SQL Injection vulnerability in Yii1 framework

Time: 11-03

[error] [system.db.CDbCommand] CDbCommand::fetch()
failed: SQLSTATE[HY000]: General error: 1105 XPATH syntax error:
'\qvqbq66666666666666666666666666'. The SQL statement executed was:
SELECT * FROM `User` `t` WHERE username = '1' AND
EXTRACTVALUE(7865,CONCAT(0x5c,0x7176716271,(SELECT
REPEAT(0x36,256)),0x716a627671))-- JEUE' and email = '1' AND
EXTRACTVALUE(7865,CONCAT(0x5c,0x7176716271,(SELECT
REPEAT(0x36,256)),0x716a627671))-- JEUE' and title = 'Customer' LIMIT
1

I've been getting this kind of error log for months, and 100s of attacks per day.

I think someone is trying to hack this site, which was developed using the Yii1 framework.

I have already blocked some IP addresses, but the attack continues from other IP addresses and locations.

Should I ignore this attack?

CodePudding user response:

You should not ignore the attack. You should fix your code so that the attack is not possible.

The fact that the attacker is able to inject arbitrary SQL expressions and it results in errors from the SQL parser indicates that you have one or more SQL injection vulnerabilities in your code. This comes from allowing untrusted input to be copied into SQL query strings before the query is parsed.

You should not allow arbitrary input to be executed as part of your SQL query.

  • Use query parameters to combine input as values in SQL expressions.
  • Use filtering in other cases, like if you need request input to change identifiers or expressions in your SQL queries.

Review the Yii documentation on preventing SQL injection, and change your code to adopt secure habits. https://www.yiiframework.com/wiki/275/how-to-write-secure-yii1-applications#sql-injections
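As an added illustration (not code from the question or from the Yii project), here is the shape of a Yii1 lookup that produces the logged statement when request values are pasted into the condition string, beside the parameterized forms that keep the values out of the SQL text; the `User` model, the column names and the `$username`/`$email` inputs are assumed from the logged query.

```php
<?php
// Added example. Assumes a Yii1 CActiveRecord model `User` with the
// `username`, `email` and `title` columns seen in the logged SELECT.

// VULNERABLE (assumed shape of the original lookup): the request values
// become part of the SQL text, so a value containing a quote and SQL
// (like the one in the logged statement) reaches the SQL parser as code.
function findCustomerUnsafe($username, $email)
{
    return User::model()->find(
        "username = '$username' AND email = '$email' AND title = 'Customer'"
    );
}

// FIXED 1: named parameters. The SQL text is fixed at coding time; the
// driver sends the values separately, so they can never change the
// statement's structure, whatever characters they contain.
function findCustomerParams($username, $email)
{
    return User::model()->find(
        'username = :username AND email = :email AND title = :title',
        array(
            ':username' => $username,
            ':email'    => $email,
            ':title'    => 'Customer',
        )
    );
}

// FIXED 2: findByAttributes() builds the same WHERE clause and binds the
// values itself. Column names come from the array keys, i.e. from your
// code, never from the request.
function findCustomerByAttributes($username, $email)
{
    return User::model()->findByAttributes(array(
        'username' => $username,
        'email'    => $email,
        'title'    => 'Customer',
    ));
}

// Same idea with a plain CDbCommand when not using ActiveRecord.
function findCustomerCommand($username, $email)
{
    return Yii::app()->db->createCommand(
        'SELECT * FROM `User` WHERE username = :u AND email = :e AND title = :t LIMIT 1'
    )->bindValue(':u', $username)
     ->bindValue(':e', $email)
     ->bindValue(':t', 'Customer')
     ->queryRow();
}
```

With any of the fixed forms, the injected text in the log is looked up as a literal username and simply matches no row, instead of being executed.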
