Carletto (Italy) asked:
Is this a sql injection and how I can defend myself?

Hi,
today I found several injections from different IP addresses.
The injection is almost the same from every IP:

Line 307537: 173.254.216.68 - - [13/Nov/2012:20:17:46 +0100] "GET /index.php?id=2501&tx_wfqbe_pi1[uid]=1+and(/*!select*/+1+/*!from*/(/*!select*/+count(*),concat_ws(0x3a,substring((SELECT+count(*)+FROM+typo3_db_prod_DB.user_MyCompany_contacts_),1,64),floor(rand(0)*2))x+/*!from*/+/*!information_schema*/.tables+group+by+x)a)+--+ HTTP/1.0" 200 12296 "-" "-"

We have a patched server, and TYPO3, the CMS, is patched as well; the developers are also telling me that the problem could be an extension, wfqbe, developed by a company.

Can you please tell me what this injection is doing and how I can know whether my system is secure?
Thank you
Carlo
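As an added example (not part of the original question or its answers), here is a small Python checker that parses Apache access-log lines like the one quoted above, URL-decodes the query string, strips the MySQL /*! */ comment markers the request uses to hide keywords, and reports which error-based injection markers and which request parameter (here tx_wfqbe_pi1[uid]) carried them. The indicator list and the second, benign log line are constructed for the example.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlparse

# Apache combined log line as in the question; a leading "Line NNN:" (editor output) is ignored.
LOG_RE = re.compile(
    r'^(?:Line \d+:\s*)?(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) \S+" (?P<status>\d{3}) (?P<bytes>\S+)'
)
# Markers of error-based (duplicate-key) injection, matched on the decoded query: a nested
# SELECT COUNT(*) over information_schema with concat_ws + floor(rand(0)*2) and GROUP BY.
INDICATORS = {
    "information_schema": r"\binformation_schema\b",
    "concat_ws": r"\bconcat_ws\s*\(",
    "rand_floor": r"floor\s*\(\s*rand\s*\(\s*0\s*\)\s*\*\s*2\s*\)",
    "group_by": r"\bgroup\s+by\b",
    "nested_select_count": r"\bselect\b[^()]*\bcount\s*\(\s*\*\s*\)",
}

def normalize(query):
    # URL-decode ('+' as space), turn MySQL /*!select*/ into select, lowercase
    decoded = re.sub(r"/\*!|\*/", " ", unquote_plus(query))
    return re.sub(r"\s+", " ", decoded).lower()

def inspect_line(line):
    """Parse one log line; return a finding dict, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    url = urlparse(m.group("url"))
    norm = normalize(url.query)
    hits = [name for name, pat in INDICATORS.items() if re.search(pat, norm)]
    if "/*!" in unquote_plus(url.query):  # versioned comments used to hide keywords
        hits.append("mysql_versioned_comment")
    tainted = [k for k, v in parse_qsl(url.query, keep_blank_values=True)
               if re.search(r"\bselect\b|\bunion\b", normalize(v))]
    return {"ip": m.group("ip"), "path": url.path, "status": int(m.group("status")),
            "hits": hits, "tainted_params": tainted}

def scan(lines, min_hits=2):
    # require several indicators per request to keep false positives down
    return [r for r in map(inspect_line, lines) if r and len(r["hits"]) >= min_hits]

# Constructed sample: the request from the question plus one benign request.
SAMPLE_LOG = [
    '173.254.216.68 - - [13/Nov/2012:20:17:46 +0100] "GET /index.php?id=2501&tx_wfqbe_pi1[uid]=1'
    '+and(/*!select*/+1+/*!from*/(/*!select*/+count(*),concat_ws(0x3a,substring((SELECT+count(*)'
    '+FROM+typo3_db_prod_DB.user_MyCompany_contacts_),1,64),floor(rand(0)*2))x+/*!from*/'
    '+/*!information_schema*/.tables+group+by+x)a)+--+ HTTP/1.0" 200 12296 "-" "-"',
    '10.0.0.5 - - [13/Nov/2012:20:18:00 +0100] "GET /index.php?id=2501&tx_wfqbe_pi1[uid]=1 HTTP/1.1" 200 12296 "-" "Mozilla/5.0"',
]
```

Run scan() over a real access log to list the requests, source IPs and parameters that carried this pattern; a 200 response to such a request (as in the quoted line) means the input reached the page and deserves a closer look.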
ASKER CERTIFIED SOLUTION by oheil (Germany)
Carletto (asker):
Webformat informed me that this is an attempted SQL injection.
Working on this and will let you know.
Carlo
Yes, that is a SQLi attack.
Followed the instructions reported here:
http://typo3.org/extension-manuals/wfqbe/2.0.0/view/1/5/

Honestly, this extension is not the best on security, so we decided to remove it; we saw that the hacker was able to get the list of users from the TYPO3 DB.
Bye,
thanks