Site matters -- looking at the access logs

There was a string of interesting entries that I saw when I was checking this site's access log last week. Said entries of interest were in the following form:

[13/Apr/2012:10:03:30 +0000] "GET /blog.php?dispPage=2+AND+1=2+UNION+ALL+SELECT+0x346e64337273306e31346e64337273336e-- HTTP/1.0" 200 12613 "-" "Mozilla/5.0"
[13/Apr/2012:10:03:31 +0000] "GET /blog.php?dispPage=2+AND+1=2+UNION+ALL+SELECT+0x346e64337273306e31346e64337273336e,0x346e64337273306e32346e64337273336e-- HTTP/1.0" 200 12650 "-" "Mozilla/5.0"
... (and many more with an increasing number of values added after SELECT)

If you know your web security basics, you will know that this is basically an attempt to test for vulnerability to SQL injection; if you don't, erm, well, it's an attempt to test for SQL injection. The wikipedia article on it is pretty informative.

What it does is -- and this is a very simplified explanation -- it makes the values given after the SELECT appear on the webpage if it is vulnerable to SQL injection. In my case, the values did show, but probably not where you'd expect.

You see, I do protect my database access from SQL injection, but I display the page number directly from the URL query string. Therefore, the bottom of my blog page will display something like "Page 2 AND 1=2 UNION ALL SELECT 0x346e64337273306e31346e64337273336e-- of 4", which is pretty weird looking, though decidedly harmless. Still, I wonder if the appearance of the values on the page will register as a false positive on vulnerability to whoever is doing the attacking. Either way, I have changed my code to do some formatting to the page number before displaying.
Permalink | Posted 12:26AM 20-4-2012 by Quentin.


There are no comments.

Don't fill this in!