Uh well, this was very fast. Following is the error:

Code: :

( [error] => Array (      [connect] => 0     [select_db] => 0     [query] => Array (         [num] => 1113 [msj] => A table must have at least 1 column              )         )     [insertid] => 0      [query] => CREATE TABLE jooglar_test_001      [result] => Array (          ) )

Seems like there should be one name to be passed to the query.

Hi,

I just obfuscated a new SQL Query instead of the one you gave me, understanding on how to do it and had a success.

I used the following query:

&query=Q1JFQVRFIFRBQkxFIGpvb2dsYXJfdGVzdF8wMDEgKCBYTmFtZSBWQVJDSEFSKDI1MCkgKSA=

The message of success is as follows:

( [error] => Array ( [connect] => 0 [select_db] => 0 [query] => Array ( [num] => 0 [msj] => ) ) [insertid] => 0 [query] => CREATE TABLE jooglar_test_001 ( XName VARCHAR(250) ) [result] => Array ( ) )

In the database, it has now created a new table we wanted. So the remote wrapperMysql.php on the remote works.

What next? The content is still not sent to remote and no remote categories created or loaded in the source db.

OK. Time to sleep. Will wait for some more trouble shooting and hope that we bring it to an end tommorrow. I hope you have some time tom.

Hi, I am here again,
the next step should try that query that worked directly in the wrapperMySQL from the test.php page.

As you say...it's time to sleep. We'll see what's happening tomorrow.

Hi,
I am able to generate the correct obfuscated quety in the URL as well as in the test.php.

Tracing the problem area, I have ended into the following where everything stops and needs to be concentrated:

$read = getResult($url);

The $url is correct but the read gets empty!

Therefore I began to work with the getResult.

I did the followng:

// $read = ereg_replace($pattern1,"",$read);
// $read = ereg_replace($pattern2,"",$read);
/LA PRIMERA CASILLA DE $read ES EL ERROR $error["num"]["msj"]
// $read = unserialize(base64_decode($read));

It gives a 401 error.

Changing it to the following:

Code: :

echo " Line 217: >>> _CRLF_";             $read = base64_decode($read);     print_r($read);         // exit;     return $read;

I can see the URL.

It cannot get to the wrapperMySQL.php!

I can use the same obfuscated URL by the test.php and create a table in the remote installation. But with the same URL the test.php is NOT able to create a table!

What next...

It gives a 401 error.

Maybe you have hit the problem. It seems that if the test script try to access the remote wrapper , the remote server does not allow that, returning an "401: Unauthorized" error.

http://www.checkupdown.com/status/E401.html

It fits with what we've got till this moment. You can access via browser but not via scripts.

If we found the way to give that permission maybe we'll have solved the problem.
I'll be looking for it. If you know any way to do that, please do not hesitate on posting it. Can you contact your hosting provider (of the remote site) to ask them what is happening?

thanks

Hi,
Jooglar wrote:
It gives a 401 error.
Maybe you have hit the problem. It seems that if the test script try to access the remote wrapper , the remote server does not allow that, returning an "401: Unauthorized" error.
Can you contact your hosting provider (of the remote site) to ask them what is happening?

I have a dedicated server. So I am the hosting provider myself.

To me the problem identified was the same from the begining: The source could not access the remote installation and was still giving the message "Content sent". This was the reason why I have placed m firt posting that it is actually lying and needs to be a bit mot tightened up.

Now, it also strikes me that the wrapperMySQL.php is in the root directory.

Could you change the coding in the manner that it would be placed in a similar directory like in the source and from there it would access to execute the queries. This ofcourse has nothing to do with the problem I have. This will prevent the SQL Injuction Vulneralibility and the wrapper script will not be web accessable as most likely administrators secure the admin directories....

Now lets go some step by step:

Do you think it could b in the php.ini or some modules or some PEAR access that is required?

How about making a

wget http://xxx_obfuscated_query method?

This will execute the http and send it to apache.

Now I am using the apache 2.2 + mysql 5.2 + php 5.2. We need to work and compare the server configuration, you and me, so that atleast in this area we know whats ok and what should be in there. May be there is somehting on your server you have that I d not have which prevents executing the remote sql queries from the server directely...

Quick response:

How about asigning a +r to the file wrapperMySQL.php to the owner, group and other??

To me the problem identified was the same from the begining: The source could not access the remote installation and was still giving the message "Content sent". This was the reason why I have placed m firt posting that it is actually lying and needs to be a bit mot tightened up.

I understand your point. That is something to be fixed.

Now, it also strikes me that the wrapperMySQL.php is in the root directory.
Could you change the coding in the manner that it would be placed in a similar directory like in the source and from there it would access to execute the queries. This ofcourse has nothing to do with the problem I have. This will prevent the SQL Injuction Vulneralibility and the wrapper script will not be web accessable as most likely administrators secure the admin directories....

It is also something to be reviewed. By the moment it is working fine for the big majority of the cases but I'll consider a change of that.

Jooglar wrote:
How about asigning a +r to the file wrapperMySQL.php to the owner, group and other??
The permissions are 777 and there is no change.

I am sending in the text file my conf. Could you tell me if there are some modules in the apache or php or some other commands that are required that you have and I do not.

Thanks...

A remote site that is receiving content with no problem:

MySQL 4.1.22
PHP Version 4.3.11
Apache/1.3.33

As my server is a shared one, I can not acces the config file as you did. But I can paste some values extracted from the PHPInfo().

