There is a virus being spread through the use of SQL injection. The SQL injection inserts an iframe which loads JavaScript on the visitor's computer and infects the system. If you run a web site, you should look through your logs and traffic to see if there is anything abnormal.
We had a few pages in my company's site hit by this and I had to patch it up for them. It essentially injects an SQL statement in binary form, casts it to nvarchar and then executes it. The binary code cast to nvarchar results in a simple insert of a JavaScript src tag.
The way to prevent it is simply to validate URL parameters and make sure that all parameters are of the right size and type. In addition, I make sure that parameters are no more than 100 chars in length, which pretty much knocks this SQL injection out because the binary string itself is a few hundred chars.
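The two checks the post above recommends, as an added example that is not from the original thread: a whitelist check for an id-style parameter (right size and type) and a scan over web-server log lines for the hex-literal-cast-to-nvarchar shape of the payload. The log format and the sample lines are constructed for this example; the hex literal in them decodes to a harmless placeholder string, not to a real payload.

```python
import re
from urllib.parse import unquote_plus

MAX_PARAM_LEN = 100  # the post's rule of thumb: the encoded payload runs to several hundred chars
# Tells of the attack the post describes: a hex literal CAST to nvarchar and then executed.
HEX_CAST = re.compile(r"cast\s*\(\s*0x[0-9a-f]+\s+as\s+n?varchar", re.I)
SQL_TELLS = re.compile(r"\b(declare|exec(ute)?|cursor|sysobjects|syscolumns)\b", re.I)
HEX_LITERAL = re.compile(r"0x(?:[0-9a-f]{2})+", re.I)

def decode_hex_literals(value):
    """Decode every 0x... literal so keywords hidden inside the hex are checked as well."""
    return " ".join(bytes.fromhex(m.group(0)[2:]).decode("latin-1")
                    for m in HEX_LITERAL.finditer(value))

def valid_int_param(value):
    """Whitelist check for an id-style parameter: short and digits only, nothing else gets through."""
    return 0 < len(value) <= MAX_PARAM_LEN and value.isdigit()

def suspicious_reasons(name, value):
    """Why one decoded query-string value looks like the injected payload (empty list if clean)."""
    reasons = []
    if len(value) > MAX_PARAM_LEN:
        reasons.append(f"{name}: length {len(value)} > {MAX_PARAM_LEN}")
    if HEX_CAST.search(value):
        reasons.append(f"{name}: hex literal cast to nvarchar")
    if SQL_TELLS.search(value) or SQL_TELLS.search(decode_hex_literals(value)):
        reasons.append(f"{name}: SQL keywords in value or in decoded hex")
    return reasons

def scan_log(lines):
    """Scan constructed 'date time method uri status' lines; return (line_no, reasons) per hit."""
    hits = []
    for n, line in enumerate(lines, 1):
        parts = line.split()
        if len(parts) < 4 or "?" not in parts[3]:
            continue
        reasons = []
        for pair in parts[3].split("?", 1)[1].split("&"):  # split before decoding, on & only
            name, _, value = pair.partition("=")
            reasons += suspicious_reasons(unquote_plus(name), unquote_plus(value))
        if reasons:
            hits.append((n, reasons))
    return hits

# Constructed sample log; the hex literal decodes to a harmless placeholder, not a real payload.
PLACEHOLDER_HEX = "DECLARE @s NVARCHAR(4000) -- constructed stand-in, not a real payload".encode().hex()
SAMPLE_LOG = [
    "2008-05-30 06:21:00 GET /products.asp?id=42 200",
    "2008-05-30 06:21:01 GET /products.asp?id=42%3BSET%20@s%3DCAST(0x" + PLACEHOLDER_HEX
    + "%20AS%20NVARCHAR(4000))%3BEXEC(@s) 200",
    "2008-05-30 06:21:02 GET /search.asp?q=0x1A+widgets 200",
]
```

Only the second sample line is flagged, on all three counts; the short hex value in the third line is decoded and passed, which is the false-positive check a log scan needs.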
We got hit on a site we maintain by this like 5 times. We didn't build the site, and are actually in the process of finishing the redesign, but whoever did left the whole damn site wide open. No validation on query strings. A true pain in the ass. The one we got passed in a hex value that, when converted to ASCII, was an SQL statement that tries to hit every table in the database. <rant>A true pain in the ass, as we were already maxed out on time and now we gotta deal with this because some "knows enough to be dangerous" web developer coded a vulnerability into every page that's been around for years.</rant>
Thanks for the heads up Chris! I found a kick ass QueryString validation object, it is written in VB.Net so I'm working on converting it to C#, once that is done I will share it in the form of a tutorial or blog post to help people protect their site against these kind of attacks.
SQL injections are the scariest holes out there. They are so common, and are extremely critical.
What I always have to explain to people is that this affects the server level: the attacker is running commands on your SQL server under your privileges.
It's all about escaping the current query, and there are so many vectors and ways to beat filters it's crazy. Especially with MSSQL Server and its xp_cmdshell.
It is very probable that someone could gain root on your SQL server from this vulnerability.
We need to be escaping all variable data that goes into queries. I always build a wrapper into my database abstraction layer for this. Also, use prepared statements as much as possible; this eliminates all of the worry.
Next is something at the application level. Like skyhawk said, mod_security works wonders, you just have to be careful. The first time I installed it, I unwittingly grabbed some rules off different sites that were horrible about false positives.
Next, the user your application uses for your SQL server should have only the permissions it needs. That way, if you're compromised, they only have a sandbox to play in.
Why worry about the strings? Just bind your parameters, and you're fine.
They are different and not interchangeable, example:
SQL Injection Has An Effect On Half Million Sites -- correct
SQL Injection Affects Half Million Sites -- correct
SQL Injection Effects Half Million Sites -- incorrect
Cool topic about SQL injections, thanks for the post
Sorry for being a grammar nazi
This post has been edited by KYA: 30 May, 2008 - 06:21 AM