Ravens PHP Scripts: Forums
 

 

View next topic
View previous topic
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> Security - PHP Nuke
Author Message
giantmidget
Regular
Regular


Joined: Nov 27, 2005
Posts: 53

PostPosted: Mon Dec 05, 2005 9:26 pm Reply with quote

People keep making submissions for downloads with links like this:

Code:
' UNION SELECT '<?echo 'Hi Master';print `$_GET[cmd]`;?>' INTO OUTFILE '../../www/phpnuke/shell.php'


Is this a threat ? I just delete the submissions. What exactly is the person attempting to do, and could it be possible for Sentinel to pickup this type of entry if it is a threat ?
 
View user's profile Send private message
Raven
Site Admin/Owner


Joined: Aug 27, 2002
Posts: 17077

PostPosted: Mon Dec 05, 2005 9:44 pm Reply with quote

Very, very, much a threat, albeit kiddie land. NukeSentinel(tm) should have no problem handling this.
 
View user's profile Send private message
evaders99
Former Moderator in Good Standing


Joined: Apr 30, 2004
Posts: 3221

PostPosted: Mon Dec 05, 2005 11:51 pm Reply with quote

Yep, its a SQL hack. The Patched files should be blocking this, if not, message me the entire URL they used to insert it

_________________
- Only registered users can see links on this board! Get registered or login! -

Need help? Only registered users can see links on this board! Get registered or login! 
View user's profile Send private message Visit poster's website
giantmidget
PostPosted: Tue Dec 06, 2005 6:39 pm Reply with quote

They are not actually "inserting" anything. They are not uploading anything that I know of. They are submitting a "link" and that link contains that text. Of course, I never approve the submission, nor have I clicked them.

They add that exact text for the "Page URL" in /modules.php?name=Web_Links&l_op=AddLink like they were submitting a link to another website.


Oh, and I found this:
Only registered users can see links on this board! Get registered or login!

I use 7.6 fully patched with sentinel. Sentinel does not show any new IP's blocked.
 
Guardian2003
Site Admin


Joined: Aug 28, 2003
Posts: 6792
Location: Ha Noi, Viet Nam

PostPosted: Tue Dec 06, 2005 7:46 pm Reply with quote

Funny that this thread should come up, I have just had quite a few trying to insert url links into the news comments with
Code:
www.mysite.com/modules.php?name=News&file=comments&subject=www usefull resources&comment=Nice info  <A href=http

SNIPPED
&op=Ok!&pid=&sid=109&mode=0&order=0&thold=0&posttype=html

I havent seen this particular one before.
 
View user's profile Send private message Send e-mail
evaders99
PostPosted: Tue Dec 06, 2005 7:57 pm Reply with quote

Yep, we know about this script already. It should be patched

Mm the second one looks like generic spammer. Probably not a hack
 
Guardian2003
PostPosted: Tue Dec 06, 2005 8:15 pm Reply with quote

Evaders99 wrote:
Yep, we know about this script already. It should be patched

Mm the second one looks like generic spammer. Probably not a hack

Yes, obviously a kid as when his attempt failed, he signed up on my site in order to attempt posting links in news comments again but this time as a registered user.
As he wasnt sensible enough to use a free email account I have emailed his ISP.
 
Display posts from previous:       
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> Security - PHP Nuke

View next topic
View previous topic
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum


Powered by phpBB © 2001-2007 phpBB Group
All times are GMT - 6 Hours
 
Forums ©