On Wed, March 23, 2016 10:21 pm, Always Learning wrote:
mysql Ver 14.12 Distrib 5.0.95, for redhat-linux-gnu (x86_64) using readline 5.1
I spotted something strange and immediately installed a routine to automatically impose an iptables block when the key used for database access is excessively long.
Indeed. There are several flaws in how mysql handles data. This is why to the best of my ability I am trying to avoid mysql, and use postgresql if whatever chunk of software I need is designed to work also with postgresql. And I recommend developers I work with/for the same (to use postgresql). These are good examples:
https://www.youtube.com/watch?v=1PoFIohBSM4
I know, this may inflame [***]SQL wars here, but I hope, this will help somewhat those who are not married to mysql (yet).
Just my $0.02
Valeri
My URL was something like this
...../...../.....php?key=123456
The injection was something like this
...../...../.....php?key=876711111111111111111111111111' UNION SELECT 13,CONCAT([X],count(*),[X],13,13,13,13,13,13 FROM information_schema.TABLES WHERE `TABLE_NAME` LIKE "%wp_users%" -- /* order by 'as
There are no user permissions on information_schema.
There seem to be 2 versions of the coding floating around on Austrian and Russian IPs. One is ineffective but the other works. It seems the author is an expert in the intricate structure and design of SQL.
-- Regards,
Paul. England, EU. England's place is in the European Union.
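For readers following the thread, here is an added example (not code from either poster) of the two defensive measures the discussion implies: a parameterised query, which makes the quote-and-UNION probe above harmless, and the input check on the key parameter that Paul's iptables rule relies on. It uses sqlite3 as an offline stand-in for MySQL, with sqlite_master playing the part of information_schema.TABLES; the table and column names, the constructed probe string, and the assumption that a legitimate key is a short decimal number of at most 12 characters are all mine, not taken from the thread.

```python
import re
import sqlite3

# Assumption (constructed, not from the thread): a legitimate key looks like
# the 123456 in the post's URL, i.e. a short decimal number.
MAX_KEY_LEN = 12
KEY_RE = re.compile(rf"\d{{1,{MAX_KEY_LEN}}}")


def make_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the database behind the .php page."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE items (id INTEGER, access_key TEXT, title TEXT);
        INSERT INTO items VALUES (1, '123456', 'public item');
        CREATE TABLE wp_users (id INTEGER, user_login TEXT);
        INSERT INTO wp_users VALUES (1, 'admin');
        """
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, key: str) -> list:
    """The bug pattern: the key is concatenated into the SQL text, so a quote
    inside it terminates the literal and the rest becomes SQL."""
    sql = "SELECT id, access_key, title FROM items WHERE access_key = '" + key + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, key: str) -> list:
    """Parameterised query: the driver passes the key as one string value,
    so quotes, UNION and comment markers inside it are never parsed as SQL."""
    sql = "SELECT id, access_key, title FROM items WHERE access_key = ?"
    return conn.execute(sql, (key,)).fetchall()


def reject_reason(key: str):
    """Validation in front of the query. Returns None when the key is acceptable,
    otherwise a short reason suitable for the request log that a firewall
    block rule (like the one described in the thread) can be driven from."""
    if len(key) > MAX_KEY_LEN:
        return f"key too long ({len(key)} chars)"
    if not KEY_RE.fullmatch(key):
        return "key is not a short decimal number"
    return None


# Constructed probe in the same shape as the one quoted in the post: it closes
# the string literal and appends a UNION that asks whether a wp_users table
# exists (sqlite_master stands in for information_schema.TABLES).
PROBE = ("876711111111111111111111111111' UNION SELECT 13,COUNT(*),13 "
         "FROM sqlite_master WHERE name LIKE '%wp_users%' -- ")


def demo() -> dict:
    """Run both lookups and the validator against a good key and the probe."""
    conn = make_db()
    return {
        "vulnerable_probe": lookup_vulnerable(conn, PROBE),  # leaks the count
        "safe_probe": lookup_safe(conn, PROBE),              # nothing matches
        "safe_good": lookup_safe(conn, "123456"),
        "reject_good": reject_reason("123456"),
        "reject_probe": reject_reason(PROBE),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The concatenated version answers the probe with a row it was never meant to return, while the parameterised version returns an empty result for the same input; the length check in front of it is the cheap first line that also produces a clean signal for blocking.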
CentOS mailing list CentOS@centos.org https://lists.centos.org/mailman/listinfo/centos
++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++