SQL injection hacks

Hi,
i am a bit disappointed by the ability of cisco IPS to block sql injections, even with the new added generic sql injection signatures not long ago, still websites hosted with us are being hacked.
i know its vulnerabilities in the sites, but the command update is a lot used to hack sites, i have created a custom signature that catches "update" in small and caps, but i was surprised yesterday that the hacker used "u%pdate" and it bypassed the sensor !!
any thoughts on the subject
thanks

Interesting. I'm so not a SQL expert, but I don't see how "u%pdate" is valid SQL. Why would the database interpret "u%pdate" as valid SQL? Is the application cleaning up the input before passing to the db?
IMHO, if your customers have vulnerable apps, then they need to fix them. A network based IDS simply isn't going to be the best at detecting every possible variation of injection (or anything else imo, but that's a whole different soap box). It just doesn't have the required context. Throw TLS into the mix, and most of the time coverage drops to zero.

Similar Messages

SQL injection hacking

Hello all,
Someone is telling me that a site of mine is vulnerable to a
hacking
technique called "SQL injection". They cited a URL such as
http://www.mydomain.com/gallery.cfm?VarCatID=29
as an example.
I Googled SQL injection, and found a lot of information,
which I'm in the
midst of reading.
What I really want to know is, how serious a risk is this?
Should I be
taking action, and if so, what?
Aren't there millions of sites that use that type of URL
string?? Are they
all unsafe too?
Patty Ayers | www.WebDevBiz.com
Free Articles on the Business of Web Development
Web Design Contract, Estimate Request Form, Estimate
Worksheet

Thank you, Tom!
Patty Ayers | www.WebDevBiz.com
Free Articles on the Business of Web Development
Web Design Contract, Estimate Request Form, Estimate
Worksheet
"Tom Muck" <[email protected]> wrote in
message
news:ecuu0f$dbn$[email protected]..
> If you are passing an integer on a querystring, make
sure you validate
> that an integer is being passed, either by using a
cfparm, cfqueryparam,
> or by using the val() function on the passed querystring
variable:
>
> <cfquery name="blah" datasource="#mydsn#">
> SELECT * FROM mytable WHERE catid =
> <cfqueryparam cfsqltype="cf_sql_integer"
value="#url.VarCatID#">
> </cfquery>
>
> The DW 8.0.2 update changed the way that DW does this so
injection is no
> longer a concern.
>
> --
> --
> Tom Muck
> co-author Dreamweaver MX 2004: The Complete Reference
>
http://www.tom-muck.com/
>
> Cartweaver Development Team
>
http://www.cartweaver.com
>
> Extending Knowledge Daily
>
http://www.communitymx.com/
>
>
> "P@tty Ayers"
<[email protected]> wrote in message
> news:ecut8j$cg6$[email protected]..
>> Hello all,
>>
>> Someone is telling me that a site of mine is
vulnerable to a hacking
>> technique called "SQL injection". They cited a URL
such as
>>
http://www.mydomain.com/gallery.cfm?VarCatID=29
as an example.
>>
>> I Googled SQL injection, and found a lot of
information, which I'm in the
>> midst of reading.
>>
>> What I really want to know is, how serious a risk is
this? Should I be
>> taking action, and if so, what?
>>
>> Aren't there millions of sites that use that type of
URL string?? Are
>> they all unsafe too?
>>
>>
>> --
>> Patty Ayers | www.WebDevBiz.com
>> Free Articles on the Business of Web Development
>> Web Design Contract, Estimate Request Form, Estimate
Worksheet
>> --
>>
>>
>>
>>
>
>

