mysql injection damages?

Views: 194

Question

I just noticed that my mysql_real_escape_string function is not inside '' in some of my PHP scripts, and it was vulnerable to injections; things like sleep(30) executed on my production site.

I am going the PDO route and implementing prepared statements after lots of reading here, but this is not implemented yet.

A few questions: I see in my logs that lots of injections were done by people online, but I cannot see any damage. The user that the site runs as to do SQL queries has update/select/delete/insert privileges only.

But I am worried: things like sleep(30) and whatnot work, and did they do any damage I am not seeing?
Can you tell me where to check for damage, or was I safe from at least major damage?
Could they have changed hidden MySQL settings or system settings?

By the way, I tried to run the latest updates on CentOS 6+ Linux and PHP.

Edit: just to clarify, the database is almost empty and I am not worried about the data being there; the passwords are hashed with SHA-512. So the data inside is not important, since this is a new application I am writing. But I am worried whether they changed anything on the system or the DB that I should be worried about. Some of the injections I see have Java etc., but the log is huge and it is going to take time to go over it. I also see some schema strings in the injections.

Now the question is: could they have read my schema info or modified it? Why do functions like sleep work if it is a restricted user? What other functions could they have run?

Note: I have other DBs in the same MySQL. Should I be worried about those?

By '' I mean: select * from dbname where id=scaped_string. I should have put it in quotes.
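The unquoted numeric slot described above, shown beside the prepared-statement fix, as an added example that is not part of the original question or answer. The vulnerable version uses the mysqli equivalent of mysql_real_escape_string (the old mysql_ extension no longer exists in current PHP); the table and column names dbname/id come from the question, and the DSN, user and password are placeholders.

```php
<?php
// Added example (not from the original post). Assumes a MySQL table `dbname`
// with an integer column `id`, reachable through mysqli (vulnerable version)
// and PDO (fixed version). Connection details are placeholders.

// BEFORE: the value is escaped but not quoted. Escaping only rewrites the
// characters \ ' " NUL \n \r \x1a. An input that contains none of them,
// such as the sleep(30) call mentioned in the question, passes through
// unchanged and the server parses it as SQL, not as a value.
function findVulnerable(mysqli $db, string $id): array
{
    $escaped = $db->real_escape_string($id);
    $sql = "SELECT * FROM dbname WHERE id=$escaped";   // no quotes around the slot
    return $db->query($sql)->fetch_all(MYSQLI_ASSOC);
}

// AFTER: a prepared statement sends the SQL text and the value separately,
// so user input is never part of the query the server parses.
function findSafe(PDO $db, string $id): array
{
    $stmt = $db->prepare('SELECT * FROM dbname WHERE id = :id');
    $stmt->bindValue(':id', (int) $id, PDO::PARAM_INT);   // id is numeric
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Defence in depth: reject anything that is not a plain integer before it
// reaches the database layer at all. Returns null for invalid input.
function validId(string $raw): ?int
{
    return ctype_digit($raw) ? (int) $raw : null;
}

// PDO connection with real server-side prepares and exceptions on error,
// so a failed query is not silently ignored. DSN/user/password are placeholders.
function connect(): PDO
{
    return new PDO('mysql:host=localhost;dbname=DB_NAME_PLACEHOLDER;charset=utf8mb4',
        'DB_USER_PLACEHOLDER', 'DB_PASSWORD_PLACEHOLDER', [
            PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_EMULATE_PREPARES   => false,
            PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
        ]);
}

$id = validId($_GET['id'] ?? '');
$rows = $id === null ? [] : findSafe(connect(), (string) $id);
```

Wrapping the escaped value in quotes would have made the original query a string comparison and closed the hole the question describes; the prepared statement removes the dependence on getting that quoting right in every script.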

Answer

Checking for damage done to your data is dependent on the kind of data you have in your database. If after careful inspection you don't see anything wrong, then there is probably nothing wrong. If your data is of any decent size, this will be difficult or impossible.

There are many automated bots roaming the internet looking for code vulnerable to SQL injection attacks. Their attempts are probably what you are seeing in your logs. Just because an attempt was made does not necessarily mean an intrusion occurred.

Also keep in mind that you won't necessarily have evidence of data being stolen. The best way to determine this would be to take your server logs and replay them on a copy of your current server, checking to see if you get any data back.
