Wrox Programmer Forums

Classic ASP Basics For beginner programmers starting with "classic" ASP 3, pre-".NET." NOT for ASP.NET 1.0, 1.1, or 2.0
#1, May 30th, 2008, 05:53 AM
sql injection

Hiya!

Unfortunately one of our websites got hit by that nasty Chinese spambot (same thing happened here) http://www.rsreese.com/2007/03/sql-i...ostgresql.html

This 'nasty' creates a table t_jiaozhu in your database and uses your tables to store Javascript references that are then run on the PCs of the visitors to your site.

Although I know about SQL injection, I have never seen the result of SQL injection before, and whilst I generally check the type of values being passed to databases and run pattern matching, there were one or two places where I had forgotten to do this. That was all it took to cause havoc!
Code:
    ID = Request.Querystring("ID")
    'I should have checked that 'ID' was numeric using 'cint' before I used this ID to perform a select SQL query
I have since taken steps to plug the holes in the affected site and started trawling through other sites that may have been affected. To my horror, I saw a few instances of variables in one site that were not checked for their type. I quickly attempted a SQL injection test like so:

Code:
www.domain/page.asp?id=1;create%20table%20nasty(nasty%20varchar(200))
To my surprise, I did not create a table through this security hole like I expected, as with the previous affected site. Rather, I got this error:

Code:
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the varchar value '1;create%20table%20nasty(nasty%20varchar(200))' to a column of data type int.
I was wondering if someone could point me in the right direction here? I was expecting to be able to run a SQL command. I am not unhappy about this, but I am confused as to why this did not happen in the way I expected.
The affected database had int datatypes for IDs/primary keys as did the database I was running the SQL injection test on. Yet the former fell to the attack and the latter did not.

I realise that it may be impossible for someone to say with total conviction why this occurred without seeing the two databases and code, but I was wondering if anyone had any clue as to why this occurred? I am baffled.

One thing I am clear on -- I shan't forget to type user passed variables ever again! That is for sure!

Thanks in advance for any help with this!

#2, June 16th, 2008, 09:28 AM

Are both DB's running the same version of MSSQL?

Regards

Mych

I have not failed... I've just found 10,000 ways that don't work!
#3, June 16th, 2008, 02:54 PM

Depends on the rest of your code.

For example, if you were to simply pass that Request("ID") into a query that is accepting a VARCHAR and which then tries to convert the varchar to integer, the message makes sense.

Also, pretty sure this is the error you'd get if you used ADODB.Recordset.AddNew instead of a SQL query. Or did update same way.

Possibly could happen with Command object? Not sure. Hmmm...even if so, I wouldn't expect that particular error message.

Well, in any case I'd want to see the code involved.