Thread: sql injection
Old May 30th, 2008, 05:53 AM
trufla

Hiya!

Unfortunately one of our websites got hit by that nasty chinese spambot (same thing happened here) http://www.rsreese.com/2007/03/sql-i...ostgresql.html

This 'nasty' creates a table t_jiaozhu in your database and uses your tables to store Javascript references that are then run on the PCs of the visitors to your site.

Although I know about SQL injection, I have never seen the result of SQL injection before, and whilst I generally check the type of values being passed to databases and run pattern matching, there were one or two places where I had forgotten to do this. That was all it took to cause havoc!
Code:
    ID = Request.Querystring("ID")
    'I should have checked that 'ID' was numeric using 'cint' before I used this ID to perform a select SQL query
I have since taken steps to plug the holes in the affected site and started trawling through other sites that may have been affected. To my horror, I saw a few instances of variables in one site that were not checked for their type. I quickly attempted a SQL injection test like so:

Code:
www.domain/page.asp?id=1;create%20table%20nasty(nasty%20varchar(200))
To my surprise, I did not create a table through this security hole like I expected, as with the previous affected site. Rather, I got this error:

Code:
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the varchar value '1;create%20table%20nasty(nasty%20varchar(200))' to a column of data type int.
I was wondering if someone could point me in the right direction here? I was expecting to be able to run a SQL command. I am not unhappy about this, but I am confused as to why this did not happen in the way I expected.
The affected database had int datatypes for IDs/primary keys as did the database I was running the SQL injection test on. Yet the former fell to the attack and the latter did not.

I realise that it may be impossible for someone to say with total conviction why this occurred without seeing the two databases and code, but I was wondering if anyone had any clue as to why this occurred? I am baffled.

One thing I am clear on -- I shan't forget to type user passed variables ever again! That is for sure!

Thanks in advance for any help with this!

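The fix the poster describes ("check that ID is numeric before using it") is necessary but not sufficient: the lasting defence is to stop splicing request values into SQL text at all. The conversion error quoted above is what SQL Server reports when the whole query-string value reaches it as a single varchar value instead of being appended raw to the statement, which is the only way a trailing `;create table` can execute. The classic ASP page below is an added example, not the poster's code, showing both halves of that defence: a strict numeric check on `Request.QueryString("ID")`, then an ADODB.Command with a typed `adInteger` parameter so the driver sends the ID as a value rather than as part of the statement. It assumes an already open `ADODB.Connection` named `conn` and a hypothetical table `Articles` with columns `ArticleID` (int) and `Title`.

```vbscript
<%@ Language=VBScript %>
<%
Option Explicit

' Added example (not the original poster's code). Assumes an open
' ADODB.Connection named conn and a hypothetical table
' Articles(ArticleID int, Title varchar).
Const adCmdText    = 1   ' CommandTypeEnum.adCmdText
Const adInteger    = 3   ' DataTypeEnum.adInteger
Const adParamInput = 1   ' ParameterDirectionEnum.adParamInput

Dim rawID, ID, cmd, rs

rawID = Request.QueryString("ID")

' Reject anything that is not a plain integer. IsNumeric alone is too
' lenient ("1e3", "1.0", "&H10" all pass), so the value must also
' round-trip through CLng unchanged, and CLng overflow is caught.
Sub RejectRequest()
    Response.Status = "400 Bad Request"
    Response.Write "Invalid ID"
    Response.End
End Sub

If Not IsNumeric(rawID) Then RejectRequest

On Error Resume Next
ID = CLng(rawID)
If Err.Number <> 0 Then
    Err.Clear
    On Error GoTo 0
    RejectRequest
End If
On Error GoTo 0

If CStr(ID) <> Trim(rawID) Then RejectRequest

' Even a validated number is bound as a parameter, never concatenated.
' A payload such as 1;create table nasty(...) can no longer reach the
' statement text: it is rejected above, and the placeholder below only
' ever receives an int value.
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = adCmdText
cmd.CommandText = "SELECT ArticleID, Title FROM Articles WHERE ArticleID = ?"
cmd.Parameters.Append cmd.CreateParameter("ArticleID", adInteger, adParamInput, , ID)

Set rs = cmd.Execute

If rs.EOF Then
    Response.Status = "404 Not Found"
    Response.Write "No such article"
Else
    Response.Write Server.HTMLEncode(rs("Title"))
End If

rs.Close
Set rs = Nothing
Set cmd = Nothing
%>
```

The numeric check gives the user a clean 400 instead of the ODBC error text in the post, which by itself tells an attacker the driver, the column type and the exact string that reached the server; the bound parameter is what removes the injection regardless of how the check is written. The same two steps apply to every query-string or form value used in a query, not only integer IDs.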