I got hacked and need help sanitizing the part they got in thru
Posted by rumrunner439, 06-16-2008, 10:39 PM |
OK, I have an Alstrasoft script, eFriends. Yeah, I know it's got issues, but I worked through most of them. But I have a hacker hole, and I googled it and came up with the below. OK, I have no clue how to do the sanitizing of the source code, but I can post whatever source code on here if someone can help me out with the sanitizing.
Attackers can use a browser to exploit this issue. The following proof-of-concept URIs are available:
http://www.example.com/index.php?mod...from%20admin--
http://www.example.com/index.php?mod...om%20members--
Input passed to the "seid" parameter in index.php (when "mode" is set to "events" and "act" to "viewevent") is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.
Successful exploitation allows e.g. retrieving usernames and password hashes.
The vulnerability is reported in version 4.98. Other versions may also be affected.
Solution:
Edit the source code to ensure that input is properly sanitised.
|
Posted by rumrunner439, 06-16-2008, 10:44 PM |
OK, below is my source code for index.php. I can't wait to see who figures it out and what the differences are that can keep a hacker out.
Last edited by P-nut; 06-17-2008 at 12:20 PM.
Reason: add [php] tags
|
Posted by Codelphious, 06-17-2008, 01:24 AM |
This is a classic example of mySQL injection.
Everywhere in your script where you run sql_execute, ensure that the input is escaped correctly using mysql_real_escape_string().
For example:
sql_execute("SELECT mem_id FROM members WHERE username = '$user'","get");
Should be:
sql_execute("SELECT mem_id FROM members WHERE username = '" . mysql_real_escape_string($user) . "'","get");
|
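The escaping fix above, and the prepared-statement alternative that removes the need to escape at all, as an added example that is not code from the thread or from the eFriends script. It assumes a PDO connection $db (hypothetical; the script's own sql_execute() helper is not shown here), uses the members/mem_id/username names from the query posted above, and invents an events table keyed by seid to mirror the advisory's vulnerable parameter. The demo runs against an in-memory SQLite database with constructed rows.

```php
<?php
// Added example: not part of the original thread or of the eFriends script.
// $db is assumed to be a PDO connection (hypothetical). Table/column names
// members, mem_id, username come from the thread; events/seid are assumed.

// 1) Escaping, as the post above suggests. PDO::quote() wraps the value in
//    quotes and escapes quote characters inside it, so a value such as
//    "x' OR '1'='1" stays a string literal instead of becoming SQL.
//    This only protects values that sit inside quotes in the SQL text.
function member_id_by_username_escaped(PDO $db, string $user): ?int
{
    $sql = "SELECT mem_id FROM members WHERE username = " . $db->quote($user);
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : (int) $row['mem_id'];
}

// 2) Prepared statement: SQL text and value are sent separately, so the
//    query structure is fixed before the value is seen. Nothing to escape.
function member_id_by_username(PDO $db, string $user): ?int
{
    $stmt = $db->prepare("SELECT mem_id FROM members WHERE username = ?");
    $stmt->execute([$user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : (int) $row['mem_id'];
}

// seid is an event id, i.e. a number. Escaping does not help for an
// unquoted numeric parameter, so validate it as digits and bind it as int.
function event_by_id(PDO $db, $seid): ?array
{
    if (!ctype_digit((string) $seid)) {
        return null;                       // "5 OR 1=1" is rejected outright
    }
    $stmt = $db->prepare("SELECT * FROM events WHERE seid = ?");
    $stmt->bindValue(1, (int) $seid, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Self-contained demo on an in-memory SQLite database with constructed data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE members (mem_id INTEGER PRIMARY KEY, username TEXT, password TEXT)");
$db->exec("INSERT INTO members (username, password) VALUES ('alice', 'hash-a'), ('admin', 'hash-b')");
$db->exec("CREATE TABLE events (seid INTEGER PRIMARY KEY, title TEXT)");
$db->exec("INSERT INTO events (title) VALUES ('picnic')");

$hostile = "x' OR '1'='1";                 // constructed injection-style input

var_dump(member_id_by_username($db, 'alice'));           // found
var_dump(member_id_by_username($db, $hostile));          // literal lookup, not found
var_dump(member_id_by_username_escaped($db, $hostile));  // same, via escaping
var_dump(event_by_id($db, '1'));                         // found
var_dump(event_by_id($db, '1 OR 1=1'));                  // rejected before the query
```

With either function the hostile string is looked up as a literal username and matches nothing; the difference is that the escaped version still relies on the quotes being present in the SQL text, whereas the prepared statement does not. For seid, validation plus integer binding is what closes the hole the advisory describes, since escaping a bare number changes nothing.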
Posted by P-nut, 06-17-2008, 12:26 PM |
Some other good sanitation functions include
strip_tags() - to strip out some html tags
htmlentities() and htmlspecialchars() - to make html a little safer to query with
Your best bet, though, is to write a function that will check and allow only what you want, and reject anything else. So if all you want are alphanumeric characters, then only allow that.
Another tip - never trust anything from $_GET, $_REQUEST, or $_POST as-is. Always run your sanitation/validation checks on them.
Good luck!
|
Posted by nettiapina, 06-17-2008, 07:42 PM |
There is good advice above.
I would also get rid of the $superglobals array. It's kind of weird to actually do something like that, since register_globals is nowadays usually turned off on the server because it's considered very bad practice. Which is why it's deprecated, and removed in the upcoming PHP 6.0 version.
Instead, you should pick only what you need:
$variable = your_sanitization_function($_GET['variable']);
|
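The allow-list approach P-nut describes and the "pick only what you need from $_GET" pattern in the post above, combined in one added example that is not code from the thread or from the eFriends script. The parameter names mode, act and seid come from the advisory; the rules for each, the get_param()/read_request() helpers and the sample requests are assumptions constructed for the example.

```php
<?php
// Added example: not part of the original thread or of the eFriends script.
// Instead of importing every superglobal into the script's namespace, pull
// the named parameters out of $_GET one at a time and validate each one
// against an explicit rule. Anything that does not match is dropped.

// Returns the value if it matches the rule for $type, otherwise null.
function get_param(array $source, string $name, string $type): ?string
{
    if (!isset($source[$name]) || !is_string($source[$name])) {
        return null;                        // missing, or an array trick like ?seid[]=1
    }
    $value = $source[$name];
    switch ($type) {
        case 'int':                         // ids such as seid: digits only
            return ctype_digit($value) ? $value : null;
        case 'word':                        // mode / act: lowercase keyword
            return preg_match('/^[a-z_]{1,32}$/', $value) === 1 ? $value : null;
        case 'username':                    // alphanumeric only, as P-nut suggests
            return preg_match('/^[A-Za-z0-9]{1,32}$/', $value) === 1 ? $value : null;
        default:
            throw new InvalidArgumentException("unknown validation rule: $type");
    }
}

// Builds the handful of variables index.php actually needs, with defaults
// for the routing keywords and null for anything that failed validation.
function read_request(array $get): array
{
    return [
        'mode' => get_param($get, 'mode', 'word') ?? 'home',
        'act'  => get_param($get, 'act',  'word') ?? 'index',
        'seid' => get_param($get, 'seid', 'int'),
        'user' => get_param($get, 'user', 'username'),
    ];
}

// Constructed sample requests standing in for $_GET.
$clean   = ['mode' => 'events', 'act' => 'viewevent', 'seid' => '42'];
$hostile = ['mode' => 'events', 'act' => 'viewevent', 'seid' => "42' OR '1'='1",
            'user' => '<script>'];

print_r(read_request($clean));     // seid survives as "42"
print_r(read_request($hostile));   // seid and user come back as null

// In the real script, a null seid should end the request (e.g. a 404 page)
// rather than fall through to a query; a value that passes is still bound
// with a prepared statement, never concatenated into SQL.
```

Validation limits what can reach the query at all, while binding keeps the SQL structure fixed; the two are complementary, not alternatives. strip_tags() and htmlspecialchars() mentioned above belong to a different step: they protect the HTML page when a value is printed back out, and do nothing for the SQL query.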
Posted by rumrunner439, 06-17-2008, 09:21 PM |
OK, I'm going to copy and paste and try some of the above advice, and I'll post my recodes and see if I did good or failed, lol.
What's going to happen when I remove the $superglobals array?
Last edited by P-nut; 06-18-2008 at 07:48 AM.
Reason: add [php] tags
|
Posted by rumrunner439, 06-17-2008, 09:25 PM |
OK, I think I fixed the one sql_execute:
$mem = sql_execute("SELECT mem_id FROM members WHERE username = '" . mysql_real_escape_string($user) . "'","get");
I'm a super newbie coder; heck, I wouldn't even give me coder status yet, lol, but hey, I'm trying.
Thanks for the help, guys.
|
Posted by rumrunner439, 06-21-2008, 12:54 PM |
OK, now I just have to figure out how to get rid of the $superglobal arrays. How do I recode it to make it work safer and more hacker proof?
Thanks, newbie
|