ldevito
asked on
SQL Injection Hack and fix - www.nihaorr1.com/1.js
The script -www.nihaorr1.com/1.js is getting inserted into every record of my organizations SQL db. I'm the accidental techie in my office, and I'm clueless as to the vulnerability in our code. After a restore, the site gets hit every other day. I've searched around and no one seems to have an answer to this specific problem. There's no doubt in my mind that our coding has a loophole in it somewhere, but I'm not sure what to look for.
I'd appreciate any help!
Thanks,
lou
I'd appreciate any help!
Thanks,
lou
ASKER
Hi Ray,
Hope this helps...this is in the <head>
Thanks!
Hope this helps...this is in the <head>
Thanks!
<%
%>
<!-- #include file="adovb.asp" -->
<!-- #include file="VOConnect.asp" -->
<!-- #include file="date.asp" -->
<!-- #include file="includes/randomImage.asp" -->
<%
Set mainRS = Server.CreateObject("ADODB.Recordset")
mySQL = "SELECT TOP 4 * FROM events WHERE [date] >= '" & Date() & "' AND (org = 0 OR org = 1) AND highlight is NULL ORDER BY [date] "
mainRS.Open mySQL, DataConn
Set middleRS = Server.CreateObject("ADODB.Recordset")
mySQL2 = "SELECT TOP 3 * FROM events WHERE highlight <> 0 AND [date] >= '" & Date() & "' ORDER BY highlight "
middleRS.Open mySQL2, DataConn
Set nonvoRS = Server.CreateObject("ADODB.Recordset")
mySQL3 = "SELECT TOP 3 * FROM events WHERE [date] >= '" & Date() & "' AND (org <> 0 AND org <> 1) ORDER BY date "
nonvoRS.Open mySQL3, DataConn
%>
ASKER
This is also in another page:
<%@ Language=VBScript %>
<%
If (Instr(1, Request.QueryString("widget"), "true", 1) > 0 ) Then
Server.Transfer("widget.asp")
Else
%>
<!-- #INCLUDE file="adovb.asp" -->
<!-- #INCLUDE file="VOconnect.asp" -->
<!-- #INCLUDE file="date.asp" -->
<%
myID = ""
myMon = ""
myCat = ""
myPast = ""
myDay = ""
myWeek = Date()
myID = Request.Querystring("id")
myMon = Request.Form("month")
myDay = Request.Form("date")
if Request.Form("month") = "" then myMon = Request.Querystring("month")
myCat = Request.Form("category")
if Request.Form("category") = "" then myCat = Request.Querystring("category")
myPast = Request.Form("past")
if Request.Form("past") = "" then myPast = Request.Querystring("past")
myVen = Request.Form("venonly")
if Request.Form("venonly") = "" then myVen = Request.Querystring("venonly")
myInt = Request.Form("interest")
if Request.Form("interest") = "" then myInt = Request.Querystring("interest")
myWeek = Request.Form("week")
if Request.Form("week") = "" then myWeek = Request.Querystring("week")
if Request.Form("date") = "" then myDay = Request.Querystring("date")
myDay = Request.Form("date")
if myID <> "" then
Set monthRS = Server.CreateObject("ADODB.Recordset")
mySQL = "SELECT * FROM events WHERE id = " & myID
monthRS.Open mySQL, DataConn
myDate = monthRS("date")
myMonth = ConvDate(monthRS("date"), "%B")
myYear = Year(monthRS("date"))
Set mainRS = Server.CreateObject("ADODB.Recordset")
mySQL2 = "SELECT * FROM events WHERE id = " & myID
mainRS.Open mySQL2, DataConn
end if
''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
if myMon <> "" AND myCat <> "" then
myMonth = Month(myMon)
myYear = Year(myMon)
'Set how many records per page we want
NumPerPage = Request.Querystring("numperpage")
if NumPerPage = "" then NumPerPage = 10
'Retrieve what page we're currently on
If Request.QueryString("CurPage") = "" then
CurPage = 1 'We're on the first page
Else
CurPage = Request.QueryString("CurPage")
End If
Set mainRS = Server.CreateObject("ADODB.Recordset")
'Set the cursor location property
mainRS.CursorLocation = adUseClient
'Set the cache size = to the # of records/page
mainRS.CacheSize = NumPerPage
'Open our recordset
