Preventing SQL injection
Here is a function that a reader wrote that does sanitizing of input for all inputted data.
I am not an asp function programmer so I can not claim that it is complete or correct
but it does appears to work.
This was written by Brian Erman.
Brian spent many hours testing and modifying to make it work. It has stopped
the insertion of bad data into their database. They have been using it now for
over 1 month and have not had a single SQL injection since they added this function.
It eliminates any string that contains the word "declare" and shoots them
off to Google. It also creates a new string from the old string character by
character into the new string. Not by moving the original character into the string.
It also replaces known keywords (i.e. insert, delete, etc...) that may cause
problems within SQL.
,,,,,,Begin Function,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
Function cleanchars(str)
'this gets put in the program that you want to cleans the data with.
'fname = cleanchars(trim(Request("xxxxx"))) <<<Function Call<<<<<<
'here is the call for the function
'Author:
'President Brian Erman
'Nopork Motorsports, Inc.
'2585 Hamner Ave,
'Norco CA 92860
'
'This is licensed under the creative commons attribution-noncommercial 3.0 framework
'http://creativecommons.org/licenses/by-nc/3.0/us/
'
'This function assumes you are using CDO as your object for sending mail, if
'you have CDONTS on your server, simply change the CDO to CDONTS and it
'should process exactly the same.
'
'
newstr = ""
if InStr(str, "'") > 0 then
str = ""
end if
if instr(str, "DECLARE") > 0 then
newstr = ""
Set Mailer = Server.CreateObject("CDO.Message")
Mailer.From = "Email_From"
Mailer.To = "Email_To"
Mailer.Subject = "Your_Domain Hacking Attempt"
msg = Date & VbCrLf & VbCrLf
msg = msg & "Hacking Blocked, but check the data" & VbCrLf & VbCrLf
msg = msg & "STR: " & str & " char " & char & VbCrLf & VbCrLf
msg = msg & "Here is the IP " & Request.ServerVariables("REMOTE_ADDR") & VbCrLf & VbCrLf
msg = msg & "Web Page " & Request.ServerVariables("URL") & VbCrLf & VbCrLf
msg = msg & "Host " & Request.ServerVariables("HOST") & VbCrLf & VbCrLf
msg = msg & "Length of String " & len(str) & vbcrlf & vbcrlf
Mailer.TextBody = msg
Mailer.Send
Set Mailer = nothing
Response.Redirect("http://www.google.com/")
end if
For ii = 1 to Len(str)
char = Mid(str,ii,1)
Select Case char
case " ", "a", "b", "c", "d", "e", "f", "g", "h", "i", "j",
"k", "l", "m", "n", "o", "p", "q", "r", "s", "t", "u", "v", "w", "x", "y",
"z", "A", "B", "C", "D", "E", "F", "G", "H", "I", "J", "K", "L", "M", "N",
"O", "P", "Q", "R", "S", "T", "U", "V", "W", "X", "Y", "Z", "0", "1", "2",
"3", "4", "5", "6", "7", "8", "9", "@", ".", "-", "_", "/", "&"
newstr = newstr & char
Case Else
Set Mailer = Server.CreateObject("CDO.Message")
Mailer.From = "Email_From"
Mailer.To = "Email_To"
Mailer.Subject = "Your_Domain Hacking Attempt"
msg = Date & VbCrLf & VbCrLf
msg = msg & "Hacking Blocked, but check the data" & VbCrLf & VbCrLf
msg = msg & "STR: " & str & " char " & char & VbCrLf & VbCrLf
msg = msg & "Here is the IP " & Request.ServerVariables("REMOTE_ADDR") & VbCrLf & VbCrLf
msg = msg & "Web Page " & Request.ServerVariables("URL") & VbCrLf & VbCrLf
msg = msg & "Host " & Request.ServerVariables("HOST") & VbCrLf & VbCrLf
msg = msg & "Length of String " & len(str) & vbcrlf & vbcrlf
Mailer.TextBody = msg
Mailer.Send
Set Mailer = nothing
End Select
Next
if len(str) > 350 then
newstr = ""
Response.Redirect("http://www.Your_Domain/")
end if
if instr(str, "DECLARE") > 0 then
newstr = ""
Response.Redirect("http://www.Your_Domain/")
end if
if instr(str, "declare") > 0 then
Response.Redirect("http://www.Your_Domain/")
end if
if instr(str, "www") > 0 then
Response.Redirect("http://www.Your_Domain/")
end if
newstr = Replace(lcase(newstr), " or ", "")
newstr = Replace(lcase(newstr), " and ", "")
newstr = Replace(lcase(newstr), " from ", "")
newstr = Replace(lcase(newstr), " into ", "")
newstr = Replace(lcase(newstr), "insert", "")
newstr = Replace(lcase(newstr), "update", "")
newstr = Replace(lcase(newstr), "set", "")
newstr = Replace(lcase(newstr), "where", "")
newstr = Replace(lcase(newstr), "drop", "")
newstr = Replace(lcase(newstr), "values", "")
newstr = Replace(lcase(newstr), "null", "")
newstr = Replace(lcase(newstr), "http", "")
newstr = Replace(lcase(newstr), "js", "")
newstr = Replace(lcase(newstr), "declare", "")
newstr = Replace(lcase(newstr), "script", "")
newstr = Replace(lcase(newstr), "xp_", "")
newstr = Replace(lcase(newstr), "CRLF", "")
newstr = Replace(lcase(newstr), "%3A", "")'; HEX
newstr = Replace(lcase(newstr), "%3B", "")':
newstr = Replace(lcase(newstr), "%3C", "")'<
newstr = Replace(lcase(newstr), "%3D", "")'=
newstr = Replace(lcase(newstr), "%3E", "")'>
newstr = Replace(lcase(newstr), "%3F", "")'?
