Hiya!
Unfortunately one of our websites got hit by that nasty Chinese spambot (same thing happened here)
http://www.rsreese.com/2007/03/sql-i...ostgresql.html
This 'nasty' creates a table t_jiaozhu in your database and uses your tables to store JavaScript references that are then run on the PCs of the visitors to your site.
Although I know about SQL injection, I have never seen the result of SQL injection before, and whilst I generally check the type of values being passed to databases and run pattern matching, there were one or two places where I had forgotten to do this. That was all it took to cause havoc!
Code:
ID = Request.Querystring("ID")
'I should have checked that 'ID' was numeric using 'cint' before I used this ID to perform a select SQL query
I have since taken steps to plug the holes in the affected site and started trawling through other sites that may have been affected. To my horror, I saw a few instances of variables in one site that were not checked for their type. I quickly attempted a SQL injection test like so:
Code:
www.domain/page.asp?id=1;create%20table%20nasty(nasty%20varchar(200))
To my surprise, I did not create a table through this security hole like I expected, as with the previous affected site. Rather, I got this error:
Code:
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the varchar value '1;create%20table%20nasty(nasty%20varchar(200))' to a column of data type int.
I was wondering if someone could point me in the right direction here? I was expecting to be able to run a SQL command. I am not unhappy about this, but I am confused as to why this did not happen in the way I expected.
The affected database had int datatypes for IDs/primary keys as did the database I was running the SQL injection test on. Yet the former fell to the attack and the latter did not.
I realise that it may be impossible for someone to say with total conviction why this occurred without seeing the two databases and code, but I was wondering if anyone had any clue as to why this occurred? I am baffled.
One thing I am clear on -- I shan't forget to type user-passed variables ever again! That is for sure!
Thanks in advance for any help with this!
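
Added example, not part of the original post: one way to do the type check the post describes in classic ASP, with a strict digits-only test and a parameterised ADO query so the value never becomes part of the SQL text. The connection string variable `connString` and the table and column names (`articles`, `title`, `body`, `id`) are assumptions made for illustration.

```vbscript
<%
Option Explicit

' ADO constants (values from adovbs.inc)
Const adInteger = 3
Const adParamInput = 1
Const adCmdText = 1

' Returns True and sets outId only when raw is 1 to 9 decimal digits.
' IsNumeric alone is too loose for an ID: it also accepts values such as
' "1e3", "&H1F", "$5" and "1,000".
Function TryParseId(raw, ByRef outId)
    Dim re
    Set re = New RegExp
    re.Pattern = "^[0-9]{1,9}$"
    TryParseId = False
    If re.Test(raw) Then
        outId = CLng(raw)   ' CInt would overflow above 32767
        TryParseId = True
    End If
End Function

Dim connString, id, cmd, rs
connString = Application("ConnString")   ' assumption: set elsewhere in the site

' Reject anything that is not a plain integer before touching the database.
If Not TryParseId(CStr(Request.QueryString("ID")), id) Then
    Response.Status = "400 Bad Request"
    Response.End
End If

' Bind the validated value as a typed parameter instead of concatenating it.
Set cmd = Server.CreateObject("ADODB.Command")
cmd.ActiveConnection = connString
cmd.CommandType = adCmdText
cmd.CommandText = "SELECT title, body FROM articles WHERE id = ?"   ' hypothetical table
cmd.Parameters.Append cmd.CreateParameter("@id", adInteger, adParamInput, , id)
Set rs = cmd.Execute
%>
```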