Re: C5 MySQL injection attack ("Union Select")




On Thu, 2016-03-24 at 04:08 -0700, Alice Wonder wrote:

> Always use parameterized statements (aka prepared statements) for SQL 
> that involves untrusted input.
> 
> I like to use them even for input that involves trusted input because it 
> is easy to make a change in my code and not think about how it impacts 
> the parameters.
> 
> -=-
> 
> This is an attack on WordPress ??? Or just trying to get WordPress 
> database from a different app?
> 
> Be careful with WordPress - its database handler doesn't actually use 
> parameterized statements, it emulates them with printf - one (of many) 
> reasons I do not like the product.
> 
> If it is not an attack on WordPress directly - your WordPress database 
> should be using a different uname/pass from anything else, so actual 
> queries for data should fail.

I write my own database applications (each has its own unique user-id
and password and only essential permissions on tables) and do not use
any packaged solution. Thus no WordPress or anything like it.

The hacker tried many variants like this - which baffle me.

' UNION SELECT (-x1-Q-,-x2-Q-,-x3-Q-,-x4-Q-,-x5-Q-,-x6-Q-)

' UNION SELECT 1,CONCAT(ddd,[X],file_priv,[XX],3,4,5,6,7,8 FROM
mysql.user limit 0,1  (I do not have mysql.user)

' UNION SELECT 13,CONCAT([X],count(*),[X],13,13,13,13,13,13 FROM
information_schema.TABLES WHERE `TABLE_NAME` LIKE "%wp_users%"   -- /*
order by 'as

LIKE "%user%"
LIKE "%usr%"
LIKE "%phpbb%"
LIKE "%bb%"
LIKE "%adm%"
LIKE "%member%"
LIKE "%forum%"
LIKE "%reg%"
LIKE "%moder%"
LIKE "%ftp%"
LIKE "%jos%"
LIKE "%acces%"
LIKE "%wso%"



>> On 24.03.2016 at 09:54:11 +0100, Leon Fauster wrote:

>> Current version on C5 is mysql55, 5.0 does not get any updates
>> anymore!

Thank you. That server is the last production server on C5. I need to
shift it to C6 and Maria 10.

I am 'always learning'; security is a perpetual task. Thankfully I always
read the daily logs and reports (an arduous task).

Many thanks.

-- 


Paul.
England, EU.      England's place is in the European Union amid our
European brothers and sisters and even our betters.
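Added example, not from this thread or any of its participants: the script below reproduces the mechanics of the probes quoted above against an in-memory SQLite database. It assumes constructed table names (products, wp_users) and uses sqlite_master in place of MySQL's information_schema.TABLES; Python's `%` string formatting stands in for printf-style query assembly. It shows the same UNION SELECT payload returning other tables' rows through the string-built query and nothing through the parameterized one, shows why a wrong column count makes the attacker cycle through variants, and ends with a crude regex run over constructed Apache-style log lines as a starting point for the kind of daily log review described in the message.

```python
import re
import sqlite3

# Probes shaped like the ones quoted in the thread. SQLite's sqlite_master
# stands in for MySQL's information_schema.TABLES; wp_users is a constructed
# table that plays the role of the WordPress users table the probes hunt for.
PROBES = {
    "table_names": "' UNION SELECT name, 'x', 'x' FROM sqlite_master WHERE type='table' -- ",
    "table_count": "' UNION SELECT count(*), 'x', 'x' FROM sqlite_master WHERE name LIKE '%wp_users%' -- ",
    "dump_users":  "' UNION SELECT user_login, user_pass, 'x' FROM wp_users -- ",
}

def make_db():
    """In-memory database with constructed sample data (not real data)."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE products (id INTEGER, name TEXT, price TEXT);
        INSERT INTO products VALUES (1, 'widget', '9.99');
        CREATE TABLE wp_users (id INTEGER, user_login TEXT, user_pass TEXT);
        INSERT INTO wp_users VALUES (1, 'admin', '$P$BfakeHashValue');
    """)
    return con

def lookup_vulnerable(con, name):
    """printf/concatenation style: the input is spliced into the SQL text,
    so a quote closes the literal and the rest is parsed as SQL."""
    sql = "SELECT id, name, price FROM products WHERE name = '%s'" % name
    return con.execute(sql).fetchall()

def lookup_parameterized(con, name):
    """Prepared statement: the driver binds the value after parsing, so the
    probe is compared as a literal product name and matches nothing."""
    sql = "SELECT id, name, price FROM products WHERE name = ?"
    return con.execute(sql, (name,)).fetchall()

def run_probes(con, lookup):
    """Run every probe through the given lookup; any rows returned are leakage."""
    return {label: lookup(con, payload) for label, payload in PROBES.items()}

def union_probe_errors(con, payload):
    """True if the database rejects the probe. A UNION whose column count does
    not match the original SELECT is an error, which is why the attacker in
    the thread cycles through 1..8 and 13,13,13,... columns: each variant is
    a guess at the column count of the query being attacked."""
    try:
        lookup_vulnerable(con, payload)
        return False
    except sqlite3.Error:
        return True

# Crude matcher for daily log review: a quote (raw or URL-encoded) followed
# by UNION [ALL] SELECT, with spaces possibly encoded as %20 or +.
_SP = r"(?:%20|\+|\s)"
UNION_RE = re.compile(r"(?:%27|')" + _SP + r"*union" + _SP + r"+(?:all" + _SP + r"+)?select", re.I)

def flag_union_probes(log_lines):
    """Return the log lines that look like UNION SELECT injection attempts."""
    return [line for line in log_lines if UNION_RE.search(line)]

SAMPLE_LOG = [  # constructed Apache-style lines, not real traffic
    '203.0.113.5 - - [24/Mar/2016:03:11:02 +0000] "GET /item.php?name=widget HTTP/1.1" 200 512',
    '203.0.113.5 - - [24/Mar/2016:03:11:09 +0000] "GET /item.php?name=%27%20UNION%20SELECT%201,2,3%20FROM%20information_schema.TABLES%20WHERE%20TABLE_NAME%20LIKE%20%22%25wp_users%25%22%20--%20/* HTTP/1.1" 200 640',
    '198.51.100.7 - - [24/Mar/2016:03:12:40 +0000] "GET /item.php?name=gadget HTTP/1.1" 404 210',
]

if __name__ == "__main__":
    con = make_db()
    for label, rows in run_probes(con, lookup_vulnerable).items():
        print("vulnerable   ", label, rows)
    for label, rows in run_probes(con, lookup_parameterized).items():
        print("parameterized", label, rows)
    print("wrong column count rejected:", union_probe_errors(con, "' UNION SELECT 1,2 -- "))
    for line in flag_union_probes(SAMPLE_LOG):
        print("FLAG", line)
```

SQLite has no per-user grants, so the script cannot show the other defence in the message, a separate database user per application with only the needed table privileges. On MySQL that is a GRANT limited to the application's own tables, and a UNION against mysql.user or another application's tables then fails with a permission error instead of returning rows, which is exactly why the file_priv probe above is harmless on a server where the web application's user cannot read mysql.user.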



_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
https://lists.centos.org/mailman/listinfo/centos



