< < Jul 2008 > >
S	M	T	W	T	F	S
		1	2	3	4	5
6	7	8	9	10	11	12
13	14	15	16	17	18	19
20	21	22	23	24	25	26
27	28	29	30	31

You are not signed in.
Sign in

Entries By Topic
·All Topics
·Classic ASP
·CSS
·Databases
·eBay/PayPal
·General
·Hardware
·Windows XP

Recent Entries
·SQL Injection Protection - b.js
·Unfair eBay fees for used cars
·100% CSS Layout
·MySql: Data Types
·MS-SQL: Data Types
·VBScript: Suggested Prefixes for Indicating the Data Type of a Variable
·Handling Boolean Fields in MS-SQL and MS-Access
·Fixing LCD Stuck Pixels, Dead Pixels and Burn-in
·I hate PayPal
·eBay Announcement - PayPal will be required on all listings

John's IT Blog

SQL Injection Protection - b.js

Posted at: June 30, 2008
Related Topic(s): Classic ASP, Databases

There is a automated SQL injection attack doing the rounds at the moments which injects some html (<script src=http://www.domain.com/b.js></script>) into certain fields in all the tables in a database.

If you have been attacked don't feel bad as an Internet search of "b.js" reveals tens of thousands of hacked sites.

The attack cleverly appends a series of SQL commands onto your querystrings and if your code is unprotected, and you don't use Access databases, the commands may be passed on to your SQL server and the damage done.

Considering the damage that could be done by this sort of attack, I guess we are lucky that they chose only to append on their little JavaScript.

However, this attack could render your website as "unsafe" in search engine results.

Reversing the Damage

We are also extremely fortunate that the changes can be easily reversed with a few changes of the attackers original SQL commands.

Simply execute the following to clean up the damage. If you have been attacked multiple times (ie. you have multiple script blocks appended to your SQL data) then you will need to execute the following script for each attack.

DECLARE @T varchar(255), @C varchar(255); DECLARE Table_Cursor CURSOR FOR SELECT a.name, b.name FROM sysobjects a, syscolumns b WHERE a.id = b.id AND a.xtype = 'u' AND (b.xtype = 99 OR b.xtype = 35 OR b.xtype = 231 OR b.xtype = 167); OPEN Table_Cursor; FETCH NEXT FROM Table_Cursor INTO @T, @C; WHILE (@@FETCH_STATUS = 0) BEGIN EXEC( 'update ['+@T+'] set ['+@C+'] = left( convert(varchar(8000), ['+@C+']), len(convert(varchar(8000), ['+@C+'])) - 6 - patindex(''%tpircs<%'', reverse(convert(varchar(8000), ['+@C+']))) ) where ['+@C+'] like ''%<script%</script>''' ); FETCH NEXT FROM Table_Cursor INTO @T, @C; END; CLOSE Table_Cursor; DEALLOCATE Table_Cursor;

Protecting against attacks

There are many methods out there to protect against this sort of attack.

The following function is a good method which removes multiple inline SQL commands. If you issue multiple inline SQL commands in one go then obviously it will not be suitable but for everyone else it should stop any attack.

Parse your SQL command strings with the following syntax:

SQLCheck(sql-string-here)

Function SQLCheck(strCommand) Dim intChar Dim blnQuotes SQLCheck = strCommand blnQuotes = False For intChar = 1 To Len(strCommand) If Mid(strCommand, intChar, 1) = "'" Then If Not blnQuotes Then blnQuotes = True Else If intChar < Len(strCommand) Then If Mid(strCommand, intChar + 1, 1) = "'" Then intChar = intChar + 1 Else blnQuotes = False End If End If End If ElseIf Mid(strCommand, intChar, 1) = ";" Then If Not blnQuotes Then SQLCheck = Left(strCommand, intChar - 1) Exit For End If End If Next End Function

View Comments (1) | Add Comment | Permalink

Very useful scripts

Posted by Raja | July 14, 2008

Newer | Latest | Older

ASP Hosting and Domain Names

For cheap asp and asp.net hosting I recommend CrystalTech, for cheap .com domains Cheeky Domains, or for .com.au domains Name Scout.

[Oztion is an Australian auction website which offers no listing fees]