When it comes to SQL injection detection, we at The Daily WTF could be doing better. It's not that I don't trust Alex's modifications to our CMS system to be injection-proof, I'm just saying that I'd prefer that you people didn't post comments like "') DELETE FROM Articles --". Or, if you must, at least "') DELETE FROM Articles WHERE Author_Name <> 'Jake Vinson' --".
But I'm getting ahead of myself. The point here is that we should've employed a strategy that B. V. tipped us off to so we could learn when "Some one [was] trying to Hack the Site."
sqlArray = "select%20|delete%20|update%20|insert%20|create%20|alter%20|drop%20|truncate%20|sp_"
idx = split(sqlArray,"|")
InjectionFound = false
for i = 0 to ubound(idx)
    'Response.Write(idx(i))
    pos=InStr(1,Request.QueryString,idx(i),0)
    if pos <> 0 then
        InjectionFound = true
        exit for
    else
        InjectionFound = false
    end if
next
if InjectionFound = false then
    'Response.Write("Injection(s) Not Found")
else
    strContents = "Some one is trying to Hack the Site please check detials given below" & "<br><br>"
    strContents = strContents &"QUERY_STRING = " & Request.ServerVariables("QUERY_STRING") & "<br>"
    strContents = strContents & "REMOTE_ADDR = " & Request.ServerVariables("REMOTE_ADDR") & "<br>"
    strContents = strContents & "REMOTE_HOST = " & Request.ServerVariables("REMOTE_HOST") & "<br>"
    strContents = strContents & "REMOTE_USER = " & Request.ServerVariables("REMOTE_USER") & "<br>"
    strContents = strContents & "REQUEST_METHOD = " & Request.ServerVariables("REQUEST_METHOD") & "<br>"
    strContents = strContents & "SCRIPT_NAME = " & Request.ServerVariables("SCRIPT_NAME") & "<br>"
    strContents = strContents & "SERVER_NAME = " & Request.ServerVariables("SERVER_NAME") & "<br>"
    Set objCDO = Server.CreateObject("CDONTS.NewMail")
    objCDO.MailFormat = 0 ' html format
    objCDO.BodyFormat = 0 ' html format
    objCDO.To = "support@initrodeglobal.com"
    objCDO.From = "mbolton@initrodeglobal.com"
    objCDO.Importance = 2
    objCDO.Subject = Request.ServerVariables("SERVER_NAME") & " | Hacker Info"
    objCDO.Body = strContents
    objCDO.Send
    Response.Redirect("/")
    Response.end
end if
My favorite part is the commented-out "Injection(s) Not Found" alert. Prior to its removal, I wonder how many hundreds or thousands of requests helpfully informed users that they weren't trying to hack the site.
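To make the two flaws in that snippet concrete, here is an added example (mine, not code from the article or from B. V.'s site) that re-implements the blacklist check in Python and runs it against constructed query strings, then contrasts string-concatenated SQL with a parameterized query against an in-memory SQLite table. The table name and column `Author_Name` come from the article's own example; the sample names, the `title` column and the `sqlite3` lookups are my assumptions. It goes slightly beyond the page by showing the parameterized fix, which the snippet never had.

```python
import sqlite3
from urllib.parse import parse_qs

# Blacklist copied from the original ASP snippet: lowercase keywords, each
# followed by a URL-encoded space, plus "sp_".
SQL_BLACKLIST = "select%20|delete%20|update%20|insert%20|create%20|alter%20|drop%20|truncate%20|sp_"


def naive_injection_found(query_string):
    """Mirror of the snippet's loop: a plain, case-sensitive substring search over
    the raw (still URL-encoded) query string, one blacklist term at a time.
    InStr(..., 0) in VBScript is a binary compare, so letter case matters."""
    return any(term in query_string for term in SQL_BLACKLIST.split("|"))


# Constructed query strings (not from any real log) chosen to exercise the
# failure modes the article and its comments describe.
SAMPLE_QUERY_STRINGS = {
    "bruce": "author=Bruce%20Waldrop%20Jr",                  # legitimate user, contains "drop%20"
    "judy": "author=Judy%20O'Leary",                         # legitimate user, contains an apostrophe
    "payload": "author=')%20DELETE%20FROM%20Articles%20--",  # the article's own example, uppercase
}


def classify_samples():
    """Returns {name: flagged?} so the false positive and false negatives are visible:
    Bruce is flagged, Judy and the uppercase payload sail through."""
    return {name: naive_injection_found(qs) for name, qs in SAMPLE_QUERY_STRINGS.items()}


def build_demo_db():
    """Assumed schema: a tiny Articles table with two legitimate authors."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Articles (title TEXT, Author_Name TEXT)")
    conn.executemany(
        "INSERT INTO Articles VALUES (?, ?)",
        [("Classic ASP", "Judy O'Leary"), ("Ducks", "Bruce Waldrop Jr")],
    )
    return conn


def lookup_author_unsafe(conn, query_string):
    """The pattern the blacklist was guarding: SQL built by concatenation.
    A perfectly legitimate apostrophe ends the string literal early."""
    author = parse_qs(query_string)["author"][0]
    sql = "SELECT title FROM Articles WHERE Author_Name = '" + author + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_author_safe(conn, query_string):
    """Parameterized query: the value travels separately from the SQL text, so
    quotes and keywords in the input are data, not syntax. No blacklist needed."""
    author = parse_qs(query_string)["author"][0]
    rows = conn.execute("SELECT title FROM Articles WHERE Author_Name = ?", (author,))
    return [row[0] for row in rows]


def compare_lookups(query_string):
    """Runs both lookups on a fresh demo DB; returns (unsafe result or error name, safe result)."""
    conn = build_demo_db()
    try:
        unsafe = lookup_author_unsafe(conn, query_string)
    except sqlite3.OperationalError:
        unsafe = "OperationalError"
    safe = lookup_author_safe(conn, query_string)
    conn.close()
    return unsafe, safe


if __name__ == "__main__":
    print(classify_samples())
    print(compare_lookups("author=Judy%20O'Leary"))
    print(compare_lookups("author=Bruce%20Waldrop%20Jr"))
```

Running it shows the blacklist reporting Bruce Waldrop as an attacker while letting the article's own payload through untouched, and shows Judy O'Leary getting a SQL error from the concatenated query but a normal result from the parameterized one. The practical lesson is the usual one: keyword sniffing on the query string is neither a detector nor a defence; parameterized statements are the defence, and if you want detection, log the database errors and the rejected inputs rather than e-mailing an HTML dump of server variables to support.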
Re: Some one is trying to Hack the Site | 2008-05-22 08:39 | by Another Kevin (unregistered)
So that's why my friend Bruce Waldrop couldn't use the site. And why Judy O'Leary got a SQL error when she tried.
CAPTCHA: abico - what's with all the Latin, anyway?
Re: Some one is trying to Hack the Site | 2008-05-22 08:52 | by Rory Fitzpatrick (unregistered)
It's a wonder they didn't just dump strContents into the database instead of an email...
This attitude seems to bite a lot of developers who are learning about security vulnerabilities for the first time. Since a lot of them consider themselves ex-h4x0rZ turned legit, they get a charge out of trying to "nail" the "hackers". Even though they barely understand how the "hacks" work and their "hacking" experience was limited to typing IP addresses into WinNuke.
Re: Some one is trying to Hack the Site | 2008-05-22 09:19 | by tragomaskhalos (unregistered)
"Some one (sic) is trying to Hack the Site, conveniently using lowercase SQL"