Is there a way to see if a database has been accessed through a SQL injection attack?
I recently discovered that my website had a page with a SQL Injection vulnerability. Upon testing, it was easily exploitable with a pentesting tool like sqlmap. How do I figure out if the site database has been accessed with a SQL Injection attack, possibly exploiting this loophole? The server is running Apache/2.4.18 and MySQL Ver 14.14 Distrib 5.7.16.
mysql sql-injection
asked Jun 4 '17 at 15:57
delphin
Are you logging all queries? (check stackoverflow.com/questions/303994/log-all-queries-in-mysql/…) If so... check your log for "strange" or "unusual" queries...
– joanolo
Jun 4 '17 at 16:06
I am logging all queries. Is there any way to map the queries to the IP addresses from which they came? I want to blacklist these IPs.
– delphin
Jun 4 '17 at 16:15
I don't think you can by only looking at the database log; the database is not accessed from those IPs, but from your web server. The logs of your web server might point you in the right direction. But take into account that any rogue actor might be using (probably through zombie computers) very many IP addresses.
– joanolo
Jun 4 '17 at 17:54
3 Answers
To be proactive, you may have your application use PDO instead of plain SQL queries.
Measures to detect SQL injections could be:
- Alert the relevant teams if any query runs beyond X secs or any value breaches its threshold.
- The team could check whether the slow query log / SHOW PROCESSLIST contains unusual entries; if confirmed as SQL injection, kill the query and remove that application user as a preventive measure.
answered Jun 4 '17 at 17:32
Mannoj
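The first point of the answer above, a parameterized query in place of string-built SQL, as an added example that is not part of the answer. It is Python rather than PHP/PDO and uses the standard-library sqlite3 module as a stand-in for MySQL so that it runs offline; the DB-API pattern is identical with PyMySQL or mysqlclient, where the placeholder is `%s` instead of `?`. The schema, rows and payloads are constructed for the demonstration.

```python
import sqlite3

# Constructed stand-in schema: a users table like the one behind a login page.
SCHEMA = """
CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT);
INSERT INTO users VALUES (1, 'alice', 'hash-a'), (2, 'bob', 'hash-b');
"""


def connect():
    """Fresh in-memory database with the sample rows loaded."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def lookup_user_vulnerable(conn, username):
    """The pattern behind an injectable page: user input spliced into the SQL text.
    Whatever the caller sends is parsed by the database as part of the statement."""
    sql = "SELECT id, username FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_user_safe(conn, username):
    """Parameterized query (what PDO prepared statements give you in PHP): the
    statement text is fixed and the input is bound as a value, so quotes,
    comments and keywords inside it are only characters to compare against."""
    sql = "SELECT id, username FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def demo():
    """Run two classic payloads through both versions and return the rows each gives."""
    conn = connect()
    # Tautology: turns the WHERE clause into a condition that is always true.
    tautology = "' OR '1'='1"
    # UNION: appends a second SELECT that reads a different column (here the
    # password hashes); the trailing -- comments out the closing quote the
    # application appends.
    union = "x' UNION SELECT id, password_hash FROM users --"
    return {
        "vulnerable_tautology": lookup_user_vulnerable(conn, tautology),
        "vulnerable_union": lookup_user_vulnerable(conn, union),
        "safe_tautology": lookup_user_safe(conn, tautology),
        "safe_union": lookup_user_safe(conn, union),
        "safe_normal": lookup_user_safe(conn, "alice"),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:22s} -> {rows}")
```

The vulnerable version returns every user for the tautology and the password hashes for the UNION payload; the parameterized version returns no rows for either and still finds `alice` on normal input. In PHP the same fix is `$stmt = $pdo->prepare('SELECT id, username FROM users WHERE username = ?'); $stmt->execute([$username]);`. One caveat: binding covers values only. Table and column names, or an ORDER BY direction taken from the request, cannot be parameters and need an allowlist instead.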
See Apache's access.log. Interesting things show up there.
answered Jun 4 '17 at 18:25
Rick James
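What "interesting things" look like in practice, as an added example (not from the answer): a scanner over Apache access.log lines that URL-decodes each query string, matches it against a few injection payload shapes, flags sqlmap's default User-Agent, and counts hits per source IP, which is the mapping the asker was after in the comments. It assumes the Apache "combined" LogFormat that Ubuntu's Apache 2.4 uses for access.log by default; the log lines are constructed with RFC 5737 documentation addresses, not real traffic.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Apache "combined" LogFormat:  %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Payload shapes a normal web application never puts in a query string. They are
# matched against the URL-decoded query, so %27 / %20 / + encodings do not hide them.
PAYLOAD_PATTERNS = [
    ("union-select", re.compile(r"\bunion\b.*?\bselect\b", re.I)),
    ("time-based", re.compile(r"\b(?:sleep|benchmark)\s*\(", re.I)),
    ("tautology", re.compile(r"'\s*(?:or|and)\s*['\d(]", re.I)),
    ("schema-probe", re.compile(r"\binformation_schema\b|\bmysql\.user\b|@@version", re.I)),
    ("file-access", re.compile(r"\bload_file\s*\(|\binto\s+(?:out|dump)file\b", re.I)),
]


def scan_access_log(text):
    """Return one finding per request that carries an injection indicator."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # truncated lines or a different LogFormat
        reasons = []
        # sqlmap announces itself unless run with --random-agent / --user-agent.
        if m["ua"].lower().startswith("sqlmap"):
            reasons.append("sqlmap user-agent")
        path = m["path"]
        query = unquote_plus(path.split("?", 1)[1]) if "?" in path else ""
        for name, pattern in PAYLOAD_PATTERNS:
            if pattern.search(query):
                reasons.append(name)
        if reasons:
            findings.append({
                "ip": m["ip"], "time": m["time"], "status": int(m["status"]),
                "query": query, "reasons": reasons,
            })
    return findings


def suspect_ips(findings):
    """Flagged requests per source IP: the list to review before blocking anything."""
    return Counter(f["ip"] for f in findings)


# Constructed sample: two normal visitors, a sqlmap run, and a manual probe.
SAMPLE_LOG = """\
203.0.113.7 - - [04/Jun/2017:16:01:12 +0000] "GET /product.php?id=42 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.23 - - [04/Jun/2017:16:03:40 +0000] "GET /product.php?id=42%27 HTTP/1.1" 500 612 "-" "sqlmap/1.1.5#stable (http://sqlmap.org)"
198.51.100.23 - - [04/Jun/2017:16:03:41 +0000] "GET /product.php?id=42%20AND%20SLEEP(5)-- HTTP/1.1" 200 2048 "-" "sqlmap/1.1.5#stable (http://sqlmap.org)"
198.51.100.23 - - [04/Jun/2017:16:03:47 +0000] "GET /product.php?id=-1%20UNION%20ALL%20SELECT%20NULL%2CCONCAT(user%2C0x3a%2Cpassword)%2CNULL%20FROM%20mysql.user-- HTTP/1.1" 200 3190 "-" "sqlmap/1.1.5#stable (http://sqlmap.org)"
192.0.2.99 - - [04/Jun/2017:17:10:02 +0000] "GET /product.php?id=1%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 9870 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.7 - - [04/Jun/2017:17:12:55 +0000] "GET /search.php?q=select+chair+or+stool HTTP/1.1" 200 1500 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    found = scan_access_log(SAMPLE_LOG)
    for f in found:
        print(f["time"], f["ip"], f["status"], ", ".join(f["reasons"]), "|", f["query"])
    print("per-IP:", dict(suspect_ips(found)))
```

The search request containing the words "select" and "or" is not flagged, because the patterns require the surrounding structure (UNION before SELECT, a quote before OR), which keeps false positives down on real traffic. Two caveats when reading access.log this way: the default format records the request line only, so payloads sent in a POST body (sqlmap `--data`) never appear in it and you are left with the User-Agent, 500 responses and request rate as signals unless something like mod_security logs bodies; and, as the comments note, the IPs you collect are often proxies or bots, so treat the list as leads rather than as a blocklist to apply blindly.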
Since you log all queries against the database, look for queries that don't belong.
Start with queries that failed. Assuming your app isn't riddled with bugs, there should be very few queries submitted to the DB that fail. Attackers typically have a set of queries they execute once they find a vulnerable app. If you apply the principle of least privilege on accounts used to access the DB, you should find a bunch of failed queries. There will also be queries that fail because a less sophisticated attacker might have a bunch of queries that are not compatible with your database edition, version or vendor.
Next, look for queries/commands that could not have been generated by your application. For instance, if the application should never access system tables, system functions, information schema, etc., but you see them in your log, that's a good indicator something might be amiss and warrants deeper investigation. Looking at your OS logs might be helpful here in case they tried or succeeded in planting a backdoor/rootkit.
Once you're done with that, look for queries with unusual/unexpected behavior. For instance, queries that return significantly more data than normal. If you see queries that access all tables around the same time, or that ran SHOW TABLES and then accessed each table in order, there's a good chance you have an attacker that tried (or succeeded) to exfiltrate data. Even something seemingly innocuous like SELECT * without a WHERE clause is suspicious (assuming your app doesn't do this). Note that this applies to any possible query, not just SELECT. The attacker might be some disgruntled employee who decided to randomly DELETE or UPDATE data to get you in trouble with your auditors or worse.
Looking at IP addresses is often not helpful, even if you're looking at the web server logs, unless you have a narrow and/or well-known band of IP addresses your users connect from. Few attackers do it from their home PC anymore. Bots and proxies are found all over the world, plus IPs are easily spoofed. Unless you get your ISP or telco provider involved, it's unlikely you'll get very far looking at your own logs. One better indicator is your corporate firewall or network logs, to find unusual outbound IP targets. An attacker that exfiltrates data has to send it to some real endpoint. That is usually a place that isn't cooperative and/or moves slowly when foreign companies or law enforcement come knocking.
answered Jun 22 '17 at 1:38
SQLmojoe
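The second and third steps of the answer above, run over the MySQL general log, as an added example that is not part of the answer. It parses the FILE-format general log of MySQL 5.7 (`general_log=ON`, `log_output=FILE`; with `log_output=TABLE` the same statements can be queried from `mysql.general_log` instead) and applies three checks to each `Query` entry: access to system objects the application never touches, full-table reads with no WHERE clause, and a statement shape that is not in a baseline of shapes the application is known to issue. It also groups by thread id to spot a session that enumerates the schema and then dumps table after table. The log lines and the `KNOWN_STATEMENTS` baseline are constructed; the baseline in real use comes from a clean stretch of the same log or from the application code. The answer's first step, failed queries, is not covered here: the general log records every statement the server received whether or not it later errored, so failures have to come from the application's error log.

```python
import re
from collections import defaultdict

# One FILE-format general log line in MySQL 5.7: time, thread id, command, argument.
LINE_RE = re.compile(
    r"^(?P<time>\d{4}-\d\d-\d\dT[\d:.]+Z)\s+(?P<id>\d+)\s+(?P<cmd>\w+)\s*(?P<arg>.*)$"
)

# Objects a web application has no business touching.
SYSTEM_OBJECTS = re.compile(
    r"\binformation_schema\b|\bmysql\.\w+|\bperformance_schema\b|@@version"
    r"|\bload_file\s*\(|\binto\s+(?:out|dump)file\b",
    re.I,
)
# A whole-table read with no filter, and the enumeration that usually precedes a dump.
FULL_TABLE_READ = re.compile(r"^\s*SELECT\s+\*\s+FROM\s+\w+\s*;?\s*$", re.I)
ENUMERATION = re.compile(r"^\s*SHOW\s+TABLES\b|\binformation_schema\.tables\b", re.I)


def normalize(sql):
    """Reduce a statement to its shape: literals become '?', whitespace collapses.
    Every execution of the same application code path yields the same shape."""
    shape = re.sub(r"'(?:[^'\\]|\\.|'')*'", "?", sql)   # quoted strings (incl. '' escapes)
    shape = re.sub(r"\b\d+\b", "?", shape)             # bare numbers
    return " ".join(shape.split())


def parse_general_log(text):
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:  # header lines of the log file do not match and are skipped
            yield m["time"], int(m["id"]), m["cmd"], m["arg"].strip()


def analyze(text, known_statements):
    """Return (per-statement findings, thread ids that enumerated then dumped tables)."""
    known = {normalize(s) for s in known_statements}
    findings = []
    sessions = defaultdict(lambda: {"enumerated": False, "dumps": 0})
    for time, cid, cmd, sql in parse_general_log(text):
        if cmd != "Query":
            continue  # Connect / Quit / Init DB entries carry no statement
        reasons = []
        if SYSTEM_OBJECTS.search(sql):
            reasons.append("system-object access")
        if ENUMERATION.search(sql):
            reasons.append("schema enumeration")
            sessions[cid]["enumerated"] = True
        if FULL_TABLE_READ.match(sql):
            reasons.append("unfiltered full-table read")
            sessions[cid]["dumps"] += 1
        if normalize(sql) not in known:
            reasons.append("unknown query shape")
        if reasons:
            findings.append({"time": time, "id": cid, "sql": sql, "reasons": reasons})
    exfil = sorted(c for c, s in sessions.items() if s["enumerated"] and s["dumps"] >= 2)
    return findings, exfil


# Hypothetical baseline: statement shapes this application is known to issue.
KNOWN_STATEMENTS = [
    "SELECT id, name, price FROM products WHERE id = 42",
    "UPDATE carts SET qty = 1 WHERE id = 1 AND user_id = 1",
]

# Constructed sample in the 5.7 FILE-format shape: two normal sessions (41, 60)
# and one injected session (57) that reads mysql.user, lists tables, then dumps them.
SAMPLE_GENERAL_LOG = """\
/usr/sbin/mysqld, Version: 5.7.16-0ubuntu0.16.04.1 ((Ubuntu)). started with:
Tcp port: 3306  Unix socket: /var/run/mysqld/mysqld.sock
Time                 Id Command    Argument
2017-06-04T16:01:12.101Z\t   41 Connect\twebapp@localhost on shopdb using TCP/IP
2017-06-04T16:01:12.102Z\t   41 Query\tSELECT id, name, price FROM products WHERE id = 42
2017-06-04T16:01:12.110Z\t   41 Quit\t
2017-06-04T16:03:47.004Z\t   57 Connect\twebapp@localhost on shopdb using TCP/IP
2017-06-04T16:03:47.005Z\t   57 Query\tSELECT id, name, price FROM products WHERE id = -1 UNION ALL SELECT NULL,CONCAT(user,0x3a,authentication_string),NULL FROM mysql.user
2017-06-04T16:03:47.020Z\t   57 Query\tSELECT id, name, price FROM products WHERE id = -1 UNION ALL SELECT table_name,NULL,NULL FROM information_schema.tables WHERE table_schema = 'shopdb'
2017-06-04T16:03:48.000Z\t   57 Query\tSELECT * FROM customers
2017-06-04T16:03:49.000Z\t   57 Query\tSELECT * FROM orders
2017-06-04T16:03:50.000Z\t   57 Query\tSELECT * FROM products
2017-06-04T16:03:50.900Z\t   57 Quit\t
2017-06-04T16:05:02.000Z\t   60 Connect\twebapp@localhost on shopdb using TCP/IP
2017-06-04T16:05:02.001Z\t   60 Query\tSELECT id, name, price FROM products WHERE id = 7
2017-06-04T16:05:02.002Z\t   60 Query\tUPDATE carts SET qty = 2 WHERE id = 9 AND user_id = 3
2017-06-04T16:05:02.003Z\t   60 Quit\t
"""

if __name__ == "__main__":
    found, exfil = analyze(SAMPLE_GENERAL_LOG, KNOWN_STATEMENTS)
    for f in found:
        print(f["time"], f["id"], ", ".join(f["reasons"]), "|", f["sql"])
    print("enumerate-then-dump sessions:", exfil)
```

Only session 57 is reported: its two UNION statements fail the shape baseline and touch `mysql.user` and `information_schema`, and the three `SELECT *` reads after the table listing mark it as an enumerate-then-dump session. The shape baseline is the strongest of the three checks because it does not depend on guessing what an attacker will type, but it needs care if the application builds SQL dynamically (for instance `IN (...)` lists of varying length), in which case those constructs have to be normalized as well. Keep in mind that the general log is unbounded and records every statement, so on a busy server it is something you enable for an investigation window rather than leave on.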
Thanks for contributing an answer to Database Administrators Stack Exchange!