Network Security: Detailed info on SQL injection problem

Subject:	SQL injection problem
Date:	Thu, 13 Dec 2007 13:58:36 +0200

Hi, I'am new in using Nessus for testing my php+MySql(on Apache web
server,Montavista Linux platform) web pages.
It detects the folowing security hole in my page:

blabla.php?-=&site=TIM34A&sm= or 1=1-

blabla.php?-=&site=TIM34A&sm=&#39
+OR+&#39
a&#39
<&#39
b

blabla.php?-=&site=TIM34A&sm=&#39
)+OR+(&#39
a&#39
<&#39
b

blabla.php?-=&site=TIM34A&sm=&#39
)+OR+(&#39
a&#39
<&#39
b&#39
)/*
blabla.php?-=&site=TIM34A&sm=#

My source code looked like:

if (isset($_REQUEST['cat']))
  $cat=$_REQUEST['cat'];
else
  if (isset($_REQUEST['sm']))
       $sm=$_REQUEST['sm'];
 else
       $cat="all";

$site=$_REQUEST['site'];

@ $bd = mysql_pconnect( "localhost", "root", "");
  if( !$bd )
    die("Connexion impossible");
 mysql_select_db ( "database" );
if (strlen($sm)!=0)
{
  $sql = "SELECT * FROM database_table WHERE obj_val LIKE
'".strtoupper($sm)."'  AND status=0 ORDER BY instance ASC ";
    }
else
  switch($cat)
  {
   case 'im': case 'id':case 'si':
      $sql = "SELECT * FROM database_table WHERE cat LIKE
'".strtoupper($cat)."' AND status=0 ORDER BY instance ASC";
      break;
   case 'all':
      $sql = "SELECT * FROM database_table ORDER BY instance ASC";
      break;
   case 'nack':
      $sql = "SELECT * FROM database_table WHERE status LIKE 0 ORDER
BY instance ASC";
      break;
   case 'ack':
      $sql = "SELECT * FROM database_table WHERE status LIKE 1 ORDER
BY instance ASC";
      break;
   default:
      break;
   }
   $res = mysql_query ($sql);
   $all = mysql_num_rows($res);
  mysql_close($bd);


After Nessus found the security hole, I modified my source code but it
still give me the same security hole. Now the code looks like :

if (isset($_REQUEST['cat']))
  $cat=$_REQUEST['cat'];
else
  if (isset($_REQUEST['sm']))
   $sm=$_REQUEST['sm'];
  else
   $cat="all";

$site=$_REQUEST['site'];

  @ $bd = mysql_pconnect( "localhost", "root", "");
  if( !$bd )
    die("Connexion  impossible");
  mysql_select_db ( "database" );
if (strlen($sm)!=0)
{
    $sm=strtoupper($sm);
    //protection against SQL injection
    if (isset($_POST['sm']))
    {
        if(get_magic_quotes_gpc()) {
            $sm        = stripslashes($_POST['sm']);
        } else {
            $sm        = $_POST['sm'];
        }
    }
  $sql = sprintf("SELECT * FROM database_table WHERE obj_val LIKE '%s'
 AND status=0 ORDER BY instance ASC ",
                    mysql_real_escape_string($sm));
}
else
  switch($cat)
  {
   case 'im': case 'id':case 'si':
        $cat=strtoupper($cat);
        if (get_magic_quotes_gpc()) {
        $cat = stripslashes($cat);
      }
      $sql = "SELECT * FROM database_table WHERE cat LIKE
'".mysql_real_escape_string($cat)."' AND status=0 ORDER BY instance
ASC";
      break;
   case 'all':
      $sql = "SELECT * FROM database_table ORDER BY instance ASC";
      break;
   case 'nack':
      $sql = "SELECT * FROM database_table WHERE status LIKE 0 ORDER
BY instance ASC";
      break;
   case 'ack':
      $sql = "SELECT * FROM database_table WHERE status LIKE 1 ORDER
BY instance ASC";
      break;
   default:
      break;
   }
   $res = mysql_query ($sql);
   $all = mysql_num_rows($res);
   mysql_close($bd);

What must I do now to get out of this" hole"?

Thanks,
Simona
_______________________________________________
Nessus mailing list
Nessus@list.nessus.org
http://mail.nessus.org/mailman/listinfo/nessus

<Prev in Thread]	Current Thread	[Next in Thread>
SQL injection problem, simona _ <= Re: SQL injection problem, Richard Moore

Previous by Date:	Re: Web Front for Nessus, Roch
Next by Date:	Re: SQL injection problem, Richard Moore
Previous by Thread:	nessusd floating pt exception: new bootstrap.nbin (200712121135) doesn't help, Dan Sullivan
Next by Thread:	Re: SQL injection problem, Richard Moore
Indexes:	[Date] [Thread] [Top] [All Lists]