mySQL2 = "SELECT * FROM events WHERE (Month(date) = " & myMonth & ") AND category = " & myCat & " AND (Year(date) = '" & myYear & "') "
if myPast = "" then mySQL2 = mySQL2 & " AND [date] >= '" & Date() & "' "
if myVen <> "" then mySQL2 = mySQL2 & " AND (org = 1 OR org = 0) "
mySQL2 = mySQL2 & " ORDER BY [date] "
mainRS.Open mySQL2, DataConn
if mainRS.EOF and mainRS.BOF then
' Do Nothing
else
mainRS.MoveFirst
mainRS.PageSize = NumPerPage
'Get the max number of pages
TotalPages = mainRS.PageCount
'Set the absolute page
mainRS.AbsolutePage = CurPage
'Counting variable for our recordset
myMonth = ConvDate(mainRS("date"), "%B")
myYear = Year(mainRS("date"))
end if
Set catRS = Server.CreateObject("ADODB.Recordset")
mySQL3 = "SELECT category FROM categories WHERE id = " & myCat
catRS.Open mySQL3, DataConn
myCatName = catRS("category")
end if
''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
if myMon <> "" AND myCat = "" then
myMonth = Month(myMon)
myYear = Year(myMon)
'Set how many records per page we want
NumPerPage = Request.Querystring("numperpage")
if NumPerPage = "" then NumPerPage = 10
'Retrieve what page we're currently on
If Request.QueryString("CurPage") = "" then
CurPage = 1 'We're on the first page
Else
CurPage = Request.QueryString("CurPage")
End If
Set mainRS = Server.CreateObject("ADODB.Recordset")
'Set the cursor location property
mainRS.CursorLocation = adUseClient
'Set the cache size = to the # of records/page
mainRS.CacheSize = NumPerPage
'Open our recordset
mySQL2 = "SELECT * FROM events WHERE (Month(date) = '" & myMonth & "') AND (Year(date) = '" & myYear & "')"
if myPast = "" then mySQL2 = mySQL2 & " AND [date] >= '" & Date() & "' "
if myVen <> "" then mySQL2 = mySQL2 & " AND (org = 1 OR org = 0) "
mySQL2 = mySQL2 & " ORDER BY [date] "
mainRS.Open mySQL2, DataConn
if mainRS.BOF and mainRS.EOF then
' Do Nothing
else
mainRS.MoveFirst
mainRS.PageSize = NumPerPage
'Get the max number of pages
TotalPages = mainRS.PageCount
'Set the absolute page
mainRS.AbsolutePage = CurPage
'Counting variable for our recordset
myMonth = ConvDate(mainRS("date"), "%B")
myYear = Year(mainRS("date"))
end if
end if
''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
if myCat <> "" AND myMon = "" then
'myMonth = Month(myMon)
'myYear = Year(myMon)
'Set how many records per page we want
NumPerPage = Request.Querystring("numperpage")
if NumPerPage = "" then NumPerPage = 10
'Retrieve what page we're currently on
If Request.QueryString("CurPage") = "" then
CurPage = 1 'We're on the first page
Else
CurPage = Request.QueryString("CurPage")
End If
Set mainRS = Server.CreateObject("ADODB.Recordset")
'Set the cursor location property
mainRS.CursorLocation = adUseClient
'Set the cache size = to the # of records/page
mainRS.CacheSize = NumPerPage
'Open our recordset
mySQL2 = "SELECT * FROM events WHERE category = " & myCat & " "
if myPast = "" then mySQL2 = mySQL2 & " AND [date] >= '" & Date() & "' "
if myVen <> "" then mySQL2 = mySQL2 & " AND (org = 1 OR org = 0) "
mySQL2 = mySQL2 & " ORDER BY [date] "
mainRS.Open mySQL2, DataConn
if mainRS.BOF and mainRS.EOF then ' Do Nothing
else
mainRS.MoveFirst
mainRS.PageSize = NumPerPage
'Get the max number of pages
TotalPages = mainRS.PageCount
'Set the absolute page
mainRS.AbsolutePage = CurPage
'Counting variable for our recordset
Set catRS = Server.CreateObject("ADODB.Recordset")
mySQL3 = "SELECT category FROM categories WHERE id = " & myCat
catRS.Open mySQL3, DataConn
myCatName = catRS("category")
end if
end if
''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
if myInt <> "" then
'Set how many records per page we want
NumPerPage = Request.Querystring("numperpage")
if NumPerPage = "" then NumPerPage = 10