newstr = Replace(lcase(newstr), """, "")'"
newstr = replace(lcase(newstr), "&", "")'&
newstr = replace(lcase(newstr), "<", "")'<
newstr = replace(lcase(newstr), ">", "")'&
newstr = replace(lcase(newstr), "exec", "")'&
newstr = replace(lcase(newstr), "onvarchar", "")'&
newstr = replace(lcase(newstr), "set", "")'&
newstr = replace(lcase(newstr), " cast ", "")'&
newstr = replace(lcase(newstr), "00100111", "")'
newstr = replace(lcase(newstr), "00100010", "")';
newstr = replace(lcase(newstr), "00111100", "")'<
newstr = replace(lcase(newstr), "select", "")'<
newstr = replace(lcase(newstr), "0x", "")'<
newstr = replace(lcase(newstr), "exe", "")'<
newstr = replace(lcase(newstr), "delete", "")'<
newstr = replace(lcase(newstr), "go ", "")'<
newstr = replace(lcase(newstr), "create", "")'<
newstr = replace(lcase(newstr), "convert", "")'<
cleanchars = newstr
End Function
,,,,,,End Function,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
Additionally several sites have published documents describing how to prevent SQL injection.
Open Web Application Security Project:
http://www.owasp.org/index.php/Preventing_SQL_Injection_in_Java#Defence_Strategy
Canadian Cyber Incident Response Centre:
http://www.publicsafety.gc.ca/prg/em/ccirc/_fl/tr08-001-Alleviating-the-threat-of-mass-sql-injection-attacks-eng.pdf
UPDATE: Jason Lam wrote two additional diaries that have additional information on preventing SQL injection.
http://isc.sans.org/diary.html?storyid=4621
http://isc.sans.org/diary.html?storyid=4610
SSH scans, source port 80?
Got an email today from a reader named Justin (thank you Justin) who asks us if we have seen alot of SSH scans with a source port of 80 before. Of course, the answer is yes, but only in test cases!
I've never actually seen this take place on the internet, (well, yes, I have, but very very rarely), and of course I can cause it with certain nmap settings. But this kind of scanning isn't commonplace, afaik, to an automated tool or script kiddie run.
Any information that anyone could provide so that we can help out Justin, and of course the rest of the readers of the Internet Storm Center would be much appreciated. Please write in via that Contact link at the top of our home page. Thank you.
--
Joel Esler
Comments
Anonymous
Dec 3rd 2022
9 months ago
Anonymous
Dec 3rd 2022
9 months ago
<a hreaf="https://technolytical.com/">the social network</a> is described as follows because they respect your privacy and keep your data secure. The social networks are not interested in collecting data about you. They don't care about what you're doing, or what you like. They don't want to know who you talk to, or where you go.
<a hreaf="https://technolytical.com/">the social network</a> is not interested in collecting data about you. They don't care about what you're doing, or what you like. They don't want to know who you talk to, or where you go. The social networks only collect the minimum amount of information required for the service that they provide. Your personal information is kept private, and is never shared with other companies without your permission
Anonymous
Dec 26th 2022
9 months ago
Anonymous
Dec 26th 2022
9 months ago
<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> nearest public toilet to me</a>
<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> public bathroom near me</a>
Anonymous
Dec 26th 2022
9 months ago
<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> nearest public toilet to me</a>
<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> public bathroom near me</a>
Anonymous
Dec 26th 2022
9 months ago
Anonymous
Dec 26th 2022
9 months ago
https://defineprogramming.com/
Dec 26th 2022
9 months ago
distribute malware. Even if the URL listed on the ad shows a legitimate website, subsequent ad traffic can easily lead to a fake page. Different types of malware are distributed in this manner. I've seen IcedID (Bokbot), Gozi/ISFB, and various information stealers distributed through fake software websites that were provided through Google ad traffic. I submitted malicious files from this example to VirusTotal and found a low rate of detection, with some files not showing as malware at all. Additionally, domains associated with this infection frequently change. That might make it hard to detect.
https://clickercounter.org/
https://defineprogramming.com/
Dec 26th 2022
9 months ago
rthrth
Jan 2nd 2023
8 months ago