QueryStrings (asked by net-workx)
I have just been looking into the server logs for a site of mine and saw a request with the querystring:
/ViewProduct.asp?ProductID=42%20or%201=convert(int,(select%20@@version%2b'/'%2b@@servername%2b'/'%2bdb_name()%2b'/'%2bsystem_user))--sp_password
Which, when entered into an Explorer page, displays...
[Microsoft][ODBC Microsoft Access Driver] Syntax error. in query expression 'intProductID = 42 or 1=convert(int,(select @@version+'/'+@@servername+'/'+db_name()+'/'+system_user))--sp_password'.
/includes/view_product.asp, line 6
Was this someone trying to gain access to the DB and see what's in it?
I would be grateful for any information on what this query string is trying to do.
Regards,
Carl
ASKER CERTIFIED SOLUTION
you could try the same thing they did
-> /ViewProduct.asp?ProductID=42%20or%201=convert(int,(select%20@@version%2b'/'%2b@@servername%2b'/'%2bdb_name()%2b'/'%2bsystem_user))--sp_password)
and see if it throws up that error. Easiest way to check is to do /ViewProduct.asp?ProductID='1
then on the requested page do a response.write(killC(request.querystring("ProductID")))
if it writes out the ` instead of the ' you'll know it works. A single quote in a SQL statement escapes the SQL, allowing other code to potentially be run. What it looks like they tried to do was get your database's connection info (dbName, server, username, password)
ASKER
OK, I'll go and try...
Just for further info, the request came from Microsoft URL Control - 6.00.8169 on IP address: 58.187.52.17
I have just done some research on MS URL Control and it all points to something nasty at the other end!
ASKER
OK, I did this...
<%
ProductID = killC(Request.QueryString("ProductID"))
%>
QueryString: <% response.write(killC(request.querystring("ProductID"))) %>
<%
Set RS = Server.CreateObject("ADODB.Recordset")
SQL = "SELECT * FROM tblProducts WHERE intProductID = " & ProductID
RS.Open SQL,Connection,3,3
%>
and the page displays...
QueryString: `1
Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC Microsoft Access Driver] Missing ), ], or Item in query expression 'intProductID = `1'.
/includes/view_product.asp, line 11
So I take it it's all working OK then?
Microsoft URL Control - 6.00.8169 is the first time I've seen anything like this, but now that you mention it, I have searched around a little bit. Looks like this "spider" looks for certain files on your site, to try to exploit the site. I'm almost positive that it doesn't have anything to do with the querystring you saw; it may be a freak coincidence.
->So i take it is all working ok then?<- yes.
ASKER
Good good, sorry to be a pain, it's just reassuring when you confirm it with someone else when it comes down to security.
Points awards for excellent answer.
no problem at all.
Thanks for the grade :)
ASKER
<!--#include virtual="/includes/functio
ProductID = killC(Request.QueryString("ProductID"))
SQL statement says SQL = "SELECT * FROM tblXXX WHERE ID = " & ProductID
RS.Open SQL,MyConn,3,3
The function is included in a function.asp file at the top.
However, when I run this it still comes up with the same in the server logs...
I take it that this would be the case, as the server would still get the same query string... Is there any way to test that this is all working OK, as I want to ensure it is secure?
Thanks,
Carl
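The two open questions in this thread (what the logged query string does, and how to test that the page is safe from it) can be worked through offline. The following Python is an added example and is not code from the thread or from the asker's site. It assumes a constructed log line format (the IP, request and user-agent are the ones quoted in the thread), models the thread's killC() as kill_c(), which per the accepted answer only swaps single quotes for backticks, and adds the check a practitioner would want for a numeric id: an integer allow-list, which rejects the logged value outright instead of relying on the database to choke on the backticks. Note that the quote-swapping leaves the "42 or 1=..." part of the decoded value untouched; only the allow-list rejects it.

```python
"""Added example (not from the original thread): decode the ProductID
value seen in a server log line, model the thread's killC() check, and show
an integer allow-list check that rejects the logged value before it reaches
the SQL string. Log lines below are constructed for this example."""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed log lines. The first carries the exact query string quoted in
# the question; the second is an ordinary product request.
LOG_LINES = [
    '58.187.52.17 - - [01/Jan/2007:10:00:00 +0000] "GET /ViewProduct.asp?'
    "ProductID=42%20or%201=convert(int,(select%20@@version%2b'/'%2b@@servername"
    "%2b'/'%2bdb_name()%2b'/'%2bsystem_user))--sp_password"
    ' HTTP/1.1" 500 - "Microsoft URL Control - 6.00.8169"',
    '192.0.2.10 - - [01/Jan/2007:10:00:05 +0000] "GET /ViewProduct.asp?'
    'ProductID=42 HTTP/1.1" 200 - "Mozilla/5.0"',
]

# Request target sits between the method and the protocol in the log line.
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')

# Tokens that have no business inside a product id (a detection aid only).
SQL_MARKERS = re.compile(
    r"\b(?:or|and|select|union|convert|exec)\b|--|@@|;|\bsp_|\bxp_",
    re.IGNORECASE,
)


def product_id_from_log_line(line):
    """Return the URL-decoded ProductID value from a log line, or None."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    query = urlsplit(m.group(1)).query
    values = parse_qs(query, keep_blank_values=True).get("ProductID")
    return values[0] if values else None


def kill_c(value):
    """Model of the thread's killC(): replace single quotes with backticks.
    This is an assumption about its behaviour, based on the accepted answer."""
    return value.replace("'", "`")


def validate_product_id(value):
    """Allow-list check for a numeric id: only a plain integer of up to nine
    digits passes. Returns the int, or None when the value must be rejected."""
    if value is None or not re.fullmatch(r"[0-9]{1,9}", value):
        return None
    return int(value)


def flag_suspicious(value):
    """Sorted, de-duplicated list of SQL-looking tokens in a decoded value."""
    return sorted({m.group(0).lower() for m in SQL_MARKERS.finditer(value or "")})


def scan_log(lines):
    """Report each request whose ProductID fails the allow-list check, with
    the decoded value, the tokens that make it suspicious, and what the
    quote-swapping check alone would have passed on to the SQL string."""
    report = []
    for line in lines:
        raw = product_id_from_log_line(line)
        if raw is None or validate_product_id(raw) is not None:
            continue  # no ProductID, or a clean integer: nothing to report
        report.append({
            "client": line.split(" ", 1)[0],
            "decoded": raw,
            "tokens": flag_suspicious(raw),
            "after_kill_c": kill_c(raw),
        })
    return report


if __name__ == "__main__":
    for finding in scan_log(LOG_LINES):
        print(f"{finding['client']}: {finding['decoded']}")
        print(f"  tokens: {finding['tokens']}")
        print(f"  after killC(): {finding['after_kill_c']}")
```

Run against the constructed lines, the scanner reports only the 58.187.52.17 request, and the decoded value it prints is the same text the Access driver echoed back in the error message on the page. In the ASP page itself the equivalent of validate_product_id (rejecting anything that is not a plain integer before building the SQL) is the check to add; passing the id as an ADODB.Command parameter rather than concatenating it into the string is the standard long-term fix.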