Hi All,
I came across this tool called sqlmap, and when I run it, it's able to show me this info.
Code:
[01:23:44] [INFO] the back-end DBMS is MySQL
web server operating system: Linux CentOS 6.5
web application technology: PHP 5.3.3, Apache 2.2.15
back-end DBMS: MySQL 5.0.11
How can I further harden my server to protect this information from being revealed?
You're only leaking version information here and while that will give some clues it's minor compared to being able to enumerate the database and fetch / inject data. Now that would be another thing.
Dear Unspawn,
Will I be able to close this minor leak, or is it OK to leave it? Yes, I have a report as below.
Quote:
sqlmap identified the following injection points with a total of 722 HTTP(s) requests:
---
Parameter: ID (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: ta=asaa&ID=74 AND 3387=3387&na=0&bc=C
Type: UNION query
Title: MySQL UNION query (NULL) - 6 columns
Payload: ta=asaa&ID=74 UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,CONCAT(0x71766a7171,0x78587565526f656b4e4b,0x716a707871)#&na=0&bc=C
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: ta=asaa&ID=74=74 AND SLEEP(5)&na=0&bc
I tested the UNION query and it does not give any result. But the boolean-based blind does give a result, and the time-based blind kind of stops my application. What can I do to improvise?
I did try with the option --tables but it gave me this:
Quote:
[02:13:40] [WARNING] something went wrong with full UNION technique (could be because of limitation on retrieved number of entries). Falling back to partial UNION technique
[02:13:40] [WARNING] the SQL query provided does not return any output
[02:13:40] [WARNING] in case of continuous data retrieval problems you are advised to try a switch '--no-cast' or switch '--hex'
Dear Unspawn,
OK, the link looks quite comprehensive. But how do I hide my web server and DB information first? I think on the queries I will need some time to address them.
Dear Unspawn,
Are there any files in the PHP config or MySQL in CentOS that I can use to hide that information? How is the information actually retrieved so easily via sqlmap? Do I need to further beef up the hardening of my servers?
Fundamentally, you have to ensure that the logic of the web-site is immune to any form of "SQL injection." There is no automated tool or technique that can do this ... the web-site, itself, must be "correctly designed!"
If your web-site is built in such a way that "the web-server issues SQL queries directly," which is the most common case, then at least two things must be the case:
The web-site always uses "SQL placeholders" to insert parameters into every query that it issues ... it never constructs an SQL-query string.
The web-site logs on to the web-server using minimally-capable database user-id(s).
A truly-secure web server does not have any direct access to its database. Instead, it issues transaction-requests to a completely-isolated transaction server which cannot by any means be accessed directly from the Internet, nor from the company's internal net.
If "that tool of yours" produces a-n-y results at all, then it is simply telling you that: "this web-server is by design h-o-p-e-l-e-s-s-l-y insecure!" No third-party tool or technique will make it otherwise. No third-party tool or technique will insulate it. "Your Emperor Has No Clothes."
Dear Sundialsvcs,
I agree with your suggestion. Yes, the current queries are mostly direct queries and will be changed to use prepared statements. The user which logs on the webserver is given minimal capability, just to insert, update and delete, that's it. For your second suggestion, due to the nature of this server being a test server, both the webserver and DB server are on the same machine. In the production server only the webserver is accessible from the outside world, and the DB is only accessible via our firewall VPN. So what is your best suggestion to secure both the web and DB server besides using prepared statements? Well, I have secured the web server even using mod_security too.
The specific problem that I am pointing-out is not "what the user is authorized to do," but rather, "how the SQL statements that do it are constructed." Basically, they should not be "constructed." They should be hard-coded and unchangeable, and they should rely upon SQL placeholders ... so-called "bound query-parameters" ... to supply all user values. No user input should ever be capable of altering the SQL statement itself.
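The difference between a constructed query and a bound parameter, as an added example that is not part of the original thread. It uses Python's sqlite3 instead of the poster's PHP/MySQL stack so that it runs offline; the `items` table and the function names are hypothetical, and the input string is the boolean-based payload quoted from the sqlmap report above.

```python
import re
import sqlite3

def make_db():
    # Constructed sample data; table and column names are hypothetical.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE items (id INTEGER PRIMARY KEY, name TEXT)")
    db.executemany("INSERT INTO items VALUES (?, ?)",
                   [(74, "widget"), (75, "gadget")])
    return db

def lookup_concatenated(db, raw_id):
    # The pattern sqlmap flagged: the request value becomes part of the SQL
    # text, so everything after the number is parsed and executed as SQL.
    sql = "SELECT id, name FROM items WHERE id = " + raw_id
    return db.execute(sql).fetchall()

def lookup_bound(db, raw_id):
    # Fixed statement text; the value travels separately as a bound parameter
    # and can only ever be compared as data. SQLite finds no row for the
    # non-numeric string (MySQL would cast it to 74 with a warning); in
    # neither case is the text after the number executed.
    sql = "SELECT id, name FROM items WHERE id = ?"
    return db.execute(sql, (raw_id,)).fetchall()

def lookup_validated(db, raw_id):
    # Bound parameter plus input validation: an ID that is not a plain
    # integer is rejected before any query is issued.
    if not re.fullmatch(r"[0-9]{1,10}", raw_id):
        raise ValueError("ID must be an integer")
    return lookup_bound(db, int(raw_id))

if __name__ == "__main__":
    db = make_db()
    payload = "74 AND 3387=3387"  # ID value from the sqlmap report
    print("concatenated:", lookup_concatenated(db, payload))
    print("bound:       ", lookup_bound(db, payload))
    print("validated 74:", lookup_validated(db, "74"))
    try:
        lookup_validated(db, payload)
    except ValueError as exc:
        print("validated payload rejected:", exc)
```
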
Dear Sundialsvcs,
Thank you. I am fully aware and am changing those queries which were not well constructed into prepared statements. Back to my previous question: how can sqlmap get the DB information, and is there a mechanism to hide it, or does this indicate that something needs to be patched or closed on my server?