yeah, you can avoid this and only this by banning 'declare', but the best approach to avoid sql injection of any kind would be changing all your database calls to PDO.
Printable View
yeah, you can avoid this and only this by banning 'declare', but the best approach to avoid sql injection of any kind would be changing all your database calls to PDO.
I heard about PDO but really never tried it before if you can share how to do it that would be great.Quote:
Originally Posted by alxndr
well, it's not that hard, but you have to do all the calls from scratch, it will be as making the whole site again.
http://vonblancofitness.com/wordpres...e-for-that.jpg
So what if change the Database names?Quote:
Originally Posted by alxndr
it's not use, coz if people think like me, i would use meterpreter sqlmap to help me to scan the databaseQuote:
Originally Posted by A v a r a
I see thanks anyways why only Ranking page of that web template mentioned?Quote:
Originally Posted by alxndr
Cuz, the programmer of that site thought if people don't put the inputs, then, it's no use to validate them.Quote:
Originally Posted by A v a r a
Ok so that kind of SQL injection posted by that forumer will only be use in the ranking page or there are other pages that are vulnerable for injection?Quote:
Originally Posted by alxndr
If you have good eye, you could say, that most of the pages have that ranking, i think zonagammers was the base site or al least a reference to developt some new sites.Quote:
Originally Posted by A v a r a
But it is not only the ranking, s_game, register, forgot password, every can be exploited if you are a bit smart and the site is awfully insecure.
Ok so for learning purposes..so for example for this PHP Script (credits to whoever posted it lol)Quote:
Originally Posted by alxndr
Do you think users can still place the word "declare" in that script? and is this a good script?PHP Code:?PHP
$xa = getenv('REMOTE_ADDR');
$badwords = array(";","'","\"","*","union","del","DEL","insert","update","drop","sele","memb","set","$","res3t","wareh","%","sa","#"," ",")","/","null","\"");
foreach($_POST as $value)
foreach($badwords as $word)
if(substr_count($value, $word) > 0)
die();
class sql_inject
{
/**
* [MENTION=1333419955]Sho[/MENTION]rtdesc url to redirect if an sql inject attempt is detect. if unset, value is FALSE
* [MENTION=825028]Private[/MENTION]
* [MENTION=1333375725]Type[/MENTION] mixed
*/
var $urlRedirect;
/**
* [MENTION=1333419955]Sho[/MENTION]rtdesc does the session must be destroy if an attempt is detect
* [MENTION=825028]Private[/MENTION]
* [MENTION=1333375725]Type[/MENTION] bool
*/
var $bdestroy_session;
/**
* [MENTION=1333419955]Sho[/MENTION]rtdesc the SQL data currently test
* [MENTION=825028]Private[/MENTION]
* [MENTION=1333375725]Type[/MENTION] string
*/
var $rq;
/**
* [MENTION=1333419955]Sho[/MENTION]rtdesc if not FALSE, the url to the log file
* [MENTION=825028]Private[/MENTION]
* [MENTION=1333375725]Type[/MENTION] mixed
*/
var $bLog;
/**
* Builder
*
* [MENTION=1333357818]param[/MENTION] bool bdestroy_session optional. does the session must be destroy if an attempt is detect?
* [MENTION=1333357818]param[/MENTION] string urlRedirect optional. url to redirect if an sql inject attempt is detect
* @public
* [MENTION=1333375725]Type[/MENTION] void
*/
function sql_inject($mLog=FALSE,$bdestroy_session=FALSE,$urlRedirect=FALSE)
{
$this->bLog = (($mLog!=FALSE)?$mLog:'');
$this->urlRedirect = (((trim($urlRedirect)!='') && file_exists($urlRedirect))?$urlRedirect:'');
$this->bdestroy_session = $bdestroy_session;
$this->rq = '';
}
/**
* [MENTION=1333419955]Sho[/MENTION]rtdesc test if there is a sql inject attempt detect
* test if there is a sql inject attempt detect
*
* [MENTION=1333357818]param[/MENTION] string sRQ required. SQL Data to test
* @public
* [MENTION=1333375725]Type[/MENTION] bool
*/
function test($sRQ)
{
$sRQ = strtolower($sRQ);
$this->rq = $sRQ;
$aValues = array();
$aTemp = array(); // temp array
$aWords = array(); //
$aSep = array(' and ',' or '); // separators for detect the
$sConditions = '(';
$matches = array();
$sSep = '';
// is there an attempt to unused part of the rq?