SQL injection embeded .js file to execute CF hack

I am a programmer sent to investigate suspicious activity at
a client's web application. I cannot attach a file in case of
infection potential. The Coldfusion code is open to SQL injection
attack which is how we believe the Apache web server became
infected. Upon investigation we found javascript files which had
been written with CFML code programatically scripted to fit within
a .js javascript file and write and read data from the server.
Has ANYONE seen this type of attack before? I cannot disclose
the client or specific data as we are under a NDA (Non-Disclosure
Agreement), however, I need help of other Coldfusion programmers to
fully understand this attack. Has anyone seen CFML code programmed
into a .js javascript file and run by calling the .js javascript
file before?
We have found japanese or chinese language within the code
and within files on the server. The client states they have NOT
installed any language packs or anything referencing other
languages than English. There have been japanese characters found
on the database server. There are hundreds of .js and .xml files on
the server which reference japanese. Furthermore, we have found
many XML files on the server,but the client does not use .xml so
these .xml files would then be foreign and potentially
programatically scripted by the server launching code to write
these files under the un-knowing eyes of the client.
So we need to understand the limits or potential threats:
1. Can CFML scripting be embedded into a .js javascript file
2. If database parameters are not locked, what are the
possible attacks available to SQL injection
Any help would be appreciated.
Thank you in advance.
Alex Dove

1. Only if the server is set to parse a .js file as CFML
2. A lot!
http://www.forta.com/blog/index.cfm/2008/7/22/For-Goodness-Sake-Use-CFQUERYPARAM-Already
http://www.forta.com/blog/index.cfm/2008/7/23/Hacker-Webzine-Recommends-Use-Of-CFQUERYPARA M
Ken Ford
Adobe Community Expert - Dreamweaver/ColdFusion
Fordwebs, LLC
http://www.fordwebs.com
"ajdove" <[email protected]> wrote in
message news:[email protected]...
>
> I am a programmer sent to investigate suspicious
activity at a client's web
> application. I cannot attach a file in case of infection
potential. The
> Coldfusion code is open to SQL injection attack which is
how we believe the
> Apache web server became infected. Upon investigation we
found javascript
> files which had been written with CFML code
programatically scripted to fit
> within a .js javascript file and write and read data
from the server.
>
> Has ANYONE seen this type of attack before? I cannot
disclose the client or
> specific data as we are under a NDA (Non-Disclosure
Agreement), however, I need
> help of other Coldfusion programmers to fully understand
this attack. Has
> anyone seen CFML code programmed into a .js javascript
file and run by calling
> the .js javascript file before?
>
> We have found japanese or chinese language within the
code and within files on
> the server. The client states they have NOT installed
any language packs or
> anything referencing other languages than English. There
have been japanese
> characters found on the database server. There are
hundreds of .js and .xml
> files on the server which reference japanese.
Furthermore, we have found many
> XML files on the server,but the client does not use .xml
so these .xml files
> would then be foreign and potentially programatically
scripted by the server
> launching code to write these files under the un-knowing
eyes of the client.
>
> So we need to understand the limits or potential
threats:
> 1. Can CFML scripting be embedded into a .js javascript
file
> 2. If database parameters are not locked, what are the
possible attacks
> available to SQL injection
>
> Any help would be appreciated.
> Thank you in advance.
> Alex Dove
>
>

I am using dreamweaver cs6 is it protected from various hacker attacks such as sql injection,xss,?

i mean if i built a site using php and sql using dreamweaver cs 6 ...will it be protected from various hacker attacks such as sql injection,xss,spoofed form input,etc..?? if it is not protected...tell me where can i learn to protect my website using php and sql....from all types of hacker attacks...help needed.... thank you..:)

A couple more comments.
To guard against most of these security risks, you have to completely sanitize any user input whether processed further on subsequent pages or added to a database. That complete sanitization usually involves stripping out any HTML/JavaScript, and blocking SQL-crashing equalities/inequalities.
You can get alot of information about these and other methods on the Dreamweaver AppDev forum -
http://forums.adobe.com/community/dreamweaver/dreamweaver_development?view=discussions
which is where most server-scripting topics are discussed.

Can SQL injection output rows to hacker?

