Comment On Some one is trying to Hack the Site

Maybe a better title for this article would be "Someone ISN't trying to hack the site".

Maybe I could change it by doing some injections...

Very similar to some recent code I cam across:

Function SqlInjectionScan(strFilter)
Dim objRegExp:Set objRegExp = New RegExp
objRegExp.Global = True
objRegExp.IgnoreCase = True

' exec\s
' xp_
' ;
' [^!]--[^>]
' /\*.*\*/
' \schar\(\w+\)
' ascii\('.+'\)
' -sp_password
' \s@@
' \smaster\.
' \ssysusers
' backup\sdatabase\s
' create\stable\s
' union\sall\s
' [0-9]+\s*[=<>!]{1,2}\s*[0-9]+
' '[^']*'\s*[=<>!]{1,2}\s*'[^']*'
objRegExp.Pattern = "exec\s|xp_|;|[^!]--[^>]|/\*.*\*/|\schar\(\w+\)|ascii\('.+'\)|-sp_password|\s@@|\smaster\.|\ssysusers|backup\sdatabase\s|create\stable\s|union\sall\s|[0-9]+\s*[=<>!]{1,2}\s*[0-9]+|'[^']*'\s*[=<>!]{1,2}\s*'[^']*'"
If objRegExp.Test(strFilter) Then
Dim strSqlInjectionLog:strSqlInjectionLog = Trim(a_objCpSiteProperties.Item("Sql Injection Log"))
'Response.Write "<BR />--------------------------SqlInjectionScan--------------------------<BR />"
If strSqlInjectionLog = "0" Then
Else
Dim strRemote_Address:strRemote_Address = Request.ServerVariables("REMOTE_ADDR")
Dim objFso:Set objFso = CreateObject("Scripting.FileSystemObject")
Dim objFile:Set objFile = objFso.OpenTextFile(Server.MapPath("\Media\SqlInjectionScan.txt"), 8, True)

If strSqlInjectionLog = "1" Then
objFile.WriteLine Now() & vbTab & strRemote_Address & vbTab & Request.ServerVariables("SERVER_NAME") & vbTab & _
Request.ServerVariables("URL") & vbTab & Request.ServerVariables("QUERY_STRING") & vbTab & strFilter
Else
If inStr(1, strSqlInjectionLog, strRemote_Address) = 0 Then
objFile.WriteLine Now() & vbTab & strRemote_Address & vbTab & Request.ServerVariables("SERVER_NAME") & vbTab & _
Request.ServerVariables("URL") & vbTab & Request.ServerVariables("QUERY_STRING") & vbTab & strFilter
End If
End If
objFile.Close
Set objFile = Nothing
Set objFso = Nothing
End If

strFilter = "ModuleSID = ''"
End If

Set objRegExp = Nothing
SqlInjectionScan = strFilter
End Function

Parameterized queries? Nah, we'll just "scrub" the input.

If you're seriously worrying about sql injection, you are the WTF. If your framework doesn't have a decent ORM to do a lot of the SQL for you, you should at least be using bound parameters.

Okay, so every time someone puts in a comment with select or alter or insert in the text, you're getting email? Cool, self DOS!
And bonus points for thinking that commented out debugging code is a WTF issue. It's not. It's good practice for future maintainers.

Geez, its a good job you cant use a tab character in SQL...

So I don't know which is worse, the code, or the grammatical error? I really wish the developer could give me some more "detials" about the attempt.

') DELETE FROM Articles --

') DELETE FROM Articles WHERE Author_Name <> 'Jake Vinson' --

isnt the real WTF
"if InjectionFound = false then"
instead of
"if InjectionFound == false then" ?!

Yasd:

isnt the real WTF
"if InjectionFound = false then"
instead of
"if InjectionFound == false then" ?!

Only if you're one of those people who thinks an equals signs *does* something. This code is fairly obviously vbscript (although it's all in lower case which would confuse most programmers...) which means = is the equality operator as well as the assignment operator.

') DELETE FROM Articles --

spelling the word 'detials' won't scare many people off either ;)

Matthew:

So I don't know which is worse, the code, or the grammatical error? I really wish the developer could give me some more "detials" about the attempt.

Well, obviously, it's a Detial of Service.

My condolences to the poor shmuck who has to maintain this after this kid's gone.

Yasd:

isnt the real WTF
"if InjectionFound = false then"
instead of
"if InjectionFound == false then" ?!

Not in classic ASP / VB :)

Let me be the first one to say
%44%52%4F%50%20TABLE Articles;
and hope for the best...

TRWTF is that the underestimated the power of the almighty capital letter !

DELETE will go through....

Back when I was working on the 'The Beast' http://thedailywtf.com/Articles/The-Beast.aspx

We had an interesting injection attack hole... There was some document processing code that sucked in word files, pulled them it to bits and shoved it all into the database.

