SQL Server Forums
Profile | Register | Active Topics | Members | Search | Forum FAQ
 
Register Now and get your question answered!
Username:
Password:
Save Password
Forgot your Password?

 All Forums
 SQL Server 2000 Forums
 SQL Server Administration (2000)
 sql injection
 New Topic  Reply to Topic
 Printer Friendly
Next Page
Author Previous Topic Topic Next Topic
Page: of 2

mike123
Flowing Fount of Yak Knowledge

1462 Posts

Posted - 01/07/2004 :  21:29:50  Show Profile  Reply with Quote
I had the unfortunate experience of being a victim of sql injection.

The user was able to read any data, table structure, columns etc.

What I am worried about, is could they have connected to a different database? I am worried that they might have gotten in my master database. Could this happen?

Basically what they did was ad a "UNION SELECT" into the querystring. From this could they have gotten into the master.

They would have to connect to a different database from inside a stored proc that is already connected to a database.

Obviously I have alot on my plate, but is there anything else I should worry about? Any tips to recover safely?

Any tips are greatly appreciated in this time of need.

Thanks alot,
mike123

Merkin
Funky Drop Bear Fearing SQL Dude!

Australia
4970 Posts

Posted - 01/07/2004 :  22:11:04  Show Profile  Visit Merkin's Homepage  Reply with Quote
The dangers of not using stored procs..

OK, what user was your web app connecting as ? If you used the SA account in your ASP, you are screwed. Look in the IIS logfiles to see what they did, but they can potentially get control of your entire network if you were running SA.

If the user only had access to the one database you are probably OK.

Stored procs fix this right up :)



Damian
Go to Top of Page

robvolk
Most Valuable Yak

USA
15676 Posts

Posted - 01/07/2004 :  22:11:51  Show Profile  Visit robvolk's Homepage  Reply with Quote
quote:
Basically what they did was ad a "UNION SELECT" into the querystring. From this could they have gotten into the master.

They would have to connect to a different database from inside a stored proc that is already connected to a database.
If they were able to sneak in a UNION, they could've accessed any table in any database that can be accessed by the login used to connect.

If you search SQL Team for "SQL Injection" (and the forums too) you'll find a fair amount of material on how to protect yourself against it. The first, easiest, and best thing to do is NEVER allow ad-hoc SQL in your web pages. Change everything to stored procedures and avoid using dynamic SQL in your sprocs.

Yeah, what Damian said.

Edited by - robvolk on 01/07/2004 22:12:28
Go to Top of Page

mike123
Flowing Fount of Yak Knowledge

1462 Posts

Posted - 01/07/2004 :  22:50:20  Show Profile  Reply with Quote
Thanks

I did not have it setup to use SA, however the account was able to access the master. I am not sure what this means.

I actually am using a stored proc for this, but I am passing it a SQL string. This is the only situation on the website (410 sp's) where I do this.

Do you think they could have read my stored procedures?

What steps would you take if the user they were logged in as was able to connect to the master db ??

Thanks again guys,

Mike123
Go to Top of Page

mike123
Flowing Fount of Yak Knowledge

1462 Posts

Posted - 01/07/2004 :  22:54:28  Show Profile  Reply with Quote

Does the master database store info such as passwords for the logins etc??

What harmful things could be done with my master db ??

Thanks again
mike123
Go to Top of Page

Merkin
Funky Drop Bear Fearing SQL Dude!

Australia
4970 Posts

Posted - 01/07/2004 :  23:00:10  Show Profile  Visit Merkin's Homepage  Reply with Quote
You are *probably* ok.
Chances are they just wanted to see the admin password of your ASP app.
Some steps to take..

1. Make sure you have a good backup from before the intrusion.
2. Do another backup now (keep the old one too)
3. Fix the security hole
4. Remove the db users permission on master
5. Go through your IIS logs. You said the hacker did a bunch of UNIONS. do a search on them and you will see exactly what he was looking for. Then, do a search for INSERT, UPDATE and EXEC. You will be able to see what he was doing.

If you don't see any nasty updates or inserts, you are probably OK. But he may now have passwords for your users. You might want to let them know it's time to change passwords.



Damian
Go to Top of Page

mike123
Flowing Fount of Yak Knowledge

1462 Posts

Posted - 01/07/2004 :  23:05:19  Show Profile  Reply with Quote
I was actually contacted, they told me they saw my table structure, and columns. Not sure if this gives any hints. I will go thru logs and take your recommended steps.

Thanks alot, I REALLY appreciate this help.

mike123
Go to Top of Page

mike123
Flowing Fount of Yak Knowledge

1462 Posts

Posted - 01/07/2004 :  23:11:43  Show Profile  Reply with Quote
I guess my biggest fear is if they used DTS to import the data. Could they theoretically do this if they could access the master db?

Thanks
mike123

Go to Top of Page

Merkin
Funky Drop Bear Fearing SQL Dude!

Australia
4970 Posts

Posted - 01/07/2004 :  23:14:41  Show Profile  Visit Merkin's Homepage  Reply with Quote
The only way they could do DTS is if they were able to connect and if they could brute force crack your passwords. They wouldn't need SQL injection to do that.

I think they probably just did a select on your sysobjects table, that would show them the table names. The IIS logs are the way to know for sure.



Damian
Go to Top of Page

mike123
Flowing Fount of Yak Knowledge

1462 Posts

Posted - 01/07/2004 :  23:33:22  Show Profile  Reply with Quote
Thanks Merkin

Is there any info in the master db that I should worry about him still having? Sorry my knowledge on the function of the master db is very limited.

