SQL Injection Protection - b.js
Posted at: June 30, 2008
Related Topic(s): Classic ASP, Databases
There is an automated SQL injection attack doing the rounds at the moment which injects an HTML script tag (<script src=http://www.domain.com/b.js></script>) into certain fields in every table in a database.
If you have been attacked, don't feel bad: an Internet search for "b.js" reveals tens of thousands of hacked sites.
The attack appends a series of SQL commands to your querystrings. If your code passes that input straight into its queries, and your site runs against SQL Server rather than an Access database, the commands are passed on to the database server and the damage is done.
Considering the damage that could be done with that level of access to the database, I guess we are lucky that they chose only to append their little JavaScript.
However, every page that renders an affected field now loads the attacker's script in the visitor's browser, and that can get your website flagged as "unsafe" in search engine results.
Reversing the Damage
We are also extremely fortunate that the changes can easily be reversed with a few changes to the attacker's original SQL commands.
Simply execute the following to clean up the damage. If you have been attacked multiple times (i.e. you have multiple script blocks appended to your SQL data) then you will need to execute the script once for each attack.
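The cleanup described above, as an added example that is not the post's own script (the original is not reproduced on this page): it walks every character column of every base table and strips the injected tag with REPLACE. It assumes Microsoft SQL Server 2005 or later (for the (MAX) types), the placeholder URL quoted above (www.domain.com; substitute the exact tag found in your data), and that the attacker's UPDATE only appended to the values rather than truncating them.

```sql
-- Added example (not the original post's cleanup script): remove an injected
-- <script> tag from every character column of every user table.
-- Assumes SQL Server 2005+ and the placeholder URL from the post; set @Injected
-- to the exact string found in your data, and take a backup before running it.
SET NOCOUNT ON;

DECLARE @Injected NVARCHAR(200);
SET @Injected = N'<script src=http://www.domain.com/b.js></script>';

DECLARE @Table    NVARCHAR(520),   -- [schema].[table], already quoted
        @Column   NVARCHAR(260),   -- [column], already quoted
        @CastType NVARCHAR(20),    -- VARCHAR(MAX) or NVARCHAR(MAX)
        @Sql      NVARCHAR(MAX),
        @Rows     INT;

-- Only base tables (not views), only the column types a string could have
-- been appended to, and no computed columns (they cannot be updated).
DECLARE col_cursor CURSOR LOCAL FAST_FORWARD FOR
    SELECT QUOTENAME(c.TABLE_SCHEMA) + N'.' + QUOTENAME(c.TABLE_NAME),
           QUOTENAME(c.COLUMN_NAME),
           CASE WHEN c.DATA_TYPE IN ('nchar', 'nvarchar', 'ntext')
                THEN N'NVARCHAR(MAX)' ELSE N'VARCHAR(MAX)' END
    FROM INFORMATION_SCHEMA.COLUMNS AS c
    JOIN INFORMATION_SCHEMA.TABLES  AS t
      ON t.TABLE_SCHEMA = c.TABLE_SCHEMA AND t.TABLE_NAME = c.TABLE_NAME
    WHERE t.TABLE_TYPE = 'BASE TABLE'
      AND c.DATA_TYPE IN ('char', 'varchar', 'text', 'nchar', 'nvarchar', 'ntext')
      AND COLUMNPROPERTY(OBJECT_ID(QUOTENAME(c.TABLE_SCHEMA) + '.' + QUOTENAME(c.TABLE_NAME)),
                         c.COLUMN_NAME, 'IsComputed') = 0;

OPEN col_cursor;
FETCH NEXT FROM col_cursor INTO @Table, @Column, @CastType;

WHILE @@FETCH_STATUS = 0
BEGIN
    -- text/ntext cannot be passed to REPLACE directly, so the column is cast
    -- to its (MAX) type first. REPLACE strips every occurrence, so a value hit
    -- by several attacks is cleaned in one pass. CHARINDEX in the WHERE clause
    -- keeps the UPDATE (and its logging) to rows that actually contain the tag.
    SET @Sql = N'UPDATE ' + @Table +
               N' SET ' + @Column + N' = REPLACE(CAST(' + @Column + N' AS ' + @CastType + N'), @Tag, N'''')' +
               N' WHERE CHARINDEX(@Tag, CAST(' + @Column + N' AS ' + @CastType + N')) > 0;' +
               N' SET @Rows = @@ROWCOUNT;';

    -- The tag is passed as a parameter rather than spliced into the statement,
    -- so the cleanup script is not itself an injection vector.
    EXEC sp_executesql @Sql,
         N'@Tag NVARCHAR(200), @Rows INT OUTPUT',
         @Tag = @Injected, @Rows = @Rows OUTPUT;

    PRINT N'Cleaned ' + @Table + N'.' + @Column + N': ' + CAST(@Rows AS NVARCHAR(10)) + N' row(s)';

    FETCH NEXT FROM col_cursor INTO @Table, @Column, @CastType;
END

CLOSE col_cursor;
DEALLOCATE col_cursor;
```

Run it against a restored copy first and compare the row counts it prints with what you expect; because it uses REPLACE rather than trimming a fixed number of characters off the end, one run also clears values that were hit more than once. If the attack wrote a different domain into your data, only the @Injected string changes.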