Top 3 Ways To Protect Website By Common Web Attacks

Hey, this is Toxic Boys Team. This is a security article on how we can protect our website from common web attacks.

In this post I describe five common types of web attack, which are behind most defacements and database dumps. The five exploits are SQL injection, XSS, RCE, RFI and LFI. Most of the time we miss some check in the website code, so the website gets attacked and the hacker is able to hijack the vulnerable site.

1. SQL Injection

Types ->

Login Form Bypassing

UNION SQL Injection

2. Cross Site Scripting ( XSS )

Types -> Cross Site Request Forgery

3. File Inclusion

Types -> Remote File Inclusion and Remote Code Execution

1. SQL Injection

>> Login Form Bypassing

Here is an example of the vulnerable code that we can bypass very easily:

index.html file:

<form action="login.php" method="POST">
<p>Password: <input type="text" name="pass" /><br />
<input type="submit" value="Authenticate" /></p>
</form>

login.php file:

<?php
// EXAMPLE CODE: deliberately vulnerable. The submitted password is pasted
// straight into the SQL text, so a quote inside it changes the query.
$execute = "SELECT * from database WHERE password = '{$_POST['pass']}'";
$result = mysql_query($execute);
?>

We can simply bypass this by using ' or '1=1', which makes the query execute "password = '' or '1=1'". Alternatively, the user can also delete the database by executing "' drop table database; --".

>> PREVENTION:

Use mysql_real_escape_string() in your PHP code.

Example:

<?php
// mysql_real_escape_string() needs an open MySQL connection; it escapes quotes
// and backslashes so the value stays inside the string literal.
$badword = "' OR 1 '";
$badword = mysql_real_escape_string($badword);
$message = "SELECT * from database WHERE password = '$badword'";
echo "Blocked " . $message;
?>

>> UNION SQL Injection

UNION SQL injection is when the user uses the UNION command. The user checks for the vulnerability by adding a tick (') to the end of a ".php?id=" parameter. If the page comes back with a MySQL error, the site is most likely vulnerable to UNION SQL injection. They then use ORDER BY to find the number of columns, and at the end they use the UNION ALL SELECT command. An example is shown below.

http://www.site.com/website.php?id=1'

You have an error in your SQL syntax near '' at line 1 SELECT SUM(quantity) as type FROM orders where (status='completed' OR status='confirmed' OR status='pending') AND user_id=1'

http://www.site.com/website.php?id=1 ORDER BY 1--

No error.

http://www.site.com/website.php?id=1 ORDER BY 2--

Two columns, and it comes back with an error! This means that there is one column.

http://www.site.com/website.php?id=-1 UNION SELECT ALL version()--

Selects all the columns and executes the version() function on the only column.

SOLUTION:

Add something like below to prevent UNION SQL injection.

// eregi_replace() was removed in PHP 7; preg_replace() with the /i flag does the
// same case-insensitive removal. The "/*" entry has to be escaped in the pattern.
$evil = '/(delete)|(update)|(union)|(insert)|(drop)|(http)|(--)|(\/\*)|(select)/i';
$patch = preg_replace($evil, "", $_GET['id']);
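The two fixes above (escaping the password, and stripping SQL keywords from the id) each leave a gap: mysql_real_escape_string() needs an open connection and the mysql_* and ereg functions are gone from PHP 7, and a keyword blacklist is easy to slip past. The standard fix for both the login form and the ".php?id=" lookup is a prepared statement, where the value is sent separately and never becomes part of the SQL text. The following is an added example, not code from the original post; it uses an in-memory SQLite table constructed here so that it runs stand-alone, and the users table, its columns and the sample user are assumptions.

```php
<?php
// Added example (not the post's code): the post's two lookups, a password
// check and an id lookup, done with PDO prepared statements. The in-memory
// SQLite table is constructed here so the script runs stand-alone.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, pass_hash TEXT)");
$ins = $db->prepare("INSERT INTO users (name, pass_hash) VALUES (?, ?)");
$ins->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);

// Login: the password never enters the SQL text. Only the row for the named
// user is fetched, and the hash is verified in PHP, so no quoting trick can
// turn the WHERE clause into "... OR '1=1'".
function login(PDO $db, string $name, string $pass): bool {
    $stmt = $db->prepare("SELECT pass_hash FROM users WHERE name = ?");
    $stmt->execute([$name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row !== false && password_verify($pass, $row['pass_hash']);
}

// Lookup by id: the value must be a plain integer and is bound as one, so a
// value such as "1 UNION SELECT ..." is rejected before it reaches the database.
function userById(PDO $db, string $rawId): ?array {
    if (!ctype_digit($rawId)) {
        return null;                       // not a positive integer
    }
    $stmt = $db->prepare("SELECT id, name FROM users WHERE id = :id");
    $stmt->bindValue(':id', (int)$rawId, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed inputs: a real login, the post's bypass string used as a
// password (it is compared as a literal and fails), a normal id, and the
// post's UNION string as an id (rejected by the integer check).
var_dump(login($db, 'alice', 'correct horse'));
var_dump(login($db, 'alice', "' or '1=1"));
var_dump(userById($db, '1'));
var_dump(userById($db, "-1 UNION SELECT ALL version()--"));
```

With prepared statements the keyword filter from the post is no longer needed, and legitimate input containing words like "update" or "select" is no longer mangled. The password hashing is a second change worth making at the same time: the post's query compares plaintext passwords, so a dumped table exposes them directly.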

2. Cross Site Scripting

Cross site scripting is a type of vulnerability used by hackers to inject code into vulnerable web pages. If the site is vulnerable to cross site scripting, attackers will most likely try to inject malicious JavaScript into the site, or try to scam users by creating a form where users have to type in their information.

There are two types of XSS (cross site scripting): persistent XSS and non-persistent XSS.

Example:

http://www.site.com/search.php?q=">

SOLUTION

// Strips the listed characters from the input (the original alternation,
// rewritten as one character class; the space and the hyphen are included).
function RemoveBad(strTemp) {
    strTemp = strTemp.replace(/[<>"'%;()& -]/g, "");
    return strTemp;
}
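RemoveBad() runs in the browser, so an attacker simply sends the request without it, and stripping characters also damages legitimate searches (a hyphenated word loses its hyphen). The server-side fix for the search.php example is to encode the value for the context it is printed into: HTML entities for page text and attribute values, URL encoding for a link. The following is an added example, not code from the original post; the search page markup and the sample search strings are constructed for the illustration.

```php
<?php
// Added example (not the post's code): reflecting the "?q=" search term back
// into the page with output encoding instead of character stripping.

// Page-text and attribute context: htmlspecialchars() turns < > & " ' into
// entities; ENT_QUOTES covers both quote styles, so the value is also safe
// inside a quoted attribute and cannot close it with "> as in the post's URL.
function renderSearch(string $q): string {
    $safe = htmlspecialchars($q, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<p>Results for: ' . $safe . '</p>' . "\n"
         . '<input type="text" name="q" value="' . $safe . '">';
}

// URL context needs a different encoder: rawurlencode() for the query value,
// then HTML encoding of the whole href because it sits in an attribute.
function searchLink(string $q): string {
    $href = '/search.php?q=' . rawurlencode($q);
    return '<a href="' . htmlspecialchars($href, ENT_QUOTES, 'UTF-8') . '">search again</a>';
}

// Constructed sample inputs: a normal search, a value that tries to close the
// attribute and start a script tag, and a single-quote variant.
$samples = [
    'well-known query',
    '"><script>alert(1)</script>',
    "' onmouseover='alert(1)",
];
foreach ($samples as $q) {
    echo renderSearch($q), "\n", searchLink($q), "\n\n";
}
```

Encoding at output keeps the original text intact (the hyphen in "well-known" survives) while the browser shows the injected markup as text rather than executing it. Any template or framework that escapes by default does the same job; the important point is that every place user input is printed uses the encoder for that context.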

3. File Inclusion

Types: Remote File Inclusion/Local File Inclusion, and Remote Code Execution

Remote File Inclusion allows a hacker to include a remote file through a script (usually PHP). This bug is patched on most websites, but some websites are still vulnerable to it. RFI usually leads to remote code execution or JavaScript execution.

Example of the vulnerable code:

<?php
// Vulnerable: the page parameter is used directly as the include path.
include($_GET['page']);
?>

Exploiting would be something like as follows:

http://www.site.com/page.php?page=../../../../../etc/passwd

or

http://www.site.com/page.php?page=http://www.site.com/xyz.txt?

SOLUTION:

Validate the input.

<?php
$page = $_GET['page'];
// Only these file names may be included; anything else is refused.
$allowed = array('index.php', 'games.php', 'ip.php');
$iplogger = 'ip.php';

if (in_array($page, $allowed, true)) {
    include $page;
} else {
    include $iplogger;
    die("IP logged.");
}
?>

For remote code execution, the site would have to have a PHP script that executes a command. You would patch this in about the same way.
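The allowlist above still passes the user's string to include once it matches, so a typo in the list (or a later edit that adds a path with "../") reopens the hole. A stricter form of the same idea is a dispatcher: the user supplies only a short key, the file name is looked up from a map in code, and the resolved path is checked to lie inside the pages directory. The same pattern patches the "PHP executing command" case the post mentions: the command text is fixed in code, chosen by key, and the one argument is validated and quoted. The following is an added example, not code from the original post; the page map, the pages directory, the ping tool and the sample inputs are assumptions, and it needs PHP 7.1 or later.

```php
<?php
// Added example (not the post's code): key-based dispatch for "?page=" and for
// a fixed command, so user input is never used as a path or as command text.

// Assumed map of page keys to scripts under the pages directory.
const PAGES = [
    'home'  => 'index.php',
    'games' => 'games.php',
    'ip'    => 'ip.php',
];

// Returns the file to include for a page key, or null when the key is unknown
// or the file resolves outside $baseDir (missing file or symlink): fail closed.
function resolvePage(string $key, string $baseDir): ?string {
    if (!array_key_exists($key, PAGES)) {
        return null;
    }
    $base = realpath($baseDir);
    $file = realpath($baseDir . DIRECTORY_SEPARATOR . PAGES[$key]);
    if ($base === false || $file === false) {
        return null;
    }
    if (strncmp($file, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $file;
}

// Assumed (hypothetical) tool table: the command text lives in code, the user
// only picks a key and supplies one hostname.
const TOOLS = [
    'ping' => 'ping -c 1',
];

// Builds the command line, or returns null for an unknown tool or an argument
// that is not a plain hostname. escapeshellarg() quotes the argument as a
// second layer, so shell metacharacters can never reach the shell unquoted.
function buildCommand(string $tool, string $arg): ?string {
    if (!array_key_exists($tool, TOOLS)) {
        return null;
    }
    if (!preg_match('/^[A-Za-z0-9.-]{1,253}$/', $arg)) {
        return null;
    }
    return TOOLS[$tool] . ' ' . escapeshellarg($arg);
}

$pagesDir = __DIR__ . '/pages';   // assumed location of the page scripts

if (PHP_SAPI === 'cli') {
    // Stand-alone demonstration on constructed input: a traversal string is not
    // a key in the map, so it is refused before any path is built; the second
    // buildCommand() call is refused by the hostname pattern.
    var_dump(resolvePage('home', $pagesDir));
    var_dump(resolvePage('../../../../../etc/passwd', $pagesDir));
    var_dump(buildCommand('ping', 'example.com'));
    var_dump(buildCommand('ping', 'example.com; id'));
} else {
    // Web dispatch: unknown keys get a 404 instead of an include.
    $file = resolvePage($_GET['page'] ?? 'home', $pagesDir);
    if ($file === null) {
        http_response_code(404);
        exit('Unknown page');
    }
    include $file;
}
```

With allow_url_include left at its default of Off, and allow_url_fopen disabled where the application does not need it, a remote "http://..." value has no effect even if a bug in the dispatcher lets one through; the dispatcher is the first line, the php.ini settings the second.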

Note: I hope this post will be helpful for securing your website against the above types of attacks.
