Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

SQL Injection removal

Posted on 2008-10-07
3
Medium Priority
?
328 Views
Last Modified: 2012-05-05
Dear Experts,

We are using IIS6 and SQL Server 2005 to host our clients websites.  One of our websites has been listed by Google with the warning 'This site may harm your computer.'

Having investigated this it would appear that the site is suffering from some kind of SQL Injection attack.  I have run the HP Scrawler tool which confirms that three pages are 'confirmed verbose'.  Having thereafter looked at these pages I cannot see anything strange in the code.  I have tried to find some information with regard to solving this problem but as yet have been unable to find a cure.

We also have SQL server 2008 installed on the server - would it help if I used SQL 2008 to host the database?

Any help would be hugely appreciated.

Regards

Grant
0
Comment
Question by:grantballantyne
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
3 Comments
 
LVL 9

Expert Comment

by:CCongdon
ID: 22662951
You might find that you have had the text fields in your database appended with the following text "<script src=....."
We had that happen. Here's part of what's wrong. Say you're running an e-commerce site, right? And when you go to a product page, you'll do something like a URL that says http://www.whatever.com/product.asp?ProdID=5
And that's fine...unless you allow dbo (Database owner) rights to your DB through the user name.
I had this happen to a client recently (I didn't make the site myself). Here's what I did to correct the problem:
1) I wrote an ASP script that sanatized my db
2) I made two SQL login accounts. One that had DBReader rights, and the other was DBWriter. The one with DBR is for showing stuff, and DBW is for putting stuff in.
3) Sanatize your Request variables before using them! For instance, if your product id is numeric field, the check to see if the Request.QueryString in the above example can be parsed as a number! If not, then drop it. Strip odd characters (such as quote, double quote, and semi-colons) from your data before mating it to a SQL statement. Better yet, use a parameterized query or stored procedure to recall your data from the DB.
0
 
LVL 6

Expert Comment

by:bcsql
ID: 22663411
CCongdon is exactly correct. The problem comes in when a user tries to add SQL commands to the fields in your pages like

;select * from syslogins;

if your fields are not checked and the user has permissions then the user could get all the information requested or execute commands as desired. This is a very simplified example.
0
 
LVL 9

Accepted Solution

by:
CCongdon earned 2000 total points
ID: 22664086
@bcsql - even better, the script that hit my client had a bunch of gibberish enclosed in an EXEC statement. When revealed, the gibbersh was actually an entire SCRIPT!! This script ran through the system objects looking for accessible tables. It then scanned each of these tables for fields there were text types...and then appended rogue <script src="...."> tags onto each of these fields.... THE ENTIRE DATABASE!!!! EVERY TEXT FIELD!!!! I finally figured out how they were doing it by cranking the IIS logging up to max and keeping an eye on them. I finally noticed that most days the log files would be no more than 10MB or so...and then others where they'd be like 30-40MB. Going into those days revealed some pretty horrendous query strings on some of the catalog pages where there should have been nothing but a simple number. Took that and ran it carefully through SQL Studio and saw the ugly script. That's when I looked at the pages and realized that whoever had originally written it hadn't secured it very well.
0

Featured Post

10 Questions to Ask when Buying Backup Software

Choosing the right backup solution for your organization can be a daunting task. To make the selection process easier, ask solution providers these 10 key questions.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

by Mark Wills Attending one of Rob Farley's seminars the other day, I heard the phrase "The Accidental DBA" and fell in love with it. It got me thinking about the plight of the newcomer to SQL Server...  So if you are the accidental DBA, or, simp…
In this article I will describe the Backup & Restore method as one possible migration process and I will add the extra tasks needed for an upgrade when and where is applied so it will cover all.
Monitoring a network: how to monitor network services and why? Michael Kulchisky, MCSE, MCSA, MCP, VTSP, VSP, CCSP outlines the philosophy behind service monitoring and why a handshake validation is critical in network monitoring. Software utilized …
In this video, Percona Solution Engineer Rick Golba discuss how (and why) you implement high availability in a database environment. To discuss how Percona Consulting can help with your design and architecture needs for your database and infrastr…

704 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question