My client's site got hit by SQL injection :(

Discussion in 'Technical and Security Issues' started by bedebah, 2 Sep 2010.

Thread Status:
Not open for further replies.
  1. bedebah

    bedebah Apprentice 2.0

    cPanel log:
    I've masked the attacker's IP.
    Code:
    111.95.***.** - - [01/Sep/2010:23:33:15 +0700] "GET /link.php?what=prod&cats=-999.9%20UNION%20ALL%20SELECT%200x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536-- HTTP/1.1" 404 - "-" "-"
    111.95.***.** - - [01/Sep/2010:23:33:15 +0700] "GET /link.php?what=prod&cats=-999.9%20UNION%20ALL%20SELECT%200x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536-- HTTP/1.1" 404 - "-" "-"
    111.95.***.** - - [01/Sep/2010:23:33:15 +0700] "GET /link.php?what=prod&cats=-999.9%20UNION%20ALL%20SELECT%200x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536-- HTTP/1.1" 404 - "-" "-"
    
    In the end they got through; the hacker managed to deface the site I built :(
    That's not all of the log; there are hundreds of lines, maybe thousands.

    Judging from the log, the hacker seems to be using a tool; with that much being typed, there's no way it was done by hand.

    I've already secured the vulnerable variables...
    such as link.php?what=prod&cats=number
    the variables $cats and $id are now filtered like this:
    Code:
    $cats=abs((int)$_GET['cats']);
    $id=abs((int)$_GET['id']);
    
     
  2. bedebah

    bedebah Apprentice 2.0

    It looks like the hacker failed to get into link.php via SQL injection because of that filter (maybe???)
    and went on to brute-force for admin files in the /panel folder:
    Code:
    111.95.***.** - - [01/Sep/2010:23:34:21 +0700] "GET /panel/admin.asp HTTP/1.1" 404 - "-" "-"
    111.95.***.** - - [01/Sep/2010:23:34:25 +0700] "GET /panel/check.asp HTTP/1.1" 404 - "-" "-"
    111.95.***.** - - [01/Sep/2010:23:34:25 +0700] "GET /panel/relogin.php HTTP/1.1" 404 - "-" "-"
    111.95.***.** - - [01/Sep/2010:23:34:30 +0700] "GET /panel/secure/ HTTP/1.1" 404 - "-" "-"
    111.95.***.** - - [01/Sep/2010:23:34:30 +0700] "GET /panel/webmaster/ HTTP/1.1" 404 - "-" "-"
    111.95.***.** - - [01/Sep/2010:23:34:30 +0700] "GET /panel/webmaster.asp HTTP/1.1" 404 - "-" "-"
    111.95.***.** - - [01/Sep/2010:23:34:30 +0700] "GET /panel/webmaster.php HTTP/1.1" 404 - "-" "-"
    111.95.***.** - - [01/Sep/2010:23:34:30 +0700] "GET /panel/autologin.php HTTP/1.1" 404 - "-" "-"
    111.95.***.** - - [01/Sep/2010:23:34:30 +0700] "GET /panel/autologin.asp HTTP/1.1" 404 - "-" "-"
    111.95.***.** - - [01/Sep/2010:23:34:30 +0700] "GET /panel/userlogin.php HTTP/1.1" 404 - "-" "-"
    111.95.***.** - - [01/Sep/2010:23:34:30 +0700] "GET /panel/userlogin.asp HTTP/1.1" 404 - "-" "-"
    111.95.***.** - - [01/Sep/2010:23:34:30 +0700] "GET /panel/admin_area.php HTTP/1.1" 404 - "-" "-"
    111.95.***.** - - [01/Sep/2010:23:34:30 +0700] "GET /panel/admin_area.asp HTTP/1.1" 404 - "-" "-"
    111.95.***.** - - [01/Sep/2010:23:34:31 +0700] "GET /panel/cmsadmin.php HTTP/1.1" 404 - "-" "-"
    111.95.***.** - - [01/Sep/2010:23:34:31 +0700] "GET /panel/cmsadmin.asp HTTP/1.1" 404 - "-" "-"
    111.95.***.** - - [01/Sep/2010:23:34:31 +0700] "GET /panel/security/ HTTP/1.1" 404 - "-" "-"
    111.95.***.** - - [01/Sep/2010:23:34:31 +0700] "GET /panel/usr/ HTTP/1.1" 404 - "-" "-"
    111.95.***.** - - [01/Sep/2010:23:34:31 +0700] "GET /panel/secret/ HTTP/1.1" 404 - "-" "-"
    111.95.***.** - - [01/Sep/2010:23:34:31 +0700] "GET /panel/root/ HTTP/1.1" 404 - "-" "-"
    111.95.***.** - - [01/Sep/2010:23:34:31 +0700] "GET /panel/moderator.php HTTP/1.1" 404 - "-" "-"
    111.95.***.** - - [01/Sep/2010:23:34:31 +0700] "GET /panel/admin/login.asp HTTP/1.1" 404 - "-" "-"
    111.95.***.** - - [01/Sep/2010:23:34:31 +0700] "GET /panel/admin/adminLogin.php HTTP/1.1" 404 - "-" "-"
    111.95.***.** - - [01/Sep/2010:23:34:31 +0700] "GET /panel/moderator.html HTTP/1.1" 404 - "-" "-"
    111.95.***.** - - [01/Sep/2010:23:34:31 +0700] "GET /panel/admin/login.php HTTP/1.1" 404 - "-" "-"
    111.95.***.** - - [01/Sep/2010:23:34:31 +0700] "GET /panel/admin/adminLogin.asp HTTP/1.1" 404 - "-" "-"
    111.95.***.** - - [01/Sep/2010:23:34:31 +0700] "GET /panel/moderator/login.php HTTP/1.1" 404 - "-" "-"
    111.95.***.** - - [01/Sep/2010:23:34:31 +0700] "GET /panel/moderator/login.asp HTTP/1.1" 404 - "-" "-"
    111.95.***.** - - [01/Sep/2010:23:34:31 +0700] "GET /panel/moderator/admin.asp HTTP/1.1" 404 - "-" "-"
    111.95.***.** - - [01/Sep/2010:23:34:31 +0700] "GET /panel/0admin/ HTTP/1.1" 404 - "-" "-"
    111.95.***.** - - [01/Sep/2010:23:34:31 +0700] "GET /panel/moderator/admin.php HTTP/1.1" 404 - "-" "-"
    111.95.***.** - - [01/Sep/2010:23:34:31 +0700] "GET /panel/aadmin/ HTTP/1.1" 404 - "-" "-"
    111.95.***.** - - [01/Sep/2010:23:34:31 +0700] "GET /panel/0manager/ HTTP/1.1" 404 - "-" "-"
    111.95.***.** - - [01/Sep/2010:23:34:31 +0700] "GET /panel/cgi-bin/loginphp HTTP/1.1" 404 - "-" "-"
    111.95.***.** - - [01/Sep/2010:23:34:31 +0700] "GET /panel/cgi-bin/loginasp HTTP/1.1" 404 - "-" "-"
    111.95.***.** - - [01/Sep/2010:23:34:31 +0700] "GET /panel/login1asp HTTP/1.1" 404 - "-" "-"
    111.95.***.** - - [01/Sep/2010:23:34:31 +0700] "GET /panel/login1php HTTP/1.1" 404 - "-" "-"
    111.95.***.** - - [01/Sep/2010:23:34:31 +0700] "GET /panel/login_admin/ HTTP/1.1" 404 - "-" "-"
    111.95.***.** - - [01/Sep/2010:23:34:31 +0700] "GET /panel/login_adminphp HTTP/1.1" 404 - "-" "-"
    111.95.***.** - - [01/Sep/2010:23:34:31 +0700] "GET /panel/login_adminasp HTTP/1.1" 404 - "-" "-"
    111.95.***.** - - [01/Sep/2010:23:34:31 +0700] "GET /panel/login_out/ HTTP/1.1" 404 - "-" "-"
    111.95.***.** - - [01/Sep/2010:23:34:31 +0700] "GET /panel/login_outphp HTTP/1.1" 404 - "-" "-"
    111.95.***.** - - [01/Sep/2010:23:34:31 +0700] "GET /panel/login_outasp HTTP/1.1" 404 - "-" "-"
    111.95.***.** - - [01/Sep/2010:23:34:31 +0700] "GET /panel/login_userphp HTTP/1.1" 404 - "-" "-"
    111.95.***.** - - [01/Sep/2010:23:34:32 +0700] "GET /panel/login_userasp HTTP/1.1" 404 - "-" "-"
    111.95.***.** - - [01/Sep/2010:23:34:32 +0700] "GET /panel/loginok/ HTTP/1.1" 404 - "-" "-"
    111.95.***.** - - [01/Sep/2010:23:34:32 +0700] "GET /panel/loginerror/ HTTP/1.1" 404 - "-" "-"
    111.95.***.** - - [01/Sep/2010:23:34:32 +0700] "GET /panel/loginsave/ HTTP/1.1" 404 - "-" "-"
    111.95.***.** - - [01/Sep/2010:23:34:32 +0700] "GET /panel/loginsuper/ HTTP/1.1" 404 - "-" "-"
    111.95.***.** - - [01/Sep/2010:23:34:32 +0700] "GET /panel/loginsuperphp HTTP/1.1" 404 - "-" "-"
    111.95.***.** - - [01/Sep/2010:23:34:32 +0700] "GET /panel/loginphp HTTP/1.1" 404 - "-" "-"
    111.95.***.** - - [01/Sep/2010:23:34:32 +0700] "GET /panel/loginasp HTTP/1.1" 404 - "-" "-"
    111.95.***.** - - [01/Sep/2010:23:34:32 +0700] "GET /panel/logout/ HTTP/1.1" 404 - "-" "-"
    111.95.***.** - - [01/Sep/2010:23:34:32 +0700] "GET /panel/loginsuperasp HTTP/1.1" 404 - "-" "-"
    111.95.***.** - - [01/Sep/2010:23:34:32 +0700] "GET /panel/logoutphp HTTP/1.1" 404 - "-" "-"
    111.95.***.** - - [01/Sep/2010:23:34:32 +0700] "GET /panel/logoutasp HTTP/1.1" 404 - "-" "-"
    111.95.***.** - - [01/Sep/2010:23:34:32 +0700] "GET /panel/secrets/ HTTP/1.1" 404 - "-" "-"
    111.95.***.** - - [01/Sep/2010:23:34:32 +0700] "GET /panel/super1/ HTTP/1.1" 404 - "-" "-"
    111.95.***.** - - [01/Sep/2010:23:34:32 +0700] "GET /panel/super1php HTTP/1.1" 404 - "-" "-"
    111.95.***.** - - [01/Sep/2010:23:34:32 +0700] "GET /panel/super1asp HTTP/1.1" 404 - "-" "-"
    111.95.***.** - - [01/Sep/2010:23:34:32 +0700] "GET /panel/super_indexphp HTTP/1.1" 404 - "-" "-"
    111.95.***.** - - [01/Sep/2010:23:34:32 +0700] "GET /panel/super_loginphp HTTP/1.1" 404 - "-" "-"
    111.95.***.** - - [01/Sep/2010:23:34:32 +0700] "GET /panel/super_indexasp HTTP/1.1" 404 - "-" "-"
    111.95.***.** - - [01/Sep/2010:23:34:32 +0700] "GET /panel/super_loginasp HTTP/1.1" 404 - "-" "-"
    111.95.***.** - - [01/Sep/2010:23:34:32 +0700] "GET /panel/supermanagerphp HTTP/1.1" 404 - "-" "-"
    111.95.***.** - - [01/Sep/2010:23:34:32 +0700] "GET /panel/supermanagerasp HTTP/1.1" 404 - "-" "-"
    111.95.***.** - - [01/Sep/2010:23:34:32 +0700] "GET /panel/supermanphp HTTP/1.1" 404 - "-" "-"
    111.95.***.** - - [01/Sep/2010:23:34:32 +0700] "GET /panel/supermanasp HTTP/1.1" 404 - "-" "-"
    111.95.***.** - - [01/Sep/2010:23:34:32 +0700] "GET /panel/superuserphp HTTP/1.1" 404 - "-" "-"
    111.95.***.** - - [01/Sep/2010:23:34:32 +0700] "GET /panel/superuserasp HTTP/1.1" 404 - "-" "-"
    111.95.***.** - - [01/Sep/2010:23:34:32 +0700] "GET /panel/supervise/ HTTP/1.1" 404 - "-" "-"
    111.95.***.** - - [01/Sep/2010:23:34:32 +0700] "GET /panel/supervise/Loginphp HTTP/1.1" 404 - "-" "-"
    111.95.***.** - - [01/Sep/2010:23:34:32 +0700] "GET /panel/superphp HTTP/1.1" 404 - "-" "-"
    111.95.***.** - - [01/Sep/2010:23:34:32 +0700] "GET /panel/supervise/Loginasp HTTP/1.1" 404 - "-" "-"
    111.95.***.** - - [01/Sep/2010:23:34:32 +0700] "GET /panel/superasp HTTP/1.1" 404 - "-" "-"
    
     
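As an added example (not code from the thread or from bedebah's site), here is a small log triage script in the spirit of the two posts above: it URL-decodes each request in an Apache-style access log, flags UNION/SELECT probes like the ones in the first post, and flags any IP that racks up a burst of 404s in a short window, like the /panel guessing run in the second. The IPs, paths and timestamps in the sample are constructed, and the thresholds are assumptions to tune per site.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import unquote_plus

# Apache common/combined log layout, as in the poster's cPanel log.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')
# UNION-based probe or a trailing SQL comment terminator, matched after URL decoding.
SQLI_RE = re.compile(r"\bunion\b\s+(?:all\s+)?select\b|--\s*$", re.I)

def parse_line(line):
    """Return (ip, timestamp, method, decoded path, status), or None if unparseable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    return ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), method, unquote_plus(path), int(status)

def analyze(log_text, burst_threshold=10, window_seconds=60):
    """Flag SQL-injection probes and per-IP 404 bursts (admin-path guessing)."""
    sqli, not_found = [], defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, _, path, status = rec
        if SQLI_RE.search(path):
            sqli.append((ip, path))
        if status == 404:
            not_found[ip].append(ts)
    scanners = {}  # ip -> largest number of 404s seen inside one window
    for ip, times in not_found.items():
        times.sort()
        start = 0
        for end, ts in enumerate(times):
            # Advance the window start until it spans at most window_seconds.
            while ts - times[start] > timedelta(seconds=window_seconds):
                start += 1
            if end - start + 1 >= burst_threshold:
                scanners[ip] = max(scanners.get(ip, 0), end - start + 1)
    return {"sqli": sqli, "scanners": scanners}

# Constructed sample in the thread's log layout: documentation-range IPs, made-up paths.
def _line(ip, hhmmss, path, status):
    return f'{ip} - - [01/Sep/2010:{hhmmss} +0700] "GET {path} HTTP/1.1" {status} - "-" "-"'

SAMPLE_LOG = "\n".join(
    [_line("203.0.113.7", "23:30:02", "/link.php?what=prod&cats=12", 200),
     _line("198.51.100.10", "23:33:15", "/link.php?what=prod&cats=-999.9%20UNION%20ALL%20SELECT%200x31,0x31--", 404),
     _line("203.0.113.7", "23:33:40", "/favicon.ico", 404)]
    + [_line("198.51.100.10", f"23:34:{21 + i}", f"/panel/guess{i}.php", 404) for i in range(12)])
```

Feed it the real access log (for example `analyze(open("access_log").read())`) and the `scanners` dict gives the IPs worth blocking in .htaccess or the firewall, while `sqli` lists the exact decoded requests to check against the application code.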
  3. rendy

    rendy Hosting Guru DWH Guardian Web Hosting (Company)

    just suspend it for now
    wait for the attacker to die down
    then bring it back up and investigate
     
  4. bedebah

    bedebah Apprentice 2.0

    that's an online shop with big daily transaction volume, bro :(
    your solution would cost my client money :(

    based on what he did, he was definitely after the files in the /panel folder, and I already know what I have to do :p

    wish me luck, and tips are welcome ...
     
  5. dpnux

    dpnux Expert 1.0

    I've been through the same thing, and I banned the brute-forcing IP in .htaccess.

    In PHP I always use is_numeric() to validate every incoming numeric variable, when only an integer is expected, before casting it.
     
  6. dewa

    dewa Poster 2.0

    If the transaction volume is already big.. it'd be rough on the client to suspend it, even temporarily...
    Hopefully the vulnerable variables get locked down soon....
    Even during Ramadan.. there are still people making mischief, huh...
     
  7. rendy

    rendy Hosting Guru DWH Guardian Web Hosting (Company)

    notify the user, then
    let them take part in the decision
    usually these get targeted because of software that isn't updated
     
  8. vkios01

    vkios01 Expert 1.0

    what about this approach, bro? encrypting the parameter..
    http://blog.rosihanari.net/mengenkripsi-parameter-get-method-untuk-keamanan

    that's already solid against SQL injection..

    personally I don't like taking an id parameter; I usually use a text parameter
    so there's no need to check whether it's an integer or not.. and if it's not in the database, just redirect to a 404

    for example;
    link.php?what=prod&cats=445

    it's better to rewrite the URL, which you can do with .htaccess
    e.g. make it; /link/prod/445
    so the parameters don't have to appear in the URL.. what&cats

    CMIIW
     
  9. JuraganWebHosting

    JuraganWebHosting Apprentice 1.0

    Agree with bro vkios01, you really should apply URL rewriting with htaccess... it helps a lot in keeping the hacker from learning the important variables :)
     
  10. xent

    xent Beginner 1.0

    As an addition, you can filter with a regex (preg_match and the like). I always use regexes to validate GET/POST variables.
     