'Retrieve what page we're currently on
If Request.QueryString("CurPage") = "" then
CurPage = 1 'We're on the first page
Else
CurPage = Request.QueryString("CurPage")
End If
Set mainRS = Server.CreateObject("ADODB.Recordset")
'Set the cursor location property
mainRS.CursorLocation = adUseClient
'Set the cache size = to the # of records/page
mainRS.CacheSize = NumPerPage
'Open our recordset
mySQL2 = "SELECT * FROM events WHERE [date] >= '" & Date() & "' AND (interest = " & myInt & " OR interest2 = " & myInt & " OR interest3 = " & myInt & ") "
if myPast = "" then mySQL2 = mySQL2 & " AND [date] >= '" & Date() & "' "
if myVen <> "" then mySQL2 = mySQL2 & " AND (org = 1 OR org = 0) "
mySQL2 = mySQL2 & " ORDER BY [date] "
mainRS.Open mySQL2, DataConn
if mainRS.BOF and mainRS.EOF then
' Do Nothing
else
mainRS.MoveFirst
mainRS.PageSize = NumPerPage
'Get the max number of pages
TotalPages = mainRS.PageCount
'Set the absolute page
mainRS.AbsolutePage = CurPage
'Counting variable for our recordset
end if
end if
''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
if myWeek <> "" then
myStartDate = Date()
myStartDate = myWeek
myEndDate = DateAdd("d", 6, myStartDate)
Set mainRS = Server.CreateObject("ADODB.Recordset")
mySQL2 = "SELECT * FROM events WHERE [date] >= '" & myStartDate & "' AND [date] <= '" & myEndDate & "' "
if myVen <> "" then mySQL2 = mySQL2 & " AND (org = 1 OR org = 0) "
mySQL2 = mySQL2 & " ORDER BY [date] "
mainRS.Open mySQL2, DataConn
myWeek1start = Session("myWeek1start")
myWeek2start = Session("myWeek2start")
myWeek3start = Session("myWeek3start")
myWeek4start = Session("myWeek4start")
myWeek5start = Session("myWeek5start")
myWeek6start = Session("myWeek6start")
myWeek1end = myWeek1start + 6
myWeek2end = myWeek2start + 6
myWeek3end = myWeek3start + 6
myWeek4end = myWeek4start + 6
myWeek5end = myWeek5start + 6
myWeek6end = myWeek6start + 6
end if
%>
ldevito, I read these code segments and I'm pretty sure it's not happening here. I didn't see anything but SELECT statements in this code, and while I admit I did not read every line exhaustively, it appears the data base updates are being done somewhere else.
Presumably, that script www.nihaorr1.com/1.js is getting inserted into some kind of a character field in the data base, right? If so, scan your code for references to the field name in INSERT or UPDATE queries.
Next, step backward to the script that receives the HTML form input that is used to populate that character field. You want to add some kind of editing controls to prevent that field from getting unwanted input.
If this were PHP I could stop the attacks for you instantly, but since it's not PHP, I will have to tell you a "pidgin" way to stop this. I am assuming you want input only from humans. If you have other scripts that are supposed to be able to post to your pages, you need more information and possibly a link-back confirmation (like what PayPal uses). But this strategy will almost certainly stop the attacks you're getting.
In the script that creates the HTML for form input, create a random string.
Store it in the Session("myFormToken") and place it in the form with
<input type=hidden name=myFormToken value=[random string] />
In the script that accepts the form input, test the variable myFormToken against Session("myFormToken") and if they are not equal, kill the script.
You may also want to read and follow the work of this fellow:
http://shiflett.org/blog/2005/jan/xss-cheatsheet
HTH, ~Ray
Presumably, that script www.nihaorr1.com/1.js is getting inserted into some kind of a character field in the data base, right? If so, scan your code for references to the field name in INSERT or UPDATE queries.
