C5 MySQL Injection Attack (“Union Select”)

Home » CentOS » C5 MySQL Injection Attack (“Union Select”)
CentOS 28 Comments

mysql Ver 14.12 Distrib 5.0.95, for redhat-linux-gnu (x86_64) using readline 5.1

I spotted something strange and immediately installed a routine to automatically impose an iptables block when the key used for database access is excessively long.

My URL was something like this

…../…../…..php?key3456

The injection was something like this

…../…../…..php?key

28 thoughts on - C5 MySQL Injection Attack (“Union Select”)

  • Am 24.03.2016 um 04:21 schrieb Always Learning :

    Current version on C5 is mysql55, 5.0 does not get any updates anymore!

  • Always use parameterized statements (aka prepared statements) for SQL
    that involves untrusted input.

    I like to use them even for input that involves trusted input because it is easy to make a change in my code and not think about how it impacts the parameters.

    -=-

    This is an attack on WordPress ??? Or just trying to get WordPress database from a different app?

    Be careful with WordPress – it’s database handler doesn’t actually use parameterized statements, it emulates them with printf – one (of many)
    reasons I do not like the product.

    If it is not an attack on WordPress directly – your WordPress database should be using a different uname/pass from anything else, so actual queries for data should fail.

  • This is obviously an application level problem. What is this php file?
    You should upgrade wordpress and remove or block access to the plugin or custom page which allows sql injections.

  • This is a rather controversial statement. There’s nothing wrong with using sprintf when building sql queries. Besides

    “Using a prepared statement is not always the most efficient way of executing a statement. A prepared statement executed only once causes more client-server round-trips than a non-prepared statement.”

  • The only time database has ever been a bottleneck for me is when I am not using something like apcu to cache query results. Use of prepared statements is slower for single queries never repeated but not the bottleneck in any application I’ve dealt with.

    WordPress lack of genuine prepared statements has however caused me issues when I would like to make a query that is used more than once with different parameters.

  • I write my own database applications (each has its own unique user-id and password and only essential permissions on tables) and do not use any packaged solution. Thus no WordPress or anything like it.

    The hacker tried many variants like this – which baffle me.

    ‘ UNION SELECT (-x1-Q-,-x2-Q-,-x3-Q-,-x4-Q-,-x5-Q-,-x6-Q-)

    ‘ UNION SELECT 1,CONCAT(ddd,[X],file_priv,[XX],3,4,5,6,7,8 FROM
    mysql.user limit 0,1 (I do not have mysql.user)

    ‘ UNION SELECT 13,CONCAT([X],count(*),[X],13,13,13,13,13,13 FROM
    information_schema.TABLES WHERE `TABLE_NAME` LIKE “%wp_users%” — /*
    order by ‘as

    LIKE “%user%”
    LIKE “%usr%”
    LIKE “%phpbb%”
    LIKE “»%”
    LIKE “­m%”
    LIKE “%member%”
    LIKE “%forum%”
    LIKE “%reg%”
    LIKE “%moder%”
    LIKE “%ftp%”
    LIKE “%jos%”
    LIKE “¬ces%”
    LIKE “%wso%”

    anymore!

    Thank you. That server is the last production server on C5. I need to shift it to C6 and Maria 10.

    I am ‘always learning’ security is a perpetual task. Thankfully I always read the daily logs and reports (an arduous task).

    Many thanks.

    Paul. England, EU. England’s place is in the European Union amid our European brothers and sisters and even our betters.

  • Indeed. There are several flaws in how mysql handles data. This is why to the best of my ability I am trying to avoid mysql, and use PostgreSQL if whatever chunk of software I need is designed to work also with PostgreSQL. And I recommend developers I work with/for the same (to use PostgreSQL). These are good examples:

    https://www.youtube.com/watch?v=1PoFIohBSM4

    I know, this may inflame [***]SQL wars here, but I hope, this will help somewhat those who are not married to mysql (yet).

    Just my $0.02

    Valeri

    ++++++++++++++++++++++++++++++++++++++++
    Valeri Galtsev Sr System Administrator Department of Astronomy and Astrophysics Kavli Institute for Cosmological Physics University of Chicago Phone: 773-702-4247
    ++++++++++++++++++++++++++++++++++++++++

  • Valeri Galtsev wrote:
    >

    Ok, do you have a link or two to info about that?

