SQL Injections and Securing Clipshare Vulnerabilities
Tags: Clipshare, PHPNuke, SQL Injection, SQL Injection Vulnerability
Just last week I was informed that two Clipshare (YouTube clone) sites were hacked. The culprit was a SQL injection vulnerability in the code. This article will explain a creative way of securing your site without really fixing the underlying code.
What is a SQL Injection and how do you fix it?
It means the application built its SQL by pasting a request parameter straight into the query text, like this (PHP):
ExecuteSQL("SELECT salary FROM employees WHERE ID = {$_GET['id']}");
Here $_GET['id'] is the querystring parameter id, which is passed in as follows:
http://www.yoursite.com/index.php?id=5
However, because the data is not "sanitized" before it is sent to the SQL server, someone can instead load the URL:
http://www.yoursite.com/index.php?id=5 OR 1=1 (or, URL-encoded, http://www.yoursite.com/index.php?id=5%20OR%201=1)
which means the SQL statement that will actually be executed is
ExecuteSQL("SELECT salary FROM employees WHERE ID = 5 OR 1=1");
The database reads this as "return the salary of every employee whose ID is 5, or where 1=1", and since 1=1 is always true it returns the salary of every employee. Nothing in the statement tells the database where the number ends and the attacker's SQL begins.
Even worse can be done. When you are checking a login and password, for example: we had a live site that executed the following SQL and treated the user as authenticated if a record was returned:
string sql = "select * from users where login = '" + login + "' and password = '" + password + "'";
(C#)
You could enter the login as admin' -- and anything for the password. The single quote closes the string literal and the -- starts a comment, so the password check is commented out and the server receives:
select * from users where login = 'admin' --' and password = 'asidasdsad'
The -- tells the SQL server that the rest of the line is a comment and should be ignored, thus it only executes:
select * from users where login = 'admin'
(In MySQL the -- must be followed by a space to count as a comment; here the space that precedes the original closing quote supplies it.)
Now the ClipShare software is full of these vulnerabilities. To fix them (in PHP), you have to call mysql_real_escape_string() on your querystring and form post variables, and the escaped value must then sit inside quotes in the query. Escaping an unquoted value achieves nothing: 5 OR 1=1 contains no quote or backslash to escape, so it passes through unchanged. For numeric parameters, casting with (int) is simpler and safer.
So if we have
ExecuteSQL("SELECT salary FROM employees WHERE ID = {$_GET['id']}");
you can change this to:
ExecuteSQL("SELECT salary FROM employees WHERE ID = '" . mysql_real_escape_string($_GET['id']) . "'");
or, since the ID is a number, to:
ExecuteSQL("SELECT salary FROM employees WHERE ID = " . (int)$_GET['id']);
Note that mysql_real_escape_string() belongs to the old mysql extension, which was removed in PHP 7; on current PHP the equivalent is mysqli_real_escape_string(), and the better fix is a prepared statement (mysqli or PDO) with bound parameters, which keeps the data out of the SQL text altogether.
If you want to fix it properly, first check whether there is an upgrade that resolves these problems. If you have heavily modified the script, or you cannot upgrade, this might not be an option.
You can try to fix it yourself, but it looked like every single page was vulnerable.
How to fix your Clipshare software the easy way!
There is another solution. It is not 100% foolproof, but it is an easy way to protect the site without having to fix the entire bad codeset: change the actual database table name from 'adminusers', which everyone knows, to something like 'purpleadmins' (pick your own name; one that has been published in an article is no secret). It doesn't fix the underlying problem (the door is still wide open), but the wallet is hidden somewhere else in the house, so canned attacks that expect the stock table name fail. Be aware of the limits: MySQL 5.0 and later list every table name in information_schema.tables, so an attacker who can inject a UNION SELECT can look the new name up, and the other tables (users, videos and so on) are still exposed under their original names. Treat this as a stopgap while you fix the code, not as the fix.
It's been about a year and this method has worked extremely well: my vulnerable PHP Nuke installation (version 7.1) has not been hacked again yet! This also worked on two Clipshare installations.
Here is how you can do it.
First you have to execute some SQL to change the table name.
1) Rename the table (MySQL):
ALTER TABLE oldAdminTableName RENAME TO newAdminTableName;
2) Then you have to execute a search and replace on the actual PHP code, so that every query which referenced the old name now uses the new one.
This will only work if you have the full source code (some applications, such as whois.cart, are encoded and you cannot see the source). To replace in every PHP file under the current directory you can run the following Linux command. It keeps a .save backup of each file it touches, and the \b word boundaries stop it from also rewriting a longer name that happens to contain the old one:
find . -name '*.php' -type f -exec perl -pi.save -e 's/\boldAdminTableName\b/newAdminTableName/g' {} +
3) To verify that it actually worked, search the PHP files for any remaining reference to the old name (Linux again). This should print nothing; if it lists files, the name is referenced in a way the pattern missed (for example with a table prefix, or assembled from pieces by string concatenation) and those places need editing by hand:
find . -name '*.php' -type f -exec grep -il 'oldAdminTableName' {} +
Once you are satisfied, delete the .save backups: they still contain the old name, and a web server will happily serve a .php.save file as plain text, exposing your source.
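The injection mechanics explained above (the OR 1=1 trick and the comment-based login bypass), the parameterised fix, and the limits of the table rename, as one added, runnable demonstration. This is not code from the original post or from ClipShare: it uses Python's built-in sqlite3 module as a stand-in for MySQL (SQLite keeps its catalogue in sqlite_master where MySQL uses information_schema.tables), and the tables, columns and rows are constructed for the example rather than taken from ClipShare's schema.

```python
import sqlite3


def make_db():
    # Constructed in-memory schema for the demo; the names are assumptions,
    # not ClipShare's real tables.
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE employees (id INTEGER PRIMARY KEY, name TEXT, salary INTEGER);
        INSERT INTO employees VALUES (5, 'alice', 50000), (6, 'bob', 42000);
        CREATE TABLE adminusers (login TEXT, password TEXT);
        INSERT INTO adminusers VALUES ('admin', 's3cret');
    """)
    return con


def salary_vulnerable(con, raw_id):
    # Same shape as ExecuteSQL("... WHERE ID = $_GET['id']"): the request
    # parameter is pasted into the statement, so "5 OR 1=1" becomes part of
    # the WHERE clause instead of a value.
    sql = f"SELECT salary FROM employees WHERE id = {raw_id}"
    return [row[0] for row in con.execute(sql)]


def salary_safe(con, raw_id):
    # An id is a number or it is garbage: cast first, then bind with a
    # placeholder so the driver sends the value separately from the SQL text.
    try:
        wanted = int(raw_id)
    except ValueError:
        return None  # reject the request (an HTTP 400 in a real application)
    rows = con.execute("SELECT salary FROM employees WHERE id = ?", (wanted,))
    return [row[0] for row in rows]


def login_vulnerable(con, table, login, password):
    # The C# login check from the article, quotes included. A login of
    # "admin' --" closes the string and comments out the password test.
    sql = (f"SELECT * FROM {table} WHERE login = '{login}' "
           f"AND password = '{password}'")
    return con.execute(sql).fetchone() is not None


def login_safe(con, table, login, password):
    # Parameterised query: quotes and "--" inside the inputs stay data.
    # The table name is a constant from code, never from the request.
    sql = f"SELECT * FROM {table} WHERE login = ? AND password = ?"
    return con.execute(sql, (login, password)).fetchone() is not None


def rename_admin_table(con, old, new):
    # The article's mitigation. ALTER TABLE ... RENAME TO is valid MySQL too.
    con.execute(f"ALTER TABLE {old} RENAME TO {new}")


def enumerate_tables(con):
    # The attacker's answer to the rename: a UNION injected through the
    # unescaped id parameter reads the catalogue, new name and all.
    payload = "0 UNION SELECT name FROM sqlite_master WHERE type = 'table'"
    return sorted(salary_vulnerable(con, payload))


def demo():
    con = make_db()
    out = {}
    out["or_1eq1"] = salary_vulnerable(con, "5 OR 1=1")          # every salary
    out["cast_rejects"] = salary_safe(con, "5 OR 1=1")            # None
    out["comment_bypass"] = login_vulnerable(con, "adminusers", "admin' --", "x")
    out["bound_bypass"] = login_safe(con, "adminusers", "admin' --", "x")
    rename_admin_table(con, "adminusers", "purpleadmins")
    out["tables_after_rename"] = enumerate_tables(con)            # new name leaks
    out["bypass_after_rename"] = login_vulnerable(con, "purpleadmins", "admin' --", "x")
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run it and compare the pairs: the unescaped id parameter returns both salaries where the cast-and-bind version refuses the input, the string-built login accepts admin' -- with any password where the bound version does not, and after the rename the same unescaped parameter lists the new table name and the bypass still works against it. The rename buys you nothing against an attacker who enumerates the catalogue; the bound parameters close the hole.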
References:
Greg Hinkel’s UNIX Tip of the Week
6 Responses to SQL Injections and Securing Clipshare Vulnerabilities
How to use the LIKE keyword with the % sign in a SQL query for preventing SQL injection?
good
Renaming the table/db/field is not going to hide the info; there are meta tables, which cannot be renamed, that can be queried for the names.
Also, I think that the best way to make scripts immune is to use parameterized queries, those where the database engine binds the input after compiling the query.
That is so true... but the point of this article was to have a quick and dirty way to protect the site; anyway, it will stop most kiddy hackers.
Sameer
Hi,
I have a SQL injection bug. When I give the user name and password as
' or 1=1--
I am able to log in successfully. Please give me the solution to fix the bug.
Regards,
Prasad.
henke37, what does your thing mean? Can you say that in plain English?