Re: SQL injection

On 21/06/15 18:55, Richard wrote:
>>> OK - this had no chance of success since publish_date_desc is
>>> processed using the _desc ( or _asc ) and any invalid data
>>> stripped
>>>
>>> &sort_mode=publish_date_desc%20or%20(1,2)=(select*from(select%20name_const(CHAR(111,108,111,108,111,115,104,101,114),1),name_const(CHAR(111,108,111,108,111,115,104,101,114),1))a)%20--%20and%201%3D1
>>>
>>> The question is more of interest in just what it was trying to
>>> achieve? I presume hack MySQL? So Firebird would barf anyway, but
>>> just trying to something that has generated some several hundred
>>> error log entries in the last two days ...
>>>
>>> Lester Caine - G8HFL
>>
>> The sub-query is invalid, if valid it would've been equivalent to:
>> or (1,2)=(select*from(select 'b2xvbG9zaGVy' as 1, 'b2xvbG9zaGVy'
>> as 1))a) -- and 1=1
>>
>> Seems non threatening to me.
>
> Regardless of whether this specific attack could have resulted in
> harmful SQL injection or not, user input should be sanitized so that
> things never get this far.

? That is taken direct off the URL! Sod all I can do to prevent it, but
I was simply asking if I was missing something as it did not make any
sense? It got no further than the error log but as I said several
hundred attempts via a few different filter options all of which
suggested something that was expected to work if the site was a
vulnerable mysql powered site ... which it's not.

Seems that is just a pointless URL rather than some recently identified
potential vulnerability?

-- 
Lester Caine - G8HFL
-----------------------------
Contact - http://lsces.co.uk/wiki/?page=contact
L.S.Caine Electronic Services - http://lsces.co.uk
EnquirySolve - http://enquirysolve.com/
Model Engineers Digital Workshop - http://medw.co.uk
Rainbow Digital Media - http://rainbowdigitalmedia.co.uk
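Added example, not code from any message in this thread: a PHP allow-list check for the sort_mode parameter in the spirit of the "_desc / _asc" processing Lester describes, assuming a hypothetical set of sortable columns (SORTABLE_COLUMNS) and a fallback default order. The probe quoted above is rejected whole and logged rather than stripped, so only a fixed fragment from the allow-list ever reaches ORDER BY.

```php
<?php
// Allow-list validation for a sort_mode query parameter of the form
// <column>_<asc|desc>, e.g. sort_mode=publish_date_desc.
// Anything not on the list is rejected and logged; only fixed strings
// from the table below are ever concatenated into the ORDER BY clause.

// Hypothetical allow-list: request token => real column name.
const SORTABLE_COLUMNS = [
    'publish_date' => 'publish_date',
    'title'        => 'title',
    'hits'         => 'hits',
];

/**
 * Return a safe ORDER BY fragment for a raw sort_mode value, or null
 * if the value is not exactly an allowed "<column>_<asc|desc>" token.
 */
function safe_order_by(string $raw): ?string
{
    // Anchor on the whole string: an allow-listed column name followed
    // by _asc or _desc and nothing else. Any trailing payload fails here.
    if (!preg_match('/\A([a-z_]+)_(asc|desc)\z/', $raw, $m)) {
        return null;
    }
    if (!isset(SORTABLE_COLUMNS[$m[1]])) {
        return null;
    }
    return SORTABLE_COLUMNS[$m[1]] . ' ' . strtoupper($m[2]);
}

// Constructed inputs: two legitimate values and the probe from the thread
// (PHP would already have URL-decoded it when populating $_GET).
$probe = urldecode('publish_date_desc%20or%20(1,2)=(select*from(select%20'
    . 'name_const(CHAR(111,108,111,108,111,115,104,101,114),1),name_const'
    . '(CHAR(111,108,111,108,111,115,104,101,114),1))a)%20--%20and%201%3D1');

foreach (['publish_date_desc', 'title_asc', $probe] as $value) {
    $fragment = safe_order_by($value);
    if ($fragment === null) {
        // Log the rejection (truncated) so probes show up in one place,
        // then fall back to the default order instead of erroring out.
        error_log('rejected sort_mode: ' . substr($value, 0, 60));
        $fragment = 'publish_date DESC';
    }
    $sql = 'SELECT id, title FROM articles ORDER BY ' . $fragment;
    echo $sql, "\n";
}
```

The rejected probe never reaches the database, so it produces one application log line instead of hundreds of database error log entries.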

-- 
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php