Admin
Maybe a better title for this article would be "Someone ISN't trying to hack the site".
Maybe I could change it by doing some injections...
Admin
Very similar to some recent code I came across:
Function SqlInjectionScan(strFilter)
    Dim objRegExp: Set objRegExp = New RegExp
    objRegExp.Global = True
    objRegExp.IgnoreCase = True
End Function
Parameterized queries? Nah, we'll just "scrub" the input.
Admin
If you're seriously worrying about sql injection, you are the WTF. If your framework doesn't have a decent ORM to do a lot of the SQL for you, you should at least be using bound parameters.
Admin
so that's why my friend Bruce Waldrop couldn't use the site. And why Judy O'Leary got a SQL error when she tried.
CAPTCHA: abico - what's with all the Latin, anyway?
Admin
Okay, so every time someone puts in a comment with select or alter or insert in the text, you're getting email? Cool, self DOS! And bonus points for thinking that commented out debugging code is a WTF issue. It's not. It's good practice for future maintainers.
Admin
Geez, it's a good job you can't use a tab character in SQL...
Admin
It's a wonder they didn't just dump strContents into the database instead of an email...
Admin
So I don't know which is worse, the code, or the grammatical error? I really wish the developer could give me some more "detials" about the attempt.
Admin
') DELETE FROM Articles --
Admin
') DELETE FROM Articles WHERE Author_Name <> 'Jake Vinson' --
Admin
This attitude seems to bite a lot of developers who are learning about security vulnerabilities for the first time. Since a lot of them consider themselves ex-h4x0rZ turned legit, they get a charge out of trying to "nail" the "hackers". Even though they barely understand how the "hacks" work and their "hacking" experience was limited to typing IP addresses into WinNuke.
Admin
Isn't the real WTF "if InjectionFound = false then" instead of "if InjectionFound == false then"?!
Admin
') DELETE FROM Articles --
Admin
spelling the word 'detials' won't scare many people off either ;)
Admin
My condolences to the poor shmuck who has to maintain this after this kid's gone.
Admin
Let me be the first one to say %44%52%4F%50%20TABLE Articles; and hope for the best...
Admin
"Some one (sic) is trying to Hack the Site, conveniently using lowercase SQL"
Admin
TRWTF is that they underestimated the power of the almighty capital letter!
DELETE will go through....
Admin
Back when I was working on the 'The Beast' http://thedailywtf.com/Articles/The-Beast.aspx
We had an interesting injection attack hole... There was some document processing code that sucked in Word files, pulled them to bits and shoved it all into the database.
Unfortunately this was all done with in-line SQL, and we found a nice injection attack where a user could send their CV into an Agency and when our organization processed it off-line, if a user happened to write 'DROP TABLE ...', at the end of a particular section in their CV there would have been a few problems...
Worse, it was mainly IT job agencies that used our CV processing engine... (If there was a group of people likely to try that)
Anyhow, before someone beats me to it
Little Bobby Tables http://xkcd.com/327/
Admin
I'm pretty sure InStr in VBScript (and other VB flavours) doesn't care about case (though it's been a while since I used it). As a rule of thumb you're best off assuming VB doesn't care about anything
Admin
'delete * from articles
Admin
') DELETE FROM Articles --
Admin
') DELETE FROM Articles WHERE Author_Name = 'Jake Vinson' --
Admin
Ah, the unfortunate lives of people with names like little Bobby Tables.
Admin
'); DELETE FROM comments WHERE comment LIKE '%TRWTF%';
UPDATE comments SET comment = SUBSTRING(comment,0,PATINDEX('CAPTCHA', comment)-1) WHERE PATINDEX('CAPTCHA', comment) > 0;
Admin
So that's where Michael Bolton went after his singing career died...
Admin
"select%20|delete%20|update%20|insert%20|create%20|alter%20|drop%20|truncate%20|sp_"
I wonder how this can help. Or, what would happen to the following post?
"For last year'selection I created a new slogan which altered the way we look at things. Many people inserted and dropped their votes in the containers. Before we can delete them we have to update the results..."
Admin
sqlArray = "brillant%20|paula%20bean|wooden%20table|lolcat%20|got%20the%20monkey|plz%20send%20me%20teh%20codz"
idx = Split(sqlArray, "|")
InjectionFound = false
For i = 0 to UBound(idx)
    pos = InStr(1, Request.QueryString, idx(i), 0)
    if pos <> 0 then
        InjectionFound = true
        Exit For
    End If
Next
If InjectionFound Then
    strContents = "Someone is trying to inject humor into the Site." & "<br>"
    '...etc...
Admin
') DELETE FROM Articles WHERE text='') DELETE FROM Articles --' --
Admin
Where to begin...
sqlArray = "select%20|delete%20|update%20|insert%20|create%20|alter%20|drop%20|truncate%20|sp_"
idx = split(sqlArray,"|")
As was pointed out, if whitespace characters other than space are used then injection can squeeze by (the whitespace has nothing to do with the keyword and shouldn't be checked). Also, even if it would work with just a space character, the space character would be redundantly stored in each "element". Also, sqlArray is actually a string, not an array; doesn't appear to be used in string format and therefore wastes instructions converting. I don't see any meaning in the identifier name idx... :-/
Also, and obviously less serious, [one of] the author[s] wrote in lower-case for a language that, while case-insensitive, is generally camel-cased for consistency and clarity. (i.e. "split" should be "Split", IMO). That goes for keywords and built in functions throughout the code (For, To, UBound, If, Then, True, Exit, Else, False, End, Next).
Here we have the use of a literal instead of a built-in constant (vbBinaryCompare). Also, using vbBinaryCompare instead of vbTextCompare makes the search case-sensitive, meaning that "Select ", "SELECT ", "seLect ", etc., won't be caught. Obviously, we also have the obvious, and previously pointed out, fact that keywords are assumed to mean injection, when in reality they are valid words in many fields...
Unnecessary operation. InjectionFound should already be false anytime this code executes.
I think the most reliable way to prevent SQL injection from VBScript is to convert all integral data types to numeric data and escape all single-quotes (replace each single-quote with two)(assuming the DBMS is SQL Server). Of course, the better approach is to use stored procedures and parameters.
If that wasn't a joke, the language in use (looks like ASP/VBScript) has no == operator. The = operator is used for assignment and comparison (context determines which). The language is another WTF. :)
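Editor's note: the thread above makes four separate points about the keyword filter (whitespace other than a space, vbBinaryCompare being case-sensitive, keywords being ordinary words, and the percent-encoded-letters trick from earlier in the thread) and then recommends bound parameters, and an earlier comment mentions that Judy O'Leary's name alone produced a SQL error. The Python below is an added illustration, not code from the original article or any commenter: it ports the exact pattern list to Python, checks each of those claims against it, and puts a concatenated query next to a parameterized one on an in-memory SQLite table. The Articles table and Author_Name column are constructed for the demo (the names appear in the thread's joke payloads).

```python
"""Python port of the blacklist the thread dissects, beside a bound-parameter query.

Added illustration for this discussion; not the original ASP/VBScript.
"""
import sqlite3
import urllib.parse

# Pattern list exactly as quoted in the thread, trailing "%20" included.
SQL_ARRAY = "select%20|delete%20|update%20|insert%20|create%20|alter%20|drop%20|truncate%20|sp_"
PATTERNS = SQL_ARRAY.split("|")


def injection_found(raw_query_string: str) -> bool:
    """Faithful port of the loop: InStr(..., 0) is vbBinaryCompare, i.e.
    case-sensitive, and it scans the still-percent-encoded query string, so
    only a lowercase keyword followed by a literal '%20' is ever matched."""
    return any(p in raw_query_string for p in PATTERNS)


def injection_found_text_compare(raw_query_string: str) -> bool:
    """What vbTextCompare (compare argument 1) would have given: case-insensitive,
    but still tied to a literal '%20' and still blind to percent-encoded letters."""
    lowered = raw_query_string.lower()
    return any(p in lowered for p in PATTERNS)


def unsafe_query(author_name: str) -> str:
    """The string concatenation the filter was meant to protect (constructed schema)."""
    return "SELECT id FROM Articles WHERE Author_Name = '" + author_name + "'"


def lookup_articles_safely(conn: sqlite3.Connection, author_name: str) -> list:
    """Bound parameter: the name travels as data and is never parsed as SQL,
    so apostrophes, keywords and encodings in it are all irrelevant."""
    cur = conn.execute("SELECT id FROM Articles WHERE Author_Name = ?", (author_name,))
    return [row[0] for row in cur.fetchall()]


def make_db() -> sqlite3.Connection:
    """Constructed sample table for the demo."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Articles (id INTEGER PRIMARY KEY, Author_Name TEXT)")
    conn.executemany("INSERT INTO Articles (Author_Name) VALUES (?)",
                     [("Judy O'Leary",), ("Jake Vinson",)])
    conn.commit()
    return conn


def demo() -> dict:
    results = {}
    # 1. False positive: a benign sentence from the thread, encoded the way a browser sends it.
    benign = urllib.parse.quote("before we can delete them we have to update the results")
    results["benign_flagged"] = injection_found(benign)
    # 2. Case: the same keyword in uppercase is invisible to vbBinaryCompare...
    upper = urllib.parse.quote("DELETE FROM Articles")
    results["uppercase_flagged"] = injection_found(upper)
    # ...and would have been caught with vbTextCompare.
    results["uppercase_flagged_textcompare"] = injection_found_text_compare(upper)
    # 3. Whitespace: a tab arrives as %09, not %20, so the pattern never matches.
    results["tab_flagged"] = injection_found(urllib.parse.quote("delete\tfrom Articles"))
    # 4. Percent-encoded letters, as posted earlier in the thread.
    results["encoded_flagged"] = injection_found("%44%52%4F%50%20TABLE%20Articles")
    # 5. A legitimate apostrophe breaks the concatenated query...
    conn = make_db()
    try:
        conn.execute(unsafe_query("Judy O'Leary"))
        results["concat_error"] = False
    except sqlite3.OperationalError:
        results["concat_error"] = True
    # ...while the bound parameter simply finds the row.
    results["param_rows"] = lookup_articles_safely(conn, "Judy O'Leary")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The filter flags the harmless sentence and misses the three variants the thread names, which is the general shape of every keyword blacklist: it is measured against the wrong thing (the query string) instead of fixing the actual defect (data being parsed as code). The bound-parameter lookup needs no blacklist at all and also handles the O'Leary case.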
Admin
') DELETE FROM Articles --
Admin
Geesh you tools. Forgetting semicolons much?
'); DELETE FROM Articles --
Admin
I'm sure that the commented-out alert is left over from some hasty runtime debugging.
Admin
I'm Sean O'Leary, and my favorite thing to do when hitting a new site is to break it with my last name.
It's sad the number of sites that reject it. Most things that take a payment get all uppity.
Sean.
Admin
I was once working on a site that was a Windows-based Apache/PHP. It had a downloader script where the file to be downloaded was passed through a GET var.
You could call
http://www.blah.com/download.php?filename=C%3A%5CProgram%20Files%5CApache%20Group%5CApache2%5Cconf%5Chttpd.conf
To get the location of all of the web sites, then download the source of the files contained within them. If you really wanted to, you could start downloading the data folder from MySQL or MSSQL. I don't remember the DB type on the box...
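Editor's note: the download script described above served whatever path the filename parameter named. The fix is not a blacklist of characters but a containment check: canonicalize the requested path under the download directory and refuse anything that resolves outside it. The Python below is an added example, not the PHP from the poster's site; the download directory, the sample files and the query strings are constructed for the demo (the last one is the encoded httpd.conf path quoted in the post).

```python
"""Containment check for a file-download handler.

Added example for this discussion; not the original PHP downloader.
"""
import os
import tempfile
import urllib.parse


def resolve_download(base_dir: str, requested: str):
    """Return the absolute path to serve, or None if the request escapes base_dir.

    realpath() collapses '..' and symlinks, and an absolute 'requested' makes
    os.path.join discard base_dir, so a single prefix comparison of the
    canonical paths covers traversal, absolute paths and symlink escapes."""
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, requested))
    try:
        if os.path.commonpath([base, candidate]) != base:
            return None
    except ValueError:  # e.g. different drives on Windows
        return None
    if not os.path.isfile(candidate):
        return None
    return candidate


def handle_download(base_dir: str, query_string: str):
    """Hypothetical handler: decode the GET var the way the web server would,
    then apply the containment check."""
    params = urllib.parse.parse_qs(query_string)
    requested = params.get("filename", [""])[0]
    if not requested:
        return None
    return resolve_download(base_dir, requested)


def demo() -> dict:
    """Constructed layout: root/downloads/report.pdf is servable, root/secret.conf is not."""
    with tempfile.TemporaryDirectory() as root:
        base = os.path.join(root, "downloads")
        os.mkdir(base)
        with open(os.path.join(base, "report.pdf"), "w") as fh:
            fh.write("constructed sample")
        outside = os.path.join(root, "secret.conf")
        with open(outside, "w") as fh:
            fh.write("constructed sample")
        return {
            "plain": handle_download(base, "filename=report.pdf") is not None,
            "dotdot": handle_download(base, "filename=..%2Fsecret.conf"),
            "absolute": handle_download(base, "filename=" + urllib.parse.quote(outside, safe="")),
            "windows_conf": handle_download(
                base,
                "filename=C%3A%5CProgram%20Files%5CApache%20Group%5CApache2%5Cconf%5Chttpd.conf",
            ),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Only the plain filename resolves; the parent-directory, absolute and drive-letter requests all come back None. Comparing canonical paths rather than filtering characters is what makes the check hold regardless of how the parameter was encoded.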
Admin
'); DELETE FROM Articles WHERE Type = 'Mandatory Fun Day'--
Admin
'); DELETE FROM Articles; --
Admin
Trippy.
Admin
I wonder if you're a native English speaker. "idx" can be short for "index".
You could debate whether or not "index" is a USEFUL identifier, but it's meaning is clear.
Admin
...and I used "it's" instead of "its". I never said I was gooder with this english stuffs!
Admin
'); DELETE FROM Comments WHERE Type = 'Attempt to be witty in SQL'; --
Admin
Nothing to do with SQL injection, but I once found a little bug in a web-based email program I worked on (yes, it was my fault, I admit). No, this isn't one of the more widely used webmail apps ...
Although all our links and operations on the page used POSTs, I found that I could send an HTML-formatted email message with a couple of carefully crafted img tags, like this: [image] [image]
Guess what that did.
More useful, I could do this: [image]
and all email would be forwarded to "[email protected]"
The fix was easy, but it was scary that it took me a few months and couple of releases to the public before this occurred to me. Luckily not many people used the app.
Admin
'); UPDATE comments SET featured = 'Y' where user = 'dave'; --
Admin
Actually, I just remembered, you didn't need to include the host, so: [image] [image] [image]
would work as "intended".
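Editor's note: the webmail bug described in the two posts above is a cross-site request forgery: the application's own links used POST, but an img tag in a received message makes the browser issue a GET with the victim's cookies attached, and a relative src is enough because the mail is rendered on the same origin. The Python below is an added example, not code from the poster's application: a hypothetical "set forwarding address" endpoint that refuses GET for state changes and requires a session-bound token on POST, driven through the three request shapes the posts describe. The session id, forwarding address and secret are constructed for the demo.

```python
"""CSRF-resistant state change for a webmail settings endpoint.

Added example for this discussion; not the original webmail code.
"""
import hashlib
import hmac
import secrets

# Constructed per-deployment secret; a real application loads it from configuration.
SECRET_KEY = secrets.token_bytes(32)


def issue_csrf_token(session_id: str) -> str:
    """Token bound to the session; a page on another origin cannot read or derive it."""
    return hmac.new(SECRET_KEY, session_id.encode(), hashlib.sha256).hexdigest()


class Webmail:
    def __init__(self) -> None:
        self.forward_to = {}  # session_id -> forwarding address

    def handle_set_forward(self, method: str, session_id: str, params: dict):
        """Hypothetical endpoint that changes where a mailbox forwards.

        An <img src="..."> in an HTML message can only make the browser send a
        GET carrying the victim's cookies, so a state change must refuse GET.
        A cross-site auto-submitted form sends cookies too, so the POST must
        also carry the token that only the application's own page can render."""
        if method != "POST":
            return 405, "state changes require POST"
        token = params.get("csrf_token", "")
        if not hmac.compare_digest(token, issue_csrf_token(session_id)):
            return 403, "missing or invalid CSRF token"
        self.forward_to[session_id] = params["forward_to"]
        return 200, "forwarding address updated"


def demo() -> dict:
    wm = Webmail()
    victim = "session-of-alice"            # constructed session id
    target = "forwarding@example.invalid"  # constructed address
    # 1. GET triggered by an img tag inside a received HTML message.
    img_get = wm.handle_set_forward("GET", victim, {"forward_to": target})
    # 2. Cross-origin POST: the cookies ride along, the token does not.
    forged = wm.handle_set_forward("POST", victim, {"forward_to": target, "csrf_token": "guess"})
    # 3. The application's own settings form: POST plus the token it rendered.
    legit = wm.handle_set_forward(
        "POST", victim, {"forward_to": target, "csrf_token": issue_csrf_token(victim)}
    )
    return {
        "img_get": img_get[0],
        "forged_post": forged[0],
        "legit": legit[0],
        "final_forward": wm.forward_to.get(victim),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The method check alone closes the img vector the posts describe, since an image request can never be a POST; the token is what covers the cross-site form case the method check does not. Both are needed because the browser attaches the session cookie to either request.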