p2p.wrox.com Forums


trufla May 30th, 2008 05:53 AM

sql injection
 
Hiya!

Unfortunately one of our websites got hit by that nasty Chinese spambot (same thing happened here: http://www.rsreese.com/2007/03/sql-i...ostgresql.html)

This 'nasty' creates a table t_jiaozhu in your database and uses your tables to store Javascript references that are then run on the PCs of the visitors to your site.

Although I know about SQL injection, I have never seen the result of SQL injection before, and whilst I generally check the type of values being passed to databases and run pattern matching, there were one or two places where I had forgotten to do this. That was all it took to cause havoc!
Code:

    ID = Request.Querystring("ID")
    'I should have checked that 'ID' was numeric using 'cint' before I used this ID to perform a select SQL query

I have since taken steps to plug the holes in the affected site and started trawling through other sites that may have been affected. To my horror, I saw a few instances of variables in one site that were not checked for their type. I quickly attempted a SQL injection test like so:

Code:

    www.domain/page.asp?id=1;create%20table%20nasty(nasty%20varchar(200))

To my surprise, I did not create a table through this security hole like I expected, as with the previous affected site. Rather, I got this error:

Code:

    [Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the varchar value '1;create%20table%20nasty(nasty%20varchar(200))' to a column of data type int.

I was wondering if someone could point me in the right direction here? I was expecting to be able to run a SQL command. I am not unhappy about this, but I am confused as to why this did not happen in the way I expected.
The affected database had int datatypes for IDs/primary keys as did the database I was running the SQL injection test on. Yet the former fell to the attack and the latter did not.

I realise that it may be impossible for someone to say with total conviction why this occurred without seeing the two databases and code, but I was wondering if anyone had any clue as to why this occurred? I am baffled.

One thing I am clear on -- I shan't forget to type user passed variables ever again! That is for sure!

Thanks in advance for any help with this!


Mych June 16th, 2008 09:28 AM

Are both DBs running the same version of MSSQL?

Regards

Mych

I have not failed... I've just found 10,000 ways that don't work!

Old Pedant June 16th, 2008 02:54 PM

Depends on the rest of your code.

For example, if you were to simply pass that Request("ID") into a query that is accepting a VARCHAR and which then tries to convert the varchar to integer, the message makes sense.

Also, pretty sure this is the error you'd get if you used ADODB.Recordset.AddNew instead of a SQL query. Or did update same way.

Possibly could happen with Command object? Not sure. Hmmm...even if so, I wouldn't expect that particular error message.

Well, in any case I'd want to see the code involved.
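An added example, not code from the thread or from any of the posters, showing the two defences the thread points at: trufla's note that the ID should have been checked as numeric before it reached a SELECT, and Old Pedant's point that the value should arrive at SQL Server as a typed integer rather than as a string that the server then tries to convert. The table name Products, its int column ProductID, and the connection string held in Application("ConnString") are all assumptions made for the example.

```vbscript
<%
Option Explicit
' Added example (not from the thread). Assumptions: a table Products with an
' int primary key ProductID, and a connection string in Application("ConnString").

' ADO constants, so the page does not depend on adovbs.inc or a type library
Const adCmdText    = 1
Const adParamInput = 1
Const adInteger    = 3

' Strict numeric check. IsNumeric alone is too lenient (it accepts "1e3",
' "&H1F", " 12 "), and CInt on a bad value raises a runtime error instead of
' returning a failure. This accepts an optional leading minus and 1-9 decimal
' digits only, and returns True with the parsed Long in outValue.
Function TryParseId(rawValue, ByRef outValue)
    Dim re, s
    TryParseId = False
    outValue = 0
    s = CStr(rawValue)                 ' Request.QueryString item coerces to its string
    Set re = New RegExp
    re.Pattern = "^-?\d{1,9}$"
    If re.Test(s) Then
        outValue = CLng(s)
        TryParseId = True
    End If
End Function

Dim id
If Not TryParseId(Request.QueryString("ID"), id) Then
    ' Refuse the request instead of letting the raw string anywhere near SQL.
    Response.Status = "400 Bad Request"
    Response.Write "Invalid ID."
    Response.End
End If

' Even with a validated integer, bind it as a typed parameter rather than
' concatenating it into the SQL text. The driver sends it as an int, so there
' is no string in the statement for injected SQL to ride in on.
Dim conn, cmd, rs
Set conn = Server.CreateObject("ADODB.Connection")
conn.Open Application("ConnString")    ' assumption: connection string stored here

Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = adCmdText
cmd.CommandText = "SELECT ProductID, Name FROM Products WHERE ProductID = ?"
cmd.Parameters.Append cmd.CreateParameter("@ProductID", adInteger, adParamInput, , id)

Set rs = cmd.Execute
Do Until rs.EOF
    ' Encode on output as well: data written by an earlier injection should
    ' not run as script in the visitor's browser.
    Response.Write Server.HTMLEncode(rs("Name")) & "<br>"
    rs.MoveNext
Loop
rs.Close
conn.Close
%>
```

The regular expression, not IsNumeric or CInt, is what decides whether the value is acceptable; the parameter binding is the second layer, so the query stays safe even if a later edit drops the check. The HTMLEncode on output is the same idea applied to the other end of the attack trufla describes, where script stored in the tables is served to visitors.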