Can a hacker retrieve rows through SQL injection or simply
just jumble up the data? I wouldn't see how they could get the rows
without coldfusion code that will actually be instructed to output
the query. If not, are there any hot cf/mssql hacking techniques to
steal database rows?

chazman113 wrote:
> Can a hacker retrieve rows through SQL injection
Yes, yes they can.
You are correct that there would need to be code to output
the data.
The hackers just use the code you already have built to
output data.
But then use SQL injection tricks to output more data then
the developer
intended for anybody to see.
Here is a blog that describe a real life example of just
that.
http://thedailywtf.com/Articles/Oklahoma-Leaks-Tens-of-Thousands-of-Social-Security-Number s,-Other-Sensitive-Data.aspx

SQL Injection with CF7 and MS SQL 2005

I looked through a bunch of SQL injection posts and couldn't
find a definitive answer to this...
Let me introduce this by saying that I know I should be using
CFQUERYPARAM with EVERY CF variable in a CFQUERY tag. No excuses.
But for a necessary quick fix, if I only use it for numeric
DB fields, is SQL injection still possible (using MS SQL 2005)?
I've yet to successfully perform SQL injection while manipulating a
variable surrounded by single quotes in the query.
Scenario 1) select * from users where user_id=#form.user_id#
...is a gimme to hack, but
Scenario 2) select * from users where
password='#form.password#' ...is another story
Has anyone ever heard of a successful SQL injection attack in
a Scenario 2 situation.
I'll fix everything up eventually, but I've got a Pen Test
coming up soon, and a lot of raw code to review.
Thanks

quote:
Originally posted by:
Dan Bracuk
What others can do is more relevent than what we think. When
in doubt, test.
very true, although my final solution went more like, "When
in doubt, manually add about 600 cfqueryparams in 406 cfquery
tags".

[ask] about oracle sql injection and escalation

Hello,i'm student , i'm studying oracle,now i want to research about oracle sql injection,i had read some tuttorial such as *'Hacking Oracle From Web,Advanced SQL Injection In Oracle Databases,Oracle Hacker HandBook ...'* but when i try to demo on localserver (11.0.1.6) but not run,and this is my demo
-- first,i created table users
create table users (name nvarchar2(50),pass nvarchar2(50))
-- then i created procedure with system user
create or replace procedure system.adduser(u nvarchar2,p nvarchar2)
as
begin
insert into users values(u,p);
end;
-- grant execute privilege to oc user
grant execute on adduser to oc
-- login with user oc and create a procedure
create or replace procedure sqli
as
begin
execute immediate 'grant dba to oc';
end;
-- and then,i run system's procedure
declare
begin
system.adduser('admin','admin'' ; execute immediate ''declare begin sqli() end;');
end;
i hope oracle master help me to i can understand and improving my knowledge
Thanks

The best forum for this is probably Forum Home » Java » SQLJ/JDBC
Presumably you are refering to oracle.sql.TIMESTAMP. While this is intended to (and does) correspond to java.sql.Timestamp it can't be a subclass because it needs to be a subclass of oracle.sql.Datum.

SQL Injection from PL/SQL function.

WE have some issues with a third party application which has vulnerabilities to SQL Injection, we have delivered a proof of concept to the developers demonstrating that it is possible to return additional (unrestricted) results to the front end, we have also found the following function in the back end. Assuming that its possible to call this function (which it is) and we can pass in whatever we want and that the user has exp_full_database and imp_full_database roles granted is there anything destructive possible with the following function?
FUNCTION row_count (tab_name VARCHAR2) RETURN INTEGER AS
rows INTEGER;
BEGIN
EXECUTE IMMEDIATE 'SELECT COUNT(*) FROM ' || tab_name INTO rows;
RETURN rows;
END;
version 11.2.0.3, linux x86

Simple example.
SQL> --// table to hack in production - we are going to nuke it
SQL> create table production_table1(
2          some_data       number
3 );
Table created.
SQL> --// production code typically executes with production rights (authid definer)
SQL> create or replace function RowCount( tabName varchar2 ) return integer authid definer is
2 --// code executes with the privs of the owner of the code
3          cnt     integer;
4 begin
5          execute immediate 'SELECT COUNT(*) FROM ' || tabName into cnt;
6          return( cnt );
7 end;
8 /
Function created.
SQL> --// expected use of production code
SQL> var i number
SQL> exec :i := RowCount( 'EMP' );
PL/SQL procedure successfully completed.
SQL> print i
         I
        14
SQL>
SQL> --// create the following in any schema that I, as hacker, have access to and the
SQL> --// right to create a procedure - and using "access/security escalation", I'm going
SQL> --// to get production code to run my code with production rights
SQL>
SQL> create or replace function InjectCode return integer authid current_user is
2 --// code executes with the privs of the caller of the code
3          pragma autonomous_transaction;
4 begin
5          execute immediate 'drop table PRODUCTION_TABLE1 purge';
6          return( 0 );
7 end;
8 /
Function created.
SQL>
SQL> --// production table is there
SQL> select object_type, object_name from user_objects where object_name = 'PRODUCTION_TABLE1';
OBJECT_TYPE                    OBJECT_NAME
TABLE                          PRODUCTION_TABLE1
SQL>
SQL> --// inject my code into production code
SQL> exec :i := RowCount( 'EMP where InjectCode() = 0' );
PL/SQL procedure successfully completed.
SQL> print :i
         I
        14
SQL> --// production table is nuked
SQL> select object_type, object_name from user_objects where object_name = 'PRODUCTION_TABLE1';
no rows selected
SQL>

