October 5, 2007

SQL Injection...Again

We've got someone new trying to inject some bad SQL against our server at work.

An IP address originating in Mexico sent this query at us:

.../messageboard/standardboard.aspx?printview=1&ForumId=1%20declare%20%40q%20varchar%288000%29%20select%20%40q%20%3D%200x57414954464F522044454C4159202730303A30303A323027%20exec%28%40q%29%20%2D%2D

Decoded out, they sent us:

declare @q varchar(8000) select @q = 0x57414954464F522044454C4159202730303A30303A323027 exec(@q)

Decoded out even further, they were trying to execute this:

WAITFOR DELAY '00:00:20'

While I'm glad that none of their attacks have been successful so far, it keeps me up at night worrying that maybe I missed validating a query-string variable or that I've forgotten to handle a text-box.

Asshats like this make me sick.

2 comments:

fds said...

There are always millions of automated bots roaming the Internet, trying their laundry list of vulnerabilities mindlessly at any random IP address.

It doesn't mean they are targeting you specifically. There's no need to get worked up about them. If anything, it's when your server is NOT getting hit by these pointless queries that you should worry. That would mean there's something wrong with its Internet connectivity. :)

For some peace of mind, use numerous database logins, setting their access rights so that each can only do what it is supposed to do in that transaction.
Then even if there's a silly mistake somewhere not verifying input parameters properly, the attacker still didn't gain much, if anything.

RemohDad said...

Hey ROM.... what tools are you using to check web security? I've been trying out Nstalker and Nessus.