SQL exploits

April 11th, 2012 | by | security, sysadmin

You know it's going to be a bad day when you get the following email:

Did someone hack our website? It looks like a Chinese news listing entry has been added with today’s date.

Ballsack!

Time to roll up the sleeves. How bad is the damage?

From the looks of it, other sites on the web server had not been damaged. A search for modified files turned up nothing out of the ordinary; log files had changed, of course, but nothing else. A search through the web logs of the site showed that this appeared to be an attack on the Content Management System (CMS) for the site.

Whichever jackass wrote that code should be beaten! Get the torches and pitchforks, death to the programmer!! Oh wait, that was me. Death to the evil script kiddie that attacked my beautiful code!!!!!!!!!

Searching through the logs, I started seeing some interesting entries, a bunch of them with variations such as this:

http://unigleeclub.com/news.phtml?id=-999.9%20UNION%20ALL%20SELECT%200x31303235343830303536,(SELECT%20concat(0x7e,0x27,Hex(cast(user.username%20as%20char)),0x27,0x7e)%20FROM%20`gleeclub`.user%20LIMIT%203,1)%20,0x31303235343830303536,0x31303235343830303536--

This one actually came after a lot of earlier hits from the attacker spent figuring out the tables, and then getting down to the nitty gritty of pulling out a username and password.
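As an added example (not the post's own code), here is a small PHP script that automates the kind of log search described above: it parses combined-format access-log lines and flags request URIs carrying the UNION ... SELECT, hex-literal and trailing-comment signatures visible in the request quoted above. The log lines and client addresses are constructed, and the pattern list is a starting point for a review, not a complete signature set.

```php
<?php
// Added example, not the post's own code: scan access-log lines for request
// URIs that carry the UNION-based injection signatures seen in the logged
// request above. All log lines and addresses below are constructed.

/**
 * True when a request URI shows a UNION-based SQL injection signature:
 * UNION [ALL] SELECT, a long MySQL hex literal (used to smuggle strings
 * without quotes), or a trailing comment marker that discards the rest of
 * the original query. The list is a starting point, not a complete ruleset.
 */
function looks_like_sqli(string $uri): bool
{
    $decoded = rawurldecode($uri);   // see the SQL the way the server saw it
    $patterns = [
        '/\bUNION\b(?:\s+ALL)?\s+SELECT\b/i',
        '/\b0x[0-9a-f]{8,}\b/i',
        '/(?:--|#|\/\*)\s*$/',
    ];
    foreach ($patterns as $pattern) {
        if (preg_match($pattern, $decoded) === 1) {
            return true;
        }
    }
    return false;
}

/** Pull the client address and request URI out of a combined-format log line. */
function parse_log_line(string $line): ?array
{
    $re = '/^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP\/[\d.]+"/';
    if (preg_match($re, $line, $m) !== 1) {
        return null;
    }
    return ['ip' => $m[1], 'uri' => $m[2]];
}

/** Return the suspicious entries, keyed by 1-based line number, for follow-up. */
function find_injection_attempts(array $lines): array
{
    $hits = [];
    foreach ($lines as $index => $line) {
        $entry = parse_log_line($line);
        if ($entry !== null && looks_like_sqli($entry['uri'])) {
            $hits[$index + 1] = $entry;
        }
    }
    return $hits;
}

// Constructed sample: a normal request, a column-count probe, and a data pull
// shaped like the request quoted in the post.
$sampleLog = [
    '203.0.113.7 - - [11/Apr/2012:09:14:02 -0500] "GET /news.phtml?id=42 HTTP/1.1" 200 5120',
    '198.51.100.9 - - [11/Apr/2012:09:15:31 -0500] "GET /news.phtml?id=-999.9%20UNION%20ALL%20SELECT%201,2,3-- HTTP/1.1" 200 3811',
    '198.51.100.9 - - [11/Apr/2012:09:16:05 -0500] "GET /news.phtml?id=-999.9%20UNION%20ALL%20SELECT%200x31303235343830303536,(SELECT%20username%20FROM%20user%20LIMIT%200,1),3-- HTTP/1.1" 200 3840',
];

foreach (find_injection_attempts($sampleLog) as $lineNo => $hit) {
    echo "line {$lineNo}: {$hit['ip']} requested {$hit['uri']}\n";
}
```

Run it with php from the command line and it reports the second and third lines, which share a client address; decoding the URI before matching matters because the attacker's requests arrive with spaces encoded as %20, so a pattern written against the raw log line would miss them. Pivoting on the flagged address in the rest of the log is what reveals the earlier table-discovery requests the post mentions.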

The issue was that I had forgotten to sanitize my data. Like a jackass, I didn't check that $id was an actual integer, and when they ran their script they were able to pull out a hex string that, with the use of such tools as this site, can easily be translated into text.

The Quick Fix

I put in 2 fixes to ensure that we were dealing with an integer value here. First, I did some simple math on the variable, which changes its type if it is not an integer.

$id = $id+0;

If you have a string, you’ll get back a zero. If you have an integer value, you’re good to go.

Also in the code, I expanded the if statement around the code that grabs the specific news item. Instead of just checking to see if the $id variable was set, I now check that it is set and greater than zero, another layer in ensuring that we have a number instead of a string of text.

//Before:
if(isset($id) && $id != "")

//After:
if(isset($id) && $id != "" && $id > 0)
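As an added example (not the post's own code), the following PHP script puts the three stages side by side: the vulnerable query built by pasting $id straight into the SQL, the quick fix described above ($id + 0 followed by the > 0 check), and a stricter version that validates $id with filter_var and hands it to a prepared statement. It assumes the pdo_sqlite extension is available; the news table, its rows and the request values are constructed for the demonstration.

```php
<?php
// Added example, not the post's own code. It contrasts the vulnerable query
// construction the post describes with the post's quick fix and with a
// validated, parameterised query. Assumes the pdo_sqlite extension; the
// "news" table, its rows and the request values are all constructed here.

// 1. The vulnerable pattern: the raw request value is pasted into the SQL,
//    so a value such as "-999.9 UNION ALL SELECT ..." rewrites the query.
function build_query_unsafe(string $id): string
{
    return "SELECT id, title FROM news WHERE id = $id";
}

// 2. The post's quick fix: arithmetic coercion followed by a > 0 check.
//    "abc" + 0 is 0 on PHP 5/7 but a TypeError on PHP 8, so the catch keeps
//    the original behaviour; a leading-numeric string such as "-999.9 UNION..."
//    becomes -999.9 (with a warning, suppressed here) and then fails > 0.
function quick_fix_id(string $id): ?int
{
    try {
        $n = @($id + 0);
    } catch (TypeError $e) {
        $n = 0;
    }
    if (isset($n) && $n != "" && $n > 0) {
        return (int) $n;
    }
    return null;
}

// 3. Strict validation: only a whole positive integer is accepted, and the
//    value reaches SQL as a bound parameter, never as query text.
function validated_id(string $id): ?int
{
    $n = filter_var($id, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $n === false ? null : $n;
}

function fetch_news(PDO $db, string $rawId): ?array
{
    $id = validated_id($rawId);
    if ($id === null) {
        return null;                       // rejected before any SQL is built
    }
    $stmt = $db->prepare('SELECT id, title FROM news WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed fixture and request values.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT)');
$db->exec("INSERT INTO news (id, title) VALUES (1, 'Spring concert'), (2, 'Auditions open')");

$payload = "-999.9 UNION ALL SELECT 1, 'injected' --";   // shaped like the logged request

echo build_query_unsafe($payload), "\n";   // the UNION becomes part of the query text
var_dump(quick_fix_id($payload));          // -999.9 fails the > 0 check, so it is rejected
var_dump(quick_fix_id("42abc"));           // leading digits survive coercion, so this still passes
var_dump(validated_id("42abc"));           // not a whole integer, so this is rejected
var_dump(fetch_news($db, $payload));       // rejected, never reaches the database
var_dump(fetch_news($db, "2"));            // the bound lookup returns the matching row
```

Run it with php from the command line. Two caveats about the quick fix are worth knowing: arithmetic coercion keeps the leading digits of a string such as "42abc", so it is not the same as checking for a whole integer, and on PHP 8 adding 0 to a wholly non-numeric string throws a TypeError instead of yielding 0, which the try/catch above papers over. The payload from the logs starts with -999.9, so it is the > 0 test rather than the coercion alone that rejects it. Validating up front and binding the value as a parameter removes both concerns, because the value can no longer become part of the query text at all.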

We’re all human and humans make mistakes. This code that was exploited was written 8 years ago at a time when I should have known better, but missed it. It lived in the wild up until last year when it was finally exploited. I’m lucky that it took that long for it to expose itself, but kind of embarrassed that it was there in the first place. While I tend to come down hard on people for not doing these sort of things, it’s only because I’ve learned my lesson the hard way and have seen people continually mess this stuff up. While this happened to me a while ago, I’ve had friends get bit by this very recently so I figured it was time to finish off this post and get it out the door. An ounce of prevention sort of thing.

To learn more about SQL injection attacks, here is a good article by Bhanu Mahesh on Quality Software Connection on how to prevent them.

Puppet Presentation

January 25th, 2012 | by | sysadmin, tips & tricks

For those looking for the slides from the puppet presentation that I gave last week, here they are.

I’ll be working on getting a screen cast of the demo up in the next week or so. Too many other things distracting me at this moment.

Pizza and Puppet

December 15th, 2011 | by | in the news, sysadmin, tips & tricks

For those looking to see my handsome mug in person and listen to my beautiful tenor voice, I will be giving a Puppet demonstration at the January 2012 CIALUG meeting. Details on the event can be found on the events page of the cialug.org site.

Puppetlabs has stepped up to offer sponsorship of the event so besides my insightful talk, there will be pizza and t-shirts that will be handed out while supplies last or whatever game we come up with to give them away. I have a whole box of them so hopefully many of you are sporting the latest in puppet wear before the night is through.

So put it in your calendar now to join me for Pizza and Puppet on January 18th at 7PM in the LightEdge corporate headquarters.

vmkfstool for the win

December 14th, 2011 | by | sysadmin, vmware

Got a call tonight concerning a VM that was having some issues. We had p2v’d our Virtual Center and when the new vCenter came online, apparently DRS decided to balance the heck out of things and somewhere in the process, a VM got squished and had a variety of issues.

When I was brought in, it wasn’t powering up and throwing an error concerning a lock. So here is what I tried.

  1. Remove the VM from inventory and re-add it. Based on past support calls with VMware, this trick seems to be a tried and true ‘do this first’ method of debugging a VM. I’m not going to go into great detail on why this might work, but needless to say, I’m dealing with a file system lock and re-adding it really does nothing for me here. In theory, it might remove the lock, but unfortunately the method failed.
  2. Snapshot shuffle. This is where you take a snapshot of the VM and then attempt to do a Delete All in the snapshot manager. The VM was acting as though it had a snapshot on the system and wasn’t letting it go. By doing a delete all, VMware will look for other snapshots and remove them if they are in the chain, even if they are not showing up in the snapshot manager. This method also failed.
  3. vmkfstools for the win. I’m a unix admin so getting in the shell doesn’t bother me. For others, this might be a bit intimidating. But I ssh’d into the host, found my VM directory and did a check on each of the VMDK files using vmkfstools. Each came back clean, so I then moved on to breaking the lock file, also with vmkfstools. The command technically stated that it didn’t complete successfully, but I found that it did indeed work and I was able to power on the VM. Mission accomplished! Here is a run down of the commands used in this method:
    To check a VMDK:
    vmkfstools -x check virtualMachine.vmdk

    To remove a lock:
    vmkfstools -B virtualMachine.vmdk

    To list all vmkfstools options:
    vmkfstools -h
    -or-
    man vmkfstools

Hopefully you don’t run into this issue anytime soon, but if you do, try a few of these methods and see where you end up. If all else fails, build a new VM and restore from backup. Or…call VMware support, they’re really good at this sort of thing.