Unfortunately this was all done with in-line SQL, and we found a nice injection attack where a user could send their CV into an Agency and when our organization processed it off-line, if a user happened to write 'DROP TABLE ...', at the end of a particular section in their CV there would have been a few problems...

Worse, it was mainly IT job agencies that used our CV processing engine... (If there was a group of people likely to try that)

Anyhow, before someone beats me to it

Little Bobby Tables
http://xkcd.com/327/

Alex H.:

TRWTF is that the underestimated the power of the almighty capital letter !

DELETE will go through....

I'm pretty sure InStr in VBScript (and other VB flavours) doesn't care about case (though it's been a while since I used it). As a rule of thumb you're best off assuming VB doesn't care about anything

'delete * from articles

') DELETE FROM Articles --

Alex H.:

TRWTF is that the underestimated the power of the almighty capital letter !

DELETE will go through....

That's OK, the original h@xx0r^Wdeveloper only used lowercase, so obviously everyone else must also only use lowercase. And, apart from the binary comparison so it is case sensitive (giving you 15 different ways to DrOp (or Drop, or drOP) something, but it will also report a hack attempt if the QueryString is zero length. I hope this code isn't used on every page in the site...

James M:

Alex H.:

TRWTF is that the underestimated the power of the almighty capital letter !

DELETE will go through....

I'm pretty sure InStr in VBScript (and other VB flavours) doesn't care about case (though it's been a while since I used it). As a rule of thumb you're best off assuming VB doesn't care about anything

InStr automatically assumes a binary comparison, so is case sensitive by default; but even if it wasn't, InStr(1,Request.QueryString,idx(i),0) specifies a binary search (it would be 1 for a textual comparison) so the coder in this example was clearly only concerned about people trying to hack in lowercase. Perhaps he had taken a back-hander from some powerful UPPER-CASE hackers?

') DELETE FROM Articles WHERE Author_Name = 'Jake Vinson' --

Ah, the unfortunate lives of people with names like little Bobby Tables.

');
DELETE FROM comments WHERE comment LIKE '%TRWTF%';

UPDATE comments
SET comment = SUBSTRING(comment,0,PATINDEX('CAPTCHA', comment)-1)
WHERE PATINDEX('CAPTCHA', comment) > 0;
--

So that's where Micheal Bolton went after his singing career died...

"select%20|delete%20|update%20|insert%20|create%20|alter%20|drop%20|truncate%20|sp_"

I wonder how this can help. Or, what would happen to the following post?

"For last year'selection I created a new slogan which altered the way we look at things. Many people inserted and dropped their votes in the containers. Before we can delete them we have to update the results..."

sqlArray = "brillant%20|paula%20bean|wooden%20table|lolcat%20|got%20the%20monkey|plz%20send%20me%20teh%20codz"

idx = Split(sqlArray, "|")

InjectionFound = false

For i = 0 to UBound(idx)

    pos = InStr(1,Request.QueryString, idx(i), 0)

    if pos <> 0 then

        InjectionFound = true          

        Exit For

    End If

Next



If InjectionFound Then 

    strContents =  "Someone is trying to inject humor into the Site." & "<br><br>"

    '...etc...

') DELETE FROM Articles WHERE text='\') DELETE FROM Articles --' --

Where to begin...

sqlArray = "select%20|delete%20|update%20|insert%20|create%20|alter%20|drop%20|truncate%20|sp_"

idx = split(sqlArray,"|")

As was pointed out, if whitespace characters other than space are used then injection can squeeze by (the whitespace has nothing to do with the keyword and shouldn't be checked). Also, even if it would work with just a space character, the space character would be redundantly stored in each "element". Also, sqlArray is actually a string, not an array; doesn't appear to be used in string format and therefore wastes instructions converting. I don't see any meaning in the identifier name idx... :-/

Also, and obviously less serious, [one of] the author[s] wrote in lower-case for a language that, while case-insensitive, is generally camel-cased for consistency and clarity. (i.e. "split" should be "Split", IMO). That goes for keywords and built in functions throughout the code (For, To, UBound, If, Then, True, Exit, Else, False, End, Next).

pos=InStr(1,Request.QueryString,idx(i),0)

Here we have the use of a literal instead of a built-in constant (vbBinaryCompare). Also, using vbBinaryCompare instead of vbTextCompare makes the search case-sensitive, meaning that "Select ", "SELECT ", "seLect ", etc., won't be caught. Obviously, we also have the obvious, and previously pointed out, fact that keywords are assumed to mean injection, when in reality they are valid words in many fields...

else

    InjectionFound = false

Unnecessary operation. InjectionFound should already be false anytime this code executes.

