• Rik (unregistered)

    Maybe a better title for this article would be "Someone ISN't trying to hack the site".

    Maybe I could change it by doing some injections...

  • Scott (unregistered)

    Very similar to some recent code I cam across:

    Function SqlInjectionScan(strFilter) Dim objRegExp:Set objRegExp = New RegExp objRegExp.Global = True objRegExp.IgnoreCase = True

    ' exec\s
    ' xp_
    ' ;
    ' [^!]--[^>]
    ' /\*.*\*/
    ' \schar\(\w+\)
    ' ascii\('.+'\)
    ' -sp_password
    ' \s@@
    ' \smaster\.
    ' \ssysusers
    ' backup\sdatabase\s
    ' create\stable\s
    ' union\sall\s
    ' [0-9]+\s*[=<>!]{1,2}\s*[0-9]+
    ' '[^']*'\s*[=<>!]{1,2}\s*'[^']*'
    objRegExp.Pattern = "exec\s|xp_|;|[^!]--[^>]|/\*.*\*/|\schar\(\w+\)|ascii\('.+'\)|-sp_password|\s@@|\smaster\.|\ssysusers|backup\sdatabase\s|create\stable\s|union\sall\s|[0-9]+\s*[=<>!]{1,2}\s*[0-9]+|'[^']*'\s*[=<>!]{1,2}\s*'[^']*'"
    If objRegExp.Test(strFilter) Then
          Dim strSqlInjectionLog:strSqlInjectionLog = Trim(a_objCpSiteProperties.Item("Sql Injection Log"))
            'Response.Write "<BR />--------------------------SqlInjectionScan--------------------------<BR />"
         If strSqlInjectionLog = "0" Then
         Else
            Dim strRemote_Address:strRemote_Address = Request.ServerVariables("REMOTE_ADDR")
            Dim objFso:Set objFso = CreateObject("Scripting.FileSystemObject")
            Dim objFile:Set objFile = objFso.OpenTextFile(Server.MapPath("\Media\SqlInjectionScan.txt"), 8, True)
           
            If strSqlInjectionLog =  "1" Then
               objFile.WriteLine Now() & vbTab & strRemote_Address & vbTab & Request.ServerVariables("SERVER_NAME") & vbTab & _
                   Request.ServerVariables("URL") & vbTab & Request.ServerVariables("QUERY_STRING") & vbTab & strFilter
            Else
               If inStr(1, strSqlInjectionLog, strRemote_Address) = 0 Then
                  objFile.WriteLine Now() & vbTab & strRemote_Address & vbTab & Request.ServerVariables("SERVER_NAME") & vbTab & _
                     Request.ServerVariables("URL") & vbTab & Request.ServerVariables("QUERY_STRING") & vbTab & strFilter                  
               End If
            End If
            objFile.Close
            Set objFile = Nothing
            Set objFso = Nothing
        End If
       
        strFilter = "ModuleSID = ''"
    End If
    
    Set objRegExp = Nothing
    SqlInjectionScan = strFilter
    

    End Function

    Parameterized queries? Nah, we'll just "scrub" the input.

  • jamface (unregistered)

    If you're seriously worrying about sql injection, you are the WTF. If your framework doesn't have a decent ORM to do a lot of the SQL for you, you should at least be using bound parameters.

  • Another Kevin (unregistered)

    so that's why my friend Bruce Waldrop couldn't use the site. Any why Judy O'Leary got a SQL error when she tried.

    CAPTCHA: abico - what's with all the Latin, anyway?

  • me (unregistered)

    Okay, so every time someone puts in a comment with select or alter or insert in the text, you're getting email? Cool, self DOS! And bonus points for thinking that commented out debugging code is a WTF issue. It's not. It's good practice for future maintainers.

  • Tirinoarim (unregistered) in reply to Another Kevin

    Geez, its a good job you cant use a tab character in SQL...

  • Rory Fitzpatrick (unregistered)

    Its a wonder they didn't just dump strContents into the database instead of an email...

  • Matthew (unregistered)

    So I don't know which is worse, the code, or the grammatical error? I really wish the developer could give me some more "detials" about the attempt.

