DB Exploitation Attempt



raebaca
02-24-2004, 11:50 AM
Over the last few days, I've received the following same SQL error from two separate and totally unrelated websites that I implemented OR on (one is real estate and one is not):


202.39.244.14 -- February 24, 2004, 4:23:42 am -- SELECT wpa_UserDB.emailAddress FROM wpa_listingsDB, wpa_UserDB WHERE ((wpa_listingsDB.ID = http://poerschke.seumala.net/cse.gif?) AND (wpa_UserDB.ID = wpa_listingsDB.user_ID))

Following the URL in the above error ( http://poerschke.seumala.net/cse.gif ) displays not a graphic file but a php script to exploit the database. Additionally, going to http://poerschke.seumala.net displays a Brazilian webpage that appears to have been defaced by someone named Poerschke.

I am wondering if anyone else has seen this exploit attempt or has any comments about this.

Anonymous
02-24-2004, 02:31 PM
I got this just yesterday. I would like to know what is going on too.

Is there a file or function we need to get rid of?

Someone please comment.

raebaca, when did you get this?

raebaca
02-24-2004, 04:45 PM
I've been getting these for the last few days. I was ignoring them because I thought that they were just an image that wasn't displaying correctly during a query, but then today I decided to follow the URL to see what it really was. I also am wondering if we need to tighten things up to avoid this.

greengiant
02-24-2004, 05:31 PM
This error is coming from the getListingEmail($listingID) function. I have been looking over the code for the last 30 min or so, and I don't see any way they are going to exploit a site, as we should never actually visit that page. It is my opinion that we are fine. I would like to ask that if any of the other developers see a problem with this, they let me know...

greengiant
02-24-2004, 05:51 PM
As another note, I don't even see how you are getting this error; this function in a stock O-R release isn't accessed by the listing page until after the listing is already checked to be active, which isn't possible given the improper listing ID.

I am going to guess there is a mod on your sites that is accessing that function, which is why we see the error. Even in that event I see no harm...

ltp
02-24-2004, 07:48 PM
Over the last few days, I've received the following same SQL error from two separate and totally unrelated websites that I implemented OR on (one is real estate and one is not):
.....
I am wondering if anyone else has seen this exploit attempt or has any comments about this.

what you can do is actually go into that function and add is_int() or is_numeric() to the check, else exit or die. This would fix any problem you are having within that function if a mod messed it up.
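As an added illustration (not Open-Realty's own code, which is not reproduced here): the query pattern from the logged error, first built the unchecked way that lets a URL land inside the WHERE clause, then with the numeric check ltp suggests plus a bound parameter. Table and column names follow the log line; `$conn` is assumed to be a mysqli connection, and the function names are hypothetical.

```php
<?php
// Hypothetical reconstruction of the unchecked pattern: $listingID is pasted
// straight into the SQL, so a non-numeric value such as
// "http://poerschke.seumala.net/cse.gif?" ends up inside the WHERE clause.
// The query then fails with the error seen in the thread, and a crafted value
// could change the statement's meaning instead of merely breaking it.
function getListingEmail_unchecked($conn, $listingID) {
    $sql = "SELECT wpa_UserDB.emailAddress FROM wpa_listingsDB, wpa_UserDB "
         . "WHERE ((wpa_listingsDB.ID = $listingID) "
         . "AND (wpa_UserDB.ID = wpa_listingsDB.user_ID))";
    return $conn->query($sql);
}

// Validation helper. ltp suggests is_int()/is_numeric(); note that request
// parameters arrive as strings, so is_int() is always false for them, and
// is_numeric() also accepts "12.5" and "1e3". A digits-only match is stricter
// and still accepts every legitimate listing ID.
function isValidListingID($listingID) {
    return preg_match('/^[1-9][0-9]*$/', (string)$listingID) === 1;
}

// Hardened version: reject bad input before it reaches SQL (logging it, since
// these are exactly the probes the thread is discussing), then bind the value
// as an integer so the database never interprets it as part of the statement.
function getListingEmail($conn, $listingID) {
    if (!isValidListingID($listingID)) {
        error_log("getListingEmail: rejected non-numeric listing ID: " . $listingID);
        return false;   // caller treats this as "no such listing"
    }
    $id = (int)$listingID;
    $stmt = $conn->prepare(
        "SELECT wpa_UserDB.emailAddress FROM wpa_listingsDB, wpa_UserDB "
      . "WHERE wpa_listingsDB.ID = ? AND wpa_UserDB.ID = wpa_listingsDB.user_ID");
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $stmt->bind_result($email);
    $found = $stmt->fetch();
    $stmt->close();
    return $found ? $email : false;
}

// The validator alone can be exercised without a database, using the value
// from the logged error and a normal ID:
var_dump(isValidListingID('http://poerschke.seumala.net/cse.gif?'));
var_dump(isValidListingID('1234'));
```

The unchecked variant is kept only to show what the log line corresponds to; a mod that calls the function should be pointed at the checked one.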

Anonymous
02-25-2004, 06:36 AM
::
::

202.39.244.14 -- February 24, 2004, 4:23:42 am -- SELECT wpa_UserDB.emailAddress FROM wpa_listingsDB, wpa_UserDB WHERE ((wpa_listingsDB.ID = http://poerschke.seumala.net/cse.gif?) AND (wpa_UserDB.ID = wpa_listingsDB.user_ID))
::
::


If all that's trying to be retrieved is the email address, it could simply be an email harvester trawling through the site ...