Wrox Programmer Forums
Classic ASP Basics For beginner programmers starting with "classic" ASP 3, pre-".NET." NOT for ASP.NET 1.0, 1.1, or 2.0
Welcome to the p2p.wrox.com Forums.

You are currently viewing the Classic ASP Basics section of the Wrox Programmer to Programmer discussions. This is a community of software programmers and website developers including Wrox book authors and readers. New member registration was closed in 2019. New posts were shut off and the site was archived into this static format as of October 1, 2020. If you require technical support for a Wrox book please contact http://hub.wiley.com
 
May 30th, 2008, 05:53 AM
Authorized User (Join Date: May 2006, Posts: 30)

sql injection

Hiya!

Unfortunately one of our websites got hit by that nasty Chinese spambot (same thing happened here: http://www.rsreese.com/2007/03/sql-i...ostgresql.html)

This 'nasty' creates a table t_jiaozhu in your database and uses your tables to store Javascript references that are then run on the PCs of the visitors to your site.

Although I know about SQL injection, I have never seen the result of SQL injection before, and whilst I generally check the type of values being passed to databases and run pattern matching, there were one or two places where I had forgotten to do this. That was all it took to cause havoc!
Code:
    ID = Request.QueryString("ID")
    ' I should have checked that 'ID' was numeric using 'CInt' before I used this ID to perform a SELECT SQL query
I have since taken steps to plug the holes in the affected site and started trawling through other sites that may have been affected. To my horror, I saw a few instances of variables in one site that were not checked for their type. I quickly attempted a SQL injection test like so:

Code:
www.domain/page.asp?id=1;create%20table%20nasty(nasty%20varchar(200))
To my surprise, I did not create a table through this security hole like I expected, as with the previous affected site. Rather, I got this error:

Code:
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the varchar value '1;create%20table%20nasty(nasty%20varchar(200))' to a column of data type int.
I was wondering if someone could point me in the right direction here? I was expecting to be able to run a SQL command. I am not unhappy about this, but I am confused as to why this did not happen in the way I expected.
The affected database had int datatypes for IDs/primary keys as did the database I was running the SQL injection test on. Yet the former fell to the attack and the latter did not.

I realise that it may be impossible for someone to say with total conviction why this occurred without seeing the two databases and code, but I was wondering if anyone had any clue as to why this occurred? I am baffled.

One thing I am clear on -- I shan't forget to type user passed variables ever again! That is for sure!

Thanks in advance for any help with this!

 
June 16th, 2008, 09:28 AM
Registered User (Join Date: Jun 2008, Posts: 4)

Are both DB's running the same version of MSSQL?

Regards

Mych

I have not failed... I've just found 10,000 ways that don't work!
 
June 16th, 2008, 02:54 PM
Friend of Wrox (Join Date: Jun 2008, Posts: 1,649)

Depends on the rest of your code.

For example, if you were to simply pass that Request("ID") into a query that is accepting a VARCHAR and which then tries to convert the varchar to integer, the message makes sense.

Also, pretty sure this is the error you'd get if you used ADODB.Recordset.AddNew instead of a SQL query. Or did an update the same way.

Possibly could happen with Command object? Not sure. Hmmm...even if so, I wouldn't expect that particular error message.

Well, in any case I'd want to see the code involved.
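The following is an added example, not code from the thread or from either poster. It models in Python, against an in-memory SQLite database standing in for SQL Server, the three ways the ID from the first post could have reached the query: pasted in unquoted (the site that fell), pasted in wrapped in single quotes (one explanation consistent with the reply above, since SQL Server then has to convert the whole VARCHAR literal to int and fails with the "Syntax error converting the varchar value" message; the thread does not confirm this was the cause), and checked with CInt and bound as a parameter (the fix). The table and column names are hypothetical, `executescript()` stands in for SQL Server executing a concatenated string as one batch, and `int()` stands in for VBScript's CInt. The caveat a practitioner will want is in the third case: the quoted form only resisted the thread's particular payload, and a value containing a single quote breaks out of the literal and injects just the same. Also worth checking on the real site: the quoted error shows the value with a literal `%20`, whereas Request.QueryString returns the URL-decoded value, so it is possible the payload reached SQL Server without being decoded; the example uses the decoded form.

```python
import sqlite3

# Constructed sample inputs (added example, not the thread's code): the thread's test value
# as Request.QueryString would hand it to the page (URL-decoded), and a variant with a quote.
PAYLOAD_NO_QUOTE = "1;create table nasty(nasty varchar(200))"
PAYLOAD_WITH_QUOTE = "1';create table nasty(nasty varchar(200));select '"


def fresh_db():
    """In-memory SQLite database standing in for the SQL Server back end (hypothetical schema)."""
    con = sqlite3.connect(":memory:")
    con.execute("create table pages(id integer primary key, title text)")
    con.execute("insert into pages values (1, 'home')")
    con.commit()
    return con


def table_exists(con, name):
    row = con.execute(
        "select 1 from sqlite_master where type = 'table' and name = ?", (name,)
    ).fetchone()
    return row is not None


def run_as_batch(con, sql):
    """SQL Server runs the whole concatenated string as one batch, so a ';' lets a second
    statement through. sqlite3's executescript() is the closest stand-in (execute() refuses
    more than one statement). Returns the SQL text so the caller can see what was built."""
    con.executescript(sql)
    return sql


def select_unquoted(con, user_id):
    """Site that fell: the raw ID is pasted into the SQL text with no quotes and no type check."""
    return run_as_batch(con, "select title from pages where id = " + user_id)


def select_quoted(con, user_id):
    """One explanation for the second site: the ID is wrapped in single quotes. The thread's
    payload then becomes one string literal; SQL Server tries and fails to convert it to int
    (the error in the thread), SQLite simply finds no row. A payload containing a quote
    still closes the literal and injects."""
    return run_as_batch(con, "select title from pages where id = '" + user_id + "'")


def select_parameterized(con, user_id):
    """The fix: coerce to int first (int() here, CInt in VBScript) and bind the value as a
    parameter instead of building SQL text. Non-numeric input raises before any SQL runs."""
    id_int = int(user_id)  # ValueError for anything that is not an integer
    return con.execute("select title from pages where id = ?", (id_int,)).fetchone()


def demo():
    """Run each variant against a fresh database and report what happened."""
    results = {}

    con = fresh_db()
    select_unquoted(con, PAYLOAD_NO_QUOTE)
    results["unquoted_creates_table"] = table_exists(con, "nasty")

    con = fresh_db()
    select_quoted(con, PAYLOAD_NO_QUOTE)
    results["quoted_blocks_thread_payload"] = not table_exists(con, "nasty")

    con = fresh_db()
    select_quoted(con, PAYLOAD_WITH_QUOTE)
    results["quoted_falls_to_quote_payload"] = table_exists(con, "nasty")

    con = fresh_db()
    try:
        select_parameterized(con, PAYLOAD_NO_QUOTE)
        results["parameterized_rejects_payload"] = False
    except ValueError:
        results["parameterized_rejects_payload"] = True
    results["parameterized_normal_lookup"] = select_parameterized(con, "1")
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Running the block prints one line per case: the unquoted build creates the `nasty` table, the quoted build survives the thread's payload but not the quoted one, and the parameterized version rejects the payload with a ValueError while still serving a normal lookup. The lesson matches the first post's resolution: type the value (CInt) and, better, bind it as a parameter, rather than relying on quoting.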





Copyright (c) 2020 John Wiley & Sons, Inc.