mysql injection damages?

Question

I Just noticed that my mysql_real_escape_string function is not inside a \'\' in some of my php scripts and it was vulnerable to injections and things like

Answer 1

If you have anything like admin panel you should check for webshells and other backdoor-like tools on your server, because attacker could easily read your credentials from appropriate table. And, ofcourse, look for any changes in your pages (look for iframes and suspicious JS code).

Worst case scenario is executing INTO OUTFILE in writeable directory and then accesing it via local include or directly.

But, first of all, before worrying you should consider this as most common automated sql-injection checkers (bots you might say) and if you don't see any damage - mose probably there was no intrusion. But be careful - most intruders nowadays don't look for any visible damage, most probably they will inject some malicious code in your pages (like iframes with their exploits).

So, don't be too paranoid, but still cautious :)

Answer 2

Checking for damage done to your data is dependent on the kind of data you have in your database. If after careful inspection you don't see anything wrong, then there is probably nothing wrong. If your data is of any decent size, this will be difficult or impossible.

There are many automated bots roaming the internet looking for code vulnerable to SQL injection attacks. Their attempts are probably what you are seeing in your logs. Just because an attempt was made does not necessarily mean an intrusion occurred.

Also keep in mind that you won't necessarily have evidence of data being stolen. The best way to determine this would be to take your server logs and replay them on a copy of your current server, checking to see if you get any data back.

Answer 3

As far as I know, there is not hidden mysql setting other than sanitizing your inputs to protect your data from being injected.

You said, you saw lots of injections done by people into the site, and yet you can not see any damage, maybe they were just injecting a plain HTML tags, or trying XXS attacks, because the real mysql injection, can delete your tables, update, reset every data subjected to mysql injection, so if I were you, I would implement PDO right away.

Answer 4

Without any further information, we have to assume the worst case: An attacker is able to read, write, and delete arbitrary data in your database, and possibly even files on your file system, which may lead to compromise of your whole server (e.g. command execution via PHP file, privilege escalation, etc.).

---

Now let’s have a closer look at the possible impact:

Since PHP’s MySQL extension does not allow multiple statements, so called stacked statement attacks are not possible. So the remaining possibilities depend on the actual statement verb and the context, i.e. the clause inside the statement:

• SELECT statement:
  • Reading any accessible data (e.g. sub-queries, unions, boolean-based blind, etc.)
  • Reading files (LOAD_FILE())
  • Writing files (… INTO OUTFILE …)
• UPDATE statement:
  • Obviously updating any accessible data, possibly not just in the current table
  • Reading any accessible data (e.g. sub-queries, boolean-based blind)
• DELETE statement:
  • Obviously deleting any accessible data, possibly not just from the in the current table
  • Reading any accessible data (e.g. sub-queries, boolean-based blind)
• INSERT statement:
  • Obviously inserting arbitrary data
  • Reading any accessible data (e.g. sub-queries)

Some of these may not have a direct impact but may be used to exploit other vulnerabilities. In the end, it depends on the actual vulnerable statement.