What are they attempting to do, Hack?

mhsuffolk
VIP Member
Posts: 146
Joined: Sat Oct 26, 2019 9:13 am
Has thanked: 8 times
Been thanked: 5 times

What are they attempting to do, Hack?

Post by mhsuffolk »

Getting loads of these all day in Who's Online, any ideas?

/products_new.php?sort=5d%29%2F%2A%2A%2FAND%2F%2A%2A%2F6997%3D%28SELECT%2F%2A%2A%2F6997%2F%2A%2A%2FFROM%2F%2A%2A%2FPG_SLEEP%285%29%29%2F%2A%2A%2FAND%2F%2A%2A%2F%281443%3D1443&view=all
Live shop Phoenix 1.0.9.0 on PHP 8.0
loop
VIP Member
Posts: 230
Joined: Thu Mar 25, 2021 12:26 pm
Has thanked: 7 times
Been thanked: 3 times

Re: What are they attempting to do, Hack?

Post by loop »

They try "form injection". But that doesn't mean that it worked, only that they tried.
You can copy/paste the full url yourself and see what you get to see (and then you know if the "hack" worked or only tried to)
regards
ecartz
Lead Developer
Posts: 2637
Joined: Tue Nov 05, 2019 6:02 pm
Has thanked: 4 times
Been thanked: 181 times

Re: What are they attempting to do, Hack?

Post by ecartz »

mhsuffolk wrote: Mon Jul 19, 2021 1:33 pm
PG_SLEEP
They are attempting to crack your PostgreSQL database. Which Phoenix doesn't have. So this is just a penetration test. It may be your host doing it or it may be a crack attempt.

Note that the software ignores this particular attempt, as ) and % are not parts of a valid sort value, so it will reject the parameter and use the default. But even if the attempt were to somehow reach the database (despite the fact that the sort parameter has nothing to do with the database), it's attempting to manipulate a PostgreSQL database and would therefore fail.

Note that other entries may be doing something else. This analysis is on this particular entry. But I'm not particularly worried about compromising the sort parameter, as it is not sent to the database. It's just used to select the sort column and direction. The sort direction must be the last character (either a or d), and the rest must be a number. And the number must correspond to a valid sortable column.

Incidentally, this is a SQL injection not a form injection. Regardless though, there isn't an underlying vulnerability to exploit. Because the sort parameter is never sent to the database. And it is validated before being displayed on the page.
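As an added illustration (not code from this thread or from Phoenix), here is the sort-parameter rule ecartz describes, written in Python and run against the logged URL, together with a simple check for sleep-style probes in request logs; the column allowlist and default sort are assumptions.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Constructed sample log: the probe quoted in the thread plus ordinary requests.
REQUESTS = [
    "/products_new.php?sort=5d%29%2F%2A%2A%2FAND%2F%2A%2A%2F6997%3D%28SELECT%2F%2A%2A%2F6997"
    "%2F%2A%2A%2FFROM%2F%2A%2A%2FPG_SLEEP%285%29%29%2F%2A%2A%2FAND%2F%2A%2A%2F%281443%3D1443&view=all",
    "/products_new.php?sort=5d&view=all",
    "/products_new.php?sort=2a",
    "/products_new.php?sort=9d",
]

# Hypothetical allowlist: number in the sort value -> column actually used in ORDER BY.
# The user-supplied value never reaches SQL; only these fixed strings do.
SORTABLE_COLUMNS = {1: "p.products_model", 2: "pd.products_name",
                    3: "m.manufacturers_name", 4: "p.products_quantity",
                    5: "p.products_price"}
DEFAULT_SORT = (SORTABLE_COLUMNS[5], "DESC")  # assumed default

# Rule from the thread: a number followed by a single direction character, a or d.
SORT_RE = re.compile(r"^(\d+)([ad])$")
# Log check: a sleep-style function call anywhere in the decoded query string.
SLEEP_PROBE_RE = re.compile(r"\b(PG_)?SLEEP\s*\(", re.IGNORECASE)


def parse_sort(raw):
    """Return (column, direction); anything outside the allowlist falls back to the default."""
    m = SORT_RE.match(raw or "")
    if not m:
        return DEFAULT_SORT          # ')' , '/' etc. are not part of a valid value
    column = SORTABLE_COLUMNS.get(int(m.group(1)))
    if column is None:
        return DEFAULT_SORT          # number does not name a sortable column
    return (column, "ASC" if m.group(2) == "a" else "DESC")


def sort_from_url(url):
    """Pull the sort parameter out of a logged URL and validate it."""
    return parse_sort(parse_qs(urlsplit(url).query).get("sort", [""])[0])


def looks_like_sleep_probe(url):
    """True if the decoded query carries a PG_SLEEP/SLEEP call, as in the quoted entry."""
    return bool(SLEEP_PROBE_RE.search(unquote_plus(urlsplit(url).query)))


if __name__ == "__main__":
    for url in REQUESTS:
        print(sort_from_url(url), "probe" if looks_like_sleep_probe(url) else "ok", url[:60])
```

Decoding the first entry shows why it is rejected: the sort value becomes `5d)/**/AND/**/6997=(SELECT ... PG_SLEEP(5)) ...`, which fails the number-plus-direction rule, so the shop uses its default ordering.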