Tables erased by hacker

rivka

I've written a script for distribution (which I haven't quite released yet). One of my beta-testers had a situation where someone managed to erase his mySQL tables, and all the data within them. How could this have happened?

1) The database login and password are stored in a php file called dbconfig.php, in a folder called data. In my install instructions, I tell the person to place that folder outside the web directory (i.e. up a level), and the path to that folder is set in the settings. The person in question did not do this, and placed the data folder in their main web directory. Is this the likely culprit? Somehow, someone managed to read that file and get the login and password?

2) Something else? What are some ways that a script can be insecure, and allow someone to do something like this? There are certain areas in the script where people are submitting information through a form -- is this where it could have happened? And if so, how exactly could it have happened, and what can I do to fix the script to keep it from happening?

laserlight

Well, there is the possibility of SQL injection, where a malicious user could attempt to alter the SQL query that is processed.

The general method used to avoid that is to check that the datatypes received are as expected, and to escape certain characters such as quotes.

stolzyboy

there are many different ways a h@x0r can gain access to your server, using one of your script, via ftp, or via telnet, the easiest way that i have noticed is the ftp method, once logged in to a server that isn't completely secure, they can gain access all the way to the root of the maching, also telnet is also an attainable method of access to a server, where a person can do a lot more damage, but is usually easier to track, looks like you have been OWNED at any rate, i wouldn't coun't on it just being your script or the person who is using this script, i would look in other directions, check log files, etc............

Good Luck man

Frederick

if the variables are set in the dbconfig.php, then i think the person who owns the site messed up. the code is not visible to the source and you can not call that page directly if there are no echos in it. You'll jsut get a blank page with no source if you call the config file

stolzyboy

i think a view source is the least of his problems as i stated in the previous post

rivka

You're right -- it's unlikely that they would be able to view the dbconfig file, since all it would output is a white page. So that leaves two possibilities:

1) The user didn't have a secure server or password -- the first seems unlikely, as it's a fairly sizeable host with a good reputation, although I guess it's possible. An easy to guess password is always possible, but I checked with the guy in question, and he says his password is a mixture of letters and numbers, and not at all easy to guess.

2) My code is sloppy or has holes in it. Which is definitely possible 😉

I lean towards it being option #2. There are certain things about the script that are inherantly insecure, that I've tried my best to shore up, such as:

needing a specific folder to be chmoded to 777 (or someone being knowledgeable enough or the ability to know how to change the group/owner, which is rare)
include()ing of .txt files from the above folder
file uploads

I've tried to minimize possible damage by using strip_tags on everything that is uploaded and included, but obviously, that was not enough. Should I be using htmlspecialchars in addition to strip_tags? Incidentally, the script requires that magic_quotes be set to on for it to work...is there a security hole in doing that?

laserlight, I'm intrigued by your mention of SQL injection -- how exactly can it be done, and better yet, how can it be prevented?

Frederick

i created this for free download, it will block very well and is very customizable. download it and use it as you choose.

http://mcmfriends.net/members/index.php

matt_4013

Rivka, probably the easiest example of an sql injection is this:

You have a login form, has a username field, a password field, and a submit button. This form submits to your form handler page, which queries your mysql database. You have written your code so that if the query returns true, then the user is given access. eg:

$sql = "SELECT id FROM users WHERE username='".$_POST['username']."' AND password='".$_POST['password']."'";
$result = mysql_query($sql);

if($result) { 
// Give user access
}

Recognize that? It's pretty common. Let's look at this situation.

The malicious user in question puts "HaXx0r" as his/her username. (Note, this is not a valid username).
In the password field the user then puts this:

foo' OR 1=1--

The query that is then formed from this is:

SELECT id FROM users WHERE username='HaXx0r' AND password='foo' OR 1=1

(the -- ignores the rest of the query, avoiding the final ' ).

Think about this query. It will ALWAYS return a result, because 1 is always = 1, and as such the malicious user now has access using an invalid username and password.

That's an sql injection 🙂

Now, how to avoid this!

PHP has a whole bunch of functions that'll stop this for you, but it sucks to remember to do it on every variable that you're going to put into a database. As such, I've created a nice little function that will clean it up. I'm sure there's a hundred thousand or so of them out there, but this one works for me!

function clean_input($needle) {

	if(is_array($needle)) {

		$haystack = array();

		foreach($needle as $k=>$v) {

			$haystack[$k] = (!get_magic_quotes_gpc()) ? mysql_escape_string($v) : $v;
			$haystack[$k] = trim($haystack[$k]);
		}
	} else {
		$haystack = (!get_magic_quotes_gpc()) ? mysql_escape_string($needle) : $needle;
		$haystack = trim($haystack);
	}

	return $haystack;
}

Run your input through that, eg:

$input = clean_input($_POST);

and it will clean it up for you, then just refer to it using $input.

This would make the above sql injection useless, because it would look like this:

SELECT id FROM users WHERE username='HaXx0r' AND password='foo\' OR 1=1--'

(Notice the ' after foo is escaped).

Hope that helps,
Matt

rivka

Hi,
I understand the concept, but I have yet to get it work with my script. Will something like what you just showed work with magic_quotes enabled? With your specific example, wouldn't:

foo' OR 1=1--

get output after submitting the form as:

foo\' OR 1=1--

which would make the sql query look like so:

SELECT id FROM users WHERE username='HaXx0r' AND password='foo\' OR 1=1

which wouldn't work the way the hacker wanted.

I've been trying to duplicate the various SQL injection examples I've found in other places and on this forum, and so far, none of them have worked, because the single (or double) quote gets escaped by magic_quotes. Is there some other way to do a SQL injection?

I'm wondering if the security hole might not be in the text files that are written to the server using fopen/fwrite, and then fread later in a different page. All of the content of those files are run through strip_tags -- is that enough to prevent someone somehow from doing some sort of php code that would erase the tables?

matt_4013

Yep, that's what magic_quotes is for. If you notice in my function it checks whether magic quotes is set, because otherwise it will escape it twice, and that's not fun 😉

There's not really any other way to do an sql injection, afaik, and i've done quite an extensive study on it.

strip_tags should strip anything malicious from those files. If you've done all this, (magic quotes, strip_tags), I'd be more inclined to think that it was a server setup problem.

Could it also be a "clumsy admin" problem? I've had that before. A person came to me saying my script had been compromised, but the system logs, and my application auditing actually showed that they accidentally deleted some sensitive data, and were trying to cover their own ass. 🙁

rivka

It's possible, I suppose. I wonder how I can ask him without sounding accusing...