• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 709

Stopping SQL Injection ASP

hey guys and gals,
I would have never thought I would be hacked, but over the last few days that has happened.  Looks like they have flooded my db with some information, hopefully not getting anything in return...

I use Dreamweaver CS3 to do the majority of my sql statements and recordset building.  I was under the assumption that because they use prepared statements (I think that is what it is called) and parameters I was fairly safe when it came to injections.

Here is my dreamweaver generated code:
If (CStr(Request("MM_insert")) = "signupForm") Then
  If (Not MM_abortEdit) Then
    ' execute the insert
    Dim MM_editCmd

    Set MM_editCmd = Server.CreateObject ("ADODB.Command")
    MM_editCmd.ActiveConnection = MM_orderCaveBearAwesome_STRING
    ' The SQL text is fixed; each ? is a placeholder that the driver fills from the bound parameters below.
    MM_editCmd.CommandText = "INSERT INTO ordercave.ordercavecustomer (cusEmail, password, malID, profileActive, signDate) VALUES (?, ?, ?, ?, ?)" 
    MM_editCmd.Prepared = true
    ' CreateParameter(name, type, direction, size, value): type 201 = adLongVarChar, 5 = adDouble; direction 1 = adParamInput
    MM_editCmd.Parameters.Append MM_editCmd.CreateParameter("param1", 201, 1, 255, Request.Form("signEmail")) ' adLongVarChar
    MM_editCmd.Parameters.Append MM_editCmd.CreateParameter("param2", 201, 1, 255, Request.Form("signPw")) ' adLongVarChar (stored exactly as typed, not hashed)
    MM_editCmd.Parameters.Append MM_editCmd.CreateParameter("param3", 201, 1, 255, Request.Form("malID")) ' adLongVarChar
    MM_editCmd.Parameters.Append MM_editCmd.CreateParameter("param4", 5, 1, -1, MM_IIF(Request.Form("profileActive"), Request.Form("profileActive"), null)) ' adDouble
    MM_editCmd.Parameters.Append MM_editCmd.CreateParameter("param5", 201, 1, 10, Request.Form("signDate")) ' adLongVarChar
    ' Run the prepared statement. The form values are handed to the driver as data;
    ' nothing in this code splices them into the SQL text.
    MM_editCmd.Execute
    MM_editCmd.ActiveConnection.Close

    ' append the query string to the redirect URL
    ' (URL-encode the e-mail so characters such as & or # cannot alter the redirect target)
    Dim MM_editRedirectUrl
    MM_editRedirectUrl = "signupPage2.asp?login=" & Server.URLEncode(Request.Form("signEmail"))
    If (Request.QueryString <> "") Then
      If (InStr(1, MM_editRedirectUrl, "?", vbTextCompare) = 0) Then
        MM_editRedirectUrl = MM_editRedirectUrl & "?" & Request.QueryString
      Else
        MM_editRedirectUrl = MM_editRedirectUrl & "&" & Request.QueryString
      End If
    End If
    Response.Redirect(MM_editRedirectUrl)
  End If
End If


It looks like they added about 150 records to my db yesterday, mostly with info like this: '));SELECT pg_sleep(3);--

How come dreamweaver's parameters didn't stop the attack?

3 Solutions
There is no validation of the parameters (from the code you provided) - they are blindly added to the SQL before execution.
From your description I don't see that you've been cracked... you do have some records with data that show they tried to inject your app, but since you have bind variables, they have been used as strings and inserted as any other data would have been.

If you had NOT used binds, then you would NOT see the evidence of the cracking attempts. Instead, their strings would have been taken as commands, EXECUTED, and therefore NOT recorded as data in your 150 records.

So, what evidence (if any) are you claiming as proof of a supposedly successful cracking?
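To make the point of the answer above concrete, here is an added example (not from the thread, and not Dreamweaver's code). Python with the built-in sqlite3 module stands in for classic ASP and ADODB: the table and column names mirror the INSERT in the question, the database engine does not (the pg_sleep payload in the question targets PostgreSQL). The first payload is the exact string the poster found in his table; the second, TAILORED_PAYLOAD, is constructed here to fit the concatenated statement and show what an attacker gets when the values are NOT bound.

```python
import sqlite3

# The string the poster found in about 150 rows (an sqlmap-style PostgreSQL time-delay probe).
THREAD_PAYLOAD = "'));SELECT pg_sleep(3);--"

# Constructed for this demo: shaped to fit the concatenated INSERT below, it smuggles a
# second row into the VALUES list and comments out the rest of the statement.
TAILORED_PAYLOAD = "a@x.example', 'p', 'm', 1, 'd'), ('injected@evil.example', 'p', 'm', 1, 'd');--"

DDL = """CREATE TABLE ordercavecustomer (
    cusEmail TEXT, password TEXT, malID TEXT, profileActive REAL, signDate TEXT)"""


def fresh_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(DDL)
    return conn


def insert_concatenated(conn, email, pw, mal_id, active, sign_date):
    """The vulnerable pattern: form values spliced into the SQL text, so any quoting
    the input contains becomes part of the statement. Returns the SQL the engine saw."""
    sql = ("INSERT INTO ordercavecustomer (cusEmail, password, malID, profileActive, signDate) "
           "VALUES ('%s', '%s', '%s', %s, '%s')" % (email, pw, mal_id, active, sign_date))
    conn.execute(sql)
    conn.commit()
    return sql


def insert_bound(conn, email, pw, mal_id, active, sign_date):
    """The pattern the Dreamweaver code uses: fixed SQL with placeholders, values bound
    separately. A bound value can never change the shape of the statement."""
    sql = ("INSERT INTO ordercavecustomer (cusEmail, password, malID, profileActive, signDate) "
           "VALUES (?, ?, ?, ?, ?)")
    conn.execute(sql, (email, pw, mal_id, active, sign_date))
    conn.commit()
    return sql


def stored_emails(conn):
    return [row[0] for row in conn.execute("SELECT cusEmail FROM ordercavecustomer ORDER BY rowid")]


def demo():
    results = {}

    # 1. Bound: the poster's payload lands in cusEmail as an ordinary string, which is
    #    exactly what he saw in his 150 rows. Nothing in it was executed.
    conn = fresh_db()
    insert_bound(conn, THREAD_PAYLOAD, "x", "x", 1, "2009-01-01")
    results["bound_rows"] = stored_emails(conn)

    # 2. Concatenated with the same payload: the quote and parentheses close the VALUES
    #    list early and the statement no longer parses. SQLite reports a syntax error and
    #    refuses stacked statements; on a server/driver that runs them, the text after the
    #    ';' would be executed as a second statement.
    conn = fresh_db()
    try:
        insert_concatenated(conn, THREAD_PAYLOAD, "x", "x", 1, "2009-01-01")
        results["concat_thread"] = "executed"
    except sqlite3.Error as exc:
        results["concat_thread"] = "rejected: %s" % exc

    # 3. Concatenated with a payload shaped for this statement: one form field, two rows.
    conn = fresh_db()
    insert_concatenated(conn, TAILORED_PAYLOAD, "x", "x", 1, "2009-01-01")
    results["concat_tailored_rows"] = stored_emails(conn)

    # 4. Bound with the tailored payload: one row, the whole string stored as the e-mail.
    conn = fresh_db()
    insert_bound(conn, TAILORED_PAYLOAD, "x", "x", 1, "2009-01-01")
    results["bound_tailored_rows"] = stored_emails(conn)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

Case 3 is the one to look at: with concatenation the attacker decides how many rows go in and what they contain; with binding (cases 1 and 4) the same bytes are just a strange e-mail address. That is why the 150 rubbish rows are evidence of attempts, not of a compromise.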
Slim81Author Commented:
Thanks for the info guys.

This is my first experience with being hacked, so I really don't have much to go on, other than what has transpired over the last few days.

Here is the brief history:
1) They had pointed their domain to my servers, so my site showed up live under their domain.  ** I stopped that by using:
If Request.ServerVariables("SERVER_NAME") = "mysite.com" Or Request.ServerVariables("SERVER_NAME") = "www.mysite.com" Then
  ' expected host name: the rest of the page goes here
Else
  ' request arrived under somebody else's host name: refuse to serve it
  Response.Status = "403 Forbidden"
  Response.End
End If


And if they plan to use Iframes:
<script type="text/javascript">
  // frame-busting: if this page was loaded inside someone else's frame, break out to the real site
  if (top.location != self.location) {
    top.location.href = "http://mysite.com";
  }
</script>

2) I was sent 8,000+ emails in a few minutes' time.  I have yet to stop this, I assume some type of "captcha" will stop this.

3) The 150+ entries into my db, all with info that doesn't match the system (ie: no valid email address, passwords, etc.)

I didn't know if they had gained access to the system or had even seen the contents of my db, all I know is that they have tried about 100 times.....

You say that because dreamweaver used binds, the info was just inserted and not executed?  That is nice to hear....

Agreed with @Akenathon. Someone tried to use SQL Injection but you were saved from it.
Slim81Author Commented:
Is there any way to stop the attacks from even being tried?  or will the attackers simply get bored with the site and move on to someone else (hopefully)?

Yes, I'm saying your DB has not been compromised by THAT portion of code (which does not imply that you are safe... 99% safe is 100% exposed so check the rest of your code!!).

You cannot keep them from trying... but you can get them bored more quickly, e.g.:

- To reduce the emails, do use captchas, or registration/membership with verified email addresses before they can send you anything.
- To reduce rubbish in your database, you can sanitize your inputs, e.g. look for quotes in the parameters and cancel the transaction. You can just show an error, or see next item...
- To temporarily avoid being attacked repeatedly, whenever you detect various cracking attempts in a row from the same IP, ban the originating IP for say 15 minutes. Google for IPS (Intrusion Prevention System) for automated solutions -they detect attacks, prevent them from reaching your server, ban the IPs... everything! :-)

You'll never be safe if they use 100s of different IPs... but that's unlikely because of the resources needed, and anyway even the biggest sites cannot resist a DDOS (Distributed Denial Of Service), so your boss cannot complain if you get one of those. He should be proud that somebody actually takes that much interest in his website! :D
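The temporary ban described in the answer above, as an added example that is not part of the thread and not a product the answer names. It is Python and in-memory; the thresholds (5 suspicious requests within 60 seconds, 15-minute ban) are assumptions, and on a real site the state would live somewhere shared between requests (the ASP Application object, a table, or the IPS itself). Timestamps are passed in explicitly so the sequence can be replayed without waiting.

```python
from collections import deque


class AttemptTracker:
    """Counts suspicious requests per source address in a sliding window and bans
    the address for a fixed period once the threshold is reached."""

    def __init__(self, max_attempts=5, window_seconds=60, ban_seconds=15 * 60):
        self.max_attempts = max_attempts
        self.window = window_seconds
        self.ban = ban_seconds
        self._attempts = {}       # ip -> deque of timestamps of suspicious requests
        self._banned_until = {}   # ip -> timestamp at which the ban expires

    def is_banned(self, ip, now):
        until = self._banned_until.get(ip)
        if until is None:
            return False
        if now >= until:
            del self._banned_until[ip]   # ban expired: forget the address
            return False
        return True

    def record_attempt(self, ip, now):
        """Call this when a request from `ip` looks like an attack (for instance its input
        failed validation). Returns True if the address is banned after this request."""
        if self.is_banned(ip, now):
            return True
        q = self._attempts.setdefault(ip, deque())
        q.append(now)
        while q and now - q[0] > self.window:   # drop attempts outside the window
            q.popleft()
        if len(q) >= self.max_attempts:
            self._banned_until[ip] = now + self.ban
            q.clear()
            return True
        return False


def client_ip(server_variables, trusted_proxy=False):
    """Choose the address to key on. REMOTE_ADDR comes from the TCP connection and cannot be
    changed by just editing a request; X-Forwarded-For is an ordinary header any client can
    write, so honour it only behind a proxy you control, and then take the LAST entry, which
    is the one your own proxy appended (assumes a single proxy hop)."""
    if trusted_proxy and server_variables.get("HTTP_X_FORWARDED_FOR"):
        return server_variables["HTTP_X_FORWARDED_FOR"].split(",")[-1].strip()
    return server_variables.get("REMOTE_ADDR", "")


def simulate():
    """Constructed timeline: one address sends 5 bad requests in 8 seconds, then comes back
    14 minutes and 16 minutes after the ban started; a second address sends one bad request."""
    tracker = AttemptTracker()
    attacker = "198.51.100.7"    # documentation address, constructed for the demo
    results = [tracker.record_attempt(attacker, t) for t in (0, 2, 4, 6, 8)]
    still_banned = tracker.is_banned(attacker, 8 + 14 * 60)
    released = tracker.is_banned(attacker, 8 + 16 * 60)
    other = tracker.record_attempt("203.0.113.9", 9)
    return results, still_banned, released, other


if __name__ == "__main__":
    print(simulate())   # ([False, False, False, False, True], True, False, False)
```

Two design points: the counter is keyed on the server-side address, not on anything stored in the visitor's session, because an attacker simply drops the session cookie between requests; and the ban is time-limited, so a shared or spoofed address is not locked out forever.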
Slim81Author Commented:
Thanks for the input....

I am thinking about trying to implement some type of IP restriction.  But I need to understand how they are attacking the site/page/db....

If I were to simply deny the following characters in my data: ", ', =, <, >, wouldn't that stop the attack?  If any of those characters exist, then I will stop the page from loading.  I am only collecting an email address, password, and something similar to an affiliate ID, all of which don't require the above characters.

Also, is there a safe way to log someones IP address?  Would storing that information in a session variable and then starting a type of counter work?  Wouldn't the session IP be susceptible to attacks as well?


As already mentioned, sanitize your input.  For your inserts, switch them to stored procedures with strongly-typed parameters.  Additionally, you can add some httpHandlers that will deal with all requests to remove any incoming stop words, such as insert, drop, delete, etc.  The OWASP project can provide you with great starting points to help clean up your code:


Taking anything straight from Dreamweaver (or Visual Studio for that matter) without adding your own security is essentially asking for trouble.  A classic guide, though it's a heavy read, to secure web applications can be downloaded here:


It provides a broad level of enterprise level tactics to deal with code issues.

For more SQL specific details, review the articles here:


It may take a while to walk through all these articles and fully grasp what they are suggesting, but, once you make these essential changes to your coding culture (assuming it's not just you), secure coding against SQL injection will become second nature from now on.
SQL injection is the top-rated web application attack these days. There is a lot of insecure code on the net, and there are also several ways to protect an ASP.NET application from SQL injection attacks. SQL injection can occur when an application uses input to construct dynamic SQL statements, or when it uses stored procedures to connect to the database. Methods of SQL injection exploitation are classified according to the DBMS type and the exploitation conditions: a vulnerable request can implement INSERT, UPDATE or DELETE; it is possible to inject SQL code into any part of the SQL request; blind SQL injection; and the features of the SQL implementations used in the various DBMS. Successful SQL injection attacks enable attackers to execute commands in an application's database and also take over the server.

My recommendations:
- Basically, make sure your web server is up to date with the latest security fixes/patches.
- Make sure you filter every user input and output, with proper encoding such as UTF-8.
Read the full testing guide: https://www.owasp.org/images/8/89/OWASP_Testing_Guide_V3.pdf
- Try to implement a web application scanner; check this link: http://trac.ush.it/ush/wiki/SecurityTools
- I use, e.g., the Watchfire (now IBM AppScan) tools http://www-01.ibm.com/software/rational/offerings/websecurity/ to scan all my web applications, and also BackTrack + Metasploit for vulnerabilities, Nessus (on Linux if you can) http://www.nessus.org/nessus/ , Nikto (Linux) http://www.cirt.net/nikto2, and MBSA (debatable) http://technet.microsoft.com/en-us/security/cc184923.aspx

Here is the site's newsletter "Security Database Tools Watch"
This letter summarizes the articles and news items published in the last 7 days.

Check Google for more on how to protect against SQL injection.
Regarding the Microsoft side, check http://msdn.microsoft.com/en-us/library/ms998271.aspx
Search http://www.sans.org/ for "sql injection"
WASC: http://projects.webappsec.org/SQL-Injection
OWASP: http://www.owasp.org/index.php/SQL_Injection
CodeProject http://www.codeproject.com/KB/database/SqlInjectionAttacks.aspx
Hakin9: http://hakin9.org/article-html/9355-sql-injection-attacks-tutorial
@Slim81: I see you've been provided with more than enough (good) reading material for the next year, so I'll focus on your specific thoughts:

1) Sanitizing is NOT blacklisting: if you just ban a bunch of characters and accept everything else by default, you never know if you are still leaving out some awkward combination. Maybe not today, but who knows what's possible in the next DBMS version? That's why you should consider whitelisting: REJECT BY DEFAULT, just as you do when you're configuring any kind of firewall, and only allow properly formed input to enter your precious database. So, use e.g. regular expressions for names, emails, etc. and trash everything else which does not look the way it should. Blacklisting is also called "known BAD", and is NOT recommended. Whitelisting is the way to go, AKA "known good". Pattern matching is a way of doing either.

2) It's great that you ban the IPs on the app itself, but nowadays you still need an IPS just as much as you need a firewall and an antivirus. The only way to know whether any of your ideas works or not is to try and see if it can be cracked easily. You can hire an ethical hacker for that, but yes... session IP piggybacking and IP spoofing are some of the approaches to bypass banning. Nothing is 100% sure if it needs to work!
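The whitelist-versus-blacklist argument in point 1 above, as an added example that is not part of the thread. It is Python, not the poster's ASP; the three fields are the ones the question lists (email, password, affiliate ID), the "known bad" set is the one proposed in the question, and the "known good" patterns are assumptions to adjust to your own rules. The string "1 OR 1 LIKE 1" is constructed to show input that contains none of the banned characters and still has no business in an affiliate-ID field.

```python
import re

# The "known bad" list proposed in the question: " ' = < >
BLACKLIST = set('"\'=<>')


def passes_blacklist(value):
    """Reject only if a listed character appears; everything else is accepted by default."""
    return not (BLACKLIST & set(value))


# "Known good" shapes, one per field. Assumptions for the demo; tighten or loosen them to
# what your signup form genuinely needs. \Z rather than $ so a trailing newline cannot
# sneak past the match (in Python, $ also matches just before a final newline).
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]{1,64}@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+\Z")
PASSWORD_RE = re.compile(r"^[\x21-\x7E]{8,64}\Z")   # printable ASCII, no spaces, 8-64 chars
MALID_RE = re.compile(r"^[A-Za-z0-9]{1,32}\Z")       # affiliate id: letters and digits only

RULES = {
    "signEmail": (EMAIL_RE, "not a well-formed e-mail address"),
    "signPw": (PASSWORD_RE, "password must be 8-64 printable characters without spaces"),
    "malID": (MALID_RE, "affiliate id must be letters and digits only"),
}


def validate_signup(form):
    """Reject by default: return {} only when every required field matches its pattern,
    otherwise a mapping of field -> reason. A missing field counts as malformed."""
    errors = {}
    for field, (pattern, reason) in RULES.items():
        value = form.get(field, "")
        if not isinstance(value, str) or not pattern.match(value):
            errors[field] = reason
    return errors


def demo():
    good = {"signEmail": "alice@example.com", "signPw": "correct-horse-9", "malID": "AFF1234"}
    thread_payload = "'));SELECT pg_sleep(3);--"   # the string from the question
    sneaky = "1 OR 1 LIKE 1"                       # constructed: none of the banned characters
    return {
        "good": validate_signup(good),
        "payload_blacklist": passes_blacklist(thread_payload),
        "payload_whitelist": validate_signup(dict(good, signEmail=thread_payload)),
        "sneaky_blacklist": passes_blacklist(sneaky),
        "sneaky_whitelist": validate_signup(dict(good, malID=sneaky)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

Both approaches catch the pg_sleep string, because it contains a quote. Only the whitelist catches the second one: the blacklist has nothing to object to in "1 OR 1 LIKE 1", while "letters and digits, 1 to 32 of them" rejects it without anyone having had to predict that particular trick. Run the check before the INSERT, keep the bound parameters regardless, and feed rejections into whatever IP-banning you set up.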
Slim81Author Commented:
Thanks to all who have supplied input on my hacking matter!
Question has a verified solution.
