Your idea of denying SELECT access to the sys objects seems to make the most sense of any of the ideas I have read about SQL injectors. That would appear to be a foolproof way of at least stopping the current attackers.
Has this worked for you?
I tried to go in and do this, but my SQL login account does not appear to have permissions (I use a shared SQL Server database at my hosting company).
If I ask my hosting company to do the DENY, is it as simple as the command you included in your post?
Yes. Deny select on .... to sql_login. You need to have sysadmin privileges to do this. Your hosting company should actually do this; I don't know if they have a DBA. I assume it will work for us. I did a test login as the sql_login used for the app and tried to run the command of the script, and I got the "permission denied" error. Let me know if you have any questions. Thanks
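A worked version of that DENY, added here as an example; it is not something posted in the thread. It assumes SQL Server 2005 or later, a login named sql_login as in the reply above, a database called YourAppDb, a placeholder password and an application table dbo.tblProducts, and it must be run by a sysadmin (against a test copy first). It denies every name the catalog is reachable under, then impersonates the app user to confirm that the table/column enumeration the attack depends on is refused while the app's own tables still work. As alexhiggins7 notes later in the thread, this only blinds the attacker to names; it does not remove the injection.

```sql
-- Added example (not from the thread). Run as sysadmin; names are placeholders.
USE master;
GO
IF SUSER_ID('sql_login') IS NULL
    CREATE LOGIN sql_login WITH PASSWORD = 'replace-with-a-long-random-secret';
GO
USE YourAppDb;   -- substitute the application's database
GO
IF USER_ID('sql_login') IS NULL
    CREATE USER sql_login FOR LOGIN sql_login;
GO
-- The web app gets DML on its own schema and nothing more. DENY has no effect
-- on members of sysadmin, so the app must never connect as one.
GRANT SELECT, INSERT, UPDATE, DELETE ON SCHEMA::dbo TO sql_login;
GO
-- Table and column names are reachable under several catalog names; deny all
-- of them, or the attacker simply switches to the one left open.
DENY SELECT ON sys.objects                TO sql_login;
DENY SELECT ON sys.tables                 TO sql_login;
DENY SELECT ON sys.columns                TO sql_login;
DENY SELECT ON sys.sysobjects             TO sql_login;   -- SQL 2000 names
DENY SELECT ON sys.syscolumns             TO sql_login;
DENY SELECT ON INFORMATION_SCHEMA.TABLES  TO sql_login;
DENY SELECT ON INFORMATION_SCHEMA.COLUMNS TO sql_login;
GO
-- Check as the app user. The catalog reads should fail with
-- "The SELECT permission was denied" (error 229); the app table should not.
-- Each statement is its own batch so that the REVERT always runs.
EXECUTE AS USER = 'sql_login';
GO
SELECT o.name AS table_name, c.name AS column_name
FROM sysobjects o JOIN syscolumns c ON o.id = c.id
WHERE o.xtype = 'U';                                  -- expect: permission denied
GO
SELECT TABLE_NAME FROM INFORMATION_SCHEMA.TABLES;     -- expect: permission denied
GO
SELECT TOP 1 * FROM dbo.tblProducts;                  -- app's own table: allowed
GO
REVERT;
GO
```

Run the three checks again after any schema deployment: a tool that recreates the database or re-grants permissions can silently undo the DENYs, and the app login will not complain.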
I added this script to the website and it seems to work very well already. Only a few hours after I set it up, he tried again. This time he was not able to destroy any data in the database. I got the email with the below information. Is there anything at all that can be done to pursue this guy?
greenlit_des...
3 Posts
Re: Anyone know about www.nihaorr1.com/1.js?
May 08, 2008 06:06 AM
alexhiggins7...
5 Posts
Re: Anyone know about www.nihaorr1.com/1.js?
May 08, 2008 06:26 AM
No problem. Like I said, I have had this in place for months and I know that it is working. I would also suggest you download my IIS Log File Viewer and check out the log files on your web server. SQL injection hack attempts are usually easy to spot because the query strings are so long.
As far as some of these ideas here, such as denying access to sys tables, I am sure they will work to an extent, but in a professional environment you may be dealing with hundreds or even thousands of databases and/or users, and all it really does is stop a hacker from discovering the names of databases, tables and columns in your database. If your application is vulnerable to these types of attacks, you need to intercept them before they hit the database, or a hacker will still be able to gain access to sensitive data like usernames, passwords and credit card information.
As far as the post that searches cookies, form values, and query strings, I initially went that route but saw too many false positives, especially in the form values. I would recommend filtering form values in another manner.
<%
' Usage <!-- #include virtual="stringfilters.asp"-->
' For Each Item In Request.Form
'     Request.Form(Item) = getUserInput(Request.Form(Item), -1)
' Next
' (Request.Form is read-only in classic ASP, so in practice assign the
'  filtered result to your own variable rather than back into the collection.)
'
' alternately, if you know a string should be only a certain length
' specify the length -- for a first name -- getUserInput(Request.Form("FirstName"), 50)
'
' Note on the replacement strings below: the forum rendered the HTML entities in
' the original post back into literal characters, so several replace() calls
' came through as no-ops such as replace(s, ";", ";"). The &#nn; / &quot; forms
' used here (including the one in the CHAR replacement) reconstruct that intent
' and are an assumption, not the poster's exact text.

Dim pFilteringLevel
pFilteringLevel = 0

function getLoginField(input, stringLength)
    ' to filter login fields: truncate, then keep only letters, digits, @ . - _
    dim regEx
    Set regEx = New RegExp
    getLoginField = left(trim(input), stringLength)
    regEx.Pattern = "([^-_A-Za-z0-9@.])"
    regEx.IgnoreCase = True
    regEx.Global = True
    getLoginField = regEx.Replace(getLoginField, "")
    Set regEx = nothing
end function

function getUserInput(input, stringLength)
    dim newString, regEx
    Set regEx = New RegExp
    ' only specified length (-1 means no limit)
    if not stringLength = -1 then
        newString = left(trim(input), stringLength)
    else
        newString = input
    end if
    if pFilteringLevel = 1 then
        ' this pattern removes a run of characters outside the allowed set only
        ' when the run is followed by one more character and a literal %;
        ' comment markers and statement separators are then dropped outright
        regEx.Pattern = "([^A-Za-z0-9@=:/*|' _-]+.%)"
        regEx.IgnoreCase = True
        regEx.Global = True
        newString = regEx.Replace(newString, "")
        Set regEx = nothing
        newString = replace(newString, "--", "")
        newString = replace(newString, ";", "")
    end if
    if pFilteringLevel = 2 then
        ' drop comment markers, entity-encode the rest so it is inert in SQL/HTML
        newString = replace(newString, "--", "")
        newString = replace(newString, ";", "&#59;")
        newString = replace(newString, "=", "&#61;")
        newString = replace(newString, "(", "&#40;")
        newString = replace(newString, ")", "&#41;")
        newString = replace(newString, "'", "&#39;")
        newString = replace(newString, """", "&quot;")
    end if
    if pFilteringLevel = 3 then
        newString = replace(newString, "'", "&#39;")
        newString = replace(newString, """", "&quot;")
    end if
    getUserInput = newString
end function

function getUserInputL(input, stringLength)
    ' light filtering
    dim tempStr
    tempStr = left(input, stringLength)
    tempStr = replace(tempStr, "--", "")
    tempStr = replace(tempStr, ";", "&#59;")
    tempStr = replace(tempStr, "=", "&#61;")
    tempStr = replace(tempStr, "(", "&#40;")
    tempStr = replace(tempStr, ")", "&#41;")
    tempStr = replace(tempStr, "CHAR", "CH&#65;R")
    tempStr = replace(tempStr, "'", "&#39;")
    tempStr = replace(tempStr, """", "&quot;")
    getUserInputL = tempStr
end function

function formatForDb(input)
    dim tempStr
    tempStr = input
    if isNull(tempStr) = false then
        ' replace to avoid DB errors: double every single quote, then collapse
        ' runs of quotes that were already doubled (as posted)
        tempStr = replace(tempStr, "'", "''")
        tempStr = replace(tempStr, "''''", "''")
        tempStr = replace(tempStr, "''''''", "''")
        tempStr = replace(tempStr, "''''''''", "''")
        tempStr = replace(tempStr, """", "&quot;")
    end if
    formatForDb = tempStr
end function

function formatNumberForDb(input)
    ' decimal comma to decimal point
    formatNumberForDb = replace(input, ",", ".")
end function
%>
Simontasker
2 Posts
Re: Anyone know about www.nihaorr1.com/1.js?
May 09, 2008 09:53 AM
Morning everyone,
Has anyone managed to replicate the way this virus attacks the system? I'm curious because I've now set up a test server and I'm working on testing different software packages to determine if they are viable to help protect our servers. I know that simply copying and pasting the virus code into the address bar won't work due to the string being far too long, so if anyone has found a way of replicating the attack would you please Private Message me or post here. Also, has anyone tried to block the HTTP_USER_AGENT=Mozilla/3.0 (compatible; Indy Library), as this seems to be the major distributor of the virus...
Thanks
Simon
neilredfern
29 Posts
Re: Anyone know about www.nihaorr1.com/1.js?
May 10, 2008 10:34 AM
Hello,
We were also hit by this attack, although I am puzzled to hear they were able to inject the SQL into our stored procedure. Now I know how SQL injection works, and I have been able to verify that the page was vulnerable to this sort of attack.
The puzzler for me is that they managed to inject around 2000 characters into a stored procedure via a parameter that is declared as a varchar(10). Now in all my tests any content of the parameter over 10 characters is truncated, so how is it they are able to run the code???
Thanks
Neil
alexhiggins7...
5 Posts
Re: Anyone know about www.nihaorr1.com/1.js?
May 10, 2008 09:03 PM
Please post your code. To my knowledge, this can be done in a stored procedure. You must have an issue in the code that calls your stored procedure.
steve schofi...
5681 Posts
MVP
Moderator
Re: Anyone know about www.nihaorr1.com/1.js?
May 10, 2008 11:02 PM
Here is a link on detecting a site being exposed.
http://www.securityfocus.com/infocus/1768
I'm checking to see if Nessus (http://www.nessus.org/nessus/) can detect an exposed site. This is the ultimate tool for detecting security exploits. If they support it, I'll post instructions.
Steve Schofield
Windows Server MVP - IIS
http://iislogs.com/steveschofield
http://www.IISLogs.com
Log archival solution
Install, Configure, Forget
DavidReabow
10 Posts
Re: Anyone know about www.nihaorr1.com/1.js?
May 12, 2008 01:15 PM
Hi Neil
Stored procedures can help but in this case you have to worry about how the stored procedure and parameters are "passed" to SQL server.
Lets say you had the following URL on your site:
HTTP://www.yoursite.com/ShowProduct.ASP?ProductID=1
You may not check the ProductID for "corrupt" data and simply build a string that includes the SP name and parameters; e.g.:
strCommand = "EXEC usp_GetProductDetail " & ProductID
If you were expecting a value of say "1" to be passed but as in the case of this injection attack the attacker calls this URL:
HTTP://www.yoursite.com/ShowProduct.ASP?ProductID=1%20DROP%20TABLE%20tblProducts
Your strCommand variable would now look something like this:
'EXEC usp_GetProductDetail 1 DROP TABLE tblProducts'
This is a simplified example but if you happened to have a table called tblProducts and if the user account executing this code had sufficient rights, then your table could be deleted.
You can do all the checks previously mentioned on this thread and many will help improve your security.
Another thing you should do is use Parameter objects when executing SQL statements. I'm not going to go into detail as there should be lots online for whichever development language you're using.
A good place to start looking at this could be here:
http://msdn.microsoft.com/en-us/library/ms681010(VS.85).aspx
I hope this helps
David
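David's two-statement point, reproduced as a T-SQL script added here for illustration; it is not code from the thread. It assumes a throwaway database you may create objects in, keeps the thread's names (tblProducts, usp_GetProductDetail, ProductID) and stores ProductID as varchar(10) so that the parameter's declared size is the only thing in play. Part 1 executes the text the ASP page concatenates; part 2 binds the same text as a parameter, which is what an ADODB.Command Parameter object does on the client and what sp_executesql does on the server.

```sql
-- Added example (not from the thread). Run in a throwaway database, e.g. in SSMS.
SET NOCOUNT ON;
IF OBJECT_ID('dbo.usp_GetProductDetail') IS NOT NULL DROP PROCEDURE dbo.usp_GetProductDetail;
IF OBJECT_ID('dbo.tblProducts') IS NOT NULL DROP TABLE dbo.tblProducts;
GO
CREATE TABLE dbo.tblProducts (ProductID varchar(10) PRIMARY KEY, ProductName nvarchar(50));
INSERT INTO dbo.tblProducts VALUES ('1', N'Widget');
INSERT INTO dbo.tblProducts VALUES ('2', N'Gadget');
GO
CREATE PROCEDURE dbo.usp_GetProductDetail
    @ProductID varchar(10)          -- the "it is only a varchar(10)" parameter
AS
    SELECT ProductID, ProductName FROM dbo.tblProducts WHERE ProductID = @ProductID;
GO

-- What ShowProduct.ASP receives for ProductID=1%20DROP%20TABLE%20tblProducts
DECLARE @ProductID nvarchar(4000);
SET @ProductID = N'1 DROP TABLE tblProducts';

-- Part 1: the page's pattern, strCommand = "EXEC usp_GetProductDetail " & ProductID.
-- The server parses the text as a batch of two statements: the procedure is
-- called with 1 (its varchar(10) never sees the rest) and DROP TABLE then runs
-- as a statement of its own.
DECLARE @strCommand nvarchar(4000);
SET @strCommand = N'EXEC dbo.usp_GetProductDetail ' + @ProductID;
PRINT @strCommand;
EXEC (@strCommand);
SELECT CASE WHEN OBJECT_ID('dbo.tblProducts') IS NULL
            THEN 'part 1: tblProducts dropped' ELSE 'part 1: tblProducts intact' END AS outcome;
GO

-- Recreate the table for part 2.
CREATE TABLE dbo.tblProducts (ProductID varchar(10) PRIMARY KEY, ProductName nvarchar(50));
INSERT INTO dbo.tblProducts VALUES ('1', N'Widget');
GO
DECLARE @ProductID nvarchar(4000);
SET @ProductID = N'1 DROP TABLE tblProducts';

-- Part 2: the same input bound as a parameter. The text is data: only the
-- declared 10 characters reach the WHERE clause, they match no row, and there
-- is no second statement for the server to execute.
EXEC sp_executesql
    N'EXEC dbo.usp_GetProductDetail @p',
    N'@p varchar(10)',
    @p = @ProductID;
SELECT CASE WHEN OBJECT_ID('dbo.tblProducts') IS NULL
            THEN 'part 2: tblProducts dropped' ELSE 'part 2: tblProducts intact' END AS outcome;
GO
```

On the ASP side the equivalent of part 2 is an ADODB.Command with CommandType = adCmdStoredProc and the value appended via Parameters.Append(cmd.CreateParameter(...)); the server then receives a procedure call with a typed argument rather than a batch of text, so the truncation Neil observed in Management Studio finally applies.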
neilredfern
29 Posts
Re: Anyone know about www.nihaorr1.com/1.js?
May 12, 2008 04:14 PM
David,
Thanks for this; it's a long time since I've done ASP. I'm used to ASP.NET, where we always use parameters. You are correct, you do just build up a string like:
strCommand = "EXEC usp_GetProductDetail " & ProductID
And it makes sense that they are using the fact that we are not parsing out ' etc., but as the actual parameter of the SP is a varchar(10) I would expect any data passed through this parameter to be trimmed down to this size. At least that's how it happens through SQL Management Studio, although maybe ASP is different.
I will look at the parameters, and I have implemented the script from earlier in the thread to check for SQL injection values in the querystring and form collection, which should keep them out.
Thanks
Neil
DavidReabow
10 Posts
Re: Anyone know about www.nihaorr1.com/1.js?
May 12, 2008 04:32 PM
Hi Neil,
I'm not sure if I am reading your last post correctly. Are you saying that you are using Parameter Objects and it is still getting through?
If you are just appending your parameters to the string as in my example it doesn't matter what the SP parameter is declared as.
In my example: 'EXEC usp_GetProductDetail 1 Drop Table tblProducts' only the "1" is actually passed to the stored procedure. The "Drop Table tblProducts" part is not passed to the SP but executed as a separate statement. The fact that it is on the same line does not mean that it is all part of the same statement.
Even if the SP was created as follows:
CREATE PROCEDURE usp_GetProductDetail
@ProductID nvarchar(1000)
AS
.......
"Drop Table tblProducts" will not be passed to the SP.
I hope this helps.
David
neilredfern
29 Posts
Re: Anyone know about www.nihaorr1.com/1.js?
May 12, 2008 05:09 PM
David,
Thanks for the update that makes sense now.
What I was trying to say rather badly is I spend 95% of my time developing in ASP.Net where we always use parameters and tell ADO.Net that we are calling a stored procedure, so I'm not used to having to deal with this sort of code.
Thanks
Neil