I have a database running on SQL Server 2008 R2. I have problems with some columns' values.

I noticed that some field values are updated automatically.

They contain data like:

  • original value 12345
  • dirty value 12345<div style="display:none">why do husband cheat <a href="http://blog.businessdating.com/page/How-women-cheat">wifes that cheat</a> why do men cheat on their wife</div>

I don't know how this can happen, and what kind of attack is it? Note that in my application code, which is an ASP.NET WebForms application, I have no update statements, and some infected columns are not read from client input; they are foreign keys and their values are read from the database, so there is no way to put such dirty values in them.

Ismail Diari
  • Check your Script, and update database type name and validate fields, no script – YOG_PHP Sep 01 '15 at 08:22
  • I have no specific scripts; all the statements are written in my application using SqlCommand. I have only insert statements, and the infected fields are not populated from client input; I populate them from the database. Which kind of attack is this? – Ismail Diari Sep 01 '15 at 08:28
  • If your `SELECT` statements are built in a bad way (concatenating together your SQL instead of using **parametrized queries**), these might be allowing for a classic **SQL injection attack** (still the OWASP no.1 attack on the web)... – marc_s Sep 01 '15 at 08:44
  • Thank you @marc_s for the suggestion. I am not currently using parametrized queries, but these fields that I am talking about are really safe, because they are **foreign keys** that I populate myself: I get their values from the database when I create the insert statement. They are not values that come from user input, so logically they are sanitized. But what I cannot understand is how their values get updated automatically – Ismail Diari Sep 01 '15 at 09:12
  • I don't want to sound harsh, but please take your application offline right now. It's clearly insecure, and you don't appear to have the skills to protect your application. If you google the URL in your column, you'll find lots of pages that have been compromised. There's a script that has found a weakness in your application; it probably is SQL Injection. If you store personal information, sensitive data, or payment data, you should notify your users right now. – Neville Kuyt Sep 01 '15 at 09:24
  • @Neville K, the application is already offline, and it is not a matter of skills to protect my application. I am working on an existing platform serving big clients in my country, and we are setting up all the possible best practices to keep the site as secure as possible. I know that it is a question of SQL injection, but what I am asking is: is it a common SQL injection style? And is there any SQL injection method that **forces** update queries **directly** in the database? Because, as I said, **I have no update statement in my app and the infected field values are not from user input** – Ismail Diari Sep 01 '15 at 09:49
  • The whole point of an attack **is** to run a DML statement (update, delete, insert) that is **not** part of the application. –  Sep 01 '15 at 09:54
  • I am aware of that, but I have only insert statements in my application, no delete and no update, and the infected fields **are not taken from user input**; they are foreign keys and I set their values from code. I make a simple get to the database and then I populate these fields, so normally there is no way for injection. But the injected code really shocked me. Are there any tools or solutions to track this? – Ismail Diari Sep 01 '15 at 10:07
  • Stop running your application **RIGHT NOW** and rewrite it to use **parametrized queries** so that you're safe from SQL injection in the future. SQL injection doesn't need any update statements - once it's infected your system, the attacker can do anything he likes - even delete or alter your data. **USE PARAMETRIZED QUERIES - ALWAYS! NO EXCEPTIONS!!** – marc_s Sep 01 '15 at 10:22
  • Thank you so much @marc_s, I will revise it right now. It is really a serious lesson. As I said before, I am working on an existing platform which contains some code that was written even before the appearance of PARAMETRIZED QUERIES. Anyway, I will work on it right now. – Ismail Diari Sep 01 '15 at 10:41

1 Answer

I assume this is a SQL injection attack.

The whole point of SQL injection attacks is that they find a single weakness to execute arbitrary SQL commands. If you're accepting input from the web, either for insert/update/delete/select queries, and you don't use parameterized queries, an attacker can access any table in your database and do with it as they want.

Without more details, it's hard to be precise on how it might have worked - it appears to be a script as there are lots of pages on the internet with that same URL, and they all use .asp as the suffix.

It's been way too long for me to remember ASP syntax, but I'll give it a whirl. I've also not bothered with HTML encoding to make this more legible.

As an example, let's say you have a page where you can find out about products:

    http://myapp.com/customers.asp?productID=1

When that page hits your server, you construct a SQL string:

    sql = "Select * from products where productID = " & Request.QueryString("productID")

And you then execute that, showing the results on the page.

In the normal case, your SQL request is `Select * from products where productID = 1`

An attacker might manipulate the URL as follows:

    http://myapp.com/customers.asp?productID=1 union sp_help

This would mean you execute

    Select * from products where productID = 1
    union
    sp_help

And show the results on the resulting webpage. It would take a bit of trial and error to get the sp_help results to match the columns in product data, but eventually the attacker gets a complete database schema.

If the attacker then wants to manipulate data, they might do something like

    http://myapp.com/customers.asp?productID=1; update lookupTable set description = description  + '<div style="display:none">why do husband cheat <a href="http://blog.businessdating.com/page/How-women-cheat">wifes that cheat</a> why do men cheat on their wife</div>'

Neville Kuyt
  • Thank you @Neville K for this answer. It is clear now that potentially sp_help was the source of the problem. Anyway, I will change all my db requests to use SQLParameters. I would like to know if it is possible or not to control this from my database grants, so as to enable specific users to make the INSERT? – Ismail Diari Sep 01 '15 at 11:23
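
On the database-grants question in the last comment: the following is an added example, not from the thread, of a least-privilege setup for the web application's database user on SQL Server. `AppDb`, `app_writer`, `web_app_user` and `dbo.Orders` are hypothetical names; `dbo.products` and `dbo.lookupTable` are the tables from the answer's example.

```sql
-- Added example. Hypothetical names: AppDb, app_writer, web_app_user, dbo.Orders.
USE AppDb;
GO

-- 1. Review which database roles the application user is in today.
--    A member of db_owner bypasses the DENY statements below.
SELECT r.name AS role_name
FROM sys.database_role_members AS m
JOIN sys.database_principals AS r ON r.principal_id = m.role_principal_id
JOIN sys.database_principals AS u ON u.principal_id = m.member_principal_id
WHERE u.name = N'web_app_user';
GO

-- 2. A role that may only read the lookup data and insert new rows.
CREATE ROLE app_writer AUTHORIZATION dbo;
GRANT SELECT         ON OBJECT::dbo.products    TO app_writer;
GRANT SELECT         ON OBJECT::dbo.lookupTable TO app_writer;
GRANT SELECT, INSERT ON OBJECT::dbo.Orders      TO app_writer;
-- An explicit DENY takes precedence over a GRANT inherited from another role.
DENY UPDATE, DELETE, ALTER ON SCHEMA::dbo TO app_writer;
GO

-- 3. Move the application user out of the broad roles and into the narrow one.
IF IS_ROLEMEMBER(N'db_owner', N'web_app_user') = 1
    EXEC sp_droprolemember N'db_owner', N'web_app_user';
IF IS_ROLEMEMBER(N'db_datawriter', N'web_app_user') = 1
    EXEC sp_droprolemember N'db_datawriter', N'web_app_user';
EXEC sp_addrolemember N'app_writer', N'web_app_user';
GO

-- 4. Check the effective permissions while impersonating the application user.
EXECUTE AS USER = N'web_app_user';
SELECT HAS_PERMS_BY_NAME(N'dbo.lookupTable', N'OBJECT', N'UPDATE') AS can_update_lookup,
       HAS_PERMS_BY_NAME(N'dbo.Orders',      N'OBJECT', N'INSERT') AS can_insert_orders;
REVERT;
GO
```

Grants like these limit what an injected statement can change, but the account can still read and insert, so the concatenated queries still need to be replaced with parameterized ones.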