[CentOS] C5 MySQL injection attack ("Union Select")

Always Learning centos at u64.u22.net
Thu Mar 24 14:57:38 UTC 2016


On Thu, 2016-03-24 at 14:27 +0300, Александр Кириллов wrote:

> This is obviously an application level problem. What is this php file?
> You should upgrade wordpress and remove or block access to the plugin or 
> custom page which allows sql injections.

Yes, my mistake. I should have imposed strict controls on the length of
parameters passed to programmes via web pages $_GET[] such as:-

 UNION SELECT
CHAR(45,120,49,45,81,45),CHAR(45,120,50,45,81,45),CHAR(45,120,51,45,81,45),CHAR(45,120,52,45,81,45),CHAR(45,120,53,45,81,45),CHAR(45,120,54,45,81,45),CHAR(45,120,55,45,81,45),CHAR(45,120,56,45,81,45),CHAR(45,120,57,45,81,45),CHAR(45,120,49,48,45,81,45),CHAR(45,120,49,49,45,81,45),CHAR(45,120,49,50,45,81,45),CHAR(45,120,49,51,45,81,45),CHAR(45,120,49,52,45,81,45),CHAR(45,120,49,53,45,81,45),CHAR(45,120,49,54,45,81,45),CHAR(45,120,49,55,45,81,45),CHAR(45,120,49,56,45,81,45),CHAR(45,120,49,57,45,81,45),CHAR(45,120,50,48,45,81,45),CHAR(45,120,50,49,45,81,45),CHAR(45,120,50,50,45,81,45),CHAR(45,120,50,51,45,81,45) --  /*

and reject any incoming string containing ' or " in addition to PHP's
strip_tags and (deprecated in later versions)
mysql_real_escape_string($_GET['....'],$link);

I do not use WordPress or anything like it.



-- 
Regards,

Paul.
England, EU.      England's place is in the European Union.

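An added example, not part of Paul's message or the thread: the injection-prone pattern next to the form that blocks it in PHP. Note that the payload quoted above uses CHAR() and contains no ' or " characters, so a quote filter alone would not stop it; the fix is to validate the parameter's type and length and then bind it, so the server never parses it as SQL. The table `posts`, its `id` column and the DSN/credentials are assumptions for illustration.

```php
<?php
// Assumed schema: table `posts` with an integer primary key `id`.
// DSN, user and password are placeholders for the example.
function connect(): PDO
{
    $pdo = new PDO('mysql:host=localhost;dbname=site;charset=utf8mb4', 'dbuser', 'dbpass');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Use real server-side prepares so bound values can never become SQL text.
    $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
    return $pdo;
}

// BEFORE: the request parameter is concatenated straight into the query,
// so "1 UNION SELECT CHAR(...),..." is executed as written.
function fetch_post_vulnerable(PDO $pdo, array $get): ?array
{
    $sql = 'SELECT id, title, body FROM posts WHERE id = ' . ($get['id'] ?? '');
    $row = $pdo->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// AFTER: cap the length, require a positive integer, then bind the value.
function fetch_post_safe(PDO $pdo, array $get): ?array
{
    $raw = $get['id'] ?? '';
    if (!is_string($raw) || strlen($raw) > 10) {
        return null;                       // oversized input is rejected outright
    }
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;                       // anything but digits fails here
    }
    $stmt = $pdo->prepare('SELECT id, title, body FROM posts WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Usage from a page handler:
// $post = fetch_post_safe(connect(), $_GET);
// if ($post === null) { http_response_code(404); exit; }
```

Log the rejected values from fetch_post_safe (with the client address) rather than discarding them silently; repeated UNION SELECT or CHAR( strings in that log are the earliest sign of the scanning seen in this thread.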