[thelist] Website Hacked?

Chris Anderson Chris at activeide.com
Wed May 28 17:58:25 CDT 2008


> problem.  I'm seeing several places where they hit my search.asp file
> with a query of "letter=n" (normal query) followed by
> ";DECLARE%20@S%20NVARCHAR(4000);SET%20S=CAST(0X..."
> 
> So it looks as though I need to go through and see where the ball was
> dropped.

The main thing to look for there is if the query string is being used to
build a string and then executed, or if it's used in a parameterised
query. The latter (as said before) is safer.
Note however that even if the string is passed to a Stored Procedure
using a parameter you are still not necessarily safe (because the proc
could be creating a VARCHAR string from the passed query and EXEC'ing
it!). You would have to check the proc to see how the string is used.
If it's used in a query directly it's okay, but if (as mentioned earlier)
it's used to create a string which is then executed, you're in trouble.

Basically, your code should be able to handle this scenario:
http://xkcd.com/327/  :-)

> I see that the SA user has access to a lot of stuff.  I know that I
> changed the password for it, but couldn't I just disable it?


In SQL Server 2000, you could only disable the sa account by not using
SQL Authentication (i.e. Windows authentication only).
Personally, if I have to use SQL authentication, I set the sa password to
a *very* long password (300+ characters) and then never use it.
Admin can be done locally (and therefore via Windows auth) and the only
non-Windows (i.e. SQL) users are locked down application users.

In SQL Server 2005, sa can be disabled (and is by default).

In either case, you wouldn't ever use it in an application (unless it
was an admin one of course ;-) ).

Chris
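The audit Chris describes, written out as an added T-SQL example (this is not code from the thread or from the original poster's site). It assumes a table `dbo.Products` with a `ProductName` column and uses made-up procedure names `dbo.SearchByLetter_*`; the `letter` value is the one the search page receives from the query string. Section 1 is the pattern to look for when reading a stored procedure (input concatenated into a string that is then `EXEC`'d), sections 2 and 3 are the two safe forms, section 4 is a query to shortlist procedures for manual review, and section 5 covers disabling `sa` on SQL Server 2005 or later.

```sql
-- Added example, not part of the original mailing-list thread.
-- Assumed schema: dbo.Products(ProductName); assumed proc names below.

-- 1. The dangerous pattern: the parameter is used to BUILD a string,
--    and the string is then executed. A value that closes the quote
--    and continues with more SQL is run as SQL, not compared as data.
CREATE PROCEDURE dbo.SearchByLetter_Unsafe
    @letter NVARCHAR(100)
AS
BEGIN
    DECLARE @sql NVARCHAR(4000);
    SET @sql = N'SELECT ProductName FROM dbo.Products WHERE ProductName LIKE '''
             + @letter + N'%''';
    EXEC(@sql);   -- string built from input, then executed: this is the problem
END;
GO

-- 2. Safe: the parameter is used directly in the query, so it can only
--    ever be a comparison value, whatever characters it contains.
CREATE PROCEDURE dbo.SearchByLetter_Safe
    @letter NVARCHAR(100)
AS
BEGIN
    SELECT ProductName
    FROM dbo.Products
    WHERE ProductName LIKE @letter + N'%';
END;
GO

-- 3. If dynamic SQL is genuinely required, keep the user value out of
--    the string text and hand it to sp_executesql as a parameter.
CREATE PROCEDURE dbo.SearchByLetter_Dynamic
    @letter NVARCHAR(100)
AS
BEGIN
    DECLARE @sql NVARCHAR(4000);
    SET @sql = N'SELECT ProductName FROM dbo.Products '
             + N'WHERE ProductName LIKE @p + N''%''';
    EXEC sp_executesql @sql, N'@p NVARCHAR(100)', @p = @letter;
END;
GO

-- 4. Audit helper (SQL Server 2005+): list module definitions that
--    execute strings. Each hit needs a human to check whether any
--    user-supplied value ends up inside the executed string.
SELECT OBJECT_NAME(m.object_id) AS proc_name
FROM sys.sql_modules AS m
WHERE m.definition LIKE '%EXEC%(%'
   OR m.definition LIKE '%sp_executesql%';

-- 5. SQL Server 2005+: disable sa outright instead of relying on a
--    very long password. (ALTER LOGIN does not exist in SQL Server 2000,
--    where the only option is Windows-only authentication mode.)
ALTER LOGIN sa DISABLE;
```

The list from section 4 is a shortlist, not a verdict: `sp_executesql` with proper parameters (section 3) is fine, and `EXEC` of a string that contains only trusted, server-side values is also fine. What matters is whether anything from the request can reach the text that gets executed.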


