LinuxQuestions.org
Old 12-30-2014, 11:27 AM   #1
newbie14
Member
 
Registered: Sep 2011
Posts: 646

Rep: Reputation: Disabled
How to protect web server and db information?


Hi All,
I came across this tool called sqlmap, and when I run it, it's able to show me this info.

Code:
[01:23:44] [INFO] the back-end DBMS is MySQL
web server operating system: Linux CentOS 6.5
web application technology: PHP 5.3.3, Apache 2.2.15
back-end DBMS: MySQL 5.0.11
How can I further harden my server to protect this information from being revealed?
 
Old 12-30-2014, 12:07 PM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
You're only leaking version information here and while that will give some clues it's minor compared to being able to enumerate the database and fetch / inject data. Now that would be another thing.
 
Old 12-30-2014, 12:14 PM   #3
newbie14
Member
 
Registered: Sep 2011
Posts: 646

Original Poster
Rep: Reputation: Disabled
Dear Unspawn,
Will I be able to close this minor leak or is it OK to leave it? Yes, I have the report as below.

Quote:
sqlmap identified the following injection points with a total of 722 HTTP(s) requests:
---
Parameter: ID (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: ta=asaa&ID=74 AND 3387=3387&na=0&bc=C

Type: UNION query
Title: MySQL UNION query (NULL) - 6 columns
Payload: ta=asaa&ID=74 UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,CONCAT(0x71766a7171,0x78587565526f656b4e4b,0x716a707871)#&na=0&bc=C

Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: ta=asaa&ID=74=74 AND SLEEP(5)&na=0&bc
I tested, and the UNION query does not give any result. But boolean-based blind does give a result, and time-based blind kind of stops my application. What can I do to improve?

I did try with the option --tables but it gave me this:

Quote:
[02:13:40] [WARNING] something went wrong with full UNION technique (could be because of limitation on retrieved number of entries). Falling back to partial UNION technique
[02:13:40] [WARNING] the SQL query provided does not return any output
[02:13:40] [WARNING] in case of continuous data retrieval problems you are advised to try a switch '--no-cast' or switch '--hex'
 
Old 12-31-2014, 05:01 AM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Start here: https://www.owasp.org/index.php/SQL_...on_Cheat_Sheet ?
 
Old 12-31-2014, 08:32 AM   #5
newbie14
Member
 
Registered: Sep 2011
Posts: 646

Original Poster
Rep: Reputation: Disabled
Dear Unspawn,
OK, the link looks quite comprehensive. But how do I hide my web server and db information first? I think on the queries I will need some time to address them.
 
Old 12-31-2014, 10:31 AM   #6
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Put it behind a load balancer or reverse proxy?
 
Old 01-01-2015, 10:04 AM   #7
newbie14
Member
 
Registered: Sep 2011
Posts: 646

Original Poster
Rep: Reputation: Disabled
Dear Unspawn,
Are there any files in the PHP config or MySQL in CentOS that I can use to hide that information? How is the information actually retrieved so easily via sqlmap? Do I need to further beef up my hardening of servers?
 
Old 01-02-2015, 10:55 AM   #8
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 10,668
Blog Entries: 4

Rep: Reputation: 3945
Fundamentally, you have to ensure that the logic of the web-site is immune to any form of "SQL injection." There is no automated tool or technique that can do this ... the web-site, itself, must be "correctly designed!"
  1. If your web-site is built in such a way that "the web-server issues SQL queries directly," which is the most common case, then at least two things must be the case:
    • The web-site always uses "SQL placeholders" to insert parameters into every query that it issues ... it never constructs an SQL-query string.
    • The web-site logs on to the web-server using minimally-capable database user-id(s).
  2. A truly-secure web server does not have any direct access to its database. Instead, it issues transaction-requests to a completely-isolated transaction server which cannot by any means be accessed directly from the Internet, nor from the company's internal net.
If "that tool of yours" produces a-n-y results at all, then it is simply telling you that: "this web-server is by design h-o-p-e-l-e-s-s-l-y insecure!" No third-party tool or technique will make it otherwise. No third-party tool or technique will insulate it. "Your Emperor Has No Clothes."
 
Old 01-03-2015, 01:51 AM   #9
newbie14
Member
 
Registered: Sep 2011
Posts: 646

Original Poster
Rep: Reputation: Disabled
Dear Sundialsvcs,
I agree with your suggestion. Yes, the current queries are mostly direct queries and will be changed to use prepared statements. The user which logs on to the webserver is given minimal capability, just to insert, update and delete, that's it. For your second suggestion, due to the nature of this server being a test server, both the webserver and db server are on the same machine. In the production server only the webserver is accessible from the outside world and the db is only accessible via our firewall VPN. So what is your best suggestion to secure both the web and db server besides using prepared statements? Well, I have secured the web server even using mod_security too.
 
Old 01-03-2015, 09:33 PM   #10
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 10,668
Blog Entries: 4

Rep: Reputation: 3945
The specific problem that I am pointing-out is not "what the user is authorized to do," but rather, "how the SQL statements that do it are constructed." Basically, they should not be "constructed." They should be hard-coded and unchangeable, and they should rely upon SQL placeholders ... so-called "bound query-parameters" ... to supply all user values. No user input should ever be capable of altering the SQL statement itself.
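
The difference between a constructed query and one using bound parameters, as an added example that is not part of the original posts. It uses Python's sqlite3 with an in-memory table so it runs offline (the thread's application is PHP with MySQL); the table, data and function names are assumptions, and the second query string is the boolean-based one quoted in the sqlmap report in post #3.

```python
import sqlite3
from urllib.parse import parse_qs

# Constructed sample data; the table, columns and function names are
# assumptions for this example, not taken from the poster's application.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE items (id INTEGER PRIMARY KEY, name TEXT)")
    db.executemany("INSERT INTO items VALUES (?, ?)",
                   [(73, "alpha"), (74, "bravo"), (75, "charlie")])
    return db

def get_id(query_string):
    """Pull the raw ID parameter out of a GET query string."""
    return parse_qs(query_string)["ID"][0]

def lookup_concat(db, query_string):
    """The 'before': user input is pasted into the SQL text."""
    sql = "SELECT id, name FROM items WHERE id = " + get_id(query_string)
    return db.execute(sql).fetchall()

def lookup_bound(db, query_string):
    """The 'after': fixed SQL text, value validated and then bound."""
    raw = get_id(query_string)
    if not raw.isdigit():  # ID must be a plain non-negative integer
        raise ValueError("ID is not an integer: %r" % raw)
    sql = "SELECT id, name FROM items WHERE id = ?"
    return db.execute(sql, (int(raw),)).fetchall()

# A normal request, and the query string from the sqlmap report above.
NORMAL = "ta=asaa&ID=74&na=0&bc=C"
REPORTED = "ta=asaa&ID=74 AND 3387=3387&na=0&bc=C"

if __name__ == "__main__":
    db = make_db()
    # Concatenation: both requests succeed, so the text after "74"
    # was parsed by the database as part of the statement.
    print(lookup_concat(db, NORMAL))
    print(lookup_concat(db, REPORTED))
    # Bound parameter: the statement text never changes, and the
    # non-integer value is rejected before it reaches the database.
    print(lookup_bound(db, NORMAL))
    try:
        lookup_bound(db, REPORTED)
    except ValueError as exc:
        print("rejected:", exc)
```

The same pattern applies in PHP through prepared statements in PDO or mysqli: the SQL text is a constant and the ID arrives only as a bound value.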
 
Old 01-04-2015, 09:42 AM   #11
newbie14
Member
 
Registered: Sep 2011
Posts: 646

Original Poster
Rep: Reputation: Disabled
Dear Sundialsvcs,
Thank you, and I am fully aware and am changing those queries which were not well constructed into prepared statements. Back to my previous question: how can sqlmap get the db information, and what is the mechanism to hide it, or is this indicating something needs to be patched or closed in my server?
 
Old 01-04-2015, 11:25 AM   #12
Habitual
LQ Veteran
 
Registered: Jan 2011
Location: Abingdon, VA
Distribution: Catalina
Posts: 9,374
Blog Entries: 37

Rep: Reputation: Disabled
Hide the web server version
 
Old 01-04-2015, 09:02 PM   #13
newbie14
Member
 
Registered: Sep 2011
Posts: 646

Original Poster
Rep: Reputation: Disabled
Dear Habitual,
Great, thanks for the tips on Apache. Is there anything similar for MySQL to be hidden?
 
Old 01-05-2015, 08:43 AM   #14
Habitual
LQ Veteran
 
Registered: Jan 2011
Location: Abingdon, VA
Distribution: Catalina
Posts: 9,374
Blog Entries: 37

Rep: Reputation: Disabled
Quote:
Originally Posted by newbie14 View Post
Dear Habitual,
Great, thanks for the tips on Apache. Is there anything similar for MySQL to be hidden?
You are welcome.

Maybe change mysql to another port?
 
Old 01-05-2015, 01:02 PM   #15
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
I do need to emphasise hiding such information is purely cosmetic and it doesn't change a thing security-wise.
 
  

