Prohibit UNION queries?

  • Sean Lange (1/10/2014)


    hisakimatama (1/10/2014)


    The database most definitely isn't safe and secure if queries like those are being injected in. As Gail and the others have said, your code's open for injection, and, if the account that accesses your data via your interface has the right privileges, whoever's injecting your page has more than likely lifted some data from the system, if that last query is any indication of where they're digging.

    Whoa!!! We don't know that the code is vulnerable. We have not seen a single line of T-SQL posted. All we have seen so far is a URL with some query string parameters that appear to look like somebody attempting SQL injection. The OP stated that all of their queries are parameterized (procs would be even better) which means the injection is not happening. It is not uncommon to log the entire URL for page loads, especially when the page throws an exception.

    Ack. Did I misstep there? The last two code blocks from the post on the first page seem to be T-SQL with some injected bits, but I may be in way-too-paranoid mode at the moment after seeing injecty-looking stuff. I'll go eat a porkchop if needed!

    - 😀
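Sean's point above, that a logged URL full of injection-looking parameters shows an attempt rather than a successful injection when the app's queries are parameterized, as an added example that is not code from the thread: it triages a few constructed log URLs, then runs a flagged value through a string-built query and a parameterized one. The in-memory SQLite database, the table names and the sample rows are stand-ins I made up for the OP's SQL Server setup.

```python
import re
import sqlite3
from urllib.parse import parse_qsl, urlsplit

# Constructed sample of logged request URLs (not from the thread): the kind of
# thing an app records when a page throws an exception.
LOGGED_URLS = [
    "/product.aspx?id=42",
    "/product.aspx?id=42'+UNION+SELECT+pass+FROM+users--",
    "/search.aspx?q=chairs&page=2",
]

# Crude triage pattern for injection-looking parameter values (tune for your logs).
INJECTION_PATTERN = re.compile(r"(?i)\bunion\s+select\b|--|;|'\s*or\s")

def flag_injection_attempts(urls):
    """Return (url, param, decoded value) for each parameter that looks like an attempt."""
    hits = []
    for url in urls:
        for key, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
            if INJECTION_PATTERN.search(value):
                hits.append((url, key, value))
    return hits

def make_db():
    """In-memory stand-in for the app database, with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products(id TEXT, name TEXT);
        INSERT INTO products VALUES ('42', 'Desk chair');
        CREATE TABLE users(name TEXT, pass TEXT);
        INSERT INTO users VALUES ('admin', 'hunter2');
    """)
    return conn

def lookup_concat(conn, product_id):
    """String-built query: the value is parsed as SQL, so a logged attempt would succeed."""
    cur = conn.execute(f"SELECT name FROM products WHERE id = '{product_id}'")
    return sorted(row[0] for row in cur.fetchall())

def lookup_param(conn, product_id):
    """Parameterized query: the value travels as data, so the same input matches nothing."""
    cur = conn.execute("SELECT name FROM products WHERE id = ?", (product_id,))
    return sorted(row[0] for row in cur.fetchall())

if __name__ == "__main__":
    db = make_db()
    for url, key, value in flag_injection_attempts(LOGGED_URLS):
        print(f"{url}: concat={lookup_concat(db, value)} param={lookup_param(db, value)}")
```

A flagged URL in the logs plus a parameterized query path is the "attempt, not breach" case Sean describes; the concatenated path is what the same log line would mean if the queries were built from strings.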

  • hisakimatama (1/10/2014)


    Sean Lange (1/10/2014)


    hisakimatama (1/10/2014)


    The database most definitely isn't safe and secure if queries like those are being injected in. As Gail and the others have said, your code's open for injection, and, if the account that accesses your data via your interface has the right privileges, whoever's injecting your page has more than likely lifted some data from the system, if that last query is any indication of where they're digging.

    Whoa!!! We don't know that the code is vulnerable. We have not seen a single line of T-SQL posted. All we have seen so far is a URL with some query string parameters that appear to look like somebody attempting SQL injection. The OP stated that all of their queries are parameterized (procs would be even better) which means the injection is not happening. It is not uncommon to log the entire URL for page loads, especially when the page throws an exception.

    Ack. Did I misstep there? The last two code blocks from the post on the first page seem to be T-SQL with some injected bits, but I may be in way-too-paranoid mode at the moment after seeing injecty-looking stuff. I'll go eat a porkchop if needed!

    Or maybe I did; we may need to share pork chops. 😛 It seems we certainly don't quite have the full picture of the code from the web page.

    _______________________________________________________________

    Need help? Help us help you.

    Read the article at http://www.sqlservercentral.com/articles/Best+Practices/61537/ for best practices on asking questions.

    Need to split a string? Try Jeff Moden's splitter http://www.sqlservercentral.com/articles/Tally+Table/72993/.

    Cross Tabs and Pivots, Part 1 – Converting Rows to Columns - http://www.sqlservercentral.com/articles/T-SQL/63681/
    Cross Tabs and Pivots, Part 2 - Dynamic Cross Tabs - http://www.sqlservercentral.com/articles/Crosstab/65048/
    Understanding and Using APPLY (Part 1) - http://www.sqlservercentral.com/articles/APPLY/69953/
    Understanding and Using APPLY (Part 2) - http://www.sqlservercentral.com/articles/APPLY/69954/

  • Sean Lange (1/10/2014)


    hisakimatama (1/10/2014)


    Sean Lange (1/10/2014)


    hisakimatama (1/10/2014)


    The database most definitely isn't safe and secure if queries like those are being injected in. As Gail and the others have said, your code's open for injection, and, if the account that accesses your data via your interface has the right privileges, whoever's injecting your page has more than likely lifted some data from the system, if that last query is any indication of where they're digging.

    Whoa!!! We don't know that the code is vulnerable. We have not seen a single line of T-SQL posted. All we have seen so far is a URL with some query string parameters that appear to look like somebody attempting SQL injection. The OP stated that all of their queries are parameterized (procs would be even better) which means the injection is not happening. It is not uncommon to log the entire URL for page loads, especially when the page throws an exception.

    Ack. Did I misstep there? The last two code blocks from the post on the first page seem to be T-SQL with some injected bits, but I may be in way-too-paranoid mode at the moment after seeing injecty-looking stuff. I'll go eat a porkchop if needed!

    Or maybe I did; we may need to share pork chops. 😛 It seems we certainly don't quite have the full picture of the code from the web page.

    Haha, no worries :-D. I was starting to worry that my code-paranoid tendencies had finally reached the tipping point of making me hallucinate code. I'll leave the self-chopper for myself on standby until further notice, then!

    - 😀

  • Sean Lange (1/10/2014)


    hisakimatama (1/10/2014)


    Sean Lange (1/10/2014)


    hisakimatama (1/10/2014)


    The database most definitely isn't safe and secure if queries like those are being injected in. As Gail and the others have said, your code's open for injection, and, if the account that accesses your data via your interface has the right privileges, whoever's injecting your page has more than likely lifted some data from the system, if that last query is any indication of where they're digging.

    Whoa!!! We don't know that the code is vulnerable. We have not seen a single line of T-SQL posted. All we have seen so far is a URL with some query string parameters that appear to look like somebody attempting SQL injection. The OP stated that all of their queries are parameterized (procs would be even better) which means the injection is not happening. It is not uncommon to log the entire URL for page loads, especially when the page throws an exception.

    Ack. Did I misstep there? The last two code blocks from the post on the first page seem to be T-SQL with some injected bits, but I may be in way-too-paranoid mode at the moment after seeing injecty-looking stuff. I'll go eat a porkchop if needed!

    Or maybe I did; we may need to share pork chops. 😛 It seems we certainly don't quite have the full picture of the code from the web page.

    Yeah, I'll take a pork chop. In my defense, I think I became subconsciously biased when he suggested turning a generic keyword off at the SQL server. Hopefully the web app in reality isn't vulnerable.

    On the other hand, I get truly fascinated watching hack attempts. I ran a copy of thttpd with a single picture and posted a URL on one of those link sharing sites, and it was amazing the traffic I attracted. Not only did these clients try any number of exploits (many cPanel login attempts with default or predictable credentials, etc.), many of the clients at the time were running some pretty darn obsolete browser versions, which indicated to me that probably a good percentage of these clients were themselves hacked and simply running hack attempts at the behest of their true remote masters.

    I'll probably run another server this year as XP starts to become vulnerable just to watch the show.
