vb.org Archive

vb.org Archive (https://vborg.vbsupport.ru/index.php)
-   vB4 General Discussions (https://vborg.vbsupport.ru/forumdisplay.php?f=251)
-   -   How do I test for SQL Injection (https://vborg.vbsupport.ru/showthread.php?t=326655)

Scalemotorcars 08-13-2018 01:47 PM
How do I test for SQL Injection
 
I just got a DB error and searched the IP it came from and its been reported for SQL Injection. Is there a way to test to see if they were successful?

Thanks.

Scalemotorcars 08-14-2018 04:42 PM
Anyone have a clue?

snakes1100 08-14-2018 10:20 PM
What DB error did u get?

Scalemotorcars 08-15-2018 12:19 AM
I changed the DB table ID but her you go. And thanks for looking at it.

Quote:
Invalid SQL:
SELECT node.nodeid AS itemid,
(node.nodeleft = 1) AS isroot, node.nodeid, node.contenttypeid, node.contentid, node.url, node.parentnode, node.styleid, node.userid,
node.layoutid, node.publishdate, node.setpublish, node.issection, parent.permissionsfrom as parentpermissions,
node.permissionsfrom, node.publicpreview, node.showtitle, node.showuser, node.showpreviewonly, node.showall,
node.showupdated, node.showviewcount, node.showpublishdate, node.settingsforboth, node.includechildren, node.editshowchildren,
node.shownav, node.hidden, node.nosearch, node.nodeleft,
info.description, info.title, info.html_title, info.viewcount, info.creationdate, info.workflowdate,
info.workflowstatus, info.workflowcheckedout, info.workflowlevelid, info.associatedthreadid,
user.username, sectionorder.displayorder, thread.replycount, parentinfo.title AS parenttitle

FROM A2Ctest_cms_node AS node
INNER JOIN A2Ctest_cms_nodeinfo AS info ON info.nodeid = node.nodeid

LEFT JOIN A2Ctest_user AS user ON user.userid = node.userid
LEFT JOIN A2Ctest_thread AS thread ON thread.threadid = info.associatedthreadid
LEFT JOIN A2Ctest_cms_sectionorder AS sectionorder ON sectionorder.sectionid = 1
AND sectionorder.nodeid = node.nodeid
LEFT JOIN A2Ctest_cms_node AS parent ON parent.nodeid = node.parentnode
LEFT JOIN A2Ctest_cms_nodeinfo AS parentinfo ON parentinfo.nodeid = parent.nodeid
INNER JOIN A2Ctest_cms_node AS rootnode
ON rootnode.nodeid = 1 AND (node.nodeleft >= rootnode.nodeleft AND node.nodeleft <= rootnode.noderight) AND node.nodeleft != rootnode.nodeleft AND node.contenttypeid <> 23 AND node.new != 1 AND ( (( (node.permissionsfrom IN (-1)) OR ( node.permissionsfrom in (1,2,5,11,45,117,118,119,120,121,122,123,124,125,1 26,127,128,129,130,131,132,133,134,135,136,148,149 ,164,165,205,242,243,273,336,337,338,375,377) AND (node.parentnode IN (1,133,134,136,375,242,205,45,117,336,337,338,377) OR node.nodeid = 1) AND
node.setpublish > 0 AND node.publishdate < 1534174163 ))) OR (node.setpublish AND node.publishdate <1534174163 AND node.publicpreview > 0))AND node.hidden = 0 AND ((node.setpublish = '1' AND node.publishdate <= 1534174163 ) OR node.userid = 0)

ORDER BY node.publishdate DESC LIMIT -16, 80;

snakes1100 08-15-2018 07:39 AM
You can use these to scan for anything suspicious.

SELECT title, phpcode, hookname, product FROM plugin WHERE phpcode LIKE '%base64%' OR phpcode LIKE '%exec%' OR phpcode LIKE '%system%' OR phpcode like '%pass_thru%' OR phpcode like '%iframe%';

SELECT styleid, title, template FROM template WHERE template LIKE '%base64%' OR template LIKE '%exec%' OR template LIKE '%system%' OR template like '%pass_thru%' OR template like '%iframe%';

Did you locate anything in the apache/nginx etc log related to that attempted post in the cms for that time stamp?

Scalemotorcars 11-10-2018 07:46 PM
Well, using PHPmyadmin I found the below items.

I'm not sure how to do the search you're referring to. And not sure how to check apache/nginx. In laymen's terms, please.

And thanks for the help.

%base64% in _searchcore_text, _pmtext, and _post

%exec% in _autosave, _cache, _cacheevent, _widgetconfig, _widgettype, _cronlog, _datastore, dbtech_dbseo_resolvedurl, iei_img, _language, _phrase, _plugin, _pmtext, _post, _postedithistory, _productcode, _searchcore_text, _searchgroup_text, _style, _template, _templatehistory, _thread, _user

Max Taxable 11-10-2018 08:12 PM
Quote:
Originally Posted by Scalemotorcars (Post 2597318)
I'm not sure how to do the search you're referring to.
I believe (pretty sure) he gave you SQL queries you can run via ACP.

Scalemotorcars 11-10-2018 08:19 PM
Not sure how to check in the ACP. Step by step if its not to much hassle.

Thanks

Max Taxable 11-10-2018 08:39 PM
ACP>Maintenance>Execute SQL Query

One at a time, paste his queries into the manual query box and click "Continue."

You have to be a Super Admin with query running permissions as defined in includes/config.php or nothing will happen, except it will let you know you don't have permission to run queries.