if (is_int((strpos($sRQ,"#")))&&$this->_in_post('#')) return $this->detect();
// is there a attempt to do a 2nd SQL requete ?
if (is_int(strpos($sRQ,';'))){
$aTemp = explode(';',$sRQ);
if ($this->_in_post($aTemp[1])) return $this->detect();
}
$aTemp = explode(" where ",$sRQ);
if (count($aTemp)==1) return FALSE;
$sConditions = $aTemp[1];
$aWords = explode(" ",$sConditions);
if(strcasecmp($aWords[0],'select')!=0) $aSep[] = ',';
$sSep = '('.implode('|',$aSep).')';
$aValues = preg_split($sSep,$sConditions,-1, PREG_SPLIT_NO_EMPTY);
// test the always true expressions
foreach($aValues as $i => $v)
{
// SQL injection like 1=1 or a=a or 'za'='za'
if (is_int(strpos($v,'=')))
{
$aTemp = explode('=',$v);
if (trim($aTemp[0])==trim($aTemp[1])) return $this->detect();
}
//SQL injection like 1<>2
if (is_int(strpos($v,'<>')))
{
$aTemp = explode('<>',$v);
if ((trim($aTemp[0])!=trim($aTemp[1]))&& ($this->_in_post('<>'))) return $this->detect();
}
}
if (strpos($sConditions,' null'))
{
if (preg_match("/null +is +null/",$sConditions)) return $this->detect();
if (preg_match("/is +not +null/",$sConditions,$matches))
{
foreach($matches as $i => $v)
{
if ($this->_in_post($v))return $this->detect();
}
}
}
if (preg_match("/[a-z0-9]+ +between +[a-z0-9]+ +and +[a-z0-9]+/",$sConditions,$matches))
{
$Temp = explode(' between ',$matches[0]);
$Evaluate = $Temp[0];
$Temp = explode(' and ',$Temp[1]);
if ((strcasecmp($Evaluate,$Temp[0])>0) && (strcasecmp($Evaluate,$Temp[1])<0) && $this->_in_post($matches[0])) return $this->detect();
}
return FALSE;
}
function _in_post($value)
{
foreach($_POST as $i => $v)
{
if (is_int(strpos(strtolower($v),$value))) return TRUE;
}
return FALSE;
}
function detect()
{
// log the attempt to sql inject?
if ($this->bLog)
{
$fp = @fopen($this->bLog,'a+');
if ($fp)
{
fputs($fp,"\r\n".date("d-m-Y H:i:s").' ['.$this->rq.'] from '.$this->sIp = getenv("REMOTE_ADDR"));
fclose($fp);
}
}
// destroy session?
if ($this->bdestroy_session) session_destroy();
// redirect?
if ($this->urlRedirect!=''){
if (!headers_sent()) header("location: $this->urlRedirect");
}
return TRUE;
}
function protect1($protected) { // This Will be the fuction we call to protect the variables.
$banlist = array ("'", "\"", "<", "\\", "|", "/", "=", "insert", "select", "update", "delete", "distinct", "having", "truncate", "replace", "handler", "like", "procedure", "limit", "order by", "group by", "asc", "desc");
//$banlist is the list of words you dont want to allow.
if ( eregi ( "[a-zA-Z0-9@]+", $protected ) ) { // Makes sure only legitimate Characters are used.
$protected = trim(str_replace($banlist, '', $protected)); // Takes out whitespace, and removes any banned words.
return $protected;
//echo "+";
} else {
//echo "-";
echo $protected;
die ( ' Is invalid for that spot, please try a different entry.' ); // Message if thier is any characters not in [a-zA-Z0-9].
} // ends the if ( eregi ( "[a-zA-Z0-9]+", $this->protected ) ) {
} // ends the function Protect() {
function protect2($protected) { // This Will be the fuction we call to protect the variables.
$banlist = array ("'", "\"", "<", "\\", "|", "/", "=", "insert", "select", "update", "delete", "distinct", "having", "truncate", "replace", "handler", "like", "procedure", "limit", "order by", "group by", "asc", "desc");
//$banlist is the list of words you dont want to allow.
if ( eregi ( "[0-9]+", $protected ) ) { // Makes sure only legitimate Characters are used.
$protected = trim(str_replace($banlist, '', $protected)); // Takes out whitespace, and removes any banned words.
return $protected;
//echo "+";
} else {
//echo "-";
echo $protected;
die ( ' Tidak valid untuk tempat itu, silakan coba entri yang berbeda.' ); // Message if thier is any characters not in [a-zA-Z0-9].
