I am suffering attacks of type SQL Injection

Question

I am suffering attacks of type SQL Injection

Asked 8 years, 11 months ago

Viewed 859 times

39

Ever since I started an online project, I’ve been having problems with hacking, where someone is making direct entries into the database. This is what gave me the initiative to put in all the variables received through the method $_GET and $_POST. The functions:

$variavel = trim(strip_tags(mysqli_real_escape_string($conn, $_POST['recebe'])));

I used two programs to do scanner to analyze the site ('Acunetix' and 'Scrawlr'), where the first time returned vulnerable variables, but now I did the whole procedure in the same and now not more signal problem.

However, even so, the attacker still manages to hack the server, even though he is sure after checking all lines of code of the project..

1

Well, for starters, I’d say restore the latest backup, so you must have made one right before the attack. Check log files to see if you can find queries.

– Edilson

2015/12/12 at 12:09
1

A simple question: Is your database server exposed to the internet or is it only accessible through your web server?

– Victor Stafusa

2015/12/12 at 12:43
@Victorstafusa This is on the site, but is only accessed by Adms, but I know it is not so pq, by the panel on the site, when some data is inserted the script takes the account id, but when I see that there was attack and I check on the server itself is like '0', saying it wasn’t on account

– Pedro Quezado

2015/12/12 at 12:49
1

Are you sure there’s no way to access the database directly other than through the application? Because if that happens, just have the login and password of the database and it’s over. By the way, have you changed the login and password of the database? If you haven’t changed yet, I recommend you do it urgently.

– Victor Stafusa

2015/12/12 at 12:53
1

If your site has user information (email, login, password, etc.) and passwords are not properly encrypted, send an email alerting users to modify passwords from their personal email. Many users use the same email password in other services.

– Marcos Xavier

2015/12/14 at 13:18
Don’t forget to always use Prepared statments that avoid too much of these problems.

– Jorge B.

2016/08/03 at 22:01
Replace passwords, mainly from the database, put a new alias in the tables... change the name of the database, use placeholders in the Insert/ update methods, never pass input and update parameters by GET, preferably use a csrf token for POST by forms, so you validate the publication origin, for restful methods, use a token with type authorization Bearer Token

– Ivan Ferrer

2019/11/05 at 17:15

Show 2 more comments

3 answers

44

After being attacked he may have gathered important information that allows him to make the invasion by other means. When you have an hacked server it is not simple to make it safe again. If you haven’t been able to effectively do what’s simple, which is to make it safe initially, now it’s going to be a lot harder. He may even be doing this by having direct access to the server now.

A security expert (rare to find a really skilled one) could do an analysis on this server to see if there is anything that can be done. If you prefer on your own, the best way is probably to start a new server with all different data, especially passwords. Do not copy anything that was on the compromised server. If you really have to copy something, you will have to do a thorough analysis of the content. And passwords, forget it, it can’t be taken advantage of.

Privacy is gone. That will never be solved, once lost, never come back.

Other than that, the code is probably still vulnerable. These softwares do superficial analyses, don’t trust them as a definitive solution. If you can’t find all the vulnerabilities you’ll have to hire an expert. And be careful, a lot of people sell what they don’t have.

Remember that now the attacker probably knows your code and knows how to exploit any flaw, even those that used to go unnoticed.

See more in How an SQL Injection Happens?.

1

An important detail that I had not said, but as has answer on, PDO is not the solution to this, at least no more than native use.

– Maniero

2019/08/21 at 15:12

Browser other questions tagged php sql security-guard sql-injection

You are not signed in. Login or sign up in order to post.

by Marcos Xavier • **698** points · Answer 1 · 2016-10-26T15:04:47+00:00

Avoid using mysqli_* and mysql_* functions, use PDO, process data entries.

Makes a select in your bank and check the privileges of users, if there are any "strange" users, if root has external access without password, etc.

select user,password,host,grant_priv from mysql.user;

Executing the query above, check if any user (with host = %, which would be remote access) is without password. It is not guaranteed that he has access to the database in the way I mentioned but can occur. Check logs Mysql and PHP.

As @Maniero said, the most recommended is to hire someone who understands the subject, rarity but is possible.

by Ivan Ferrer • **12,096** points · Answer 2 · 2019-11-05T17:51:31+00:00

Solution that can help your problem:

Exchange all user passwords, and especially the access to the database, preferably a complex password, type: #@_12!aVxzHors12_8^.
Put a new alias in the tables, example, if the table is : usuarios => t_db_usuarios ...
If possible, rename the database, use "placeholders" with Prepared Statements in the methods of Insert / update:

mysqli_*

$intVal = $_POST['id'];

$column1 = "exemplo 1";
$column2 = "exemplo 2";
$column3 = intval($intVal);


    $query = "INSERT INTO tabela_nome (column1_string, column2_string, column3_integer)
    VALUES (?, ?, ?)";
    $stmt = $mysqli->prepare($query);
    $stmt->bind_param("ssi", $column1, $column2, $column3);
    if ($stmt->execute()) {
       echo "Sucesso!";
    }
    $stmt->close();

PDO:

try {

    //dados da conexao

    $intVal = $_POST['id'];
    $data = [
             ':column1_string' => 'exemplo1', 
             ':column2_string' => 'exemplo2',
             ':column3_integer' => intval($intVal),
    ];

    $sql = "INSERT INTO tabela_nome (column1_string, column2_string, column3_integer)
    VALUES (:column1_string, :column2_string, :column3_int)";
    $sth = $conn->prepare($sql);
    $exec = $sth->execute($data);
    if ($exec) {
      echo "Sucesso!";
    }
   /*
    Se preferir não enviar como um array, também pode trabalhar cada dado inserido:

     $sth->bindParam(':column1_string', $data[':column1_string'], PDO::PARAM_STR, 255);
     $sth->bindParam(':column2_string', $data[':column2_string'], PDO::PARAM_STR, 255);
     $sth->bindParam(':column3_int', $data[':column3_int'], PDO::PARAM_INT);
    if ($sth->execute()) {
        echo "Sucesso";
    }
   */
} catch(PDOException $e) {
    echo $e->getMessage();
}

Never pass input and update parameters via GET. From preferably use a csrf token for method forms POST, so you will validate that the origin of publication, corresponds to the same place of sending.

For Restful Apis, use a token with type authorization Bearer Token, designs CORS origin for your website domain, protect yourself from attacks by XSS:
```
header('Access-Control-Allow-Origin: http://www.seudominio.com.br');
header("Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept");
header('Access-Control-Allow-Methods: GET, POST, PUT');
```
Use some site vulnerability checking tool, here some examples:

https://www.scanmyserver.com/
https://www.ssllabs.com/ssltest/analyze.html
https://detectify.com/
https://www.newnettechnologies.com/vulnerability-tracker.html