Current location: Hot Scripts Forums » Programming Languages » ASP » SQl Injection through ASP and MS SQl 2000


SQl Injection through ASP and MS SQl 2000

Reply
 
LinkBack Thread Tools Display Modes
  #1 (permalink)  
Old 10-27-07, 02:39 AM
cancer10 cancer10 is offline
Wannabe Coder
  
Join Date: Oct 2006
Location: India
Posts: 154
Thanks: 0
Thanked 0 Times in 0 Posts
Question SQl Injection through ASP and MS SQl 2000
Hello,


I have heard a lot about SQL Injection. I was wondering how does an injector come to know about the table/column name when they cannot see the asp codes in a website?

Can someone explain plz?



Thanx
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiShare on FacebookShare on Stumble UponShare on Twitter
Reply With Quote
  #2 (permalink)  
Old 10-27-07, 12:05 PM
End User's Avatar
End User End User is offline
Level II Curmudgeon
  
Join Date: Dec 2004
Posts: 3,027
Thanks: 14
Thanked 35 Times in 33 Posts
Try here for a simple explanation:

http://www.securiteam.com/securityre...DP0N1P76E.html
__________________
I don't live on the edge, but sometimes I go there to visit.
-------------------------------------------------------------------------
Sanitize Your Data | Oracle Date & Substring Functions | Code Snippet Library | [url=http://www.codmb.com/Call Of Duty[/url]
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiShare on FacebookShare on Stumble UponShare on Twitter
Reply With Quote
  #3 (permalink)  
Old 11-03-07, 06:44 PM
koncept
Guest
  
Posts: n/a
there is also this one from the sans institue, they have some good information usually.

https://www2.sans.org/reading_room/w...ication/52.php
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiShare on FacebookShare on Stumble UponShare on Twitter
Reply With Quote
  #4 (permalink)  
Old 11-24-07, 04:32 PM
MadDog MadDog is offline
Code Master
  
Join Date: Aug 2003
Posts: 935
Thanks: 0
Thanked 0 Times in 0 Posts
SQL injection allows anyone to break a SQL statement and destroy your database.

The best way to prevent this is to strip anything you might put into a SQL statement.

A simple SQL Inject would be:

URL Should be: yourpage.asp?ID=1
But someone enters: yourpage.asp?ID=1;Drop Table TableName;
That would drop the table "TableName" from your database!

To prevent that, your number should be filtered, so you would use Clng or Cint
Code:
intItemNumber = Clng(Request("ID"))

strSQL = "SELECT * From TableName WHERE ID=" & ID & ";"
If your passing a string, you only need to filter out one thing, the ' character:
Code:
strString = Replace(Request("Name"), "'", "''")

strSQL = "SELECT * From TableName WHERE Name='" & strString & "';"
Now you should look up XSS hacks and how to prevent that if you allow user inputs.
__________________
Drew Gauderman
ASP - MSSQL Coder / Buisness Owner / Coder for Hire!
MSN-ICQ-AIM-YIM in Profile
http://www.iportalx.net an easy ASP portal system.
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiShare on FacebookShare on Stumble UponShare on Twitter
Reply With Quote
  #5 (permalink)  
Old 11-28-07, 04:25 AM
GO4TF4CE's Avatar
GO4TF4CE GO4TF4CE is offline
Wannabe Coder
  
Join Date: Apr 2004
Posts: 223
Thanks: 0
Thanked 0 Times in 0 Posts
For additional security you can setup 2 different users for the database, one with full permissions for your CMS for example and the another for the front end of your site with limited permissions.

Our company now uses this as an extra precaution as we had a lot of foreign people trying to hack our sites.
__________________
Intelligence is not knowledge, but the way we use our knowledge.
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiShare on FacebookShare on Stumble UponShare on Twitter
Reply With Quote
  #6 (permalink)  
Old 12-18-07, 02:30 PM
algorithm algorithm is offline
Newbie Coder
  
Join Date: Dec 2007
Posts: 5
Thanks: 0
Thanked 0 Times in 0 Posts
The idea of SQl injection is to convince the application to run SQL code that was not intended

The attacker can know the table names from the error messages (error (server failure) returned by the SQl server.

First apply blind SQl injection And some guess work will get you the error messages that will have useful information. From this information shown by the error messages ,one can have the database table names

Regards
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiShare on FacebookShare on Stumble UponShare on Twitter
Reply With Quote
Reply

Bookmarks

« Nested loop problems... | ADODB.Recordset error '800a0cc1' »

Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)
 
Thread Tools
Display Modes
Linear Mode Linear Mode

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are On
Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
ASP/ MS ACCESS Pro Sharda ASP 2 10-12-05 08:15 AM
Reading MS Word text with ASP. af11kcc ASP 11 05-11-05 06:18 PM
ASP and MS SQL Assistance knoufal Job Offers & Assistance 2 01-17-05 06:01 AM
2000 MB space - 40GB/month transfer- Asp, ASP.NET, Php,MySQL, MS SQL Firefrog General Advertisements 0 07-29-04 05:54 PM
E-Mail from ASP form to MS Exchange rschrab ASP 0 04-20-04 05:41 PM


All times are GMT -5. The time now is 12:37 PM.
vBulletin® Copyright ©2000 - 2012, Jelsoft Enterprises Ltd.