mike123
Master Smack Fu Yak Hacker
1462 Posts
Posted - 2004-01-07 : 21:29:50

I had the unfortunate experience of being a victim of SQL injection. The user was able to read any data, table structure, columns etc. What I am worried about is, could they have connected to a different database? I am worried that they might have gotten into my master database. Could this happen?

Basically what they did was add a "UNION SELECT" into the querystring. From this could they have gotten into the master? They would have to connect to a different database from inside a stored proc that is already connected to a database.

Obviously I have a lot on my plate, but is there anything else I should worry about? Any tips to recover safely? Any tips are greatly appreciated in this time of need.

Thanks a lot,
mike123
Merkin
Funky Drop Bear Fearing SQL Dude!
4970 Posts
Posted - 2004-01-07 : 22:11:04

The dangers of not using stored procs.. OK, what user was your web app connecting as? If you used the SA account in your ASP, you are screwed. Look in the IIS logfiles to see what they did, but they can potentially get control of your entire network if you were running SA. If the user only had access to the one database you are probably OK. Stored procs fix this right up :)

Damian
robvolk
Most Valuable Yak
15732 Posts
Posted - 2004-01-07 : 22:11:51

quote: Basically what they did was add a "UNION SELECT" into the querystring. From this could they have gotten into the master? They would have to connect to a different database from inside a stored proc that is already connected to a database.

If they were able to sneak in a UNION, they could've accessed any table in any database that can be accessed by the login used to connect. If you search SQL Team for "SQL Injection" (and the forums too) you'll find a fair amount of material on how to protect yourself against it. The first, easiest, and best thing to do is NEVER allow ad-hoc SQL in your web pages. Change everything to stored procedures and avoid using dynamic SQL in your sprocs.

Yeah, what Damian said.
mike123
Master Smack Fu Yak Hacker
1462 Posts
Posted - 2004-01-07 : 22:50:20

Thanks. I did not have it set up to use SA, however the account was able to access the master. I am not sure what this means.

I actually am using a stored proc for this, but I am passing it a SQL string. This is the only situation on the website (410 sp's) where I do this.

Do you think they could have read my stored procedures?

What steps would you take if the user they were logged in as was able to connect to the master db??

Thanks again guys,
Mike123
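The situation Mike describes, a stored proc that executes a SQL string it is handed, is the same defect as string-built ad-hoc SQL. This added example (not from the thread) shows that pattern next to its parameterized form in Python, with an in-memory SQLite database standing in for SQL Server and sqlite_master playing the role of sysobjects; all table contents are constructed.

```python
import sqlite3

# Constructed in-memory stand-in for the web app's database; sqlite_master
# plays the role that SQL Server's sysobjects played in the thread.
conn = sqlite3.connect(":memory:")
conn.executescript("""
    CREATE TABLE products (id INTEGER, name TEXT, price TEXT);
    INSERT INTO products VALUES (1, 'yak shampoo', '9.99'),
                                (2, 'yak brush', '4.50');
    CREATE TABLE app_users (id INTEGER, username TEXT, pwd TEXT);
    INSERT INTO app_users VALUES (1, 'admin', 'constructed-secret');
""")


def search_vulnerable(term):
    """The pattern from the thread: the search term is glued into the SQL
    text. An sproc that EXECs the string it is passed behaves the same."""
    sql = "SELECT name, price FROM products WHERE name LIKE '%" + term + "%'"
    return conn.execute(sql).fetchall()


def search_parameterized(term):
    """Hardened form: the term travels as a bound parameter, so it is only
    ever compared against the column and never parsed as SQL."""
    sql = "SELECT name, price FROM products WHERE name LIKE ?"
    return conn.execute(sql, ("%" + term + "%",)).fetchall()


# Constructed input of the kind the thread describes: a UNION appended via
# the query string. Against the vulnerable function the result set gains
# schema rows (the "table structure and columns" the attacker saw); against
# the parameterized one it is just a search term that matches nothing.
UNION_INPUT = "' UNION SELECT name, sql FROM sqlite_master --"


def leaked_schema_rows(results):
    """Rows in a result set that came from sqlite_master, not products."""
    return [r for r in results if r[0] in ("products", "app_users")]


if __name__ == "__main__":
    print(search_vulnerable("yak"))
    print(leaked_schema_rows(search_vulnerable(UNION_INPUT)))
    print(search_parameterized(UNION_INPUT))
```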
mike123
Master Smack Fu Yak Hacker
1462 Posts
Posted - 2004-01-07 : 22:54:28

Does the master database store info such as passwords for the logins etc?? What harmful things could be done with my master db??

Thanks again
mike123
Merkin
Funky Drop Bear Fearing SQL Dude!
4970 Posts
Posted - 2004-01-07 : 23:00:10

You are *probably* ok. Chances are they just wanted to see the admin password of your ASP app.

Some steps to take..
1. Make sure you have a good backup from before the intrusion.
2. Do another backup now (keep the old one too)
3. Fix the security hole
4. Remove the db user's permission on master
5. Go through your IIS logs. You said the hacker did a bunch of UNIONs. Do a search on them and you will see exactly what he was looking for. Then, do a search for INSERT, UPDATE and EXEC. You will be able to see what he was doing.

If you don't see any nasty updates or inserts, you are probably OK. But he may now have passwords for your users. You might want to let them know it's time to change passwords.

Damian
mike123
Master Smack Fu Yak Hacker
1462 Posts
Posted - 2004-01-07 : 23:05:19

I was actually contacted, they told me they saw my table structure, and columns. Not sure if this gives any hints. I will go thru the logs and take your recommended steps.

Thanks a lot, I REALLY appreciate this help.
mike123
mike123
Master Smack Fu Yak Hacker
1462 Posts
Posted - 2004-01-07 : 23:11:43

I guess my biggest fear is if they used DTS to import the data. Could they theoretically do this if they could access the master db?

Thanks
mike123
Merkin
Funky Drop Bear Fearing SQL Dude!
4970 Posts
Posted - 2004-01-07 : 23:14:41

The only way they could do DTS is if they were able to connect and if they could brute force crack your passwords. They wouldn't need SQL injection to do that.

I think they probably just did a select on your sysobjects table, that would show them the table names. The IIS logs are the way to know for sure.

Damian
mike123
Master Smack Fu Yak Hacker
1462 Posts
Posted - 2004-01-07 : 23:33:22

Thanks Merkin

Is there any info in the master db that I should worry about him still having? Sorry, my knowledge on the function of the master db is very limited.

Also, I can connect to the master DB using the username and password the web app uses. However I can't seem to find a spot where permissions are set for this login. When I look at the permissions, the green arrow is only set on the database it's supposed to be, and not the master. Any tips?

Thank you.
mike123
Merkin
Funky Drop Bear Fearing SQL Dude!
4970 Posts
Posted - 2004-01-07 : 23:38:29

Can you select from any tables using that login? If the permissions in EM don't allow master you are probably ok. Once again, look in your IIS logs to see what went on.

Damian
mike123
Master Smack Fu Yak Hacker
1462 Posts
Posted - 2004-01-08 : 00:07:31

Thanks :)

I can connect to the master db thru QA using the login that appears to only have permission to a different database. Strange, any suggestions?

I am beginning the process of going thru the IIS logs, trying to find a way to search 3gb log files :S. Do you happen to know of a good way?

Thanks once again, I'm scrambling.. your assistance is gold
mike123
Merkin
Funky Drop Bear Fearing SQL Dude!
4970 Posts
Posted - 2004-01-08 : 00:42:22

I don't understand what you mean in your first point.

For the logfiles, you are in luck. Drop into a DOS prompt and go to the directory with all the logs for that website. Use the DOS find command to search through files looking for a string. If you can narrow it down to a particular log file (i.e. ex040102.log) do this:

Find "UNION" ex040102.log > out.txt

and it will parse the file looking for that string and put the results into a file called out.txt.

You can also use wildcards:

Find "UNION" *.log > out.txt

hope that helps
Damian
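Damian's log-review advice (search for UNION, then INSERT, UPDATE and EXEC, using find over the ex*.log files), as an added Python example that is not from the thread: it parses IIS W3C-format lines, URL-decodes the query string so that "%20UNION%20" is seen as a keyword, and reports which requests and client addresses carried SQL keywords. The log lines and addresses are constructed.

```python
import re
from urllib.parse import unquote_plus

# The keywords from the thread, required in their SQL context so that an
# ordinary search term such as "union jack" is not reported as an attempt.
KEYWORDS = re.compile(
    r"(UNION\s+(?:ALL\s+)?SELECT|INSERT\s+INTO|UPDATE\s+\w+\s+SET|EXEC(?:UTE)?\s+\w)",
    re.IGNORECASE,
)

# Constructed sample in IIS W3C extended format (the ex*.log files mentioned
# in the thread); every request and client address here is made up.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2004-01-02 00:00:00
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2004-01-02 03:10:01 192.0.2.10 GET /products.asp id=5 200
2004-01-02 03:10:09 192.0.2.10 GET /products.asp id=5%20UNION%20SELECT%20name,id,0%20FROM%20sysobjects 200
2004-01-02 03:11:30 192.0.2.10 GET /products.asp id=5%20UNION%20SELECT%20name,id,0%20FROM%20syscolumns 200
2004-01-02 03:12:44 198.51.100.7 GET /search.asp q=union+jack 200
2004-01-02 03:15:02 192.0.2.10 GET /products.asp id=5;EXEC%20sp_who 500
"""


def parse_w3c(text):
    """Yield one dict per request line, naming columns from the #Fields: header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))


def find_injection_attempts(text):
    """Return (timestamp, client ip, stem, decoded query, keyword) per hit."""
    hits = []
    for rec in parse_w3c(text):
        query = unquote_plus(rec.get("cs-uri-query", "-"))
        m = KEYWORDS.search(query)
        if m:
            keyword = m.group(1).split()[0].upper()
            hits.append((rec["date"] + " " + rec["time"], rec["c-ip"],
                         rec["cs-uri-stem"], query, keyword))
    return hits


def suspect_ips(text):
    """Client addresses that sent at least one keyword-bearing request."""
    return sorted({h[1] for h in find_injection_attempts(text)})
```

Searching the decoded query string is the difference from a plain find over the raw file, where the keyword is split by %20 sequences.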
mike123
Master Smack Fu Yak Hacker
1462 Posts
Posted - 2004-01-08 : 01:08:17

thanks damian, excellent solution on the log files.

Sorry about the explanation, I'll try to clear it up. My database named "123" was the database that was jeopardized. I connect to database "123" with the login "mike". I can also connect to the database "master" with login "mike". I need to remove this access so mike can no longer connect to db master. Can you please help me out on how to do this? I can't seem to figure out how.

thanks again, damian. I owe you some beers if you're ever in canada ;)
Merkin
Funky Drop Bear Fearing SQL Dude!
4970 Posts
Posted - 2004-01-08 : 01:14:18

Mmmm beer. In Enterprise Manager, open up the "mike" login in the security node. Make sure the "mike" login isn't selected as having access to Master. Also, change the default database for "mike" to "123".

Damian
mike123
Master Smack Fu Yak Hacker
1462 Posts
Posted - 2004-01-08 : 01:19:29

Mark my words!, I promise I owe ya. Anyways, I just verified it and that's exactly how it is set up. Why can I access the master db thru QA with login "mike"? Is this not very odd?

Thanks again
mike123
Merkin
Funky Drop Bear Fearing SQL Dude!
4970 Posts
Posted - 2004-01-08 : 02:18:08

Can you actually select from it? Try

SELECT * FROM master..sysdatabases

Does that return any results?

Damian
X002548
Not Just a Number
15586 Posts
Posted - 2004-01-08 : 13:13:20

Hey...how about an injection like

"SELECT your cols FROM yournice Table WHERE whatever
GO
DROP TABLE myTable99"

I'd look for GO

Does "mike" have only datareader? Sounds more like dbowner.. At the very least put mike in datawriter... (and dump the tranny logs every 10 minutes....)

Brett
8-)
joldham
Wiseass Yak Posting Master
300 Posts
Posted - 2004-01-08 : 14:02:06

Is the Mike account a Windows Account or a SQL Account? If it is a Windows Account, then if Mike is a Machine Administrator, then he would have access to everything in the SQL database as an Administrator of the machine (I think).
Merkin
Funky Drop Bear Fearing SQL Dude!
4970 Posts
Posted - 2004-01-08 : 16:41:06

quote: Originally posted by X002548
I'd look for GO

Nope. GO isn't TSQL. GO is a batch terminator for Query Analyzer. GO won't do anything but throw an error here. You could use a semicolon though.

Given that the database is still running fine I doubt any tables have been dropped. So it's just a matter of log parsing to see how much the guy found out.

By the way, welcome back Jeremy! It's been a while!

Damian
joldham
Wiseass Yak Posting Master
300 Posts
Posted - 2004-01-08 : 17:16:21

Thanks Damian! I looked today and my last post was in April 2003. I have been very busy the last year. Mike, let me know if my post helped solve the master database access problem.