Preventing SQL injection - can't use cfqueryparam in this case

Hello. I have a form with a checkbox next to each row. If the user checks some boxes, then clicks the "Delete" button, I want to execute the following query, but I want to protect it from sql injection attacks:
    <cfquery datasource="#application.mainDS#">
        delete userMessages
        where messageID in (#form.messageID#)
    </cfquery>
As written above, it works fine. But if I try to protect this code with <cfqueryparam value="#form.messageID#" cfsqltype="cf_sql_varchar">, I get this error: "Conversion failed when converting the varchar value '7,21' to data type int" (7 and 21 are the messageID's to be deleted). Obviously the comma prevents conversion to an integer.
If I use cfsqltype="cf_sql_integer", then the string gets converted to a single integer (in this case 40015, which is nonsense).
I tried passing form.messageID to a stored procedure, but I seemed to have the same problem there. I could run the query in a loop where I just delete one row at a time, but I'd like to run just one query if I can do it safely. Any ideas?
Thanks.
PK

I agree that you should not do an SQL "DELETE" from a web page. Instead, use "soft deletes," where you contrive for there to be a deleted_flag (boolean), and maybe deleted_by (varchar) and deleted_timestamp. Then create an SQL "VIEW" which automagically omits the "deleted" records.
It is also a very good idea to refer to the records using a nonsensical, made-up "moniker" instead of actual record-IDs. You see, "if I am a nasty person and I know that there is a record #123456, then I'll bet I know the record-IDs of 123,455 other records, too." But if you refer to the record as "QZB0E9S" and the next record-id in the list is "4Q_9RJPEM2" then it won't take me long to realize that I can't get too far, not even by brute-force. (And if I see that the record-IDs seem to have verification tags, like "QZB0E9S:4E396", then I know that I am really scroo'd in my hacking-attempt because even if I did somehow million-monkeys my way into a valid record-ID, I've got no earthly idea how to come up with the tag.
It pays to code defensively, like this. And it doesn't really take more time. Without question, always use <cfqueryparam> !!

SQL Injection, replace single quote with two single quotes?

Is replacing a single quote with two single quotes adequate
for eliminating
SQL injection attacks? This article (
http://www.devguru.com/features/kb/kb100206.asp
) offers that advice, and it
enabled me to allow users to search name fields in the
database that contain
single quotes.
I was advised to use "Paramaterized SQL" in an earlier post,
but I can't
understand the concept behind that method, and whether it
applies to
queries, writes, or both.

Then you can use both stored procedures and prepared
statements.
Both provide better protection than simply replacing
apostrophes.
Prepared statements are simple:
Set myCommand = Server.CreateObject("ADODB.Command")
...snip...
myCommand.CommandText = "INSERT INTO Users([Name], [Email])
VALUES (?, ?)"
...snip...
myCommand.Parameters.Append
myCommand.CreateParameter("@Name",200,1,50,Name)
myCommand.Parameters.Append
myCommand.CreateParameter("@Email",200,1,50,Email)
myCommand.Execute ,,128 'the ,,128 sets execution flags that
tell ADO not to
look for rows to be returned. This saves the expense of
creating a
recordset object you don't need.
Stored procedures are executed in a similar manner. DW can
help you with a
stored procedure through the "Command (Stored Procedure)"
server behavior.
You can see a full example of a prepared statement by looking
at DW's
recordset code after you've created a recordset using version
8.02.
"Mike Z" <[email protected]> wrote in message
news:eo5idq$3qr$[email protected]..
>I should have repeated this, I am using VBScript in ASP,
with an Access DB.
>

