
Advance SQL Injection Attacks

Discussion in 'PHP' started by cancer10, Oct 28, 2008.

  1. #1
    Hi,

    I was going through my site stats and found that some SQL injections had been passed through my site's query string.

    This was the query string passed to one of the pages. (Note: For security reasons I have replaced my original table and column names in the code below.)

    ?action=show&id=-5 union select 1,2,3,concat_ws(0x3a3a,xuser,xpass),5,6,7,8,9,10,11,12,13 from mytbl_login--
    Code (markup):

    I have taken care of the SQL injection attacks and hence I am using the following function everywhere in my code to bypass any SQL injections.

    function antisql($data){
        // get_magic_quotes_gpc() must be called as a function; the bare name
        // was treated as an (always true) string constant, so stripslashes()
        // ran even when magic quotes were off.
        if(get_magic_quotes_gpc()){
            // Undo the slashes PHP added automatically so they are not doubled.
            $data1 = stripslashes($data);
        }else{
            $data1 = $data;
        }
        // Escapes quotes and backslashes only; it does not touch keywords,
        // spaces or commas, so it only protects values placed inside quotes.
        return mysql_real_escape_string($data1);
    }
    Code (markup):


    I am not posting this thread to know what SQL injection is. I know what it is. :)

    A few things I want to know are:

    1) How did they know my column names (xuser and xpass) and table name (mytbl_login)?

    2) Why didn't the antisql() function prevent that SQL injection attack?

    3) What is the above querystring actually doing?


    Some info:
    My site is made in PHP/MySQL and is running on CentOS.


    Thank you so much for your help in advance.
     
    cancer10, Oct 28, 2008 IP
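Added example, not code from the thread: a Python/sqlite3 model of the pattern in post #1 (sqlite3 instead of MySQL so it runs offline). It shows why antisql() cannot stop this query string: the id is placed in an unquoted numeric context and the payload contains no quotes, so escaping changes nothing. The hardened form whitelists an integer and binds it as a parameter. Table names and sample rows are constructed.

```python
import re
import sqlite3

# Constructed in-memory stand-in for the thread's (renamed) tables.
def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE posts (id INTEGER, title TEXT, body TEXT)")
    con.execute("INSERT INTO posts VALUES (5, 'hello', 'world')")
    con.execute("CREATE TABLE mytbl_login (xuser TEXT, xpass TEXT)")
    con.execute("INSERT INTO mytbl_login VALUES ('admin', 'hunter2')")
    return con

def antisql(data):
    # Python stand-in for mysql_real_escape_string(): it only backslash-escapes
    # quote and backslash characters; it never touches spaces, commas or keywords.
    return data.replace("\\", "\\\\").replace("'", "\\'").replace('"', '\\"')

def show_vulnerable(con, raw_id):
    # The thread's pattern: escaped value dropped into an UNQUOTED numeric context.
    # With no quote in the payload there is nothing for antisql() to escape.
    sql = "SELECT id, title, body FROM posts WHERE id = " + antisql(raw_id)
    return con.execute(sql).fetchall()

def show_fixed(con, raw_id):
    # Hardened: reject anything that is not an integer literal, then bind the
    # value as a parameter so the database never parses it as SQL.
    if not re.fullmatch(r"-?\d+", raw_id):
        raise ValueError("id must be an integer")
    return con.execute("SELECT id, title, body FROM posts WHERE id = ?",
                       (int(raw_id),)).fetchall()

# Same shape as the query string in the thread, trimmed to this table's three
# columns; it needs no quotes, so it passes antisql() unchanged.
PAYLOAD = "-5 union select 1,xuser,xpass from mytbl_login--"

if __name__ == "__main__":
    con = make_db()
    print(antisql(PAYLOAD) == PAYLOAD)      # True: escaping changed nothing
    print(show_vulnerable(con, PAYLOAD))    # [(1, 'admin', 'hunter2')]
    print(show_fixed(con, "5"))             # [(5, 'hello', 'world')]
    try:
        show_fixed(con, PAYLOAD)
    except ValueError as e:
        print("rejected:", e)
```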
  2. Oranges

    #2
    Heard of it for the first time. What exactly is an SQL injection attack?
    Is it related to hacking a website? Sounds interesting.
     
    Oranges, Oct 28, 2008 IP
  3. dinomflorist

    #3
    They were guessing your table,

    or they know of a hole in your site because you developed the site with a popular CMS.
     
    dinomflorist, Oct 28, 2008 IP
  4. six.sigma

    #4
    It is a form of hacking.
    Whenever a website doesn't sanitise its variables, a user could have the opportunity to introduce SQL code in those variables. Since part of the SQL query is already in place (because the variable only contains a piece of information needed to perform the query, such as an id number), the hacker needs to know how to use the existing query to extract relevant information.

    As an example:
    Let's assume I have a website that shows posts based on the post ID, and therefore it requests the ID like this:
    Then the website extracts the proper information from the database with that ID, like this:
    Select * from posts where id = $_GET['post']
    Code (markup):
    It should then execute this upon request:
    Select * from posts where id = 1
    Code (markup):
    Which is a valid query.

    But what happens if the user manages to insert more information, like this:
    It then executes this:
    Select * from posts where id = 1 AND 1=0
    Code (markup):
    Which is also a valid query and should return a null result, since 1 is not equal to zero. Then the user should test:
    Select * from posts where id = 1 AND 1=1
    Code (markup):
    It should return a valid result.
    If that happens, it means he's managing to distort the results by introducing statements. Therefore, the application is vulnerable to SQL injection attacks.

    Of course, attacks could be much more complicated and relevant information can be extracted through different queries; the hacker just needs to imagine the structure of the query and find out the MySQL version (through very simple injections). Different versions have different functions; generally newer versions have more functions and therefore the hacker has more alternatives.

    Once the hacker knows the version, has a fairly good idea of the query and assuming he's well trained in MySQL, he could manage to find out the database structure, which will allow him to extract all the information he wants from all the tables... in some cases, also introduce information.

    In my experience, blind SQL injection in MySQL 3.0 is by far the most challenging and difficult, but even so, it is possible to extract all the data from the database.

    Bye!
     
    six.sigma, Oct 31, 2008 IP
  5. itliberty

    #5
    What warning messages do you have? That is the biggest form of recon. If they send something bogus, the warning message sometimes includes your entire string. They get field names from there.

    Does anyone know of a good test for this? I received an email from someone (whitehat, I presume) that got my info (not a lot of data in that table, luckily) but I can't seem to duplicate the issue...
     
    itliberty, Nov 17, 2008 IP
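Added example, not from the thread: the original poster found the injection by reading his site stats, and the post above asks for a test. This Python scanner runs a few URL-decoded signatures over access-log lines and reports which requests carry SQL syntax in the query string. The log lines are constructed (the second mirrors the query string from post #1); the signature names are my own.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines; IPs are documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [28/Oct/2008:10:01:02 +0000] "GET /page.php?action=show&id=5 HTTP/1.1" 200 1432
203.0.113.9 - - [28/Oct/2008:10:01:09 +0000] "GET /page.php?action=show&id=-5%20union%20select%201,2,3,concat_ws(0x3a3a,xuser,xpass),5%20from%20mytbl_login-- HTTP/1.1" 200 1501
203.0.113.9 - - [28/Oct/2008:10:01:15 +0000] "GET /page.php?action=show&id=5%20AND%201=0 HTTP/1.1" 200 220
198.51.100.4 - - [28/Oct/2008:10:02:00 +0000] "GET /search.php?q=union+station HTTP/1.1" 200 3000
"""

# Common-log-format prefix: client IP, timestamp, request path.
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST) (\S+)')

# Signatures applied to the URL-decoded, lower-cased query string. Each one
# needs SQL structure, not just a keyword, to keep ordinary searches quiet.
SIGNATURES = [
    ("union_select", re.compile(r"\bunion\b.+\bselect\b")),
    ("comment_terminator", re.compile(r"(--|#|/\*)\s*$")),
    ("boolean_probe", re.compile(r"\b(and|or)\b\s+\d+\s*=\s*\d+")),
    ("hex_literal", re.compile(r"\b0x[0-9a-f]{2,}\b")),
]

def scan_line(line):
    """Return a finding dict for a suspicious request, else None."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    ip, ts, path = m.groups()
    query = unquote_plus(path.partition("?")[2]).lower()
    hits = [name for name, rx in SIGNATURES if rx.search(query)]
    return {"ip": ip, "time": ts, "path": path, "hits": hits} if hits else None

def scan_log(text):
    return [r for r in (scan_line(l) for l in text.splitlines()) if r]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding["ip"], finding["time"], finding["hits"])
```

A real deployment should also look at POST bodies and at error/warning log lines, which is where the field names in the post above leak.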
  6. rohan_shenoy

    #6
    rohan_shenoy, Nov 17, 2008 IP