I am suffering SQL Injection type attacks

Since I put a project online I have been having trouble with a hack, where someone is making direct inserts into the database. That's what led me to wrap every variable received through $_GET and $_POST in the following functions:

$variavel = trim(strip_tags(mysqli_real_escape_string($conn, $_POST['recebe'])));

I used two scanner programs to analyze the site ('Acunetix' and 'Scrawlr'); the first time they reported vulnerable variables, but I went through the whole procedure again and now there is no sign of trouble anymore.

However, even so, the attacker still manages to hack into the server, even though I am sure of it after having checked every line of code in the project.

Author: Pedro Quezado, 2015-12-12

3 answers

After the attack he may have gathered important information that allows him to break in by other means. When a server has been hacked it is not simple to make it secure again. If you failed to effectively do the simple thing, which is to make it safe from the start, it will now be much more difficult. He may even be doing this because he now has direct access to the server.

A security expert (a really capable one is rare to find) could analyze that server to see if there is anything that can be done. If you prefer to do it on your own, the best way is probably to start a new server with all different data, especially passwords. Do not copy anything that was on the compromised server. If you really have to copy something, you have to do a thorough analysis of the content. As for passwords, forget it; these cannot be reused.

Privacy is gone. That will never have a solution; once lost, it does not come back.

Other than that, the code is probably still vulnerable. These programs do a superficial analysis; do not trust them as a definitive solution. If you can't find all the vulnerabilities you'll have to hire a specialist. And beware, a lot of people sell what they don't have.

Remember that now the attacker probably knows your code and knows how to exploit any flaws, even those that previously went unnoticed.

See more in How does a SQL Injection happen?

 44
Author: Maniero, 2019-11-05 16:00:56
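As an added illustration of why the escaping wrapper in the question is not enough on its own (this is not code from the question or from either answer), the snippet below drops an escaped value into an unquoted numeric position and contrasts it with a prepared statement. It uses an in-memory SQLite database through PDO so it runs without a MySQL server; the table usuarios, the function names and the input value are constructed for the example, and addslashes() stands in for mysqli_real_escape_string() (which needs a live MySQL connection) because both only backslash-escape quote characters.

```php
<?php
// Added example; not code from the question or the answers.

function setupDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE usuarios (id INTEGER PRIMARY KEY, login TEXT)');
    // constructed sample rows
    $db->exec("INSERT INTO usuarios (id, login) VALUES (1, 'pedro'), (2, 'ana')");
    return $db;
}

// Vulnerable: the question's trim/strip_tags/escape chain around a value that
// is then concatenated as `WHERE id = $id`. There are no quotes around the
// value, so an escaping function has nothing to escape and the input becomes SQL.
function findLoginEscapedOnly(PDO $db, string $rawId): array {
    $id = trim(strip_tags(addslashes($rawId)));
    $sql = "SELECT login FROM usuarios WHERE id = $id";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Fixed: a placeholder plus an integer bind. The input stays data; the query
// text is fixed before any user value is involved.
function findLoginPrepared(PDO $db, string $rawId): array {
    $stmt = $db->prepare('SELECT login FROM usuarios WHERE id = :id');
    $stmt->bindValue(':id', (int) $rawId, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$db = setupDb();
$input = '1 OR 1=1';   // constructed hostile input; a normal request sends "1"
print_r(findLoginEscapedOnly($db, $input));
print_r(findLoginPrepared($db, $input));
```

With that input the escape-only function returns every login in the table, while the prepared version returns only the row with id 1; the same reasoning applies to the asker's $_GET and $_POST wrapper wherever the value ends up in a numeric or identifier position.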

Avoid the mysqli_* and mysql_* functions; use PDO and handle your data inputs.

Run a select on your database and check the users' privileges: whether there are any "strange" users, whether root has external access without a password, etc.

select user,password,host,grant_priv from mysql.user; 

By running the query above, check whether any user (with host = %, which means remote access) has no password. It is not guaranteed that he has access to the database in the way I mentioned, but it can happen. Check the MySQL and PHP logs.

As @Maniero said, the most recommended thing is to hire someone who understands the subject; a rarity, but it is possible.

 1
Author: Marcos Xavier, 2019-08-21 15:30:22

A solution that can help with your problem:

  1. Change all user passwords, and especially the database access password, preferably to a complex one, such as: #@_12!aVxzHors12_8^.

  2. Give the tables a new alias, for example, if the table is usuarios => t_db_usuarios ...

  3. If possible, change the database name, and use "placeholders" with Prepared Statements in the insert/update methods:

Mysqli_*:

    // $mysqli is assumed to be an already open mysqli connection
    $intVal = $_POST['id'];

    $column1 = "exemplo 1";
    $column2 = "exemplo 2";
    $column3 = intval($intVal);

    $query = "INSERT INTO tabela_nome (column1_string, column2_string, column3_integer)
              VALUES (?, ?, ?)";
    $stmt = $mysqli->prepare($query);
    // "ssi": two strings and one integer, one type letter per placeholder
    $stmt->bind_param("ssi", $column1, $column2, $column3);
    if ($stmt->execute()) {
        echo "Sucesso!";
    }
    $stmt->close();

PDO:

    try {
        // $conn is assumed to be an already open PDO connection (connection data omitted)
        $intVal = $_POST['id'];
        $data = [
            ':column1_string'  => 'exemplo1',
            ':column2_string'  => 'exemplo2',
            ':column3_integer' => intval($intVal),
        ];

        // The placeholder names must match the keys of $data exactly,
        // otherwise execute() fails with a parameter-count error
        $sql = "INSERT INTO tabela_nome (column1_string, column2_string, column3_integer)
                VALUES (:column1_string, :column2_string, :column3_integer)";
        $sth = $conn->prepare($sql);
        $exec = $sth->execute($data);
        if ($exec) {
            echo "Sucesso!";
        }
        /*
        If you prefer not to send an array, you can also bind each value individually:

        $sth->bindParam(':column1_string', $data[':column1_string'], PDO::PARAM_STR, 255);
        $sth->bindParam(':column2_string', $data[':column2_string'], PDO::PARAM_STR, 255);
        $sth->bindParam(':column3_integer', $data[':column3_integer'], PDO::PARAM_INT);
        if ($sth->execute()) {
            echo "Sucesso";
        }
        */
    } catch (PDOException $e) {
        echo $e->getMessage();
    }
  4. Never pass insert and update parameters via GET. Prefer to use a CSRF token for forms submitted by POST; that way you validate that the origin of the submission corresponds to the place the form was served from.

    For RESTful APIs, use a Bearer Token for authorization, restrict the CORS origin to your site's domain, and protect yourself from XSS attacks:

    header('Access-Control-Allow-Origin: http://www.seudominio.com.br');
    header("Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept");
    header('Access-Control-Allow-Methods: GET, POST, PUT');

  5. Use some website vulnerability scanning tool, here are some examples:

    https://www.scanmyserver.com/
    https://www.ssllabs.com/ssltest/analyze.html
    https://detectify.com/
    https://www.newnettechnologies.com/vulnerability-tracker.html

 0
Author: Ivan Ferrer, 2019-11-05 18:09:22
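The CSRF-token pattern this answer recommends for POST forms, as an added example that is not the answer's own code: one random token per session, embedded in a hidden field, and compared in constant time on every POST. The function names, the field name csrf_token and the form field recebe are assumptions made for the example.

```php
<?php
// Added example; not code from the answer. Assumes PHP sessions are available.
session_start();

function csrfToken(): string {
    if (empty($_SESSION['csrf_token'])) {
        // 32 bytes from the CSPRNG, hex-encoded so it is safe in an HTML attribute
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function csrfValid(?string $submitted): bool {
    // hash_equals() compares in constant time; a missing field or session fails
    return $submitted !== null
        && isset($_SESSION['csrf_token'])
        && hash_equals($_SESSION['csrf_token'], $submitted);
}

if (($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'POST') {
    if (!csrfValid($_POST['csrf_token'] ?? null)) {
        http_response_code(403);
        exit('Token CSRF invalido');
    }
    // Only after the token check should the INSERT/UPDATE run, using a
    // prepared statement as in the examples earlier in this answer.
    exit('Sucesso!');
}

// GET: render the form with the token in a hidden field
$token = htmlspecialchars(csrfToken(), ENT_QUOTES, 'UTF-8');
echo '<form method="post">'
   . '<input type="hidden" name="csrf_token" value="' . $token . '">'
   . '<input type="text" name="recebe">'
   . '<button type="submit">Enviar</button>'
   . '</form>';
```

A request that arrives by POST without the session's current token, for example one triggered from another site, is rejected before any database write happens.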