john_d i've earned my small medal? :rolleyes:
Hi, I've not tested the script yet, but analyzing the code it looks like it works pretty well!
Great Job m8!
One simple question:
Does SQL injection work with MySQL too or only with SQL Server? If so I'm fucked! lol
Pidarasi nahuj sam hack bilo zapuskatj v funkciji!!!!!!!!!!!!![QUOTE]
im not gonna read thru this whole thread right now since RZ is slow ATM, but all u need to do is limit your character fields to a max of 10-12, and deny certain characters in text fields such as ' - ; and ( )
I did exactly as you said and it works fine, except it is not writing the log file with the IP of the person that has tried to use injection:
Quote:
Originally Posted by john_d
$sqlinject = new sql_inject('./log_file_sql.log'
try making the file manually. set it to have write permission...
ssddss... that would now be a variable checker.. the one posted above is an entire query checker. and i do have a variable checker. posted a long time ago here..
also included in the file is a class version of the variable checker, rewritten by cyndre based on my old variable checker function.
Sorry, after I made some tests I verified that "anti sql injection" is not working on my page :(, sure I have done something wrong, so, one more time I ask your help, because the database of my MU server has been destroyed 3 times.
here is top of one page of my server (login.php):
<?php require 'includes/config.php'; ?>
<?php
$Member_Pass = stripslashes($_POST['Member_Pass']);
$Member_Id = stripslashes($_POST['Member_Id']);
$pass = $Member_Pass;
$login = $Member_Id;
$hack_array = array("'");
$hack_replace = array("");
$pass_replaced = str_replace($hack_array, $hack_replace, $pass);
$login_replaced = str_replace($hack_array, $hack_replace, $login);
$sql_username_check = mssql_query("SELECT memb___id FROM MEMB_INFO WHERE memb___id='$login_replaced'");
$username_check = mssql_num_rows($sql_username_check);
$sql_pass_check = mssql_query("SELECT memb__pwd FROM MEMB_INFO WHERE memb__pwd='$pass' AND memb___id = '$login_replaced'");
$pass_check = mssql_num_rows($sql_pass_check);
if (empty($login_replaced) || empty($pass_replaced) || ($username_check <= 0) || ($pass_check <= 0)) {
if (empty($login_replaced) || empty($pass_replaced))
echo '<style type="text/css">
bla bla bla bla
bla bla bla
Now i know i have to insert this on the top after <? :
require_once "sql_inject.php";
$bDestroy_session = TRUE;
$url_redirect = 'index.php';
$sqlinject = new sql_inject('./log_file_sql.log',$bDestroy_session,$url_redirect) ;
and I have to copy the file "sql_inject.php" to my www, but what I don't know is how it stands exactly in my login.php, because in my case it doesn't work.
Can you show me how it will stand in the example I have put here?
Sorry for my bad english
thank you
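Added example, not part of the original post or of sql_inject.php: in the login.php excerpt above the second query uses $pass rather than $pass_replaced, and both queries build their SQL by string concatenation; here the same check passes both values as bound parameters. It assumes PDO with the SQLite driver, an in-memory table standing in for MEMB_INFO on SQL Server; the rows and the function name check_login are constructed.

```php
<?php
// Added example. SQLite in memory stands in for the MSSQL database;
// the table contents and check_login() are constructed for illustration.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE MEMB_INFO (memb___id TEXT PRIMARY KEY, memb__pwd TEXT)');
$db->exec("INSERT INTO MEMB_INFO VALUES ('player1', 'secret10')");

function check_login(PDO $db, $login, $pass)
{
    // Reject array-valued or empty fields before touching the database.
    if (!is_string($login) || !is_string($pass) || $login === '' || $pass === '') {
        return false;
    }
    // Placeholders keep the SQL text fixed; both values are sent as data,
    // so quotes, semicolons and dashes in them cannot end the string literal.
    $stmt = $db->prepare(
        'SELECT COUNT(*) FROM MEMB_INFO WHERE memb___id = :id AND memb__pwd = :pwd'
    );
    $stmt->execute([':id' => $login, ':pwd' => $pass]);
    return (int) $stmt->fetchColumn() === 1;
}

// Constructed inputs: a valid pair, a wrong password, and values made of
// the characters the thread proposes to deny (' ; --).
$cases = [
    ['player1', 'secret10'],
    ['player1', 'wrong'],
    ['player1', "a'b;--"],
    ["pl';--", 'secret10'],
];
foreach ($cases as [$login, $pass]) {
    $result = check_login($db, $login, $pass) ? 'ok' : 'denied';
    printf("%-10s %-10s => %s\n", $login, $pass, $result);
}
// The table is untouched whatever the inputs contained.
$rows = $db->query('SELECT COUNT(*) FROM MEMB_INFO')->fetchColumn();
echo "rows in MEMB_INFO: $rows\n";
```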
poor me, i came here at the wrong time, my database got hacked just now... :(
i can bypass the script that john_d posted here. the best fight to SQL injection is what ssddss said, check field's character lengths - limiting them to 10~12~14~etc. depending on maximum requirement because the fastest SQL Injection method ( that is ';DROP TABLE Character; ) is 23 letters long, disable ' and " characters on every field except when implementing resets for characters (character names can have ' and " characters), and insert a regexp check on email field input.
huj wam w dupe :)
Fixed and Modified protection made by a hacker that I caught into my server..
Seems to work better, check it out :wub2:
what is "regexp check" on email field input?
Quote:
Originally Posted by gam3r_3xtr3m3
Quote:
Originally Posted by StrEagle
ok.. i read through it.. and it is ok..
added these new lines
just two quick hack detects... commonly used by the sql injectors. the program works without it.. but if somehow they pass thru the first check.. a second check would be useful...
PHP Code:
//SQL injection got '--'
if (is_int(strpos($v,'--')))
{
    return $this->detect();
}
//SQL injection got ';'
if (is_int(strpos($v,';')))
{
    return $this->detect();
}
this also serves as a basis for new checks, for anyone who wants to add their own.
-- Ok ... This Anti Sql injection was designed to protect ur forms in ur website.. and the mssql queries after u submit ur forms. ++ the other things i added to this post.. ur form should be well protected.
But that doesn't mean ur website can't get hacked too... there is plenty of things they still can do, depending on the design the program flow of ur website.
Mutoolz V1 (unreleased) should shed some light on some new and should have been implemented protections to any website.
My server got hacked this weekend. I am using IOD's php files.
1) Do I stop vulnerability against sql-injection when I close online registration?
2) What are Forms plz? Variables?? And how to protect them?
3) At the end I have to protect the email input (>14 characters)?
4) Tried this antisqlinjection yesterday. When I run the test, my MEMB_INFO was gone, :chair: not so funny :eh:
I am sure I made something wrong, but I don't get it where.
Here my code:
<?php
require_once "sql_inject.php";
$bDestroy_session = TRUE;
$url_redirect = 'index.php';
$sqlinject = new sql_inject('./log_file_sql.log',$bDestroy_session,$url_redirect) ;
require 'config.php';
$msconnect=mssql_connect("$dbhost","$dbuser","$dbpasswd");
$msdb=mssql_select_db("MuOnline",$msconnect);
?>
<?php
$ps_loginname = stripslashes($_POST['ps_loginname']);
$ps_loginname = "%%'; drop table memb_info ; update character set clevel = 350 where name = '%%";
// this type of sql injection is trying to execute more SQL data
$sqlinject->test($ps_loginname);
$ps_name = stripslashes($_POST['ps_name']);
$sqlinject->test($ps_name);
.
.
. and so on.........
ur problem.. is easy to see.
Quote:
Originally Posted by Z80
when u first got the variable.. $ps_loginname u set it to have the $_POST['ps_loginname'];
then on the next line u completely remove the POST with a normal variable...
so the anti sql injection is thinking ok.. it wasn't really sent from a login box (FORM) so the owner must have set it for me to run.. so the script ran the command.
Note: The Anti Sql injection was designed to STOP POST and GET VARIABLES from being inserted with bad injections.
if u really wanna test .. change this
PHP Code:
$ps_loginname = stripslashes($_POST['ps_loginname']);
$ps_loginname = "%%'; drop table memb_info ; update character set clevel = 350 where name = '%%";
into this
PHP Code:
$_POST['ps_loginname'] = "%%'; drop table memb_info ; update character set clevel = 350 where name = '%%";
$ps_loginname = stripslashes($_POST['ps_loginname']);
1) OK, now I've got this - sqlinject is working fine now!
2) Now the forms: :eh:
You wrote this at the beginning:
Put this on ur a File Ur targeting as an Action on a form.
PHP Code:
if (stristr($_SERVER['HTTP_REFERER'], 'http://www.supamu.info') === FALSE ) {
    die ( 'Hacking attempt. Your are such a Nooby!.. ' );
}
I really don't understand what you mean. Could you give an example, plz?
3) Do you have a recommendation for a good book, where I can learn this?
I feel so stupid and helpless with all this php (and its so familiar with C++)
Thanks a lot for your patience.
Anyway no matter how perfect the php scripts are, if you have port 55960 open for incoming data to dataserver.exe you are fully open for any update on table character and warehouse
Then that would be Sql Injection Dude.. then that would be Packet Injection.. which is an entirely new topic (.. though there is way to stop that )
anyway...
that piece of code is used on target pages for forms.
Quote:
PHP Code:
if (stristr($_SERVER['HTTP_REFERER'], 'http://www.supamu.info') === FALSE ) {
    die ( 'Hacking attempt. Your are such a Nooby!.. ' );
}
lets say u have pk.php (a file where they enter their username and character name to submit for pk clear) lets say the absolute path to pk.php is http://www.mywebsite.com/pk.php
and u then have pkok.php ( a file where all the mssql queries are put, and is the target for the pk.php)
lets say again the absolute path is http://www.mywebsite.com/pkok.php
the main problem with sql injection is that they can save ur file which is pk.php to their computers and edit it any way they can. so any limitation u set on the pk.php file .. will no longer take effect.
to solve this problem we add this line to pkok.php
what this does is.. if the website that submits the form is not ur own pk.php and not their edited version. This will stop it dead.
Quote:
if (stristr($_SERVER['HTTP_REFERER'], 'http://www.mywebsite.com/pk.php') === FALSE ) {
    die ( 'Hacking attempt. Your are such a Nooby!.. ' );
}
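Added example, not from the thread: since the request can come from any copy of the form, the checks that hold are the ones pkok.php runs on the submitted values itself, so this block validates each field against an allowlist pattern, including a regexp check of the kind mentioned earlier for the email field. The field names, the limits and the function validate_pk_request are assumptions.

```php
<?php
// Added example; field names, limits and validate_pk_request() are assumptions.
function validate_pk_request(array $post)
{
    // Allowlist per field: the target page decides what is acceptable,
    // whatever HTML form (original or locally edited) produced the request.
    // \A and \z anchor the whole value, so a trailing newline cannot slip by.
    $rules = [
        'username'  => '/\A[A-Za-z0-9]{4,10}\z/',
        'character' => '/\A[A-Za-z0-9]{4,10}\z/',
        'email'     => '/\A[A-Za-z0-9._-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\z/',
    ];
    $errors = [];
    foreach ($rules as $field => $pattern) {
        $value = isset($post[$field]) ? $post[$field] : null;
        if (!is_string($value)) {
            $errors[$field] = 'missing or not a string';
        } elseif (strlen($value) > 50) {
            $errors[$field] = 'too long';
        } elseif (preg_match($pattern, $value) !== 1) {
            $errors[$field] = 'unexpected characters or length';
        }
    }
    return $errors; // empty array means every field passed
}

// Constructed requests: one well-formed, one as it might arrive from a
// form whose maxlength attributes and script checks were removed.
$requests = [
    ['username' => 'player1', 'character' => 'Knight01', 'email' => 'user@example.com'],
    ['username' => "pl';--", 'character' => str_repeat('A', 40), 'email' => 'not-an-email'],
];
foreach ($requests as $i => $post) {
    $errors = validate_pk_request($post);
    echo "request $i: ", $errors ? json_encode($errors) : 'accepted', "\n";
}
```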
Do I have to check after every $_POST, or do I have to check it only once?
Last problem is the function filelogs:
function filelogs($type, $info, $muser) {
$agent = $_SERVER['HTTP_USER_AGENT'];
$uri = $_SERVER['REQUEST_URI'];
$ip = $_SERVER['REMOTE_ADDR'];
$ref = $_SERVER['HTTP_REFERER'];
$dtime = date('r');
if($ref == ""){
$ref = "None";
** What for those asterix?
if($muser == ""){
$muser = "None";
** What for those asterix?
$location = "/";
$type = $location . $type . ".txt";
$entry_line = "$dtime - IP: $ip | Agent: $agent | URL: $uri | Referrer: $ref | Username: $muser | Query : $info \n";
$fp = fopen("$type", "a");
fputs($fp, $entry_line);
fclose($fp);
**
Where do I have to declare this function as a global function and how? :eh:
We are almost through! :thumbup:
Anyway you did a great job! :icon6: :icon6:
Without search button, it's very hard to find those threads! :eh:
Quote:
Originally Posted by doorf
I suppose my server was hacked with packet injection.
They could retrieve their passwords, after I changed them.
I am using Sygate Firewall and port for DS1 is open! If I close it, players cannot connect anymore. Is there a way to configure the firewall to block only incoming traffic?
those two asterisks (**) are really close braces ... this forum disables them.. i have no idea why.. (protection maybe)
to declare a function.. u must either include them in ur header file or put them on the very top of ur php page right below the <? (which would mean php code starts here)
on using them.. is easy.. just stick to the example.
Thx, with your help I got everything running. :thumbup: Now my tests:
I tried to inject my server. I entered this:
Login ID: "update
Name: character;
E-mail: set clevel='350' where Name='WurliWiz'
Password: sepp
Recovery Question: a
Recovery Answer: b
Number: 11111111111
and got this bunch of warnings:
Warning: strpos(): Empty delimiter. in c:\appserv\www\sql_inject.php on line 137
Warning: strpos(): Empty delimiter. in c:\appserv\www\sql_inject.php on line 137
Warning: strpos(): Empty delimiter. in c:\appserv\www\sql_inject.php on line 137
Warning: strpos(): Empty delimiter. in c:\appserv\www\sql_inject.php on line 137
Warning: strpos(): Empty delimiter. in c:\appserv\www\sql_inject.php on line 137
Warning: strpos(): Empty delimiter. in c:\appserv\www\sql_inject.php on line 137
Warning: strpos(): Empty delimiter. in c:\appserv\www\sql_inject.php on line 137
Warning: strpos(): Empty delimiter. in c:\appserv\www\sql_inject.php on line 137
Warning: strpos(): Empty delimiter. in c:\appserv\www\sql_inject.php on line 137
Warning: strpos(): Empty delimiter. in c:\appserv\www\sql_inject.php on line 137
Warning: mssql_query(): message: Line 1: Incorrect syntax near '350'. (severity 15) in c:\appserv\www\idreg.php on line 111
Warning: mssql_query(): Query failed in c:\appserv\www\idreg.php on line 111
Warning: mssql_num_rows(): supplied argument is not a valid MS SQL-result resource in c:\appserv\www\idreg.php on line 113
Warning: mssql_query(): message: Line 1: Incorrect syntax near '350'. (severity 15) in c:\appserv\www\idreg.php on line 143
Warning: mssql_query(): Query failed in c:\appserv\www\idreg.php on line 143
Your account has been created succesfully:
The account was not created! Nothing happened. Except the ugly warnings, which are showing the file names of the pages.
If I understood correctly, the function sqlinject should detect the '#' as a forbidden character and also the rest of the words which are all in the ban list, and should move to index.php.
But this is not the case.
Am I just a stupid "hacker" or what's wrong? :animal_ro
that's not how to hack ur server.. those are causing errors in ur script. which should be stopped before any sql injection test should be done.
Learn how to filter ur entries.
The problem is in sqlinject, not in the register script!
Quote:
Originally Posted by john_d
If you just put as loginname: 'select' your script has troubles.
It goes wrong here:
function _in_post($value)
{
    foreach($_POST as $i => $v)
    {
        if (is_int(strpos(strtolower($v),$value))) return TRUE;
    }
    return FALSE;
}
What has to be filtered from the string before you can send it to sqlinject?
I know I am a pain in the a... , but I try just learning and understanding, like most of us here. :eh:
The function sqlinject has those problems with the characters ; and '
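Added example, not the code of sql_inject.php: the "strpos(): Empty delimiter" warning quoted above is what older PHP versions emit when the needle passed to strpos() is an empty string, so an empty entry in the list of banned words would produce it on every POST field. This stand-alone version of the _in_post scan skips empty entries and non-string POST values; the function name post_contains, the word list and the sample request are constructed.

```php
<?php
// Added example; post_contains() and the sample data are constructed.
function post_contains(array $post, array $needles)
{
    // Drop empty or non-string list entries: an empty needle triggers
    // "Empty delimiter" on old PHP and matches every string on PHP 8.
    $needles = array_filter($needles, function ($n) {
        return is_string($n) && $n !== '';
    });
    $hits = [];
    // array_walk_recursive also visits fields submitted as name[]=... arrays,
    // which a plain foreach over $_POST would hand to strtolower() as arrays.
    array_walk_recursive($post, function ($v, $k) use ($needles, &$hits) {
        if (!is_string($v)) {
            return;
        }
        foreach ($needles as $n) {
            // stripos() is case-insensitive, so no strtolower() is needed.
            if (stripos($v, $n) !== false) {
                $hits[] = [$k, $n];
            }
        }
    });
    return $hits; // list of [field key, matched token]
}

// Constructed word list (with a stray empty entry) and constructed request.
$needles = ['--', ';', 'select', ''];
$post = [
    'ps_loginname' => 'Select',
    'ps_name'      => ['a;b'],
    'ps_mail'      => 'user@example.com',
];
foreach (post_contains($post, $needles) as [$field, $needle]) {
    echo "field $field contains banned token '$needle'\n";
}
```

A scan like this is a tripwire for logging; the values still have to reach the database as bound parameters rather than as part of the query string.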