• Rik (unregistered)

    Maybe a better title for this article would be "Someone ISN'T trying to hack the site".

    Maybe I could change it by doing some injections...

  • jamface (unregistered)

    If you're seriously worrying about sql injection, you are the WTF. If your framework doesn't have a decent ORM to do a lot of the SQL for you, you should at least be using bound parameters.

  • Another Kevin (unregistered)

    so that's why my friend Bruce Waldrop couldn't use the site. And why Judy O'Leary got a SQL error when she tried.

    CAPTCHA: abico - what's with all the Latin, anyway?

  • me (unregistered)

    Okay, so every time someone puts in a comment with select or alter or insert in the text, you're getting email? Cool, self DOS! And bonus points for thinking that commented out debugging code is a WTF issue. It's not. It's good practice for future maintainers.

  • Tirinoarim (unregistered) in reply to Another Kevin

    Geez, it's a good job you can't use a tab character in SQL...

  • Rory Fitzpatrick (unregistered)

    It's a wonder they didn't just dump strContents into the database instead of an email...

  • Matthew (unregistered)

    So I don't know which is worse, the code, or the grammatical error? I really wish the developer could give me some more "detials" about the attempt.

  • Andreas (unregistered)

    ') DELETE FROM Articles --

  • Shinhan (unregistered)

    ') DELETE FROM Articles WHERE Author_Name <> 'Jake Vinson' --

  • Aaron (cs)

    This attitude seems to bite a lot of developers who are learning about security vulnerabilities for the first time. Since a lot of them consider themselves ex-h4x0rZ turned legit, they get a charge out of trying to "nail" the "hackers". Even though they barely understand how the "hacks" work and their "hacking" experience was limited to typing IP addresses into WinNuke.

  • Yasd (unregistered)

    isn't the real WTF "if InjectionFound = false then" instead of "if InjectionFound == false then" ?!

  • JimM (cs) in reply to Yasd
    Yasd:
    isn't the real WTF "if InjectionFound = false then" instead of "if InjectionFound == false then" ?!
    Only if you're one of those people who thinks an equals sign *does* something. This code is fairly obviously vbscript (although it's all in lower case which would confuse most programmers...) which means = is the equality operator as well as the assignment operator.
  • thedave (unregistered)

    ') DELETE FROM Articles --

  • Luke (unregistered)

    spelling the word 'detials' won't scare many people off either ;)

  • real_aardvark (cs) in reply to Matthew
    Matthew:
    So I don't know which is worse, the code, or the grammatical error? I really wish the developer could give me some more "detials" about the attempt.
    Well, obviously, it's a Detial of Service.
  • DOA (cs)

    My condolences to the poor shmuck who has to maintain this after this kid's gone.

  • StarLite (cs) in reply to Yasd
    Yasd:
    isn't the real WTF "if InjectionFound = false then" instead of "if InjectionFound == false then" ?!
    Not in classic ASP / VB :)
  • Sad Bug Killer (cs)

    Let me be the first one to say %44%52%4F%50%20TABLE Articles; and hope for the best...

  • tragomaskhalos (unregistered)

    "Some one (sic) is trying to Hack the Site, conveniently using lowercase SQL"

  • Alex H. (unregistered)

    TRWTF is that they underestimated the power of the almighty capital letter !

    DELETE will go through....

  • Grovesy (cs) in reply to Luke

    Back when I was working on the 'The Beast' http://thedailywtf.com/Articles/The-Beast.aspx

    We had an interesting injection attack hole... There was some document processing code that sucked in word files, pulled them into bits and shoved it all into the database.

    Unfortunately this was all done with in-line SQL, and we found a nice injection attack where a user could send their CV into an Agency and when our organization processed it off-line, if a user happened to write 'DROP TABLE ...', at the end of a particular section in their CV there would have been a few problems...

    Worse, it was mainly IT job agencies that used our CV processing engine... (If there was a group of people likely to try that)

    Anyhow, before someone beats me to it

    Little Bobby Tables http://xkcd.com/327/

  • James M (unregistered) in reply to Alex H.
    Alex H.:
    TRWTF is that they underestimated the power of the almighty capital letter !

    DELETE will go through....

    I'm pretty sure InStr in VBScript (and other VB flavours) doesn't care about case (though it's been a while since I used it). As a rule of thumb you're best off assuming VB doesn't care about anything

  • Hacker, lol (unregistered)

    'delete * from articles

  • Poor Hacker, lol (unregistered)

    ') DELETE FROM Articles --

  • JimM (cs) in reply to Alex H.
    Alex H.:
    TRWTF is that they underestimated the power of the almighty capital letter !

    DELETE will go through....

    That's OK, the original h@xx0r^Wdeveloper only used lowercase, so obviously everyone else must also only use lowercase. And, apart from the binary comparison making it case sensitive (giving you 15 different ways to DrOp (or Drop, or drOP) something), it will also report a hack attempt if the QueryString is zero length. I hope this code isn't used on every page in the site...

  • JimM (cs) in reply to James M
    James M:
    Alex H.:
    TRWTF is that they underestimated the power of the almighty capital letter !

    DELETE will go through....

    I'm pretty sure InStr in VBScript (and other VB flavours) doesn't care about case (though it's been a while since I used it). As a rule of thumb you're best off assuming VB doesn't care about anything

    InStr automatically assumes a binary comparison, so is case sensitive by default; but even if it wasn't, InStr(1,Request.QueryString,idx(i),0) specifies a binary search (it would be 1 for a textual comparison) so the coder in this example was clearly only concerned about people trying to hack in lowercase. Perhaps he had taken a back-hander from some powerful UPPER-CASE hackers?

  • Anon (unregistered)

    ') DELETE FROM Articles WHERE Author_Name = 'Jake Vinson' --

  • 1337 hax0r (unregistered)

    '); DELETE FROM comments WHERE comment LIKE '%TRWTF%';

    UPDATE comments SET comment = SUBSTRING(comment,0,PATINDEX('CAPTCHA', comment)-1) WHERE PATINDEX('CAPTCHA', comment) > 0;

  • BlueKnot (cs)

    So that's where Michael Bolton went after his singing career died...

  • ClaudeSuck.de (unregistered)

    "select%20|delete%20|update%20|insert%20|create%20|alter%20|drop%20|truncate%20|sp_"

    I wonder how this can help. Or, what would happen to the following post?

    "For last year'selection I created a new slogan which altered the way we look at things. Many people inserted and dropped their votes in the containers. Before we can delete them we have to update the results..."

  • FredSaw (cs)
    sqlArray = "brillant%20|paula%20bean|wooden%20table|lolcat%20|got%20the%20monkey|plz%20send%20me%20teh%20codz"
    idx = Split(sqlArray, "|")
    InjectionFound = false
    For i = 0 To UBound(idx)
        pos = InStr(1, Request.QueryString, idx(i), 0)
        If pos <> 0 Then
            InjectionFound = true
            Exit For
        End If
    Next

    If InjectionFound Then
        strContents = "Someone is trying to inject humor into the Site." '...etc...
    End If
  • mister (cs) in reply to Poor Hacker, lol

    ') DELETE FROM Articles WHERE text='') DELETE FROM Articles --' --

  • xtremezone (cs)

    Where to begin...

    sqlArray = "select%20|delete%20|update%20|insert%20|create%20|alter%20|drop%20|truncate%20|sp_"
    idx = split(sqlArray,"|")

    As was pointed out, if whitespace characters other than space are used then injection can squeeze by (the whitespace has nothing to do with the keyword and shouldn't be checked). Also, even if it would work with just a space character, the space character would be redundantly stored in each "element". Also, sqlArray is actually a string, not an array; doesn't appear to be used in string format and therefore wastes instructions converting. I don't see any meaning in the identifier name idx... :-/

    Also, and obviously less serious, [one of] the author[s] wrote in lower-case for a language that, while case-insensitive, is generally camel-cased for consistency and clarity. (i.e. "split" should be "Split", IMO). That goes for keywords and built in functions throughout the code (For, To, UBound, If, Then, True, Exit, Else, False, End, Next).

    pos=InStr(1,Request.QueryString,idx(i),0)

    Here we have the use of a literal instead of a built-in constant (vbBinaryCompare). Also, using vbBinaryCompare instead of vbTextCompare makes the search case-sensitive, meaning that "Select ", "SELECT ", "seLect ", etc., won't be caught. Obviously, we also have the obvious, and previously pointed out, fact that keywords are assumed to mean injection, when in reality they are valid words in many fields...

    else
        InjectionFound = false

    Unnecessary operation. InjectionFound should already be false anytime this code executes.

    I think the most reliable way to prevent SQL injection from VBScript is to convert all integral data types to numeric data and escape all single-quotes (replace each single-quote with two)(assuming the DBMS is SQL Server). Of course, the better approach is to use stored procedures and parameters.

    Yasd:
    isn't the real WTF "if InjectionFound = false then" instead of "if InjectionFound == false then" ?!
    If that wasn't a joke, the language in use (looks like ASP/VBScript) has no == operator. The = operator is used for assignment and comparison (context determines which). The language is another WTF. :)
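
The points raised above by xtremezone and JimM (case-sensitive binary compare, whitespace other than %20, keywords in ordinary prose) and by Another Kevin and Sean O'Leary (apostrophes in surnames), worked through as an added example that is not part of the thread or of the site's own code. The Python filter below is a stand-in for the quoted ASP logic; the Articles table, its rows and the sample query strings are all constructed here, and `urllib.parse.quote` stands in for the browser's URL-encoding.

```python
import sqlite3
from urllib.parse import quote

# Stand-in for the quoted classic-ASP filter: split the list on "|", keep the
# URL-encoded trailing space on each token, and test like InStr(..., vbBinaryCompare),
# i.e. a case-sensitive substring match against the raw, still-encoded QueryString.
SQL_ARRAY = "select%20|delete%20|update%20|insert%20|create%20|alter%20|drop%20|truncate%20|sp_"
IDX = SQL_ARRAY.split("|")

def injection_found(query_string: str) -> bool:
    """Case-sensitive substring check, exactly as the original code does it."""
    return any(token in query_string for token in IDX)

# Constructed inputs (not real requests) covering the thread's observations.
SAMPLES = {
    "lowercase":     quote("') delete from articles --"),     # flagged (true positive)
    "uppercase":     quote("') DELETE FROM Articles --"),     # missed: binary compare
    "tab_separated": quote("')\tdelete\tfrom articles"),      # missed: tab is %09, not %20
    "plain_english": quote("we have to update the results"),  # flagged: false positive
    "irish_surname": quote("Judy O'Leary"),                   # passes, yet breaks naive SQL
}

def filter_verdicts() -> dict:
    """Map each sample name to the blacklist's verdict."""
    return {name: injection_found(qs) for name, qs in SAMPLES.items()}

def _articles_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for the site's Articles table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Articles (Author_Name TEXT)")
    conn.executemany("INSERT INTO Articles VALUES (?)",
                     [("Jake Vinson",), ("Judy O'Leary",)])
    return conn

def naive_lookup(author: str):
    """String-concatenated SQL, the pattern the blacklist tries to defend.
    An apostrophe in the name ends the literal early and the query fails."""
    conn = _articles_db()
    try:
        return [r[0] for r in conn.execute(
            "SELECT Author_Name FROM Articles WHERE Author_Name = '" + author + "'")]
    except sqlite3.OperationalError:
        return None          # the "SQL error" Judy O'Leary saw
    finally:
        conn.close()

def bound_lookup(author: str) -> list:
    """Bound parameter: the value never becomes SQL text, so quotes and
    keywords are plain data and no keyword filter is needed at all."""
    conn = _articles_db()
    try:
        return [r[0] for r in conn.execute(
            "SELECT Author_Name FROM Articles WHERE Author_Name = ?", (author,))]
    finally:
        conn.close()
```

Running `filter_verdicts()` shows the blacklist both missing the uppercase and tab-separated variants and rejecting an ordinary English sentence, while `bound_lookup` returns Judy O'Leary's row where `naive_lookup` returns an error.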
  • dkf (cs) in reply to xtremezone
    xtremezone:
    Yasd:
    isn't the real WTF "if InjectionFound = false then" instead of "if InjectionFound == false then" ?!
    If that wasn't a joke, the language in use (looks like ASP/VBScript) has no == operator. The = operator is used for assignment and comparison (context determines which). The language is another WTF. :)
    The Real WTF is that some people just can't leave this alone. It was dull years ago, it's duller now. Come on! Find a new stupid language WTF to gripe about. It's VB; there must be masses available...
  • Stu (unregistered) in reply to tragomaskhalos

    ') DELETE FROM Articles --

  • Anonymous (unregistered) in reply to Stu

    Geesh you tools. Forgetting semicolons much?

    '); DELETE FROM Articles --

  • Tim (unregistered)

    I'm sure that the commented-out alert is left over from some hasty runtime debugging.

  • Sean O'Leary (unregistered) in reply to Another Kevin
    Another Kevin:
    so that's why my friend Bruce Waldrop couldn't use the site. And why Judy O'Leary got a SQL error when she tried.

    I'm Sean O'Leary, and my favorite thing to do when hitting a new site is to break it with my last name.

    It's sad the number of sites that reject it. Most things that take a payment get all uppity.

    Sean.

  • i win (unregistered)

    '); DELETE FROM Articles WHERE Type = 'Mandatory Fun Day'--

  • '); DELETE FROM Articles; -- (unregistered) in reply to i win

    '); DELETE FROM Articles; --

  • NaN (cs) in reply to ClaudeSuck.de
    ClaudeSuck.de:
    "select%20|delete%20|update%20|insert%20|create%20|alter%20|drop%20|truncate%20|sp_"

    I wonder how this can help. Or, what would happen to the following post?

    "For last year'selection I created a new slogan which altered the way we look at things. Many people inserted and dropped their votes in the containers. Before we can delete them we have to update the results..."

    It wouldn't for all of them, the %20 is a space, the ones where you did not include a space afterwards (all the ones you put inside of words, selection, created...) would not show up. Delete and Update WOULD have shown up, but you made them BOLD, so, your post would NOT have triggered it, despite all the SQL Keywords you used.

    Trippy.

  • NippleBlockage (unregistered) in reply to xtremezone
    xtremezone:
    Where to begin... I don't see any meaning in the identifier name idx... :-/

    I wonder if you're a native english speaker. "idx" can be short for "index".

    You could debate whether or not "index" is a USEFUL identifier, but it's meaning is clear.

  • NippleBlockage (unregistered) in reply to NippleBlockage
    NippleBlockage:
    xtremezone:
    Where to begin... I don't see any meaning in the identifier name idx... :-/

    I wonder if you're a native english speaker. "idx" can be short for "index".

    You could debate whether or not "index" is a USEFUL identifier, but it's meaning is clear.

    ...and I used "it's" instead of "its". I never said I was gooder with this english stuffs!

  • DXN (unregistered)

    '); DELETE FROM Comments WHERE Type = 'Attempt to be witty in SQL'; --

  • dave (unregistered)

    '); UPDATE comments SET featured = 'Y' where user = 'dave'; --
