WhiteSites Blog

Protecting against SQL injection attacks using querystring

Posted on Aug 15, 2008 by Paul White

If you run any kind of database-driven website, always make sure you sanitize your variables. Otherwise the bots will get you. One of my buddies recently got his site hacked this way. I have also noticed an increase in attempts using this same technique.

They are trying to slip SQL code into the querystring, like so:

event.aspx?key=20051003110119'%3bDeCLARE+%40S+CHAR(4000)%3bSET+%40S%3d
CAST(0x44454...whole bunch of HEX characters.....6F72+AS+CHAR(4000))%3bExEC(%40S)%3b

Of course, if you already have code that checks for such attacks and immediately blacklists the source, you have no worries.
Otherwise you might want to add some code to your global.asax, or even write an HTTP module that checks each request before it is processed.

A few simple things to check for that should catch most attacks:
Instances of ' in querystring
Instances of declare in querystring
Instances of -- in querystring
Instances of cast( in querystring
Instances of exec( in querystring
Instances of ; in querystring

Take the querystring and convert it to lowercase.
Then search for each of these.
If you find one, block the request and blacklist the IP.

Since developers normally pass database IDs as an Int or BigInt, you can simply check that all the values passed in your querystring are numeric. But in recent years it has become popular to use URL rewriting to get more SEO out of your website, and in that setup the numeric-only rule won't work. In that case, check the characters of your querystring against a list of valid characters (0-9, A-Z). If one of the characters is not found in the list, block the request.
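
The marker search and the valid-character check described above, as an added C# example (not the blog author's code). The class and method names are hypothetical, and the example goes one step beyond the text by URL-decoding the querystring before searching, since the sample request sends ; as %3b.

```csharp
using System;
using System.Linq;
using System.Net;

// Added example with hypothetical names; not the blog author's code.
public static class QueryStringFilter
{
    // The six markers listed in the post.
    static readonly string[] Markers = { "'", "declare", "--", "cast(", "exec(", ";" };

    // Decode, then lowercase: a search of the raw text would miss the
    // semicolon (%3b), and mixed case such as DeCLARE would slip past.
    static string Normalize(string rawQuery) =>
        WebUtility.UrlDecode(rawQuery ?? "").ToLowerInvariant();

    // Blacklist check: markers present in the decoded, lowercased querystring.
    public static string[] FindMarkers(string rawQuery)
    {
        string q = Normalize(rawQuery);
        return Markers.Where(m => q.Contains(m)).ToArray();
    }

    static bool IsAllowed(char c) =>
        (c >= '0' && c <= '9') || (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z');

    // Whitelist check: every decoded value may contain only 0-9 and A-Z (either case).
    public static bool ValuesAreAlphanumeric(string rawQuery)
    {
        string[] pairs = (rawQuery ?? "").TrimStart('?')
            .Split(new[] { '&' }, StringSplitOptions.RemoveEmptyEntries);
        foreach (string pair in pairs)
        {
            int eq = pair.IndexOf('=');
            string value = WebUtility.UrlDecode(eq >= 0 ? pair.Substring(eq + 1) : pair);
            if (!value.All(IsAllowed)) return false;
        }
        return true;
    }

    public static void Main()
    {
        // Constructed inputs; the post's long hex payload is cut to a placeholder.
        string attack = "key=20051003110119'%3bDeCLARE+%40S+CHAR(4000)%3bSET+%40S%3d"
                      + "CAST(0x00+AS+CHAR(4000))%3bExEC(%40S)%3b";
        string normal = "key=20051003110119";
        foreach (string q in new[] { attack, normal })
            Console.WriteLine("{0} markers, alphanumeric values: {1}",
                FindMarkers(q).Length, ValuesAreAlphanumeric(q));
    }
}
```

In global.asax these checks would be called from Application_BeginRequest with Request.Url.Query as the input. A legitimate value containing an apostrophe or a semicolon also trips the marker search, so the valid-character check is the stricter of the two.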

Just for reference here is the list of IPs that have attempted to use this technique on one of my websites

List Updated 8/23/2008




They now enjoy a little kick over to Google whenever they visit my website.
