What is SQL injection?
SQL injection involves the insertion of harmful SQL code by a malicious actor into the input fields of your web application, including forms, URLs, or cookies. They aim to execute this code on your database server, potentially leading to data theft, corruption, or deletion, along with unauthorized access, privilege escalation, or code execution. Any web application utilizing a relational database, such as Joomla, can be susceptible to SQL injection.
Tidak Ada Pembatasan Akses Database
Selain itu, SQL Injection menjadi sangat berbahaya kalau berhasil dilakukan jika developer tidak membatasi akses pada database. Akses suatu user pada database haruslah memiliki akses yang sesedikit mungkin (least privilege rule). Jika website kamu hanya dapat membaca database, maka user yang digunakan untuk mengakses database haruslah hanya memiliki akses baca. Jangan berikan juga akses tulis atau bahkan admin!
Bagaimana SQL Injection Bekerja
Cara kerja SQL Injection adalah dengan menyisipkan perintah SQL jahat ke dalam suatu SQL yang akan dijalankan oleh suatu database. Cara SQL Injection ini bekerja dalam suatu sistem sangatlah bergantung pada implementasi sistem tersebut. Masing-masing sistem memiliki cara yang mungkin berbeda-beda.
Salah satu contoh cara menggunakan SQL Injection untuk mengetahui cara kerjanya,
Kamu memiliki suatu website yang dapat melakukan login. SQL paling sederhana untuk melakukan pengecekan apakah username dan passwordnya benar atau salah adalah seperti ini,
Pengguna akan memasukkan username dan password pada suatu formulir login yang kamu sediakan. Username dan password tersebut akan dijadikan variabel untuk mengisi nilai $username dan $password.
Apa yang terjadi jika pengguna jahat memasukkan username yang isinya seperti ini?
Saat sistemmu menggunakan data masukan pengguna jahat tanpa dicek maupun divalidasi, maka SQL yang terbentuk akan seperti ini:
Bagian SQL setelah tanda -- dianggap sebagai komentar dan SQL tersebut akan menjadi:
Karena SQL yang dijalankan adalah yang bawah tersebut, bisa-bisa pengguna jahat tersebut mendapatkan akses ke user “admin” tanpa perlu tahu password-nya!
Kegunaan SQL Injection
Bagi penyerang, SQL Injection digunakan sebagai salah satu cara untuk mengakses database korban. Di dalam database ini biasanya berisi data-data yang penting. Jika penyerang berhasil masuk ke database dan memiliki akses yang cukup, penyerang dapat mengambil data-data ini.
Data-data ini bisa digunakan untuk di jual kembali di pasar gelap, melakukan blackmailing kepada seseorang, atau kejahatan keuangan seperti carding dan pinjaman online ilegal.
SQL Injection: The Danger it Poses for Joomla
The danger posed by SQL Injection is profound. Among the arsenal of hacking techniques, SQL Injection stands as one of the most perilous. Through this malicious tactic, an attacker can swiftly obliterate not just a table but an entire database using a straightforward command executed via your website. In the contemporary landscape, it is absolutely unacceptable for any website to exhibit a vulnerability to SQL Injection, given that security professionals have been sounding the alarm about this threat for at least a decade. Addressing SQL Injection is a recognized and extensively documented procedure.
How to Protect Joomla Websites Against SQL Injection Attacks
Modifying the default database prefix offers an effective countermeasure against SQL injections, a favored tactic employed by malicious actors to acquire super administrator privileges. While Joomla's latest versions implement this during the initial setup, the steps below elucidate the process of changing the default database prefix for pre-existing installations and provide insight into accessing the Joomla! database directly.
Liều dùng thuốc Aminopoly Injection
Liều tham khảo ở người lớn:
Lưu ý: Liều thuốc Aminopoly Injection trên chỉ mang tính chất tham khảo. Liều thuốc Aminopoly Injection cụ thể tùy thuộc vào thể trạng và mức độ diễn tiến của bệnh. Để có liều Aminopoly Injection phù hợp, người bệnh cần tham khảo ý kiến bác sĩ hoặc chuyên viên y tế.
