def
Sergeant
Joined: Feb 08, 2004
Posts: 105
Posted: Fri Apr 23, 2004 5:19 am

He's not altering the case, he's altering the "o" to a "0" (zero), thus making the string different.
Raven
General
Joined: Mar 22, 2003
Posts: 5233
Location: USA
Posted: Fri Apr 23, 2004 5:22 am

Def wrote:
He's not altering the case, he's altering the "o" to a "0" (zero), thus making the string different.

Thanks Def. I stared at that for many minutes before commenting on it. Being 54 with only one eye that works (most of the time) ....

Jeruvy
Lieutenant
Joined: Jul 09, 2003
Posts: 293
Posted: Fri Apr 23, 2004 6:20 am

DJmaze, you haven't been reading the latest exploits, have you?

Let me quote one of the latest.

Quote:
bypass this authentication step, we must use UNION functionality, constructing "cookie" like this:

x'%20UNION%20SELECT%201/*:1

which gives to us after base64encode operation the string eCcgVU5JT04gU0VMRUNUIDEvKjox .

As we can see, in first authentication step in auth.php script, pwd from database is pulled out, but because we use UNION method, we can fake the pwd to be "1". If we look at "cookie", after the ":", we

Since this UNION is passed in base64 encoding, how is a simple expression evaluation going to matter here?

_________________
J.
j e r u v y a t y a h o o d o t c o m
Zhen-Xjell
Nuke Cops Founder
Joined: Nov 14, 2002
Posts: 5939
Posted: Fri Apr 23, 2004 9:44 am

My patch from last night will resolve all union injections completely (right now some measure of false positive exists). It accounts for plaintext and base64 case sensitive UNION.

As an aside...

I've been noticing lately on boards across the net that credit is not being properly assigned and historical data is being wiped out. Seeing that we're all honorable here, I want to ensure things like this survive not only in the public dictionary, but also inside code we all use.

Allevon was the founder of the technology I've seen delivered by Raven's script. Allevon has done a lot of work that has since fallen out of memory.

Myself included... I've released code that is no longer being credited to me. One such piece is the Googletap Karakas book entry. I've asked him to update that to reflect my coining of the term 'googletap' as well as being the guiding force and coder of the project.

Knowing the history of projects is a vital way to lock ourselves into PHP-Nuke. It's not a single person, but a family of developers who contribute to the internal and external code.

I ask everyone to remember this and assign credits appropriately, and to maintain those credits. It's the least one may do for code assigned GNU GPL.

Thanks

_________________
Paul Laudanski, Microsoft MVP Windows-Security
CastleCops: [de] [en] [wiki]
alexm
Nuke Soldier
Joined: Dec 23, 2003
Posts: 19
Posted: Fri Apr 23, 2004 10:35 am

Jeruvy wrote:
Since this UNION is passed in base64 encoding, how is a simple expression evaluation going to matter here?

Because he's catching the "union" as it's passed to the underlying database layer. It's already base64 decoded (or whatever injection method was used) at this point.

Essentially, if you're trying to execute a query with "union" in it, it won't work.

It's sorta like fighting a forest fire by tossing water on the fire instead of trying to drown every book of matches in the world...

It does have the odd side effect of doing things like changing "The Soviet Union" into "The Soviet UNI0N" just about anywhere you stuff text into a database...

Perhaps another solution would be to trap patterns of "union\s.*select" ?
waraxe
Nuke Cadet
Joined: Apr 23, 2004
Posts: 2
Posted: Fri Apr 23, 2004 12:48 pm

I suggest reading this whitepaper:

http://www.imperva.com/application_defense_center/white_papers/sql_injection_signatures_evasion.html

So, if we use something like this: UNI/**/ON, then traditional filtering can be easily evaded.

Waraxe
Sp4c3J4m
Corporal
Joined: Mar 21, 2004
Posts: 56
Location: Brazil
Posted: Fri Apr 23, 2004 1:01 pm

Hey Maze

I'm using your hack, BUT it's simpler to say that you should just ADD one LINE to the code.

That's what I'm using:

Code:
   function sql_query($query = "", $transaction = FALSE)
   {
      // Remove any pre-existing queries
      unset($this->query_result);
      if($query != "")
      {
         $query = eregi_replace('union','UNI0N', $query); //Djmaze suggestion
         $this->query_result = @mysql_query($query, $this->db_connect_id);
      }
      if($this->query_result)
      {
         unset($this->row[$this->query_result]);
         unset($this->rowset[$this->query_result]);
         return $this->query_result;
      }
      else
      {
         return ( $transaction == END_TRANSACTION ) ? true : false;
      }
   }


I think this way is better:
Code:
  $query = eregi_replace('union','UNI0N', $query); //Djmaze suggestion

Putting the name there, SO, if something WRONG happens in the future, I remember who to chase! Or, the other way around, who to thank!

djmaze
Captain
Joined: Nov 29, 2003
Posts: 566
Location: Netherlands
Posted: Fri Apr 23, 2004 8:01 pm

alexm wrote:
Essentially, if you're trying to execute a query with "union" in it, it won't work.

It's sorta like fighting a forest fire by tossing water on the fire instead of trying to drown every book of matches in the world...

It does have the odd side effect of doing things like changing "The Soviet Union" into "The Soviet UNI0N" just about anywhere you stuff text into a database...

Perhaps another solution would be to trap patterns of "union\s.*select" ?

This is just a first fix, but yes, it has side effects.
A better way would be to split the string, find all matches for UNION and check which word comes after it.
But I'm just too lazy to do it, and after all, who posts the word Union much?

preg_split ( string pattern, string subject [, int limit [, int flags]])
And then use something like
Code:
// split on "union<whitespace>select" (case-insensitive); empty parts are kept on
// purpose so a UNION at the very start of the query is rewritten as well
$query_parts = preg_split('/union\s+select/i', $query);
// and then merge the query_parts:
if (count($query_parts) > 1) {
    $query = implode('UNI0N SELECT', $query_parts); // a ZERO, not an O
}
This code isn't tested

Darby_2k4
Nuke Soldier
Joined: Apr 15, 2004
Posts: 32
Posted: Sat Apr 24, 2004 6:16 am

I think that cutting off the UNION attacks at the sql query level is probably the *best* way to solve the problem. I had assumed, falsely, that this step was already in place. My mistake, I know, for assuming anything.

But searching for UNION SELECT won't solve waraxe's problem though....and they could do UNION ALL|DISTINCT SELECT, so you would need to search for other words between the two as well.

To solve waraxe's problem I think an easy solution would be to strip out any SQL comment characters first using something simple like str_replace (lower overhead than a preg), THEN do a preg match. OR fit the two of them together with a preg_replace. But I think a preg_replace has more overhead than a simple str_replace followed by your usual preg. (Both of those are simple, while the preg_replace is complex searching/filtering....so I guess it would require some testing to check the speed differences).

UNION is only available in versions 4.0.0+ of MySQL, so you could always just dumb down your version of MySQL to 3.23 if you have that kind of access.
djmaze
Captain
Joined: Nov 29, 2003
Posts: 566
Location: Netherlands
Posted: Sat Apr 24, 2004 10:14 am

The above preg_split can easily take the other keywords too, if you know about Perl regex patterns:
Code:
// split on "union<whitespace>all|distinct|select" (case-insensitive); empty parts
// are kept on purpose so a UNION at the very start of the query is rewritten as well
$query_parts = preg_split('/union\s+(all|distinct|select)/i', $query);
// and then merge the query_parts:
if (count($query_parts) > 1) {
    $query = implode('UNI0N SELECT', $query_parts); // a ZERO, not an O
}


and the /i means case-insensitive

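An added test harness, not code from the thread or from PHP-Nuke, that runs the UNI0N rewrite from djmaze's posts (both the plain eregi_replace form and the preg_split form) and Darby_2k4's comment-stripping idea against the "Soviet Union" false positive alexm describes and the UNI/**/ON form waraxe quotes, then contrasts them with a bound parameter, which needs no keyword rewriting at all. It assumes PHP 7.1+ with the bundled pdo_sqlite extension; the users table, its row and the sample queries are constructed inline.

```php
<?php
// Added example, not code from the thread or from PHP-Nuke. It exercises the
// thread's UNI0N rewrite against the cases alexm, waraxe and Darby_2k4 raise,
// then shows a bound parameter, which makes the rewrite unnecessary.
// Runs offline with PHP's bundled pdo_sqlite; the users table is constructed here.

// djmaze's first version (eregi_replace is gone in PHP 7+; str_ireplace behaves the same here)
function filter_plain(string $q): string {
    return str_ireplace('union', 'UNI0N', $q);
}

// djmaze's preg_split version, collapsed to the essentially equivalent preg_replace
function filter_preg(string $q): string {
    return preg_replace('/union\s+(all|distinct|select)/i', 'UNI0N SELECT', $q);
}

// Darby_2k4's refinement: strip the comment form waraxe quoted, then apply the pattern
function filter_preg_no_comments(string $q): string {
    return filter_preg(str_replace('/**/', '', $q));
}

function demo(): array {
    $legit   = "INSERT INTO stories (title) VALUES ('The Soviet Union')";       // constructed
    $evasion = "SELECT pwd FROM users WHERE uname='x' UNI/**/ON SELECT 1/*";    // waraxe's form, from the thread
    return [
        'plain_mangles_legit'  => filter_plain($legit) !== $legit,             // true: alexm's side effect
        'preg_keeps_legit'     => filter_preg($legit) === $legit,              // true: narrower pattern
        'plain_misses_evasion' => filter_plain($evasion) === $evasion,         // true: keyword never appears whole
        'preg_misses_evasion'  => filter_preg($evasion) === $evasion,          // true
        'stripped_catches_it'  => filter_preg_no_comments($evasion) !== $evasion, // true, for this one comment form only
    ];
}

// Bound parameter: the cookie value is sent as data, so the server never parses it as SQL.
function lookup_pwd_bound(string $uname): ?string {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec("CREATE TABLE users (uname TEXT, pwd TEXT)");
    $db->exec("INSERT INTO users VALUES ('alice', 'constructed-hash')");  // constructed row
    $st = $db->prepare("SELECT pwd FROM users WHERE uname = ?");
    $st->execute([$uname]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    return $row ? $row['pwd'] : null;
}

print_r(demo());
var_dump(lookup_pwd_bound("x' UNION SELECT 1/*"));  // NULL: the thread's cookie payload is just an unknown name
var_dump(lookup_pwd_bound('alice'));                // string "constructed-hash"
```

Every blacklist variant in the thread is either too broad (rewriting legitimate text) or too narrow (missing a spelling it did not anticipate), whereas the bound parameter is indifferent to what the string contains.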
edogs
Lieutenant
Joined: Sep 10, 2003
Posts: 172
Location: Russia
Posted: Sat Apr 24, 2004 10:48 am

Guys, I don't mean to teach you.
But a big part of the problem can easily be solved by restricting access to the admin.php file using the web server's own tools.
Even if the evil guy adds a new admin into the DB, or gets a password, what will this hacker do next?
Try to access admin.php? But there is another password there.
Definitely that solution solves the problem with "addauthor" and many more.
Imago
Captain
Joined: Jan 17, 2003
Posts: 629
Location: Europe
Posted: Sat Apr 24, 2004 11:30 am

I have installed Paul's "antihack" and started getting messages from registrants failing to validate their registration. Some of them know about "Slapped by Nukecops"; others, however, wondered why Nukecops should slap them.

_________________
www.vdsp.net | www.indopedia.org | www.orientalia.org | www.indology.net | www.yogadarsana.org | www.husserl.info | www.medicum.net
djmaze
Captain
Joined: Nov 29, 2003
Posts: 566
Location: Netherlands
Posted: Sat Apr 24, 2004 1:35 pm

Zhen-Xjell wrote:
I've been noticing lately on boards across the net that credit is not being properly assigned and historical data is being wiped out. Seeing that we're all honorable here, I want to ensure things like this survive not only in the public dictionary, but also inside code we all use.

Allevon was the founder of the technology I've seen delivered by Raven's script. Allevon has done a lot of work that has since fallen out of memory.

Myself included... I've released code that is no longer being credited to me. One such piece is the Googletap Karakas book entry. I've asked him to update that to reflect my coining of the term 'googletap' as well as being the guiding force and coder of the project.

Knowing the history of projects is a vital way to lock ourselves into PHP-Nuke. It's not a single person, but a family of developers who contribute to the internal and external code.

I ask everyone to remember this and assign credits appropriately, and to maintain those credits. It's the least one may do for code assigned GNU GPL.

Thanks

Well, if you put this incredible protection in phpnuke, then give credit to cpgnuke.com somewhere.