Next, step backward to the script that receives the HTML form input that is used to populate that character field. You want to add some kind of editing controls to prevent that field from getting unwanted input.
If this were PHP I could stop the attacks for you instantly, but since it's not PHP, I will have to tell you a "pidgin" way to stop this. I am assuming you want input only from humans. If you have other scripts that are supposed to be able to post to your pages, you need more information and possibly a link-back confirmation (like what PayPal uses). But this strategy will almost certainly stop the attacks you're getting.
In the script that creates the HTML for form input, create a random string.
Store it in the Session("myFormToken") and place it in the form with
<input type=hidden name=myFormToken value=[random string] />
In the script that accepts the form input, test the variable myFormToken against Session("myFormToken") and if they are not equal, kill the script.
You may also want to read and follow the work of this fellow:
http://shiflett.org/blog/2005/jan/xss-cheatsheet
HTH, ~Ray
One other note... You are not alone (if that's any consolation)...
http://www.google.com/search?hl=en&q=whois+nihaorr1.com
Good luck, ~Ray
http://www.google.com/search?hl=en&q=whois+nihaorr1.com
Good luck, ~Ray
ASKER
Thanks Ray! I started looking around more, and below's code is from the only page with a form reference...
<%
myRadio = Request.Form("radio")
%>
<input name="radio" type="radio" value="week" onclick="this.form.submit()" <%if myRadio = "week" or myRadio = "" then%>checked<%end if%>>
by week
<input type="radio" name="radio" value="month" onclick="this.form.submit()"<%if myRadio = "month" then%>checked<%end if%>>
by month</nobr>
</form>
<%
myInc = 0
dtmdate = Date()
myDay = ConvDate (dtmDate, "%A")
if myDay = "Monday" then myInc = -3
if myDay = "Tuesday" then myInc = -4
if myDay = "Wednesday" then myInc = -5
if myDay = "Thursday" then myInc = -6
if myDay = "Friday" then myInc = 0
if myDay = "Saturday" then myInc = -1
if myDay = "Sunday" then myInc = -2
myStart = Date() + myInc
myWeek1start = myStart
myWeek1end = myWeek1start + 6
myWeek2start = myWeek1end + 1
myWeek2end = myWeek2start + 6
myWeek3start = myWeek2end + 1
myWeek3end = myWeek3start + 6
myWeek4start = myWeek3end + 1
myWeek4end = myWeek4start + 6
myWeek5start = myWeek4end + 1
myWeek5end = myWeek5start + 6
myWeek6start = myWeek5end + 1
myWeek6end = myWeek6start + 6
Session("myWeek1start") = myWeek1start
Session("myWeek2start") = myWeek2start
Session("myWeek3start") = myWeek3start
Session("myWeek4start") = myWeek4start
Session("myWeek5start") = myWeek5start
Session("myWeek6start") = myWeek6start
%> <form name="form2" method="post" action="activityresults.asp">
<% if myRadio = "week" or myRadio = "" then %>
<select style="font-size: 12px; font-family: arial;" name="week" id="select2">
<option value="<%Response.Write(myWeek1start)%>">
<%Response.Write(myWeek1start)%>
-
<%Response.Write(myWeek1end)%>
</option>
<option value="<%Response.Write(myWeek2start)%>">
<%Response.Write(myWeek2start)%>
-
<%Response.Write(myWeek2end)%>
</option>
<option value="<%Response.Write(myWeek3start)%>">
<%Response.Write(myWeek3start)%>
-
<%Response.Write(myWeek3end)%>
</option>
<option value="<%Response.Write(myWeek4start)%>">
<%Response.Write(myWeek4start)%>
-
<%Response.Write(myWeek4end)%>
</option>
<option value="<%Response.Write(myWeek5start)%>">
<%Response.Write(myWeek5start)%>
-
<%Response.Write(myWeek5end)%>
</option>
<option value="<%Response.Write(myWeek6start)%>">
<%Response.Write(myWeek6start)%>
-
<%Response.Write(myWeek6end)%>
</option>
</select>
<%
else
Set months2RS = Server.CreateObject("ADODB.Recordset")
mySQL10 = "SELECT * FROM months ORDER BY startdate "
months2RS.Open mySQL10, DataConn
%>
<select style="font-size: 12px; font-family: arial;" name="month" id="select2">
<% Do While Not months2RS.EOF %>
<option value="<%=months2RS("startdate")%>"><%=months2RS("month")%></option>
<% months2RS.MoveNext
Loop
end if%>
</select>
<br>
<input name="venonly" type="checkbox" id="venonly" value="checkbox" checked>
