[thelist] Website Hacked?

Anthony Baratta anthony at baratta.com
Sat May 24 17:40:10 CDT 2008


Todd Richards wrote:
> Thanks Anthony.  I am checking so that when someone requests a store - ie.
> Store.asp?id=300 - if it's not a numeric value then they will get redirected
> to the home page.  However, I'm raw on how they could actually get data
> entered into my database.  I know it can happen - I hear about it all the
> time.  However, I'm just not sure where to start to fix it.  The "admin"
> directory is using Windows authentication rather than a database login,
> since I'm the only one who has permissions to update things.  Would that
> make a difference?  

When you fail to validate your data types, you open your SQL statements 
to manipulation. For Example:

Store.asp?id=300;DROP TABLE Store_Inventory;

Obviously they need to convert the space and the semi-colon with URL 
Encoding, but if your code does not validate the 300 string it will run 
both statements and you are hosed.

The more sophisticated hackers will encode their SQL statements like this:

Store.asp?id=300;DECLARE%20@S%20VARCHAR(4000);SET%20@S=CAST(0x444
5204054205641524348415228323535292C404320564152434841522832353529
204445434C415245205461626C655F437572736F7220435552534F5220464F522
2736F72204445414C4C4F43415445205461626C655F437572736F72%20AS%20
VARCHAR(4000));EXEC(@S);

This is an actual hack attempt against one of my servers. It's truncated 
for length, but a real life example of how they do it.



--
Anthony Baratta

Every man takes the limits of his own field of vision for the limits of 
the world.
— Arthur Schopenhauer
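The two points made in the reply above, rejecting any `id` that is not purely numeric and never splicing the raw value into the SQL text, as an added example in Python (this is not code from the thread or from either poster). It assumes a hypothetical `Store` table with `id` and `name` columns, uses an in-memory SQLite database standing in for the SQL Server behind the ASP page, and adds a small log-line check for the two shapes of request quoted in the message (a stacked statement after `;`, and a `CAST(0x...)` hex-wrapped payload). The sample request paths are constructed for the demo; the hex in the third one is cut down to a few bytes.

```python
import re
import sqlite3
from urllib.parse import urlsplit, unquote

# Constructed sample request paths, in the shape a web-server log would record them.
SAMPLE_REQUESTS = [
    "/Store.asp?id=300",
    "/Store.asp?id=300;DROP%20TABLE%20Store_Inventory;",
    "/Store.asp?id=300;DECLARE%20@S%20VARCHAR(4000);SET%20@S=CAST(0x4445%20AS%20VARCHAR(4000));EXEC(@S);",
    "/Store.asp?id=abc",
]


def query_param(path, name):
    """Return the decoded value of one query-string parameter, or None.

    Split only on '&' so a ';' inside a value stays part of that value
    (older versions of urllib.parse.parse_qs treated ';' as a separator).
    """
    for pair in urlsplit(path).query.split("&"):
        key, _, value = pair.partition("=")
        if unquote(key) == name:
            return unquote(value)
    return None


def parse_store_id(raw):
    """Accept only a short run of digits; anything else is rejected outright."""
    if raw is None or not re.fullmatch(r"[0-9]{1,9}", raw):
        return None
    return int(raw)


def unsafe_sql(raw):
    """The vulnerable pattern: string concatenation. Returned, never executed here.

    With a value such as '300;DROP TABLE Store_Inventory;' this yields two
    statements in one string, which is exactly what the reply warns about.
    """
    return "SELECT name FROM Store WHERE id = " + raw


def lookup_store(conn, store_id):
    """Parameterized query: the id is bound as data, so it cannot alter the SQL."""
    row = conn.execute("SELECT name FROM Store WHERE id = ?", (store_id,)).fetchone()
    return row[0] if row else None


def build_demo_db():
    """Hypothetical Store table, populated with one constructed row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Store (id INTEGER PRIMARY KEY, name TEXT)")
    conn.execute("INSERT INTO Store VALUES (300, 'Main Street')")
    return conn


def handle_request(conn, path):
    """Mirror the poster's intent: non-numeric id -> redirect home, else look it up."""
    store_id = parse_store_id(query_param(path, "id"))
    if store_id is None:
        return ("redirect", None)
    return ("ok", lookup_store(conn, store_id))


# Patterns for reviewing logs after the fact; applied to the URL-decoded path.
SUSPICIOUS = [
    (r";\s*(drop|declare|exec|insert|update|delete)\b", "stacked statement"),
    (r"cast\s*\(\s*0x[0-9a-f]+", "hex-encoded payload"),
]


def flag_suspicious(path):
    """Return the labels of every pattern found in the decoded request path."""
    decoded = unquote(path).lower()
    return [label for pattern, label in SUSPICIOUS if re.search(pattern, decoded)]


if __name__ == "__main__":
    conn = build_demo_db()
    for path in SAMPLE_REQUESTS:
        print(path, "->", handle_request(conn, path), flag_suspicious(path))
```

Validation alone keeps the page safe for an integer parameter, but the parameterized query is what makes the fix hold when a later parameter is free text; the log check is for finding out whether the encoded requests in the reply ever reached your server.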