Limit Access to the Joomla Admin Backend
Prudent restriction of access to the Joomla admin backend is essential, given its sensitive nature. You can achieve this by implementing IP filtering, and the same can be applied to other critical Joomla directories following these steps:1: Begin by creating a .htaccess file if it's not already present in the directory you intend to safeguard.2: Insert the following code into the .htaccess file:Order Deny, AllowDeny from allAllow from xx.xx.xx.xx3: Replace "xx.xx.xx.xx" with the specific IP address from which you wish to permit access.Consider employing security extensions that offer IP filtering capabilities to restrict access to the Joomla admin backend, along with other features that enhance your Joomla website's security.
As there will forever be a level of risk, the ongoing nature of Joomla security necessitates regular evaluation of potential attack vectors. Website proprietors and administrators must consistently enhance their website security to minimize the likelihood of a breach.Ultimately, we trust that you discover this article pragmatic and beneficial. If you require assistance in fortifying your Joomla website, please feel free to share your inquiries in contact form, and we will gladly provide our assistance.
I recently had an SQL injection exploit on my site and since I'm not well versed in this subject I was hoping someone here might have some suggestions as to how it could've happend and, if possible, how to prevent it.
Win2008/IIS7.5 (patched up-to-date)
The exploit inserted new URLs (with marketing/spam titles) into the JoomSEF component. Clearing the cache seems to have got rid of them. Otherwise, there were no apparent damage to the existing URL-mappings or the site as a whole.
The injected URLs typically looked like this:
index.php?option=com_doc&sid=-1 union select 0,1,2,concat(0x217e,password,0x3a,username,0x3a,usertype,0x7e21),4,5,6,7,8,9,10,11 from #__users where gid=25 or gid=24--&task=view
I went through the "list", changed all passwords etc. I also ran Webcruiser a number of times to analyse the site. On a couple of occations it found one or two pages that had "cookie SQL injection vulnarability. Otherwise there were no other vulnerabilities.
So my questions are as follows:
1. What do you think happend here? Ie. is there a way to determine how the hack was able to access to the JoomSEF SQL tables?
2. Likewise: any way to determine which component was at fault here?
Could it be related to the Joomla core bug?:
3. Any suggestions on how to prevent a similar attack, say configuration issues. I am aware that there are newer versions of Joomla, MySQL, PHP and JoomSEF (although the changelog at Artio doesn't mention any security fixes in v4.5.2).
4. Probably a tough question to answer: That it seems to have been limited to JoomSEF, and that it only inserted new URLs (ie. didn't scramble the existing ones), can we speculate on the general security on the site? Ie. did the hacker simply hit a wall and gave up?
I would be very greatful for any insights or suggestions into this. Thank you.
SQL Injection Cheat Sheet
Berikut ini beberapa contoh input yang bisa digunakan untuk melakukan SQL Injection. Gunakan Cheat Sheet ini untuk melindungin website buatan kamu, dan bukan untuk melakukan penyerangan!
Metode ini sudah dicontohkan pada contoh di atas. Input yang dimasukkan diakhiri dengan syntax comment sehingga query menjadi terpotong.
Input ini memotong query target dan mengubah makna dari query tersebut.
Chống chỉ định dùng thuốc Aminopoly Injection
Không dùng thuốc Aminopoly Injection cho các đối tượng sau:
Chống chỉ định là tuyệt đối. Điều này có nghĩa là không vì bất cứ lý do gì mà có thể dùng thuốc Ceftarol trong trường hợp bị chống chỉ định. Mọi quyết định về liều lượng và cách dùng thuốc Aminopoly Injection cần phải tuân theo chỉ định từ bác sĩ.