Textpattern CMS support forum
Script kiddie playground
The latest round of people trying to break into my site have been using this curious fella added to any site URL that takes a parameter, such as ?pg=2:
%27+and+(7=11+xor+1=4)--+a
The math expression varies every time (another example: and+not+1=7) but always equates to true. Clearly it must be some kind of injection attempt, trying to short circuit any input that’s not escaped. Good old smd_prognostics has caught the lot so far (yay!) but I’m unsure what this apparent exploit is supposed to be targeting exactly.
The %27 (apostrophe) is not always included — probably an attempt to end some prior statement or variable — then the math expression equates true, which would essentially bypass anything on the line up to that point. What I can’t fathom is the -- a. Doesn’t -- on its own indicate the end of options in most script languages, so that what comes after is implied as an input/output file (depending on script)? If so, why the a? Is this just a primer to see if the file called ‘a’ gets read/written to, and would the injection continue with a second wave if this first part succeeded?
Some injection attempts are clever and after studying them I can see what they’re trying to do. But I just can’t see the point behind this one, nor the hole it’s trying to breach. Maybe I’m missing something obvious?
The smd plugin menagerie — for when you need one more gribble of power from Textpattern. Bleeding-edge code available on GitHub.
Txp Builders – finely-crafted code, design and Txp
Re: Script kiddie playground
-- is a MySQL comment. I think it’s trying to inject something like ' OR 1 -- as $user into “SELECT * WHERE user=’$user’ AND pwd=’$pwd’”.
I’ve got many '%20and%20char(124)%2Buser%2Bchar(124)=0%20and%20''=' and such from 114.227.11.153 this morning. Any ideas?
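As an added illustration of what etc describes above (my own example code, not anything from the Textpattern project or from smd_prognostics), this takes the decoded id=113' and not 1=7-- a payload quoted later in the thread and runs it against a query built by string concatenation versus one with a bound parameter. It uses an in-memory SQLite table with constructed article rows standing in for a CMS table; SQLite treats -- as a line comment just as MySQL does, so the dangling quote after the comment is swallowed in the concatenated query but stays an ordinary character in the parameterised one. Two facts worth knowing that answer the original question about the trailing a: MySQL only honours -- as a comment when it is followed by whitespace, and a trailing space is often trimmed from a URL, so the +a is there purely to keep that space alive. The xor in the first payload is MySQL syntax that SQLite rejects, which is why the example uses the and not 1=7 form. The looks_like_probe regex is a hypothetical filter of mine, not what smd_prognostics does.

```python
import re
import sqlite3
from urllib.parse import unquote_plus

# Constructed sample data standing in for a CMS article table (assumption).
SAMPLE_ARTICLES = [(15, "fifteen"), (65, "sixty-five"), (113, "one-thirteen")]


def make_db():
    """Create an in-memory SQLite database with the constructed article rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO articles VALUES (?, ?)", SAMPLE_ARTICLES)
    return conn


def decode_param(raw):
    """Decode a raw ?id= value the way the web server hands it to the app:
    %27 becomes an apostrophe and + becomes a space."""
    return unquote_plus(raw)


def build_concat_query(id_value):
    """Vulnerable pattern: the request value is pasted into the SQL text."""
    return f"SELECT title FROM articles WHERE id='{id_value}'"


def lookup_concat(conn, id_value):
    """Run the concatenated query; the comment in the payload hides the
    closing quote, so the injected condition becomes part of the WHERE."""
    return [row[0] for row in conn.execute(build_concat_query(id_value))]


def lookup_param(conn, id_value):
    """Safe pattern: the value is bound, so it is only ever compared as data
    and never parsed as SQL."""
    sql = "SELECT title FROM articles WHERE id=?"
    return [row[0] for row in conn.execute(sql, (id_value,))]


def compare(raw):
    """Show what one raw URL parameter does under both query styles."""
    conn = make_db()
    value = decode_param(raw)
    try:
        concat = lookup_concat(conn, value)
    except sqlite3.Error as exc:  # e.g. MySQL-only syntax SQLite cannot parse
        concat = f"error: {exc}"
    return {
        "decoded": value,
        "query": build_concat_query(value),
        "concat": concat,
        "param": lookup_param(conn, value),
    }


# Hypothetical request filter: a boolean tautology after and/or, a SQL line
# comment, or char() string building are all signs of this kind of probe.
PROBE = re.compile(
    r"(?i)\b(and|or)\b\s+(not\s+)?\(?\s*\d+\s*=\s*\d+|--\s|char\(\d+\)"
)


def looks_like_probe(decoded):
    """True when the decoded parameter carries one of the probe signatures."""
    return bool(PROBE.search(decoded))


if __name__ == "__main__":
    for raw in ("113", "113%27+and+not+1=7--+a", "113%27+and+1=9--+a"):
        result = compare(raw)
        print(raw, "->", result["query"])
        print("  concat:", result["concat"], " param:", result["param"],
              " probe:", looks_like_probe(result["decoded"]))
```

Running it shows the point of the true/false arithmetic: with concatenation the 1=7 form still returns article 113 and the 1=9 form returns nothing, so the response tells the sender whether the injected condition was evaluated, while the bound parameter returns nothing for either because the whole string is compared against the integer id.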
Re: Script kiddie playground
etc wrote:
-- is mysql comment, I think it’s trying to inject something like ' OR 1 -- as $user into “SELECT * WHERE user=’$user’ AND pwd=’$pwd’”
Ahhhh, makes sense. Didn’t realise it was a MySQL comment, thanks.
I’ve got many '%20and%20char(124)%2Buser%2Bchar(124)=0%20and%20''=' and such from 114.227.11.153 this morning.
I got a few of those too last week; different IP of course. No idea what they were about either, but didn’t seem to affect me in any way. I just serve a rude message from smd_prognostics and it seems to kill off most attempts on the 2nd try, when the script realises the site isn’t going to roll over. The reason the one I posted stood out was because they were persistent, like 18 times persistent. Clearly got nothing better to do.
The smd plugin menagerie — for when you need one more gribble of power from Textpattern. Bleeding-edge code available on GitHub.
Txp Builders – finely-crafted code, design and Txp
Re: Script kiddie playground
Still on the topic, does anyone know what these kids are trying?
index.php?id=65index.php?id=15
Yiannis
——————————
NeMe | hblack.art | EMAP | A Sea change | Toolkit of Care
I do my best editing after I click on the submit button.
Re: Script kiddie playground
colak wrote:
still on the topic does anyone know what these kids are trying?
index.php?id=65index.php?id=15
Wish I knew what this could break. Are you getting many hits like this?
Re: Script kiddie playground
etc wrote:
Wish I knew what this could break. Are you getting many hits like this?
I get about 10/day
I also get /index.php?id=113%27+and+not+1=7--+a
Yiannis
——————————
NeMe | hblack.art | EMAP | A Sea change | Toolkit of Care
I do my best editing after I click on the submit button.
Re: Script kiddie playground
colak wrote:
I get about 10/day
I also get /index.php?id=113%27+and+not+1=7--+a
The latest are common MySQL injections, but index.php?id=65index.php?id=15 is weird; it makes me think of some bug if they are not coming from the same address. But I am all but a security guy :)