suhanasoft
Starting Member
1 Post
Posted - 2008-05-23 : 05:32:52

Hi friends, we have a website, http://www.barneguiden.dk, and we have constantly been attacked by a virus. A malicious script gets into the SQL Server database and stops the site. Can anyone please suggest how we can prevent it? I think it is coming in through our search field. Any help will be appreciated.

Thanks,
Umar Rahman
Suhanasoft

sunil
Constraint Violating Yak Guru
282 Posts
Posted - 2008-05-23 : 05:36:21

Have a look at this thread: http://www.sqlteam.com/forums/topic.asp?TOPIC_ID=102737

SwePeso
Patron Saint of Lost Yaks
30421 Posts
Posted - 2008-05-23 : 05:40:09

At least this experience has taught you to NEVER EVER concatenate strings and send them to the database. Always use parameterized queries as a first line of defence.

E 12°55'05.25"N 56°04'39.16"

SwePeso
Patron Saint of Lost Yaks
30421 Posts
Posted - 2008-05-23 : 05:40:53

What did the script do? Add things to (n)varchar/(n)char/(n)text columns? Or other things?

E 12°55'05.25"N 56°04'39.16"

tedmanowar
Starting Member
31 Posts
Posted - 2008-05-28 : 06:24:42

Hello,
I had a "look" at your site and I think your problems are typical for an ASP site. If you are using the POST method in your forms, try to parse the querystring for SQL keywords like SELECT, UPDATE, DELETE etc., and if you find any, just e.g. Response.Redirect to the home page or a custom error page.
Let me know if you need any more help...
TedManowar

jsmith8858
Dr. Cross Join
7423 Posts
Posted - 2008-05-28 : 07:16:28

quote: Originally posted by tedmanowar
Hello, I had a "look" at your site and I think your problems are typical for an ASP site. If you are using the POST method in your forms, try to parse the querystring for SQL keywords like SELECT, UPDATE, DELETE etc., and if you find any, just e.g. Response.Redirect to the home page or a custom error page. Let me know if you need any more help... TedManowar

No. That is exactly the opposite of what you want to do. Simply rewrite your ASP code *properly* using *parameters*, so that it *never* concatenates your input with your SQL. That's it. This is ridiculously easy to do. Time to learn how to code using best practices.

- Jeff
http://weblogs.sqlteam.com/JeffS

tedmanowar
Starting Member
31 Posts
Posted - 2008-05-28 : 08:16:33

lol jsmith8858
"Simply rewrite" a huge ASP site?
I was just offering a simple/temp solution for an old web site.
It is well known that SQL parameters are the only way to go, anyway...
TedManowar

SwePeso
Patron Saint of Lost Yaks
30421 Posts
Posted - 2008-05-28 : 08:26:35

I agree with Jeff.
If you are going to edit the page anyway to check for certain keywords, why not rewrite it to use a stored procedure?
Yes, it is well known, but people still tend to ignore it.

E 12°55'05.25"N 56°04'39.16"

jsmith8858
Dr. Cross Join
7423 Posts
Posted - 2008-05-28 : 08:34:57

quote: Originally posted by tedmanowar
lol jsmith8858 "Simply rewrite" a huge ASP site? I was just offering a simple/temp solution for an old web site. It is well known that SQL parameters are the only way to go, anyway... TedManowar

Either you rewrite the whole website to check all inputs for any possible SQL keyword or bad characters, or you rewrite your whole website to use parameters. I think the second option makes more sense, don't you? And, if it is just a few pages or places to add your keyword/bad character check, then it is also just a few places/pages to ensure you are using parameters, right? Which is easier to implement and better overall in the short term? How about the long term? (Hint: the answer to both is using parameters.)

With the keyword check, you are not catching all injection errors, you are potentially filtering out valid input that may happen to contain any of those words, and you are making your code slower and more complicated. Then you still have to explicitly deal with issues like ' characters, date and boolean (bit) formats, and things like that, which you do not have to do when using parameters.

http://weblogs.sqlteam.com/jeffs/archive/2006/07/21/10728.aspx

In short, sorry for being blunt, but even for a quick short-term solution, the "manually try to find any possible keyword or bad character in a string and either escape it or throw an error" approach is simply the wrong way to go and will only make things worse.

Unless ... you want to be featured here:
http://thedailywtf.com/Articles/Some-one-is-trying-to-Hack-the-Site.aspx

- Jeff
http://weblogs.sqlteam.com/JeffS

tedmanowar
Starting Member
31 Posts
Posted - 2008-05-28 : 09:39:36

OK, let me start over.
Structured ASP sites usually have some part that is included in all pages, something like top.asp (from my experience).
So, I insist that an easy solution is to check the QueryString with code written in such an .asp file and flag up or ignore suspicious keywords.
It has worked for me many times when I was called to maintain such 10-year-old websites and the customer didn't really want to pay for SQL injection protection.
I am well aware that you guys are gurus and that most of the time you are 110% right; however, I firmly believe that it is a quick, low-budget technique for such problems.
TedManowar

jsmith8858
Dr. Cross Join
7423 Posts
Posted - 2008-05-28 : 09:48:11

quote: I firmly believe that it is a quick, low-budget technique for such problems.

That is absolutely correct, you make a good point there. Just as removing all 4 tires from a car instead of replacing a flat tire is a "quick, low-budget technique" to make the car drive "better" when you have a flat tire.

- Jeff
http://weblogs.sqlteam.com/JeffS

SwePeso
Patron Saint of Lost Yaks
30421 Posts
Posted - 2008-05-28 : 09:48:56

The problem is (as shown by Jeff's link) that the problem is NOT solved.
You can check as much as you want (including CAPS and not caps, trailing space, %20 and so on).
And when you are done, Valter Borges cannot log in.

E 12°55'05.25"N 56°04'39.16"

tedmanowar
Starting Member
31 Posts
Posted - 2008-05-28 : 14:45:19

I guess that you guys must have the last word...
And since "Dr. Cross Join" & "Patron Saint of Lost Yaks" are great titles to have (all for the girls of course :) ), let me just state that, for the record, I totally agree with you on everything apart from the part where I would have to re-write an ASP site...
In that case I would rather scrap the whole thing and use .NET
TedManowar

jezemine
Master Smack Fu Yak Hacker
2886 Posts
Posted - 2008-05-28 : 14:58:22

>> In that case I would rather scrap the whole thing and use .NET

.NET will not save you either. You can write an app in .NET that is just as vulnerable to SQL injection as any other platform. What you need to do is re-write your calls to the server using parameters. Did someone say that already?

elsasoft.org

LoztInSpace
Aged Yak Warrior
940 Posts
Posted - 2008-05-29 : 23:48:06

What I don't understand is the mentality of the 'I'll do it myself' routine. I need to change (pseudo code):

    SQL="select * from blah where blahID='" + blahID + "'"
    command.Execute

into either

    SQL="select * from blah where blahID='" + MyCheckSuspiciousStuff(blahID) + "'"
    command.Execute

or

    SQL="select * from blah where blahID=?"
    command.Parameters.Add(blahID)
    command.Execute

You've saved nothing whatsoever by doing it incorrectly. You have the same number of function calls, your SQL is easier, and the library does all the hard work and will almost certainly do a better job.

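The concatenated and parameterized forms LoztInSpace sketches above, written out as a runnable side-by-side comparison. This is an added example and not code from anyone in the thread; it uses Python's sqlite3 module in place of the ASP/ADO and SQL Server setup the thread is about, and the table `blah`, the column `blahID`, the three constructed rows and the function names are assumptions made for the demonstration.

```python
import sqlite3

# Constructed demo table standing in for the "blah" table in the pseudocode above.
DEMO_ROWS = [
    ("alpha", "first row"),
    ("O'Brien", "second row"),   # a perfectly legitimate value containing a single quote
    ("gamma", "third row"),
]


def make_demo_db() -> sqlite3.Connection:
    """Create an in-memory database holding the constructed rows above."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE blah (blahID TEXT PRIMARY KEY, payload TEXT)")
    conn.executemany("INSERT INTO blah VALUES (?, ?)", DEMO_ROWS)
    conn.commit()
    return conn


def lookup_concatenated(conn: sqlite3.Connection, blah_id: str) -> list:
    """The 'before' form: the caller's value is spliced into the SQL text,
    so the database engine cannot tell data from code."""
    sql = "SELECT blahID, payload FROM blah WHERE blahID='" + blah_id + "' ORDER BY blahID"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, blah_id: str) -> list:
    """The 'after' form: the SQL text is fixed and the value travels separately
    as a parameter, so it is always treated as a literal, quotes and all."""
    sql = "SELECT blahID, payload FROM blah WHERE blahID=? ORDER BY blahID"
    return conn.execute(sql, (blah_id,)).fetchall()


def compare(blah_id: str):
    """Run both forms on the same input and return (concatenated_result, parameterized_result).
    A SQL error raised by the concatenated form is returned as a string instead of propagating."""
    conn = make_demo_db()
    try:
        concatenated = lookup_concatenated(conn, blah_id)
    except sqlite3.Error as exc:
        concatenated = f"error: {exc}"
    parameterized = lookup_parameterized(conn, blah_id)
    conn.close()
    return concatenated, parameterized


if __name__ == "__main__":
    for value in ["alpha", "O'Brien", "x' OR '1'='1"]:
        concat, param = compare(value)
        print(f"{value!r:20} concatenated  -> {concat}")
        print(f"{'':20} parameterized -> {param}")
```

Three inputs make Jeff's points concrete: a plain id behaves the same either way; a legitimate value with an apostrophe breaks the concatenated query with a syntax error while the parameterized one returns the row; and a value that closes the quote and adds an OR makes the concatenated query return every row, while the parameterized query simply looks for a row whose id is that whole string and finds none.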
blindman
Master Smack Fu Yak Hacker
2365 Posts
Posted - 2008-05-30 : 10:51:16

quote: Originally posted by tedmanowar
So, I insist that an easy solution is to check the QueryString with code written in such an .asp file and flag up or ignore suspicious keywords.

You can insist all you want, but this will not catch instances where the SQL is being injected as a binary string. There was a hacker doing this about a month ago, and it would not surprise me if that is the attack that the OP is experiencing.

e4 d5 xd5 Nf6
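The keyword check tedmanowar proposes, reproduced so that the objections raised in this thread can be seen on concrete input: Jeff's point about filtering out valid input, SwePeso's caps/no-caps and %20 variants and the name Valter Borges, and blindman's point about SQL arriving as a binary (hex-encoded) string. This is an added example, not code from any poster; the keyword list, the sample strings and the function names are constructed for the demonstration, and it is written in Python rather than classic ASP.

```python
from urllib.parse import unquote

# A blacklist of the kind described in the thread (constructed for this example).
SQL_KEYWORDS = ["SELECT", "INSERT", "UPDATE", "DELETE", "DROP", "ALTER", "EXEC", "UNION", "OR", "AND"]

# Constructed sample inputs: two legitimate values and three that hide a keyword.
SAMPLES = {
    "legit name":        "Valter Borges",                          # contains "alter" and "or"
    "legit phrase":      "Standard Order",                         # contains "and" and "or"
    "lowercase keyword": "select",
    "percent-encoded":   "%53%45LECT",                             # %53 = 'S', %45 = 'E'
    "hex string":        "0x" + "select".encode("ascii").hex(),    # 0x73656c656374, no letters of the word visible
}


def naive_filter(value: str) -> bool:
    """Case-sensitive substring check on the raw request value, as a first attempt is usually written.
    Returns True when the value would be rejected."""
    return any(kw in value for kw in SQL_KEYWORDS)


def case_insensitive_filter(value: str) -> bool:
    """Same check after upper-casing, so 'select' is caught as well as 'SELECT'."""
    upper = value.upper()
    return any(kw in upper for kw in SQL_KEYWORDS)


def normalised_filter(value: str) -> bool:
    """Percent-decode (twice, for double encoding) before the case-insensitive check."""
    decoded = value
    for _ in range(2):
        decoded = unquote(decoded)
    return case_insensitive_filter(decoded)


def classify(filter_fn) -> dict:
    """Return, for each sample, whether filter_fn would reject it."""
    return {label: filter_fn(text) for label, text in SAMPLES.items()}


def filter_report() -> dict:
    """Run all three filters over the samples: {filter_name: {sample_label: rejected?}}."""
    return {
        "naive": classify(naive_filter),
        "case_insensitive": classify(case_insensitive_filter),
        "normalised": classify(normalised_filter),
    }


if __name__ == "__main__":
    for name, results in filter_report().items():
        print(name)
        for label, rejected in results.items():
            print(f"  {label:18} -> {'REJECTED' if rejected else 'accepted'}")
```

Reading the report top to bottom shows the trade-off the thread describes: the naive filter lets the lowercase and encoded forms straight through; making it case-insensitive catches "select" but now rejects "Valter Borges" and "Standard Order" as well; adding percent-decoding catches the %-encoded form, and the hex form still passes every variant because the keyword never appears in the request text at all. A parameter needs none of this, because the value is never parsed as SQL in the first place.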