Go to main content

Textpattern CMS support forum

You are not logged in. Register | Login | Help

#1 2012-07-27 14:41:30

Bloke
Developer
From: Leeds, UK
Registered: 2006-01-29
Posts: 11,454
Website GitHub

Script kiddie playground

The latest round of people trying to break into my site have been using this curious fella added to any site URL that takes a parameter, such as ?pg=2:

%27+and+(7=11+xor+1=4)--+a

The math expression varies every time (another example: and+not+1=7) but always equates to true. Clearly it must be some kind of injection attempt, trying to short circuit any input that’s not escaped. Good old smd_prognostics has caught the lot so far (yay!) but I’m unsure what this apparent exploit is supposed to be targeting exactly.

The %27 (apostrophe) is not always included — probably an attempt to end some prior statement or variable — then the math expression equates true, which would essentially bypass anything on the line up to that point. What I can’t fathom is the -- a. Doesn’t -- on its own indicate the end of options in most script languages so that what comes after is implied as an input/output file (depending on script). If so, why the a? Is this just a primer to see if the file called ‘a’ gets read/written to, and would the injection continue with a second wave if this first part succeeded?

Some injection attempts are clever and after studying them I can see what they’re trying to do. But I just can’t see the point behind this one, nor the hole it’s trying to breach. Maybe I’m missing something obvious?


The smd plugin menagerie — for when you need one more gribble of power from Textpattern. Bleeding-edge code available on GitHub.

Txp Builders – finely-crafted code, design and Txp

Offline

#2 2012-07-27 15:25:13

etc
Developer
Registered: 2010-11-11
Posts: 5,195
Website GitHub

Re: Script kiddie playground

-- is mysql comment, I think it’s trying to inject something like ' OR 1 -- as $user into “SELECT * WHERE user=’$user’ AND pwd=’$pwd’”.

I’ve got many '%20and%20char(124)%2Buse​r%2Bchar(124)=0%20and%20''=' and such from 114.​227.​11.​153 this morning. Any ideas?

Offline

#3 2012-07-28 00:43:23

Bloke
Developer
From: Leeds, UK
Registered: 2006-01-29
Posts: 11,454
Website GitHub

Re: Script kiddie playground

etc wrote:

-- is mysql comment, I think it’s trying to inject something like ' OR 1 -- as $user into “SELECT * WHERE user=’$user’ AND pwd=’$pwd’”

Ahhhh, makes sense. Didn’t realise it was a MySQL comment, thanks.

I’ve got many '%20and%20char(124)%2Buse​r%2Bchar(124)=0%20and%20''=' and such from 114.​227.​11.​153 this morning.

I got a few of those too last week; different IP of course. No idea what they were about either, but didn’t seem to affect me in any way. I just serve a rude message from smd_prognostics and it seems to kill off most attempts on the 2nd try. when the script realises the site isn’t going to roll over. The reason the one I posted stood out was because they were persistent, like 18 times persistent. Clearly got nothing better to do.


The smd plugin menagerie — for when you need one more gribble of power from Textpattern. Bleeding-edge code available on GitHub.

Txp Builders – finely-crafted code, design and Txp

Offline

#4 2012-07-28 16:21:47

colak
Admin
From: Cyprus
Registered: 2004-11-20
Posts: 9,091
Website GitHub Mastodon Twitter

Re: Script kiddie playground

still on the topic does anyone know what these kids are trying?

index.php?id=65index.php?id=15


Yiannis
——————————
NeMe | hblack.art | EMAP | A Sea change | Toolkit of Care
I do my best editing after I click on the submit button.

Offline

#5 2012-07-29 12:11:31

etc
Developer
Registered: 2010-11-11
Posts: 5,195
Website GitHub

Re: Script kiddie playground

colak wrote:

still on the topic does anyone know what these kids are trying?

index.php?id=65index.php?id=15

Wish I knew what this could break. Are you getting many hits like this?

Offline

#6 2012-07-30 08:35:28

colak
Admin
From: Cyprus
Registered: 2004-11-20
Posts: 9,091
Website GitHub Mastodon Twitter

Re: Script kiddie playground

etc wrote:

Wish I knew what this could break. Are you getting many hits like this?

I get about 10/day

I also get /index.php?id=113%27+and+not+1=7--+a


Yiannis
——————————
NeMe | hblack.art | EMAP | A Sea change | Toolkit of Care
I do my best editing after I click on the submit button.

Offline

#7 2012-07-30 11:55:16

etc
Developer
Registered: 2010-11-11
Posts: 5,195
Website GitHub

Re: Script kiddie playground

colak wrote:

I get about 10/day

I also get /index.php?id=113%27+and+not+1=7--+a

The latest are common mysql injections, but index.php?id=65index.php?id=15 is weird, makes think of some bug if they are not coming from a same address. But I am all but security guy:)

Offline

Board footer

Powered by FluxBB