
Blind SQL Injection

1 reply

Last post May 19, 2021 01:53 AM by samwu

  • Blind SQL Injection

    May 18, 2021 03:58 PM | Gmajor

    I am currently working on resolving a Blind SQL vulnerability found on an IIS server hosting a web application

    Found blind SQL injection on http://x.x.x.x/null.htw?CiWebHitsFile=/<script>xss</script>.aspx&CiRestriction=none&CiHiliteType=Full using method GET

    Parameter CiHiliteType behaves differently with the following payloads:
    Full OR 95276=95276
    Full AND 95276=95277

    I would be glad to get any input or advice on how to resolve this.

    Thanks.

  • Re: Blind SQL Injection

    May 19, 2021 01:53 AM | samwu

    Hi Gmajor,

    Gmajor

    I am currently working on resolving a Blind SQL vulnerability found on an IIS server hosting a web application

    You can block SQL Injection with IIS Request Filtering.

    Configuring the Request Filter

    To create a global filtering rule for SQL Injection:

    • Open the applicationhost.config file in the following path:
    %systemroot%\system32\inetsrv\config\applicationhost.config
    • Search the applicationhost.config file for "<requestFiltering>" (without the quotes).
    • Immediately under the <requestFiltering> tag, paste the following settings:
    <filteringRules>
        <filteringRule name="SQLInjection" scanQueryString="true">
            <appliesTo>
                <add fileExtension=".asp" />
                <add fileExtension=".aspx" />
            </appliesTo>
            <denyStrings>
                <add string="--" />
                <add string=";" />
                <add string="/*" />
                <add string="@" />
                <add string="char" />
                <add string="alter" />
                <add string="begin" />
                <add string="cast" />
                <add string="create" />
                <add string="cursor" />
                <add string="declare" />
                <add string="delete" />
                <add string="drop" />
                <add string="end" />
                <add string="exec" />
                <add string="fetch" />
                <add string="insert" />
                <add string="kill" />
                <add string="open" />
                <add string="select" />
                <add string="sys" />
                <add string="table" />
                <add string="update" />
            </denyStrings>
        </filteringRule>
    </filteringRules>
    • Save the changes to applicationhost.config.

    Best regards,

    Sam
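To see what the rule in Sam's reply would and would not catch for the request in the question, here is a small added Python model of that rule (example code written for this page, not IIS code and not from either poster); it assumes IIS applies the appliesTo extension check to the request path and matches each deny string as a case-insensitive substring of the URL-decoded query string.

```python
import os
from urllib.parse import urlsplit, unquote

# Deny strings and extensions copied from the filteringRule in the reply.
DENY_STRINGS = [
    "--", ";", "/*", "@", "char", "alter", "begin", "cast", "create",
    "cursor", "declare", "delete", "drop", "end", "exec", "fetch",
    "insert", "kill", "open", "select", "sys", "table", "update",
]
APPLIES_TO = {".asp", ".aspx"}

# Constructed sample: the URL from the question with the first probe value.
QUESTION_URL = ("http://x.x.x.x/null.htw?CiWebHitsFile=/<script>xss</script>.aspx"
                "&CiRestriction=none&CiHiliteType=Full%20OR%2095276%3D95276")


def rule_matches(url, deny_strings=DENY_STRINGS, applies_to=APPLIES_TO):
    """Return (applies, hits) for one request URL.

    applies: the request path's extension is in the rule's <appliesTo>.
    hits:    deny strings found in the URL-decoded query string, matched
             as case-insensitive substrings (assumed to mirror IIS
             scanQueryString semantics; this is a model, not IIS itself).
    """
    parts = urlsplit(url)
    ext = os.path.splitext(parts.path)[1].lower()
    decoded = unquote(parts.query).lower()
    hits = [s for s in deny_strings if s.lower() in decoded]
    return ext in applies_to, hits


def is_blocked(url):
    """The rule rejects a request only if it applies AND a deny string hits."""
    applies, hits = rule_matches(url)
    return applies and bool(hits)


if __name__ == "__main__":
    samples = {
        # .htw is not in appliesTo, and "Full OR 95276=95276" has no deny string.
        "question URL": QUESTION_URL,
        # Same probe on an .aspx page: the rule applies, still no deny string hit.
        "probe on .aspx": "http://example.test/search.aspx?CiHiliteType=Full%20OR%2095276%3D95276",
        # Value containing ";" and "select": blocked.
        "statement-like value": "http://example.test/search.aspx?q=x%3B%20select%201",
        # Innocent words contain "cast" and "open": blocked (false positive).
        "innocent value": "http://example.test/news.aspx?topic=broadcast&mode=open",
    }
    for label, url in samples.items():
        applies, hits = rule_matches(url)
        print(f"{label:22} applies={applies!s:5} hits={hits} blocked={is_blocked(url)}")
```

Run as-is, the model shows the rule neither applies to the .htw path in the question nor contains the OR/AND probe values, while substring entries such as "cast" and "open" reject ordinary words. Treat request filtering as a coarse extra layer and fix the injection in the application's own data access (parameterised queries).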