QueryStrings 500points

Posted on 2006-05-22
Last Modified: 2012-05-05
I have just been looking into the server logs for a site of mine and saw a request with the querystring:

/ViewProduct.asp?ProductID=42%20or%201=convert(int,(select%20@@version%2b'/'%2b@@servername%2b'/'%2bdb_name()%2b'/'%2bsystem_user))--sp_password

Which, when entered into an Explorer page, displays...

[Microsoft][ODBC Microsoft Access Driver] Syntax error. in query expression 'intProductID = 42 or 1=convert(int,(select @@version+'/'+@@servername+'/'+db_name()+'/'+system_user))--sp_password'.

/includes/view_product.asp, line 6


Was this someone trying to gain access to the DB and see what's in it?

I would be grateful for any information on what this query string is trying to do.

Regards,
Carl

Question by:net-workx
9 Comments
 
LVL 25

Accepted Solution

by:
kevp75 earned 2000 total points
ID: 16734207
Yes. That was someone trying to hack into your server.

And it is possible they got in. This is a type of SQL injection attack that is easily enough thwarted.

Use a function to strip characters off your querystrings, and form fields.  Something along the lines of this:

function killC(strWords)
      ' Characters to neutralise: straight and curly single quotes
      dim badChars, newChars, i
      badChars = array("'", "’", "‘")
      newChars = strWords
      for i = 0 to uBound(badChars)
            ' Replace() on a Null would only return Null, so skip it
            if not isNull(newChars) then
                  newChars = replace(newChars, badChars(i), "`")
            end if
      next
      ' Optional: turn line breaks into <br /> when the value is echoed to a page
      'newChars = replace(replace(replace(newChars, vbcrlf, "<br />"), vbcr, "<br />"), vblf, "<br />")
      killC = newChars
      ' A bad-word array could be added here in the same way
end function



To use this, just wrap your requests with it... for example:

strValue = killC(request.form("Field"))

or

strValue = killC(request.querystring("Querystring"))

You can go a few steps further as well; just add to the badChars array above to strip out the bad stuff.

HTAH

Author Comment

by:net-workx
ID: 16734368
OK, I now have this...

<!--#include virtual="/includes/functions.asp"-->
ProductID = killC(Request.QueryString("ProductID"))
SQL statement says SQL = "SELECT * FROM tblXXX WHERE ID = " & ProductID
RS.Open SQL,MyConn,3,3

The function is included in a function.asp file at the top.

However, when I run this it still comes up with the same in the server logs...

I take it that this would be the case, as the server would still get the same query string. Is there any way to test this is all working OK, as I want to ensure it is secure?

Thanks,
Carl
LVL 25

Expert Comment

by:kevp75
ID: 16734471
You could try the same thing they did:

->   /ViewProduct.asp?ProductID=42%20or%201=convert(int,(select%20@@version%2b'/'%2b@@servername%2b'/'%2bdb_name()%2b'/'%2bsystem_user))--sp_password)

and see if it throws up that error. The easiest way to check is to do /ViewProduct.asp?ProductID='1

Then on the requested page do a response.write(killC(request.querystring("ProductID")))

If it writes out the ` instead of the ' you'll know it works. A single quote in a SQL statement escapes the SQL, allowing other code to potentially be run. What it looks like they tried to do was get your database's connection info (dbName, server, username, password).

Author Comment

by:net-workx
ID: 16734493
OK, I'll go and try...

Just for further info, the request came from Microsoft URL Control - 6.00.8169 on IP address: 58.187.52.17

I have just done some research on MS URL Control and it all points to something nasty at the other end!

Author Comment

by:net-workx
ID: 16734525
OK, I did this...

<%
ProductID = killC(Request.QueryString("ProductID"))
%>
QueryString: <% response.write(killC(request.querystring("ProductID"))) %>
<%
Set RS = Server.CreateObject("ADODB.Recordset")
SQL = "SELECT * FROM tblProducts WHERE intProductID = " & ProductID
RS.Open SQL,Connection,3,3
%>

and the page displays..

QueryString: `1
Microsoft OLE DB Provider for ODBC Drivers error '80040e14'

[Microsoft][ODBC Microsoft Access Driver] Missing ), ], or Item in query expression 'intProductID = `1'.

/includes/view_product.asp, line 11


So I take it it is all working OK then?
LVL 25

Expert Comment

by:kevp75
ID: 16734577
Microsoft URL Control - 6.00.8169 is the first time I've seen anything like this, but now that you mention it, I have searched around a little bit. Looks like this "spider" looks for certain files on your site, to try to exploit the site. I'm almost positive that it doesn't have anything to do with the querystring you saw; it may be a freak coincidence.
LVL 25

Expert Comment

by:kevp75
ID: 16734589
->So i take it is all working ok then?<-    yes.

Author Comment

by:net-workx
ID: 16734607
Good, good. Sorry to be a pain; it's just reassuring when you confirm it with someone else when it comes down to security.

Points awarded for excellent answer.
LVL 25

Expert Comment

by:kevp75
ID: 16734719
no problem at all.

Thanks for the grade  :)
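The following is an added example, not code from the thread above or from either poster. It decodes the request line quoted in the question into the SQL that view_product.asp would build from it, names the techniques visible in the payload, and sets the quote-stripping filter from the accepted answer (ported to Python here as an assumption) beside the check a practitioner would actually want on a numeric parameter. Two facts about the payload are worth stating plainly: @@version, @@servername, db_name() and system_user are Microsoft SQL Server functions, and convert(int, <string>) on a non-numeric string raises a conversion error whose message quotes the string, so on a SQL Server backend the values would have come back in the error page; the "--" comments out the remainder of the query, and the sp_password after it is there because SQL Server keeps statements containing that text out of its trace output. The Access syntax error in the poster's log shows the backend here is Access and the T-SQL never ran. The caveat: intProductID is compared as a number, so no single quote is needed to reach the query, and stripping quotes leaves "42 or 1=convert(...)" intact. The sample log lines other than the quoted request are constructed for the example.

```python
"""
Added example (not code from the original thread): decode the request the poster
found in the server log, show the SQL it produces, and compare the quote-stripping
filter from the accepted answer with a strict integer check on ProductID.
Everything other than the logged request and the SQL shape is an assumption.
"""
import re
from urllib.parse import parse_qs, urlsplit

# The request line exactly as it appeared in the poster's log.
LOGGED_REQUEST = (
    "/ViewProduct.asp?ProductID=42%20or%201=convert(int,(select%20@@version"
    "%2b'/'%2b@@servername%2b'/'%2bdb_name()%2b'/'%2bsystem_user))--sp_password"
)

# The query from the poster's view_product.asp: the value is pasted in by string
# concatenation, which is what makes the page injectable.
SQL_TEMPLATE = "SELECT * FROM tblProducts WHERE intProductID = {value}"

# T-SQL functions the payload tries to read back through a conversion error.
PROBES = ("@@version", "@@servername", "db_name()", "system_user")


def product_id_from_request(request_line):
    """Return the ProductID value as Request.QueryString("ProductID") would see it."""
    query = urlsplit(request_line).query
    return parse_qs(query, keep_blank_values=True).get("ProductID", [""])[0]


def kill_c(value):
    """Python port (an assumption) of killC() from the accepted answer: straight and
    curly single quotes become a backtick; nothing else is touched."""
    if value is None:
        return None
    for bad in ("'", "\u2019", "\u2018"):
        value = value.replace(bad, "`")
    return value


def build_sql(product_id):
    """Mimic the string concatenation in view_product.asp."""
    return SQL_TEMPLATE.format(value=product_id)


def is_valid_product_id(value):
    """Strict allow-list: only an unsigned integer of sane length is accepted."""
    return re.fullmatch(r"[0-9]{1,9}", value or "") is not None


def describe_payload(value):
    """Name the injection techniques visible in a decoded ProductID value."""
    low = value.lower()
    findings = []
    if re.search(r"\bor\b", low):
        findings.append("appends an OR condition to the numeric WHERE clause")
    if re.search(r"convert\s*\(\s*int", low):
        findings.append("convert(int, <string>) forces an error that echoes the string")
    findings.extend(f"reads {probe}" for probe in PROBES if probe in low)
    if "--" in low:
        findings.append("-- comments out the rest of the original query")
    if "sp_password" in low:
        findings.append("sp_password in the text keeps SQL Server from logging it")
    return findings


# Constructed sample of request lines (only the second is from the poster's log).
SAMPLE_LOG = [
    "/ViewProduct.asp?ProductID=42",
    LOGGED_REQUEST,
    "/ViewProduct.asp?ProductID='1",
    "/ViewProduct.asp?ProductID=42%20or%201=1",
]


def scan_log(lines):
    """Return the request lines whose ProductID fails the integer allow-list.
    Quote-stripping would also catch the third sample but not the fourth."""
    return [line for line in lines
            if not is_valid_product_id(product_id_from_request(line))]


if __name__ == "__main__":
    raw = product_id_from_request(LOGGED_REQUEST)
    print("decoded ProductID :", raw)
    print("SQL executed      :", build_sql(raw))
    for finding in describe_payload(raw):
        print("  -", finding)
    filtered = kill_c(raw)
    print("SQL after killC   :", build_sql(filtered))
    print("OR clause survives:", re.search(r"\bor\b", filtered) is not None)
    print("integer check     :", is_valid_product_id("42"), is_valid_product_id(raw))
    print("flagged log lines :", len(scan_log(SAMPLE_LOG)))
```

In the ASP page itself the equivalent of is_valid_product_id is to reject anything that is not a whole number before it reaches the query, and then to pass the value as a parameter of an ADODB.Command with a "?" placeholder in the CommandText rather than concatenating it into the string; the Access ODBC driver accepts such parameters, and the value can then never change the shape of the statement. The scan_log function is the same check run over a log file, which is how a request like the one in the question shows up before anyone notices it by hand.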
