Getting loads of these all day in Who's Online, any ideas?
/products_new.php?sort=5d%29%2F%2A%2A%2FAND%2F%2A%2A%2F6997%3D%28SELECT%2F%2A%2A%2F6997%2F%2A%2A%2FFROM%2F%2A%2A%2FPG_SLEEP%285%29%29%2F%2A%2A%2FAND%2F%2A%2A%2F%281443%3D1443&view=all
What are they attempting to do, Hack?
- VIP Member
- Posts: 230
- Joined: Thu Mar 25, 2021 12:26 pm
- Has thanked: 7 times
- Been thanked: 3 times
Re: What are they attempting to do, Hack?
They try "form injection". But that doesn't mean that it worked, only that they tried.
You can copy/paste the full URL yourself and see what you get to see (and then you know if the "hack" worked or only tried to).
regards
- Lead Developer
- Posts: 2637
- Joined: Tue Nov 05, 2019 6:02 pm
- Has thanked: 4 times
- Been thanked: 181 times
Re: What are they attempting to do, Hack?
They are attempting to crack your PostgreSQL database. Which Phoenix doesn't have. So this is just a penetration test. It may be your host doing it or it may be a crack attempt.
Note that the software ignores this particular attempt, as ) and % are not parts of a valid sort value, so it will reject the parameter and use the default. But even if the attempt were to somehow reach the database (despite the fact that the sort parameter has nothing to do with the database), it's attempting to manipulate a PostgreSQL database and would therefore fail.
Note that other entries may be doing something else. This analysis is on this particular entry. But I'm not particularly worried about compromising the sort parameter, as it is not sent to the database. It's just used to select the sort column and direction. The sort direction must be the last character (either a or d), and the rest must be a number. And the number must correspond to a valid sortable column.
Incidentally, this is a SQL injection, not a form injection. Regardless though, there isn't an underlying vulnerability to exploit, because the sort parameter is never sent to the database, and it is validated before being displayed on the page.
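The reply above describes two things worth seeing side by side: what the encoded payload actually says once decoded, and the validation rule ("last character a or d, the rest a number, and the number must be a sortable column") that makes it harmless. The script below is an added illustration written for this thread, not Phoenix's own code. It decodes the logged request, checks the sort value the way the post describes, and flags the markers that identify the payload as a time-based blind SQL injection probe aimed at PostgreSQL. The set of sortable column numbers (SORTABLE_COLUMNS) and the default sort are made-up values for the example.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample: the request path quoted in the thread, as it would appear in a log.
LOGGED_REQUEST = (
    "/products_new.php?sort=5d%29%2F%2A%2A%2FAND%2F%2A%2A%2F6997%3D%28SELECT"
    "%2F%2A%2A%2F6997%2F%2A%2A%2FFROM%2F%2A%2A%2FPG_SLEEP%285%29%29%2F%2A%2A%2F"
    "AND%2F%2A%2A%2F%281443%3D1443&view=all"
)

# Hypothetical values for the example: which column numbers the page allows
# sorting on, and what to fall back to when the parameter is rejected.
SORTABLE_COLUMNS = {1, 2, 3, 4, 5}
DEFAULT_SORT = (1, "a")

# Whole-string match: one or more digits, then exactly one direction letter.
# Anchoring on both ends is what rejects "5d)" followed by anything else.
SORT_RE = re.compile(r"^([0-9]+)([ad])$")


def decode_sort(url):
    """Return the percent-decoded value of the sort parameter ('' if absent)."""
    query = urlsplit(url).query
    return parse_qs(query, keep_blank_values=True).get("sort", [""])[0]


def parse_sort(raw, sortable=SORTABLE_COLUMNS, default=DEFAULT_SORT):
    """Validate a sort value as the post describes.

    Returns (column_number, direction) for a valid value, otherwise the default.
    Nothing here ever touches a database; the result only selects a column
    and a direction from a fixed set.
    """
    m = SORT_RE.match(raw)
    if not m:
        return default
    column = int(m.group(1))
    if column not in sortable:
        return default
    return (column, m.group(2))


# Markers that identify this particular probe. /**/ is a SQL comment used as
# whitespace to slip past naive filters; pg_sleep(5) makes PostgreSQL pause 5 s
# when the surrounding condition is true, so the attacker reads the answer from
# response time. The trailing "1443=1443" is the always-true condition.
SQLI_MARKERS = {
    "pg_sleep": re.compile(r"pg_sleep\s*\(", re.IGNORECASE),
    "comment_as_whitespace": re.compile(r"/\*\*/"),
    "boolean_tail": re.compile(r"\bAND\b.*\d+=\d+", re.IGNORECASE),
}


def sqli_indicators(value):
    """Return the names of the markers present in a decoded parameter value."""
    return [name for name, rx in SQLI_MARKERS.items() if rx.search(value)]


if __name__ == "__main__":
    decoded = decode_sort(LOGGED_REQUEST)
    print("decoded sort value:", decoded)
    print("validated as:", parse_sort(decoded))
    print("indicators:", sqli_indicators(decoded))
```

The decoded value begins with a legitimate "5d" and then appends the injected SQL, which is why the whole-string check matters: a validator that only reads a leading integer (PHP's intval("5d)...") returns 5, for instance) would accept it. With the anchored pattern the value fails validation and the default sort is used, exactly as the post describes, and the pg_sleep and /**/ markers are what to search for when triaging the other entries in the log.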