
SQL Injections, high risk?

Hello,

I keep getting the following error reports. In the previous days I have been getting approximately 100 such messages per day.
I suppose somebody is trying to hack our site. Is this a high-risk issue?
On our store we have all the latest security updates installed. I also tested my site on magereport and it is "LOW RISK".
I tried to google these error messages and the strange injections in the URL, but found no such discussion.
Thank you in advance.


URL: http://www.mysitedomain.com/blog/tag/1'/**/OR/**/UPDATEXML(3246,CONCAT(0x2e,0x716b787a71,(SELECT/**/(ELT(3246=3246,1))),0x7170786271),9487)--/**/Mkct
IP Address: 93.103.9.93
Time: 2016-10-02 09:01:51 GMT
Error:
SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '' LIKE CONCAT(value,'%') and path LIKE 'web/unsecure/base_url'
                 ' at line 1, query was: SELECT `e`.`scope`, `e`.`scope_id` FROM `core_config_data` AS `e` WHERE ('http://www.mysitedomain.com/blog/tag/1'/**/OR/**/UPDATEXML(3246,CONCAT(0x2e,0x716b787a71,(SELECT/**/(ELT(3246=3246,1))),0x7170786271),9487)--/**/Mkct' LIKE CONCAT(value,'%') and path LIKE 'web/unsecure/base_url'
                    OR 'https://www.mysitedomain.com/blog/tag/1'/**/OR/**/UPDATEXML(3246,CONCAT(0x2e,0x716b787a71,(SELECT/**/(ELT(3246=3246,1))),0x7170786271),9487)--/**/Mkct' LIKE CONCAT(value,'%') and path LIKE 'web/secure/base_url'
                ) ORDER BY CHAR_LENGTH(value) DESC

Trace:
#0 /home/admin/domains/mysitedomain.com/public_html/lib/Varien/Db/Statement/Pdo/Mysql.php(110): Zend_Db_Statement_Pdo->_execute(Array)
#1 /home/admin/domains/mysitedomain.com/public_html/app/code/core/Zend/Db/Statement.php(291): Varien_Db_Statement_Pdo_Mysql->_execute(Array)
#2 /home/admin/domains/mysitedomain.com/public_html/lib/Zend/Db/Adapter/Abstract.php(480): Zend_Db_Statement->execute(Array)
#3 /home/admin/domains/mysitedomain.com/public_html/lib/Zend/Db/Adapter/Pdo/Abstract.php(238): Zend_Db_Adapter_Abstract->query('SELECT `e`.`sco...', Array)
#4 /home/admin/domains/mysitedomain.com/public_html/lib/Varien/Db/Adapter/Pdo/Mysql.php(504): Zend_Db_Adapter_Pdo_Abstract->query('SELECT `e`.`sco...', Array)
#5 /home/admin/domains/mysitedomain.com/public_html/lib/Zend/Db/Adapter/Abstract.php(737): Varien_Db_Adapter_Pdo_Mysql->query('SELECT `e`.`sco...', Array)
#6 /home/admin/domains/mysitedomain.com/public_html/app/code/local/Amasty/GeoipRedirect/Model/Fpc/Front.php(337): Zend_Db_Adapter_Abstract->fetchAll(Object(Varien_Db_Select))
#7 /home/admin/domains/mysitedomain.com/public_html/app/code/local/Amasty/GeoipRedirect/Model/Fpc/Front.php(51): Amasty_GeoipRedirect_Model_Fpc_Front->getStoreId(Object(Zend_Controller_Request_Http))
#8 /home/admin/domains/mysitedomain.com/public_html/var/cache/ew/files/7a/3e/Mage/Core/Model/Cache.php(706): Amasty_GeoipRedirect_Model_Fpc_Front->extractContent(false)
#9 /home/admin/domains/mysitedomain.com/public_html/app/code/core/Mage/Core/Model/App.php(351): Mage_Core_Model_CacheOverriddenClass->processRequest()
#10 /home/admin/domains/mysitedomain.com/public_html/app/Mage.php(683): Mage_Core_Model_App->run(Array)
#11 /home/admin/domains/mysitedomain.com/public_html/index.php(95): Mage::run('', 'store')
#12 {main}


URL: http://www.mysitedomain.com/blog/tag/1')/**/AS/**/xKtr/**/WHERE/**/8021=8021/**/AND/**/UPDATEXML(7246,CONCAT(0x2e,0x716b787a71,(SELECT/**/(ELT(7246=7246,1))),0x7170786271),7188)--/**/wxTE
IP Address: 193.106.30.130
Time: 2016-10-02 08:35:32 GMT
Error:
SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 'AS/**/xKtr/**/WHERE/**/8021=8021/**/AND/**/UPDATEXML(7246,CONCAT(0x2e,0x716b787a' at line 1, query was: SELECT `e`.`scope`, `e`.`scope_id` FROM `core_config_data` AS `e` WHERE ('http://www.mysitedomain.com/blog/tag/1')/**/AS/**/xKtr/**/WHERE/**/8021=8021/**/AND/**/UPDATEXML(7246,CONCAT(0x2e,0x716b787a71,(SELECT/**/(ELT(7246=7246,1))),0x7170786271),7188)--/**/wxTE' LIKE CONCAT(value,'%') and path LIKE 'web/unsecure/base_url'
                    OR 'https://www.mysitedomain.com/blog/tag/1')/**/AS/**/xKtr/**/WHERE/**/8021=8021/**/AND/**/UPDATEXML(7246,CONCAT(0x2e,0x716b787a71,(SELECT/**/(ELT(7246=7246,1))),0x7170786271),7188)--/**/wxTE' LIKE CONCAT(value,'%') and path LIKE 'web/secure/base_url'
                ) ORDER BY CHAR_LENGTH(value) DESC

Trace:
#0 /home/admin/domains/mysitedomain.com/public_html/lib/Varien/Db/Statement/Pdo/Mysql.php(110): Zend_Db_Statement_Pdo->_execute(Array)
#1 /home/admin/domains/mysitedomain.com/public_html/app/code/core/Zend/Db/Statement.php(291): Varien_Db_Statement_Pdo_Mysql->_execute(Array)
#2 /home/admin/domains/mysitedomain.com/public_html/lib/Zend/Db/Adapter/Abstract.php(480): Zend_Db_Statement->execute(Array)
#3 /home/admin/domains/mysitedomain.com/public_html/lib/Zend/Db/Adapter/Pdo/Abstract.php(238): Zend_Db_Adapter_Abstract->query('SELECT `e`.`sco...', Array)
#4 /home/admin/domains/mysitedomain.com/public_html/lib/Varien/Db/Adapter/Pdo/Mysql.php(504): Zend_Db_Adapter_Pdo_Abstract->query('SELECT `e`.`sco...', Array)
#5 /home/admin/domains/mysitedomain.com/public_html/lib/Zend/Db/Adapter/Abstract.php(737): Varien_Db_Adapter_Pdo_Mysql->query('SELECT `e`.`sco...', Array)
#6 /home/admin/domains/mysitedomain.com/public_html/app/code/local/Amasty/GeoipRedirect/Model/Fpc/Front.php(337): Zend_Db_Adapter_Abstract->fetchAll(Object(Varien_Db_Select))
#7 /home/admin/domains/mysitedomain.com/public_html/app/code/local/Amasty/GeoipRedirect/Model/Fpc/Front.php(51): Amasty_GeoipRedirect_Model_Fpc_Front->getStoreId(Object(Zend_Controller_Request_Http))
#8 /home/admin/domains/mysitedomain.com/public_html/var/cache/ew/files/7a/3e/Mage/Core/Model/Cache.php(706): Amasty_GeoipRedirect_Model_Fpc_Front->extractContent(false)
#9 /home/admin/domains/mysitedomain.com/public_html/app/code/core/Mage/Core/Model/App.php(351): Mage_Core_Model_CacheOverriddenClass->processRequest()
#10 /home/admin/domains/mysitedomain.com/public_html/app/Mage.php(683): Mage_Core_Model_App->run(Array)
#11 /home/admin/domains/mysitedomain.com/public_html/index.php(95): Mage::run('', 'store')
#12 {main}
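Added example, not part of the thread: a small Python triage script over error reports of the shape quoted above. It pulls out URL, IP and time, flags the injection markers these requests carry (UPDATEXML, /**/ padding, hex marker strings, a trailing SQL comment), and checks the point that actually decides the risk: whether the raw request path, quote and all, appears verbatim inside the SQL the server executed, which shows the input was concatenated into the query rather than bound as a parameter. The sample report is constructed (payload from the first report above; host and IP are documentation values).

```python
import re

# Constructed sample in the shape of the error reports quoted in the post: the payload
# is the one from the first report; host and IP are replaced with documentation values.
PAYLOAD = ("1'/**/OR/**/UPDATEXML(3246,CONCAT(0x2e,0x716b787a71,"
           "(SELECT/**/(ELT(3246=3246,1))),0x7170786271),9487)--/**/Mkct")
URL = "http://www.example.test/blog/tag/" + PAYLOAD
SAMPLE_REPORT = f"""URL: {URL}
IP Address: 192.0.2.10
Time: 2016-10-02 09:01:51 GMT
Error:
SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax, query was: SELECT `e`.`scope`, `e`.`scope_id` FROM `core_config_data` AS `e` WHERE ('{URL}' LIKE CONCAT(value,'%') and path LIKE 'web/unsecure/base_url') ORDER BY CHAR_LENGTH(value) DESC
"""

# Markers of the error-based injection family seen in the thread (case-insensitive).
SIGNATURES = {
    "updatexml": re.compile(r"\bUPDATEXML\s*\(", re.I),
    "extractvalue": re.compile(r"\bEXTRACTVALUE\s*\(", re.I),
    "comment_padding": re.compile(r"/\*\*/"),            # /**/ used in place of spaces
    "hex_literal": re.compile(r"0x[0-9a-f]{6,}", re.I),  # tool marker strings
    "comment_tail": re.compile(r"--(/\*\*/|\s|$)"),      # trailing SQL comment
}
FIELD = re.compile(r"^(URL|IP Address|Time): (.*)$", re.M)

def parse_report(text):
    """Pull URL, IP, time and the executed SQL out of one Magento error report."""
    fields = dict(FIELD.findall(text))
    m = re.search(r"query was: (.*)", text, re.S)
    return {"url": fields.get("URL", ""), "ip": fields.get("IP Address", ""),
            "time": fields.get("Time", ""), "query": m.group(1).strip() if m else ""}

def triage(text):
    """Classify one report: which markers are present, and did the raw path reach SQL?"""
    rep = parse_report(text)
    parts = rep["url"].split("/", 3)
    path = parts[3] if len(parts) == 4 else rep["url"]
    hits = sorted(n for n, rx in SIGNATURES.items() if rx.search(rep["url"]))
    # Decisive evidence: the request path, quote and all, sits verbatim inside the SQL the
    # server ran, so the input was concatenated into the query instead of bound.
    reflected = bool(path) and path in rep["query"]
    return {**rep, "signatures": hits, "input_reaches_sql": reflected}

def summarise(reports):
    # Count reports per source IP and how many of them show input reaching SQL.
    out = {}
    for r in map(triage, reports):
        c = out.setdefault(r["ip"], {"reports": 0, "reflected": 0})
        c["reports"] += 1
        c["reflected"] += int(r["input_reaches_sql"])
    return out
```

Run it over the day's reports from var/report and the per-IP summary shows both how many attempts there were and that every one of them reached the query unescaped, which is the answer to "is this high risk" regardless of what magereport says about known exploits.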


Re: SQL Injections, high risk?

SQL injections are possible.

And obviously magereport cannot detect it, because they only check for some known exploits.

Just keep everything up to date. Upgrade your blog extension.

Add this type of URI args to an .htaccess rule to deny it.


------------
MagenX - Magento and Server optimization

Re: SQL Injections, high risk?

Thank you for your reply. So I can assume that these injection attempts are quite common?

As said, we have the latest version; do you think that this attack is not dangerous? Can you advise how to verify whether there was an injection?

I was reading about preventing such args in .htaccess for Magento and it is not a best practice, because it can prevent Magento from working normally, or don't you think so?

Sorry for some beginner questions, but we are quite new to such SQL injections/hacks.


Re: SQL Injections, high risk?

I'm getting similar issues today from Sucuri monitoring.

old/includes/src/Nwdthemes_Revslider_Helper_Framework.phpphp.spam-seo.injector.128
old/app/code/community/Nwdthemes/Revslider/Helper/Framework.phpphp.spam-seo.injector.128


Any suggestions or should I whitelist it?