
Answered Thread: Anyone know about www.nihaorr1.com/1.js?

Last post 12-12-2008 9:14 PM by Paul Bishop. 109 replies.

Page 6 of 8 (110 items)

  • 05-13-2008, 9:10 AM In reply to

    • Flackie
    • Not Ranked
    • Joined on 05-13-2008, 7:39 AM
    • Posts 5

    Re: Anyone know about www.nihaorr1.com/1.js?

    eftennis:

    use [my_admin_sql_login]
    GO
    DENY SELECT ON [sys].[sysobjects] TO [my_asp_sql_login]
    GO

    As you can see, I set up a separate login account for my asp connection.  Hope this helps.

     

    I get another error... i put the SQL admin user where you have my_admin_sql_login, and it says:

    "Could not locate entry in sysdatabases for database 'sa'. No entry found with that name. Make sure that the name is entered correctly."

     So it thinks I am entering a db name, not a username. I notice that the response after yours showed a DB name in this gap. So I am a bit more confused now!

     

  • 05-13-2008, 9:13 AM In reply to

    Re: Anyone know about www.nihaorr1.com/1.js?

    Replace [my_asp_sql_login] with the login that your website uses to connect to the database (not the admin account you are using)

  • 05-13-2008, 9:18 AM In reply to

    • Flackie
    • Not Ranked
    • Joined on 05-13-2008, 7:39 AM
    • Posts 5

    Re: Anyone know about www.nihaorr1.com/1.js?

    DavidReabow:

    Replace [my_asp_sql_login] with the login that your website uses to connect to the database (not the admin account you are using)

     

    Yes I did... my point of confusion was the first line where you had my_admin_sql_login - the error message (and the post subsequent to yours) suggested that should be the database name, not the admin username.

  • 05-13-2008, 9:20 AM In reply to

    Re: Anyone know about www.nihaorr1.com/1.js?

    Yes, that's an error; [my_admin_sql_login] should actually be the name of the database.

  • 05-13-2008, 9:31 AM In reply to

    • Flackie
    • Not Ranked
    • Joined on 05-13-2008, 7:39 AM
    • Posts 5

    Re: Anyone know about www.nihaorr1.com/1.js?

    OK, I think I got it working (for one site anyway, others should be simple now). I ended up creating a new admin login for myself and then using that to go into the SQL management so I knew I had full admin rights. I made sure I gave myself permissions for all the sites I need to change and then ran the code and it worked without error.

    I then made sure it worked and does deny access by running this using the web back end of the site (which uses the ASP user account for this site):

    SELECT * from sysobjects

    Previously this returned full results, now it returns nothing - so that seems to be job done as far as this part goes.

    Thanks eftennis and davidreabow for your comments, these helped me greatly.

     

  • 05-13-2008, 9:53 AM In reply to

    Re: Anyone know about www.nihaorr1.com/1.js?

    The person(s) behind this appears to realise that he/she/they need to adapt as measures are taken to prevent these attacks. I wouldn't rely on any one single method to stop this and I wouldn't be surprised if it's back again soon in a different guise.

    Check all input from your websites (URL parameters, Form data, cookie data etc) 

    Close up the holes in the code that allows this through. (Use parameter objects)

    Revoke all unnecessary permissions (sys.Tables, syscolumns, syscomments, INFORMATION_SCHEMA views etc)

    Do not allow your website user accounts to make schema changes.

    Do not allow your websites access to your databases with sysadmin or DBO rights.

     

    There are probably more things that I've missed but this is a good start and I've rarely seen a site that has done all this. 

     Hope this helps.

     David

     

  • 05-13-2008, 11:09 AM In reply to

    Re: Anyone know about www.nihaorr1.com/1.js?

    Hi, a Sys Admin account in MS SQL gives you access to all databases and gives you all privileges. So basically you don't need any other rights. I'm not sure if a Windows Admin account has admin rights in MS SQL. I believe you need to add the Windows Account to MS SQL and grant that account proper permissions. If you were able to create a new SQL login with SysAdmin privileges, then you probably had SysAdmin.

    Each database has a "permission admin" role which allows a SQL user to grant permission. Remember, a SQL login grants access at the database level (except for server roles like sysAdmin). You need to grant that SQL login access to each database you want that SQL login to have access to. If you grant DBO rights to a SQL login on a database, that SQL login becomes a user in the database. DBO rights are the highest level in a database (not database server). So you'll get create, alter, grant, select etc... for all DB objects (view, stored proc, etc...).

    Security in MS SQL can get complicated. That's why it's important to involve a DBA when you're not sure. People tend to grant DBO rights because it's the easiest way. You then pay the price later. Luckily the script did not try to create tables, stored procs... Don't hesitate if you have questions.

    Flackie:

    OK, I think I got it working (for one site anyway, others should be simple now). I ended up creating a new admin login for myself and then using that to go into the SQL management so I knew I had full admin rights. I made sure I gave myself permissions for all the sites I need to change and then ran the code and it worked without error.

    I then made sure it worked and does deny access by running this using the web back end of the site (which uses the ASP user account for this site):

    SELECT * from sysobjects

    Previously this returned full results, now it returns nothing - so that seems to be job done as far as this part goes.

    Thanks eftennis and davidreabow for your comments, these helped me greatly.

     

  • 05-13-2008, 11:50 AM In reply to

    Re: Anyone know about www.nihaorr1.com/1.js?

    I've been looking for a good tutorial on using parameters to pass on to some developers and found this:

    http://weblogs.sqlteam.com/jeffs/archive/2006/07/21/10728.aspx

    Everyone should use parameter objects whether you use stored procedures or not. It is probably one of the most important things to do when protecting yourself from SQL Injection.

  • 05-14-2008, 3:13 AM In reply to

    • csraodel
    • Not Ranked
    • Joined on 05-14-2008, 7:11 AM
    • Posts 1

    Re: Anyone know about www.nihaorr1.com/1.js?

     

    Do a complete server-side data validation on your forms.

  • 05-15-2008, 6:12 AM In reply to

    • drors01
    • Not Ranked
    • Joined on 05-15-2008, 10:02 AM
    • Posts 1

    Re: Anyone know about www.nihaorr1.com/1.js?

    Hi,

    I added the URL filter to my site just in case...

    But then I started getting too many false alarms due to Google's search.
    It is doing many sorts of phrases that include many of the words that are not allowed.

    So I made a change to the verify function

    function verify(s)
        ' convert the querystring to lowercase
        s = lcase(s)
        risk_level_counter = 0

        ' badwords - a list of disallowed keywords in the url
        badwords = "select 1=1 insert update delete drop -- table alter cast declare convert exec chr( union"

        ' create an array of each bad word
        r = split(badwords, " ")

        ' loop through the bad words and count how many are present
        for i = 0 to ubound(r)
            if instr(s, r(i)) > 0 then
                risk_level_counter = risk_level_counter + 1
            end if
        next

        ' reject the request only when two or more bad words appear
        if risk_level_counter >= 2 then
            verify = false
        else
            verify = true
        end if
    end function

    I think that I am going to give a unique level of risk to each word, for instance giving 3 for DECLARE, UPDATE, DROP and a level of 1 to select.

    I would also combine the checks with the length of the string not allowing more than 150 characters for a known need.

    Thanks

  • 05-15-2008, 7:28 AM In reply to

    Re: Anyone know about www.nihaorr1.com/1.js?

    Hi everyone,

     I'm going to suggest an alternative to the "find bad words and redirect" solution. This may not work for everyone but will hopefully break any attempts to inject SQL.

     You should still search for the "bad" words but when you find them, instead of redirecting to another page, you should replace them with the same word and a character.

    So if you find the words "Select" or "Declare", simply replace them with "Select," or "Declare,". By inserting a "," it should be sufficient to break the sql statement and not allow it to run.

    This should also help where sites do pass valid text data that may contain these words.

     Replace "--" with "-,-". This will break the comment.

    Also if valid data is identified as a false positive, rather than redirecting your user it just looks like a "typo" error if the data is stored and displayed.

    This will also be friendly towards things like fulltext searches.

  • 05-16-2008, 1:08 PM In reply to

    Re: Anyone know about www.nihaorr1.com/1.js?

    Hi all,

    Here are some "DENY" permission scripts I have used. I'd advise you to check that they don't break your applications/websites before using them.

     

     

    -- ===== Master =====

    use [Master]

    GO

    DENY SELECT ON [INFORMATION_SCHEMA].[TABLES] TO [Public]

    DENY SELECT ON [INFORMATION_SCHEMA].[COLUMNS] TO [Public]

    DENY SELECT ON [INFORMATION_SCHEMA].[VIEW_COLUMN_USAGE] TO [Public]

    DENY SELECT ON [INFORMATION_SCHEMA].[CONSTRAINT_COLUMN_USAGE] TO [Public]

    DENY SELECT ON [INFORMATION_SCHEMA].[COLUMN_PRIVILEGES] TO [Public]

    GO

    -- ===== Your Database =====

    use [Your_Database_name]

    GO

    DENY SELECT ON [sys].[columns] TO [Your_User]

    DENY SELECT ON [sys].[tables] TO [Your_User]

    DENY SELECT ON [sys].[syscolumns] TO [Your_User]

    DENY SELECT ON [sys].[sysobjects] TO [Your_User]

    DENY SELECT ON [sys].[objects] TO [Your_User]

    DENY SELECT ON [sys].[syscomments] TO [Your_User]

    GO

     

    I have also revoked all insert/update/delete permission from tables where the account does not need them. 

    You may also want to deny permission on CREATE statements.
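The same DENY approach applied to a dedicated web login and then checked from that login's point of view, as an added example that is not part of the thread; [Your_Database_name], [web_app] and dbo.Products are placeholders, and the login [web_app] is assumed to exist already. It also performs the check Flackie ran above (SELECT from sysobjects) without leaving the admin session.

```sql
-- Added example, not from the thread. Placeholders: database [Your_Database_name],
-- web login/user [web_app] (assumed to exist as a server login), table dbo.Products.
USE [Your_Database_name];
GO
-- Map the website's own least-privilege login into this database.
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'web_app')
    CREATE USER [web_app] FOR LOGIN [web_app];
GO
-- Grant only what the pages need on the tables they use; nothing on the catalog.
GRANT SELECT, INSERT, UPDATE ON dbo.Products TO [web_app];
-- No schema changes from the web account (the "CREATE" point in the post above).
DENY CREATE TABLE, CREATE PROCEDURE, CREATE VIEW, ALTER ANY SCHEMA TO [web_app];
-- Block the catalog views an injected query would use to discover table and column names.
DENY SELECT ON [sys].[sysobjects]  TO [web_app];
DENY SELECT ON [sys].[syscolumns]  TO [web_app];
DENY SELECT ON [sys].[syscomments] TO [web_app];
DENY SELECT ON [sys].[objects]     TO [web_app];
DENY SELECT ON [sys].[columns]     TO [web_app];
DENY SELECT ON [sys].[tables]      TO [web_app];
GO
-- Verify from the web user's point of view without reconnecting: impersonate, test, revert.
-- TRY/CATCH matters: a permission error would otherwise abort the batch before REVERT runs.
EXECUTE AS USER = 'web_app';
BEGIN TRY
    -- Flackie's check: should return no rows or raise error 229 (SELECT permission denied).
    SELECT COUNT(*) AS visible_objects FROM sys.sysobjects;
END TRY
BEGIN CATCH
    SELECT USER_NAME() AS running_as, ERROR_NUMBER() AS err, ERROR_MESSAGE() AS msg;
END CATCH;
-- Effective database-level permissions; CREATE TABLE / ALTER ANY SCHEMA must not be listed.
SELECT permission_name FROM sys.fn_my_permissions(NULL, 'DATABASE') ORDER BY permission_name;
REVERT;
GO
```

Run it as a sysadmin (EXECUTE AS USER needs IMPERSONATE rights on the target user), and repeat the DENY section for every database the web login can reach, since database-level DENYs do not carry across databases.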

  • 05-18-2008, 6:08 PM In reply to

    • lillyg
    • Not Ranked
    • Joined on 05-18-2008, 10:05 PM
    • Posts 1

    Re: Anyone know about www.nihaorr1.com/1.js?

    Would it work to use the CInt function to test the ID that's passed to confirm that it is an integer between -32767 and 32767?  It seems like that would force an error given the length and alpha characters that are in the script.

  • 05-18-2008, 6:38 PM In reply to

    Re: Anyone know about www.nihaorr1.com/1.js?

    Hi Lilly,

    I would still suggest using parameter objects. There are two main reasons for this;

    1. You can set the data type of the parameter object and achieve the same "error checking" as you would with CInt.

    2. SQL Server treats parameters slightly differently to executing a single "string" statement. When a string is executed it is first interpreted or it has to be "prepared" by SQL Server for execution, and any malformed character strings that can be interpreted as executable will be executed. When parameters are passed into a statement they are treated as parameters and malformed data is not executed.

     

    This takes care of the interface between your development language and SQL Server. I have seen Stored Procedures that take character strings and within the stored procedure build Dynamic SQL statements. If anyone is doing this you are in danger of being attacked the same way within your SP. This is particularly true where the SP accepts large character strings. To fix this you can also use parameters within TSQL (also known as prepared statements).

    I know it isn't always possible as some applications will have to accept long strings but where possible you should also limit the length of your character data.

    A combination of many of the previously mentioned solutions would be best. All you really need to achieve is to "break" the execution of the malicious code. Some people have mentioned detecting specific strings from this attack and acting on that. The problem with this approach is that the attacker could easily change something. All he/she/they need to do is add an extra %20 and your detection will fail.

    I still believe that one of the most important things is to use parameter objects at your code level and parameters (prepared statements) within your SP's.

    Regards

    David
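The stored-procedure case David describes, as an added example that is not from the thread: a procedure that splices its input into dynamic SQL, beside the same procedure rewritten with sp_executesql so the value stays a typed parameter. dbo.Products and its columns are assumed placeholders.

```sql
-- Added example, not from the thread. dbo.Products(ProductID int, Name nvarchar(100))
-- is an assumed placeholder table.

-- BEFORE: @term is typed on the way in, but the procedure throws that away by splicing
-- it into a string and executing the string, so the caller's text is parsed as SQL.
CREATE PROCEDURE dbo.SearchProducts_Unsafe @term nvarchar(200)
AS
BEGIN
    DECLARE @sql nvarchar(max);
    SET @sql = N'SELECT ProductID, Name FROM dbo.Products WHERE Name LIKE ''%'
             + @term + N'%''';
    EXEC (@sql);
END;
GO

-- AFTER: the statement text is fixed; the value is handed to sp_executesql as a declared
-- parameter and bound at execution, so it can only ever be compared, never executed.
CREATE PROCEDURE dbo.SearchProducts @term nvarchar(200)
AS
BEGIN
    DECLARE @sql nvarchar(max);
    SET @sql = N'SELECT ProductID, Name FROM dbo.Products WHERE Name LIKE @pattern';
    -- Wildcards are added to the value, not the statement. LIKE still honours % and _
    -- inside @term; add an ESCAPE clause if those must be matched literally.
    EXEC sys.sp_executesql
        @sql,
        N'@pattern nvarchar(202)',
        @pattern = N'%' + @term + N'%';
END;
GO

-- Ordinary data that a keyword filter would reject is just a search term here.
EXEC dbo.SearchProducts @term = N'O''Brien select';
```

The hardened procedure also gets a reusable query plan, since the statement text is identical on every call.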

  • 05-20-2008, 1:03 AM In reply to

    • wistex42
    • Not Ranked
    • Joined on 12-05-2003, 3:16 AM
    • Houston, Texas
    • Posts 1

    Re: Anyone know about www.nihaorr1.com/1.js?

    In my situation, most of the input should not have a ' or a ; in it at all, so I just filter that out completely when those characters are not expected.  I place an include with the following code at the top of almost every page.

    <%
    str = request.servervariables("QUERY_STRING")
    if instr(str, ";") then response.redirect("/404msg.asp")
    str = Request.Form
    if instr(str, ";") then response.redirect("/404msg.asp")

    str = request.servervariables("QUERY_STRING")
    if instr(str, "--") then response.redirect("/404msg.asp")
    str = Request.Form
    if instr(str, "--") then response.redirect("/404msg.asp")

    str = request.servervariables("QUERY_STRING")
    if instr(str, "'") then response.redirect("/404msg.asp")
    str = Request.Form
    if instr(str, "'") then response.redirect("/404msg.asp")
    %>

    This won't work for everyone, but if you know for sure that a ' or ; or a -- should not be in the input, just kill it before it goes anywhere. 

    This code checks both GET and POST (i.e. parameters in the URL or submitted from a form) and can be used as a preemptive filter before it even gets to the rest of the code.

    Obviously this is not the only thing you should do, but it may be a quick way to kill certain attacks.  Combine this with proper sanitizing of variables, and it makes your site more difficult to attack.
     

    lillyg:

    Would it work to use the CInt function to test the ID that's passed to confirm that it is an integer between -32767 and 32767?  It seems like that would force an error given the length and alpha characters that are in the script.

     

    That should definitely be used for checking integers.  But depending on the application, not all parameters may be integers.


     

    WisTex.com
Microsoft Communities