CyberX

MySQL injection "qq", evil injection, OR

Today I found a MySQL injection that is new to me, named 'qq', and I created escape functions for the evil injection, bad OR and others.

Look at this code I found in query logs:

qq`;SELECT * FROM `revolver__topics`;``

It is a fragment of a MySQL injection that was not completely logged on execution.

This code is available for execution because the MySQL (MySQLi, PDO, PostgreSQL, MSSQL) engines in PHP extensions have no 100% safe escaping of MySQL queries. After some PHP version update we lost the most important function, mysql_real_escape_string(), and I have combined some injection filters.

Perhaps I can write an analogous function that can escape seemingly all the injections we know. The code below is intended to clean up the variables inside MySQL queries equally:

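    // cleanup
    public static function escape( $string ) {
        // Trim whitespace, strip leading 'q' characters (ltrim() treats 'qq' as a character list),
        // replace 4-byte UTF-8 characters with U+FFFD, then add slashes and HTML-encode
        $safeSQL = htmlspecialchars(addslashes(preg_replace('/[\x{10000}-\x{10FFFF}]/u', "\xEF\xBF\xBD", ltrim(trim($string), 'qq'))));
        // Turn the '--+' comment sequence into ';'
        $safeSQL = str_replace('--+', ';', $safeSQL);
        // Strip trailing '-' characters
        $safeSQL = rtrim($safeSQL, '--');
        // Remove comment openers (♯ stands in for the Shift + 3 symbol, see the note below)
        $safeSQL = str_replace(['/*', '♯'], ['', ''], $safeSQL);
        // Strip leading 'Q' characters
        return ltrim($safeSQL, 'QQ');
    }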

If you know more about MySQL injections and misuses of this code, please leave a comment below.

After some time I will push a commit with a security patch for DBX and RevolveR CMS.

This function is for escaping OR, AND, ON issues only in the WHERE clause:

    // cleanup inner SQL
    public static function innerEscape( $fragment ) {
        return str_replace(['OR', 'AND', 'ON', "'", ';', 'or', 'and', 'on', '/*', '', '--', '--+'], ['', '', '', '\'', '', '', '', '', '', '', '', ''], $fragment);
    }

The next function is intended to block the execution of a trailing bad OR, AND, ON clause in SQL queries:

    public static function escapeOuter( $string ) {
        return preg_replace(['♯/(OR/)+$♯','♯/(or/)+$♯','♯/(AND/)+$♯','♯/(and/)+$♯','♯/(ON/)+$♯','♯/(on/)+$♯'], ['$1 ;', '$1 ;', '$1 ;', '$1 ;', '$1 ;', '$1 ;'], $string);
    }

Please optimize the escape() regular expressions as well. Be careful with passwords too, because we can't use some symbols for security reasons. Also be careful with HTML-encoded symbols in the code shown here, because after filtering the contents not all special symbols are inserted into database fields (replace ♯ with its Shift + 3 keyboard analog).

Regards,
CyberX
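
An added example, not part of the original post or of RevolveR CMS: the logged fragment handled with bound parameters for values and an allow-list for identifiers, instead of string filtering. It assumes PDO with an in-memory SQLite database standing in for MySQL so it runs offline; the `topics` table and the `storeTitle()` and `findByTitle()` helpers are hypothetical names.

```php
<?php
declare(strict_types=1);

// In-memory SQLite stands in for MySQL; the PDO calls are the same.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE topics (id INTEGER PRIMARY KEY, title TEXT)');

// Identifiers (table and column names) cannot be bound as parameters,
// so they come only from a fixed allow-list, never from request data.
const SORTABLE = ['id', 'title'];

function storeTitle(PDO $pdo, string $title): int {
    // The value travels separately from the SQL text, so quotes, backticks
    // and semicolons inside it are never parsed as SQL.
    $stmt = $pdo->prepare('INSERT INTO topics (title) VALUES (:title)');
    $stmt->execute([':title' => $title]);
    return (int) $pdo->lastInsertId();
}

function findByTitle(PDO $pdo, string $title, string $orderBy): array {
    if (!in_array($orderBy, SORTABLE, true)) {
        throw new InvalidArgumentException('unknown sort column');
    }
    $stmt = $pdo->prepare(
        'SELECT id, title FROM topics WHERE title = :title ORDER BY ' . $orderBy
    );
    $stmt->execute([':title' => $title]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed inputs: the fragment from the query log, a classic OR
// payload, and ordinary text containing "on" that a keyword filter would mangle.
$logged = 'qq`;SELECT * FROM `revolver__topics`;``';
$inputs = [$logged, "x' OR '1'='1", 'London'];
foreach ($inputs as $in) {
    storeTitle($pdo, $in);
}
foreach ($inputs as $in) {
    $rows   = findByTitle($pdo, $in, 'title');
    $intact = count($rows) === 1 && $rows[0]['title'] === $in;
    printf("%-42s rows=%d intact=%s\n", $in, count($rows), $intact ? 'yes' : 'no');
}

// The same fragment offered as a sort column is refused outright.
try {
    findByTitle($pdo, 'London', $logged);
} catch (InvalidArgumentException $e) {
    echo 'identifier rejected: ', $e->getMessage(), "\n";
}
```

Each input matches only its own row and is stored byte for byte, so no characters have to be stripped from user data or passwords.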

RevolveR CMS next release with SPAx support

Hi there! For some time I haven't made commits for RevolveR CMS, and the time has come when I want to talk about the next release. It should be the same system with the same options, but it will support a new layout mode named Single Pages Application Extended (SPAx).

The idea is simple. Every node created for some category has magic options to be a block for the SPA that renders on the main page (index).

You can create nodes for some category, then choose the category to render as SPA, and then you can switch some options for view and look. All nodes will work with the REST technique and may have comments.

The basic RevolveR template has now switched to a 1440px grid system, and I modified some colors.

How to run FreeBSD under AMD Ryzen laptops

New laptops with AMD Ryzen APUs won't boot the FreeBSD system because some firmware and hardware features are different. If you can't boot FreeBSD distros, you need to switch the hw.pci.mcfg parameter to zero.

At the loader prompt, before the system begins the boot process, type two commands:

    set hw.pci.mcfg=0
    boot

The system will boot without any problems.

How to fix NTFS file permissions for MAMP

For unknown reasons Windows 10 broke some file permissions when OneDrive cloud storage is active. There are many questions about how to avoid the Apache 403 error with the "Forbidden" message when you create a new public directory for local web site domains.

Example: you have installed MAMP Pro and want to create a new local domain for development. After you type the domain name and change the folder, you try to access the web scripts via a browser and see a 403 Forbidden message.

Fix permissions on web server access for Windows 10

I spent some time and found a fix for this issue. One simple utility can drop and fix permissions recursively for all contents of the public directory. Then we can use the browser to access our scripts directly.

Download NTFS filesystem permissions fix utility.

Radeon software super high resolution on any video

Many people ask a question: "How to improve screen resolution to maximum?".

A few days ago I installed a Windows update for AMD Radeon software that enables some new features for any compatible video adapter. What's new?

This update integrates a new control center in Windows 10 for activating and customizing some hidden video card features.

Radeon software for Windows 10

The greatest setting I found is enabling support for super high resolution emulation in all Windows 10 applications, such as games and other software, and on the desktop.

Resolution Control with support of super high modes in Windows 10

I have only a Vega 11 integrated video adapter and a Radeon RX 560X discrete video card. For these adapters, which have a maximum resolution of 1920x1080, a high resolution of 3800+px is available. It's great.