10 Replies - 2022 Views - Last Post: 30 May 2008 - 07:33 AM

#1 skyhawk133

  • Head DIC Head

Reputation: 1871
  • Posts: 20,282
  • Joined: 17-March 01

SQL Injection Affects Half Million Sites

Posted 27 May 2008 - 02:57 PM

There is a virus being spread through the use of SQL injection. The SQL injection inserts an iframe which loads a JavaScript file on the visitor's computer and infects the system. If you run a web site, you should look through your logs and traffic to see if there is anything abnormal.

2008-04-28 - No New IIS Or Microsoft SQL Server Vulnerabilities, Despite Claims
http://www.webmaster...net/3636835.htm

2008-04-28 - Half a million sites hit by huge web hack
http://www.techworld...fm?newsid=12100

2008-05-15 - Phishing botnet turns to SQL-injection attack
http://www.techworld...m?newsid=101510

2008-05-05 - Under Attack! Hacker attacked DB with link to virus
http://www.webmaster...net/3641891.htm

2007-11-19 - Avoiding SQL injection attacks without the need to replace words
http://www.webmaster...net/3509272.htm

How To: Protect From SQL Injection in ASP.NET
http://msdn.microsof...y/ms998271.aspx

How To: Protect From Injection Attacks in ASP.NET
http://msdn.microsof...y/bb355989.aspx

Anti-Cross Site Scripting Library
http://msdn.microsof...y/aa973814.aspx


For those of you running an Apache/Linux box, I would HIGHLY recommend installing mod_security with the latest rules.

For the rest of you... fix your damn code.


Replies To: SQL Injection Affects Half Million Sites

#2 RodgerB

  • D.I.C Lover

Reputation: 66
  • Posts: 2,284
  • Joined: 21-September 07

Re: SQL Injection Affects Half Million Sites

Posted 27 May 2008 - 03:04 PM

Holy crap! :o

#3 Martyr2

  • Programming Theoretician

Reputation: 4332
  • Posts: 12,127
  • Joined: 18-April 07

Re: SQL Injection Affects Half Million Sites

Posted 27 May 2008 - 03:11 PM

We had a few pages in my company's site hit by this and I had to patch it up for them. It essentially injects an SQL statement as binary info, casts it to nvarchar and then executes it. The binary code cast to nvarchar results in a simple insert of a JavaScript src tag.

The way to prevent it is simply to validate URL parameters and make sure that all parameters are of the right size and type. In addition, I make sure that parameters are not more than 100 chars in length, which pretty much knocks this SQL injection out because the binary string itself is a few hundred chars.

:)
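The log check skyhawk133 suggests in the opening post, keyed on the DECLARE / CAST(0x... AS NVARCHAR) / EXEC shape Martyr2 describes, as an added Python example that is not code from the thread. The log lines, the hex payload and the 100-character ceiling are constructed or assumed; the hex decodes to a harmless constructed SELECT, not a real campaign payload.

```python
import re
from urllib.parse import unquote

# Constructed placeholder for what an injected CAST(0x... AS NVARCHAR) literal
# decodes to; a harmless SELECT stands in for the script-tag UPDATE described above.
SAMPLE_DECODED = "SELECT 'constructed sample'"
SAMPLE_HEX = SAMPLE_DECODED.encode("utf-16-le").hex().upper()

# Constructed web-server log lines (date time method path query status); only the
# third carries the DECLARE/CAST/EXEC chain, URL-encoded as a server would log it.
SAMPLE_LOG = "\n".join([
    "2008-05-27 14:57:01 GET /products.asp id=42 200",
    "2008-05-27 14:57:05 GET /news.asp article=7 200",
    "2008-05-27 14:58:12 GET /products.asp id=42;DECLARE%20@s%20NVARCHAR(4000);"
    f"SET%20@s=CAST(0x{SAMPLE_HEX}%20AS%20NVARCHAR(4000));EXEC(@s);-- 200",
])

CAST_EXEC = re.compile(
    r"DECLARE\s+@\w+.*?CAST\s*\(\s*0x([0-9A-Fa-f]+)\s+AS\s+N?VARCHAR.*?EXEC",
    re.IGNORECASE | re.DOTALL,
)
MAX_PARAM_LEN = 100  # Martyr2's size ceiling; assumed to suit the site's parameters


def decode_nvarchar_hex(hex_digits):
    """Recover the text behind a 0x... literal (NVARCHAR is UTF-16LE on SQL Server)."""
    raw = bytes.fromhex(hex_digits[: len(hex_digits) // 2 * 2])  # drop a stray nibble
    try:
        return raw.decode("utf-16-le")
    except UnicodeDecodeError:
        return raw.decode("latin-1")  # VARCHAR variant: one byte per character


def scan_log(log_text):
    """One finding per line whose query string shows the hex-cast chain or an oversized parameter."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        parts = line.split()
        if len(parts) < 6:
            continue
        query = unquote(parts[4])  # undo %20 etc. before matching
        reasons = []
        hit = CAST_EXEC.search(query)
        if hit:
            reasons.append("hex-cast-exec:" + decode_nvarchar_hex(hit.group(1)))
        for param in query.split("&"):
            name, _, value = param.partition("=")
            if len(value) > MAX_PARAM_LEN:
                reasons.append(f"oversized-param:{name}:{len(value)}")
        if reasons:
            findings.append({"line": lineno, "path": parts[3], "reasons": reasons})
    return findings
```

Each finding carries the decoded payload so an analyst can see what the injected statement would have done without re-running it.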

#4 Mikhail

  • Bastard Operator From Hell

Reputation: 58
  • Posts: 1,378
  • Joined: 26-October 07

Re: SQL Injection Affects Half Million Sites

Posted 27 May 2008 - 06:51 PM

None of the sites I know were hit; however, that is a large number.

#5 Sonic88

  • D.I.C Head

Reputation: 3
  • Posts: 166
  • Joined: 19-February 08

Re: SQL Injection Affects Half Million Sites

Posted 28 May 2008 - 06:45 AM

We got hit on a site we maintain by this like 5 times. We didn't build the site, and are actually in the process of finishing the redesign, but whoever did left the whole damn site wide open. No validation on query strings. A true pain in the ass. The one we got passed in a hex value that, when converted to ASCII, was an SQL statement that tries to hit every table in the database. <rant>A true pain in the ass as we were already maxed out on time and now we gotta deal with this because some "knows enough to be dangerous" web developer coded a vulnerability into every page that's been around for years.</rant>

#6 PsychoCoder

  • Google.Sucks.Init(true);

Reputation: 1639
  • Posts: 19,853
  • Joined: 26-July 07

Re: SQL Injection Affects Half Million Sites

Posted 28 May 2008 - 07:43 AM

Thanks for the heads up Chris! I found a kick ass QueryString validation object; it is written in VB.Net so I'm working on converting it to C#. Once that is done I will share it in the form of a tutorial or blog post to help people protect their site against these kinds of attacks.

#7 jjsaw5

  • I must break you

Reputation: 90
  • Posts: 3,060
  • Joined: 04-January 08

Re: SQL Injection Affects Half Million Sites

Posted 28 May 2008 - 09:02 AM

We've been having issues with this.

#8 joeyadms

  • D.I.C Head

Reputation: 41
  • Posts: 178
  • Joined: 04-May 08

Re: SQL Injection Affects Half Million Sites

Posted 29 May 2008 - 08:15 AM

SQL injections are the scariest holes out there. They are so common, and are extremely critical.

What I always have to explain to people is that this affects the server level: the attacker is running commands on your SQL server under your privileges.

It's all about escaping the current query, and there are so many vectors and ways to beat filters it's crazy. Especially with MSSQL Server and its xp_cmdshell.

It is very probable that someone could gain root on your SQL server from this vulnerability.

We need to be escaping all variable data that goes into queries. I always build a wrapper into my database abstraction layer for this. Also, use prepared statements as much as possible; this eliminates all of the worry.

Next is something at the application level. Like skyhawk said, mod_security works wonders; you just have to be careful. The first time I installed it, I unwittingly grabbed some rules off different sites that were horrible about false positives.

Next, the user you use for your application on your SQL server should have only the permissions needed. That way, if you're compromised, they only have a sandbox to play in.

#9 mikeblas

  • D.I.C Regular

Reputation: 43
  • Posts: 390
  • Joined: 08-February 08

Re: SQL Injection Affects Half Million Sites

Posted 29 May 2008 - 04:00 PM

PsychoCoder, on 28 May, 2008 - 07:43 AM, said:

> Thanks for the heads up Chris! I found a kick ass QueryString validation object, it is written in VB.Net so I'm working on converting it to C#, once that is done I will share it in the form of a tutorial or blog post to help people protect their site against these kind of attacks.

Why worry about the strings? Just bind your parameters, and you're fine.
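Martyr2's size-and-type check (post #3) combined with the parameter binding mikeblas and joeyadms recommend (posts #8 and #9), as an added Python example that is not code from the thread. It uses an in-memory SQLite table standing in for a site's products table and a constructed hostile value; the table, the function names and the 100-character ceiling are assumptions.

```python
import sqlite3

MAX_PARAM_LEN = 100  # Martyr2's size ceiling; assumed to suit the site's parameters


def validate_int_param(value, max_len=MAX_PARAM_LEN):
    """First layer: reject a query-string value that is too long or not the expected
    type before it gets anywhere near a query (Martyr2's advice)."""
    if len(value) > max_len or not value.isdigit():
        raise ValueError(f"rejected parameter value {value[:40]!r}")
    return int(value)


def make_db():
    """Constructed in-memory table standing in for the site's products table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO products VALUES (?, ?)",
                     [(1, "widget"), (2, "gadget"), (3, "gizmo")])
    return conn


def lookup_concat(conn, raw_id):
    """The pattern the thread warns about: the request value is pasted into the SQL text."""
    return conn.execute("SELECT name FROM products WHERE id = " + raw_id).fetchall()


def lookup_bound(conn, raw_id):
    """Bind the value: the driver sends it as data, never as part of the SQL."""
    return conn.execute("SELECT name FROM products WHERE id = ?", (raw_id,)).fetchall()


def lookup_hardened(conn, raw_id):
    """Both layers together: type/length check first, then a bound parameter."""
    return lookup_bound(conn, validate_int_param(raw_id))


# Constructed hostile value: in a numeric context no quote character is needed,
# so a filter that only strips quotes would not stop it.
HOSTILE = "1 OR 1=1"
```

With concatenation the hostile value turns a one-row lookup into a full table dump; the bound version compares it as a literal string and returns nothing, and the hardened version rejects it before any SQL runs.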

#10 KYA

  • g++ jameson.cpp -o beverage

Reputation: 3101
  • Posts: 19,141
  • Joined: 14-September 07

Re: SQL Injection Affects Half Million Sites

Posted 30 May 2008 - 07:19 AM

I'm sorry, but this bothers me:

effect: noun, something that happens

affect: verb, to make something happen like above

they are different and not interchangeable, example:

SQL Injection Has An Effect On Half Million Sites -- correct
SQL Injection Affects Half Million Sites--correct
SQL Injection Effects Half Million Sites--incorrect

Cool topic about SQL injections, thanks for the post



Sorry for being a grammar nazi :)

This post has been edited by KYA: 30 May 2008 - 07:21 AM


#11 skyhawk133

  • Head DIC Head

Reputation: 1871
  • Posts: 20,282
  • Joined: 17-March 01

Re: SQL Injection Affects Half Million Sites

Posted 30 May 2008 - 07:33 AM

Fixed.
