vBulletin Mods

The Official vBulletin Modifications Site
https://www.vbulletin.org/forum/showthread.php?t=326655

How do I test for SQL Injection
by Scalemotorcars
13 Aug 2018 15:47

I just got a DB error and searched the IP it came from, and it's been reported for SQL injection. Is there a way to test to see if they were successful?

Thanks.

Scalemotorcars 14 Aug 2018 18:42

Anyone have a clue?

snakes1100 15 Aug 2018 00:20

What DB error did you get?

Scalemotorcars 15 Aug 2018 02:19

I changed the DB table ID, but here you go. And thanks for looking at it.

Quote:

Invalid SQL:
SELECT node.nodeid AS itemid,
(node.nodeleft = 1) AS isroot, node.nodeid, node.contenttypeid, node.contentid, node.url, node.parentnode, node.styleid, node.userid,
node.layoutid, node.publishdate, node.setpublish, node.issection, parent.permissionsfrom as parentpermissions,
node.permissionsfrom, node.publicpreview, node.showtitle, node.showuser, node.showpreviewonly, node.showall,
node.showupdated, node.showviewcount, node.showpublishdate, node.settingsforboth, node.includechildren, node.editshowchildren,
node.shownav, node.hidden, node.nosearch, node.nodeleft,
info.description, info.title, info.html_title, info.viewcount, info.creationdate, info.workflowdate,
info.workflowstatus, info.workflowcheckedout, info.workflowlevelid, info.associatedthreadid,
user.username, sectionorder.displayorder, thread.replycount, parentinfo.title AS parenttitle

FROM A2Ctest_cms_node AS node
INNER JOIN A2Ctest_cms_nodeinfo AS info ON info.nodeid = node.nodeid

LEFT JOIN A2Ctest_user AS user ON user.userid = node.userid
LEFT JOIN A2Ctest_thread AS thread ON thread.threadid = info.associatedthreadid
LEFT JOIN A2Ctest_cms_sectionorder AS sectionorder ON sectionorder.sectionid = 1
AND sectionorder.nodeid = node.nodeid
LEFT JOIN A2Ctest_cms_node AS parent ON parent.nodeid = node.parentnode
LEFT JOIN A2Ctest_cms_nodeinfo AS parentinfo ON parentinfo.nodeid = parent.nodeid
INNER JOIN A2Ctest_cms_node AS rootnode
ON rootnode.nodeid = 1 AND (node.nodeleft >= rootnode.nodeleft AND node.nodeleft <= rootnode.noderight) AND node.nodeleft != rootnode.nodeleft AND node.contenttypeid <> 23 AND node.new != 1 AND ( (( (node.permissionsfrom IN (-1)) OR ( node.permissionsfrom in (1,2,5,11,45,117,118,119,120,121,122,123,124,125,126,127,128,129,130,131,132,133 ,134,135,136,148,149,164,165,205,242,243,273,336,337,338,375,377) AND (node.parentnode IN (1,133,134,136,375,242,205,45,117,336,337,338,377) OR node.nodeid = 1) AND
node.setpublish > 0 AND node.publishdate < 1534174163 ))) OR (node.setpublish AND node.publishdate <1534174163 AND node.publicpreview > 0))AND node.hidden = 0 AND ((node.setpublish = '1' AND node.publishdate <= 1534174163 ) OR node.userid = 0)

ORDER BY node.publishdate DESC LIMIT -16, 80;

snakes1100 15 Aug 2018 09:39

You can use these to scan for anything suspicious.


SELECT title, phpcode, hookname, product FROM plugin WHERE phpcode LIKE '%base64%' OR phpcode LIKE '%exec%' OR phpcode LIKE '%system%' OR phpcode LIKE '%passthru%' OR phpcode LIKE '%iframe%';


SELECT styleid, title, template FROM template WHERE template LIKE '%base64%' OR template LIKE '%exec%' OR template LIKE '%system%' OR template LIKE '%passthru%' OR template LIKE '%iframe%';


Did you locate anything in the apache/nginx etc. log related to that attempted post in the CMS for that time stamp?
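One way to do the log check being asked about here, added as an example (Python; this is not code from the thread or from vBulletin). The value 1534174163 in the failing query is a Unix timestamp, 2018-08-13 15:29:23 UTC, a few minutes before the thread was opened, so it pins down which request to look for in the Apache/nginx access log. The log lines below are constructed for the example, and the IP addresses are documentation-range placeholders, not the address reported in the thread.

```python
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import unquote

# Unix timestamp copied from the failing query ("node.publishdate < 1534174163");
# it is the time of the request that produced the error: 2018-08-13 15:29:23 UTC.
ERROR_UNIX_TS = 1534174163

# Constructed Apache "combined" access-log lines for this example. 203.0.113.5 and
# 198.51.100.7 are documentation-range placeholders, not the IP from the thread.
SAMPLE_LOG = """\
198.51.100.7 - - [13/Aug/2018:15:28:55 +0000] "GET /forum/index.php HTTP/1.1" 200 18233 "-" "Mozilla/5.0"
203.0.113.5 - - [13/Aug/2018:15:29:21 +0000] "GET /content.php?r=1 HTTP/1.1" 200 9120 "-" "python-requests/2.19.1"
203.0.113.5 - - [13/Aug/2018:15:29:23 +0000] "GET /content.php?r=1%27 HTTP/1.1" 500 1244 "-" "python-requests/2.19.1"
198.51.100.7 - - [13/Aug/2018:15:31:02 +0000] "GET /forum/showthread.php?t=1 HTTP/1.1" 200 22011 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+'
)


def parse_log(text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        entries.append({
            "ip": m.group("ip"),
            "time": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
            "request": m.group("req"),
            "status": int(m.group("status")),
        })
    return entries


def requests_near(entries, unix_ts, window_seconds=60):
    """Entries within +/- window_seconds of the Unix timestamp taken from the error."""
    centre = datetime.fromtimestamp(unix_ts, tz=timezone.utc)
    delta = timedelta(seconds=window_seconds)
    return [e for e in entries if centre - delta <= e["time"] <= centre + delta]


# Markers that have no business in a normal forum URL; a server error status in the
# window is counted as well, since a broken query shows up as an error page.
QUOTE_MARKERS = ("'", '"', "--", "/*")


def looks_like_probe(entry):
    """Heuristic flag: a quote/comment marker in the decoded request, or a server error."""
    decoded = unquote(entry["request"])
    return entry["status"] >= 500 or any(m in decoded for m in QUOTE_MARKERS)


def triage(log_text, unix_ts, window_seconds=60):
    """Group the requests around the error by client IP and count the suspicious ones.

    Returns {ip: {"requests": [(iso_time, status, request_line), ...], "suspicious": n}}.
    """
    report = {}
    for e in requests_near(parse_log(log_text), unix_ts, window_seconds):
        slot = report.setdefault(e["ip"], {"requests": [], "suspicious": 0})
        slot["requests"].append((e["time"].isoformat(), e["status"], e["request"]))
        if looks_like_probe(e):
            slot["suspicious"] += 1
    return report


if __name__ == "__main__":
    for ip, info in triage(SAMPLE_LOG, ERROR_UNIX_TS).items():
        print(ip, "suspicious:", info["suspicious"])
        for when, status, req in info["requests"]:
            print("   ", when, status, req)
```

Against a real board, read the access log into `triage` in place of `SAMPLE_LOG`; the heuristic is deliberately coarse, so treat the flagged rows as leads to check by hand (every request from that client over the whole day, not just the one-minute window).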

Scalemotorcars 10 Nov 2018 20:46

Well, using phpMyAdmin I found the below items.

I'm not sure how to do the search you're referring to. And not sure how to check apache/nginx. In layman's terms, please.

And thanks for the help.

%base64% in _searchcore_text, _pmtext, and _post

%exec% in _autosave, _cache, _cacheevent, _widgetconfig, _widgettype, _cronlog, _datastore, dbtech_dbseo_resolvedurl, iei_img, _language, _phrase, _plugin, _pmtext, _post, _postedithistory, _productcode, _searchcore_text, _searchgroup_text, _style, _template, _templatehistory, _thread, _user

Max Taxable 10 Nov 2018 21:12

Quote:

Originally Posted by Scalemotorcars (Post 2597318)
I'm not sure how to do the search you're referring to.

I believe (pretty sure) he gave you SQL queries you can run via ACP.

Scalemotorcars 10 Nov 2018 21:19

Not sure how to check in the ACP. Step by step if it's not too much hassle.

Thanks

Max Taxable 10 Nov 2018 21:39

ACP>Maintenance>Execute SQL Query

One at a time, paste his queries into the manual query box and click "Continue."

You have to be a Super Admin with query running permissions as defined in includes/config.php or nothing will happen, except it will let you know you don't have permission to run queries.

Scalemotorcars 10 Nov 2018 21:55

I tried

Quote:

SELECT title, phpcode, hookname, product FROM plugin WHERE phpcode LIKE '%base64%'
This returned an error number: 1146

Did I get the query wrong?

Sorry I feel like a total noob. You would think after 12 years I would know how to do this.

Max Taxable 10 Nov 2018 21:58

He posted two complete queries. Looks like you posted only part of the first one.

The queries are:

SELECT title, phpcode, hookname, product FROM plugin WHERE phpcode LIKE '%base64%' OR phpcode LIKE '%exec%' OR phpcode LIKE '%system%' OR phpcode LIKE '%passthru%' OR phpcode LIKE '%iframe%';

And:

SELECT styleid, title, template FROM template WHERE template LIKE '%base64%' OR template LIKE '%exec%' OR template LIKE '%system%' OR template LIKE '%passthru%' OR template LIKE '%iframe%';

Try them one at a time.

Scalemotorcars 10 Nov 2018 22:03

Tried that also. I'm the super admin so that's not it. Also tried in the SQL of phpMyAdmin. Same result.

This is the complete error I get trying either one.


Block Disabled:      (Update License Status)  
Suspended or Unlicensed Members Cannot View Code.


Block Disabled:      (Update License Status)  
Suspended or Unlicensed Members Cannot View Code.

And thanks for the help I really appreciate it.

Max Taxable 10 Nov 2018 22:06

Quote:

error desc: Table 'p16t2ugb_forum.plugin' doesn't exist
I have no idea at all why it's trying to query that table, it's not called for in either query.

Need the guy who posted the queries to chime in, I may be mistaken what exactly it is he posted there. LOOKS like queries, might not be though.

Sorry I haven't been able to help you so far.

Scalemotorcars 10 Nov 2018 22:17

Ok I added my prefix to the query and it worked. I got 3 pages of results just for the Plugin query.

Now what?

Max Taxable 10 Nov 2018 22:27

Quote:

Originally Posted by Scalemotorcars (Post 2597326)
Ok I added my prefix to the query and it worked. I got 3 pages of results just for the Plugin query.

Now what?

No idea. Can't be good though.

snakes was online today, maybe he will chime in.

Scalemotorcars 10 Nov 2018 22:30

So like I said, I got the plugin query to work and got 42 results. (Can't get the template one to work.)

Anyway

Maybe reinstall the plugins affected with overwriting enabled. That would change the code but not sure about the DB.

Thanks again.
Daniel

snakes1100 11 Nov 2018 11:40

Well, the 2 queries I gave you just pull the data from those tables; the results you can match to a default/clean install on a dev site, for example.

Scalemotorcars 11 Nov 2018 17:10

Now if I only had a dev site. :(

snakes1100 11 Nov 2018 17:36

Those queries will only show you results that contain the keywords outlined, base64 etc.

Brandon Sheley 13 Nov 2018 11:09

Quote:

Originally Posted by Scalemotorcars (Post 2597326)
Ok I added my prefix to the query and it worked. I got 3 pages of results just for the Plugin query.

Now what?

You can try searching one at a time

SELECT title, phpcode, hookname, product FROM plugin WHERE phpcode LIKE '%base64%';

SELECT title, phpcode, hookname, product FROM plugin WHERE phpcode LIKE '%iframe%';

What do you see with just this part of the command?
Any odd plugins that you don't remember adding?
A screenshot would help us, but really if your site was compromised, it's wise to have someone who knows what they're doing on board.



Powered by vBulletin® Version 3.8.14
Copyright © 2020, MH Sub I, LLC dba vBulletin. All Rights Reserved. vBulletin® is a registered trademark of MH Sub I, LLC
Copyright ©2001 - , vbulletin.org. All rights reserved.