  • Andreas (unregistered)

    ') DELETE FROM Articles --

  • Shinhan (unregistered)

    ') DELETE FROM Articles WHERE Author_Name <> 'Jake Vinson' --

  • (cs)

    This attitude seems to bite a lot of developers who are learning about security vulnerabilities for the first time. Since a lot of them consider themselves ex-h4x0rZ turned legit, they get a charge out of trying to "nail" the "hackers". Even though they barely understand how the "hacks" work and their "hacking" experience was limited to typing IP addresses into WinNuke.

  • Yasd (unregistered)

    isnt the real WTF "if InjectionFound = false then" instead of "if InjectionFound == false then" ?!

  • (cs) in reply to Yasd
    Yasd:
    isnt the real WTF "if InjectionFound = false then" instead of "if InjectionFound == false then" ?!
    Only if you're one of those people who thinks an equals signs *does* something. This code is fairly obviously vbscript (although it's all in lower case which would confuse most programmers...) which means = is the equality operator as well as the assignment operator.
  • thedave (unregistered)

    ') DELETE FROM Articles --

  • Luke (unregistered)

    spelling the word 'detials' won't scare many people off either ;)

  • (cs) in reply to Matthew
    Matthew:
    So I don't know which is worse, the code, or the grammatical error? I really wish the developer could give me some more "detials" about the attempt.
    Well, obviously, it's a Detial of Service.
  • (cs)

    My condolences to the poor shmuck who has to maintain this after this kid's gone.

  • (cs) in reply to Yasd
    Yasd:
    isnt the real WTF "if InjectionFound = false then" instead of "if InjectionFound == false then" ?!
    Not in classic ASP / VB :)
  • (cs)

    Let me be the first one to say %44%52%4F%50%20TABLE Articles; and hope for the best...

  • tragomaskhalos (unregistered)

    "Some one (sic) is trying to Hack the Site, conveniently using lowercase SQL"

  • Alex H. (unregistered)

    TRWTF is that the underestimated the power of the almighty capital letter !

    DELETE will go through....

  • (cs) in reply to Luke

    Back when I was working on the 'The Beast' http://thedailywtf.com/Articles/The-Beast.aspx

    We had an interesting injection attack hole... There was some document processing code that sucked in word files, pulled them it to bits and shoved it all into the database.

    Unfortunately this was all done with in-line SQL, and we found a nice injection attack where a user could send their CV into an Agency and when our organization processed it off-line, if a user happened to write 'DROP TABLE ...', at the end of a particular section in their CV there would have been a few problems...

    Worse, it was mainly IT job agencies that used our CV processing engine... (If there was a group of people likely to try that)

    Anyhow, before someone beats me to it

    Little Bobby Tables http://xkcd.com/327/

  • James M (unregistered) in reply to Alex H.
    Alex H.:
    TRWTF is that the underestimated the power of the almighty capital letter !

    DELETE will go through....

    I'm pretty sure InStr in VBScript (and other VB flavours) doesn't care about case (though it's been a while since I used it). As a rule of thumb you're best off assuming VB doesn't care about anything

  • Hacker, lol (unregistered)

    'delete * from articles

  • Poor Hacker, lol (unregistered)

    ') DELETE FROM Articles --

  • (cs) in reply to Alex H.
    Alex H.:
    TRWTF is that the underestimated the power of the almighty capital letter !

    DELETE will go through....

    That's OK, the original h@xx0r^Wdeveloper only used lowercase, so obviously everyone else must also only use lowercase. And, apart from the binary comparison so it is case sensitive (giving you 15 different ways to DrOp (or Drop, or drOP) something, but it will also report a hack attempt if the QueryString is zero length. I hope this code isn't used on every page in the site...

  • (cs) in reply to James M
    James M:
    Alex H.:
    TRWTF is that the underestimated the power of the almighty capital letter !

    DELETE will go through....

    I'm pretty sure InStr in VBScript (and other VB flavours) doesn't care about case (though it's been a while since I used it). As a rule of thumb you're best off assuming VB doesn't care about anything

    InStr automatically assumes a binary comparison, so is case sensitive by default; but even if it wasn't, InStr(1,Request.QueryString,idx(i),0) specifies a binary search (it would be 1 for a textual comparison) so the coder in this example was clearly only concerned about people trying to hack in lowercase. Perhaps he had taken a back-hander from some powerful UPPER-CASE hackers?

