SQL used for evil - Jon Galloway

SQL used for evil

Yikes. I heard about a website being hacked, probably via SQL injection. This trigger was added:

CREATE TRIGGER tr_Orders_INSERT_InsteadOf ON Orders
INSTEAD OF INSERT
AS RAISEERROR("[Microsoft OLE DB Provider for SQL Server] Timeout expired",16,0)

That's a rough one to catch, because to the calling code it looks as if you're getting unexplained timeouts every time you try to insert a row into the Orders table. This is pretty much a “denial of service” type of attack in that it's designed to harm the business rather than steal from it. Not cool.
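A check a DBA can run to surface this kind of sabotage, as an added example that is not from the original post: it lists every user-defined INSTEAD OF trigger with its definition and modification date, flagging definitions that raise errors, stall, or hide their text. It assumes SQL Server 2005 or later catalog views (sys.triggers, sys.sql_modules), not the SQL Server 2000 system tables of the post's era.

```sql
-- Added example (not from the original post). Assumes SQL Server 2005+.
-- Enumerate INSTEAD OF triggers on user tables/views so that a trigger
-- like the one above cannot hide behind a "timeout" error message.
SELECT
    OBJECT_SCHEMA_NAME(tr.parent_id) AS schema_name,
    OBJECT_NAME(tr.parent_id)        AS table_name,
    tr.name                          AS trigger_name,
    tr.create_date,
    tr.modify_date,                  -- a recent date on a mature schema is a red flag
    tr.is_disabled,
    CASE
        WHEN sm.definition IS NULL THEN 'ENCRYPTED'   -- WITH ENCRYPTION hides the body
        WHEN sm.definition LIKE '%RAISERROR%'
          OR sm.definition LIKE '%RAISEERROR%'        -- catches the spelling in the post
          OR sm.definition LIKE '%WAITFOR%'  THEN 'REVIEW'
        ELSE ''
    END AS flag,
    sm.definition
FROM sys.triggers AS tr
LEFT JOIN sys.sql_modules AS sm
       ON sm.object_id = tr.object_id
WHERE tr.is_instead_of_trigger = 1
  AND tr.parent_class = 1           -- object (table/view) triggers only
  AND tr.is_ms_shipped = 0
ORDER BY tr.modify_date DESC;
```

Run it as part of a regular schema audit and diff the result set against the last known-good run; a new or recently modified row on Orders is the finding, whatever its flag says.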

And while I'm at it, it's not a good idea to have files with non-standard extensions (.bak, .inc, .site) in a web directory, since IIS doesn't know about them and will happily serve them up as plain text. That can help an attacker find places where you're vulnerable to other attacks such as SQL injection.

Published Wednesday, May 5, 2004 10:36 PM by Jon Galloway

Comments

# re: SQL used for evil

Hey thanks...something to remember....

Think SQLTeam just got a post like that..

Thursday, May 6, 2004 12:04 PM by Brett

# re: SQL used for evil

You can fix the .bak, .inc, .site problem by adding file mappings for these to send them first through the ASP engine.

Thursday, May 6, 2004 7:55 PM by Scullee

# re: SQL used for evil

It would be even harder to debug if you added a WAITFOR '00:01:00' before the RAISEERROR.... ouch.

Sunday, May 9, 2004 10:07 PM by Paul