} // ends the if ( eregi ( "[a-zA-Z0-9]+", $this->protected ) ) {
} // ends the function Protect() {
}
?>
@A v a r a, do you know what POST and GET are? if not, well it would be better if could read a bit of it for you to understand this code, also, the managment of classes on php, only putting the file is not going to "filter" your ban words you have to call the functions in each input both GET and POST.
Unfortunately I am only a leecher but willing to share ideas as much as I could if given a chance to learn but for this I regret to say that I have a very bad knowledge about it. So going back to my question I assume the answer is NO?Quote:
Originally Posted by alxndr
Yeah, users will still be able to put the word declare, fisrt, cuz is not banned, second, coz that script just filter POST request and tha ranking from zonagamers and most of then works with GET request.Quote:
Originally Posted by A v a r a
Ok so again for learning purposes how about this one I put "declare" already (I don't know if I got it right) but unfortunately I don't know where to place the GET request.
So far thankful for you mate I have so much to learn.PHP Code:$xa = getenv('REMOTE_ADDR');
$badwords = array(";","'","\"","*","union","del","DEL","declare","insert","update","drop","sele","memb","set","$","res3t","wareh","%","sa","#"," ",")","/","null","\"");
foreach($_POST as $value)
foreach($badwords as $word)
if(substr_count($value, $word) > 0)
die();
class sql_inject
{
/**
* [MENTION=1333419955]Sho[/MENTION]rtdesc url to redirect if an sql inject attempt is detect. if unset, value is FALSE
* [MENTION=825028]Private[/MENTION]
* [MENTION=1333375725]Type[/MENTION] mixed
*/
var $urlRedirect;
/**
* [MENTION=1333419955]Sho[/MENTION]rtdesc does the session must be destroy if an attempt is detect
* [MENTION=825028]Private[/MENTION]
* [MENTION=1333375725]Type[/MENTION] bool
*/
var $bdestroy_session;
/**
* [MENTION=1333419955]Sho[/MENTION]rtdesc the SQL data currently test
* [MENTION=825028]Private[/MENTION]
* [MENTION=1333375725]Type[/MENTION] string
*/
var $rq;
/**
* [MENTION=1333419955]Sho[/MENTION]rtdesc if not FALSE, the url to the log file
* [MENTION=825028]Private[/MENTION]
* [MENTION=1333375725]Type[/MENTION] mixed
*/
var $bLog;
/**
* Builder
*
* [MENTION=1333357818]param[/MENTION] bool bdestroy_session optional. does the session must be destroy if an attempt is detect?
* [MENTION=1333357818]param[/MENTION] string urlRedirect optional. url to redirect if an sql inject attempt is detect
* @public
* [MENTION=1333375725]Type[/MENTION] void
*/
function sql_inject($mLog=FALSE,$bdestroy_session=FALSE,$urlRedirect=FALSE)
{
$this->bLog = (($mLog!=FALSE)?$mLog:'');
$this->urlRedirect = (((trim($urlRedirect)!='') && file_exists($urlRedirect))?$urlRedirect:'');
$this->bdestroy_session = $bdestroy_session;
$this->rq = '';
}
/**
* [MENTION=1333419955]Sho[/MENTION]rtdesc test if there is a sql inject attempt detect
* test if there is a sql inject attempt detect
*
* [MENTION=1333357818]param[/MENTION] string sRQ required. SQL Data to test
* @public
* [MENTION=1333375725]Type[/MENTION] bool
*/
function test($sRQ)
{
$sRQ = strtolower($sRQ);
$this->rq = $sRQ;
$aValues = array();
$aTemp = array(); // temp array
$aWords = array(); //
$aSep = array(' and ',' or '); // separators for detect the
$sConditions = '(';
$matches = array();
$sSep = '';
// is there an attempt to unused part of the rq?
if (is_int((strpos($sRQ,"#")))&&$this->_in_post('#')) return $this->detect();
// is there a attempt to do a 2nd SQL requete ?
