Installation

Coordinator
Dec 6, 2007 at 4:05 PM
Installation questions
Dec 28, 2007 at 2:25 AM
Do you just run the installer? I checked the sites in IIS 6 and did not see any ISAPI filters set up.

Thanks.
Coordinator
Dec 28, 2007 at 6:59 AM
Edited Dec 28, 2007 at 8:18 AM
Hi MDevich,

1. When you run the installation you just put the files in the right location:
Normally C:\Program Files\Rodney Viana\Clip SQL Injection ISAPI\

2. If everything is ok, this will show when you run C:\Program Files\Rodney Viana\Clip SQL Injection ISAPI\RegexsearchTest.exe.
You should see:
Old URL = http://test.asp?test1=fkjdshfjhj&test2=asdhj%3d'edd&test3=1or1%3d1&test3=;1oracle1
New URL = test1=fkjdshfjhj&test2=asdhj%3d''edd&test3=1*or*1%3d1&test3=,1oracle1

Type in 0 and hit enter and you should exit the application. Jump to step 4.
If the Visual C++ Runtime is not installed you should see an error instead. If so, see step 3.

3. Make sure Visual Studio 2005 Runtime is installed. Download it from here:
http://www.microsoft.com/downloads/details.aspx?familyid=200B2FD9-AE1A-4A14-984D-389C36F85647&displaylang=en

4. Run IIS Manager: Start | Administrative Tools | Internet Information Services (IIS) Manager. The IIS Manager pops up.

5. Go to Web Service Extensions.

6. Click the link "Add a new Web service extension..."

7. Enter the full name of the dll (normally C:\Program Files\Rodney Viana\Clip SQL Injection ISAPI\ISAPIClipSQLInjection.dll)

8. Make sure that "Set extension status to Allowed" is set and click OK.

To ensure the ISAPI is bound to an application:

9. Choose the application. Right-click and choose properties.

10. Go to the "Virtual Directory" tab.

11. Click "Configuration"

12. On "Wildcard implementation maps", click Insert.

13. Enter DLL name between quote marks (normally "C:\Program Files\Rodney Viana\Clip SQL Injection ISAPI\ISAPIClipSQLInjection.dll")

14. Click OK, then OK.

The web application should work. I also posted a step-by-step installation instruction video in the release files.

Let me know if it worked.

Thanks,

Rodney Viana
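
Added example (not part of the original thread and not the filter's own code): a Python check for step 2 that compares captured RegexsearchTest.exe output with the Old URL / New URL pair quoted above and reproduces the three rewrites visible in it. The rewrite rules and all function names are assumptions inferred from that single sample pair; the filter's real expressions are not shown on this page.

```python
import re

# The sample pair quoted in the post above, copied verbatim.
OLD_URL = "http://test.asp?test1=fkjdshfjhj&test2=asdhj%3d'edd&test3=1or1%3d1&test3=;1oracle1"
NEW_URL = "test1=fkjdshfjhj&test2=asdhj%3d''edd&test3=1*or*1%3d1&test3=,1oracle1"

# Assumption: rules inferred from that single pair, not the filter's real regexes.
# "or" is wrapped only when it is not part of a longer word ("oracle" is untouched).
_OR_TOKEN = re.compile(r"(?<![A-Za-z])or(?![A-Za-z])", re.IGNORECASE)

def rewrite_value(value):
    """Apply the three rewrites visible in the sample to one parameter value."""
    value = value.replace("'", "''")   # single quote is doubled
    value = value.replace(";", ",")    # statement separator becomes a comma
    return _OR_TOKEN.sub(lambda m: "*" + m.group(0) + "*", value)

def rewrite_query(url):
    """Drop everything up to '?' and rewrite each value, leaving names alone."""
    query = url.split("?", 1)[1] if "?" in url else url
    pairs = (p.partition("=") for p in query.split("&"))
    return "&".join(name + sep + rewrite_value(val) for name, sep, val in pairs)

def check_test_output(console_text):
    """Compare captured RegexsearchTest.exe output with the expected pair."""
    found = {}
    for line in console_text.splitlines():
        key, sep, val = line.partition("=")
        if sep and key.strip() in ("Old URL", "New URL"):
            found[key.strip()] = val.strip()
    if "New URL" not in found:
        return False, "no Old URL/New URL lines (blank window or runtime error)"
    if found["New URL"] != NEW_URL:
        return False, "New URL differs from the expected rewrite"
    return True, "output matches the expected rewrite"

if __name__ == "__main__":
    print(rewrite_query(OLD_URL))
    print(check_test_output("Old URL = " + OLD_URL + "\nNew URL = " + NEW_URL))
```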


Jun 29, 2008 at 3:41 PM
Thanks for the excellent filter. It seems to work well so far, however we are getting periodic IIS worker process errors from our ASP applications where we have installed the filter:

"Faulting application w3wp.exe, version 6.0.3790.1830, faulting module msvcr80d.dll, version 8.0.50727.42, fault address 0x0005275"

Any idea why this is happening and a way to prevent it?

Thanks,

John McTigue
Coordinator
Jun 30, 2008 at 6:05 PM

Please refer to the appropriate thread to see the response.

Thanks,

Rodney
Sep 1, 2008 at 12:33 PM
Hi,

I have numerous web sites on my server but only want this installed on my classic ASP website. Can you confirm that when I install it, it only affects the websites it's installed on?

Also, if I don't run the installation and just copy the files to a hard disk location, can you confirm only the wildcard configuration is required.
From the steps below, I cannot follow steps 5-9 on my IIS 6.0 installation; I do not seem to have a Web Service Extensions tab.

Thanks
Vinny

4. Run IIS Manager: Start | Administrative Tools | Internet Information Services (IIS) Manager. The IIS Manager pops up.

5. Go to Web Service Extensions.

6. Click the link "Add a new Web service extension..."

7. Enter the full name of the dll (normally C:\Program Files\Rodney Viana\Clip SQL Injection ISAPI\ISAPIClipSQLInjection.dll)

8. Make sure that "Set extension status to Allowed" is set and click OK.

To ensure the ISAPI is bound to an application:

9. Choose the application. Right-click and choose properties.

10. Go to the "Virtual Directory" tab.

11. Click "Configuration"

12. On "Wildcard implementation maps", click Insert.

13. Enter DLL name between quote marks (normally "C:\Program Files\Rodney Viana\Clip SQL Injection ISAPI\ISAPIClipSQLInjection.dll")

14. Click OK, then OK.
Coordinator
Sep 1, 2008 at 6:45 PM
Hi Aro,

It only affects the web application you install it on and no other application. I don't know why you don't have Web Services Extensions in your IIS. Make sure you are logged in as system administrator. Also make sure your IIS installation is correct. There is also a downloadable video in the release area with step-by-step instruction.

Cheers,

Rodney
Sep 5, 2008 at 10:24 AM
Hi Rodney, thank you for this excellent application. I have installed it as per your video and it went OK. I have a couple of questions. When performing the test at the end, I got the following output:

Request.Form("field1") ';drop table
Request.Querystring("field1") 123;Declare @a;Set @=123;Exec(@);
Request("field1") 123;Declare @a;Set @=123;Exec(@);
Request.Form("field2") 1or1=1;field2;1orca2;'''&test5=3434

This was a little different to your video. Has my installation worked ok?

My second question is that I have added the SQL Injection Filter to the web service extensions and allowed it. Do I now have to bind it to all the individual websites somehow for it to work, or will it automatically work on them all?

Thanks!
Coordinator
Sep 5, 2008 at 3:49 PM
Hi Coups,

You have to bind the filter (wildcard ISAPI) to each application you want to have filtered. It is not a Web Server-wide filter. The video shows how to do it. Let me know if you need further assistance.

Cheers,

Rodney
Sep 7, 2008 at 10:12 PM

Thank you Rodney. I cannot see in the video how I should bind it to each individual site I have under IIS. I have added it to the web services extensions as outlined in the video but am not sure whether I now need to go into each site to somehow bind it. Sorry if I am missing something.

Thanks.

Kind regards,

Luke

Sep 7, 2008 at 10:36 PM

Actually, I have seen what you have done when you bind it to the application. I have tried this but it renders the site pages unavailable for some reason... hmm, any ideas?

Thanks for your advice.

Kind regards,

Luke

Coordinator
Sep 11, 2008 at 1:33 AM
Did the test app work? Did you set the filter as safe?
Oct 15, 2008 at 5:20 PM
Hi Rodney,
I recently installed the filter and as a result I am no longer able to upload files (.pdf, .doc etc) or images to the server via my forms when their enctype is set to multipart/data. Also, if the form's enctype is set to multipart/data and you do not upload any files, the receiving page cannot retrieve the values entered in simple text boxes and instead the values are set to null or blank. The website is built using classic ASP. Are you aware of this problem? Is there a workaround for this?

Thanks in advance,
Jason
Coordinator
Oct 16, 2008 at 1:10 AM
Hi Jason,

I am aware of this problem. The version I am working on now will enable you to keep a list of excluded files which won't be filtered. I am about to finish it and when I have it tested I will release. The timeframe is about a month for the new release.

Thanks,

Rodney
Oct 16, 2008 at 12:07 PM
OK thanks. Look forward to the release.

Jason
Coordinator
Nov 6, 2008 at 4:02 PM
Hi Jason,

Please download version 2.
Feb 21, 2009 at 12:59 PM
Hi,
Thanks for your advice, I really appreciated it.

Aug 3, 2009 at 11:12 PM
Edited Aug 4, 2009 at 12:21 AM

Hi Rodney, 

I installed but never saw this in the cmd window

Old URL = http://test.asp?test1=fkjdshfjhj&test2=asdhj%3d'edd&test3=1or1%3d1&test3=;1oracle1
New URL = test1=fkjdshfjhj&test2=asdhj%3d''edd&test3=1*or*1%3d1&test3=,1oracle1

All I see is a large white box open with no data in it.

Additionally, I was attempting to bind it to my applications, however my control panel is Plesk, which seems to take over IIS. If I install the application using IIS, my site asks for login authentication from the browser. I believe this is because it is outside the security settings for the domain Plesk is governing. Do you have any options to join the two? They do have a section to upload application packages, but neither the .zip nor the .exe uploads there.

Thoughts?

Aug 4, 2009 at 7:30 PM
Edited Aug 4, 2009 at 7:31 PM

Rodney, I answered my own question. I just did a system-wide security change to allow this .dll and that seemed to solve the problem. So hopefully that helps any Plesk users out there. However I still see the white window as opposed to the cmd window using the /exe, but in using the test given by you, I now see that the inputted text is changed upon submission - so it looks like it's working right.

As I bind this to the rest of my applications, time will tell and I'll hit you back. Thanks. 

Sep 20, 2010 at 5:03 PM

>  I just did a system-wide security change to allow this...

What he means is, if you're using Plesk, you must do this:

Right click: "C:\Program Files\Rodney Viana\Clip SQL Injection ISAPI"

Click on PSAADM. Rights should be DENY. Click ALLOW on all.

Click on PSACLN. Rights should be DENY. Click ALLOW on all.