Still possible to execute SQL statement if defined in the form action attribute

May 20, 2008 at 8:53 PM
default.asp
<form method="post" action="show.asp?PageID=123;Declare @a;Set @=123;Exec(@);">
</form>

show.asp
<%
Response.Write Request.QueryString("PageID")
%>

Output
123;Declare @a;Set @=123;Exec(@);

Result
If Request.QueryString("PageID") is used anywhere in building the SQL, the above code will be executed like a charm.

Possible Solution
Parse both the Post and Get requests. The best solution I've found so far to overcome SQL injection in both Get and Post is using the script at the following URL:

Title: Filtering SQL injection from Classic ASP
URL: http://blogs.iis.net/nazim/archive/2008/04/28/filtering-sql-injection-from-classic-asp.aspx

Even the above script fails to prevent SQL injection in the GET request unless the whole query string is parsed using the QUERY_STRING server variable.

Coordinator
May 21, 2008 at 7:44 PM

Are you sure you tested it? The ISAPI filters both GET and POST and PageID would be:

123,Declare @a,Set @a=123,Exec(@) (changing ";" to ",").

Let me know if I am wrong.

 

Thanks,

 

Rodney



May 24, 2008 at 7:42 PM
Hi rviana. I think your ISAPI filter is cool, but naumanahmed is right. I did exactly what he did and I got the result he had.

Output was
123;Declare @a;Set @=123;Exec(@);

and not 
123,Declare @a,Set @a=123,Exec(@)


Coordinator
May 24, 2008 at 8:23 PM

Naumanahmed and Niio,

Thanks for the feedback. The application was designed to handle both GET and POST. You have probably discovered a bug that appears when you explicitly use "POST" and send "GET" information as well. I will investigate the problem and will post a new version as soon as it is finished. I am also preparing a new version and I need some testers, and I was wondering if you guys would like to help.

 

Thanks,

 

Rodney

Coordinator
May 24, 2008 at 9:41 PM

UPDATE:

I could not reproduce the problems you suggested. Have you really tested? The output was:

PageID  123,Declare @a,Set @=123,Exec(@)

These are the files as I created:

test.asp:
<html>
<head></head>
<body>
<form method="post" action="show.asp?PageID=123;Declare @a;Set @=123;Exec(@);">
<table>
<tr>
<td>Value</td>
<td><input type="text" name="Field1" value="1;delete xxx;"></td>
</tr>
</table>
<input type="submit" value="Send">
</form>
</body>
</html>



Show.asp:
<html>
<body>
<form method="post" target="show.asp">

<table>
<tr>
<td>PageID</td>
<td><%= Request.QueryString("PageID") %></td>
</tr>
</table>

</form>
</body>
</html>

Please let me know what I am missing.

May 25, 2008 at 1:17 AM
Wow! Are we using the same version of ClipSQLInjection? I ask this because I repeated my test with the files you have just provided. The output I got was exactly the same as the input. I don't get it. Maybe I'll have to send you a screen dump or something.

Yea! I would love to help test the new version. Cheers

Coordinator
May 25, 2008 at 1:52 AM
Hi Niio,

I provide a test application with the installation. See if it is working with the test app. If it is not, probably something is misconfigured.

Thanks,

Rodney

PS.: I will release beta versions of the new edition and I will ping you to see if you want to test.

May 26, 2008 at 1:08 PM
Edited May 26, 2008 at 1:13 PM

Hi Rodney,

The test application you provided successfully filters the contents of form fields. But it is unable to filter arguments passed.

This is the original content of default.asp:

<html>
<body>
<form method="post" action="show.asp">
<table>
<tr>
<td>Field 1</td>
<td><input type='text' name='field1' value="';delete from table"></td>
</tr>
<tr>
<td>Field 2</td>
<td><input type='text' name='field2' value="1or1=1;field2;1orca2;'''&test5=3434"></td>
</tr>
</table>
<input type=submit name=b1>
</form>
</body>
</html>

When the show.asp file loads it is clear that the form fields have been filtered. But when I alter the line in default.asp that reads
<form method="post" action="show.asp">

to look like this:
<form method="post" action="show.asp?PageID=123;Declare @a;Set @=123;Exec(@);">
a response.write(request.querystring("PageID")) shows that PageID was not filtered.

Now I noticed something. After show.asp has loaded I placed the cursor in the address bar, pressed the Enter key and voilà!! It worked. PageID was filtered. Can you explain that?

 


May 26, 2008 at 4:51 PM
UPDATE

It works. I overlooked something.

default.asp
<form method="post" action="show.asp?PageID=123;Declare @a;Set @=123;Exec(@);">
</form>

That will only happen if the attacker has access to and can alter your asp source file. If he can't do that, then there is nothing to worry about. That is even if you agree that

show.asp
<%
Response.Write Request.QueryString("PageID")
%>

will give the

Output
123;Declare @a;Set @=123;Exec(@);


You can decide to have show.asp load, then alter the URL in your web browser's address bar to look something like this

http://www.somesite.com/show.asp?PageID=123;Declare @a;Set @=123;Exec(@);

and then press the Enter key. The output of

show.asp
<%
Response.Write Request.QueryString("PageID")
%>

will be 

PageID  123,Declare @a,Set @=123,Exec(@)

Good work, Rodney
Aug 22, 2008 at 8:45 PM
It is still possible to get a SQL injection attack using the action attribute as a hacker. All I have to do is download your form to my computer and alter the action attribute to action="show.asp?mybaddata=XXXXX"

At this point though the receiving asp page isn't expecting a variable called mybaddata, thus it really won't do anything... so instead of using mybaddata as the variable name, use the name of one of the posted form's field names.

In the standard default.asp page I used "field1".

This will send 2 field1's to the receiving asp page. One in the request.form and one in the request.querystring. As long as the developer of the receiving form accesses data using request.form or request.querystring, you are still ok... but if they access it just using request("field1") then it will cycle through the members of the request object looking for anything called field1. You guessed it, it grabs the querystring first.

To stop this the only thing I can think of is to add some sort of protection on your server to not allow posts from the outside world... I am working on that now. If you have any ideas let me know.

Thanks,

Zack

Here are my 2 asp pages demonstrating this.

default.asp

<html>
<body>
<form method="post" action="show.asp?field1=123;Declare @a;Set @=123;Exec(@);">

<table>
<tr>
<td>Field 1</td>
<td><input type='text' name='field1' value="';jdksdsa"></td>
</tr>
<tr>
<td>Field 2</td>
<td><input type='text' name='field2' value="1or1=1;field2;1orca2;'''&test5=3434"></td>
</tr>
</table>
<input type=submit name=b1>
</form>

</body>
</html>


show.asp

<html>
<body>
<form method="post" target="show.asp">

<table>
<tr>
<td>Request.Form("field1")</td>
<td><%= Request.Form("field1") %></td>
</tr>
<tr>
<td>Request.Querystring("field1")</td>
<td><%= Request.Querystring("field1") %></td>
</tr>
<tr>
<td>Request("field1")</td>
<td><%= Request("field1") %></td>
</tr>
<tr>
<td>Request.Form("field2")</td>
<td><%= Request.Form("field2") %></td>
</tr>
</table>
</form>

</body>
</html>
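The two developer-side mistakes this thread keeps circling back to are concatenating Request.QueryString("PageID") into SQL text (naumanahmed's opening post) and reading a field through the unqualified Request("field1") collection, which searches QueryString before Form so the copy planted in the action URL wins (Zack's post above). The following show.asp is an added example written for this discussion; it is not code from the thread or from the ClipSQLInjection/IIS6SQLInjection project. It assumes a placeholder connection string and a hypothetical table dbo.Pages(PageID int, Field1 nvarchar(100)); both are stand-ins you would replace with your own.

```asp
<%
Option Explicit
' Added example, not code from this thread or from the project discussed.
' CONN_STR and dbo.Pages(PageID int, Field1 nvarchar(100)) are placeholders.

Const CONN_STR = "Provider=SQLOLEDB;Data Source=(local);Initial Catalog=PLACEHOLDER_DB;Integrated Security=SSPI;"
' ADO constants (same values as adovbs.inc) so the page runs without an include
Const adCmdText    = 1
Const adInteger    = 3
Const adVarWChar   = 202
Const adParamInput = 1

' 1. Read each value from the specific collection it is expected in.
'    Request("field1") would return the QueryString copy first, so a
'    duplicate planted in the form's action URL would shadow the posted field.
Dim field1, rawPageID
field1    = Request.Form("field1")
rawPageID = Request.QueryString("PageID")

' 2. Whitelist-validate the identifier: one to nine decimal digits and nothing
'    else. "123;Declare @a;Set @=123;Exec(@);" fails this test and is rejected
'    before any database work happens. (IsNumeric is too loose: it accepts
'    forms such as "1e3" and "&H10".)
Dim re
Set re = New RegExp
re.Pattern = "^\d{1,9}$"
If Not re.Test(rawPageID) Then
    Response.Status = "400 Bad Request"
    Response.Write "Invalid PageID"
    Response.End
End If

' 3. Pass values as parameters. The SQL text is fixed; the parameter values
'    are sent separately by the OLE DB provider and are never parsed as SQL,
'    so a ";" in field1 is stored as data rather than starting a new statement.
Dim conn, cmd, affected
Set conn = Server.CreateObject("ADODB.Connection")
conn.Open CONN_STR
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = adCmdText
cmd.CommandText = "UPDATE dbo.Pages SET Field1 = ? WHERE PageID = ?"
cmd.Parameters.Append cmd.CreateParameter("@Field1", adVarWChar, adParamInput, 100, field1)
cmd.Parameters.Append cmd.CreateParameter("@PageID", adInteger, adParamInput, , CLng(rawPageID))
cmd.Execute affected
conn.Close

' Encode anything echoed back so the page does not trade SQL injection for XSS.
Response.Write "Rows updated: " & Server.HTMLEncode(CStr(affected))
%>
```

With this shape the ISAPI filter's ";" to "," rewriting becomes defence in depth rather than the only barrier: whether or not the filter sees the query string, the value never reaches SQL Server as part of a statement, and a hex-encoded payload (raised later in the thread) is just another string that fails the digit check or lands in a parameter.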

Coordinator
Aug 23, 2008 at 2:49 AM

Hi Zachary,

Thanks for testing the application. I could reproduce the problem and I have released a new version. Please download the new version.

 

Rodney

Aug 25, 2008 at 2:16 PM
Thank you very much. I will test this new version today.

One other thing I noticed your system doesn't appear to look at is SQL attacks that are hex encoded. Is that on the list of possible future improvements?

Also, how hard would it be for you to put in a flag that redirects the user to a specific page if an attack is detected... and could that page be configurable in, say, an ini or config file?

This dll is super close to exactly what we need and I would make the enhancements myself, but I am not a C++ developer.

Is the flag and config file something you could do if you have the time? I would greatly appreciate it.

Thank you for your time on this.

Zack





From: notifications@codeplex.com
To: zacharyjohnson@hotmail.com
Date: Fri, 22 Aug 2008 18:50:08 -0700
Subject: Re: Still possible to execute SQL statement if defined in the form action attribute [IIS6SQLInjection:28102]

From: rviana
Hi Zachary,
Thanks for testing the application. I could reproduce the problem and I have released a new version. Please download the new version.

Rodney
Aug 25, 2008 at 3:42 PM
What happened to the asp.net version of the dll... or have you merged the final product to where there is no asp.net version and non-asp.net version?

Thanks,

Zack