if (is_int(strpos($sRQ,';'))){
$aTemp = explode(';',$sRQ);
if ($this->_in_post($aTemp[1])) return $this->detect();
}
$aTemp = explode(" where ",$sRQ);
if (count($aTemp)==1) return FALSE;
$sConditions = $aTemp[1];
$aWords = explode(" ",$sConditions);
if(strcasecmp($aWords[0],'select')!=0) $aSep[] = ',';
$sSep = '('.implode('|',$aSep).')';
$aValues = preg_split($sSep,$sConditions,-1, PREG_SPLIT_NO_EMPTY);
// test the always true expressions
foreach($aValues as $i => $v)
{
// SQL injection like 1=1 or a=a or 'za'='za'
if (is_int(strpos($v,'=')))
{
$aTemp = explode('=',$v);
if (trim($aTemp[0])==trim($aTemp[1])) return $this->detect();
}
//SQL injection like 1<>2
if (is_int(strpos($v,'<>')))
{
$aTemp = explode('<>',$v);
if ((trim($aTemp[0])!=trim($aTemp[1]))&& ($this->_in_post('<>'))) return $this->detect();
}
}
if (strpos($sConditions,' null'))
{
if (preg_match("/null +is +null/",$sConditions)) return $this->detect();
if (preg_match("/is +not +null/",$sConditions,$matches))
{
foreach($matches as $i => $v)
{
if ($this->_in_post($v))return $this->detect();
}
}
}
if (preg_match("/[a-z0-9]+ +between +[a-z0-9]+ +and +[a-z0-9]+/",$sConditions,$matches))
{
$Temp = explode(' between ',$matches[0]);
$Evaluate = $Temp[0];
$Temp = explode(' and ',$Temp[1]);
if ((strcasecmp($Evaluate,$Temp[0])>0) && (strcasecmp($Evaluate,$Temp[1])<0) && $this->_in_post($matches[0])) return $this->detect();
}
return FALSE;
}
function _in_post($value)
{
foreach($_POST as $i => $v)
{
if (is_int(strpos(strtolower($v),$value))) return TRUE;
}
return FALSE;
}
function detect()
{
// log the attempt to sql inject?
if ($this->bLog)
{
$fp = @fopen($this->bLog,'a+');
if ($fp)
{
fputs($fp,"\r\n".date("d-m-Y H:i:s").' ['.$this->rq.'] from '.$this->sIp = getenv("REMOTE_ADDR"));
fclose($fp);
}
}
// destroy session?
if ($this->bdestroy_session) session_destroy();
// redirect?
if ($this->urlRedirect!=''){
if (!headers_sent()) header("location: $this->urlRedirect");
}
return TRUE;
}
function protect1($protected) { // This Will be the fuction we call to protect the variables.
$banlist = array ("'", "\"", "<", "\\", "|", "/", "=", "declare","insert", "select", "update", "delete", "distinct", "having", "truncate", "replace", "handler", "like", "procedure", "limit", "order by", "group by", "asc", "desc");
//$banlist is the list of words you dont want to allow.
if ( eregi ( "[a-zA-Z0-9@]+", $protected ) ) { // Makes sure only legitimate Characters are used.
$protected = trim(str_replace($banlist, '', $protected)); // Takes out whitespace, and removes any banned words.
return $protected;
//echo "+";
} else {
//echo "-";
echo $protected;
die ( ' Is invalid for that spot, please try a different entry.' ); // Message if thier is any characters not in [a-zA-Z0-9].
} // ends the if ( eregi ( "[a-zA-Z0-9]+", $this->protected ) ) {
} // ends the function Protect() {
function protect2($protected) { // This Will be the fuction we call to protect the variables.
$banlist = array ("'", "\"", "<", "\\", "|", "/", "=", "declare","insert", "select", "update", "delete", "distinct", "having", "truncate", "replace", "handler", "like", "procedure", "limit", "order by", "group by", "asc", "desc");
//$banlist is the list of words you dont want to allow.
if ( eregi ( "[0-9]+", $protected ) ) { // Makes sure only legitimate Characters are used.
$protected = trim(str_replace($banlist, '', $protected)); // Takes out whitespace, and removes any banned words.
return $protected;
//echo "+";
} else {
//echo "-";
echo $protected;
die ( ' Tidak valid untuk tempat itu, silakan coba entri yang berbeda.' ); // Message if thier is any characters not in [a-zA-Z0-9].
} // ends the if ( eregi ( "[a-zA-Z0-9]+", $this->protected ) ) {
} // ends the function Protect() {
}
Yeah, this will catch the declare statement in the POST request. Anyway, in some time, i hope no so much time, i'm going to release a site with php 5.5 that will fix all the injection methods that i knowQuote:
Originally Posted by A v a r a