ASP.NET Developer Notes

Ryan Garaygay's ASP.NET notes online

Recent SQL Injection Attacks on ASP sites

There seem to be a number of SQL injection attacks happening lately that append <script src=http://www.banner82.org/b.js></script>, adword71.com/b.js (and the like) to entries in string/text/varchar columns in the database, targeting ASP (classic/3.0) sites backed by SQL Server. Note that the attackers need not know your table or column names to mess with you.

I definitely do not wish to play cops and robbers here, but I do wish to contribute a little on this. There are a number of articles on this (read on) and even more on preventing SQL injection and related exploits such as cross-site scripting, so help yourself.

As mentioned, this is more targeted at ASP (classic/3.0) sites, but I am posting it nevertheless.

Read full article from Security alert: SQL injection attacks - banner82 script

Thanks to Robert Robbins' post on rising SQL injection threats for making me think of cross-posting here on weblogs.asp.net. I agree that this threat could be better eliminated with help/information from the community (if not MSFT itself).

Comments

TT said:

you can add : http://www.adw95.com/b.js to the list ...

# May 26, 2008 2:58 PM

Slim said:

To avoid the infection, you have to remove the sysobjects & syscolumns rights from the database user in the GLOBAL.ASA, so the script cannot access the sys tables anymore to list the database tables and columns and infect them precisely; the script just won't execute itself!

Then you'll have to remove every reference to the script inside the cells, but without using REPLACE because ntext, text or image fields could have been altered.

I recommend using a script (ASP or PHP) to access the infected databases, table after table, column after column, where you can find any script like '%banner82.com%' or '%adw95.com%' or '%/b.js%' etc. (there are many variants depending on the website or the name of the script: 'b.js' or 'g.js' or '1.js'...).

It would be even better to use regex inside SQL Server queries, but you have to use a UDF to do so (you can find some by searching for 'SQL server 2000 regex').

Once you have found all occurrences you can UPDATE each field after a cleaning script.

Then you're done!

# May 27, 2008 6:46 AM
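The table-by-table, column-by-column search described in the comment above, as an added T-SQL example (not code from the post or its commenters): it enumerates every character column in the current database from INFORMATION_SCHEMA and counts rows matching a constructed pattern for the injected script tag. Names such as #hits and the pattern string are assumptions chosen for this example.

```sql
-- Added detection scan (hypothetical; not from the original post).
-- Reports which columns contain the injected <script src=...></script>
-- fragment so they can be reviewed and cleaned. Read-only: no UPDATEs.
SET NOCOUNT ON;

-- Constructed pattern: covers the b.js / g.js / 1.js variants mentioned.
DECLARE @pattern nvarchar(200);
SET @pattern = N'%<script src=%.js></script>%';

IF OBJECT_ID('tempdb..#hits') IS NOT NULL DROP TABLE #hits;
CREATE TABLE #hits (schema_name sysname, table_name sysname,
                    column_name sysname, hit_count int);

DECLARE @schema sysname, @table sysname, @column sysname,
        @sql nvarchar(4000);   -- nvarchar(4000) keeps this SQL 2000 compatible

-- Only base tables and only column types that can hold injected text.
DECLARE col_cursor CURSOR LOCAL FAST_FORWARD FOR
    SELECT c.TABLE_SCHEMA, c.TABLE_NAME, c.COLUMN_NAME
    FROM INFORMATION_SCHEMA.COLUMNS AS c
    JOIN INFORMATION_SCHEMA.TABLES AS t
      ON t.TABLE_SCHEMA = c.TABLE_SCHEMA AND t.TABLE_NAME = c.TABLE_NAME
    WHERE t.TABLE_TYPE = 'BASE TABLE'
      AND c.DATA_TYPE IN ('char','varchar','nchar','nvarchar','text','ntext');

OPEN col_cursor;
FETCH NEXT FROM col_cursor INTO @schema, @table, @column;
WHILE @@FETCH_STATUS = 0
BEGIN
    -- Identifiers come from the catalog and are wrapped in QUOTENAME;
    -- the search pattern itself is passed as a parameter, never concatenated.
    -- LIKE works on text/ntext, which REPLACE does not, as the comment notes.
    SET @sql = N'INSERT INTO #hits SELECT @s, @t, @c, COUNT(*) FROM '
             + QUOTENAME(@schema) + N'.' + QUOTENAME(@table)
             + N' WHERE ' + QUOTENAME(@column) + N' LIKE @p HAVING COUNT(*) > 0;';
    EXEC sp_executesql @sql,
         N'@s sysname, @t sysname, @c sysname, @p nvarchar(200)',
         @s = @schema, @t = @table, @c = @column, @p = @pattern;
    FETCH NEXT FROM col_cursor INTO @schema, @table, @column;
END
CLOSE col_cursor;
DEALLOCATE col_cursor;

-- Columns with the most affected rows first.
SELECT * FROM #hits ORDER BY hit_count DESC;
```

Run it as a user with read access to all application tables; the result set is the work list for the manual UPDATE pass the comment describes.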

ryangaraygay said:

@TT - Thanks for pointing out one of the variants.

@Slim - Yes, you're absolutely right. Limiting user access to only what is needed is key, those two objects (views) in particular for this exploit. Moving forward, to make it even better, review the database access needed by the application/user and restrict it even more. This will not only prevent this exploit but many others (even possibly those that have not been initiated yet).

# May 27, 2008 10:03 AM

Chris Hawkins said:

Thanks so much for posting this script.

I look after a micro-business client who has a dynamic website running on an ASP database which has been repeatedly attacked.

I have been hassling him for months to do something. He finally commissioned a new site running secure php/mysql (hopefully!).

Meanwhile, I have been left with trying to keep the existing site limping along for 6 weeks until the new system is ready.

The script worked a treat.

Again, many thanks.

# June 5, 2008 11:04 AM

ryangaraygay said:

Sure. Glad to have helped.

Moving to a new site with secure PHP/MySQL sounds like a good idea, though IMHO you could secure the ASP site too with some modifications, and the same is true with ASP.NET. So if I may speak, if security is the only reason for migrating the site, then modifications to the existing ASP code base to secure the site might take less time/effort than a complete overhaul to PHP/MySQL.

# June 11, 2008 9:07 AM