SQL injection occurs when an attacker is able to insert SQL statements into a query by manipulating the data an application accepts as input, for example through a web form or a URL query string.
In this post I’ll show what the SQL injection looked like and the solution to revert the affected data back, based on the attack. What I can say is that the attacker is quite a ‘nice’ person, since the SQL query did not do any big harm to the data itself.
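As an added example (not code from the original post), the construct that lets a request value become SQL, shown beside two fixes; the table, column and procedure names are made up for illustration:

```sql
-- Added example, not from the post: the construct that lets a request value
-- become SQL, beside two fixes. Table, column and procedure names are made up.
CREATE TABLE dbo.Products (ProductId INT PRIMARY KEY, Name NVARCHAR(100));
INSERT INTO dbo.Products (ProductId, Name) VALUES (1, N'Widget');
INSERT INTO dbo.Products (ProductId, Name) VALUES (2, N'Gadget');
GO

-- Vulnerable: the request value is pasted into the statement text. A value
-- that carries a ';' and a second statement (as the payload in this post does)
-- is executed by EXEC exactly as if the developer had written it.
CREATE PROCEDURE dbo.GetProduct_Unsafe @Id NVARCHAR(100)
AS
BEGIN
    DECLARE @Sql NVARCHAR(MAX);
    SET @Sql = N'SELECT Name FROM dbo.Products WHERE ProductId = ' + @Id;
    EXEC (@Sql);
END
GO

-- Fix 1: no dynamic SQL at all; the value is a typed parameter and can only
-- ever be compared against ProductId, never parsed as SQL.
CREATE PROCEDURE dbo.GetProduct_Safe @Id INT
AS
BEGIN
    SELECT Name FROM dbo.Products WHERE ProductId = @Id;
END
GO

-- Fix 2: where dynamic SQL is unavoidable, bind the value with sp_executesql
-- so it reaches the plan as data and is never concatenated into the text.
CREATE PROCEDURE dbo.GetProduct_Dynamic @Id INT
AS
BEGIN
    EXEC sp_executesql
        N'SELECT Name FROM dbo.Products WHERE ProductId = @Id',
        N'@Id INT', @Id = @Id;
END
GO

EXEC dbo.GetProduct_Safe @Id = 2;
EXEC dbo.GetProduct_Dynamic @Id = 1;
```

The same rule applies one layer up: whatever page code reads the form field or query string must pass it to the database as a bound parameter rather than gluing it into the statement text, because the IIS log only records that the value arrived, not that it was executed.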
From the IIS log file, below is what the attack looked like. Note that all the ‘XXX’ are not the original values.
Based on the above query string, the original values that were executed look like this.
DECLARE @T VARCHAR(255), @C VARCHAR(255)
DECLARE Table_Cursor CURSOR FOR
    SELECT a.name, b.name FROM sysobjects a, syscolumns b
    WHERE a.id = b.id AND a.xtype = 'u'
      AND (b.xtype = 99 OR b.xtype = 35 OR b.xtype = 231 OR b.xtype = 167)
OPEN Table_Cursor
FETCH NEXT FROM Table_Cursor INTO @T, @C
WHILE (@@FETCH_STATUS = 0)
BEGIN
    EXEC('UPDATE [' + @T + '] SET [' + @C + '] = RTRIM(CONVERT(VARCHAR(4000), [' + @C + '])) + ''''')
    FETCH NEXT FROM Table_Cursor INTO @T, @C
END
CLOSE Table_Cursor
DEALLOCATE Table_Cursor
That is a very powerful query: it gets all the user tables in the database using sysobjects and looks for columns whose type is NTEXT, TEXT, NVARCHAR or VARCHAR.
Then the query updates each such column to append an additional value, something like: original value + new value. See, that is why I say this guy is still a ‘nice’ person. I’m not sure what would have happened if the statement were something else.
The solution for this is very simple: we just need to revert to the original values using the statement below, reusing the same code the attacker used with minor modifications to cater for our update.
SET @Sqltext = "Update [" + convert(Varchar, @tab) + "] "
IF (@xtype=231) or (@xtype=167)
    SET @Sqltext = @Sqltext + "SET [" + convert(Varchar, @col) + "] = replace([" + convert(Varchar, @col) + "], '','')"
ELSE
    SET @Sqltext = @Sqltext + "SET [" + convert(Varchar, @col) + "] = substring([" + convert(Varchar, @col) + "],1,PATINDEX('%
(Let me know if you guys need the whole query, since I notice that my SQL code here is not properly displayed.)
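As an added, complete example that is not the post’s own script, the following T-SQL covers both steps discussed above: it enumerates the same tables and column types the payload targeted, reports how many rows in each column still carry the appended string, and (when the dry-run flag is cleared) strips that string. The value of @Injected is a labelled placeholder for the exact suffix the payload appended, which the post shows stripped out; sys.tables and sys.columns are used as the catalog-view equivalent of sysobjects and syscolumns so that tables outside the dbo schema are addressed correctly:

```sql
-- Added example, not from the post: scope and clean up the columns hit by the
-- cursor-based payload. @Injected is a PLACEHOLDER for the exact appended string.
SET NOCOUNT ON;

DECLARE @Injected NVARCHAR(4000);
SET @Injected = N'<INJECTED_STRING_PLACEHOLDER>';

DECLARE @DryRun BIT;
SET @DryRun = 1;   -- 1 = only report affected columns, 0 = actually strip the suffix

DECLARE @S SYSNAME, @T SYSNAME, @C SYSNAME, @TypeId INT, @Conv NVARCHAR(20),
        @Sql NVARCHAR(MAX), @Hits INT;

-- Same enumeration the payload used: user tables and columns of type
-- ntext (99), text (35), nvarchar (231) and varchar (167).
DECLARE Col_Cursor CURSOR LOCAL FAST_FORWARD FOR
    SELECT SCHEMA_NAME(t.schema_id), t.name, c.name, c.system_type_id
    FROM sys.tables t
    JOIN sys.columns c ON c.object_id = t.object_id
    WHERE c.system_type_id IN (99, 35, 231, 167);

OPEN Col_Cursor;
FETCH NEXT FROM Col_Cursor INTO @S, @T, @C, @TypeId;
WHILE @@FETCH_STATUS = 0
BEGIN
    -- text/ntext cannot be searched or REPLACEd directly, so round-trip through
    -- (n)varchar(max), keeping the Unicode/non-Unicode nature of the column.
    SET @Conv = CASE WHEN @TypeId IN (99, 231) THEN N'NVARCHAR(MAX)' ELSE N'VARCHAR(MAX)' END;

    -- 1. Scope: count rows in this column that still carry the injected suffix.
    --    The suffix is bound as a parameter, not concatenated into the text.
    SET @Sql = N'SELECT @n = COUNT(*) FROM ' + QUOTENAME(@S) + N'.' + QUOTENAME(@T)
             + N' WHERE CHARINDEX(@inj, CONVERT(' + @Conv + N', ' + QUOTENAME(@C) + N')) > 0';
    EXEC sp_executesql @Sql, N'@inj NVARCHAR(4000), @n INT OUTPUT',
                       @inj = @Injected, @n = @Hits OUTPUT;

    IF @Hits > 0
    BEGIN
        PRINT QUOTENAME(@S) + N'.' + QUOTENAME(@T) + N'.' + QUOTENAME(@C)
            + N': ' + CAST(@Hits AS NVARCHAR(10)) + N' affected rows';

        -- 2. Clean-up: remove the suffix, touching only the rows that carry it.
        IF @DryRun = 0
        BEGIN
            SET @Sql = N'UPDATE ' + QUOTENAME(@S) + N'.' + QUOTENAME(@T)
                     + N' SET ' + QUOTENAME(@C) + N' = REPLACE(CONVERT(' + @Conv + N', '
                     + QUOTENAME(@C) + N'), @inj, N'''')'
                     + N' WHERE CHARINDEX(@inj, CONVERT(' + @Conv + N', ' + QUOTENAME(@C) + N')) > 0';
            EXEC sp_executesql @Sql, N'@inj NVARCHAR(4000)', @inj = @Injected;
        END
    END

    FETCH NEXT FROM Col_Cursor INTO @S, @T, @C, @TypeId;
END
CLOSE Col_Cursor;
DEALLOCATE Col_Cursor;
```

Run it with @DryRun = 1 first and keep the printed list; it is the record of which columns were touched. One caveat worth checking before trusting the clean-up: the payload wrote RTRIM(CONVERT(VARCHAR(4000), column)) + suffix, so any value longer than 4000 characters was cut to 4000 and trailing spaces were dropped before the suffix went on. Stripping the suffix does not bring that data back; those rows need to come from a backup taken before the attack.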
Well, there are good and bad sides to this thing. I don’t want to talk about the bad things.
The good thing is, I learned new stuff.
On top of that, I also learned how to print getdate() using HEX, and no… I’m not a hacker, cracker or attacker.
Till then, adios, and have a nice weekend.