SQL Injection on CallableStatement

I will try to post this all in one line, as the tags are not working today. I know that one should use PreparedStatement over Statement to obviate the thread of a SQL injection attack. Is CallableStatement vulnerable as well? For reference, this would be running against an Oracle RDBMS. Thanks!
- Saish

I guess there is no hard-and-fast rule.Well, I guess the hard and fast rule is "only use
bound variables". If you've got a sane database
design then that shouldn't cause you any problems.
Dave.I agree. I was approaching the issue mainly from a security perspective in locking down a legacy system against SQL injection attacks. Using Eclipse, I was able to zero-in on usages of Statement fairly easily. But the more I looked into CallableStatement, the more I realized that I woud have to inspect each invocation manually. (Just in case someone did not bind variables or built a dynamic SQL string).
- Saish

SQL Injection and variable substitutions

Hello helpful forum, I'm trying to understand what really goes on "behind" the scenes
with the variable substitutions in order to protect from sql injections.
I'm using apex 3.0.0.00.20
The trickiest component seems to be a Report of type "pl/sql returning sql", since
multiple dynamic sql interpretations are done there.
consider the following innocent looking disaster:
DECLARE
l_out VARCHAR2(2000);
BEGIN
l_out := 'select * from test_injection t where t.name like ''%' || :NAME || '%''';
RETURN l_out;
END;
if NAME is a single quote the report will return:
failed to parse SQL query: ORA-00911: invalid character
which hints to the fact that NAME is not escaped, and you are in fact able to access db functions
as in: '||lower('S')||'
I also tried to put there a function that runs in a autonomous transaction to log its calls, and
I see that it's called five times for each request.
consider now the similar solution (notice the two single quotes):
DECLARE
l_out VARCHAR2(2000);
BEGIN
l_out := 'select * from test_injection t where t.name like ''%'' || :NAME || ''%''';
RETURN l_out;
END;
with this second example nothing of the above is possible.
So my theory (please confirm it or refute it) is that there is a first variable substitution done
at the pl/sql level (and in the second case :NAME is just a string so nothing is substituted).
Then the dynamic sql is executed and it returns the following string:
select * from test_injection t where t.name like '%' || :NAME || '%'
now another substitution is done (at an "APEX" level) and then query is finally executed to return
the rows to the report.
The tricky point seems to be that the first substitution doesn't escape the variable (hence the error
with the single quote), while the second substitution does.
Please let me know if this makes sense and what are the proper guidelines to avoid sql injection with
the different kinds of reports and components (SQL, pl/sql returning sql, processes, ...)
Thanks

Giovanni,
You should build report regions like this using the second method so that all bind variables (colon followed by name) appear in the resultant varchar2 variable, l_out in your example, which will then be parsed as the report query. This addresses not only the SQL injection problem but the shared-pool friendliness problem.
Scott

SQL Injection -- DBA role..

Hi all,
I'm working as a SQL Server DBA,Now a days we are facing issue with attacks(SQL Injection),most of attacks are taken care by Firewalls but still some attacks hitting Database.
As a DBA How to check whether database got effected
Please help me by providing hints and tips to analysis SQL injection.
Thanks in advance

There is no easy ways to detect sql injection. You should analyze activity against databases and work with developers to address it.
Basically, you can capture sql_completed/rpc_completed events in XEvent or SQL Trace and review them. Anything, which is not parameterized, could be the subject of injection attach (it depends on Client Code and implementation).
As the side note, script below provides you the list of the databases together with number of cached execution plans that were used just once. SQL Injection targets non-parameterized queries. So the databases with large number of single-used plans are more
likely to be affected. In any case, do not rely on output much - large number of single-used plans could be just the sign of bad design rather than being affected. As I said, you need to review client app code just to be sure.
select
epa.value as [DB ID],
db_name(convert(int,epa.value)) as [DB Name],
count(*) as [Single Use Plans]
from
sys.dm_exec_cached_plans p
cross apply sys.dm_exec_plan_attributes(plan_handle) AS epa
where
p.usecounts = 1 and
p.objtype in ('Adhoc','Prepared') and
epa.attribute = 'dbid'
group by
epa.value
option (recompile)
Thank you!
Dmitri V. Korotkevitch (MVP, MCM, MCPD)
My blog: http://aboutsqlserver.com

