I have website as Classic ASP as Front end and SQL Server 2005 as Back end.
But I am facing a very strange SQL injection on my back end.
Some type of CSS with HTML with spamming site is appending their code to my website database with each table and with each varchar type columns.
For e.g.
</title><style>.am1y{position:absolute;clip:rect(405px,auto,auto,405px);}</style><div class=am1y>same day <a href=http://mazzpaydayloans.com >payday loans</a></div>
I Checked My IIS Log It shows me like this
2013-06-09 19:15:54 GET
/mypage.asp%3C/title%3E%3Cstyle%3E.axo5{position:absolute;clip:rect(404px,auto,auto,404px);}%3C/style%3E%3Cdiv%20class=axo5%3Eapproval%20%3Ca%20href=http:/mazzpaydayloans.com%20%3Epayday%20loans%3C/a%3E%3C/div%3E
- - 204.13.205.99 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1)
loginfailure=chance=0&bantime=;+ASPSESSIONIDSSDRRCQQ=EDPHPJGCGLMKOADICKHODKBM
- www.mysite.com 404 0 281 543 78
On my this selected ASP Page all SQL queries are parametrized.
But still this issue is persists.
MyPage.asp Code
new_prot = "http"
new_https = lcase(request.ServerVariables("HTTPS"))
if new_https <> "off" then new_prot = "https"
new_domainname = Request.ServerVariables("SERVER_NAME")
new_filename = Request.ServerVariables("SCRIPT_NAME")
set cm1 = Server.CreateObject("ADODB.Command")
cm1.ActiveConnection = conn
cm1.commandtype=1
cm1.CommandText ="select * from Table1 where Web=?"
cm1.prepared=true
dim weburl
set weburl=cm1.createparameter(Web_URL,200,,5000)
weburl.value= Server.HtmlEncode(ltrim(rtrim(new_filename)))
cm1.parameters.append weburl
set Mobile = cm1.execute(RecordsAffected,,adCmdText)
do until Mobile.EOF
response.redirect(Mobile.fields("mob"))
loop
First, your query may be parameterised, but you need to impliment a stored procedure, not a straight SQL command.
set cm1 = Server.CreateObject("ADODB.Command")
cm1.ActiveConnection = conn
cm1.commandtype=1
cm1.CommandText ="select * from Table1 where Web=?"
command text is a no no
you need to impliment a stored procedure:
CREATE ProcTable
#ParamWeb INT
as
SELECT * FROM Table WHERE PAgeID = #ParamWeb
Then Exec the proc. This prevents injection because the page can ONLY accept the numeric value of the proc, and that will only return the revelant dataset (empty or with rows)
Your command text can have
"; any injection script you want"
appended
any injection script can contain sqlcmdShell so once the injection has been made the bad guys can return a list of tables, their content, users, user data etc etc
Related
I'm using ADODB connections to connect to a database which none of my other colleagues understand how to connect to. So far I've got as far as being able to see all the available tables via 2 methods:
Dim ado as object
set ado = CreateObject("ADODB.Connection")
Call ado.open("...")
set rs = ado.Execute("SELECT * FROM sys.objects WHERE type='U'")
and also
const adTable = 20
Set rstSchema = ado.OpenSchema(adTable)
Do Until rstSchema.EOF
Debug.Print rstSchema("TABLE_NAME")
rstSchema.MoveNext
Loop
But the part which is confusing me is selecting from the tables directly... I expected to be able to do:
select * from <<TABLENAME>>
where <<TABLENAME>> was one of the table names returned by the above 2 methods. However whenever I do this I get the error in the title:
Invalid object name '<<TABLENAME>>'.
So how exactly am I meant to access the data in the tables identified from OpenSchema() method. Is there another method which I am unfamiliar with?
As discussed with itsLex in the comments:
In SQL Server terms:
select * from <<Database>>.<<Owner>>.<<TableName>>
Alternatively you can use the USE statement as follows:
USE <<Database>>;
select * from <<TableName>>;
I need to be able to execute an update SQL script, but it isn't working
Here is a link to the site that I used for reference:
https://groovyinsoapui.wordpress.com/tag/sql-eachrow-groovy-soapui/
Here is the format of the code that I ended up writing (due to the nature of the work I am doing, I am unable to provide the exact script that I wrote)
import groovy.sql.Sql
def groovyUtils = new com.eviware.soapui.support.GroovyUtils(context)
groovyUtils.registerJdbcDriver("com.microsoft.sqlserver.jdbc.SQLServerDriver")
def connectString = "jdbc:microsoft:sqlserver://:;databaseName=?user=&password="
sql = Sql.newInstance(connectString) // TEST YOUR CONNECT STRING IN A SQL BROWSER
sql.executeUpdate("UPDATE TABLE SET COLUMN_1 = 'VALUE_1' WHERE COLUMN_2 = 'VALUE_2'")
The response that I am getting is:
Script-result: 0
I also tried to use:
sql.execute("UPDATE TABLE SET COLUMN_1 = 'VALUE_1' WHERE COLUMN_2 = 'VALUE_2'")
Which returns the following response:
Script-result: false
From what you say it seems that no row has COLUMN_2 = 'VALUE_2', so then number of updated rows is 0.
