[nycphp-talk] Injection Attack, any ideas?

mikesz at qualityadvantages.com
Wed Nov 7 00:40:28 EST 2007


Hello Jake,

Wednesday, November 7, 2007, 1:17:14 PM, you wrote:

> Try:

> http://cl1p.net/

> I'd be willing to take a look after you post it.

> - jake

> On Nov 7, 2007 12:12 AM,  <mikesz at qualityadvantages.com> wrote:
>> Hello Jake,
>>
>>
>> Wednesday, November 7, 2007, 12:52:11 PM, you wrote:
>>
>> > Without divulging who your client is, would it be possible to remove
>> > any references to their site/company from the offending code and post
>> > it here? Without access to your registration.php script I think we'll
>> > all just be wasting our time with wild guesses.
>>
>> > - jake
>>
>> > On Nov 6, 2007 11:31 PM,  <mikesz at qualityadvantages.com> wrote:
>> >> Hello All,
>> >>
>> >> I have a client site that has a registration form with a captcha image
>> >> that is supposed to prevent spammers from dumping their junk. The form
>> >> has two text input windows and a fair amount of personal information
>> >> is collected as well.
>> >>
>> >> I just noticed that this client has been getting regular injection
>> >> attacks that have been failing because it is a comment spammer and the
>> >> INSERT query is failing on a duplicate key error. For privacy and
>> >> security reasons I can not post the error message but it cites the php
>> >> file name and the injection looks like it is being added to one of the
>> >> text boxes.
>> >>
>> >> The form has "Required" fields as well as a check function that is
>> >> supposed to check for valid input. All of those fields are empty in the
>> >> query that failed.
>> >>
>> >> The question is, actually multiple related questions:
>> >>
>> >> First, how did that bad guy "execute" the query without hitting the
>> >> submit button or entering the captcha code and how did it bypass the
>> >> check function. It seems like the query was sent directly to the
>> >> database through the registration.php program, but I have no clue how
>> >> that could have happened. I need to plug this hole but don't have any
>> >> idea where to start looking for it.
>> >>
>> >> I have tried running the query like registration.php?query but that
>> >> didn't work.
>> >>
>> >> Any ideas about how I can reproduce this problem would be greatly
>> >> appreciated, and any suggestions about how to fix it would be even more
>> >> greatly appreciated.            8-)
>> >>
>> >> Thanks for your attention.
>> >>
>> >>
>> >> --
>> >> Best regards,
>> >>  mikesz                          mailto:mikesz at qualityadvantages.com
>> >>
>> >> _______________________________________________
>> >> New York PHP Community Talk Mailing List
>> >> http://lists.nyphp.org/mailman/listinfo/talk
>> >>
>> >> NYPHPCon 2006 Presentations Online
>> >> http://www.nyphpcon.com
>> >>
>> >> Show Your Participation in New York PHP
>> >> http://www.nyphp.org/show_participation.php
>> >>
>>
>> > __________ NOD32 2642 (20071106) Information __________
>>
>> > This message was checked by NOD32 antivirus system.
>> > http://www.eset.com
>>
>> Actually, the script code is not the problem, but it's over 500 lines of
>> code, so I am not sure it is appropriate to post it here?
>>
>>
>> --
>>
>> Best regards,
>>  mikesz                            mailto:mikesz at qualityadvantages.com
>>


Here is the URL : http://cl1p.net/myexploitedcode/

thanks, mikesz

-- 
Best regards,
 mikesz                            mailto:mikesz at qualityadvantages.com
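
The question in the quoted post (how a query reached registration.php without the submit button, the captcha or the check function) has a general answer: the browser is only one possible HTTP client, and anything that can send a POST can talk to registration.php directly, never rendering the form, never running its JavaScript and never fetching the captcha image. The block below is an added example, not the poster's 500-line script, which is not on this page. It shows the shape a hardened handler takes and, in its header comment, how to reproduce the direct submission from the shell. The field names `email`, `name` and `captcha`, the session key `captcha`, the `users` table with a UNIQUE key on `email`, and the DSN and credentials are all assumptions to be swapped for the real script's names.

```php
<?php
// Added example (not the poster's registration.php). Assumptions: the form
// posts fields named "email", "name" and "captcha"; the captcha image handler
// stored its text in $_SESSION['captcha']; the table is "users" with a
// UNIQUE key on "email". Adjust these names to match the real script.
//
// Reproduction of the direct submission (path and field names assumed):
//
//   curl -X POST -d 'email=a@example.com' -d 'name=' -d 'captcha=' \
//        https://example.com/registration.php
//
// No browser, no submit button, no captcha image, no client-side check
// function: everything the form "requires" has to be re-checked here.

declare(strict_types=1);
session_start();

// Only a POSTed form is acceptable; registration.php?query never reaches the database.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    exit('Method not allowed');
}

// 1. Server-side captcha check. The expected value lives in the session, set by
//    the image handler, and is consumed on first use so it cannot be replayed.
$expected = $_SESSION['captcha'] ?? null;
unset($_SESSION['captcha']);
$given = (string) ($_POST['captcha'] ?? '');
if ($expected === null || $given === '' || !hash_equals((string) $expected, $given)) {
    http_response_code(400);
    exit('Captcha failed');
}

// 2. Server-side "required" and format checks, independent of any browser code.
$email  = trim((string) ($_POST['email'] ?? ''));
$name   = trim((string) ($_POST['name'] ?? ''));
$errors = [];
if ($email === '' || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
    $errors[] = 'A valid e-mail address is required.';
}
if ($name === '' || mb_strlen($name) > 100) {
    $errors[] = 'Name is required and must be at most 100 characters.';
}
if ($errors !== []) {
    http_response_code(400);
    exit(htmlspecialchars(implode(' ', $errors), ENT_QUOTES, 'UTF-8'));
}

// 3. Parameterised INSERT: the values never become part of the SQL text, so a
//    spam payload typed into a text box cannot change the query. DSN and
//    credentials are placeholders.
$pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'app', 'secret', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);

try {
    $stmt = $pdo->prepare('INSERT INTO users (email, name, created_at) VALUES (:email, :name, NOW())');
    $stmt->execute([':email' => $email, ':name' => $name]);
} catch (PDOException $e) {
    // 4. A duplicate key (SQLSTATE 23000) is an expected outcome for a spammer
    //    reposting the same record, not a server fault: log it with the client
    //    address for the pattern, and never echo the failing SQL or file name
    //    back to the client.
    if ($e->getCode() === '23000') {
        error_log(sprintf('registration: duplicate email from %s', $_SERVER['REMOTE_ADDR'] ?? '-'));
        http_response_code(409);
        exit('That e-mail address is already registered.');
    }
    error_log('registration: ' . $e->getMessage());
    http_response_code(500);
    exit('Registration failed');
}

echo 'Registration complete';
```

The design point for the original question: a client-side check function or a "required" attribute is a convenience for honest users, not a control, and a captcha is a control only when the server compares the posted value against something it stored itself. With the captcha consumed on first use and every field re-validated on the server, the direct POST above is rejected at step 1 before any SQL runs, and a spammer who does get past the captcha still cannot alter the INSERT because the values travel as bound parameters.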