Sql injection

What is SQL Injection?
SQL Injection is a way to attack the data in a database through a firewall protecting it. It is a method by which the parameters of a Web-based application are modified in order to change the SQL statements that are passed to a database to return data. For example, by adding a single quote (‘) to the parameters, it is possible to cause a second query to be executed with the first.
An attack against a database using SQL Injection could be motivated by two primary objectives:
1. To steal data from a database from which the data should not normally be available, or to obtain system configuration data that would allow an attack profile to be built. One example of the latter would be obtaining all of the database password hashes so that passwords can be brute-forced.
2. To gain access to an organisation’s host computers via the machine hosting the database. This can be done using package procedures and 3GL language extensions that allow O/S access.
There are many ways to use this technique on an Oracle system. This depends upon the language used or the API. The following are some languages, APIs and tools that can access an Oracle database and be part of a Web-based application.
* JSP
* ASP
* XML, XSL and XSQL
* Javascript
* VB, MFC, and other ODBC-based tools and APIs
* Portal, the older WebDB, and other Oracle Web-based applications and API’s
* Reports, discoverer, Oracle Applications
* 3- and 4GL-based languages such as C, OCI, Pro*C, and COBOL
* Perl and CGI scripts that access Oracle databases
* many more.
Any of the above applications, tools, and products could be used as a base from which to SQL inject an Oracle database. A few simple preconditions need to be in place first though. First and foremost amongst these is that dynamic SQL must be used in the application, tool, or product, otherwise SQL Injection is not possible.
The final important point not usually mentioned in discussions about SQL injection against any database including Oracle is that SQL injection is not just a Web-based problem. As is implied in the preceding paragraph, any application that allows a user to enter data that may eventually end up being executed as a piece of dynamic SQL can potentially be SQL injected. Of course, Web-based applications present the greatest risk, as anyone with a browser and an Internet connection can potentially access data they should not.
While second article of this series will include a much more in-depth discussion of how to protect against SQL injection attacks, there are a couple of brief notes that should be mentioned in this introductory section. Data held in Oracle databases should be protected from employees and others who have network access to applications that maintain that data. Those employees could be malicious or may simply want to read data they are not authorized to read. Readers should keep in mind that most threats to data held within databases come from authorized users.
Protecting against SQL Injection on Oracle-based systems is simple in principle and includes two basic stages. These are:
1. Audit the application code and change or remove the problems that allow injection to take place. (These problems will be discussed at greater length in the second part of this series.)
2. Enforce the principle of least privilege at the database level so that even if someone is able to SQL inject an application to steal data, they cannot see anymore data than the designer intended through any normal application interface.
The “Protection” section, which will be included in the second part of this series, will discuss details of how to apply some of these ideas specifically to Oracle-based applications.
[http://www.securityfocus.com/infocus/1644]
how oracle prevent sql injections?

mango_boy wrote:
damorgan wrote:
And they do so using bind variables
http://www.morganslibrary.org/reference/bindvars.html
and DBMS_ASSERT
http://www.morganslibrary.org/reference/dbms_assert.html
do you have any suggestion for mysql users??Yes. Install Oracle.

Sql injection update signature

hi,
we are currently comparing cisco ips to tippingpoint, i have a cisco ips in front and tippingpoint in the back, so we are checking if cisco ips is missing on a lot of stuff , and currently it is missing on SQL injection attacks and cross scripting, which seems to be the weak point in cisco ips, its missing a lot on sql injection signatures, i mean why a simple update/set command does not have a signature ?

Thank you for your reply, do you know how to get in contact with the ips signature engineers at Cisco , i would like to share my comparaison with them as well as an attack that is passing all sql injection signature containing update but with u%pdate and the sql database is interpreting it as a normal update.

SQL injection hacks

Similar Messages

Maybe you are looking for