I think the most reliable way to prevent SQL injection from VBScript is to convert all integral data types to numeric data and escape all single-quotes (replace each single-quote with two)(assuming the DBMS is SQL Server). Of course, the better approach is to use stored procedures and parameters.

Yasd:

isnt the real WTF
"if InjectionFound = false then"
instead of
"if InjectionFound == false then" ?!

If that wasn't a joke, the language in use (looks like ASP/VBScript) has no == operator. The = operator is used for assignment and comparison (context determines which). The language is another WTF. :)

xtremezone:

Yasd:

isnt the real WTF
"if InjectionFound = false then"
instead of
"if InjectionFound == false then" ?!

If that wasn't a joke, the language in use (looks like ASP/VBScript) has no == operator. The = operator is used for assignment and comparison (context determines which). The language is another WTF. :)

The Real WTF is that some people just can't leave this alone. It was dull years ago, it's duller now. Come on! Find a new stupid language WTF to gripe about. It's VB; there must be masses available...

') DELETE FROM Articles --

Geesh you tools. Forgetting semicolons much?

'); DELETE FROM Articles --

I'm sure that the commented-out alert is left over from some hasty runtime debugging.

Another Kevin:

so that's why my friend Bruce Waldrop couldn't use the site. Any why Judy O'Leary got a SQL error when she tried.

I'm Sean O'Leary, and my favorite thing to do when hitting a new site it so break it with my last name.

It's sad the number of sites that reject it. Most things that take a payment get all uppity.

Sean.

I was once working on a site that was a windows based apache/PHP. It has a down loader script where the file called to be downloaded was passed though a GET var.

You could call

http://www.blah.com/download.php?filename=C%3A%5CProgram%20Files%5CApache%20Group%5CApache2%5Cconf%5Chttpd.conf

To get the location of all of the web sites, then download the source of the files contained within them. If you *really* wanted to. You could start downloading the data folder from mySQL or MSSQL. I don't remember they DB type on the box...

'); DELETE FROM Articles WHERE Type = 'Mandatory Fun Day'--

'); DELETE FROM Articles; --

ClaudeSuck.de:

"select%20|delete%20|update%20|insert%20|create%20|alter%20|drop%20|truncate%20|sp_"

I wonder how this can help. Or, what would happen to the following post?

"For last year'selection I created a new slogan which altered the way we look at things. Many people inserted and dropped their votes in the containers. Before we can delete them we have to update the results..."

It wouldn't for all of them, the %20 is a space, the ones you did not include a space afterwards (all the ones you put inside of words, selection, created...) would not show up. Delete and Update WOULD have shown up, but you made them BOLD, so, your post would NOT have triggered it, despite all the SQL Keywords you used.

Trippy.

xtremezone:

Where to begin...
I don't see any meaning in the identifier name idx... :-/

I wonder if you're a native english speaker. "idx" can be short for "index".

You could debate whether or not "index" is a USEFUL identifier, but it's meaning is clear.

NippleBlockage:

xtremezone:

Where to begin...
I don't see any meaning in the identifier name idx... :-/

I wonder if you're a native english speaker. "idx" can be short for "index".

You could debate whether or not "index" is a USEFUL identifier, but it's meaning is clear.

...and I used "it's" instead of "its". I never said I was gooder with this english stuffs!

'); DELETE FROM Comments WHERE Type = 'Attempt to be witty in SQL'; --

Nothing to do with SQL injection, but I once found a little bug in a web-based email program I worked on (yes, it was my fault, I admit). No, this isn't one of the more widely used webmail apps ...

Although all our links and operations on the page used POSTs, I found that I could send an HTML-formatted email message with a couple of carefully crafted img tags, like this:
<img src="host/moveAll?src=INBOX&trgt=TRASH"/>
<img src="host/emptyTrash" />

Guess what that did.

More useful, I could do this:
<img src="host/addFwd?fwd=me@mycorp.com"/>

and all email would be forwarded to "me@mycorp.com"

The fix was easy, but it was scary that it took me a few months and couple of releases to the public before this occurred to me. Luckily not many people used the app.

'); UPDATE comments SET featured = 'Y' where user = 'dave'; --

Paul:

... I found that I could send an HTML-formatted email message with a couple of carefully crafted img tags, like this:
<img src="host/moveAll?src=INBOX&trgt=TRASH"/>
<img src="host/emptyTrash" />

Guess what that did.

More useful, I could do this:
<img src="host/addFwd?fwd=me@mycorp.com"/>

and all email would be forwarded to "me@mycorp.com"
...

Actually, I just remembered, you didn't need to include the host, so:
<img src="moveAll?src=INBOX&trgt=TRASH"/>
<img src="emptyTrash" />
<img src="addFwd?fwd=me@mycorp.com"/>

would work as "intended".