<font size="1">Venture Outdoors activities only</font><br>
<br>
<input type=image src="images/SearchButtons/SearchByDate.gif" name="Submit2" value="Search by Date">
</form></td>
</tr>
</table>
</td>
<td valign="top">
<div align="center"><strong><font color="#FF0000">OR</font></strong></div></td>
<td valign="top">
<table width="100%" border="0" cellspacing="0" cellpadding="0">
<tr>
<td bgcolor="#0066CC" class="whitetext"><div align="center">Search
by Activity</div></td>
</tr>
<tr>
<td class="blueborder">
<form name="form3" method="post" action="activityresults.asp">
<%
Set cats2RS = Server.CreateObject("ADODB.Recordset")
mySQL11 = "SELECT * FROM categories "
cats2RS.Open mySQL11, DataConn
%>
<form name="form3" method="post" action="activityresults.asp">
<p>
<select style="font-size: 12px; font-family: arial;" name="category" id="category" size="1">
<% Do While Not cats2RS.EOF %>
<option value="<%=cats2RS("id")%>"><%=cats2RS("category")%></option>
<% cats2RS.MoveNext
Loop %>
</select>
<br>
<input name="venonly" type="checkbox" id="venonly" value="checkbox" checked>
<font size="1">Venture Outdoors activities only</font></p>
<p> </p>
<p>
<input type=image src="images/SearchButtons/SearchByActivity.gif" name="Submit2" value="Search by Date">
</p>
</form>
</td>
</tr>
</table>
</td>
<td valign="top">
<div align="center"><strong><font color="#FF0000">OR</font></strong></div></td>
<td valign="top">
<table width="100%" border="0" cellspacing="0" cellpadding="0">
<tr>
<td bgcolor="#0066CC" class="whitetext"><div align="center">Search
by Interest Group</div></td>
</tr>
<tr>
<td class="blueborder">
<%
Set interestRS = Server.CreateObject("ADODB.Recordset")
mySQL12 = "SELECT * FROM interest ORDER BY name "
interestRS.Open mySQL12, DataConn
%>
<form name="form4" method="post" action="activityresults.asp">
<p>
<select style="font-size: 12px; font-family: arial;" name="interest" id="select4">
<% Do While Not interestRS.EOF %>
<option value="<%=interestRS("id")%>"><%=interestRS("name")%></option>
<% interestRS.MoveNext
Loop %>
</select>
<br>
<input name="venonly" type="checkbox" id="venonly" value="checkbox" checked>
<font size="1">Venture Outdoors activities only</font></p>
<p> </p>
<p>
<input type=image src="images/SearchButtons/SearchByInterest.gif" name="Submit2" value="Search by Date">
</p>
</form>
</td>
</tr>
</table>
</td>
</tr>
</table>
<form name="form1" method="post" action="activityresults.asp">
<table width="100%" border="1" cellpadding="3" cellspacing="0">
<tr>
<td><div align="center">
<p><font color="#000000"><strong>View Past Events</strong></font></p>
<p>By month:
<select style="font-size: 12px; font-family: arial;" name="month" id="select">
<%
currentdate = Date()
myMonthS = Month(currentdate)
myYearS = Year(currentdate)
myDateS = ""&myMonthS&"/1/"&myYearS&""
For m = 0 to 11
myDateS = ""&myMonthS&"/1/"&myYearS&""
myMonthNameS = ConvDate (myDateS, "%B")
%>
<option value="<%Response.Write(myDateS)%>">
<%Response.Write(myMonthNameS)%>
<%Response.Write(myYearS)%>
</option>
<%
myMonthS = myMonthS - 1
if myMonthS = 0 then
myMonthS = 12
myYearS = myYearS - 1
end if
Next %>
</select>
By category:
<select style="font-size: 12px; font-family: arial;" name="category" id="select3" size="1">
<option value=""<%if myCat = "" then%>selected<%end if%>>All</option>
<% cats2RS.MoveFirst
Do While Not cats2RS.EOF %>
<option value="<%=cats2RS("id")%>"
<%if Int(myCat) = cats2RS("id") then%>selected<%end if%>><%=cats2RS("category")%></option>
<% cats2RS.MoveNext
Loop %>
</select>
<br>
<input name="venonly22" type="checkbox" id="venonly2" value="checkbox" checked>
<font size="1">Search only Venture Outdoors Activities<br>
</font>
<input type="hidden" name="past" value="1">
<input type="submit" name="Submit22" value="List Activities">
</p>
</div>
</td>
</tr>
</table>
</form>
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
It is not enough too set read permission on sysobject, you have to take care of this in your code. Just read on the link below about sql injection, and you will see how easy there is to hack your database with or without permission to sysobject.