Also, I can connect to the master DB using the username and password the web app uses. However I can't seem to find a spot where permissions are set for this login. When I look at the permissions it the green arrow is only set on the database its supposed to, and not the master. Any tips?


Thank you.

mike123
Go to Top of Page

Merkin
Funky Drop Bear Fearing SQL Dude!

Australia
4970 Posts

Posted - 01/07/2004 :  23:38:29  Show Profile  Visit Merkin's Homepage  Reply with Quote
Can you select from any tables using that login ?

If the permissions in EM don't allow master you are probably ok.
Once again, look in your IIS logs to see what went on.



Damian
Go to Top of Page

mike123
Flowing Fount of Yak Knowledge

1462 Posts

Posted - 01/08/2004 :  00:07:31  Show Profile  Reply with Quote
Thanks :)

I can connect to the master db thru QA using the login that appears to only have permission to a different database. Strange, any suggestions?

I am beginning the process of going thru the IIS logs, trying to find a way to search 3gb log files :S. Do you happen to know of a good way.

Thanks once again, Im scrambling.. your assistance is gold


mike123
Go to Top of Page

Merkin
Funky Drop Bear Fearing SQL Dude!

Australia
4970 Posts

Posted - 01/08/2004 :  00:42:22  Show Profile  Visit Merkin's Homepage  Reply with Quote
I don't understand what you mean in your first point.

For the logfiles, you are in luck

Drop into a dos prompt and go to the directory with all the logs for that website.
Use the DOS find command to seach through files looking for a string.
If you can narrow it down to a particular log file ( i.e. ex040102.log) do this :

Find "UNION" ex040102.log > out.txt

and it will parse the file looking for that string and put the results into a file called out.txt.

You can also use wildcards
Find "UNION" *.log > out.txt

hope that helps


Damian
Go to Top of Page

mike123
Flowing Fount of Yak Knowledge

1462 Posts

Posted - 01/08/2004 :  01:08:17  Show Profile  Reply with Quote
thanks damian, excellent solution on the log files.

Sorry about the explanation, I'll try to clear it up.

My database named "123" was the database that was jeopardized. I connect to database "123" with the login "mike".

I can also connect to the database "master" with login "mike". I need to remove this access so mike can no longer connect to db master.

Can you please help me out on how to do I do this? I can't seem to figure out how.

thanks again, damian. I owe you some beers if your ever in canada ;)
Go to Top of Page

Merkin
Funky Drop Bear Fearing SQL Dude!

Australia
4970 Posts

Posted - 01/08/2004 :  01:14:18  Show Profile  Visit Merkin's Homepage  Reply with Quote
Mmmm beer

In enterprise manager, open up the "mike" login in the security node. Make sure the "mike" login isn't selected as having access to Master. Also, change the default database for "mike" to "123".



Damian
Go to Top of Page

mike123
Flowing Fount of Yak Knowledge

1462 Posts

Posted - 01/08/2004 :  01:19:29  Show Profile  Reply with Quote

Mark my words!, I promise I owe ya


Anyways, I just verified it and thats exactly how it is setup. Why can I access the master db thru QA, with login "mike"

Is this not very odd?

Thanks again
mike123
Go to Top of Page

Merkin
Funky Drop Bear Fearing SQL Dude!

Australia
4970 Posts

Posted - 01/08/2004 :  02:18:08  Show Profile  Visit Merkin's Homepage  Reply with Quote
Can you actually select from it ?

Try SELECT * FROM master..sysdatabases

Does that return any results ?


Damian
Go to Top of Page

X002548
Not Just a Number

15586 Posts

Posted - 01/08/2004 :  13:13:20  Show Profile  Reply with Quote
Hey...

how about an injection like

"SELECT your cols FROM yournice Table WHERE whateverGODROP TABLE myTable99"

I'd look for GO

Does "mike" have only datareader? Sounds more like dbowner..

At the very least put mike in datawriter...

(and dump the tranny logs every 10 minutes....)



Brett

8-)
Go to Top of Page

joldham
Wiseass Yak Posting Master

USA
300 Posts

Posted - 01/08/2004 :  14:02:06  Show Profile  Reply with Quote
Is the Mike account a Windows Account or a SQL Account? If it is a Windows Account, then if Mike is a Machine Administrator, then he would have access to everything in the SQL database as an Administrator of the machine (I think).
Go to Top of Page

Merkin
Funky Drop Bear Fearing SQL Dude!

Australia
4970 Posts

Posted - 01/08/2004 :  16:41:06  Show Profile  Visit Merkin's Homepage  Reply with Quote
quote:
Originally posted by X002548

I'd look for GO



Nope. Go isn't TSQL. GO is a batch terminator for Query Analyzer. Go won't do anything but throw an error here. You could use a semicolon though.

Given that the database is still running fine I doubt any tables have been dropped. So it's just a matter of log parsing to see how much the guy found out.

By the way, Welcome back Jeremy! It's been a while!




Damian
Go to Top of Page

joldham
Wiseass Yak Posting Master

USA
300 Posts

Posted - 01/08/2004 :  17:16:21  Show Profile  Reply with Quote
Thanks Damian! I looked today and my last post was in April 2003. I have been very busy the last year.

Mike, let me know if my post helped solve the master database access problem.
Go to Top of Page
Page: of 2 Previous Topic Topic Next Topic  
Next Page
 New Topic  Reply to Topic
 Printer Friendly
Jump To:
SQL Server Forums © 2000-2009 SQLTeam Publishing, LLC Go To Top Of Page
This page was generated in 0.14 seconds. Powered By: Snitz Forums 2000