Tags: database, sql-server-2008-r2, server-side-attacks

My database is being attacked


I have a database running on SQL Server 2008 R2. I have problems with some columns' values.

I noticed that some fields' values are updated automatically.

They contain data like:

  • original value: 12345
  • dirty value: 12345<div style="display:none">why do husband cheat <a href="http://blog.businessdating.com/page/How-women-cheat">wifes that cheat</a> why do men cheat on their wife</div>

I don't know how this can happen or what kind of attack it is. In my application code, which is an ASP.NET WebForms application, I have no update statements, and some of the infected columns are not read from client input at all: they are foreign keys whose values are read from the database, so there is no way to put such dirty values in them.


Solution

  • I assume this is a SQL injection attack.

    The whole point of SQL injection attacks is that they find a single weakness to execute arbitrary SQL commands. If you're accepting input from the web, either for insert/update/delete/select queries, and you don't use parameterized queries, an attacker can access any table in your database and do with it as they want.

    Without more details, it's hard to be precise on how it might have worked - it appears to be a script as there are lots of pages on the internet with that same URL, and they all use .asp as the suffix.

    It's been way too long for me to remember ASP syntax, but I'll give it a whirl. I've also not bothered with HTML encoding to make this more legible.

    As an example, let's say you have a page where you can find out about products:

    http://myapp.com/customers.asp?productID=1
    

    When that page hits your server, you construct a SQL string:

    sql = "Select * from products where productID = " & Request.QueryString("productID")
    

    And you then execute that, showing the results on the page.

    In the normal case, your SQL request is Select * from products where productID = 1

    An attacker might manipulate the URL as follows:

    http://myapp.com/customers.asp?productID=1 union sp_help
    

    This would mean you execute

    Select * from products where productID = 1
    union
    sp_help
    

    And show the results on the resulting webpage. It would take a bit of trial and error to get the sp_help results to match the columns in product data, but eventually the attacker gets a complete database schema.

    If the attacker then wants to manipulate data, they might do something like

    http://myapp.com/customers.asp?productID=1; update lookupTable set description = description  + '<div style="display:none">why do husband cheat <a href="http://blog.businessdating.com/page/How-women-cheat">wifes that cheat</a> why do men cheat on their wife</div>'
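    The parameterized form of the product lookup the answer describes, as an added C# example for the asker's ASP.NET WebForms stack (this is not code from the question or the answer; the connection string, the `products` columns and the `lookupTable.description` column are assumptions). It keeps the vulnerable string concatenation alongside the hardened version, and adds a check for rows that already carry the hidden-div payload from the question.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

public static class ProductLookup
{
    // Vulnerable pattern from the answer: the request value is pasted into the SQL text,
    // so anything after the number ("1; update ...") is executed as SQL by the server.
    public static string BuildUnsafeSql(string rawProductId)
    {
        return "SELECT * FROM products WHERE productID = " + rawProductId;
    }

    // Hardened form: the SQL text is constant and the value travels as a typed parameter.
    // The client's input is compared as an int and is never parsed as SQL.
    public static DataTable GetProduct(string connectionString, string rawProductId)
    {
        // Validate and convert before the value reaches the database at all.
        if (!int.TryParse(rawProductId, out int productId))
        {
            throw new ArgumentException("productID must be an integer", nameof(rawProductId));
        }

        const string sql = "SELECT productID, name, price FROM products WHERE productID = @productID";
        var table = new DataTable();
        using (var connection = new SqlConnection(connectionString))
        using (var command = new SqlCommand(sql, connection))
        {
            command.Parameters.Add("@productID", SqlDbType.Int).Value = productId;
            using (var adapter = new SqlDataAdapter(command))
            {
                adapter.Fill(table);   // opens and closes the connection itself
            }
        }
        return table;
    }

    // Detection: count rows whose description already contains the injected hidden div
    // seen in the question. Table and column names are hard-coded (assumed), never taken from input.
    public static int CountTaintedRows(string connectionString)
    {
        const string sql = "SELECT COUNT(*) FROM lookupTable WHERE description LIKE @marker";
        using (var connection = new SqlConnection(connectionString))
        using (var command = new SqlCommand(sql, connection))
        {
            // LIKE pattern is passed as a parameter too; % wildcards surround the payload prefix.
            command.Parameters.Add("@marker", SqlDbType.NVarChar, 200).Value = "%<div style=\"display:none\">%";
            connection.Open();
            return Convert.ToInt32(command.ExecuteScalar());
        }
    }
}
```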