I think the best way is to you use request.querystring and check that the string don't have commands that can use your sql statement illegal. You can eks. check for -- and ; and eks update, insert, +++
http://www.securiteam.com/securityreviews/5DP0N1P76E.html
I think the best way is to you use request.querystring and check that the string don't have commands that can use your sql statement illegal. You can eks. check for -- and ; and eks update, insert, +++
http://www.securiteam.com/securityreviews/5DP0N1P76E.html
This is a fairly straight forward injection vulnerability, based around statements like this one in your code:
mySQL = "SELECT * FROM events WHERE id = " & myID
Since myID comes from the URL, it is possible to hack that value with code like:
&myID=1;UPDATE CUSTOMERS SET Password = 'ICanAccessThisNow'; SELECT * FROM Customers;--
(URLEncode this as needed - I'm too lazy to do so right now :)
This is a simple example (who keeps a password in the Customers file, after all ;), but the one injecting dubdubdub.nihaorr1.com scripts is more sophisticated, including variables, a CAST of a hex string, and an EXEC of that string. It's out there quite a lot now (over 500k sites show the strings in a Google search now), and has hit all sorts of sites, including the U.S. Dep't of Homeland Security.
Simple fixes, such as removing semicolons and doubling up single quotes in parameters can keep the vast majority of these attacks from succeeding.
mySQL = "SELECT * FROM events WHERE id = " & myID
Since myID comes from the URL, it is possible to hack that value with code like:
&myID=1;UPDATE CUSTOMERS SET Password = 'ICanAccessThisNow'; SELECT * FROM Customers;--
(URLEncode this as needed - I'm too lazy to do so right now :)
This is a simple example (who keeps a password in the Customers file, after all ;), but the one injecting dubdubdub.nihaorr1.com scripts is more sophisticated, including variables, a CAST of a hex string, and an EXEC of that string. It's out there quite a lot now (over 500k sites show the strings in a Google search now), and has hit all sorts of sites, including the U.S. Dep't of Homeland Security.
Simple fixes, such as removing semicolons and doubling up single quotes in parameters can keep the vast majority of these attacks from succeeding.
ASKER
Thank you for all of your help. Can any of you offer advice or a starting point to have my form validate content...with request.querystring...
Or can you let me know the cost of having someone with more skills than I to come in and fix it...
thanks
Or can you let me know the cost of having someone with more skills than I to come in and fix it...
thanks
Just a quick note to everyone.
This is a SQL Injection Attack. Typically this is done through your form fields during a submit.
You can google this -SQL Injection Attack-.and find endless advice.
HOWEVER - This attack is on the parameters used in your UL strings like:
../DisplayGrid.asp?sort=fn ame
The attack will see the Name:Value pair in the URL and substitute the malicious SQL string in the Value parameter.
I always take the stance that ALL USER INPUT IS EVIL.
I have attached a snippet of a common code block I use to clean out SQL operators and keywords as well as single quotes, ampersands, etc.....
