Suspect data in SQL tables

  • We have just encountered what appears to be suspect data in a lot of our SQL databases that house backend data for internal and external websites. For the tables affected, all of the fields defined as varchar(max) have the following code appended to data.

    <div style="display:none">wer54w66sf32re2</div><div style="display:none">wer54w66sf32re2</div>

    Anyone encountered this?

  • rjaye03 (11/2/2016)


    We have just encountered what appears to be suspect data in a lot of our SQL databases that house backend data for internal and external websites. For the tables affected, all of the fields defined as varchar(max) have the following code appended to data.

    <div style="display:none">wer54w66sf32re2</div><div style="display:none">wer54w66sf32re2</div>

    Anyone encountered this?

    SQL Server did not put that there by itself. Something, somewhere, has written it.

    The absence of evidence is not evidence of absence
    - Martin Rees
    The absence of consumable DDL, sample data and desired results is, however, evidence of the absence of my response
    - Phil Parkin

  • If the database is passing a consistency check, then it's something in your apps that's doing that. It could be a trigger though. I'd check that too.

    "The credit belongs to the man who is actually in the arena, whose face is marred by dust and sweat and blood"
    - Theodore Roosevelt

    Author of:
    SQL Server Execution Plans
    SQL Server Query Performance Tuning

  • Some of these databases don't even have apps using or accessing them. One database I just created a couple of days ago with one table and I manually keyed test data into it. We suspected a SQL injection, but not all databases are used. It's just concerning that "something" outside the scope of an app is randomly adding text to our character fields. And when it happens, it happens to all rows in table. I searched Google and Bing for this string of data and a LOT of sites came up. It doesn't appear to affect the apps that do use these tables, but quite alarming all the same. We only found it because we passed data to Google API that could not accept any embedded html.

    Thanks for the reply

  • Gut feel - SQL Injection vulnerability somewhere. It is a concern, because if your site is known (to malicious apps/users) to be vulnerable, they can do more fun things than just add html. Like extract all the data, or embed malware.

    Try setting up an extended events session to capture where the data is coming from.

    Gail Shaw
    Microsoft Certified Master: SQL Server, MVP, M.Sc (Comp Sci)
    SQL In The Wild: Discussions on DB performance with occasional diversions into recoverability

    We walk in the dark places no others will enter
    We stand on the bridge and no one may pass
  • I'm inclined to agree with Gail's gut instinct - SQL injection. If you don't have any apps accessing the database, take a look at the database permissions and see if that gets you anywhere. You need to find out what/who is embedding HTML and how they're doing it. If you don't, this will happen...or has already happened:

    GilaMonster (11/2/2016)


    Like extract all the data, or embed malware.

  • Rather than SQL Injection (embedding SQL into the URL), it appears that a user is simply pasting javascript fragments into a text field, so it gets saved to your varchar column when the web application form is submitted. What this will do is cause the script to be rendered when the form data is subsequently viewed by other users. Preventing this from happening is a basic website design consideration, so let the application developer know. Meanwhile, from the database side, to confirm who and what is doing this, you can implement an audit trace.

    Also, to double dog prevent this happening ever again, you can implement check constraints on varchar columns that get inserted from free-form user input. The example below will block any operation that attempts to insert or update a value containing an HTML tag. It will also raise an error for which you can trap programmatically or using an event trace.

    create table MyTable

    (

    col1 varchar(120) not null

    constraint MyTable_Col1_SuspectedSQLInjection

    check ( col1 not like '%<%>%</%>%' )

    );

    insert into MyTable ( col1 )

    values ('<div style="display:none">wer54w66sf32re2</div>

    <div style="display:none">wer54w66sf32re2</div>');

    Msg 547, Level 16, State 0, Line 11

    The INSERT statement conflicted with the CHECK constraint

    "MyTable_Col1_SuspectedSQLInjection". The conflict occurred

    in database "MyDB", table "dbo.MyTable

    "Do not seek to follow in the footsteps of the wise. Instead, seek what they sought." - Matsuo Basho

  • Eric M Russell (11/3/2016)


    Rather than SQL Injection (embedding SQL into the URL), it appears that a user is simply pasting javascript fragments into a text field, so it gets saved to your varchar column when the web application form is submitted. What this will do is cause the script to be rendered when the form data is subsequently viewed by other users. Preventing this from happening is a basic website design consideration, so let the application developer know. Meanwhile, from the database side, to confirm who and what is doing this, you can implement an audit trace.

    Also, to double dog prevent this happening ever again, you can implement check constraints on varchar columns that get inserted from free-form user input. The example below will block any operation that attempts to insert or update a value containing an HTML tag. It will also raise an error for which you can trap programmatically or using an event trace.

    create table MyTable

    (

    col1 varchar(120) not null

    constraint MyTable_Col1_SuspectedSQLInjection

    check ( col1 not like '%<%>%</%>%' )

    );

    insert into MyTable ( col1 )

    values ('<div style="display:none">wer54w66sf32re2</div>

    <div style="display:none">wer54w66sf32re2</div>');

    Msg 547, Level 16, State 0, Line 11

    The INSERT statement conflicted with the CHECK constraint

    "MyTable_Col1_SuspectedSQLInjection". The conflict occurred

    in database "MyDB", table "dbo.MyTable

    Those are HTML tags, although Javascript would (in theory) work as well. I like your design idea.

Viewing 8 posts - 1 through 7 (of 7 total)

You must be logged in to reply to this topic. Login to reply