I would first check that statement on Management Studio just to make sure.
In sqlserver I have a function which generates a complex xml of all products with several tables joined: location, suppliers, orders etc.
No problem in that, it runs in 68 sec and produces around 450MB.
It should only be called occationally during migration to another server, so it doesn't matter it takes some time.
I want to make this available for download over webserver.
I've tried some variations of this in classic asp:
Response.Buffer = false
set rs=conn.execute("select cast(dbo.exportXML() as varchar(max)) as res")
response.write rs("res")
But I just get a standard
An error occurred on the server when processing the URL. Please contact the system administrator.
If you are the system administrator please click here to find out more about this error.
Not my usual custom 500-errorhandler, so I'm not sure how to find the error.
The problem is in response.write rs("res"), if i just do
temp = rs("res")
the script runs, but displays nothing of cause; if I then
response.write temp
I get the same failure.
So the problem is writing such a ling string.
Can I save the file from tsql directly; and run the job periodically from sql agent?
I found that there seems to be a limit on how much data can be written at once using Response.Write. The workaround I used was to break the data into chunks like this:
Dim Data, Done
Done = False
Do While Not Done
Data = RecordSet(0).GetChunk(8192)
If Not Len(Data) = 0 Then
Response.Write Data
Else
Done = True
End If
Loop
Try this:
Response.ContentType = "text/xml"
rs.CursorLocation = 3
rs.Open "select cast(dbo.exportXML() as varchar(max)) as res",conn
'Persist the Recordset in XML format to the ASP Response object.
'The constant value for adPersistXML is 1.
rs.Save Response, 1
Whenever I change windows of opened workbooks and come back to MyFile.xlsb where I have defined external connection, the refresh of all pivot tables in MyFile.xlsb runs automatically. Needless to add it is very annoying feature. How to disable it? How to run refresh all only on demand. Important note. This problem occurs only on computers of the users I distribute MyFile.xlsb. On my computer it works ok.
I have defined the external connection as a reference to stored procedure in SQL.
Connection string:
Provider=SQLOLEDB.1;
Integrated Security=SSPI;
Persist Security Info=True;
Initial Catalog=MyDataBase;
Data Source=MyServerName;
Use Procedure for Prepare=1;
Auto Translate=True;
Packet Size=4096;
Workstation ID=MyWorkstationID;
Use Encryption for Data=False;
Tag with column collation when possible=False
Here is SQL stored procedure I call.
CREATE PROCEDURE [dbo].[MyProcedure]
AS
BEGIN
-- part one, show user what he has to see
SELECT *
FROM [dbo].[MyView]
ORDER BY 1
-- part two, get user data
INSERT INTO dbo.My_other_table_logins_history
SELECT
GETDATE(),
ORIGINAL_LOGIN()
END
The concept of using this procedure is explained here:
SQL procedure from Excel run from connection properties with user login as parameter
Try running this:
Option Explicit
Public Sub disableAutoRefreshConnection()
Dim cnn As WorkbookConnection
For Each cnn In ActiveWorkbook.Connections
With cnn.OLEDBConnection
.BackgroundQuery = False
If .Refreshing Then .CancelRefresh
.EnableRefresh = False
.RefreshOnFileOpen = False
.RefreshPeriod = 0
End With
Next
End Sub
BackgroundQuery Default: True; If queries are asynchronous
CancelRefresh Cancels refresh operations in progress
EnableRefresh Default: True; If connection can be refreshed by the user
RefreshOnFileOpen Default: False; If it auto-updates each time workbook is opened
RefreshPeriod Default: 0; Number of minutes between refreshes
I'm trying to run the following UPDATE query from a python script (note I've removed the database info):
print 'Connecting to db for update query...'
db = pyodbc.connect('DRIVER={FreeTDS};SERVER=<removed>;DATABASE=<removed>;UID=<removed>;PWD=<removed>')
cursor = db.cursor()
print ' Executing SQL queries...'
for i in range(len(data)):
sql = '''
UPDATE product.sanction
SET action_summary = '{action_summary}'
WHERE sanction_id = {sanction_id};
'''.format(sanction_id=data[i][0], action_summary=data[i][1])
cursor.execute(sql)
cursor.close()
db.commit()
db.close()
However, it hangs indefinitely, no error.
I'm new to pyodbc, but it should be setup correctly considering I'm having no problems performing SELECT queries. I did have to call CAST for SELECT queries (I've cast sanction_id AS INT [int identity on the database] and action_summary AS TEXT [nvarchar on the database]) to properly populate data, so perhaps the problem lies somewhere there, but I don't know where to start debugging. Converting the text to NVARCHAR didn't do anything either.
Here's an example of one of the rows in data:
(2861357, 'Exclusion Program: NonProcurement; Excluding Agency: HHS; CT Code: Z; Exclusion Type: Prohibition/Restriction; SAM Number: S4MR3Q9FL;')
I was unable to find my issue, but I ended up using QuerySets rather than running an UPDATE query.