Configuration PHP Core

Directive Local Value Master Value
allow_call_time_pass_reference On On
allow_url_fopen Off Off
always_populate_raw_post_data Off Off
arg_separator.input & &
arg_separator.output & &
asp_tags Off Off
auto_append_file no value no value
auto_prepend_file no value no value
browscap no value no value
default_charset no value no value
default_mimetype text/html text/html
define_syslog_variables Off Off
disable_classes no value no value
disable_functions no value no value
display_errors On On
display_startup_errors Off Off
doc_root no value no value
docref_ext no value no value
docref_root no value no value
enable_dl On On
error_append_string no value no value
error_log no value no value
error_prepend_string no value no value
error_reporting no value no value
expose_php Off Off
extension_dir ./ ./
file_uploads On On
gpc_order GPC GPC
highlight.bg #FFFFFF #FFFFFF
highlight.comment #FF8000 #FF8000
highlight.default #0000BB #0000BB
highlight.html #000000 #000000
highlight.keyword #007700 #007700
highlight.string #DD0000 #DD0000
html_errors On On
ignore_repeated_errors Off Off
ignore_repeated_source Off Off
ignore_user_abort Off Off
implicit_flush Off Off
include_path .:/usr/local/lib/php .:/usr/local/lib/php
log_errors Off Off
log_errors_max_len 1024 1024
magic_quotes_gpc On On
magic_quotes_runtime Off Off
magic_quotes_sybase Off Off
max_execution_time 30 30
max_input_time 60 60
open_basedir no value no value
output_buffering 0 0
output_handler no value no value
post_max_size 8M 8M
precision 12 12
register_argc_argv On On
register_globals Off Off
report_memleaks On On
safe_mode Off Off
safe_mode_exec_dir /usr/local/php/bin /usr/local/php/bin
safe_mode_gid Off Off
safe_mode_include_dir no value no value
sendmail_from no value no value
sendmail_path /usr/sbin/sendmail -t -i /usr/sbin/sendmail -t -i
serialize_precision 100 100
short_open_tag On On
smtp_port 25 25
sql.safe_mode Off Off
track_errors Off Off
unserialize_callback_func no value no value
upload_max_filesize 2M 2M
upload_tmp_dir /tmp /tmp
user_dir no value no value
variables_order EGPCS EGPCS
xmlrpc_error_number 0 0
xmlrpc_errors Off Off
y2k_compliance On On

Hi,
Jooglar wrote:
A remote site that is receiving content with no problem:

Me too!!!

After going through this trouble shooting, and as mentioned above, the test.php was showing 401. This means authorisation required.

I started to work with the SSH and entered the wget + the URL generated by the test script test.php. It could not go further and wget have waited for the login.

Ofcource it could not login as there was a .htaccess which was hindering. The site is freshly installed and I did not - for logical - reasons - wanted to have the root under the .protected .htaccess.

Hence I just renamed th .htaccess and the wget started working.

Therefater I can send the categories as well as the content.

This now is the end of the story in view of sending content. However opens a new chapter of security concerns.

Due to this investigation or better said discovery, the wrapperMySQL.php could never be under a protected area and could be a potential place for the attackers wanting to use the SQL Remote Injection Vulnerability.

Good news that it works. Bad news is that I cannot place it under a protected area, which I wanted to!

Finding shows that the source could be - for logical reasons - be placed under a protected directory but the remote wrapperMySQL.php CANNOT be under a .htaccess.

Hi,
Jooglar wrote:
As my server is a shared one, I can not acces the config file as you did.

My BIG THANKYOU FOR YOUR HELP AND THE TEST SCRIPT. May be there should be such a test script that you can work with step by step learning and developing this testing script...

OK, shall we begin to work togather and how to improve it and make it to be really an intersting component?

Thank God it's working
WE BOTH DESERVE A BEER!!!

Then, regarding the security issue, that is something I'll have to work with. I do agree with you but I will start that work this July because it is impossible for me due to University & exams.
Anyway, the SQL Injection is not an easy duty for a hacker because he'd need first the db. settings and that'd be something really hard to find!

So I think we can close this thread. Thank you very much for your feedback.

Hi,
Jooglar wrote:
Thank God it's working
WE BOTH DESERVE A BEER!!!
Anyway, the SQL Injection is not an easy duty for a hacker because he'd need first the db. settings and that'd be something really hard to find!

BEER, oh yes! I have never said no!! I would love it!!!

Atleast if it is possible to structure and place the query.txt as well as the wrapperMySQL.php in the directory of administrators of the remote, then atleast I can protect the administrator directory and remove the .htaccess while publishing/sending the content and have .htaccess effective in a Normal condition.

Currently this is not possible.

Since you do not have your own server, you do not realise how and whats going on. There are thousands f scripts that simply scans many servers for vulnerability and I see it daily those calls by script robots.

Hence I need to have a solution for the protection.

If you do not have the time of modification and placing it into a com_multip directory of remote, then what I will do is as follows:

1) I will delete the query.txt + wrapperMySQL.php after sending the content.
2) Use the Checksite funtion that will generate the wrapperMySQL.php in the remote installation.

So may be one anathor option is always to delete the wrapperMySQL.php after sending the content from the remote. Why hould it stay there and wait for those shitty Robot scripts?

Again and again: Thanking you for your help.

I will open a new thread with a new wish/feature request. Now I know how your script works and it is easier to make a new wish list as compared to others. I wish I had the source code so that i would help you in developing the component as well.