XYZPDQ

5/11/2008

SQL Injection Attacks

Some of you may have noticed (hopefully not) that your sites, or sites you visit, have been victims of a SQL injection attack that references scripts hosted at either wowyeye.cn or direct84.com. It works primarily against sites that use SQL Server as their database and seems to target mostly ASP and ASP.NET sites. I have seen a few references to PHP sites and the like, but not many.

There is not a lot of information out there about this, but the best page I have found describing the problem is here: http://hackademix.net/2008/04/26. I am not going to rehash everything on that page, but if you are uncertain whether you have been hacked, I have taken the script that is behind this and modified it for the powers of Good.

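-- Drop the results table left over from a previous run, if there is one.
IF OBJECT_ID('tempdb..#SCRIPTTABLE') IS NOT NULL
    DROP TABLE #SCRIPTTABLE
GO

CREATE TABLE #SCRIPTTABLE (TABLENAME VARCHAR(200), COLUMNNAME VARCHAR(200), RECORDCOUNT INT)

DECLARE @T VARCHAR(255), @C VARCHAR(255);
-- Walk every text-like column of every user table (XTYPE = 'U').
-- Column XTYPE 99 = NTEXT, 35 = TEXT, 231 = NVARCHAR, 167 = VARCHAR.
DECLARE TABLE_CURSOR CURSOR FOR
SELECT A.NAME, B.NAME
FROM SYSOBJECTS A, SYSCOLUMNS B
WHERE A.ID = B.ID AND A.XTYPE = 'U' AND
(B.XTYPE = 99 OR
B.XTYPE = 35 OR
B.XTYPE = 231 OR
B.XTYPE = 167);

OPEN TABLE_CURSOR;
FETCH NEXT FROM TABLE_CURSOR INTO @T, @C;
WHILE (@@FETCH_STATUS = 0) BEGIN
    PRINT @T + ' ' + @C
    -- The search pattern and the rest of the script are cut off on this page.
    -- '%<script%' is an assumed pattern, chosen because the attack described
    -- above leaves script references in the data; the loop end is reconstructed.
    EXEC(
    'INSERT INTO #SCRIPTTABLE SELECT ''' + @T + ''',''' + @C + ''', COUNT(*) FROM [' + @T + '] WHERE [' + @C + '] LIKE ''%<script%'''
    );
    FETCH NEXT FROM TABLE_CURSOR INTO @T, @C;
END;
CLOSE TABLE_CURSOR;
DEALLOCATE TABLE_CURSOR;

-- Tables and columns that contain at least one matching row.
SELECT * FROM #SCRIPTTABLE WHERE RECORDCOUNT > 0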

I hope this can be of use to somebody.  I encourage you to check your database to see if you have been attacked and are not aware.  I also encourage you to use the best practices out there and make sure that your code is as protected against these kinds of attacks as you are able. 

Good Night, and Good Luck.

*UPDATE: http://www.0x000000.com/?i=556 has a lot of good information regarding this attack. 600,000+ sites have been hit now.
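
Once the script above has flagged a table and column, the matching values still need to be sorted into injected references and legitimate script tags. The following is an added example, not part of the original post: it pulls the host out of every script tag in a column value and checks it against the two domains named above. The table names, column names, row keys and URL paths in the sample rows are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Domains the post names as hosting the injected scripts.
KNOWN_BAD = ("wowyeye.cn", "direct84.com")

# Opening <script> tag with a src attribute: double-quoted, single-quoted or bare.
SCRIPT_SRC = re.compile(
    r"""<script\b[^>]*?\bsrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""",
    re.IGNORECASE,
)

def script_hosts(value):
    """Lower-cased hosts of every external <script src=...> in one column value."""
    hosts = []
    for m in SCRIPT_SRC.finditer(value or ""):
        src = next(g for g in m.groups() if g is not None)
        try:
            host = urlparse(src.strip()).hostname  # None for site-relative paths
        except ValueError:                         # malformed URL
            host = None
        if host:
            hosts.append(host)
    return hosts

def is_known_bad(host):
    """Exact domain or any subdomain of it; 'notdirect84.com' must not match."""
    return any(host == d or host.endswith("." + d) for d in KNOWN_BAD)

def triage(rows):
    """rows: (table, column, key, value) -> list of (table, column, key, host, verdict)."""
    findings = []
    for table, column, key, value in rows:
        for host in script_hosts(value):
            verdict = "known-injected" if is_known_bad(host) else "review"
            findings.append((table, column, key, host, verdict))
    return findings

# Constructed sample rows (hypothetical table and column names, made-up paths).
SAMPLE_ROWS = [
    ("Products", "Description", 1, "Blue widget<script src=http://www.wowyeye.cn/x.js></script>"),
    ("Products", "Description", 2, "Plain text, nothing appended"),
    ("Pages", "Body", 7, '<SCRIPT SRC="HTTP://WWW.DIRECT84.COM/x.js"></SCRIPT>'),
    ("Pages", "Body", 8, "<script src='/js/site.js'></script>"),
    ("Pages", "Body", 9, '<script src="//cdn.example.org/lib.js"></script>'),
    ("Pages", "Body", 10, '<script src="http://notdirect84.com/x.js"></script>'),
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_ROWS):
        print(finding)
```

Rows marked "review" carry an external script from a host that is not on the list; they need a human decision rather than automatic cleanup.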

5/3/2006

SQL to XML

I recently got asked if there was an easy way to take data from SQL Server and export it to XML. Well, it turns out the good people over at Microsoft made this VERY easy. Take the query that you want to export to XML; for our purposes, let's use:
SELECT TOP 1 * FROM ORDERS
INNER JOIN CUSTOMERS ON ORDERS.CUSTOMERID = CUSTOMERS.CUSTOMERID
INNER JOIN EMPLOYEES ON ORDERS.EMPLOYEEID = EMPLOYEES.EMPLOYEEID

and add FOR XML AUTO to the end of it. (This is an oversimplification for some scenarios, but since this is a simple look at things, I am not going to dive into all that is possible. For that, search for FOR XML EXPLICIT.) That will return some nicely formatted XML with each of the columns as an attribute and each row as an element. But say you didn't want that; say you wanted each column to be its own element. Then just add FOR XML AUTO, ELEMENTS onto the end of things:
SELECT TOP 1 * FROM ORDERS
INNER JOIN CUSTOMERS ON ORDERS.CUSTOMERID = CUSTOMERS.CUSTOMERID
INNER JOIN EMPLOYEES ON ORDERS.EMPLOYEEID = EMPLOYEES.EMPLOYEEID
FOR XML AUTO, ELEMENTS
This will render:

10258
ERNSH
1
1996-07-17T00:00:00
1996-08-14T00:00:00
1996-07-23T00:00:00
1
140.5100
Ernst Handel
Kirchgasse 6
Graz
8010
Austria

ERNSH
Ernst Handel
Roland Mendel
Sales Manager
Kirchgasse 6
Graz
8010
Austria
7675-3425
7675-3426

1
Davolio
Nancy
Ms.
1948-12-08T00:00:00
1992-05-01T00:00:00
507 - 20th Ave. E. Apt. 2A
Seattle
WA
98122
USA
(206) 555-9857
5467
dbobject/EMPLOYEES[@EmployeeID='1']/@Photo
Education includes a BA in psychology from Colorado...
2
http://accweb/emmployees/davolio.bmp

A nice nested output. Hope this helps some of you with your SQL XML needs.