I hope programming is a good place to start here... I logged into my site emails this morning for my primary health and fitness website (.asp on a Microsoft server) and saw about a hundred Claim Forms submitted within about 10 minutes. This is a simple form customers can fill in and email to me to advise of products being damaged on arrival etc. The form was pretty much blank apart from a piece of SQL code that states:

' WAITFOR DELAY '00:00:20' --

After a good number of these were submitted with the above SQL statement switching between a number of fields in the form, I see a piece of SQL code as follows:

declare @q varchar(8000) select @q = 0x57414954464F522044454C4159202730303A30303A323027 exec(@q) --

This appears a good twenty or so times in different fields of the form in the emails, and then the emails continue with just the following characters switching between fields in the form:

'"

I am assuming this is some sort of malicious hacker using software or a bot, as the submissions were very rapid and too many within a short space of time to be done by hand. I did a Google on this query and see a large number of sites with their 'comments' pages spammed by this code, published in the comments boxes. Can anybody shed some light on this code, and what the hacker may have been intending to do? The site seems fine at the moment. I'm just a little worried. Thanks for any help.

[Mods - If this is the wrong category for such a post, please could you move it to an appropriate category - thanks]
http://en.wikipedia.org/wiki/SQL_injection

For advanced info check out http://www.ngssoftware.com/papers/more_advanced_sql_injection.pdf and then read page 12, [Encoding injected statements].

----

Here is a copy and paste of the article:

[Encoding injected statements]

There is a bewildering array of ways to encode SQL queries. "Advanced SQL Injection" demonstrated the use of the 'char' function to compose a query string; another way is to hex-encode the query:

declare @q varchar(8000) select @q = 0x73656c65637420404076657273696f6e exec(@q)

This runs 'select @@version', as does:

declare @q nvarchar(4000) select @q = 0x730065006c00650063007400200040004000760065007200730069006f006e00 exec(@q)

In the stored procedure example above we saw how a 'sysname' parameter can contain multiple SQL statements without the use of single quotes or semicolons:

sp_msdropretry [foo drop table logs select * from sysobjects], [bar]
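To see for yourself what the hex literal in those submissions actually runs, and to flag further submissions of the same kind, here is an added example (not code from either post above or from the NGS paper). It decodes the two hex forms the paper describes (the varchar byte string and the nvarchar UTF-16LE string), rewrites any 0x... literal in a form field back to readable SQL, and then matches the decoded field against the payload shapes seen in this thread. The sample form fields are constructed for the demo; the signature names and the field names are mine, not anything from the original site.

```python
import re

# Constructed sample of one submission, modelled on the fields quoted in the thread.
SAMPLE_FIELDS = {
    "name": "' WAITFOR DELAY '00:00:20' --",
    "order_no": "declare @q varchar(8000) select @q = "
                "0x57414954464F522044454C4159202730303A30303A323027 exec(@q) --",
    "email": "'\"",
    "detail": "Box arrived crushed, two bottles broken",
}

HEX_LITERAL = re.compile(r"0x([0-9A-Fa-f]+)")

# Payload shapes discussed in the thread; labels are this example's own naming.
SIGNATURES = [
    ("time-based blind probe", re.compile(r"waitfor\s+delay", re.I)),
    ("hex-encoded exec",       re.compile(r"exec\s*\(\s*@\w+\s*\)", re.I)),
    ("trailing comment",       re.compile(r"--\s*$")),
    ("quote probe",            re.compile(r"^['\"]{1,2}$")),
]


def decode_hex_literal(hex_digits: str) -> str:
    """Turn the digits after 0x into the text SQL Server would exec().

    A varchar literal is one byte per character; an nvarchar literal is
    UTF-16LE, so for ASCII text every second byte is 0x00.
    """
    if len(hex_digits) % 2:
        # Not a whole number of bytes; leave it as it was written.
        return "0x" + hex_digits
    raw = bytes.fromhex(hex_digits)
    if len(raw) >= 2 and all(b == 0 for b in raw[1::2]):
        return raw.decode("utf-16-le")
    return raw.decode("latin-1")


def decode_field(value: str) -> str:
    """Replace every 0x... literal in a field with its decoded text."""
    return HEX_LITERAL.sub(lambda m: decode_hex_literal(m.group(1)), value)


def classify_field(value: str) -> list:
    """Return the signature labels that match the (decoded) field value."""
    decoded = decode_field(value)
    return [label for label, pat in SIGNATURES if pat.search(decoded)]


def scan_submission(fields: dict) -> dict:
    """Map each suspicious field name to its matched labels; clean fields are omitted."""
    report = {}
    for name, value in fields.items():
        labels = classify_field(value)
        if labels:
            report[name] = labels
    return report


if __name__ == "__main__":
    for name, value in SAMPLE_FIELDS.items():
        print(f"{name}: {decode_field(value)!r} -> {classify_field(value)}")
```

The decoded text for the thread's literal is exactly the first payload, WAITFOR DELAY '00:00:20', so the two submissions are the same time-based probe in plain and encoded form: if the page takes 20 seconds longer to respond, the attacker knows the field reaches the database unquoted. A clean field like "detail" produces no labels.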
Fantastic info - really appreciate that. Sounds scary what people can do. I'll have to have a very careful read of these documents and assess my security.
A great start is to not generate SQL commands on the fly, but abstract away the db behind stored procedures. Give the database user that IIS logs in as limited rights in the database. And for fun, run this query, coming from your attacker's script:

declare @q varchar(8000) select @q = 0x57414954464F522044454C4159202730303A30303A323027 print @q
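To show why the advice above ("don't generate SQL commands on the fly") matters with the thread's own payloads, here is an added example that is not code from any post in this thread. It inserts a claim form field two ways: by pasting the value into the SQL text, as a hand-written ASP page often does, and as a bound parameter. An in-memory SQLite database stands in for the site's SQL Server (an assumption made for the demo, so the WAITFOR itself is not executed here; the point is how a quote in the input changes the statement). On SQL Server the parameterised route is a stored procedure or sp_executesql with parameters, as the post suggests; the function and table names below are mine.

```python
import sqlite3

# Payloads as seen in the thread's submissions (constructed sample input).
PAYLOAD_WAITFOR = "' WAITFOR DELAY '00:00:20' --"
PAYLOAD_QUOTES = "'\""


def new_claims_db() -> sqlite3.Connection:
    """In-memory SQLite as a stand-in for the site's database (assumption)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE claims (id INTEGER PRIMARY KEY, customer TEXT, detail TEXT)"
    )
    return conn


def save_claim_concat(conn: sqlite3.Connection, customer: str, detail: str) -> str:
    """Vulnerable: form values are pasted straight into the SQL text."""
    sql = ("INSERT INTO claims (customer, detail) VALUES ('"
           + customer + "', '" + detail + "')")
    try:
        conn.execute(sql)
        conn.commit()
        return "ok"
    except sqlite3.Error as exc:
        # The quote in the input closed the string early and the rest of the
        # field became SQL.  On SQL Server the WAITFOR would simply run.
        return "error: " + str(exc)


def save_claim_param(conn: sqlite3.Connection, customer: str, detail: str) -> str:
    """Hardened: values travel as bound parameters, never as SQL text."""
    conn.execute(
        "INSERT INTO claims (customer, detail) VALUES (?, ?)", (customer, detail)
    )
    conn.commit()
    return "ok"


def stored_details(conn: sqlite3.Connection) -> list:
    """Return the detail column in insertion order."""
    return [row[0] for row in conn.execute("SELECT detail FROM claims ORDER BY id")]


def demo() -> dict:
    """Run both paths against both payloads and report what happened."""
    conn = new_claims_db()
    results = {
        "concat_waitfor": save_claim_concat(conn, "Alice", PAYLOAD_WAITFOR),
        "concat_quotes": save_claim_concat(conn, "Alice", PAYLOAD_QUOTES),
        "param_waitfor": save_claim_param(conn, "Alice", PAYLOAD_WAITFOR),
        "param_quotes": save_claim_param(conn, "Alice", PAYLOAD_QUOTES),
    }
    results["stored"] = stored_details(conn)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

With concatenation both payloads break out of the string literal: the '" probe is exactly what a scanner sends first, because an error response tells it the quote reached the parser. With bound parameters the same strings are stored verbatim as claim text and nothing in them is ever parsed as SQL. Pair that with a low-privilege database login for the IIS process, as the post says, so that even a query that does get through cannot reach beyond the claims table.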