Scalemotorcars 11-10-2018 08:55 PM
I tried

Quote:
SELECT title, phpcode, hookname, product FROM plugin WHERE phpcode LIKE '%base64%'
This returned an error number: 1146

Did I get the query wrong?

Sorry I feel like a total noob. You would think after 12 years I would know how to do this.

Max Taxable 11-10-2018 08:58 PM
He posted two, complete queries. Looks like you posted only part of the first one.

The queries are:
HTML Code:
SELECT title, phpcode, hookname, product FROM plugin WHERE phpcode LIKE '%base64%' OR phpcode LIKE '%exec%' OR phpcode LIKE '%system%' OR phpcode like '%pass_thru%' OR phpcode like '%iframe%';
And:
HTML Code:
SELECT styleid, title, template FROM template WHERE template LIKE '%base64%' OR template LIKE '%exec%' OR template LIKE '%system%' OR template like '%pass_thru%' OR template like '%iframe%';
Try them one at a time.

Scalemotorcars 11-10-2018 09:03 PM
Tried that also. Im the super admin so thats not it. aLSO TRIED IN THE sql OF PHPMyAdmin. Same result

This is the complete error I get trying either one.

Code:
An error occurred while attempting to execute your query. The following information was returned.
error number: 1146
error desc: Table 'REDACTED_forum.plugin' doesn't exist
Code:
An error occurred while attempting to execute your query. The following information was returned.
error number: 1146
error desc: Table 'REDACTED_forum.template' doesn't exist
And thanks for the help I really appreciate it.

Max Taxable 11-10-2018 09:06 PM
Quote:
error desc: Table 'p16t2ugb_forum.plugin' doesn't exist
I have no idea at all why it's trying to query that table, it's not called for in either query.

Need the guy who posted the queries to chime in, I may be mistaken what exactly it is he posted there. LOOKS like queries, might not be though.

Sorry i haven't been able to help you so far.

Scalemotorcars 11-10-2018 09:17 PM
Ok I added my prefix to the query and it worked. I got 3 pages of results just for the Plugin query.

Now what?

Max Taxable 11-10-2018 09:27 PM
Quote:
Originally Posted by Scalemotorcars (Post 2597326)
Ok I added my prefix to the query and it worked. I got 3 pages of results just for the Plugin query.

Now what?
No idea. Can't be good though.

snakes was online today, maybe he will chime in.

Scalemotorcars 11-10-2018 09:30 PM
So like I said I got the plugin query to work and got 42 results. (cant get the template one to work)

Anway

Maybe reinstall the plugins affected with overwriting enabled. That would change the code but not sure about the DB.

Thanks again.
Daniel

snakes1100 11-11-2018 10:40 AM
Well the 2 queries i gave you just pull the data from those tables, the results you can match to a default/clean install on a dev site for example.

Scalemotorcars 11-11-2018 04:10 PM
Now if I only had a dev site. :(

snakes1100 11-11-2018 04:36 PM
Those queries will only show you results that contain the keywords outlined base64 etc

Brandon Sheley 11-13-2018 10:09 AM
Quote:
Originally Posted by Scalemotorcars (Post 2597326)
Ok I added my prefix to the query and it worked. I got 3 pages of results just for the Plugin query.

Now what?
You can try searching one at a time

SELECT title, phpcode, hookname, product FROM plugin WHERE phpcode LIKE '%base64%';

SELECT title, phpcode, hookname, product FROM plugin WHERE phpcode LIKE '%iframe%';

What do you see with just this part of the command?
Any odd plugins that you don't remember adding?
A screenshot would help us, but really if your site was compromised, it's wise to have someone who knows what they're doing on board.


All times are GMT. The time now is 04:58 AM.

Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2025, vBulletin Solutions Inc.

X vBulletin 3.8.12 by vBS Debug Information
  • Page Generation 0.01249 seconds
  • Memory Usage 1,764KB
  • Queries Executed 10 (?)
More Information
Template Usage:
  • (1)ad_footer_end
  • (1)ad_footer_start
  • (1)ad_header_end
  • (1)ad_header_logo
  • (1)ad_navbar_below
  • (2)bbcode_code_printable
  • (2)bbcode_html_printable
  • (6)bbcode_quote_printable
  • (1)footer
  • (1)gobutton
  • (1)header
  • (1)headinclude
  • (6)option
  • (1)post_thanks_navbar_search
  • (1)printthread
  • (20)printthreadbit
  • (1)spacer_close
  • (1)spacer_open 
Phrase Groups Available:
  • global
  • postbit
  • showthread
Included Files:
  • ./printthread.php
  • ./global.php
  • ./includes/init.php
  • ./includes/class_core.php
  • ./includes/config.php
  • ./includes/functions.php
  • ./includes/class_hook.php
  • ./includes/modsystem_functions.php
  • ./includes/class_bbcode_alt.php
  • ./includes/class_bbcode.php
  • ./includes/functions_bigthree.php 
Hooks Called:
  • init_startup
  • init_startup_session_setup_start
  • init_startup_session_setup_complete
  • cache_permissions
  • fetch_threadinfo_query
  • fetch_threadinfo
  • fetch_foruminfo
  • style_fetch
  • cache_templates
  • global_start
  • parse_templates
  • global_setup_complete
  • printthread_start
  • bbcode_fetch_tags
  • bbcode_create
  • bbcode_parse_start
  • bbcode_parse_complete_precache
  • bbcode_parse_complete
  • printthread_post
  • printthread_complete