The Arcive of Official vBulletin Modifications Site.

Scalemotorcars · #1 08-13-2018, 01:47 PM

I just got a DB error and searched the IP it came from and its been reported for SQL Injection. Is there a way to test to see if they were successful?

Thanks.

Scalemotorcars · #2 08-14-2018, 04:42 PM

Anyone have a clue?

snakes1100 · #3 08-14-2018, 10:20 PM

What DB error did u get?

Scalemotorcars · #4 08-15-2018, 12:19 AM

I changed the DB table ID but her you go. And thanks for looking at it.

Quote:

Invalid SQL:
SELECT node.nodeid AS itemid,
(node.nodeleft = 1) AS isroot, node.nodeid, node.contenttypeid, node.contentid, node.url, node.parentnode, node.styleid, node.userid,
node.layoutid, node.publishdate, node.setpublish, node.issection, parent.permissionsfrom as parentpermissions,
node.permissionsfrom, node.publicpreview, node.showtitle, node.showuser, node.showpreviewonly, node.showall,
node.showupdated, node.showviewcount, node.showpublishdate, node.settingsforboth, node.includechildren, node.editshowchildren,
node.shownav, node.hidden, node.nosearch, node.nodeleft,
info.description, info.title, info.html_title, info.viewcount, info.creationdate, info.workflowdate,
info.workflowstatus, info.workflowcheckedout, info.workflowlevelid, info.associatedthreadid,
user.username, sectionorder.displayorder, thread.replycount, parentinfo.title AS parenttitle

FROM A2Ctest_cms_node AS node
INNER JOIN A2Ctest_cms_nodeinfo AS info ON info.nodeid = node.nodeid

LEFT JOIN A2Ctest_user AS user ON user.userid = node.userid
LEFT JOIN A2Ctest_thread AS thread ON thread.threadid = info.associatedthreadid
LEFT JOIN A2Ctest_cms_sectionorder AS sectionorder ON sectionorder.sectionid = 1
AND sectionorder.nodeid = node.nodeid
LEFT JOIN A2Ctest_cms_node AS parent ON parent.nodeid = node.parentnode
LEFT JOIN A2Ctest_cms_nodeinfo AS parentinfo ON parentinfo.nodeid = parent.nodeid
INNER JOIN A2Ctest_cms_node AS rootnode
ON rootnode.nodeid = 1 AND (node.nodeleft >= rootnode.nodeleft AND node.nodeleft <= rootnode.noderight) AND node.nodeleft != rootnode.nodeleft AND node.contenttypeid <> 23 AND node.new != 1 AND ( (( (node.permissionsfrom IN (-1)) OR ( node.permissionsfrom in (1,2,5,11,45,117,118,119,120,121,122,123,124,125,1 26,127,128,129,130,131,132,133,134,135,136,148,149 ,164,165,205,242,243,273,336,337,338,375,377) AND (node.parentnode IN (1,133,134,136,375,242,205,45,117,336,337,338,377) OR node.nodeid = 1) AND
node.setpublish > 0 AND node.publishdate < 1534174163 ))) OR (node.setpublish AND node.publishdate <1534174163 AND node.publicpreview > 0))AND node.hidden = 0 AND ((node.setpublish = '1' AND node.publishdate <= 1534174163 ) OR node.userid = 0)

ORDER BY node.publishdate DESC LIMIT -16, 80;

snakes1100 · #5 08-15-2018, 07:39 AM

You can use these to scan for anything suspicious.

SELECT title, phpcode, hookname, product FROM plugin WHERE phpcode LIKE '%base64%' OR phpcode LIKE '%exec%' OR phpcode LIKE '%system%' OR phpcode like '%pass_thru%' OR phpcode like '%iframe%';

SELECT styleid, title, template FROM template WHERE template LIKE '%base64%' OR template LIKE '%exec%' OR template LIKE '%system%' OR template like '%pass_thru%' OR template like '%iframe%';

Did you locate anything in the apache/nginx etc log related to that attempted post in the cms for that time stamp?

Scalemotorcars · #6 11-10-2018, 07:46 PM

Well, using PHPmyadmin I found the below items.

I'm not sure how to do the search you're referring to. And not sure how to check apache/nginx. In laymen's terms, please.

And thanks for the help.