  • Anon (unregistered)

    ') DELETE FROM Articles WHERE Author_Name = 'Jake Vinson' --

  • NewbiusMaximus (unregistered) in reply to Another Kevin

    Ah, the unfortunate lives of people with names like little Bobby Tables.

  • 1337 hax0r (unregistered)

    '); DELETE FROM comments WHERE comment LIKE '%TRWTF%';

    UPDATE comments SET comment = SUBSTRING(comment,0,PATINDEX('CAPTCHA', comment)-1) WHERE PATINDEX('CAPTCHA', comment) > 0;

  • (cs)

    So that's where Micheal Bolton went after his singing career died...

  • ClaudeSuck.de (unregistered)

    "select%20|delete%20|update%20|insert%20|create%20|alter%20|drop%20|truncate%20|sp_"

    I wonder how this can help. Or, what would happen to the following post?

    "For last year'selection I created a new slogan which altered the way we look at things. Many people inserted and dropped their votes in the containers. Before we can delete them we have to update the results..."

  • (cs)
    sqlArray = "brillant%20|paula%20bean|wooden%20table|lolcat%20|got%20the%20monkey|plz%20send%20me%20teh%20codz"
    idx = Split(sqlArray, "|")
    InjectionFound = false
    For i = 0 to UBound(idx)
        pos = InStr(1,Request.QueryString, idx(i), 0)
        if pos <> 0 then
            InjectionFound = true          
            Exit For
        End If
    Next
    
    If InjectionFound Then 
        strContents =  "Someone is trying to inject humor into the Site." & "

    " '...etc...
  • (cs) in reply to Poor Hacker, lol

    ') DELETE FROM Articles WHERE text='') DELETE FROM Articles --' --

  • (cs)

    Where to begin...

    sqlArray = "select%20|delete%20|update%20|insert%20|create%20|alter%20|drop%20|truncate%20|sp_"
    idx = split(sqlArray,"|")

    As was pointed out, if whitespace characters other than space are used then injection can squeeze by (the whitespace has nothing to do with the keyword and shouldn't be checked). Also, even if it would work with just a space character, the space character would be redundantly stored in each "element". Also, sqlArray is actually a string, not an array; doesn't appear to be used in string format and therefore wastes instructions converting. I don't see any meaning in the identifier name idx... :-/

    Also, and obviously less serious, [one of] the author[s] wrote in lower-case for a language that, while case-insensitive, is generally camel-cased for consistency and clarity. (i.e. "split" should be "Split", IMO). That goes for keywords and built in functions throughout the code (For, To, UBound, If, Then, True, Exit, Else, False, End, Next).

    pos=InStr(1,Request.QueryString,idx(i),0)

    Here we have the use of a literal instead of a built-in constant (vbBinaryCompare). Also, using vbBinaryCompare instead of vbTextCompare makes the search case-sensitive, meaning that "Select ", "SELECT ", "seLect ", etc., won't be caught. Obviously, we also have the obvious, and previously pointed out, fact that keywords are assumed to mean injection, when in reality they are valid words in many fields...

    else
        InjectionFound = false

    Unnecessary operation. InjectionFound should already be false anytime this code executes.

    I think the most reliable way to prevent SQL injection from VBScript is to convert all integral data types to numeric data and escape all single-quotes (replace each single-quote with two)(assuming the DBMS is SQL Server). Of course, the better approach is to use stored procedures and parameters.

    Yasd:
    isnt the real WTF "if InjectionFound = false then" instead of "if InjectionFound == false then" ?!
    If that wasn't a joke, the language in use (looks like ASP/VBScript) has no == operator. The = operator is used for assignment and comparison (context determines which). The language is another WTF. :)
  • (cs) in reply to xtremezone
    xtremezone:
    Yasd:
    isnt the real WTF "if InjectionFound = false then" instead of "if InjectionFound == false then" ?!
    If that wasn't a joke, the language in use (looks like ASP/VBScript) has no == operator. The = operator is used for assignment and comparison (context determines which). The language is another WTF. :)
    The Real WTF is that some people just can't leave this alone. It was dull years ago, it's duller now. Come on! Find a new stupid language WTF to gripe about. It's VB; there must be masses available...
  • Stu (unregistered) in reply to tragomaskhalos

    ') DELETE FROM Articles --

  • Anonymous (unregistered) in reply to Stu

    Geesh you tools. Forgetting semicolons much?

