
people are hacking my forum


Monkuar


and doing sql injections

 

I have enabled MySQL logging and I can find where they did the query, but it only shows the query; it doesn't show what location or what URL or how they did it, so how can I fix it?

 

thx, also the lighttpd logs don't show...

this sucks


You've been on this forum long enough to have at least read something about query sanitization.

 

You'll need to go and check your queries, to make sure you are making them safe, such as using mysql_real_escape_string or mysqli_real_escape_string, as well as validating the incoming data to make sure it is exactly what it should be.

 

Do a quick search on the forum, there are a lot of threads about this.

 

Regards, PaulRyan.


If you want our specific help, you would need to post the code getting the data for and building the query statement along with the offending query.

 

I have tons of queries, as this forum software is from 2001.

 

Here is some random code that works to pull all the data from the index to show the forum categories:

 

 

$DB->query("SELECT  f.*, f.name as forum_name, f.id as forum_id, f.posts as forum_posts, f.topics as forum_topics,
                            t.*, c.name as cat_name, c.id as cat_id, c.state as cat_state
                            FROM ibf_topics t, ibf_forums f , ibf_categories c
                            WHERE t.tid=".$ibforums->input['t']." and f.id = t.forum_id and f.category=c.id");

 

 

$ibforums is a global var:

$ibforums->input      = $std->parse_incoming();

 

parse_incoming is:

 

 

function parse_incoming()
    {
        global $HTTP_GET_VARS, $HTTP_POST_VARS, $HTTP_CLIENT_IP, $REQUEST_METHOD, $REMOTE_ADDR, $HTTP_PROXY_USER, $HTTP_X_FORWARDED_FOR;
        $return = array();


        if( is_array($HTTP_GET_VARS) )
        {
            while( list($k, $v) = each($HTTP_GET_VARS) )
            {
//-- mod_sec_update_131 begin
                if (strpos($k, "amp;") === 0)
                    $k = substr($k, 4);
//-- mod_sec_update_131 end

                if ( $k == 'INFO' )
                {
                    continue;
                }

                if( is_array($HTTP_GET_VARS[$k]) )
                {
                    while( list($k2, $v2) = each($HTTP_GET_VARS[$k]) )
                    {
                        $return[$k][ $this->clean_key($k2) ] = $this->clean_value($v2);
                    }
                }
                else
                {
                    $return[$k] = $this->clean_value($v);
                }
            }
        }

        // Overwrite GET data with post data

        if( is_array($HTTP_POST_VARS) )
        {
            while( list($k, $v) = each($HTTP_POST_VARS) )
            {
                if ( is_array($HTTP_POST_VARS[$k]) )
                {
                    while( list($k2, $v2) = each($HTTP_POST_VARS[$k]) )
                    {
                        $return[$k][ $this->clean_key($k2) ] = $this->clean_value($v2);
                    }
                }
                else
                {
                    $return[$k] = $this->clean_value($v);
                }
            }
        }

        //----------------------------------------
        // Sort out the accessing IP
        // (Thanks to Cosmos and schickb)
        //----------------------------------------

        $addrs = array();

        foreach( array_reverse( explode( ',', $HTTP_X_FORWARDED_FOR ) ) as $x_f )
        {
            $x_f = trim($x_f);

            if ( preg_match( '/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/', $x_f ) )
            {
                $addrs[] = $x_f;
            }
        }

        $addrs[] = $_SERVER['REMOTE_ADDR'];
        $addrs[] = $HTTP_PROXY_USER;
        $addrs[] = $REMOTE_ADDR;

        //header("Content-type: text/plain"); print_r($addrs); print $_SERVER['HTTP_X_FORWARDED_FOR']; exit();

        $return['IP_ADDRESS'] = $this->select_var( $addrs );

        // Make sure we take a valid IP address

        $return['IP_ADDRESS'] = preg_replace( "/^([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})/", "\\1.\\2.\\3.\\4", $return['IP_ADDRESS'] );

        $return['request_method'] = ( $_SERVER['REQUEST_METHOD'] != "" ) ? strtolower($_SERVER['REQUEST_METHOD']) : strtolower($REQUEST_METHOD);

        return $return;
    }

 

 

Now, see how $ibforums->input is a cleaned value? But is that query still vulnerable? This is the class for $DB->query:

 

 

function query($the_query, $bypass=0) {
    	
    	//--------------------------------------
        // Change the table prefix if needed
        //--------------------------------------
        
        if ($bypass != 1)
        {
		if ($this->obj['sql_tbl_prefix'] != "ibf_")
		{
		   $the_query = preg_replace("/ibf_(\S+?)([\s\.,]|$)/", $this->obj['sql_tbl_prefix']."\\1\\2", $the_query);
		}
        }
        
        if ($this->obj['debug'])
        {
    		global $Debug, $ibforums;
    		
    		$Debug->startTimer();
    	}
    	
        $this->query_id = mysql_query($the_query, $this->connection_id);
      
        if (! $this->query_id )
        {
            $this->fatal_error("mySQL query error: $the_query");
        }
        
        if ($this->obj['debug'])
        {
        	$endtime = $Debug->endTimer();
        	
        	if ( preg_match( "/^select/i", $the_query ) )
        	{
        		$eid = mysql_query("EXPLAIN $the_query", $this->connection_id);
        		$ibforums->debug_html .= "<table width='95%' border='1' cellpadding='6' cellspacing='0' bgcolor='#FFE8F3' align='center'>
									   <tr>
									   	 <td colspan='8' style='font-size:14px' bgcolor='#FFC5Cb'><b>Select Query</b></td>
									   </tr>
									   <tr>
									    <td colspan='8' style='font-family:courier, monaco, arial;font-size:14px;color:black'>$the_query</td>
									   </tr>
									   <tr bgcolor='#FFC5Cb'>
										 <td><b>table</b></td><td><b>type</b></td><td><b>possible_keys</b></td>
										 <td><b>key</b></td><td><b>key_len</b></td><td><b>ref</b></td>
										 <td><b>rows</b></td><td><b>Extra</b></td>
									   </tr>\n";
			while( $array = mysql_fetch_array($eid) )
			{
				$type_col = '#FFFFFF';

				if ($array['type'] == 'ref' or $array['type'] == 'eq_ref' or $array['type'] == 'const')
				{
					$type_col = '#D8FFD4';
				}
				else if ($array['type'] == 'ALL')
				{
					$type_col = '#FFEEBA';
				}

				$ibforums->debug_html .= "<tr bgcolor='#FFFFFF'>
										 <td>$array[table] </td>
										 <td bgcolor='$type_col'>$array[type] </td>
										 <td>$array[possible_keys] </td>
										 <td>$array[key] </td>
										 <td>$array[key_len] </td>
										 <td>$array[ref] </td>
										 <td>$array[rows] </td>
										 <td>$array[Extra] </td>
									   </tr>\n";
			}

			if ($endtime > 0.1)
			{
				$endtime = "<span style='color:red'><b>$endtime</b></span>";
			}

			$ibforums->debug_html .= "<tr>
									  <td colspan='8' bgcolor='#FFD6DC' style='font-size:14px'><b>mySQL time</b>: $endtime</b></td>
									  </tr>
									  </table>\n<br />\n";
		}
		else
		{
		  $ibforums->debug_html .= "<table width='95%' border='1' cellpadding='6' cellspacing='0' bgcolor='#FEFEFE'  align='center'>
									 <tr>
									  <td style='font-size:14px' bgcolor='#EFEFEF'><b>Non Select Query</b></td>
									 </tr>
									 <tr>
									  <td style='font-family:courier, monaco, arial;font-size:14px'>$the_query</td>
									 </tr>
									 <tr>
									  <td style='font-size:14px' bgcolor='#EFEFEF'><b>mySQL time</b>: $endtime</span></td>
									 </tr>
									</table><br />\n\n";
		}
	}

	$this->query_count++;
        
        $this->obj['cached_queries'][] = $the_query;
        
        return $this->query_id;
    }

 

 

I have queries like this all over my board, tons of them..... I know it's probably so vulnerable; any "eye"-noticeable fixes that are vulnerable off the bat?

 

 

Is there any way I can add mysql_real_escape_string to the global $DB->query function?


$ibforums->input['t'] is a numerical value, probably an integer. You would need to cast it as an integer at the time you put it into the query statement to prevent whatever sql injection, that you didn't bother to post the example of, is occurring. Using mysql_real_escape_string on an integer value in a query would not prevent sql injection since the type of sql injection that does not use any quotes would not be affected.


$ibforums->input['t'] is a numerical value, probably an integer. You would need to cast it as an integer at the time you put it into the query statement to prevent whatever sql injection, that you didn't bother to post the example of, is occurring. Using mysql_real_escape_string on an integer value in a query would not prevent sql injection since the type of sql injection that does not use any quotes would not be affected.

 

But I have no idea where they are doing the queries from! So I dunno what query to give you!!

 

Here is one from a gold mod I made.

 

 

function buyticket() {
    global $ibforums, $DB, $std, $print;

    // Newmans checker lol
    if ($ibforums->input['amount'] < 0) {
        $std->Error2("Stop being nawty");
    }

    // Figure out the id and send variables for each
    if (!$ibforums->input['id']) {
        $std->Error2("Stop trying to be nawty....");
    }
    switch ($ibforums->input['id']) {
        case "1":
            $name     = "100FG Scratch Ticket(s)";
            $cost     = "10";
            $redirect = 'Scratch Ticket';
            break;
        case "2":
            $name     = "1,000FG Scratch Ticket(s)";
            $cost     = "125";
            $redirect = 'Scratch Ticket';
            break;
        case "3":
            $name     = "Name Stylizer Ticket";
            $cost     = "1500";
            $redirect = 'Name Stylizer';
            break;
        case "4":
            $name     = "Goodie Bag";
            $redirect = 'Goodie Bag';
            $cost     = "1699";
            break;
    }
    if (isset($ibforums->input['amount']) AND $ibforums->input['amount'] > "100") {
        $std->Error2("You can only buy a max of 100 Tickets");
    }
    if (isset($ibforums->input['amount'])) {
        $amount2 = $ibforums->input['amount'];
    } else {
        $ibforums->input['amount'] = "1";
        $amount2 = '1';
    }
    $amount    = $cost * $ibforums->input['amount'];
    $newamount = $amount;
    if ($ibforums->member['gold'] < $amount) {
        $std->Error2("You do not have enough Forum Gold you need, $amount");
    } else {
        // Check if they already have the item
        $DB->query("SELECT item_id from items where user_id = {$ibforums->member['id']} AND item_id = {$ibforums->input['id']}");
        $r2 = $DB->fetch_row();
        if ($r2['item_id'] == $ibforums->input['id']) {
            // Just update and give them quantity +1
            $DB->query("UPDATE items
                        SET quantity=quantity+$amount2,comment='Bought $name'
                        WHERE user_id={$ibforums->member['id']} AND item_id = {$ibforums->input['id']}");
            $DB->query("UPDATE ibf_members
                        SET gold=gold-$amount
                        WHERE id={$ibforums->member['id']}");
            $db_string = $std->compile_db_string( array(
                'to_id'    => "0",
                'from_id'  => "{$ibforums->member['id']}",
                'comments' => "Bought {$amount2}x $name",
                // Date
                'date'     => time(),
                // 0 -> Store 1 -> Received 2 -> Sent
                'amount'   => "$newamount",
            ) );

            $DB->query("INSERT INTO gold_logs (" .$db_string['FIELD_NAMES']. ") VALUES (". $db_string['FIELD_VALUES'] .")");
            $print->redirect_screen("$redirect Purchased", 'a=Shop&action=MyItems');
        } else {
            $DB->query("UPDATE ibf_members
                        SET gold=gold-$amount
                        WHERE id={$ibforums->member['id']}");
            $db_string = $std->compile_db_string( array(
                'to_id'    => "0",
                'from_id'  => "{$ibforums->member['id']}",
                'comments' => "Bought {$amount2}x $name",
                // Date
                'date'     => time(),
                // 0 -> Store 1 -> Received 2 -> Sent
                'amount'   => "$newamount",
            ) );

            $DB->query("INSERT INTO gold_logs (" .$db_string['FIELD_NAMES']. ") VALUES (". $db_string['FIELD_VALUES'] .")");
            $db_string = $std->compile_db_string( array(
                'item_id'  => "{$ibforums->input['id']}",
                'user_id'  => "{$ibforums->member['id']}",
                'from_id'  => "0",
                'date'     => time(),
                'quantity' => ''.$amount2.'',
                'comment'  => "{$name}",
            ) );

            $DB->query("INSERT INTO items (" .$db_string['FIELD_NAMES']. ") VALUES (". $db_string['FIELD_VALUES'] .")");
            $print->redirect_screen("$redirect Purchased", 'a=Shop&action=MyItems');
        }
    }

    $this->output .=
<<< LOL
LOL;
}

 

 

 

Now, see, the problem is, they can't access those queries unless they have gold on their account, am I right? The hacker has no gold on his profile, so I know he didn't use this.

 

 

Okay, here's another query in the profile settings:

 

 

//Make sure no1 comes in...

//Update the star they chose..
if (isset($ibforums->input['remove'])) {
    $DB->query("UPDATE ibf_members set star='' WHERE id='".$this->member['id']."'");
    $print->redirect_screen("Your star has been removed.", "a=[]&c=Donor");
}
if (isset($ibforums->input['star'])) {
    // Newmans checker lol
    if ($ibforums->input['star'] < 0) {
        $std->Error2("Stop being nawty");
    }
    if ($ibforums->input['star'] > $this->member['max_stars']) {
        //They trying to hack my stars...
        $std->Error2("You cannot choose a star you don't have access to...");
    } else {
        $DB->query("UPDATE ibf_members set star='{$ibforums->input['star']}' WHERE id='".$this->member['id']."'");
    }
}

 

Would that be vulnerable?

 

But the hacker had a max_stars of 0 anyway.... so how could they get in? But in general, are queries like this vulnerable? But isn't the $ibforums input already escaped? Or should I use mysql_real_escape_string on it again? I don't get it.

 

 

 

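As an added example (not code from this thread or from the forum software), here are the index query from the first post and the star query from the last post rebuilt the way the answer above describes: numeric parameters are cast to int at the point they enter the SQL, and only real strings get mysql_real_escape_string. Escaping cannot be bolted onto $DB->query() itself, because by the time query() runs the values are already part of the SQL string; it has to happen where each value is interpolated. $ibforums, $DB, the mysql_* link $link and the mysqli connection $mysqli are assumed to exist.

```php
<?php
// Added example, not the forum software's own code. $ibforums, $DB, $link
// (mysql_* link resource) and $mysqli (open mysqli connection) are assumed.

// Numeric parameters: cast to int where they enter the query. "5abc" becomes
// 5 and "abc" becomes 0, so nothing but digits ever reaches the SQL text and
// an injection that needs no quotes (the case the answer above describes)
// cannot change the statement's structure.
function int_param($value)
{
    return (int) $value;
}

// The index query from the first post, with t.tid cast instead of interpolated raw.
$tid = int_param($ibforums->input['t']);
$DB->query("SELECT f.*, f.name as forum_name, f.id as forum_id, f.posts as forum_posts,
                   f.topics as forum_topics, t.*, c.name as cat_name, c.id as cat_id,
                   c.state as cat_state
            FROM ibf_topics t, ibf_forums f, ibf_categories c
            WHERE t.tid=$tid AND f.id = t.forum_id AND f.category=c.id");

// The star query from the last post. It quotes its value, so escaping would
// work there, but star is numeric too: casting is simpler and drops the quotes.
$star      = int_param($ibforums->input['star']);
$member_id = int_param($ibforums->member['id']);
$DB->query("UPDATE ibf_members SET star=$star WHERE id=$member_id");

// Values that really are strings must be escaped against the open connection
// (the link is needed so the escaping matches the connection's charset) and
// then quoted. 'comment' is a hypothetical free-text field used for illustration.
function str_param($value, $link)
{
    return "'" . mysql_real_escape_string($value, $link) . "'";
}

$comment = str_param($ibforums->input['comment'], $link);
$DB->query("UPDATE items SET comment=$comment WHERE user_id=$member_id");

// Same star UPDATE with mysqli and a prepared statement: the values travel
// separately from the SQL text, so neither casting nor escaping is needed to
// keep the statement's structure fixed ('ii' binds both values as integers).
$stmt = $mysqli->prepare("UPDATE ibf_members SET star=? WHERE id=?");
$stmt->bind_param('ii', $star, $member_id);
$stmt->execute();
$stmt->close();
```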
