Security Scan Spring4Shell

Website URL

www.eloi.biz

Error Message

Spring4Shell Vulnerability

Other Information

(other information and details relevant to your question)

Can you please provide some additional information about your request?

3 Likes

Having a look, this vulnerability you’re mentioning seems to be related to Spring, a framework for Java:

Java is not supported on our hosting anyway, so what is the issue you’re facing?

5 Likes

I can't seem to get the prepared statement to write to the database.

What statement? From where? Please be more specific.

Since you linked to a Java issue, I can take a wild guess and assume you’re trying to do it via Java. Unfortunately, you’re likely hitting one or more of these limitations:

You’ll need to use that prepared statement in a PHP script inside your free hosting account. If that’s what you’re doing but it isn’t working, please provide more information.

6 Likes

I am using PHP uploaded to InfinityFree to prepare two statements, which are executed without error, but the data does not show up in the MySQL database.

What is your prepared statement? That’s also what we are asking for.

3 Likes

Here you go:

// prepare and bind
$stmt1 = $conn->prepare("INSERT INTO  whales( `id`, `message`,`ip`, `agent`, `SERVER_NAME`, `REQUEST_METHOD`,
       `HTTP_ACCEPT_LANGUAGE`, `HTTP_REFERER`, `REQUEST_URI`, `PATH_INFO`, 
      `HTTPS`, `REMOTE_PORT`, `REMOTE_USER`, `SCRIPT_FILENAME` ) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?,?, ?, ?,?, ?)");
$stmt1->bind_param("ssssssssssssss", $id, $Summary, $REMOTE_ADDR,$HTTP_USER_AGENT,$SERVER_NAME,
	$REQUEST_METHOD,$HTTP_ACCEPT_LANGUAGE, $HTTP_REFERER,$REQUEST_URI, 
	$PATH_INFO,$HTTPS,$REMOTE_PORT,$REMOTE_USER, $SCRIPT_FILENAME);

// prepare and bind
$stmt2 = $conn->prepare("INSERT INTO  whales ( `attachment`,`id`, `message`,`ip`, `agent`, `SERVER_NAME`, `REQUEST_METHOD`,
       `HTTP_ACCEPT_LANGUAGE`, `HTTP_REFERER`, `REQUEST_URI`, `PATH_INFO`, 
      `HTTPS`, `REMOTE_PORT`, `REMOTE_USER`, `SCRIPT_FILENAME` ) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?,?, ?, ?,?, ?, ?)");
$stmt2->bind_param( "sssssssssssssss", $imgnewfile, $id, $Summary, $REMOTE_ADDR,$HTTP_USER_AGENT,$SERVER_NAME,
	$REQUEST_METHOD,$HTTP_ACCEPT_LANGUAGE, $HTTP_REFERER,$REQUEST_URI, 
	$PATH_INFO,$HTTPS,$REMOTE_PORT,$REMOTE_USER, $SCRIPT_FILENAME);

Don’t you execute the statements?

4 Likes

Yes, I execute the statements. Are you able to use prepared statements on this site?

Yes, you need to fetch the error messages like this:

if (!$stmt1->execute()){
    echo "Stmt1 error:".$stmt1->error;
}
if (!$stmt2->execute()){
    echo "Stmt2 error:".$stmt2->error;
}
7 Likes
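
A variation on the error check in the reply above, as an added example that is not part of the thread or the poster's script: it switches mysqli to exception mode so that a failed `prepare()`, `bind_param()` or `execute()` cannot pass silently, and it writes the error detail to the server log instead of echoing it to the visitor. The connection values are placeholders, the reduced column list and the `insert_whale()` helper are assumptions made for brevity, and the sample id and message are constructed.

```php
<?php
// Added example, not the poster's code. Connection values are placeholders;
// the four-column subset of `whales` is an assumption to keep it short.

// Make mysqli throw mysqli_sql_exception on any failure (connect, prepare,
// bind, execute) instead of returning false and carrying on.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// Hypothetical helper: inserts one row and returns the affected row count.
function insert_whale(mysqli $conn, string $id, string $message): int
{
    // $_SERVER values are client-influenced; binding them as parameters
    // keeps them out of the SQL text.
    $ip    = $_SERVER['REMOTE_ADDR'] ?? '';
    $agent = $_SERVER['HTTP_USER_AGENT'] ?? '';

    $stmt = $conn->prepare(
        'INSERT INTO whales (`id`, `message`, `ip`, `agent`) VALUES (?, ?, ?, ?)'
    );
    $stmt->bind_param('ssss', $id, $message, $ip, $agent);
    $stmt->execute();
    $rows = $stmt->affected_rows; // 1 when the row was written
    $stmt->close();
    return $rows;
}

try {
    $conn = new mysqli(
        'DB_HOST_PLACEHOLDER',
        'DB_USER_PLACEHOLDER',
        'DB_PASSWORD_PLACEHOLDER',
        'DB_NAME_PLACEHOLDER'
    );
    $conn->set_charset('utf8mb4');

    // Constructed sample values.
    $rows = insert_whale($conn, 'constructed-id-1', 'constructed test message');
    echo "Inserted rows: {$rows}\n";
} catch (mysqli_sql_exception $e) {
    // Full detail goes to the server log; the response carries no SQL,
    // table or column names.
    error_log('whales insert failed: ' . $e->getMessage());
    http_response_code(500);
    echo 'Could not save the record.';
}
```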

OK thanks!

1 Like
