Solved

SQL Injected data?

Posted on 2016-11-02
82 Views
Last Modified: 2016-11-04
Hello everyone!

I believe we may have been a victim of a SQL injection.  This morning we found some peculiar data in a few tables within our website database and have no clue where it came from.  Doing a Google search shows that quite a few sites seem to have this same data.  Has anyone seen this before, by chance?
I've found 2 variants of it:

<div style="display:none">wer54w66sf32re2</div><div style="display:none">wer54w66sf32re2</div>


and
<a href=http://<div style="display:none">wer54w66sf32re2</div><div style="display:none">wer54w66sf32re2</div> ><div style="display:none">wer54w66sf32re2</div><div style="display:none">wer54w66sf32re2</div></a>



Thank you for your help!
Question by:stdmfgco
8 Comments
 

Author Comment

by:stdmfgco
When you search for this part, wer54w66sf32re2, quite a few websites have it in their code as well.  We only found it because it broke our Google Maps function on our website.  It's almost like a tracking key.
0
 
LVL 30

Assisted Solution

by:Alexandre Simões
Alexandre Simões earned 250 total points
Hi mate,
it's strange, I've never seen this.
Looks like you've been flagged for some purpose.

The second line is even malformed HTML, so it's either an error or your parser broke, but in any case it was never meant to be displayed; still, it gets indexed by Google, as you noticed when you searched by that key value.

Clean-up all that from your DB and test your application against that kind of attacks. I think it's the best you can do.

Cheers,
Alex
1
 
LVL 32

Expert Comment

by:Stefan Hoffmann
Why do you think it is SQL Injection?

In this case you need to check your database layer.
0
 
LVL 50

Expert Comment

by:Steve Bink
That's a canary.

Hackers don't just find a target and sit for hours on end trying to break in.  They have a bot army run automated scans and penetration tests against ranges of IPs.  When something interesting is found, they leave a little breadcrumb to indicate that the site is vulnerable.  A live (evil) person comes back later to dress up the victim.

At the very least, that indicates you have an injection vulnerability in your site.  Time to do a code audit, and the sooner the better.  You can expect more dedicated, specifically targeted attacks in the future.
0
 
LVL 50

Accepted Solution

by:Steve Bink
Steve Bink earned 250 total points
Thinking about this further, this is not indicative of an injection vulnerability.  This shows that you are not scrubbing/filtering your input data as well as you probably should.  The potential vulnerability here lies in the possibility that this HTML is visible on your site.

When an attacker encounters a form, they try to push some HTML into it and detect if it is visible on any of the resulting pages.  If it is visible, then the site is vulnerable to cross-site/forgery attacks.  Imagine an attacker injecting an <iframe> instead of some garbage HTML.  That frame could point to anywhere - spam advertisement, malicious payloads, rick roll videos - and any user of that site would be a potential target.

So, still time for a code audit.  Work towards making any user input "safe".  If you're expecting a number, make sure it is a number.  If you're expecting text, strip out any HTML.  If you're expecting HTML, limit the input elements you will accept.  If it comes from the client, it is unsafe.
0
 
LVL 50

Expert Comment

by:Steve Bink
Luckily, this is a common and well-documented issue, with tons of ready-made solutions available to you.  The first few results of a Google search led me to a variety of workable possibilities.  The basic process is to take each piece of user input and run it through an algorithm designed to remove "bad" stuff.  In this case, you're looking for anything that looks like HTML.  

In truth, the more important aspect of this issue is to make sure you're not RENDERING the input unsafely.  Simply encoding the output into HTML entities or URL encoding should be sufficient to defend against the attack.  In the long run, though, it is better to scrub the input when you first get it rather than worry about having to encode it on each output.
0
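The two comments above describe three separate controls: a sweep that finds tag-shaped values already sitting in the database, input scrubbing for fields that must be plain text (and a strict numeric check for fields that must be numbers), and output encoding so that whatever is stored renders as literal text. The following Python is an added example written for this thread, not code from the asker's site or from any commenter; the function names, the `SAMPLE_ROWS` table and the use of the question's first marker string as a stored value are all constructed for illustration.

```python
import html
import re
from typing import Optional

# Constructed sample: the first marker string quoted in the question, as it
# might sit in a text column of the site's database.
STORED_CANARY = (
    '<div style="display:none">wer54w66sf32re2</div>'
    '<div style="display:none">wer54w66sf32re2</div>'
)

# Anything tag-shaped. Deliberately crude: for a plain-text field we do not
# want to parse HTML, we want to refuse or remove all of it.
TAG_RE = re.compile(r"<[^>]*>")


def looks_like_html(value: str) -> bool:
    """Detection side: does a stored value contain anything tag-shaped?"""
    return TAG_RE.search(value) is not None


def find_tainted(rows, columns):
    """Scan rows (dicts) and report (id, column) for every markup hit.

    This is the kind of sweep that finds a marker like the one in the question
    before it breaks something downstream, such as a maps widget.
    """
    hits = []
    for row in rows:
        for col in columns:
            value = row.get(col)
            if isinstance(value, str) and looks_like_html(value):
                hits.append((row["id"], col))
    return hits


def strip_html(value: str) -> str:
    """Input scrubbing for a field that must be plain text: remove tags outright."""
    return TAG_RE.sub("", value)


def encode_for_html(value: str) -> str:
    """Output encoding: escape &, <, >, double and single quotes so the stored
    value is rendered as text rather than interpreted as markup."""
    return html.escape(value, quote=True)


def require_int(value: str, lo: Optional[int] = None, hi: Optional[int] = None) -> int:
    """If a number is expected, accept only a number, optionally within a range."""
    if not re.fullmatch(r"[+-]?\d+", value.strip()):
        raise ValueError("expected an integer")
    n = int(value)
    if (lo is not None and n < lo) or (hi is not None and n > hi):
        raise ValueError("integer out of range")
    return n


# Constructed rows standing in for a table the asker might scan.
SAMPLE_ROWS = [
    {"id": 1, "name": "Main Street Store", "address": "1 Main St"},
    {"id": 2, "name": "Harbour Branch", "address": STORED_CANARY},
    {"id": 3, "name": "Park <b>Outlet</b>", "address": "5 Park Ave"},
]

if __name__ == "__main__":
    print(find_tainted(SAMPLE_ROWS, ["name", "address"]))
    print(strip_html(STORED_CANARY))
    print(encode_for_html(STORED_CANARY))
```

`encode_for_html` is the control that matters at render time: even if scrubbing is missed somewhere, an escaped value cannot open a tag. `strip_html` is the scrub-on-input step the comment recommends; it is intentionally blunt and should only be applied to fields where no markup is ever legitimate.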
 

Author Closing Comment

by:stdmfgco
I believe we found the issue.  We had a lost password field that wasn't locked down to only allow email addresses.  So far so good! Thanks everyone!
0
 
LVL 30

Expert Comment

by:Alexandre Simões
Hi mate,
make sure you "lock it" on both front and back ends.
Locking it only on the front-end is still very easy to bypass.

Cheers,
Alex
0
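The closing comment and the reply above describe the fix as locking the lost-password field down to e-mail addresses on the server as well as in the browser, and Stefan's earlier comment points at the database layer. The Python below is an added example for this thread, not the asker's code or a commenter's: it shows a server-side handler that validates the field regardless of what the client sent and passes the value to the database only as a bound parameter. The `users` table, the `build_demo_db` helper and the form dictionary are constructed stand-ins.

```python
import re
import secrets
import sqlite3

MAX_EMAIL_LEN = 254
# Conservative pattern: one local part, one "@", a dotted domain. It refuses
# markup, whitespace and quotes outright; anything exotic is rejected on purpose.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")


def is_valid_email(value) -> bool:
    """Server-side check that does not depend on any browser-side script."""
    return (
        isinstance(value, str)
        and len(value) <= MAX_EMAIL_LEN
        and EMAIL_RE.fullmatch(value) is not None
    )


def build_demo_db() -> sqlite3.Connection:
    """Constructed in-memory users table standing in for the site's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, reset_token TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (email, reset_token) VALUES (?, NULL)",
        [("alice@example.com",), ("bob@example.org",)],
    )
    conn.commit()
    return conn


def handle_lost_password(conn: sqlite3.Connection, form: dict):
    """Handler for the lost-password form; returns (status, message).

    The request body is entirely under the client's control, so the same
    validation runs here no matter what the front-end did.
    """
    raw = form.get("email", "")
    if not is_valid_email(raw):
        return 400, "Please enter a valid e-mail address."
    # The value reaches the database only as a bound parameter, never by
    # string concatenation, so its content cannot change the query's shape.
    row = conn.execute("SELECT id FROM users WHERE email = ?", (raw,)).fetchone()
    if row is not None:
        token = secrets.token_urlsafe(32)
        conn.execute("UPDATE users SET reset_token = ? WHERE id = ?", (token, row[0]))
        conn.commit()
    # Same message either way, so the form does not reveal which addresses exist.
    return 200, "If that address is registered, a reset link has been sent."


def reset_token_for(conn: sqlite3.Connection, email: str):
    """Helper for inspection: the stored token for an address, or None."""
    row = conn.execute(
        "SELECT reset_token FROM users WHERE email = ?", (email,)
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = build_demo_db()
    # Constructed submissions: the question's marker string, a quoted value,
    # and a legitimate address.
    for body in (
        {"email": '<div style="display:none">wer54w66sf32re2</div>'},
        {"email": "x' OR '1'='1"},
        {"email": "alice@example.com"},
    ):
        print(body["email"][:40], "->", handle_lost_password(db, body))
```

The two controls are independent: the validator keeps markup and other junk out of the table (the problem the asker found), and the bound parameter keeps whatever does get through from altering the query, which is the SQL-injection concern the title raised.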
