
Dissection of the ASP SQL Injection Outbreak

Several website owners this past week, including the United Nations and the UK Government, were left with a compromised database after being hit with the notorious SQL injection bug. This is a flaw in which a basic ASP webpage can be made to run attacker-supplied SQL on the database server.

The mass attack hit a number of websites that were ASP driven and supported querystring parameters for database lookup. Webpages can allow for dynamic retrieval of information based upon querystring parameters; however, if programmed in a basic manner, they might allow a malicious script to be run.

Here is a basic example of a page that is vulnerable:

Page: BadCode.asp

Dim myVar
myVar = Request("input")    ' untrusted value taken straight from the querystring

...
' The value is concatenated into the SQL text, so anything after a ";" becomes a second statement
objComm.CommandText = "Select * from myTable where ID=" & myVar
Set objRS = objComm.Execute    ' ADO Execute returns the recordset for the batch it just ran

...

In the normal situation, this will query the database for the specified record. However, if the value of the input parameter is passed in as a malicious script, it could be run by the SQL server and run amok! Let's have a look...

Example SQL ASP Malicious Script


Given our BadCode.asp example, consider what the following HTTP request would do:
http://samplesite/BadCode.asp?input=555;EXECUTE("MALICIOUS SCRIPT")

In the mass attacks we've seen from China (IP=222.91.65.191) in the past week, the actual querystring script was encoded into hexadecimal so that it was interpreted by SQL, but not munged by ASP.

***REMOVED PER GOOGLE EDITORIAL GUIDELINES***

Here is the script as interpreted by SQL:

***REMOVED PER GOOGLE EDITORIAL GUIDELINES***


Executing this SQL command would modify all the text content in the entire database. The injected text content would direct your website users to download malware to their desktops.

Identifying Websites Vulnerable To SQL/ASP Bug

A basic Google query for ASP pages can be performed to identify potential sites with the flaw.
Combine this with a mass crawler to identify the querystring parameters, then hit the pages in coordinated fashion worldwide; pretty clever stuff indeed... The actual payload of this latest infection from China was even more impressive, as it served a javascript to end-users coming to the website. That javascript contained several other fun forms of malware, which fortunately my browser decided to pass on...
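From the defender's side, the same pattern is what to look for in the web server logs of a site that takes an ID from the querystring. The following is an added example, not code from the original post, that scans constructed IIS-style log lines for a parameter value carrying a batched SQL statement (the "555;EXECUTE(...)" shape above) or a long hex literal of the kind the encoded attack used; the log layout, the keyword list and the sample lines are assumptions.

```python
import re
from urllib.parse import unquote_plus

# Constructed IIS-style log lines: date time client-ip method uri-stem uri-query status.
# Line 2 carries the page's "555;EXECUTE(...)" pattern; line 3 carries a hex literal
# (the hex here is just "SELECT 1", constructed for the example).
SAMPLE_LOG = """\
2008-04-25 10:11:12 10.0.0.5 GET /BadCode.asp input=555 200
2008-04-25 10:11:13 10.0.0.9 GET /BadCode.asp input=555;EXECUTE(%22MALICIOUS%20SCRIPT%22) 200
2008-04-25 10:11:14 10.0.0.9 GET /BadCode.asp input=555;EXEC(0x53454C4543542031) 200
"""

# A statement separator followed by a SQL keyword means the value is a batch, not an ID.
BATCH_RE = re.compile(r";\s*(EXEC(?:UTE)?|DECLARE|CAST|UPDATE|INSERT|DELETE|DROP)\b", re.I)
# Long hex literals are how an encoded script reaches SQL without ASP touching it.
HEX_RE = re.compile(r"0x[0-9a-f]{16,}", re.I)

def params(query):
    """Split a raw querystring and URL-decode each name and value."""
    for pair in query.split("&"):
        name, _, value = pair.partition("=")
        yield unquote_plus(name), unquote_plus(value)

def suspicious_params(query):
    """Return (name, reason) for every parameter whose decoded value looks injected."""
    hits = []
    for name, value in params(query):
        reasons = []
        if BATCH_RE.search(value):
            reasons.append("separator followed by SQL keyword")
        if HEX_RE.search(value):
            reasons.append("long hex literal")
        if reasons:
            hits.append((name, "; ".join(reasons)))
    return hits

def scan_log(text):
    """One finding per suspicious parameter: who sent it, to which page, and why."""
    findings = []
    for line in text.splitlines():
        _date, _time, ip, _method, stem, query, _status = line.split()
        for name, reason in suspicious_params(query):
            findings.append({"ip": ip, "page": stem, "param": name, "reason": reason})
    return findings

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Grouping the findings by client IP is what surfaces the handful of source addresses the post lists, and the page/parameter pair tells you which lookup to fix first.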

SQL Injection Fix


There is no patch that prevents this flaw. A fully patched, secure and locked down server can still be susceptible to this problem. It is only eliminated with good coding practices. I recommend exclusively using stored procedures to gain access to the database; in that way you tightly control all access levels and can avoid the pitfalls of rogue or poor programmers and basic exploits.

In short, don't allow uncontrolled, dynamic SQL statements to be run from the web application.
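As an added example (not code from the original post), here is the BadCode.asp lookup rewritten in Python with an in-memory SQLite database standing in for SQL Server, next to the hardened form that validates the type and binds the ID as a parameter; the table, its rows and the injected input are constructed for the demonstration.

```python
import sqlite3

def make_db():
    """Constructed in-memory stand-in for the database behind BadCode.asp."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE myTable (ID INTEGER PRIMARY KEY, Title TEXT);
        INSERT INTO myTable VALUES (555, 'Annual report');
        INSERT INTO myTable VALUES (556, 'Contact us');
    """)
    return con

def lookup_vulnerable(con, user_input):
    """Same shape as BadCode.asp: the querystring value is concatenated into the SQL.
    executescript() runs every statement in the batch, as SQL Server does for the
    ADO Execute in the ASP page, so text after a ';' becomes a second statement."""
    sql = "SELECT * FROM myTable WHERE ID=" + user_input
    con.executescript(sql)
    return sql

def lookup_safe(con, user_input):
    """Hardened form: reject anything that is not an integer, then bind the value
    as a parameter so the server sees one fixed statement plus one integer."""
    if not user_input.isdigit():
        raise ValueError("ID must be numeric")
    cur = con.execute("SELECT ID, Title FROM myTable WHERE ID=?", (int(user_input),))
    return cur.fetchall()

def titles(con):
    return [t for (t,) in con.execute("SELECT Title FROM myTable ORDER BY ID")]

def demo():
    """Run both lookups against a constructed '555;UPDATE ...' input and report
    what each left behind in the table."""
    injected = "555;UPDATE myTable SET Title='defaced'"
    con = make_db()
    lookup_vulnerable(con, injected)
    after_vulnerable = titles(con)

    con = make_db()
    try:
        lookup_safe(con, injected)
        rejected = False
    except ValueError:
        rejected = True
    return {"after_vulnerable": after_vulnerable, "safe_rejected": rejected,
            "after_safe": titles(con), "safe_normal": lookup_safe(con, "555")}

if __name__ == "__main__":
    print(demo())
```

A stored procedure called through an ADO Command with parameters gives the same guarantee in classic ASP: the ID travels as a typed value, never as SQL text.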

Comments

David Rodecker said…
Apparently this article triggered some alarms at Google.

See the two sections in the article that now instead show: REMOVED PER GOOGLE EDITORIAL GUIDELINES

I suspect that the malicious SQL code is fingerprinted by Googlebot and thereby tagged the article, or that Editorial wanted to block the expose so as to prevent would-be hackers from learning a new trick.
David Rodecker said…
My Letter to Google:

My Blog was apparently marked for being in violation of TOS. I believe that this was a false-positive identification. I suspect that my recent publication "Dissection of the ASP SQL Injection Outbreak" triggered this.
Specifically, the article displayed some tracking code of what we experienced. I suspect that Google automatically associated the content with the known malware. My article was benign, text-only, and did not place any client-script or malware of any sort.
Nevertheless, to avoid the continued disruption, I am now modifying that article and removing traces that might associate it to an actual suspicious script.
I ask that you release the TOS suspension from my blog.
David Rodecker said…
Google search believes this is malware:

Google search screenshot

I'm sure that this is a basic finger-print identification since the article merely had text and not anything that would actually run on a users computer.
David Rodecker said…
Other source IP addresses found attempting the sql exploit:

221.237.189.44; CN [China]
92.12.55.184; GB [United Kingdom]
David Rodecker said…
We have created an application drop in for ASP.Net that blocks the SQL Injection. It is doing a great job of preventing all attempts.