    '); DELETE FROM Articles --

  • Tim (unregistered)

    I'm sure that the commented-out alert is left over from some hasty runtime debugging.

  • Sean O'Leary (unregistered) in reply to Another Kevin
    Another Kevin:
    so that's why my friend Bruce Waldrop couldn't use the site. Any why Judy O'Leary got a SQL error when she tried.

    I'm Sean O'Leary, and my favorite thing to do when hitting a new site it so break it with my last name.

    It's sad the number of sites that reject it. Most things that take a payment get all uppity.

    Sean.

  • tation (unregistered)

    I was once working on a site that was a windows based apache/PHP. It has a down loader script where the file called to be downloaded was passed though a GET var.

    You could call

    http://www.blah.com/download.php?filename=C%3A%5CProgram%20Files%5CApache%20Group%5CApache2%5Cconf%5Chttpd.conf

    To get the location of all of the web sites, then download the source of the files contained within them. If you really wanted to. You could start downloading the data folder from mySQL or MSSQL. I don't remember they DB type on the box...

  • i win (unregistered)

    '); DELETE FROM Articles WHERE Type = 'Mandatory Fun Day'--

  • '); DELETE FROM Articles; -- (unregistered) in reply to i win

    '); DELETE FROM Articles; --

  • (cs) in reply to ClaudeSuck.de
    ClaudeSuck.de:
    "select%20|delete%20|update%20|insert%20|create%20|alter%20|drop%20|truncate%20|sp_"

    I wonder how this can help. Or, what would happen to the following post?

    "For last year'selection I created a new slogan which altered the way we look at things. Many people inserted and dropped their votes in the containers. Before we can delete them we have to update the results..."

    It wouldn't for all of them, the %20 is a space, the ones you did not include a space afterwards (all the ones you put inside of words, selection, created...) would not show up. Delete and Update WOULD have shown up, but you made them BOLD, so, your post would NOT have triggered it, despite all the SQL Keywords you used.

    Trippy.

  • NippleBlockage (unregistered) in reply to xtremezone
    xtremezone:
    Where to begin... I don't see any meaning in the identifier name idx... :-/

    I wonder if you're a native english speaker. "idx" can be short for "index".

    You could debate whether or not "index" is a USEFUL identifier, but it's meaning is clear.

  • NippleBlockage (unregistered) in reply to NippleBlockage
    NippleBlockage:
    xtremezone:
    Where to begin... I don't see any meaning in the identifier name idx... :-/

    I wonder if you're a native english speaker. "idx" can be short for "index".

    You could debate whether or not "index" is a USEFUL identifier, but it's meaning is clear.

    ...and I used "it's" instead of "its". I never said I was gooder with this english stuffs!

  • DXN (unregistered)

    '); DELETE FROM Comments WHERE Type = 'Attempt to be witty in SQL'; --

  • Paul (unregistered)

    Nothing to do with SQL injection, but I once found a little bug in a web-based email program I worked on (yes, it was my fault, I admit). No, this isn't one of the more widely used webmail apps ...

    Although all our links and operations on the page used POSTs, I found that I could send an HTML-formatted email message with a couple of carefully crafted img tags, like this: [image] [image]

    Guess what that did.

    More useful, I could do this: [image]

    and all email would be forwarded to "me@mycorp.com"

    The fix was easy, but it was scary that it took me a few months and couple of releases to the public before this occurred to me. Luckily not many people used the app.

  • dave (unregistered)

    '); UPDATE comments SET featured = 'Y' where user = 'dave'; --

  • Paul (unregistered) in reply to Paul
    Paul:
    ... I found that I could send an HTML-formatted email message with a couple of carefully crafted img tags, like this: [image] [image]

    Guess what that did.

    More useful, I could do this: [image]

    and all email would be forwarded to "me@mycorp.com" ...

    Actually, I just remembered, you didn't need to include the host, so: [image] [image] [image]

    would work as "intended".

Leave a comment on “Some one is trying to Hack the Site”

Log In or post as a guest

Replying to comment #:

« Return to Article