%base64% in _searchcore_text, _pmtext, and _post

%exec% in _autosave, _cache, _cacheevent, _widgetconfig, _widgettype, _cronlog, _datastore, dbtech_dbseo_resolvedurl, iei_img, _language, _phrase, _plugin, _pmtext, _post, _postedithistory, _productcode, _searchcore_text, _searchgroup_text, _style, _template, _templatehistory, _thread, _user

Max Taxable · #7 11-10-2018, 08:12 PM

Quote:

Originally Posted by Scalemotorcars

I'm not sure how to do the search you're referring to.

I believe (pretty sure) he gave you SQL queries you can run via ACP.

Scalemotorcars · #8 11-10-2018, 08:19 PM

Not sure how to check in the ACP. Step by step if its not to much hassle.

Thanks

Max Taxable · #9 11-10-2018, 08:39 PM

ACP>Maintenance>Execute SQL Query

One at a time, paste his queries into the manual query box and click "Continue."

You have to be a Super Admin with query running permissions as defined in includes/config.php or nothing will happen, except it will let you know you don't have permission to run queries.

Scalemotorcars · #10 11-10-2018, 08:55 PM

I tried

Quote:

SELECT title, phpcode, hookname, product FROM plugin WHERE phpcode LIKE '%base64%'

This returned an error number: 1146

Did I get the query wrong?

Sorry I feel like a total noob. You would think after 12 years I would know how to do this.

X vBulletin 3.8.12 by vBS Debug Information
Page Generation 0.06023 seconds Memory Usage 2,265KB Queries Executed 13 (?)
More Information
Template Usage: (1)SHOWTHREAD (1)ad_footer_end (1)ad_footer_start (1)ad_header_end (1)ad_header_logo (1)ad_navbar_below (1)ad_showthread_beforeqr (1)ad_showthread_firstpost (1)ad_showthread_firstpost_sig (1)ad_showthread_firstpost_start (3)bbcode_quote (1)footer (1)forumjump (1)forumrules (1)gobutton (1)header (1)headinclude (1)navbar (3)navbar_link (120)option (1)pagenav (1)pagenav_curpage (1)pagenav_pagelink (10)post_thanks_box (1)post_thanks_box_bit (10)post_thanks_button (1)post_thanks_javascript (1)post_thanks_navbar_search (1)post_thanks_postbit (10)post_thanks_postbit_info (10)postbit (10)postbit_onlinestatus (10)postbit_wrapper (1)spacer_close (1)spacer_open (1)tagbit_wrapper Phrase Groups Available: global inlinemod postbit posting reputationlevel showthread	Included Files: ./showthread.php ./global.php ./includes/init.php ./includes/class_core.php ./includes/config.php ./includes/functions.php ./includes/class_hook.php ./includes/modsystem_functions.php ./includes/functions_bigthree.php ./includes/class_postbit.php ./includes/class_bbcode.php ./includes/functions_reputation.php ./includes/functions_post_thanks.php Hooks Called: init_startup init_startup_session_setup_start init_startup_session_setup_complete cache_permissions fetch_postinfo_query fetch_postinfo fetch_threadinfo_query fetch_threadinfo fetch_foruminfo style_fetch cache_templates global_start parse_templates global_setup_complete showthread_start showthread_getinfo forumjump showthread_post_start showthread_query_postids showthread_query bbcode_fetch_tags bbcode_create showthread_postbit_create postbit_factory postbit_display_start post_thanks_function_post_thanks_off_start post_thanks_function_post_thanks_off_end post_thanks_function_fetch_thanks_start fetch_musername post_thanks_function_fetch_thanks_end post_thanks_function_thanked_already_start post_thanks_function_thanked_already_end postbit_imicons bbcode_parse_start bbcode_parse_complete_precache bbcode_parse_complete postbit_display_complete post_thanks_function_can_thank_this_post_start post_thanks_function_fetch_thanks_bit_start post_thanks_function_show_thanks_date_start post_thanks_function_show_thanks_date_end post_thanks_function_fetch_thanks_bit_end post_thanks_function_fetch_post_thanks_template_start post_thanks_function_fetch_post_thanks_template_end pagenav_page pagenav_complete tag_fetchbit_complete forumrules navbits navbits_complete showthread_complete
Messages:

Благодарность от:
Brandon Sheley

The Arcive of Official vBulletin Modifications Site.

It is not a VB3 engine, just a parsed copy!