My PHP application is being attacked by adding a UNION statement to input of username. Specifically, where I check for input of a valid username the sql is modified to be
select username from user where username = '-8546' UNION ALL SELECT CONCAT(0x71626a7071,0x6d6557557a76694b6c4d,0x71786b7a71)#
This has been going on for several days with various variations of the username,with multiple consecutive attepts
This results in me being notified of sql error "The used SELECT statements have a different number of columns".
Because I’m notified of the error, I presume no damage is being done but what is the hacker trying to achieve?
I added code to detect the ip adress of the hacker, $_SERVER['REMOTE_ADDR'], mailed it to me and added it to my list of denied addresses in webmin.
2
Answers
The hacker is just trying to find out which web requests they can exploit. They try to use a negative number as the username, which is almost certainly going to get no match. Then they UNION a row with literal values that they can check for. That is, if they can make your website respond that user "qbjpqmeWUzviKlMqxkzq" exists, then they know they have succeeded in exploiting an SQL injection vulnerability.
Once they determine that, they can use that vulnerability to read other more sensitive information.
I agree with the comments above that you shouldn’t just block the attacker’s IP address. They can just use a VPN to masquerade as a different IP address, and start their attacks again.
What you should do is fix your code. You apparently have some SQL injection flaws in your code, for example using request variables directly in SQL strings.
You should use query parameters instead of copying unsafe variables into your SQL. Query parameters make sure the content is treated as a string literal, not as SQL syntax like
UNION..., so any attempted attack will not be successful regardless of their IP address.This is a problem with a clear and long-known solution. You have no excuse to run code on the internet with SQL injection vulnerabilities.
The significance of UNION in SQL injection is that it can allow the attacker to access other tables and return extra information without breaking a legitimate query, especially if the query in question is only expected to return one row and the client code doesn’t notice the presence of extra rows. You are seeing a probe that attempts to determine which such queries will work.
If your site is really allowing arbitrary query execution then you are horribly vulnerable to attack and you should fix that vulnerability as soon as possible. Do not take any reassurance from the fact that you are getting notified of those errors. There could well be a much larger number of successfully injected queries which are leaking information or doing other damage with no errors reported.