NYCPHP Meetup

NYPHP.org

[nycphp-talk] Injection Attack, any ideas?

Jake McGraw jmcgraw1 at gmail.com
Wed Nov 7 00:17:14 EST 2007


Try:

http://cl1p.net/

I'd be willing to take a look after you post it.

- jake

On Nov 7, 2007 12:12 AM,  <mikesz at qualityadvantages.com> wrote:
> Hello Jake,
>
>
> Wednesday, November 7, 2007, 12:52:11 PM, you wrote:
>
> > Without divulging who your client is, would it be possible to remove
> > any references to their site/company from the offending code and post
> > it here? Without access to your registration.php script I think we'll
> > all just be wasting our time with wild guesses.
>
> > - jake
>
> > On Nov 6, 2007 11:31 PM,  <mikesz at qualityadvantages.com> wrote:
> >> Hello All,
> >>
> >> I have a client site that has a registration form with a captcha image
> >> that is supposed to prevent spammers from dumping their junk. The form
> >> has two text input windows and a fair amount of personal information
> >> is collected as well.
> >>
> >> I just noticed that this client has been getting regular injection
> >> attacks that have been failing because it is a comment spammer and the
> >> INSERT query is failing on a duplicate key error. For privacy and
> >> security reasons I can not post the error message but it cites the php
> >> file name and the injection looks like it is being added to one of the
> >> text boxes.
> >>
> >> The form has "Required" fields as well as a check function that is
> >> supposed to check for valid input. All of those fields are empty in the
> >> query that failed.
> >>
> >> The question is, actually multiple related questions:
> >>
> >> First, how did that bad guy "execute" the query without hitting the
> >> submit button or entering the captcha code, and how did it bypass the
> >> check function? It seems like the query was sent directly to the
> >> database through the registration.php program but I have no clue how
> >> that could have happened. I need to plug this hole but don't have any
> >> idea where to start looking for it.
> >>
> >> I have tried running the query like registration.php?query but that
> >> didn't work.
> >>
> >> Any ideas about how I can reproduce this problem would be greatly
> >> appreciated, and any suggestions about how to fix it would be even more
> >> greatly appreciated. 8-)
> >>
> >> Thanks for your attention.
> >>
> >>
> >> --
> >> Best regards,
> >>  mikesz                          mailto:mikesz at qualityadvantages.com
> >>
> >> _______________________________________________
> >> New York PHP Community Talk Mailing List
> >> http://lists.nyphp.org/mailman/listinfo/talk
> >>
> >> NYPHPCon 2006 Presentations Online
> >> http://www.nyphpcon.com
> >>
> >> Show Your Participation in New York PHP
> >> http://www.nyphp.org/show_participation.php
> >>
>
> Actually, the script code is not a problem, but it's over 500 lines of
> code so I am not sure it is appropriate to post it here?
>
>
> --
>
> Best regards,
>  mikesz                            mailto:mikesz at qualityadvantages.com
>
>