    We seem to be moving to PostgreSQL. I find I do not like it – it’s much more of a pain to work with than mysql is. Do you have any opinions about meria d/b? Are there improvements over the flaws you’re aware of with mysql?

    mark

  • Yes, my mistake. I should have imposed strict controls on the length of parameters passed to programmes via web pages $_GET[] such as:-

    UNION SELECT
    CHAR(45,120,49,45,81,45),CHAR(45,120,50,45,81,45),CHAR(45,120,51,45,81,45),CHAR(45,120,52,45,81,45),CHAR(45,120,53,45,81,45),CHAR(45,120,54,45,81,45),CHAR(45,120,55,45,81,45),CHAR(45,120,56,45,81,45),CHAR(45,120,57,45,81,45),CHAR(45,120,49,48,45,81,45),CHAR(45,120,49,49,45,81,45),CHAR(45,120,49,50,45,81,45),CHAR(45,120,49,51,45,81,45),CHAR(45,120,49,52,45,81,45),CHAR(45,120,49,53,45,81,45),CHAR(45,120,49,54,45,81,45),CHAR(45,120,49,55,45,81,45),CHAR(45,120,49,56,45,81,45),CHAR(45,120,49,57,45,81,45),CHAR(45,120,50,48,45,81,45),CHAR(45,120,50,49,45,81,45),CHAR(45,120,50,50,45,81,45),CHAR(45,120,50,51,45,81,45) — /*

    and reject any incoming string containing ‘ or ” in addition to PHP’s strip_tags and (deprecated in later versions)
    mysql_real_escape_string($_GET[‘….’],$link);

    I do not use WordPress or anything like it.


    Regards,

    Paul. England, EU. England’s place is in the European Union.

  • *snip*

    I would shift to CentOS 7.

    Always deploy the latest version of CentOS unless you know something you have absolutely will not work in it.

    That’s my philosophy.

    That doesn’t mean I upgrade as soon as a new version comes out, though I
    frequently do simply because there are advantages with the new versions of software.

  • With the, among others, systemd controversy I dread moving to C7. C6
    works well and having just one version of an operating system simplifies everything. I also lack sufficient time to exploring and learning the C7
    differences and changes of operational logic.

    C6 is, from my perspective, very similar to C5. C7 is not.

  • Mark, you seemed to snip away the link to presentation on youtube :

    https://www.youtube.com/watch?v=1PoFIohBSM4

    which I gave in my post. That even though a bit old, was instructive for me.

    Great!

    Mariadb being a fork of mysql likely inherited mysql’s “inconsistencies”. Not that I would say mysql (and mariadb surely) folks are not working on improvements. E.g., the default installation of latest mysql does not have any accounts with empty password (I was weeding these away for years with every new installation of mysql. Oh, well, maybe I’m wrong, as this I just had seen fixed on FreeBSD, so it is possible that package maintainer did this nice cleaning). I’m not the one who can have any opinion on something
    (mariadb) which he doesn’t use, still…

    Valeri

    ++++++++++++++++++++++++++++++++++++++++
    Valeri Galtsev Sr System Administrator Department of Astronomy and Astrophysics Kavli Institute for Cosmological Physics University of Chicago Phone: 773-702-4247
    ++++++++++++++++++++++++++++++++++++++++

  • Valeri Galtsev wrote:
    Oh. I really dislike videos of people explaining something I could read, if they’d just typed it up…. (I mean the author, not you). But I suppose I’ll watch it.

    Well, remember that it was forked after the Evil Empire took over mysql. I
    just wonder if Oracle is *not* fixing some security issues… because they obviously want you to “fix” that problem by simply buying Oracle. With that train of thought, that’s why I’m wondering if the mariad/b team *is*
    fixing the issues.

    mark

  • I’m with you there. It is getting worse because people are trying to monetize it with the ads that YouTube plays first.

    But you can’t scan it, easily move back when you need to, etc.

    I wish more online help and tutorials were text like they use to be.

  • –2MC4sPxumFtNsflX4x0ixNJoTCUPnXH10
    Content-Type: text/plain; charset=windows-1252
    Content-Transfer-Encoding: quoted-printable

    Let me reiterate this:

    the mysql-5.0.95* packages are not supported. A very long time ago, Red Hat upgraded mysql for el5 to an SCL. The current supported version is:

    mysql55-mysql-5.5.45-1.el5*

    I guarantee that the 5.0.95 packages have security issues. Here is how to move to the newer mysql55 packages:

    http://red.ht/1pAcb7q

    I can’t stress enough, mysql-5.0 on el5 is absolutely not updated security wise. The last update to it happened on 22-Jan-2013 and was in CentOS-5.9 .. we are now in 5.11 and there have been upgrades to mysql55
    since then to fix security issues.

