Well I got nailed today. My site INeedCoffee.com which is written using Classic ASP fell victim to a SQL Injection attack. The damage was limited to just one column in a table of nine rows.
Textbook SQL Injection Attack
Almost every example I’ve seen that explains SQL Injection shows how the WHERE clause is vulnerable to querystring manipulation.
sAuthorID = Request.QueryString("AuthorID") sSQL = "SELECT firstName, lastName FROM Author WHERE authorID = " & sAuthorID
This query can be nailed with a single quote and an OR clause to dump the entire table to the screen. Adding 1′ or ’1′=’1 to the querystring now yields this SQL.
SELECT firstName, lastName FROM Author WHERE authorID = 1 OR 1=1
Attacked Via a Column Sort
The attack I received came from appending additional SQL to ORDER BY clause. By clicking on the column header on the contributor page a column number is passed to the querystring. This was getting concatenated to a SQL statement.
EXAMPLE: http://ineedcoffee.com/by/michael_allen_smith/?s=1
The server-side ASP code looked like this:
sort = Request.QueryString("s") If Len(sort) Then sSQL = sSQL & " ORDER BY " & sort Else sSQL = sSQL & " ORDER BY C.Created DESC " End If
The hacker guessed the name of the table and one of the column names. From there it was an easy to hack together a querystring that looked like this:
http://ineedcoffee.com/by/michael_allen_smith/?s=1;UPDATE Section SET Name=’hacked’
A simple semicolon followed by an UPDATE statement. This was just one column on a minor lookup table. I’m grateful that he/she didn’t use the DROP TABLE command in the right sequence.
Locking It Down
Although ASP.NET has a nice feature to add parameters to dynamic SQL, Classic ASP is still best protected with stored procedures. Now the sort parameter goes into a stored procedure which can only perform SELECT. Prior to entering the stored procedure I’m now performing tests on length of the querystring (LEN) and determining if is an integer (IsNumeric).
