[Scalemotorcars]

I just got a DB error and searched the IP it came from and its been reported for SQL Injection. Is there a way to test to see if they were successful?

Thanks.

[Scalemotorcars]

Anyone have a clue?

[snakes1100]

What DB error did u get?

[Scalemotorcars]

I changed the DB table ID but her you go. And thanks for looking at it.

Invalid SQL:
SELECT node.nodeid AS itemid,
(node.nodeleft = 1) AS isroot, node.nodeid, node.contenttypeid, node.contentid, node.url, node.parentnode, node.styleid, node.userid,
node.layoutid, node.publishdate, node.setpublish, node.issection, parent.permissionsfrom as parentpermissions,
node.permissionsfrom, node.publicpreview, node.showtitle, node.showuser, node.showpreviewonly, node.showall,
node.showupdated, node.showviewcount, node.showpublishdate, node.settingsforboth, node.includechildren, node.editshowchildren,
node.shownav, node.hidden, node.nosearch, node.nodeleft,
info.description, info.title, info.html_title, info.viewcount, info.creationdate, info.workflowdate,
info.workflowstatus, info.workflowcheckedout, info.workflowlevelid, info.associatedthreadid,
user.username, sectionorder.displayorder, thread.replycount, parentinfo.title AS parenttitle

FROM A2Ctest_cms_node AS node
INNER JOIN A2Ctest_cms_nodeinfo AS info ON info.nodeid = node.nodeid

LEFT JOIN A2Ctest_user AS user ON user.userid = node.userid
LEFT JOIN A2Ctest_thread AS thread ON thread.threadid = info.associatedthreadid
LEFT JOIN A2Ctest_cms_sectionorder AS sectionorder ON sectionorder.sectionid = 1
AND sectionorder.nodeid = node.nodeid
LEFT JOIN A2Ctest_cms_node AS parent ON parent.nodeid = node.parentnode
LEFT JOIN A2Ctest_cms_nodeinfo AS parentinfo ON parentinfo.nodeid = parent.nodeid
INNER JOIN A2Ctest_cms_node AS rootnode
ON rootnode.nodeid = 1 AND (node.nodeleft >= rootnode.nodeleft AND node.nodeleft <= rootnode.noderight) AND node.nodeleft != rootnode.nodeleft AND node.contenttypeid <> 23 AND node.new != 1 AND ( (( (node.permissionsfrom IN (-1)) OR ( node.permissionsfrom in (1,2,5,11,45,117,118,119,120,121,122,123,124,125,126,127,128,129,130,131,132,133 ,134,135,136,148,149,164,165,205,242,243,273,336,337,338,375,377) AND (node.parentnode IN (1,133,134,136,375,242,205,45,117,336,337,338,377) OR node.nodeid = 1) AND
node.setpublish > 0 AND node.publishdate < 1534174163 ))) OR (node.setpublish AND node.publishdate <1534174163 AND node.publicpreview > 0))AND node.hidden = 0 AND ((node.setpublish = '1' AND node.publishdate <= 1534174163 ) OR node.userid = 0)

ORDER BY node.publishdate DESC LIMIT -16, 80;

[snakes1100]

You can use these to scan for anything suspicious.


SELECT title, phpcode, hookname, product FROM plugin WHERE phpcode LIKE '%base64%' OR phpcode LIKE '%exec%' OR phpcode LIKE '%system%' OR phpcode like '%pass_thru%' OR phpcode like '%iframe%';


SELECT styleid, title, template FROM template WHERE template LIKE '%base64%' OR template LIKE '%exec%' OR template LIKE '%system%' OR template like '%pass_thru%' OR template like '%iframe%';


Did you locate anything in the apache/nginx etc log related to that attempted post in the cms for that time stamp?

[Scalemotorcars]

Well, using PHPmyadmin I found the below items.

I'm not sure how to do the search you're referring to. And not sure how to check apache/nginx. In laymen's terms, please.

And thanks for the help.

%base64% in _searchcore_text, _pmtext, and _post

%exec% in _autosave, _cache, _cacheevent, _widgetconfig, _widgettype, _cronlog, _datastore, dbtech_dbseo_resolvedurl, iei_img, _language, _phrase, _plugin, _pmtext, _post, _postedithistory, _productcode, _searchcore_text, _searchgroup_text, _style, _template, _templatehistory, _thread, _user

[Max Taxable]

Originally Posted by Scalemotorcars

I'm not sure how to do the search you're referring to.

I believe (pretty sure) he gave you SQL queries you can run via ACP.

[Scalemotorcars]

Not sure how to check in the ACP. Step by step if its not to much hassle.

Thanks

[Max Taxable]

ACP>Maintenance>Execute SQL Query

One at a time, paste his queries into the manual query box and click "Continue."

You have to be a Super Admin with query running permissions as defined in includes/config.php or nothing will happen, except it will let you know you don't have permission to run queries.

[Scalemotorcars]

I tried

SELECT title, phpcode, hookname, product FROM plugin WHERE phpcode LIKE '%base64%'

This returned an error number: 1146

Did I get the query wrong?

Sorry I feel like a total noob. You would think after 12 years I would know how to do this.

[Max Taxable]

He posted two, complete queries. Looks like you posted only part of the first one.

The queries are:

Block Disabled:      (Update License Status)
Suspended or Unlicensed Members Cannot View Code.

And:

Block Disabled:      (Update License Status)
Suspended or Unlicensed Members Cannot View Code.

Try them one at a time.

[Scalemotorcars]

Tried that also. Im the super admin so thats not it. aLSO TRIED IN THE sql OF PHPMyAdmin. Same result

This is the complete error I get trying either one.

Block Disabled:      (Update License Status)
Suspended or Unlicensed Members Cannot View Code.

Block Disabled:      (Update License Status)
Suspended or Unlicensed Members Cannot View Code.

And thanks for the help I really appreciate it.

[Max Taxable]

error desc: Table 'p16t2ugb_forum.plugin' doesn't exist

I have no idea at all why it's trying to query that table, it's not called for in either query.

Need the guy who posted the queries to chime in, I may be mistaken what exactly it is he posted there. LOOKS like queries, might not be though.

Sorry i haven't been able to help you so far.

[Scalemotorcars]

Ok I added my prefix to the query and it worked. I got 3 pages of results just for the Plugin query.

Now what?

[Max Taxable]

Originally Posted by Scalemotorcars

Ok I added my prefix to the query and it worked. I got 3 pages of results just for the Plugin query.

Now what?

No idea. Can't be good though.

snakes was online today, maybe he will chime in.