    Here is more info on this MySQL 5.0 to 5.5 upgrade, that was required starting in CentOS 5.10.

    http://red.ht/1o8VkHN

    http://red.ht/1UK30hR

    http://red.ht/1q48NT5

    Thanks, Johnny Hughes

    –2MC4sPxumFtNsflX4x0ixNJoTCUPnXH10

  • I agree with you both, gentlemen. But I gave the link I had handy. It is kind of laziness on my part, I admit: I decided to not invest into search of convenient equivalent, and gave something I already had reference to, letting those who are interested find out either from this video or find better – readable – source. If someone finds better source, I would appreciate it. As my users will benefit if I refer them to better digestible presentation. Thanks in advance!

    Valeri

    ++++++++++++++++++++++++++++++++++++++++
    Valeri Galtsev Sr System Administrator Department of Astronomy and Astrophysics Kavli Institute for Cosmological Physics University of Chicago Phone: 773-702-4247
    ++++++++++++++++++++++++++++++++++++++++

  • –daBAEmLKP4PKHhSutEvun78pf1s0r0caq Content-Type: text/plain; charset=windows-1252
    Content-Transfer-Encoding: quoted-printable

    This shoule not be news to anyone .. it was in the CentOS-5.10 release notes:

    https://wiki.CentOS.org/Manuals/ReleaseNotes/CentOS5.10

    (first two bullets in ‘New Features’ section)

    There were also discussions on this list:

    https://lists.CentOS.org/pipermail/CentOS/2013-October/137939.html

    Thanks, Johnny Hughes

    –daBAEmLKP4PKHhSutEvun78pf1s0r0caq

  • I was going to add the following, and I didn’t. This actually is not about mysql or mariadb vs PostgreSQL, but more about one’s general approach to what you will choose. Way back when there were continuing security issues with sendmail (which were being promptly fixed, still…) I was looking for what I could use as mail server software. And I chose postfix, as it was architectured from the very beginning with security in mind. There probably will be no often need of fixing issues, as from the very beginning the code was created so to have as minimal number of potential issues as possible. I don’t invite into jumping in discussion about variety of particular MTA etc. I was just trying to say in general:
    something better written from the very beginning vs something that needs many fixes. The last, BTW, will more likely make you suffering down the road because of the change of internals with upgrade to next version etc.

    I hope I managed to convey the thought…

    Valeri

    ++++++++++++++++++++++++++++++++++++++++
    Valeri Galtsev Sr System Administrator Department of Astronomy and Astrophysics Kavli Institute for Cosmological Physics University of Chicago Phone: 773-702-4247
    ++++++++++++++++++++++++++++++++++++++++

  • Just to be clear: you absolutely should upgrade to a currently maintained version of MySQL.

    However, upgrading will not protect you from SQL injection attacks. The probes you’re seeing aren’t targeting the SQL server. They’re targeting your php code.

  • I have never (not once) used non-prepared SQL statements, nor string concatenation, nor sprintf.

    mysql_real_escape_string() is useful for storing in tables words with apostrophes.

  • Agreed. Its going to be rainy in England this Easter weekend, so am contemplating upgrading the last production C5 to C6.

    Have already upgraded my PHP routine which blocks IP addresses when GET
    data exceeds its acceptable field size.

  • Valeri Galtsev wrote:


    Ok, now I *really* dislike videos. Since I’m not at home, and not putting the video on a 42″ TV, I *CANNOT* read most of what they’re typing, and the system responses not at all.

    However, if, just before the video goes from the lead page announcing
    “PostgreSQL” to the video of them typing, for about a 3 sec pause, you freeze the video, it says “this is from
    <http://sql-info.de/mysql/gotchas.html>

    Great, so here’s the text. And I start reading…. Excerpt:
    he MySQL database server is being continually improved. Some gotchas described here are no longer relevant for the latest versions; in these cases the version numbers affected are noted at the top of each section. As a rule gotchas have been tested against the most recent stable versions from the 3.23.x, 4.0.x and 4.1.x series.
    — end excerpt –

  • and I find mysql a real pain to work with.

    the biggest difference is, PostgreSQL is much stricter about data types. it will not, for example, allow you to store 2015-02-30 as a date. also, postgres is very strict about the atomicity of transactions, its all or nothing.

  • John,

    John R Pierce wrote:

    And I have serious issues trying to figure out the structure of, say, the barios d/b. But I did NOT ask for a comparison to PostgreSQL, or care to have any kind of argument about it at all. I was asking about mariadb vs. mysql.

    Oh, and the link I posted, to MySQL gotchas, that was last updated in ’14?
    I tried emailing them, at the link they gave, and my email bounced.

    mark
    mark