[nycphp-talk] Injection Attack, any ideas?
bz-gmort at beezifies.com
bz-gmort at beezifies.com
Wed Nov 7 07:29:49 EST 2007
mikesz at qualityadvantages.com wrote:
> First how did that bad guy "execute" the query without hitting the
> submit button or entering the captcha code and how did it bypass the
> check function.
You're running queries before you do your captcha check in your code.
if (!isset($_POST['securityImageValue']) || !isset($_SESSION['strSec'])
    || md5($_POST['securityImageValue']) != $_SESSION['strSec'])
{
    $page = $join_pages_num;
    $add_on .= report_err ( _t("_SIMG_ERR") );
}
Is halfway down the page, and even after the code notices there is no
security image, it STILL keeps running and performing queries.
As for sending without hitting the submit, all forms have to post their
data to something, the submit button is just for a human to use.
> I have tried running the query like registration.php?query but that
> didn't work.
Try registration.php?page=1'INSERT but I would suppose that depends on
your server how it would end up dealing with that.
> Any ideas about how I can reproduce this problem would greatly
> appreciate and any suggestions about how to fix it would be even more
> greatly appreciated. 8-)
I'm assuming you don't have the time/money to really rewrite your code
properly and have it commented so you can understand it.
As such, here are a couple of lazy solutions:
Follow the instructions to download and install it from the FAQ
http://php-ids.org/faq/
Take their sample code and stick it at the top of the code you want to
protect.
Change these lines:
if (!$result->isEmpty()) {
    // Take a look at the result object
    echo $result;
}
Into
// $result is the report object returned by PHPIDS' run() in their sample code
if (!$result->isEmpty()) {
    // Take a look at the result object
    if ($result->getImpact() > 10) {
        // Being lazy here, abort potential attack
        // you really ought to be logging this stuff somewhere
        exit;
    }
}
Adjust the impact number (in my example, 10) until you have a number that
catches attackers but not legitimate traffic.
Also modify the lazy solution and have it notify you in some manner,
log, email, whatnot about what it did.
Another lazy solution, if you have full control over your server and are
running Apache2, is to use mod_security http://www.modsecurity.org/
Both these solutions do nothing to fix your code, so when someone finds
a way to circumvent their detection algorithms you are still as
vulnerable as ever. They're just quick fixes until you can have your code
rewritten.
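As an added example, not code from the thread or from the registration script under discussion: the two fixes the reply points at (check the CAPTCHA before any query runs and stop on failure; never concatenate request data into SQL), shown side by side against an in-memory SQLite database. It assumes PHP 5.6+ with the pdo_sqlite extension; the table, the request and session arrays, and the function names are all constructed for the demonstration.

```php
<?php
// Added example, not from the original post. Assumes pdo_sqlite is available.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE members (id INTEGER PRIMARY KEY, email TEXT NOT NULL)');

// Same shape as the vulnerable script: the CAPTCHA failure is only noted,
// execution continues, and the request value is spliced straight into SQL.
function register_vulnerable(PDO $db, array $post, array $session): string
{
    $errors = '';
    if (!isset($post['securityImageValue']) || !isset($session['strSec'])
        || md5($post['securityImageValue']) != $session['strSec']) {
        $errors .= 'bad security image; ';   // noted, but nothing stops here
    }
    // Attacker-controlled string concatenated into the statement.
    $db->exec("INSERT INTO members (email) VALUES ('" . $post['email'] . "')");
    return $errors;
}

// Hardened shape: check first, return before touching the database,
// and bind the value so quotes in it are data, not SQL.
function register_hardened(PDO $db, array $post, array $session): bool
{
    if (!isset($post['securityImageValue'], $session['strSec'])
        || !hash_equals($session['strSec'], md5($post['securityImageValue']))) {
        return false;                        // no query runs at all
    }
    $stmt = $db->prepare('INSERT INTO members (email) VALUES (:email)');
    $stmt->execute([':email' => $post['email']]);
    return true;
}

// Constructed request: no CAPTCHA answer submitted (no submit button needed,
// a POST is a POST), plus an email that closes the quote and adds a row.
$post    = ['email' => "x@example.com'),('injected@example.com"];
$session = ['strSec' => md5('abcd')];   // the answer the session expects

register_vulnerable($db, $post, $session);
$afterVulnerable = (int) $db->query('SELECT COUNT(*) FROM members')->fetchColumn();
// 2 rows: the failed CAPTCHA did not stop the query, and the quote broke out.

$ok = register_hardened($db, $post, $session);
$afterHardened = (int) $db->query('SELECT COUNT(*) FROM members')->fetchColumn();
// $ok is false and the count is still 2: nothing reached the database.

// With the right CAPTCHA value the same email is stored verbatim as ONE row.
$post['securityImageValue'] = 'abcd';
register_hardened($db, $post, $session);
$stored = $db->query('SELECT email FROM members WHERE id = 3')->fetchColumn();

printf("vulnerable: %d rows, hardened without captcha: %s, hardened with captcha stored: %s\n",
    $afterVulnerable, var_export($ok, true), $stored);
```

Run it with `php example.php`; the vulnerable path leaves two rows from a single request, the hardened path refuses the request outright when the CAPTCHA is missing, and when it is present the prepared statement stores the quote-laden email as plain data. The ordering is the point: the check has to come before the first query and has to end the request, not just append an error string.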