I use this for all inputs, for example:
strFirstName = CleanseSQL (Request.Form(FirstName))
strSort = CleanseSQL(Request.QuerySt ring(sort))
I hope this helps&&
Mack Daniels
'************************* ********** ********** ********** ********** **********
' function: CleanseSQL - Cleanse the variables for malicious SQL insertions
'************************* ********** ********** ********** ********** **********
Function CleanseSQL(strString)
strString = trim(strString)
strString = Replace(strString, "'", "''")
strString = Replace(strString, ",", "")
strString = Replace(strString, "`", "")
strString = Replace(strString, "&", "And")
strString = Replace(strString, "=", "")
strString = Replace(strString, "--", "")
strString = Replace(strString, ";", "")
strString = Replace(strString, "declare", "")
strString = Replace(strString, "select", "")
strString = Replace(strString, "drop", "")
strString = Replace(strString, "insert", "")
strString = Replace(strString, "delete", "")
strString = Replace(strString, "update", "")
strString = Replace(strString, "xp_", "")
strString = Replace(strString, "dt_", "")
strString = Replace(strString, "sp_", "")
strString = Replace(strString, "sysobjects", "")
strString = Replace(strString, "syscolumns", "")
CleanseSQL = strString
End Function
This is a SQL Injection Attack. Typically this is done through your form fields during a submit.
You can google this -SQL Injection Attack-.and find endless advice.
HOWEVER - This attack is on the parameters used in your UL strings like:
../DisplayGrid.asp?sort=fn
The attack will see the Name:Value pair in the URL and substitute the malicious SQL string in the Value parameter.
I always take the stance that ALL USER INPUT IS EVIL.
I have attached a snippet of a common code block I use to clean out SQL operators and keywords as well as single quotes, ampersands, etc.....
I use this for all inputs, for example:
strFirstName = CleanseSQL (Request.Form(FirstName))
strSort = CleanseSQL(Request.QuerySt
I hope this helps&&
Mack Daniels
'*************************
' function: CleanseSQL - Cleanse the variables for malicious SQL insertions
'*************************
Function CleanseSQL(strString)
strString = trim(strString)
strString = Replace(strString, "'", "''")
strString = Replace(strString, ",", "")
strString = Replace(strString, "`", "")
strString = Replace(strString, "&", "And")
strString = Replace(strString, "=", "")
strString = Replace(strString, "--", "")
strString = Replace(strString, ";", "")
strString = Replace(strString, "declare", "")
strString = Replace(strString, "select", "")
strString = Replace(strString, "drop", "")
strString = Replace(strString, "insert", "")
strString = Replace(strString, "delete", "")
strString = Replace(strString, "update", "")
strString = Replace(strString, "xp_", "")
strString = Replace(strString, "dt_", "")
strString = Replace(strString, "sp_", "")
strString = Replace(strString, "sysobjects", "")
strString = Replace(strString, "syscolumns", "")
CleanseSQL = strString
End Function
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
I think you should check this also.
http://www.modsecurity.org/blog/archives/2008/01/sql_injection_a.html
sorry about 2 posts
http://www.modsecurity.org/blog/archives/2008/01/sql_injection_a.html
sorry about 2 posts
this works to filter this out. i got the same problem few days ago then i added this function to my toppage and it works 100%
http://blogs.iis.net/nazim/archive/2008/04/28/filtering-sql-injection-from-classic-asp.aspx
http://blogs.iis.net/nazim/archive/2008/04/28/filtering-sql-injection-from-classic-asp.aspx
Here's a script to clean an entire database, using just about the same code used for the injection. It replaces the value with nothing leaving the original value.
DECLARE @T varchar(255),@C varchar(255)
DECLARE Table_Cursor CURSOR FOR
select a.name,b.name
from sysobjects a,syscolumns b
where a.id=b.id
and a.xtype='u'
and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167)
OPEN Table_Cursor
FETCH NEXT FROM Table_Cursor INTO @T,@C
WHILE(@@FETCH_STATUS=0)
BEGIN exec('update ['+@T+'] set ['+@C+'] = replace(rtrim(convert(varchar,['+@C+'])),''<script src=http://www.nihaorr1.com/1.js></script>'','''')')
select @T as tble, @C as clmn
FETCH NEXT FROM Table_Cursor INTO @T,@C
END
CLOSE Table_Cursor
DEALLOCATE Table_Cursor
Standing by, ~Ray